diff --git a/.copywrite.hcl b/.copywrite.hcl
index 1be2d22001..dac6e0ced1 100644
--- a/.copywrite.hcl
+++ b/.copywrite.hcl
@@ -2,21 +2,25 @@ schema_version = 1
 
 project {
   license          = "BUSL-1.1"
-  copyright_year   = 2025
+  copyright_year   = 2016
   copyright_holder = "IBM Corp."
+  ignore_year1     = true
 
   # (OPTIONAL) A list of globs that should not have copyright/license headers.
   # Supports doublestar glob patterns for more flexibility in defining which
   # files or folders should be ignored
   header_ignore = [
+    ".git/**",
+    "enos/.enos/**",
+    "enos/.terraform/**",
+    "enos/k8s/.enos/**",
+    "enos/modules/k8s_deploy_vault/raft-config.hcl",
+    "enos/modules/zap_scan_ent/templates/plan.yml",
     "helper/pkcs7/**",
+    "plugins/database/postgresql/scram/**",
+    "tools/pipeline/internal/pkg/generate/fixtures/*",
     "ui/node_modules/**",
     "ui/pnpm-lock.yaml",
     "ui/pnpm-workspace.yaml",
-    "enos/modules/k8s_deploy_vault/raft-config.hcl",
-    "plugins/database/postgresql/scram/**",
-    "enos/.enos/**",
-    "enos/k8s/.enos/**",
-    "enos/.terraform/**",
   ]
 }
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000000..6b74c047ca
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+.git
+enos
diff --git a/.github/actionlint.yml b/.github/actionlint.yml
index 8385af154f..11f5016522 100644
--- a/.github/actionlint.yml
+++ b/.github/actionlint.yml
@@ -1,4 +1,4 @@
-# Copyright IBM Corp. 2016, 2025
+# Copyright IBM Corp. 2016, 2026
 # SPDX-License-Identifier: BUSL-1.1
 
 self-hosted-runner:
@@ -8,14 +8,9 @@ self-hosted-runner:
     - medium
     - large
     - xlarge
-    - ondemand
-    - disk_gb=64
-    - os=linux
-    - os=ubuntu-arm
-    - type=m5.2xlarge
-    - type=c6a.xlarge
-    - type=c6g.2xlarge
-    - type=c6a.4xlarge
-    - type=c6g.2xlarge;c6g.4xlarge
-    - ubuntu-latest-x64
+    - ubuntu-22.04-x64
+    - ubuntu-22.04-x64
+    - ubuntu-24.04-arm64
     - custom-linux-xl-vault-latest
+    - stats
+    - type=m6a.8xlarge
diff --git a/.github/actions/build-ui/action.yml b/.github/actions/build-ui/action.yml
new file mode 100644
index 0000000000..973401a799
--- /dev/null
+++ b/.github/actions/build-ui/action.yml
@@ -0,0 +1,57 @@
+# Copyright IBM Corp. 2016, 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+name: Build UI
+description: |
+  Build the Vault Web UI assets and cache the results.
+
+inputs:
+  github-token:
+    description: An elevated Github token to access private dependencies if necessary.
+    default: ""
+
+outputs:
+  cache-key:
+    description: "The cache key for the built UI assets (format: ui-<git-hash>)"
+    value: ${{ steps.ui-hash.outputs.cache-key }}
+  cache-hit:
+    description: "Whether the UI was restored from cache (true) or built fresh (false)"
+    value: ${{ steps.cache-ui-assets.outputs.cache-hit }}
+
+runs:
+  using: composite
+  steps:
+    - name: Get UI hash
+      id: ui-hash
+      shell: bash
+      run: |
+        ui_hash=$(git ls-tree HEAD ui --object-only)
+        echo "cache-key=ui-${ui_hash}" | tee -a "$GITHUB_OUTPUT"
+    - name: Set up UI asset cache
+      id: cache-ui-assets
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      with:
+        enableCrossOsArchive: true
+        lookup-only: true
+        path: http/web_ui
+        # Only restore the UI asset cache if we haven't modified anything in the ui directory.
+        # Never do a partial restore of the web_ui if we don't get a cache hit.
+        key: ${{ steps.ui-hash.outputs.cache-key }}
+    - name: Install PNPM
+      if: ${{ steps.cache-ui-assets.outputs.cache-hit != 'true' }}
+      uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      with:
+        run_install: false
+        package_json_file: './ui/package.json'
+    - name: Set up node and pnpm
+      if: ${{ steps.cache-ui-assets.outputs.cache-hit != 'true' }}
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      with:
+        node-version-file: ui/package.json
+        cache: pnpm
+        cache-dependency-path: ui/pnpm-lock.yaml
+    - name: Build UI
+      if: ${{ steps.cache-ui-assets.outputs.cache-hit != 'true' }}
+      shell: bash
+      run: make ci-build-ui
diff --git a/.github/actions/build-vault/action.yml b/.github/actions/build-vault/action.yml
index 616631b282..b72cd2fd97 100644
--- a/.github/actions/build-vault/action.yml
+++ b/.github/actions/build-vault/action.yml
@@ -69,7 +69,7 @@ runs:
       shell: bash
       run: git config --global url."https://${{ inputs.github-token }}:@github.com".insteadOf "https://github.com"
     - name: Restore UI from cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         # Restore the UI asset from the UI build workflow. Never use a partial restore key.
         enableCrossOsArchive: true
@@ -117,7 +117,7 @@ runs:
       id: build-vault-select-license
       uses: hashicorp-forge/actions-pao-tool/select-license@6997f7457c338e008506005cc370e7b02f7fb421 # v1.0.3
       with:
-        arch: ${{ matrix.goarch }}
+        arch: ${{ inputs.goarch }}
     - if: inputs.cgo-enabled == '0'
       name: ${{ steps.metadata.outputs.build-step-name }}
       env:
@@ -133,7 +133,7 @@ runs:
       shell: bash
       run: make ci-build
     - if: inputs.cgo-enabled == '1'
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       with:
         driver-opts: network=host # So we can run our own little registry
     - if: inputs.cgo-enabled == '1'
@@ -143,7 +143,7 @@ runs:
       if: inputs.cgo-enabled == '1'
       id: build-push-action-attempt-1
       continue-on-error: true # we will retry this if it fails
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
       env:
         DOCKER_BUILD_SUMMARY: false
       with:
@@ -165,7 +165,7 @@ runs:
       id: build-push-action-attempt-2
       continue-on-error: false
       if: inputs.cgo-enabled == '1' && steps.build-push-action-attempt-1.outcome != 'success'
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
       env:
         DOCKER_BUILD_SUMMARY: false
       with:
@@ -218,12 +218,16 @@ runs:
         BUNDLE_PATH: out/${{ steps.metadata.outputs.artifact-basename }}.zip
       shell: bash
       run: make ci-bundle
-    - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+    - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: ${{ steps.metadata.outputs.artifact-basename }}.zip
         path: out/${{ steps.metadata.outputs.artifact-basename }}.zip
         if-no-files-found: error
     - if: inputs.create-packages == 'true'
+      env:
+        # Use our elevated token instead of the workflow token so that our
+        # download of nfpm is less likely to fail.
+        GH_TOKEN: ${{ inputs.github-token }}
       uses: hashicorp/actions-packaging-linux@33f7d23b14f24e6a7b7d9948cb7f5caca2045ee3
       with:
         name: ${{ inputs.package-name }}
@@ -250,13 +254,13 @@ runs:
           echo "deb-files=$(basename out/*.deb)"
         } | tee -a "$GITHUB_OUTPUT"
     - if: inputs.create-packages == 'true'
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: ${{ steps.package-files.outputs.rpm-files }}
         path: out/${{ steps.package-files.outputs.rpm-files }}
         if-no-files-found: error
     - if: inputs.create-packages == 'true'
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: ${{ steps.package-files.outputs.deb-files }}
         path: out/${{ steps.package-files.outputs.deb-files }}
diff --git a/.github/actions/create-dynamic-config/action.yml b/.github/actions/create-dynamic-config/action.yml
index 4cf11c190e..5bd5fbe951 100644
--- a/.github/actions/create-dynamic-config/action.yml
+++ b/.github/actions/create-dynamic-config/action.yml
@@ -20,26 +20,21 @@ runs:
       id: dyn-cfg-metadata
       shell: bash
       run: |
-        # Since the dynamic config is created by a specific version of the
-        # pipeline tool, we always need to factor it into our cache key.
-        # If the pipeline changes we always want to make sure we are using
-        # dynamic config from the latest version.
+        # The cache key is a short SHA of the enos-dynamic-config.tmpl file.
+        # We also include a weekly date in the cache key so that we regenerate
+        # the configuration on at least a weekly basis to account for changing
+        # versions. If we add more templates to this we ought to consider their
+        # short sha's in the key too!
         #
-        # We use a weekly date in the cache key so that we regenerate the
-        # configuration on at least a weekly basis
-        #
-        # If/when Github decides to purge our tiny config file cache we'll also
-        # recreate it as necessary.
-        #
-        # Uses GITHUB_ENV instead of GITHUB_OUTPUT because composite actions are broken,
-        # see: https://github.com/actions/cache/issues/803#issuecomment-1793565071
+        # Uses GITHUB_ENV instead of GITHUB_OUTPUT because composite actions are
+        # broken, see: https://github.com/actions/cache/issues/803#issuecomment-1793565071
         {
-          echo "DYNAMIC_CONFIG_KEY=${{ inputs.vault-version }}-$(date +%Y-%m-%U)-$(git ls-tree HEAD tools/pipeline --object-only --abbrev=8)"
+          echo "DYNAMIC_CONFIG_KEY=${{ inputs.vault-version }}-$(date +%Y-%m-%U)-$(git ls-tree HEAD enos/enos-dynamic-config.tmpl --object-only --abbrev=8)"
           echo "DYNAMIC_CONFIG_PATH=enos/enos-dynamic-config.hcl"
         } | tee -a "$GITHUB_ENV"
     - name: Try to restore dynamic config from cache
       id: dyn-cfg-cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: ${{ env.DYNAMIC_CONFIG_PATH }}
         key: dyn-cfg-${{ env.DYNAMIC_CONFIG_KEY }}
@@ -56,9 +51,8 @@ runs:
       shell: bash
       run: |
         # Make sure that any branch specific dynamic config has been generated
-        pipeline generate enos-dynamic-config ${{ runner.debug && '--log debug' }}\
-          -d ./enos \
-          --file enos-dynamic-config.hcl \
-          -v ${{ inputs.vault-version }} \
-          -e ${{ inputs.vault-edition }} \
-          -n 3
+        pipeline generate template ${{ runner.debug && '--log debug' }} \
+          enos/enos-dynamic-config.tmpl \
+          enos/enos-dynamic-config.hcl \
+            --version '${{ inputs.vault-version }}' \
+            --edition '${{ inputs.vault-edition }}'
diff --git a/.github/actions/install-tools/action.yml b/.github/actions/install-tools/action.yml
index 7274562fa2..3b33e7c716 100644
--- a/.github/actions/install-tools/action.yml
+++ b/.github/actions/install-tools/action.yml
@@ -69,7 +69,7 @@ runs:
           echo "VAULT_TOOLS_CACHE_KEY=${cache_key}"
         } | tee -a "$GITHUB_ENV"
     - id: cache-tools
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         lookup-only: ${{ inputs.no-restore }}
         path: ${{ env.VAULT_TOOLS_PATH }}
diff --git a/.github/actions/metadata/action.yml b/.github/actions/metadata/action.yml
index 8c7efd1ff5..c13c627ac7 100644
--- a/.github/actions/metadata/action.yml
+++ b/.github/actions/metadata/action.yml
@@ -156,9 +156,11 @@ runs:
         if [ "$is_enterprise_repo" = 'true' ]; then
           base_ref='${{ github.event.pull_request.base.ref || github.event.base_ref || github.ref_name || github.event.branch || github.ref }}'
           is_ent_repo='true'
-          is_ce_in_enterprise=$([[ $base_ref == ce/* ]] && echo "true" || echo "false")
+          is_ent_branch='true'
+          is_ce_in_enterprise=$([[ $base_ref == ce/* || $base_ref == refs/heads/ce/* ]] && echo "true" || echo "false")
           if [ "$is_ce_in_enterprise" = 'true' ]; then
             is_enterprise="false"
+            is_ent_branch="false"
             go_tags=''
             version_metadata='${{ inputs.vault-version }}'
           else
@@ -166,10 +168,10 @@ runs:
             go_tags='ent,enterprise'
             version_metadata='${{ inputs.vault-version }}+ent'
           fi
-          compute_build='["self-hosted","ondemand","os=linux","disk_gb=64","type=c6a.4xlarge;c5a.4xlarge"]'
-          compute_build_ui='["self-hosted","ondemand","os=linux","disk_gb=64","type=c6a.2xlarge;c5a.2xlarge;c6a.4xlarge"]'
-          compute_test_go='["self-hosted","ondemand","os=linux","disk_gb=64","type=c6a.2xlarge;c5a.2xlarge;c6a.4xlarge"]'
-          compute_test_ui='["self-hosted","ondemand","os=linux","type=m6a.2xlarge;m6a.4xlarge"]'
+          compute_build='["self-hosted","ubuntu-22.04-x64"]'
+          compute_build_ui='["self-hosted","ubuntu-22.04-x64"]'
+          compute_test_go='["self-hosted","ubuntu-22.04-x64"]'
+          compute_test_ui='["self-hosted","ubuntu-22.04-x64"]'
           compute_small='["self-hosted","linux","small"]'
         else
           compute_build='"custom-linux-medium-vault-latest"'
@@ -191,7 +193,7 @@ runs:
           echo "compute-small=${compute_small}"
           echo "go-tags=${go_tags}"
           echo "is-ce-in-enterprise=${is_ce_in_enterprise}"
-          echo "is-ent-branch=${is_enterprise}"
+          echo "is-ent-branch=${is_ent_branch}"
           echo "is-ent-repo=${is_ent_repo}"
           echo "vault-version-metadata=${version_metadata}"
         } | tee -a "$GITHUB_OUTPUT"
diff --git a/.github/actions/run-enos-scenario/README.md b/.github/actions/run-enos-scenario/README.md
new file mode 100644
index 0000000000..bdccb77631
--- /dev/null
+++ b/.github/actions/run-enos-scenario/README.md
@@ -0,0 +1,114 @@
+# run-enos-scenario
+
+Reusable composite action for running an Enos scenario with standardized retry, debug artifact upload, and destroy cleanup behavior.
+
+## Behavior
+
+The action performs this lifecycle:
+
+1. Optionally installs Terraform.
+2. Optionally installs Enos.
+3. Prepares a sanitized debug artifact name from the scenario filter.
+4. Runs `enos scenario launch`.
+5. Retries the launch command once if the first attempt fails.
+6. Optionally prints `enos scenario exec --cmd show` and `plan` before retry and after a failed retry.
+7. Uploads debug data on failure.
+8. Always destroys the scenario and retries destroy once if needed.
+
+## Inputs
+
+| Name | Required | Default | Description |
+| --- | --- | --- | --- |
+| `scenario-filter` | yes | n/a | Scenario filter passed to Enos. |
+| `working-directory` | no | `./enos` | Value passed to `--chdir`. |
+| `timeout` | no | `45m0s` | Timeout for the first main command attempt. |
+| `retry-timeout` | no | `30m0s` | Timeout for the retry attempt. |
+| `destroy-timeout` | no | `10m0s` | Timeout for destroy. |
+| `show-state-on-retry` | no | `false` | When `true`, prints scenario state and plan before retry and after failed retry. |
+| `upload-debug-data` | no | `true` | When `true`, uploads debug data on failure. |
+| `debug-data-retention-days` | no | `30` | Artifact retention days for debug data. |
+| `debug-data-path` | no | empty | Explicit debug data directory. If empty, uses `ENOS_DEBUG_DATA_ROOT_DIR` or `/tmp/enos-debug-data`. |
+| `setup-terraform` | no | `true` | When `true`, installs Terraform. |
+| `setup-enos` | no | `true` | When `true`, installs Enos. |
+| `launch-extra-args` | no | empty | Extra arguments added to the launch command before the scenario filter. |
+| `retry-extra-args` | no | empty | Extra arguments added to the retry launch command before the scenario filter. |
+| `destroy-extra-args` | no | empty | Extra arguments added to destroy before the scenario filter. |
+| `pre-destroy-command` | no | empty | Optional enos scenario command to run before destroying (e.g., `exec`). |
+| `pre-destroy-extra-args` | no | empty | Extra arguments added to the pre-destroy command before the scenario filter. |
+
+## Outputs
+
+| Name | Description |
+| --- | --- |
+| `launch-outcome` | Final main phase outcome: `success` or `failure`. |
+| `launch-retry-attempted` | `true` when the main phase retry was attempted. |
+| `destroy-outcome` | Final destroy outcome: `success` or `failure`. |
+| `destroy-retry-attempted` | `true` when destroy retry was attempted. |
+| `debug-data-artifact-name` | Sanitized debug artifact name derived from the scenario filter. |
+| `debug-data-dir` | Debug data directory used by the action. |
+| `error-message` | Failure message captured from the retry step, when present. |
+
+## Usage
+
+### Standard launch workflow
+
+```yaml
+- name: Run Enos scenario
+  id: run-scenario
+  uses: ./.github/actions/run-enos-scenario
+  with:
+    scenario-filter: ${{ matrix.scenario.id.filter }}
+    timeout: 45m0s
+    retry-timeout: 30m0s
+    destroy-timeout: 10m0s
+    show-state-on-retry: 'true'
+```
+
+### With custom destroy arguments
+
+```yaml
+- name: Run Enos scenario
+  id: run-scenario
+  uses: ./.github/actions/run-enos-scenario
+  with:
+    scenario-filter: ${{ inputs.scenario }}
+    timeout: 60m0s
+    retry-timeout: 60m0s
+    destroy-timeout: 60m0s
+    destroy-extra-args: --grpc-listen http://localhost
+```
+
+### Skip tool installation
+
+```yaml
+- name: Run Enos scenario
+  uses: ./.github/actions/run-enos-scenario
+  with:
+    scenario-filter: ${{ steps.sample.outputs.filter }}
+    setup-terraform: 'false'
+    setup-enos: 'false'
+```
+
+### With pre-destroy command
+
+```yaml
+- name: Run Enos scenario
+  uses: ./.github/actions/run-enos-scenario
+  with:
+    scenario-filter: ${{ inputs.scenario }}
+    timeout: 30m0s
+    pre-destroy-command: exec
+    pre-destroy-extra-args: --cmd 'output -raw scan_markdown'
+```
+
+### With pre-destroy command and output redirection
+
+```yaml
+- name: Run Enos scenario
+  uses: ./.github/actions/run-enos-scenario
+  with:
+    scenario-filter: ${{ inputs.scenario }}
+    timeout: 30m0s
+    pre-destroy-command: exec
+    pre-destroy-extra-args: --cmd 'output -raw scan_markdown' | tee -a "$GITHUB_STEP_SUMMARY"
+```
diff --git a/.github/actions/run-enos-scenario/action.yml b/.github/actions/run-enos-scenario/action.yml
new file mode 100644
index 0000000000..6c2dfb389c
--- /dev/null
+++ b/.github/actions/run-enos-scenario/action.yml
@@ -0,0 +1,266 @@
+# Copyright IBM Corp. 2016, 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+---
+name: Run and retry an Enos scenario
+description: |
+  Run an Enos scenario with a standard launch retry flow, optional state/plan diagnostics,
+  automatic debug data artifact naming, and destroy cleanup with a destroy retry.
+
+inputs:
+  scenario-filter:
+    description: Enos scenario filter/identifier (for example "ui edition:ent backend:raft")
+    required: true
+  working-directory:
+    description: Working directory to pass to enos via --chdir
+    required: false
+    default: ./enos
+  timeout:
+    description: Timeout for the initial launch command
+    required: false
+    default: 45m0s
+  retry-timeout:
+    description: Timeout for the retry launch attempt
+    required: false
+    default: 30m0s
+  destroy-timeout:
+    description: Timeout for the destroy command
+    required: false
+    default: 10m0s
+  show-state-on-retry:
+    description: Whether to show scenario state and plan before and after a failed retry (true/false)
+    required: false
+    default: 'false'
+  upload-debug-data:
+    description: Whether to upload Enos debug data on failure (true/false)
+    required: false
+    default: "true"
+  debug-data-retention-days:
+    description: Retention period in days for uploaded debug data artifacts
+    required: false
+    default: "30"
+  debug-data-path:
+    description: Debug data root directory to create and upload
+    required: false
+    default: ""
+  setup-terraform:
+    description: Whether to install Terraform in the action (true/false)
+    required: false
+    default: "true"
+  setup-enos:
+    description: Whether to install Enos in the action (true/false)
+    required: false
+    default: "true"
+  launch-extra-args:
+    description: Extra arguments to append to the launch command before the scenario filter
+    required: false
+    default: ""
+  retry-extra-args:
+    description: Extra arguments to append to the retry launch command before the scenario filter
+    required: false
+    default: ""
+  destroy-extra-args:
+    description: Extra arguments to append to the destroy command before the scenario filter
+    required: false
+    default: ""
+  pre-destroy-command:
+    description: Optional enos scenario command to run before destroying (e.g., "exec")
+    required: false
+    default: ""
+  pre-destroy-extra-args:
+    description: Extra arguments to append to the pre-destroy command before the scenario filter
+    required: false
+    default: ""
+
+outputs:
+  launch-outcome:
+    description: Final execution outcome for the main phase (success or failure)
+    value: ${{ steps.determine-launch-outcome.outputs.outcome }}
+  launch-retry-attempted:
+    description: Whether a retry was attempted for the main phase
+    value: ${{ steps.determine-launch-outcome.outputs.retry-attempted }}
+  destroy-outcome:
+    description: Final destroy outcome (success or failure)
+    value: ${{ steps.determine-destroy-outcome.outputs.outcome }}
+  destroy-retry-attempted:
+    description: Whether a destroy retry was attempted
+    value: ${{ steps.determine-destroy-outcome.outputs.retry-attempted }}
+  debug-data-artifact-name:
+    description: Debug data artifact name prepared by the action
+    value: ${{ steps.prepare-artifacts.outputs.debug-data-artifact-name }}
+  debug-data-dir:
+    description: Debug data directory prepared by the action
+    value: ${{ steps.prepare-artifacts.outputs.debug-data-dir }}
+  error-message:
+    description: Error message captured from a failed retry
+    value: ${{ steps.launch-retry.outputs.error-message }}
+
+runs:
+  using: composite
+  steps:
+    - if: inputs.setup-terraform == 'true'
+      name: Setup Terraform
+      uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
+      with:
+        terraform_wrapper: false
+
+    - if: inputs.setup-enos == 'true'
+      name: Setup Enos
+      uses: hashicorp/action-setup-enos@6ec106c8f809fe645162d73bea565c65f3269907 # v1.52
+
+    - id: prepare-artifacts
+      name: Prepare artifacts and debug directory
+      shell: bash
+      run: |
+        artifact_name="enos-debug-data_$(echo "${{ inputs.scenario-filter }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')"
+        debug_dir="${{ inputs.debug-data-path }}"
+        if [ -z "${debug_dir}" ]; then
+          debug_dir="${ENOS_DEBUG_DATA_ROOT_DIR:-/tmp/enos-debug-data}"
+        fi
+        mkdir -p "${debug_dir}"
+        {
+          echo "debug-data-artifact-name=${artifact_name}"
+          echo "debug-data-dir=${debug_dir}"
+        } | tee -a "$GITHUB_OUTPUT"
+
+    - id: launch
+      name: Run Enos scenario
+      continue-on-error: true
+      shell: bash
+      run: |
+        enos scenario launch \
+          --timeout ${{ inputs.timeout }} \
+          ${{ inputs.launch-extra-args }} \
+          --chdir ${{ inputs.working-directory }} \
+          ${{ inputs.scenario-filter }}
+
+    - if: steps.launch.outcome == 'failure' && inputs.show-state-on-retry == 'true'
+      name: Show scenario state before retry
+      shell: bash
+      run: |
+        echo "::group::Scenario state before retry"
+        enos scenario exec --cmd show \
+          --chdir ${{ inputs.working-directory }} \
+          ${{ inputs.scenario-filter }} || true
+        echo "::endgroup::"
+        echo "::group::Scenario plan before retry"
+        enos scenario exec --cmd plan \
+          --chdir ${{ inputs.working-directory }} \
+          ${{ inputs.scenario-filter }} || true
+        echo "::endgroup::"
+
+    - if: steps.launch.outcome == 'failure'
+      id: launch-retry
+      name: Retry Enos scenario
+      shell: bash
+      run: |
+        if ! output=$(enos scenario launch \
+          --timeout ${{ inputs.retry-timeout }} \
+          ${{ inputs.retry-extra-args }} \
+          --chdir ${{ inputs.working-directory }} \
+          ${{ inputs.scenario-filter }} 2>&1); then
+          if [ "${{ inputs.show-state-on-retry }}" = "true" ]; then
+            echo "::group::Scenario state after retry"
+            enos scenario exec --cmd show \
+              --chdir ${{ inputs.working-directory }} \
+              ${{ inputs.scenario-filter }} || true
+            echo "::endgroup::"
+            echo "::group::Scenario plan after retry"
+            enos scenario exec --cmd plan \
+              --chdir ${{ inputs.working-directory }} \
+              ${{ inputs.scenario-filter }} || true
+            echo "::endgroup::"
+          fi
+          echo "::group::Scenario retry failure"
+          echo "$output" >&2
+          {
+            echo "# Enos Scenario Failed!"
+            echo 'See the [workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more information'
+            echo '```'
+            echo "$output"
+            echo '```'
+          } | tee -a "$GITHUB_STEP_SUMMARY"
+          echo "::endgroup::"
+          exit 1
+        fi
+
+    - id: determine-launch-outcome
+      name: Determine launch outcome
+      shell: bash
+      run: |
+        retry_attempted=false
+        if [ "${{ steps.launch.outcome }}" = "failure" ]; then
+          retry_attempted=true
+        fi
+        if [ "${{ steps.launch.outcome }}" = "success" ] || [ "${{ steps.launch-retry.outcome }}" = "success" ]; then
+          outcome=success
+        else
+          outcome=failure
+        fi
+        {
+          echo "outcome=${outcome}"
+          echo "retry-attempted=${retry_attempted}"
+        } | tee -a "$GITHUB_OUTPUT"
+
+    - if: failure() && inputs.upload-debug-data == 'true'
+      name: Upload debug data
+      continue-on-error: true
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: ${{ steps.prepare-artifacts.outputs.debug-data-artifact-name }}
+        path: ${{ steps.prepare-artifacts.outputs.debug-data-dir }}
+        retention-days: ${{ inputs.debug-data-retention-days }}
+
+    - if: always() && inputs.pre-destroy-command != ''
+      id: pre-destroy
+      name: Run pre-destroy command
+      continue-on-error: true
+      shell: bash
+      run: |
+        enos scenario ${{ inputs.pre-destroy-command }} \
+          --chdir ${{ inputs.working-directory }} \
+          ${{ inputs.scenario-filter }} \
+          ${{ inputs.pre-destroy-extra-args }}
+
+    - if: always()
+      id: destroy
+      name: Destroy Enos scenario
+      continue-on-error: true
+      shell: bash
+      run: |
+        enos scenario destroy \
+          --timeout ${{ inputs.destroy-timeout }} \
+          ${{ inputs.destroy-extra-args }} \
+          --chdir ${{ inputs.working-directory }} \
+          ${{ inputs.scenario-filter }}
+
+    - if: steps.destroy.outcome == 'failure'
+      id: destroy-retry
+      name: Retry Enos scenario destroy
+      continue-on-error: true
+      shell: bash
+      run: |
+        enos scenario destroy \
+          --timeout ${{ inputs.destroy-timeout }} \
+          ${{ inputs.destroy-extra-args }} \
+          --chdir ${{ inputs.working-directory }} \
+          ${{ inputs.scenario-filter }}
+
+    - if: always()
+      id: determine-destroy-outcome
+      name: Determine destroy outcome
+      shell: bash
+      run: |
+        retry_attempted=false
+        if [ "${{ steps.destroy.outcome }}" = "failure" ]; then
+          retry_attempted=true
+        fi
+        if [ "${{ steps.destroy.outcome }}" = "success" ] || [ "${{ steps.destroy-retry.outcome }}" = "success" ]; then
+          outcome=success
+        else
+          outcome=failure
+        fi
+        {
+          echo "outcome=${outcome}"
+          echo "retry-attempted=${retry_attempted}"
+        } | tee -a "$GITHUB_OUTPUT"
diff --git a/.github/actions/set-up-go/action.yml b/.github/actions/set-up-go/action.yml
index f30bc3ea7c..89d7e95cbb 100644
--- a/.github/actions/set-up-go/action.yml
+++ b/.github/actions/set-up-go/action.yml
@@ -40,7 +40,7 @@ runs:
         else
           echo "go-version=${{ inputs.go-version }}" | tee -a "$GITHUB_OUTPUT"
         fi
-    - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version: ${{ steps.go-version.outputs.go-version }}
         cache: false # We use our own caching strategy
@@ -63,7 +63,7 @@ runs:
           echo "cache-key=go-modules-${wd_hash}-${{ hashFiles('**/go.sum') }}"
         } | tee -a "$GITHUB_OUTPUT"
     - id: cache-modules
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         enableCrossOsArchive: true
         lookup-only: ${{ inputs.no-restore }}
diff --git a/.github/actions/set-up-pipeline/action.yml b/.github/actions/set-up-pipeline/action.yml
index 2206fc7d75..b73804e7b7 100644
--- a/.github/actions/set-up-pipeline/action.yml
+++ b/.github/actions/set-up-pipeline/action.yml
@@ -33,7 +33,7 @@ runs:
         } | tee -a "$GITHUB_ENV"
     - name: Try to restore pipeline from cache
       id: pipeline-cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: ${{ env.PIPELINE_PATH }}
         key: pipeline-${{ env.PIPELINE_HASH }}
diff --git a/.github/actions/setup-pnpm/action.yml b/.github/actions/setup-pnpm/action.yml
new file mode 100644
index 0000000000..1027261f13
--- /dev/null
+++ b/.github/actions/setup-pnpm/action.yml
@@ -0,0 +1,32 @@
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+
+# This action will set up Node and then install pnpm dependencies, which might be restored from cache if available.
+# In case of a cache miss, pnpm dependencies will be installed and later be stored in the "post step" of actions/cache.
+---
+name: Setup pnpm
+description: Setup Node and install pnpm
+runs:
+  using: composite
+  steps:
+
+    - name: Install PNPM
+      uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      with:
+        run_install: false
+        package_json_file: './ui/package.json'
+
+    - name: Setup Node Caching
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      with:
+        node-version-file: './ui/package.json'
+        cache: pnpm
+        cache-dependency-path: ui/pnpm-lock.yaml
+
+    - name: Install UI dependencies
+      working-directory: ./ui
+      shell: bash
+      run: |
+        pnpm i
+        pnpm rebuild node-sass
diff --git a/.github/instructions/generic/ember_hbs.instructions.md b/.github/instructions/generic/ember_hbs.instructions.md
index da67c4a51f..dcbff91e28 100644
--- a/.github/instructions/generic/ember_hbs.instructions.md
+++ b/.github/instructions/generic/ember_hbs.instructions.md
@@ -11,7 +11,7 @@ This document provides Handlebars template coding standards for HashiCorp Ember.
 
 ## Template Best Practices
 - Check truthiness of arrays directly instead of using `.length` property
-- Use string interpolation `"prefix/{{value}}"` instead of `{{concat}}` helper  
+- Use string interpolation `"prefix/{{value}}"` instead of `{{concat}}` helper
 - Remove unnecessary quotes around dynamic component arguments
 - Use `Hds::Link::Inline` for external documentation links instead of `<button>` elements
 - Make `selected` attributes dynamic rather than static values - warn if static values are used
@@ -19,6 +19,7 @@ This document provides Handlebars template coding standards for HashiCorp Ember.
 - Avoid inline `style` attributes and `{{style ...}}` helpers - define CSS classes in `.scss` files instead
 - Place `data-test-*` selectors as the last attribute on elements
 - Remove quotes around dynamic data attributes: `data-test-id={{value}}` not `data-test-id="{{value}}"`
+- **Avoid shadowed elements**: Avoid HTML element names (like `option`, `input`, `select`, etc.) as block parameter names in `{{#each}}` loops to prevent `no-shadowed-elements` lint errors and broken functionality.
 
 Examples:
 ```handlebars
@@ -64,6 +65,20 @@ Examples:
 
 {{!-- Bad: unnecessary quotes --}}
 <div data-test-namespace-link="{{option.label}}">
+
+{{!-- Good: avoid shadowed elements by using descriptive block parameter names --}}
+{{#each @field.options as |opt|}}
+  <option selected={{eq @value opt.value}} value={{opt.value}}>
+    {{opt.label}}
+  </option>
+{{/each}}
+
+{{!-- Bad: using HTML element name as block parameter causes lint error --}}
+{{#each @field.options as |option|}}
+  <option selected={{eq @value option.value}} value={{option.value}}>
+    {{option.label}}
+  </option>
+{{/each}}
 ```
 
 ---
diff --git a/.github/scripts/report-ci-status.sh b/.github/scripts/report-ci-status.sh
index 20158f4f19..eef91785e5 100755
--- a/.github/scripts/report-ci-status.sh
+++ b/.github/scripts/report-ci-status.sh
@@ -12,8 +12,12 @@ MAX_TESTS=10
 [ "${PR_NUMBER:?}" ]
 [ "${RESULT:?}" ]
 
-table_data() {
-  if [ -z "$TABLE_DATA" ]; then
+# Function to format table data for a specific test type
+format_table_data() {
+  local data="$1"
+  local test_type="$2"
+  
+  if [ -z "$data" ]; then
     return 0
   fi
 
@@ -21,45 +25,80 @@ table_data() {
   # Only keep the test type, test package, test name, and logs column
   # Remove the scroll emoji
   # Remove "github.com/hashicorp/vault" from the package name
-  TABLE_DATA=$(echo "$TABLE_DATA" | awk -F\| '{if ($4 != " - ") { print "|" $2 "|" $3 "|" $4 "|" $7 }}' | sed -r 's/ :scroll://' | sed -r 's/github.com\/hashicorp\/vault\///')
-  NUM_FAILURES=$(wc -l <<< "$TABLE_DATA")
+  local formatted_data=$(echo "$data" | awk -F\| '{if ($4 != " - ") { print "|" $2 "|" $3 "|" $4 "|" $7 }}' | sed -r 's/ :scroll://' | sed -r 's/github.com\/hashicorp\/vault\///')
+  local num_failures=$(echo "$formatted_data" | wc -l)
 
   # Check if the number of failures is greater than the maximum tests to display
   # If so, limit the table to MAX_TESTS number of results
-  if [ "$NUM_FAILURES" -gt "$MAX_TESTS" ]; then
-    TABLE_DATA=$(echo "$TABLE_DATA" | head -n "$MAX_TESTS")
-    NUM_OTHER=( "$NUM_FAILURES" - "$MAX_TESTS" )
-    TABLE_DATA="${TABLE_DATA}
+  if [ "$num_failures" -gt "$MAX_TESTS" ]; then
+    formatted_data=$(echo "$formatted_data" | head -n "$MAX_TESTS")
+    local num_other=$(( num_failures - MAX_TESTS ))
+    formatted_data="${formatted_data}
 
-and ${NUM_OTHER[*]} other tests"
+and ${num_other} other tests"
   fi
 
   # Add the header for the table
   printf "%s" "Failures:
 | Test Type | Package | Test | Logs |
 | --------- | ------- | ---- | ---- |
-${TABLE_DATA}"
+${formatted_data}"
 }
 
-td="$(table_data)"
-
-case "$RESULT" in
-  success)
-    if [ -z "$td" ]; then
-      BODY="CI Results:
-All Go tests succeeded! :white_check_mark:"
-    else
-      BODY="CI Results:
-All required Go tests succeeded but failures were detected :warning:
-${td}"
-    fi
-  ;;
-  *)
-    BODY="CI Results: ${RESULT} :x:
-${td}"
-  ;;
-esac
-
 source ./.github/scripts/gh-comment.sh
 
-update_or_create_comment "$REPO" "$PR_NUMBER" "CI Results:" "$BODY"
+# Separate enos failures from other test failures
+if [ -n "$TABLE_DATA" ]; then
+  ENOS_DATA=$(echo "$TABLE_DATA" | grep "^| enos |" || true)
+  OTHER_DATA=$(echo "$TABLE_DATA" | grep -v "^| enos |" || true)
+else
+  ENOS_DATA=""
+  OTHER_DATA=""
+fi
+
+# Create comment for regular test failures (non-enos)
+if [ -n "$OTHER_DATA" ]; then
+  other_td="$(format_table_data "$OTHER_DATA" "other")"
+  
+  case "$RESULT" in
+    success)
+      OTHER_BODY="CI Results - Go Tests:
+All required Go tests succeeded but failures were detected :warning:
+${other_td}"
+    ;;
+    *)
+      OTHER_BODY="CI Results - Go Tests: ${RESULT} :x:
+${other_td}"
+    ;;
+  esac
+  
+  update_or_create_comment "$REPO" "$PR_NUMBER" "CI Results - Go Tests:" "$OTHER_BODY"
+fi
+
+# Create separate comment for enos failures
+if [ -n "$ENOS_DATA" ]; then
+  enos_td="$(format_table_data "$ENOS_DATA" "enos")"
+  
+  case "$RESULT" in
+    success)
+      ENOS_BODY="CI Results - Enos Tests:
+All required Enos tests succeeded but failures were detected :warning:
+${enos_td}"
+    ;;
+    *)
+      ENOS_BODY="CI Results - Enos Tests: ${RESULT} :x:
+${enos_td}"
+    ;;
+  esac
+  
+  update_or_create_comment "$REPO" "$PR_NUMBER" "CI Results - Enos Tests:" "$ENOS_BODY"
+fi
+
+# If no failures at all, create a single success comment
+if [ -z "$OTHER_DATA" ] && [ -z "$ENOS_DATA" ]; then
+  if [ "$RESULT" == "success" ]; then
+    SUCCESS_BODY="CI Results:
+All Go tests succeeded! :white_check_mark:"
+    update_or_create_comment "$REPO" "$PR_NUMBER" "CI Results:" "$SUCCESS_BODY"
+  fi
+fi
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 3b6d868c56..a345d6b865 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -12,7 +12,7 @@ concurrency:
 
 jobs:
   actionlint:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: "Run actionlint"
diff --git a/.github/workflows/add-hashicorp-contributed-label.yml b/.github/workflows/add-hashicorp-contributed-label.yml
index ec99c91fb7..a18e7bb1df 100644
--- a/.github/workflows/add-hashicorp-contributed-label.yml
+++ b/.github/workflows/add-hashicorp-contributed-label.yml
@@ -17,7 +17,7 @@ jobs:
   add-hashicorp-contributed-label:
     # Only run if this is NOT coming from a fork of hashicorp/vault (if this is not true, it's community contributed)
     if: ${{ github.repository == 'hashicorp/vault' && (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) }}
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       # gh pr edit needs a .git directory so we'll do a shallow checkout
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/benchmark-prevent-performance-degradations.yml b/.github/workflows/benchmark-prevent-performance-degradations.yml
index aab544a64a..ea9c6248bd 100644
--- a/.github/workflows/benchmark-prevent-performance-degradations.yml
+++ b/.github/workflows/benchmark-prevent-performance-degradations.yml
@@ -13,7 +13,7 @@ on:
 jobs:
   bench:
     name: Bench
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6808cbc484..4540f6394e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -83,7 +83,7 @@ jobs:
       github.event_name == 'push' ||
       github.event_name == 'schedule' ||
       (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions: write-all # vault-auth
     outputs:
       build-date: ${{ steps.metadata.outputs.vault-build-date }}
@@ -186,7 +186,7 @@ jobs:
       startsWith(github.event.pull_request.base.ref, 'ce/')
     runs-on:
       - self-hosted
-      - ubuntu-latest-x64
+      - ubuntu-22.04-x64
     permissions: write-all # vault-auth
     needs:
       - setup
@@ -293,40 +293,13 @@ jobs:
     needs: setup
     runs-on: ${{ fromJSON(needs.setup.outputs.compute-build-ui) }}
     outputs:
-      cache-key: ui-${{ steps.ui-hash.outputs.ui-hash }}
+      cache-key: ${{ steps.build-ui.outputs.cache-key }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.setup.outputs.checkout-ref }}
-      - name: Get UI hash
-        id: ui-hash
-        run: echo "ui-hash=$(git ls-tree HEAD ui --object-only)" | tee -a "$GITHUB_OUTPUT"
-      - name: Set up UI asset cache
-        id: cache-ui-assets
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-        with:
-          enableCrossOsArchive: true
-          lookup-only: true
-          path: http/web_ui
-          # Only restore the UI asset cache if we haven't modified anything in the ui directory.
-          # Never do a partial restore of the web_ui if we don't get a cache hit.
-          key: ui-${{ steps.ui-hash.outputs.ui-hash }}
-      - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
-        name: Install PNPM
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        with:
-          run_install: false
-          package_json_file: './ui/package.json'
-      - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
-        name: Set up node and pnpm
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
-        with:
-          node-version-file: ui/package.json
-          cache: pnpm
-          cache-dependency-path: ui/pnpm-lock.yaml
-      - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
-        name: Build UI
-        run: make ci-build-ui
+      - uses: ./.github/actions/build-ui
+        id: build-ui
 
   # Artifacts is where we'll build the various Vault binaries and package them into their respective
   # Zip bundles, RPM and Deb packages, and container images. After we've packaged them we upload
@@ -392,23 +365,75 @@ jobs:
       web-ui-cache-key: ${{ needs.ui.outputs.cache-key }}
     secrets: inherit
 
+  # Setup HCP input parameters with proper validation
+  hcp-setup:
+    runs-on: ubuntu-latest
+    outputs:
+      pull-request-number: ${{ steps.pr-logic.outputs.pull-request-number }}
+      branch-name: ${{ steps.branch-logic.outputs.branch-name }}
+    steps:
+      - id: pr-logic
+        name: Determine pull request number
+        run: |
+          echo "Analyzing PR context for event: ${{ github.event_name }}"
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            PR_NUM="${{ github.event.pull_request.number }}"
+            if [[ -n "$PR_NUM" && "$PR_NUM" != "null" ]]; then
+              echo "PR context detected, using number: $PR_NUM"
+            else
+              echo "PR context but no valid number found, using 0"
+              PR_NUM="0"
+            fi
+          else
+            PR_NUM="0"
+            echo "Non-PR context, using fallback value: $PR_NUM"
+          fi
+          echo "pull-request-number=$PR_NUM" >> "$GITHUB_OUTPUT"
+
+      - id: branch-logic
+        name: Determine branch name
+        run: |
+          echo "Analyzing branch context for event: ${{ github.event_name }}"
+          if [[ "${{ github.event_name }}" == "schedule" ]]; then
+            BRANCH="main"
+            echo "Schedule context, using branch: $BRANCH"
+          else
+            BRANCH=""
+            echo "Non-schedule context, using empty branch"
+          fi
+          echo "branch-name=$BRANCH" >> "$GITHUB_OUTPUT"
+
   hcp-image:
+    # Logic: Run HCP image job if:
+    #   if needs.setup.outputs.is-ent-branch != 'true' then
+    #     false
+    #   elseif needs.setup.outputs.workflow-trigger == 'schedule' then
+    #     true
+    #   elseif needs.setup.outputs.workflow-trigger == 'pull_request' and (
+    #       contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') or
+    #       contains(fromJSON(needs.setup.outputs.labels), 'hcp/build-image') or
+    #       contains(fromJSON(needs.setup.outputs.labels), 'hcp/test')
+    #     ) then
+    #     true
+    #   end
     if: |
-      needs.setup.outputs.is-ent-branch == 'true' &&
-      needs.setup.outputs.workflow-trigger == 'schedule' ||
+      ( needs.setup.outputs.is-ent-branch != 'true' ) && false ||
+      ( needs.setup.outputs.workflow-trigger == 'schedule' ) && true ||
       ( needs.setup.outputs.workflow-trigger == 'pull_request' &&
-        (
+        ( contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') ||
+          contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') ||
           contains(fromJSON(needs.setup.outputs.labels), 'hcp/build-image') ||
           contains(fromJSON(needs.setup.outputs.labels), 'hcp/test')
         )
-      )
+      ) && true
     needs:
       - setup
       - artifacts-ent
+      - hcp-setup
     uses: ./.github/workflows/build-hcp-image.yml
     with:
-      pull-request: ${{ needs.setup.outputs.workflow-trigger == 'pull_request' && github.event.pull_request.number || '' }}
-      branch: ${{ needs.setup.outputs.workflow-trigger == 'schedule' && 'main' || '' }}
+      pull-request: ${{ fromJSON(needs.hcp-setup.outputs.pull-request-number) }}
+      branch: ${{ needs.hcp-setup.outputs.branch-name }}
       create-aws-image: true
       create-azure-image: false
       hcp-environment: int
@@ -433,7 +458,7 @@ jobs:
         include: ${{ needs.setup.outputs.is-ent-branch == 'true' && fromJSON(needs.artifacts-ent.outputs.testable-packages) || fromJSON(needs.artifacts-ce.outputs.testable-packages) }}
     with:
       build-artifact-name: ${{ matrix.artifact }}
-      runs-on: ${{ github.repository == 'hashicorp/vault' && '"ubuntu-latest"' || '["self-hosted","ubuntu-latest-x64"]' }}
+      runs-on: ${{ github.repository == 'hashicorp/vault' && '"ubuntu-latest"' || '["self-hosted","ubuntu-22.04-x64"]' }}
       sample-max: 1
       sample-name: ${{ matrix.sample }}
       ssh-key-name: ${{ github.event.repository.name }}-ci-ssh-key
@@ -473,11 +498,17 @@ jobs:
     # Test our custom HCP image if our image build was successful and we've
     # been configured with the correct label.
     if: |
-      needs.setup.outputs.is-ent-branch == 'true' &&
-      needs.setup.outputs.workflow-trigger == 'pull_request' &&
-      needs.artifacts-ent.result == 'success' &&
-      needs.hcp-image.result == 'success' &&
-      contains(fromJSON(needs.setup.outputs.labels), 'hcp/test')
+      needs.setup.outputs.is-ent-branch == 'true' && (
+        ( needs.setup.outputs.workflow-trigger == 'pull_request' &&
+          needs.artifacts-ent.result == 'success' &&
+          needs.hcp-image.result == 'success' &&
+          ( contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') || contains(fromJSON(needs.setup.outputs.labels), 'hcp/test') )
+        ) || (
+          needs.setup.outputs.workflow-trigger == 'schedule' &&
+          needs.artifacts-ent.result == 'success' &&
+          needs.hcp-image.result == 'success'
+        )
+      )
     needs:
       - setup
       - artifacts-ent
@@ -502,7 +533,7 @@ jobs:
         github.event_name == 'schedule' ||
         (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
       )
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions: write-all # Ensure we have id-token:write access for vault-auth.
     needs:
       - setup
@@ -558,6 +589,39 @@ jobs:
       - id: slackbot-webhook-url
         run:
           echo "slackbot-webhook-url=${{ needs.setup.outputs.is-ent-repo != 'true' && secrets.FEED_VAULT_CI_OFFICIAL_WEBHOOK_URL || steps.secrets.outputs.slackbot-webhook-url }}" >> "$GITHUB_OUTPUT"
+      - if: ${{ needs.setup.outputs.is-fork == 'false' }}
+        name: Download failure summaries
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: failure-summary-*.md
+          path: failure-summaries
+          merge-multiple: true
+      - if: ${{ needs.setup.outputs.is-fork == 'false' }}
+        id: prepare-failure-summary
+        name: Prepare failure summary
+        run: |
+          # Sort all of the summary table rows and push them to a temp file.
+          temp_file_name=temp-$(date +%s)
+          find failure-summaries -name '*.md' -type f -exec cat {} \; 2>/dev/null | sort >> "$temp_file_name" || true
+
+          # If there are test failures, present them in a format of a GitHub Markdown table.
+          if [ -s "$temp_file_name" ]; then
+            # Here we create the headings for the summary table
+            {
+              echo "| Test Type | Package | Test | Elapsed | Runner Index | Logs |"
+              echo "| --------- | ------- | ---- | ------- | ------------ | ---- |"
+              cat "$temp_file_name"
+            } >> "$GITHUB_STEP_SUMMARY"
+          else
+            if [ "${{ steps.status.outputs.result }}" == 'success' ]; then
+              echo "### All required tests passed! :white_check_mark:" >> "$GITHUB_STEP_SUMMARY"
+            fi
+          fi
+          {
+            echo 'table-test-results<<EOFTABLE'
+            cat "$temp_file_name"
+            echo EOFTABLE
+          } | tee -a "$GITHUB_OUTPUT"
       - if: |
           needs.setup.outputs.workflow-trigger == 'pull_request' &&
           github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name &&
@@ -573,12 +637,26 @@ jobs:
           TEST_CONTAINERS: ${{ needs.test-containers.result }}
           UI: ${{ needs.ui.result }}
         run: ./.github/scripts/report-build-status.sh
+      - name: Create test results comment
+        if: |
+          needs.setup.outputs.workflow-trigger == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name &&
+          (github.repository == 'hashicorp/vault' || github.repository == 'hashicorp/vault-enterprise') &&
+          needs.setup.outputs.is-fork == 'false'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          RUN_ID: ${{ github.run_id }}
+          REPO: ${{ github.event.repository.name }}
+          RESULT: ${{ steps.status.outputs.result }}
+          TABLE_DATA: ${{ steps.prepare-failure-summary.outputs.table-test-results }}
+        run: ./.github/scripts/report-ci-status.sh
       - name: Notify build failures in Slack
         if: |
           always() &&
           steps.status.outputs.result != 'success' &&
           (github.ref_name == 'main' || startsWith(github.ref_name, 'release/'))
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
         with:
           errors: true # exit with an error if the payload is invalid
           retries: rapid # retry if we're being rated limited
@@ -617,7 +695,7 @@ jobs:
         with:
           version: ${{ needs.setup.outputs.vault-version-metadata }}
           product: ${{ needs.setup.outputs.vault-binary-name }}
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: steps.generate-metadata-file.outcome == 'success' # upload our metadata if we created it
         with:
           name: metadata.json
diff --git a/.github/workflows/changelog-checker.yml b/.github/workflows/changelog-checker.yml
index 2d92d2d53b..f4df843ea8 100644
--- a/.github/workflows/changelog-checker.yml
+++ b/.github/workflows/changelog-checker.yml
@@ -15,7 +15,7 @@ jobs:
   changelog-check:
     # If there  a `pr/no-changelog` label we ignore this check
     if: "!contains(github.event.pull_request.labels.*.name, 'pr/no-changelog')"
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ff3853aff1..3a683afa5c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,11 +23,12 @@ concurrency:
 
 jobs:
   setup:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions: write-all # vault-auth
     outputs:
       changed-files: ${{ steps.changed-files.outputs.changed-files }}
       checkout-ref: ${{ steps.checkout.outputs.ref }}
+      compute-build: ${{ steps.metadata.outputs.compute-build }}
       compute-small: ${{ steps.metadata.outputs.compute-small }}
       compute-test-go: ${{ steps.metadata.outputs.compute-test-go }}
       compute-test-ui: ${{ steps.metadata.outputs.compute-test-ui }}
@@ -38,6 +39,7 @@ jobs:
       is-fork: ${{ steps.metadata.outputs.is-fork }}
       labels: ${{ steps.metadata.outputs.labels }}
       workflow-trigger: ${{ steps.metadata.outputs.workflow-trigger }}
+      run-ui-tests: ${{ steps.ui-should-run.outputs.run-ui-tests }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       # Make sure we check out correct ref based on PR labels and such
@@ -78,6 +80,12 @@ jobs:
           # Don't download them on a cache hit during setup, just make sure they're cached before
           # subsequent workflows are run.
           no-restore: true
+      # Run the UI tests if our UI has changed, or a 'ui' label is present, or our workflow trigger
+      # was triggered by a merge to main or releases/*.
+      - id: ui-should-run
+        name: Determine whether or not we should run UI tests
+        run: |
+          echo "run-ui-tests=${{ contains(fromJSON(steps.changed-files.outputs.changed-files).groups, 'ui') || steps.metadata.outputs.workflow-trigger == 'push' || contains(steps.metadata.outputs.labels, 'ui') }}" | tee -a "$GITHUB_OUTPUT"
 
   test-autopilot-upgrade:
     name: Run Autopilot upgrade tool
@@ -252,120 +260,16 @@ jobs:
 
   test-ui:
     name: Test UI
-    # Run the UI tests if our UI has changed, or a 'ui' label is present, or our workflow trigger
-    # was triggered by a merge to main or releases/*.
-    if: |
-      contains(fromJSON(needs.setup.outputs.changed-files).groups, 'ui') ||
-      needs.setup.outputs.workflow-trigger == 'push' ||
-      contains(needs.setup.outputs.labels, 'ui')
     needs: setup
-    permissions:
-      id-token: write
-      contents: read
-    runs-on: ${{ fromJSON(needs.setup.outputs.compute-test-ui) }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        name: status
-        with:
-          ref: ${{ needs.setup.outputs.checkout-ref }}
-      - uses: ./.github/actions/set-up-go
-        with:
-          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-      - name: Install PNPM
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
-        with:
-          run_install: false
-          package_json_file: './ui/package.json'
-
-      # Setup node.js with caching using the pnpm-lock.yaml file
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
-        with:
-          node-version-file: './ui/package.json'
-          cache: pnpm
-          cache-dependency-path: ui/pnpm-lock.yaml
-
-      - uses: browser-actions/setup-chrome@b94431e051d1c52dcbe9a7092a4f10f827795416 # v2.1.0
-      - name: ui-dependencies
-        working-directory: ./ui
-        run: |
-          pnpm i
-          npm rebuild node-sass
-      - if: needs.setup.outputs.is-ent-repo != 'true'
-        name: Rebuild font cache on Github hosted runner
-        # Fix `Fontconfig error: No writable cache directories` error on Github hosted runners
-        # This seems to have been introduced with this runner image: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240818.1
-        # Hopefully this will resolve itself at some point with a newer image and we can remove it
-        run: fc-cache -f -v
-      - if: needs.setup.outputs.is-ent-repo == 'true'
-        id: vault-auth
-        name: Authenticate to Vault
-        run: vault-auth
-      - if: needs.setup.outputs.is-ent-repo == 'true'
-        id: secrets
-        name: Fetch secrets
-        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
-        with:
-          url: ${{ steps.vault-auth.outputs.addr }}
-          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
-          token: ${{ steps.vault-auth.outputs.token }}
-          secrets: |
-            kv/data/github/hashicorp/vault-enterprise/github-token username-and-token | PRIVATE_REPO_GITHUB_TOKEN;
-            kv/data/github/hashicorp/vault-enterprise/license license_1 | VAULT_LICENSE;
-            kv/data/github/${{ github.repository }}/datadog-ci DATADOG_API_KEY;
-      - if: needs.setup.outputs.is-ent-repo == 'true'
-        name: Set up Git
-        run: git config --global url."https://${{ steps.secrets.outputs.PRIVATE_REPO_GITHUB_TOKEN }}@github.com".insteadOf https://github.com
-      - uses: ./.github/actions/install-tools
-      - name: build-go-dev
-        run: |
-          rm -rf ./pkg
-          mkdir ./pkg
-          make prep dev
-      - name: test-ui
-        env:
-          VAULT_LICENSE: ${{ steps.secrets.outputs.VAULT_LICENSE }}
-        run: |
-          export PATH="${PWD}/bin:${PATH}"
-          # Run Ember tests
-          cd ui
-          mkdir -p test-results/qunit
-          pnpm ${{ needs.setup.outputs.is-ent-branch == 'true' && 'test' || 'test:oss' }}
-      - if: always()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        with:
-          name: test-results-ui
-          path: ui/test-results
-      - name: Prepare datadog-ci
-        if: (github.repository == 'hashicorp/vault' || github.repository == 'hashicorp/vault-enterprise') && (success() || failure())
-        continue-on-error: true
-        run: |
-          if type datadog-ci > /dev/null 2>&1; then
-            exit 0
-          fi
-          # Curl does not always exit 1 if things go wrong. To determine if this is successful
-          # we'll silence all non-error output and check the results to determine success.
-          if ! out="$(curl -sSL --fail https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64 --output /usr/local/bin/datadog-ci 2>&1)"; then
-            printf "failed to download datadog-ci: %s" "$out"
-          fi
-          if [[ -n "$out" ]]; then
-            printf "failed to download datadog-ci: %s" "$out"
-          fi
-          chmod +x /usr/local/bin/datadog-ci
-      - name: Upload test results to DataDog
-        if: success() || failure()
-        continue-on-error: true
-        env:
-          DD_ENV: ci
-        run: |
-          if [[ ${{ github.repository }} == 'hashicorp/vault' ]]; then
-            export DATADOG_API_KEY=${{ secrets.DATADOG_API_KEY }}
-          fi
-          datadog-ci junit upload --service "$GITHUB_REPOSITORY" 'ui/test-results/qunit/results.xml'
-      - if: always()
-        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
-        with:
-          paths: "ui/test-results/qunit/results.xml"
-          show: "fail"
+    if: needs.setup.outputs.run-ui-tests == 'true'
+    uses: ./.github/workflows/test-ui.yml
+    with:
+      checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
+      runs-on: ${{ needs.setup.outputs.compute-build }}
+      runs-on-small: ${{ needs.setup.outputs.compute-test-ui }}
+      is-ent-repo: ${{ needs.setup.outputs.is-ent-repo }}
+      is-ent-branch: ${{ needs.setup.outputs.is-ent-branch }}
+    secrets: inherit
 
   tests-completed:
     needs:
@@ -377,7 +281,7 @@ jobs:
       - test-go-fips
       - test-ui
     if: always()
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions: write-all # Ensure we have id-token:write access for vault-auth.
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -430,8 +334,7 @@ jobs:
           secrets: |
             kv/data/github/${{ github.repository }}/slack feed-vault-ci-official-webhook-url | slackbot-webhook-url;
       - id: slackbot-webhook-url
-        run:
-          echo "slackbot-webhook-url=${{ needs.setup.outputs.is-ent-repo != 'true' && secrets.FEED_VAULT_CI_OFFICIAL_WEBHOOK_URL || steps.secrets.outputs.slackbot-webhook-url }}" >> "$GITHUB_OUTPUT"
+        run: echo "slackbot-webhook-url=${{ needs.setup.outputs.is-ent-repo != 'true' && secrets.FEED_VAULT_CI_OFFICIAL_WEBHOOK_URL || steps.secrets.outputs.slackbot-webhook-url }}" >> "$GITHUB_OUTPUT"
       - if: |
           always() &&
           needs.setup.outputs.workflow-trigger == 'push' &&
@@ -445,7 +348,7 @@ jobs:
             needs.test-ui.result == 'failure'
           )
         name: Notify build failures in Slack
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
         with:
           errors: true # exit with an error if the payload is invalid
           retries: rapid # retry if we're being rated limited
@@ -486,13 +389,16 @@ jobs:
       # Only create the PR summary if it's a pull request and it is not a fork as we need access
       # to secrets.
       - if: ${{ needs.setup.outputs.is-fork == 'false' }}
+        id: download-summaries
         name: Download failure summaries
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: failure-summary-*.md
           path: failure-summaries
           merge-multiple: true
-      - if: ${{ needs.setup.outputs.is-fork == 'false' }}
+        # Don't allow failure summary aggregation to fail this workflow
+        continue-on-error: true
+      - if: needs.setup.outputs.is-fork == 'false' && steps.download-summaries.outcome == 'success'
         id: prepare-failure-summary
         name: Prepare failure summary
         run: |
@@ -507,10 +413,10 @@ jobs:
               echo "| Test Type | Package | Test | Elapsed | Runner Index | Logs |"
               echo "| --------- | ------- | ---- | ------- | ------------ | ---- |"
               cat "$temp_file_name"
-            } >> "$GITHUB_STEP_SUMMARY"
+            } | tee -a "$GITHUB_STEP_SUMMARY"
           else
             if [ "${{ steps.status.outputs.result }}" == 'success' ]; then
-              echo "### All required Go tests passed! :white_check_mark:" >> "$GITHUB_STEP_SUMMARY"
+              echo "### All required Go tests passed! :white_check_mark:" | tee -a "$GITHUB_STEP_SUMMARY"
             fi
           fi
           {
@@ -519,7 +425,7 @@ jobs:
             echo EOFTABLE
           } | tee -a "$GITHUB_OUTPUT"
       - name: Create comment
-        if: github.head_ref != '' && needs.setup.outputs.is-fork == 'false'
+        if: github.head_ref != '' && needs.setup.outputs.is-fork == 'false' && steps.prepare-failure-summary.outcome == 'success'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/code-checker.yml b/.github/workflows/code-checker.yml
index cb622738d3..7669319121 100644
--- a/.github/workflows/code-checker.yml
+++ b/.github/workflows/code-checker.yml
@@ -15,7 +15,7 @@ concurrency:
 jobs:
   setup:
     name: Setup
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Ensure Go modules are cached
@@ -30,7 +30,7 @@ jobs:
 
   deprecations:
     name: Deprecated functions
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     needs: setup
     if: github.base_ref == 'main'
     steps:
@@ -47,7 +47,7 @@ jobs:
 
   codechecker:
     name: Code checks
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     needs: setup
     if: github.base_ref == 'main'
     steps:
@@ -69,7 +69,7 @@ jobs:
 
   generate-delta:
     name: Protobuf generate delta
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     needs: setup
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -83,7 +83,7 @@ jobs:
 
   format:
     name: Format
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     needs: setup
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -101,7 +101,7 @@ jobs:
 
   semgrep:
     name: Semgrep
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     container:
       image: returntocorp/semgrep@sha256:cfad18cfb6536aa48ad5a71017207a10320b4e17e3b2bd7b7de27b42dc9651e7 #v1.58
     steps:
diff --git a/.github/workflows/copywrite.yml b/.github/workflows/copywrite.yml
index 61b84921aa..df443d7db8 100644
--- a/.github/workflows/copywrite.yml
+++ b/.github/workflows/copywrite.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   copywrite:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: hashicorp/setup-copywrite@32638da2d4e81d56a0764aa1547882fc4d209636 # v1.1.3
diff --git a/.github/workflows/do-not-merge-checker.yml b/.github/workflows/do-not-merge-checker.yml
index c3d05d48ff..313b6e6a08 100644
--- a/.github/workflows/do-not-merge-checker.yml
+++ b/.github/workflows/do-not-merge-checker.yml
@@ -15,7 +15,7 @@ jobs:
   do-not-merge-check:
     # If there is a `do-not-merge` label we ignore this check
     if: ${{ contains(github.event.pull_request.labels.*.name, 'do-not-merge') }}
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - name: Fail if do-not-merge label is applied
         run: |
diff --git a/.github/workflows/enos-lint.yml b/.github/workflows/enos-lint.yml
index 4dad11e45d..d56e24b433 100644
--- a/.github/workflows/enos-lint.yml
+++ b/.github/workflows/enos-lint.yml
@@ -12,7 +12,7 @@ jobs:
     # as we need secrets to install enos.
     if: "! github.event.pull_request.head.repo.fork"
     name: metadata
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     outputs:
       runs-on: ${{ steps.metadata.outputs.runs-on }}
       version: ${{ steps.metadata.outputs.version }}
@@ -27,7 +27,7 @@ jobs:
           echo "version=${{ steps.set-product-version.outputs.product-version }}" >> "$GITHUB_OUTPUT"
           github_repository="${{ github.repository }}"
           if [ "${github_repository##*/}" == "vault-enterprise" ] ; then
-            echo 'runs-on=["self-hosted","ubuntu-latest-x64","type=c6a.2xlarge;c6a.4xlarge;c6a.8xlarge"]' >> "$GITHUB_OUTPUT"
+            echo 'runs-on=["self-hosted","ubuntu-22.04-x64","large"]' >> "$GITHUB_OUTPUT"
           else
             echo 'runs-on="custom-linux-xl-vault-latest"' >> "$GITHUB_OUTPUT"
           fi
@@ -42,10 +42,10 @@ jobs:
           no-restore: true
           no-save: true
       - uses: ./.github/actions/install-tools
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
         with:
           terraform_wrapper: false
-      - uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
+      - uses: hashicorp/action-setup-enos@6ec106c8f809fe645162d73bea565c65f3269907 # v1.52
       - name: Ensure shellcheck is available for linting
         run: which shellcheck || (sudo apt update && sudo apt install -y shellcheck)
       - name: lint
diff --git a/.github/workflows/mend-pr-scan.yml b/.github/workflows/mend-pr-scan.yml
index 7277ff06fe..9b8559bf94 100644
--- a/.github/workflows/mend-pr-scan.yml
+++ b/.github/workflows/mend-pr-scan.yml
@@ -11,7 +11,7 @@ concurrency:
 jobs:
   mend-scan:
     if: ${{ github.repository == 'hashicorp/vault-enterprise' }}
-    runs-on: [self-hosted, ubuntu-latest-x64]
+    runs-on: [self-hosted, ubuntu-22.04-x64]
     permissions:
       id-token: write
       contents: read
@@ -34,7 +34,7 @@ jobs:
           psirt-id: "PSIRT_PRD0014264"
 
       - name: Upload Scan Artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         if: always()
         with:
           name: mend-scan-results-pr-${{ github.event.number }}
diff --git a/.github/workflows/milestone-checker.yml b/.github/workflows/milestone-checker.yml
index ef06d3f181..3ec8205793 100644
--- a/.github/workflows/milestone-checker.yml
+++ b/.github/workflows/milestone-checker.yml
@@ -20,7 +20,7 @@ jobs:
     if: ${{ ((github.repository == 'hashicorp/vault' || github.repository == 'hashicorp/vault-enterprise')
       && (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
       && (!contains(github.event.pull_request.labels.*.name, 'pr/no-milestone')) }}
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - name: Check milestone
         run: ${{ github.event.pull_request.milestone != null }}
diff --git a/.github/workflows/oss.yml b/.github/workflows/oss.yml
index 3f290a265a..9410363322 100644
--- a/.github/workflows/oss.yml
+++ b/.github/workflows/oss.yml
@@ -21,7 +21,7 @@ jobs:
       - if: github.event.pull_request != null
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - if: github.event.pull_request != null
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: changes
         with:
           # derived from CODEOWNERS
diff --git a/.github/workflows/plugin-update-check.yml b/.github/workflows/plugin-update-check.yml
index 3ed737b900..4a1a02b588 100644
--- a/.github/workflows/plugin-update-check.yml
+++ b/.github/workflows/plugin-update-check.yml
@@ -15,7 +15,7 @@ on:
 
 jobs:
   plugin-update-check:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     env:
       PLUGIN_REPO: "${{inputs.repo}}"
       PLUGIN_BRANCH: "${{inputs.plugin_branch}}"
@@ -29,7 +29,7 @@ jobs:
           # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
           token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
 
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
           go-version-file: .go-version
diff --git a/.github/workflows/plugin-update.yml b/.github/workflows/plugin-update.yml
index 586b424909..4652f5eafd 100644
--- a/.github/workflows/plugin-update.yml
+++ b/.github/workflows/plugin-update.yml
@@ -31,7 +31,7 @@ on:
 
 jobs:
   plugin-update:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     env:
       GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       GOPRIVATE: github.com/hashicorp/*
diff --git a/.github/workflows/remove-labels.yml b/.github/workflows/remove-labels.yml
index e9bbeb5cb5..b73e6b8d29 100644
--- a/.github/workflows/remove-labels.yml
+++ b/.github/workflows/remove-labels.yml
@@ -10,7 +10,7 @@ jobs:
 
   RemoveWaitingLabelFromClosedIssueOrPR:
     if: github.event.action == 'closed'
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - name: Remove triaging labels from closed issues and PRs
         uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index b4e2043f21..9c2f7be4b5 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -16,7 +16,7 @@ on:
 
 jobs:
   scan:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge;c6a.2xlarge;m8a.4xlarge;c6a.8xlarge"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64","xlarge"]') }}
     # The first check ensures this doesn't run on community-contributed PRs, who won't have the
     # permissions to run this job.
     if: |
@@ -27,7 +27,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Go
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
         go-version: 'stable'
diff --git a/.github/workflows/test-ci-bootstrap.yml b/.github/workflows/test-ci-bootstrap.yml
index 88822e2872..6f6db08368 100644
--- a/.github/workflows/test-ci-bootstrap.yml
+++ b/.github/workflows/test-ci-bootstrap.yml
@@ -22,7 +22,7 @@ on:
 
 jobs:
   bootstrap-ci:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions: write-all
     env:
       TF_WORKSPACE: "${{ github.event.repository.name }}-ci-enos-bootstrap"
@@ -32,11 +32,11 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
         with:
           terraform_wrapper: false
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
diff --git a/.github/workflows/test-ci-cleanup.yml b/.github/workflows/test-ci-cleanup.yml
index d60dd11543..418bd9b069 100644
--- a/.github/workflows/test-ci-cleanup.yml
+++ b/.github/workflows/test-ci-cleanup.yml
@@ -7,14 +7,14 @@ on:
 
 jobs:
   setup:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions: write-all
     outputs:
       regions: ${{steps.setup.outputs.regions}}
     steps:
       - name: Configure AWS credentials
         id: aws-configure
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
@@ -29,7 +29,7 @@ jobs:
 
   aws-nuke:
     needs: setup
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     container:
       image: ghcr.io/ekristen/aws-nuke:v3.51.0 # https://github.com/ekristen/aws-nuke/pkgs/container/aws-nuke
       options:
@@ -43,7 +43,7 @@ jobs:
     steps:
       - name: Configure AWS credentials
         id: aws-configure
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
@@ -68,7 +68,7 @@ jobs:
 
   check-quotas:
     needs: [ setup, aws-nuke ]
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     container:
       image: jantman/awslimitchecker
       env:
@@ -80,7 +80,7 @@ jobs:
     steps:
       - name: Configure AWS credentials
         id: aws-configure
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
diff --git a/.github/workflows/test-enos-scenario-ui.yml b/.github/workflows/test-enos-scenario-ui.yml
index a43b20d1fb..5f40fa6efe 100644
--- a/.github/workflows/test-enos-scenario-ui.yml
+++ b/.github/workflows/test-enos-scenario-ui.yml
@@ -35,7 +35,7 @@ on:
 jobs:
   get-metadata:
     name: Get metadata
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     outputs:
       is-ent-branch: ${{ steps.metadata.outputs.is-ent-branch }}
       is-ent-repo: ${{ steps.metadata.outputs.is-ent-repo }}
@@ -48,7 +48,7 @@ jobs:
       - id: get-outputs
         run: |
           if [[ '${{ steps.metadata.outputs.is-ent-repo }}' == 'true' ]]; then
-            echo "runs-on=['self-hosted', 'ondemand', 'os=linux', 'type=m8a.4xlarge;m7a.4xlarge;m5d.4xlarge']" >> "$GITHUB_OUTPUT"
+            echo 'runs-on=["self-hosted","ubuntu-22.04-x64","xlarge"]' >> "$GITHUB_OUTPUT"
           else
             echo "runs-on=\"custom-linux-xl-vault-latest\"" >> "$GITHUB_OUTPUT"
           fi
@@ -82,23 +82,23 @@ jobs:
       - uses: ./.github/actions/set-up-go
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-      - uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
+      - uses: hashicorp/action-setup-enos@6ec106c8f809fe645162d73bea565c65f3269907 # v1.52
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - name: Set Up Git
         run: git config --global url."https://${{ secrets.elevated_github_token }}:@github.com".insteadOf "https://github.com"
       - name: Set Up Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version-file: './ui/package.json'
           cache: pnpm
           cache-dependency-path: ui/pnpm-lock.yaml
       - name: Install PNPM
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
           package_json_file: './ui/package.json'
       - name: Set Up Terraform
-        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
         with:
           cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
           terraform_wrapper: false
@@ -120,12 +120,12 @@ jobs:
           sudo apt install -y libnss3-dev libgdk-pixbuf2.0-dev libgtk-3-dev libxss-dev libasound2
       - name: Install Chrome
         if: steps.chrome-check.outputs.chrome-version == 'not-installed'
-        uses: browser-actions/setup-chrome@b94431e051d1c52dcbe9a7092a4f10f827795416 # v2.1.0
+        uses: browser-actions/setup-chrome@4f8e94349a351df0f048634f25fec36c3c91eded # v2.1.1
       - name: Installed Chrome Version
         run: |
           echo "Installed Chrome Version = [$(chrome --version 2> /dev/null || google-chrome --version 2> /dev/null || google-chrome-stable --version 2> /dev/null)]"
       - name: Configure AWS credentials from Test account
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
index e785a4b16d..6d98469ebf 100644
--- a/.github/workflows/test-go.yml
+++ b/.github/workflows/test-go.yml
@@ -147,7 +147,7 @@ jobs:
       - uses: ./.github/actions/install-tools # for gotestsum
       - run: mkdir -p ${{ steps.local-metadata.outputs.go-test-dir }}
       - if: inputs.test-timing-cache-restore || inputs.test-timing-cache-save
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ steps.local-metadata.outputs.go-test-dir }}
           key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
@@ -185,7 +185,7 @@ jobs:
           # testonly tagged tests need an additional tag to be included
           # also running some extra tests for sanity checking with the testonly build tag
           (
-            go list -tags=testonly ./vault/external_tests/{kv,token,*replication-perf*,*testonly*} ./command/*testonly* ./vault/ | gotestsum tool ci-matrix --debug \
+            go list -tags=testonly ./vault/external_tests/{kv,token,*replication-perf*,*testonly*,*verify*} ./command/*testonly* ./vault/ | gotestsum tool ci-matrix --debug \
               --partitions "${{ inputs.total-runners }}" \
               --timing-files '${{ steps.local-metadata.outputs.go-test-dir }}/*.json' > matrix.json
           )
@@ -338,7 +338,33 @@ jobs:
         # The dev mode binary has to exist for binary tests that are dispatched on the last runner.
         env:
           GOPRIVATE: github.com/hashicorp/*
-        run: time make prep dev
+        run: |
+          set -exo pipefail
+          time make prep dev
+          mv bin/vault vault-binary
+      - if: inputs.binary-tests && matrix.id == inputs.total-runners
+        id: build-docker-image
+        name: Build Docker image with custom vault binary
+        run: |
+          set -exo pipefail
+
+          if [ "${{ needs.test-matrix.outputs.is-ent-branch }}" == "true" ]; then
+            go run ./tools/testimagemaker/ -source=docker.io/hashicorp/vault-enterprise:latest -target=hashicorp/vault-enterprise-ci:latest -binary=./vault-binary
+            go run ./tools/testimagemaker/ -source=docker.io/hashicorp/vault-enterprise:2.0.1-ent.hsm -target=hashicorp/vault-enterprise-ci:latest-hsm -binary=./vault-hsm-binary -hsm
+
+            # Verify the images were built successfully
+            docker images hashicorp/vault-enterprise-ci:latest
+            echo "image=hashicorp/vault-enterprise-ci:latest" >> "$GITHUB_OUTPUT"
+
+            docker images hashicorp/vault-enterprise-ci:latest-hsm
+            echo "hsmimage=hashicorp/vault-enterprise-ci:latest-hsm" >> "$GITHUB_OUTPUT"
+          else
+            go run ./tools/testimagemaker/ -source=docker.io/hashicorp/vault:latest -target=hashicorp/vault-ci:latest -binary=./vault-binary
+
+            # Verify the images was built successfully
+            docker images hashicorp/vault-ci:latest
+            echo "image=hashicorp/vault-ci:latest" >> "$GITHUB_OUTPUT"
+          fi
       - if: needs.test-matrix.outputs.is-ent-repo != 'true'
         # Enterprise repo runners do not allow sudo, so can't install gVisor there yet.
         name: Install gVisor
@@ -402,17 +428,26 @@ jobs:
           # The docker/binary tests are more expensive, and we've had problems with timeouts when running at full
           # parallelism.  The default if -p isn't specified is to use NumCPUs, which seems fine for regular tests.
           package_parallelism=""
+          test_parallelism="${{ inputs.go-test-parallelism }}"
 
-          if [ -f vault-hsm-binary ]; then
-            VAULT_HSM_BINARY="$(pwd)/vault-hsm-binary"
-            export VAULT_HSM_BINARY
+          # The image will be preferred by most docker tests, since it doesn't require the extra
+          # overhead of mutating an image to add the current binary.  We still populate $VAULT_BINARY
+          # for the sake of exec tests like TestSysPprof_Exec.
+          if [ -f vault-binary ]; then
+            VAULT_BINARY=$(pwd)/vault-binary
+            export VAULT_BINARY
+            export VAULT_IMAGE=${{ steps.build-docker-image.outputs.image }}
           fi
 
-          if [ -f bin/vault ]; then
-            VAULT_BINARY="$(pwd)/bin/vault"
-            export VAULT_BINARY
+          if [ -f vault-hsm-binary ]; then
+            VAULT_HSM_BINARY=$(pwd)/vault-hsm-binary
+            export VAULT_HSM_BINARY
+            export VAULT_HSM_IMAGE=${{ steps.build-docker-image.outputs.hsmimage }}
+          fi
 
+          if [ -f vault-binary ] || [ -f vault-hsm-binary ]; then
             package_parallelism="-p 2"
+            test_parallelism=4
           fi
 
           # If running Go tests on the enterprise repo, add a flag to rerun failed tests.
@@ -436,7 +471,7 @@ jobs:
               $package_parallelism \
               -tags "${{ inputs.go-tags }}" \
               -timeout=${{ inputs.go-test-timeout }} \
-              -parallel=${{ inputs.go-test-parallelism }} \
+              -parallel="$test_parallelism" \
               ${{ inputs.extra-flags }} \
       - if: (github.repository == 'hashicorp/vault' || github.repository == 'hashicorp/vault-enterprise') && (success() || failure())
         name: Prepare datadog-ci
@@ -473,14 +508,14 @@ jobs:
           tar -cvf '${{ steps.metadata.outputs.go-test-log-archive-name }}' -C "${{ steps.metadata.outputs.go-test-log-dir }}" .
       - if: success() || failure()
         name: Upload test logs archives
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ steps.metadata.outputs.go-test-log-archive-name }}
           path: ${{ steps.metadata.outputs.go-test-log-archive-name }}
           retention-days: 7
       - if: success() || failure()
         name: Upload test results
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ steps.metadata.outputs.go-test-results-upload-key }}
           path: |
@@ -518,7 +553,7 @@ jobs:
           echo "data-race-result=${result}" | tee -a "$GITHUB_OUTPUT"
       - if: (success() || failure()) && steps.data-race-check.outputs.data-race-result == 'failure'
         name: Upload data race detector failure log
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ steps.metadata.outputs.data-race-log-upload-key }}
           path: ${{ steps.metadata.outputs.go-test-dir }}/${{ steps.metadata.outputs.data-race-log-file }}
@@ -530,7 +565,7 @@ jobs:
       # so we have to fetch it from the API
       - if: success() || failure()
         name: Fetch job logs URL
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         continue-on-error: true
         with:
           retries: 3
@@ -592,7 +627,7 @@ jobs:
           >> '${{ steps.metadata.outputs.failure-summary-file-name }}'
       - if: success() || failure()
         name: Upload failure summary
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ steps.metadata.outputs.failure-summary-file-name }}
           path: ${{ steps.metadata.outputs.failure-summary-file-name }}
@@ -609,7 +644,7 @@ jobs:
       data-race-output: ${{ steps.status.outputs.data-race-output }}
       data-race-result: ${{ steps.status.outputs.data-race-result }}
     steps:
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: ${{ needs.test-go.outputs.data-race-log-download-pattern }}
           path: data-race-logs
@@ -651,7 +686,7 @@ jobs:
           } | tee -a "$GITHUB_OUTPUT"
       # Aggregate, prune, and cache our timing data
       - if: ${{ ! cancelled() && needs.test-go.result == 'success' && inputs.test-timing-cache-save }}
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ needs.test-matrix.outputs.go-test-dir }}
           key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
@@ -659,7 +694,7 @@ jobs:
             ${{ inputs.test-timing-cache-key }}-
             go-test-timing-
       - if: ${{ ! cancelled() && needs.test-go.result == 'success' && inputs.test-timing-cache-save }}
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ${{ needs.test-matrix.outputs.go-test-dir }}
           pattern: ${{ needs.test-go.outputs.go-test-results-download-pattern }}
diff --git a/.github/workflows/test-run-acc-tests-for-path.yml b/.github/workflows/test-run-acc-tests-for-path.yml
index 13f0295746..2dc88ee983 100644
--- a/.github/workflows/test-run-acc-tests-for-path.yml
+++ b/.github/workflows/test-run-acc-tests-for-path.yml
@@ -18,14 +18,14 @@ env:
 
 jobs:
   go-test:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: ./.github/actions/set-up-go
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - run: go test -v ./${{ inputs.path }}/... 2>&1 | tee ${{ inputs.name }}.txt
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ inputs.name }}-output
           path: ${{ inputs.name }}.txt
diff --git a/.github/workflows/test-run-enos-scenario-containers.yml b/.github/workflows/test-run-enos-scenario-containers.yml
index 4e8dd5fc21..e05c52637f 100644
--- a/.github/workflows/test-run-enos-scenario-containers.yml
+++ b/.github/workflows/test-run-enos-scenario-containers.yml
@@ -34,7 +34,7 @@ on:
 
 jobs:
   metadata:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     outputs:
       build-date: ${{ steps.metadata.outputs.build-date }}
       is-ent-repo: ${{ steps.global-metadata.outputs.is-ent-repo }}
@@ -44,7 +44,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.vault-revision }}
-      - uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
+      - uses: hashicorp/action-setup-enos@6ec106c8f809fe645162d73bea565c65f3269907 # v1.52
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - uses: ./.github/actions/metadata
@@ -73,7 +73,7 @@ jobs:
   run:
     needs: metadata
     name: run ${{ matrix.scenario.id.filter }}
-    runs-on: ${{ fromJSON(needs.metadata.outputs.is-ent-repo == 'true' && (contains(inputs.build-artifact-name, 'arm64') && '["self-hosted","ondemand","os=ubuntu-arm","type=c6g.xlarge;c6g.2xlarge;c6g.4xlarge"]' || '["self-hosted","ubuntu-latest-x64"]') || (contains(inputs.build-artifact-name, 'arm64') && '"ubuntu-22.04-arm"' || '"ubuntu-latest"')) }}
+    runs-on: ${{ fromJSON(needs.metadata.outputs.is-ent-repo == 'true' && (contains(inputs.build-artifact-name, 'arm64') && '["self-hosted","ubuntu-24.04-arm64"]' || '["self-hosted","ubuntu-22.04-x64"]') || (contains(inputs.build-artifact-name, 'arm64') && '"ubuntu-22.04-arm"' || '"ubuntu-latest"')) }}
     strategy:
       fail-fast: false # don't fail as that can skip required cleanup steps for jobs
       matrix:
@@ -82,17 +82,9 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
-        with:
-          # the Terraform wrapper will break Terraform execution in Enos because
-          # it changes the output to text when we expect it to be JSON.
-          terraform_wrapper: false
-      - uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
-        with:
-          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - name: Download Docker Image
         id: download
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: ${{ inputs.build-artifact-name }}
           path: ./enos/support/downloads
@@ -101,40 +93,22 @@ jobs:
         run: |
           echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
       - name: Run Enos scenario
-        id: run
-        # Continue once and retry to handle occasional blips when creating
-        # infrastructure.
-        continue-on-error: true
+        id: run-scenario
         env:
           ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
           ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
           ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
           ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
           ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
-        run: |
-          mkdir -p ./enos/support/terraform-plugin-cache
-          enos scenario run --timeout 10m0s --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
-      - name: Retry Enos scenario
-        id: run_retry
-        if: steps.run.outcome == 'failure'
-        env:
-          ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
-          ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
-          ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
-          ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
-        run: |
-          enos scenario run --timeout 10m0s --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
-      - name: Destroy Enos scenario
-        if: ${{ always() }}
-        env:
-          ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
-          ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
-          ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
-          ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
-        run: |
-          enos scenario destroy --timeout 10m0s --grpc-listen http://localhost --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
+        uses: ./.github/actions/run-enos-scenario
+        with:
+          scenario-filter: ${{ matrix.scenario.id.filter }}
+          working-directory: ./enos/k8s
+          timeout: 10m0s
+          retry-timeout: 10m0s
+          destroy-timeout: 10m0s
+          show-state-on-retry: ${{ github.repository == 'hashicorp/vault-enterprise' && 'true' || 'false' }}
+          destroy-extra-args: --grpc-listen http://localhost
       - name: Cleanup Enos runtime directories
         if: ${{ always() }}
         run: |
diff --git a/.github/workflows/test-run-enos-scenario-matrix.yml b/.github/workflows/test-run-enos-scenario-matrix.yml
index f3ebc3517b..dae2826ccd 100644
--- a/.github/workflows/test-run-enos-scenario-matrix.yml
+++ b/.github/workflows/test-run-enos-scenario-matrix.yml
@@ -43,7 +43,7 @@ on:
 
 jobs:
   metadata:
-    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions:
       id-token: write # vault-auth
       contents: read
@@ -70,7 +70,7 @@ jobs:
           token: ${{ steps.vault-auth.outputs.token }}
           secrets: |
             kv/data/github/${{ github.repository }}/github-token token | ELEVATED_GITHUB_TOKEN;
-      - uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
+      - uses: hashicorp/action-setup-enos@6ec106c8f809fe645162d73bea565c65f3269907 # v1.52
         with:
           github-token: ${{ github.repository == 'hashicorp/vault' && secrets.ELEVATED_GITHUB_TOKEN || steps.vault-secrets.outputs.ELEVATED_GITHUB_TOKEN }}
       - uses: ./.github/actions/create-dynamic-config
@@ -112,6 +112,7 @@ jobs:
     permissions:
       id-token: write # vault-auth
       contents: read
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -138,7 +139,9 @@ jobs:
             kv/data/github/${{ github.repository }}/slack feed-vault-enos-failures-webhook-url | SLACK_WEBHOOK_URL;
             kv/data/github/${{ github.repository }}/enos ssh-key | SSH_KEY_PRIVATE_CI;
             kv/data/github/${{ github.repository }}/license license_1 | VAULT_LICENSE;
+            kv/data/github/${{ github.repository }}/ibm-license license_1 | VAULT_LICENSE_IBM;
             kv/data/github/${{ github.repository }}/github-token token | ELEVATED_GITHUB_TOKEN;
+
       - id: secrets
         run: |
           if [[ "${{ needs.metadata.outputs.is-ent-repo }}" != 'true' ]]; then
@@ -155,6 +158,7 @@ jobs:
               echo "${{ secrets.SSH_KEY_PRIVATE_CI }}"
               echo EOFSSHKEYCE
               echo 'vault-license=${{ secrets.VAULT_LICENSE }}'
+              echo 'vault-license-ibm=${{ secrets.VAULT_LICENSE_IBM }}'
            } | tee -a "$GITHUB_OUTPUT"
           else
             {
@@ -170,8 +174,10 @@ jobs:
               echo "${{ steps.vault-secrets.outputs.SSH_KEY_PRIVATE_CI }}"
               echo EOFSSHKEYENT
               echo 'vault-license=${{ steps.vault-secrets.outputs.VAULT_LICENSE }}'
+              echo 'vault-license-ibm=${{ steps.vault-secrets.outputs.VAULT_LICENSE_IBM }}'
             } | tee -a "$GITHUB_OUTPUT"
           fi
+
       - id: env
         run: |
           # Configure input environment variables.
@@ -191,6 +197,7 @@ jobs:
             echo 'ENOS_VAR_vault_artifact_path=./support/downloads/${{ inputs.build-artifact-name }}'
             echo 'ENOS_VAR_vault_build_date=${{ needs.metadata.outputs.build-date }}'
             echo 'ENOS_VAR_vault_license_path=./support/vault.hclic'
+            echo 'ENOS_VAR_vault_ibm_license_path=./support/ibm-pao.lic'
             echo 'ENOS_VAR_vault_product_version=${{ needs.metadata.outputs.vault-version }}'
             echo 'ENOS_VAR_vault_radar_license_path=./support/vault-radar.hclic'
             echo 'ENOS_VAR_vault_revision=${{ inputs.vault-revision }}'
@@ -200,13 +207,20 @@ jobs:
             echo 'ENOS_VAR_verify_ldap_secrets_engine=false'
             echo 'ENOS_VAR_verify_log_secrets=true'
           } | tee -a "$GITHUB_ENV"
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+
+      - uses: ./.github/actions/set-up-go
         with:
-          # the Terraform wrapper will break Terraform execution in Enos because
-          # it changes the output to text when we expect it to be JSON.
-          terraform_wrapper: false
+          github-token: ${{ steps.secrets.outputs.github-token }}
+
+      - name: Install LDAP client tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ldap-utils
+
+      - uses: ./.github/actions/install-tools
+
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           aws-access-key-id: ${{ steps.secrets.outputs.aws-access-key-id }}
           aws-secret-access-key: ${{ steps.secrets.outputs.aws-secret-access-key }}
@@ -214,14 +228,13 @@ jobs:
           role-to-assume: ${{ steps.secrets.outputs.aws-role-arn }}
           role-skip-session-tagging: true
           role-duration-seconds: 3600
-      - uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
-        with:
-          github-token: ${{ steps.secrets.outputs.github-token }}
+
       - uses: ./.github/actions/create-dynamic-config
         with:
           github-token: ${{ steps.secrets.outputs.github-token }}
           vault-version: ${{ inputs.vault-version }}
           vault-edition: ${{ inputs.vault-edition }}
+
       - name: Prepare scenario dependencies
         id: prepare_scenario
         run: |
@@ -230,50 +243,136 @@ jobs:
           chmod 600 "./enos/support/private_key.pem"
           sha256sum "./enos/support/private_key.pem"
           du -h "./enos/support/private_key.pem"
-          echo "debug_data_artifact_name=enos-debug-data_$(echo "${{ matrix.scenario }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')" >> "$GITHUB_OUTPUT"
+          {
+            echo "debug_data_artifact_name=enos-debug-data_$(echo "${{ matrix.scenario }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')"
+            echo "test_results_artifact_name=test-results_$(echo "${{ matrix.scenario.id.filter }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')"
+            echo "junit_results_artifact_name=junit-results_$(echo "${{ matrix.scenario.id.filter }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')"
+            echo "failure_summary_artifact_name=failure-summary-enos_$(echo "${{ matrix.scenario.id.filter }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g').md"
+          } | tee -a "$GITHUB_OUTPUT"
+
       - if: contains(inputs.sample-name, 'build')
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: ${{ inputs.build-artifact-name }}
           path: ./enos/support/downloads
+
       - if: contains(inputs.sample-name, 'ent')
-        name: Configure Vault license
-        run: echo "${{ steps.secrets.outputs.vault-license }}" > ./enos/support/vault.hclic || true
+        name: Configure Vault licenses
+        run: |
+          echo "${{ steps.secrets.outputs.vault-license }}" > ./enos/support/vault.hclic || true
+          echo "${{ steps.secrets.outputs.vault-license-ibm }}" > ./enos/support/ibm-pao.lic || true
+
       - if: contains(matrix.scenario.id.filter, 'consul_edition:ent')
         name: Configure Consul license
         run: |
           echo "${{ steps.secrets.outputs.consul-license }}" > ./enos/support/consul.hclic || true
+
       - name: Configure Vault Radar license
         run: |
           echo "${{ steps.secrets.outputs.radar-license }}" > ./enos/support/vault-radar.hclic || true
-      - id: launch
-        name: enos scenario launch ${{ matrix.scenario.id.filter }}
-        # Continue once and retry to handle occasional blips when creating infrastructure.
-        continue-on-error: true
-        run: enos scenario launch --timeout 45m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
-      - if: steps.launch.outcome == 'failure'
-        id: launch_retry
-        name: Retry enos scenario launch ${{ matrix.scenario.id.filter }}
-        run: enos scenario launch --timeout 45m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
-      - name: Upload Debug Data
-        if: failure()
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+
+      - id: run-scenario
+        name: Run Enos scenario ${{ matrix.scenario.id.filter }}
+        uses: ./.github/actions/run-enos-scenario
         with:
-          # The name of the artifact is the same as the matrix scenario name with the spaces replaced with underscores and colons replaced by equals.
-          name: ${{ steps.prepare_scenario.outputs.debug_data_artifact_name }}
-          path: ${{ env.ENOS_DEBUG_DATA_ROOT_DIR }}
-          retention-days: 30
+          scenario-filter: ${{ matrix.scenario.id.filter }}
+          working-directory: ./enos
+          timeout: 45m0s
+          retry-timeout: 30m0s
+          destroy-timeout: 10m0s
+          show-state-on-retry: ${{ github.repository == 'hashicorp/vault-enterprise' && 'true' || 'false' }}
+          upload-debug-data: 'true'
+          debug-data-retention-days: '30'
+          debug-data-path: ${{ env.ENOS_DEBUG_DATA_ROOT_DIR }}
+
+      - name: Upload Test Results
+        if: always()
+        id: upload_test_results
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: ${{ steps.prepare_scenario.outputs.test_results_artifact_name }}
+          path: /tmp/vault_test_results_*.json
+          retention-days: 7
+          if-no-files-found: ignore
         continue-on-error: true
-      - if: ${{ always() }}
-        id: destroy
-        name: enos scenario destroy ${{ matrix.scenario.id.filter }}
+
+      - name: Upload JUnit Test Results
+        if: always()
+        id: upload_junit_results
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: ${{ steps.prepare_scenario.outputs.junit_results_artifact_name }}
+          path: /tmp/vault_test_results_*.xml
+          retention-days: 7
+          if-no-files-found: ignore
         continue-on-error: true
-        run: enos scenario destroy --timeout 10m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
-      - if: steps.destroy.outcome == 'failure'
-        id: destroy_retry
-        name: Retry enos scenario destroy ${{ matrix.scenario.id.filter }}
+
+      - name: Check for test results
+        if: always()
+        id: check_test_results
         continue-on-error: true
-        run: enos scenario destroy --timeout 10m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
+        run: |
+          if find /tmp -maxdepth 1 -name 'vault_test_results_*.json' -type f -print -quit 2>/dev/null | grep -q .; then
+            echo "has_results=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_results=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Prepare Test Results Summary
+        if: always() && steps.check_test_results.outputs.has_results == 'true'
+        continue-on-error: true
+        run: |
+          # Find the most recent JSON test results file
+          json_file=$(find /tmp -maxdepth 1 -name 'vault_test_results_*.json' -type f -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)
+
+          if [ -n "$json_file" ] && [ -f "$json_file" ]; then
+            # Create failure summary file for aggregation in build.yml
+            failure_summary_file="${{ steps.prepare_scenario.outputs.failure_summary_artifact_name }}"
+
+            # Extract failed tests and format as table rows matching ci.yml format
+            # Format: | Test Type | Package | Test | Elapsed | Runner Index | Logs |
+            jq -r 'select(.Action == "fail") | select(.Test != null) | "| enos | \(.Package) | \(.Test) | \(.Elapsed // "N/A") | ${{ matrix.scenario.id.filter }} | [view test results :scroll:](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |"' \
+              "$json_file" > "$failure_summary_file"
+
+            # Count total tests, passes, and failures
+            total_tests=$(jq -r 'select(.Action == "pass" or .Action == "fail") | select(.Test != null)' "$json_file" | jq -s 'length')
+            passed_tests=$(jq -r 'select(.Action == "pass") | select(.Test != null)' "$json_file" | jq -s 'length')
+            failed_tests=$(jq -r 'select(.Action == "fail") | select(.Test != null)' "$json_file" | jq -s 'length')
+
+            # Create step summary for this specific scenario
+            {
+              echo "## Test Results for ${{ matrix.scenario.id.filter }}"
+              echo ""
+              echo "- **Total Tests:** $total_tests"
+              echo "- **Passed:** ✅ $passed_tests"
+              echo "- **Failed:** ❌ $failed_tests"
+              echo ""
+
+              # If there are failures, create a table with details
+              if [ "$failed_tests" -gt 0 ]; then
+                echo "### Failed Tests"
+                echo ""
+                echo "| Test Type | Package | Test | Elapsed | Runner Index | Logs |"
+                echo "| --------- | ------- | ---- | ------- | ------------ | ---- |"
+                cat "${failure_summary_file}"
+                echo ""
+              fi
+
+              echo "📊 Full test results available in artifacts: \`${{ steps.prepare_scenario.outputs.test_results_artifact_name }}\`"
+            } >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "⚠️ No test results found in /tmp/vault_test_results_*.json" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Upload Failure Summary
+        if: always() && steps.check_test_results.outputs.has_results == 'true'
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: ${{ steps.prepare_scenario.outputs.failure_summary_artifact_name }}
+          path: ${{ steps.prepare_scenario.outputs.failure_summary_artifact_name }}
+          if-no-files-found: ignore
+        continue-on-error: true
+
       - name: Clean up Enos runtime directories
         id: cleanup
         if: ${{ always() }}
@@ -282,34 +381,39 @@ jobs:
           rm -rf /tmp/enos*
           rm -rf ./enos/support
           rm -rf ./enos/.enos
+
       # Send slack notifications to #feed-vault-enos-failures any of our enos scenario commands fail.
       # There is an incoming webhook set up on the "Enos Vault Failure Bot" Slackbot:
       # https://api.slack.com/apps/A05E31CH1LG/incoming-webhooks
+
       - if: ${{ always() && ! cancelled() }}
         name: Notify launch failed
         uses: hashicorp/actions-slack-status@1a3f63b30bd476aee1f3bd6f9d8f2aacc4f14d81 # v2.0.1
         with:
           failure-message: "enos scenario launch ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
-          status: ${{ steps.launch.outcome }}
+          status: ${{ steps.run-scenario.outputs.launch-outcome == 'failure' && 'failure' || 'success' }}
           slack-webhook-url: ${{ steps.secrets.outputs.slack-webhook-url }}
+
       - if: ${{ always() && ! cancelled() }}
         name: Notify retry launch failed
         uses: hashicorp/actions-slack-status@1a3f63b30bd476aee1f3bd6f9d8f2aacc4f14d81 # v2.0.1
         with:
           failure-message: "retry enos scenario launch ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
-          status: ${{ steps.launch_retry.outcome }}
+          status: ${{ steps.run-scenario.outputs.launch-retry-attempted == 'true' && steps.run-scenario.outputs.launch-outcome == 'failure' && 'failure' || 'success' }}
           slack-webhook-url: ${{ steps.secrets.outputs.slack-webhook-url }}
+
       - if: ${{ always() && ! cancelled() }}
         name: Notify destroy failed
         uses: hashicorp/actions-slack-status@1a3f63b30bd476aee1f3bd6f9d8f2aacc4f14d81 # v2.0.1
         with:
           failure-message: "enos scenario destroy ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
-          status: ${{ steps.destroy.outcome }}
+          status: ${{ steps.run-scenario.outputs.destroy-outcome == 'failure' && 'failure' || 'success' }}
           slack-webhook-url: ${{ steps.secrets.outputs.slack-webhook-url }}
+
       - if: ${{ always() && ! cancelled() }}
         name: Notify retry destroy failed
         uses: hashicorp/actions-slack-status@1a3f63b30bd476aee1f3bd6f9d8f2aacc4f14d81 # v2.0.1
         with:
           failure-message: "retry enos scenario destroy ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
-          status: ${{ steps.destroy_retry.outcome }}
+          status: ${{ steps.run-scenario.outputs.destroy-retry-attempted == 'true' && steps.run-scenario.outputs.destroy-outcome == 'failure' && 'failure' || 'success' }}
           slack-webhook-url: ${{ steps.secrets.outputs.slack-webhook-url }}
diff --git a/.github/workflows/test-run-enos-scenario.yml b/.github/workflows/test-run-enos-scenario.yml
index 5d8949d5bc..e9fa0a5b89 100644
--- a/.github/workflows/test-run-enos-scenario.yml
+++ b/.github/workflows/test-run-enos-scenario.yml
@@ -35,7 +35,7 @@ on:
 jobs:
   enos-run-vault-interactive-test:
     name:  Enos run Vault interactive test
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-22.04-x64"]') }}
     permissions: write-all
     timeout-minutes: 120
     env:
@@ -64,26 +64,23 @@ jobs:
       - uses: ./.github/actions/set-up-go
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      # Install additional tools like gotestsum that are required for Enos scenarios
+      - uses: ./.github/actions/install-tools
       - name: Configure Git
         run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
       - name: Set up node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version-file: './ui/package.json'
           cache: pnpm
           cache-dependency-path: ui/pnpm-lock.yaml
 
       - name: Install PNPM
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
           package_json_file: './ui/package.json'
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
-        with:
-          # the Terraform wrapper will break Terraform execution in Enos because
-          # it changes the output to text when we expect it to be JSON.
-          terraform_wrapper: false
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI_09042025 }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI_09042025 }}
@@ -91,9 +88,6 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
           role-skip-session-tagging: true
           role-duration-seconds: 3600
-      - uses: hashicorp/action-setup-enos@17b90fcf9591275b468a94aefb9dc6a93017de8a # v1.50
-        with:
-          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - name: Prepare scenario dependencies
         id: scenario-deps
         run: |
@@ -106,29 +100,30 @@ jobs:
         id: license
         run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic
       - name: Run Enos scenario
-        id: run
-        run: enos scenario run --timeout 60m0s --chdir ./enos ${{ inputs.scenario }}
+        id: run-scenario
+        uses: ./.github/actions/run-enos-scenario
+        with:
+          scenario-filter: ${{ inputs.scenario }}
+          working-directory: ./enos
+          timeout: 60m0s
+          retry-timeout: 60m0s
+          destroy-timeout: 60m0s
+          show-state-on-retry: ${{ github.repository == 'hashicorp/vault-enterprise' && 'true' || 'false' }}
+          destroy-extra-args: --grpc-listen http://localhost
+          debug-data-path: ${{ env.ENOS_DEBUG_DATA_ROOT_DIR }}
+          debug-data-retention-days: '1'
       - name: Collect logs when scenario fails
         id: collect_logs
         if: ${{ always() }}
         run: |
           bash -x ./scripts/gha_enos_logs.sh "${{ steps.scenario-deps.outputs.logsdir }}" "${{ inputs.scenario }}" "${{ inputs.distro }}" "${{ inputs.artifact-type }}" 2>/dev/null
           find "${{ steps.scenario-deps.outputs.logsdir }}" -maxdepth 0 -empty -exec rmdir {} \;
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ always() }}
         with:
           name: enos-scenario-logs
           path: ${{ steps.scenario-deps.outputs.logsdir }}
           retention-days: 1
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: ${{ always() }}
-        with:
-          name: enos-debug-data-logs
-          path: ${{ env.ENOS_DEBUG_DATA_ROOT_DIR }}
-          retention-days: 1
-      - name: Ensure scenario has been destroyed
-        if: ${{ always() }}
-        run: enos scenario destroy --timeout 60m0s --grpc-listen http://localhost --chdir ./enos ${{ inputs.scenario }}
       - name: Clean up Enos runtime directories
         if: ${{ always() }}
         run: |
diff --git a/.github/workflows/test-ui.yml b/.github/workflows/test-ui.yml
new file mode 100644
index 0000000000..d0ce513890
--- /dev/null
+++ b/.github/workflows/test-ui.yml
@@ -0,0 +1,230 @@
+on:
+  workflow_call:
+    inputs:
+      checkout-ref:
+        description: The ref to use for checkout.
+        required: false
+        default: ${{ github.ref }}
+        type: string
+      runs-on:
+        description: An expression indicating which kind of runners to use Go testing jobs.
+        required: false
+        type: string
+        default: '"ubuntu-latest"'
+      runs-on-small:
+        description: An expression indicating which kind of runners to use for small computing jobs.
+        required: false
+        type: string
+        default: '"ubuntu-latest"'
+      is-ent-repo:
+        description: A boolean indicating whether the repository is an enterprise repository.
+        required: false
+        type: string
+        default: 'false'
+      is-ent-branch:
+        description: A boolean indicating whether the repository is an enterprise branch.
+        required: false
+        type: string
+        default: 'false'
+
+jobs:
+  test-ui-build-go:
+    name: Build Vault Binary for UI Tests
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    outputs:
+      ui-go-binary-artifact-id: ${{ steps.upload.outputs.artifact-id }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        name: status
+        with:
+          ref: ${{ inputs.checkout-ref }}
+      - uses: ./.github/actions/set-up-go
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+
+      - if: inputs.is-ent-repo == 'true'
+        id: vault-auth
+        name: Authenticate to Vault
+        run: vault-auth
+      - if: inputs.is-ent-repo == 'true'
+        id: secrets
+        name: Fetch secrets
+        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          secrets: |
+            kv/data/github/hashicorp/vault-enterprise/github-token username-and-token | PRIVATE_REPO_GITHUB_TOKEN;
+      - if: inputs.is-ent-repo == 'true'
+        name: Set up Git
+        run: git config --global url."https://${{ steps.secrets.outputs.PRIVATE_REPO_GITHUB_TOKEN }}@github.com".insteadOf https://github.com
+      - uses: ./.github/actions/install-tools
+      - name: build-go-dev
+        run: |
+          rm -rf ./pkg
+          mkdir ./pkg
+          make prep dev
+      - name: Upload Vault Binary for UI Tests
+        id: upload
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          path: ./bin/vault
+          name: vault-ui-test-binary
+          retention-days: 1
+
+  test-ui-build-js:
+    name: Build JS for UI Tests
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ${{ fromJSON(inputs.runs-on-small) }}
+    outputs:
+      ui-js-bundle-artifact-id: ${{ steps.upload.outputs.artifact-id }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        name: status
+        with:
+          ref: ${{ inputs.checkout-ref }}
+      - name: Setup pnpm
+        uses: ./.github/actions/setup-pnpm
+      - name: Build Ember Test Bundle
+        working-directory: ./ui
+        run: pnpm build:jsondiffpatch && pnpm exec ember build --environment=test --output-path=dist
+      - name: Upload Ember Test Bundle
+        id: upload
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          path: ./ui/dist
+          name: vault-ui-test-bundle
+          retention-days: 1
+
+  test-ui:
+    name: Run UI Tests
+    needs: [test-ui-build-go, test-ui-build-js]
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ${{ fromJSON(inputs.runs-on-small) }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ci-index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        name: status
+        with:
+          ref: ${{ inputs.checkout-ref }}
+      - if: inputs.is-ent-repo == 'true'
+        id: vault-auth
+        name: Authenticate to Vault
+        run: vault-auth
+      - if: inputs.is-ent-repo == 'true'
+        id: secrets
+        name: Fetch secrets
+        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          secrets: |
+            kv/data/github/hashicorp/vault-enterprise/github-token username-and-token | PRIVATE_REPO_GITHUB_TOKEN;
+            kv/data/github/hashicorp/vault-enterprise/license license_1 | VAULT_LICENSE;
+            kv/data/github/${{ github.repository }}/datadog-ci DATADOG_API_KEY;
+      - name: Install Chrome
+        uses: browser-actions/setup-chrome@4f8e94349a351df0f048634f25fec36c3c91eded # v2.1.1
+        with:
+          chrome-version: stable
+      - name: Setup pnpm
+        uses: ./.github/actions/setup-pnpm
+      - name: Download Ember Test Bundle
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: ./ui/dist
+          artifact-ids: ${{ needs.test-ui-build-js.outputs.ui-js-bundle-artifact-id }}
+      - name: Download Vault Binary
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: ./bin
+          artifact-ids: ${{ needs.test-ui-build-go.outputs.ui-go-binary-artifact-id }}
+      - name: Make Vault Binary Executable
+        run: chmod +x ./bin/vault
+      - name: Set Parallel Count
+        # hardcoding this to 1 for now because multiple parallelism in UI tests with a vault server casuses test failures due to the shared backend
+        run: echo "PARALLEL_COUNT=1" >> "$GITHUB_ENV"
+      - name: Create test-results directory
+        run: mkdir -p ui/test-results/qunit
+      - name: Run UI Lint Checks
+        if: strategy.job-index == 0
+        working-directory: ./ui
+        run: pnpm lint
+      - name: Run UI Tests
+        if: strategy.job-index != 0
+        env:
+          VAULT_LICENSE: ${{ steps.secrets.outputs.VAULT_LICENSE }}
+        working-directory: ./ui
+        # NOTE: We subtract 1 from the total number of jobs because job-index 0 is the lint job
+        run: |
+          pnpm test${{ inputs.is-ent-branch == 'false' && ':oss' || '' }} \
+            --load-balance \
+            --split=$((${{ strategy.job-total }} - 1)) \
+            --partition=${{ strategy.job-index }} \
+            --parallel="$PARALLEL_COUNT" \
+            --path=dist
+      - if: always() && strategy.job-index != 0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: test-results-ui-${{ strategy.job-index }}
+          path: ui/test-results
+      - name: Prepare datadog-ci
+        if: always() && startsWith(github.repository, 'hashicorp/vault') && strategy.job-index != 0
+        continue-on-error: true
+        run: |
+          if type datadog-ci > /dev/null 2>&1; then
+            exit 0
+          fi
+          # Curl does not always exit 1 if things go wrong. To determine if this is successful
+          # we'll silence all non-error output and check the results to determine success.
+          if ! out="$(curl -sSL --fail https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64 --output /usr/local/bin/datadog-ci 2>&1)"; then
+            printf "failed to download datadog-ci: %s" "$out"
+          fi
+          if [[ -n "$out" ]]; then
+            printf "failed to download datadog-ci: %s" "$out"
+          fi
+          chmod +x /usr/local/bin/datadog-ci
+      - name: Upload test results to DataDog
+        if: (success() || failure()) && strategy.job-index != 0
+        continue-on-error: true
+        env:
+          DD_ENV: ci
+        run: |
+          if [[ ${{ github.repository }} == 'hashicorp/vault' ]]; then
+            export DATADOG_API_KEY=${{ secrets.DATADOG_API_KEY }}
+          fi
+          datadog-ci junit upload --service "$GITHUB_REPOSITORY" 'ui/test-results/qunit/results.xml'
+      - if: always() && strategy.job-index != 0
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
+        with:
+          paths: "ui/test-results/qunit/results.xml"
+          show: "fail"
+
+  test-ui-complete:
+    runs-on: ${{ fromJSON(inputs.runs-on-small) }}
+    needs: [test-ui-build-go, test-ui-build-js, test-ui]
+    steps:
+      - id: status
+        name: Determine status
+        run: |
+          results=$(tr -d '\n' <<< '${{ toJSON(needs.*.result) }}')
+          if ! grep -q -v -E '(failure|cancelled)' <<< "$results"; then
+            result="failed"
+          else
+            result="success"
+          fi
+          {
+            echo "result=${result}"
+            echo "results=${results}"
+          } | tee -a "$GITHUB_OUTPUT"
diff --git a/.gitignore b/.gitignore
index c180ae09fb..674fd6691c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,6 +66,8 @@ Vagrantfile
 enos-local.vars.hcl
 enos/**/support
 enos/**/kubeconfig
+enos/modules/**/plan.yml
+enos/sarif**.json
 .terraform
 .terraform.lock.hcl
 .tfstate.*
diff --git a/.go-version b/.go-version
index 5ff8c4f5d2..ea0928cedf 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.26.0
+1.26.4
diff --git a/.hooks/pre-push b/.hooks/pre-push
index 2c9faf51ab..0e4b3a0a55 100755
--- a/.hooks/pre-push
+++ b/.hooks/pre-push
@@ -45,6 +45,9 @@
 
 set -eou pipefail
 
+# We need extglob in order to parse remote_url_is_enterprise
+shopt -s extglob
+
 # fail takes two arguments. The first is the failure reasons and the second is
 # an explanation. Both will be written to STDERR. The script will then exit 1.
 fail() {
@@ -60,7 +63,7 @@ fail() {
 # that of hashicorp/vault-enterprise, otherwise it returns 1.
 remote_url_is_enterprise() {
   case "$1" in
-    git@github.com:hashicorp/vault-enterprise* | https://github.com/hashicorp/vault-enterprise*)
+    ?(ssh://)git@github.com@(:|/)hashicorp/vault-enterprise?(.git) | https://github.com/hashicorp/vault-enterprise?(.git))
       return 0
       ;;
     *)
@@ -131,7 +134,7 @@ main() {
     fi
   done
 
-  fail "git pre-push hook failed!" "git did not write expected commit information to STDIN! Please reach out to #team-vault-automation for help!"
+  fail "git pre-push hook failed!" "git did not write expected commit information to STDIN! This is likely because git could not push one-or-more refs to the remote repository. Did you change history with a rebase and need to force push? If that does not resolve the issue please reach out to #team-vault-automation for help!"
 }
 
 # Call the main function. We currently only care about the URL so we'll pass in
diff --git a/.node-version b/.node-version
new file mode 100644
index 0000000000..ccc4c6c7f8
--- /dev/null
+++ b/.node-version
@@ -0,0 +1 @@
+20.20.2
diff --git a/.nvmrc b/.nvmrc
new file mode 100644
index 0000000000..ccc4c6c7f8
--- /dev/null
+++ b/.nvmrc
@@ -0,0 +1 @@
+20.20.2
diff --git a/.release/docker/docker-entrypoint.sh b/.release/docker/docker-entrypoint.sh
index b43a9fcedd..4467a9ba40 100755
--- a/.release/docker/docker-entrypoint.sh
+++ b/.release/docker/docker-entrypoint.sh
@@ -17,21 +17,21 @@ ulimit -c 0
 # VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
 # VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
 # number with the IP of the named interface.
-get_addr () {
+get_addr() {
     local if_name=$1
     local uri_template=$2
-    ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \
+    ip addr show dev "$if_name" | awk -v uri="$uri_template" '/\s*inet\s/ { \
       ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \
       print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \
       exit}'
 }
 
 if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
-    export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"})
+    export VAULT_REDIRECT_ADDR=$(get_addr "$VAULT_REDIRECT_INTERFACE" "${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"}")
     echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
 fi
 if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
-    export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"})
+    export VAULT_CLUSTER_ADDR=$(get_addr "$VAULT_CLUSTER_INTERFACE" "${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"}")
     echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
 fi
 
@@ -69,38 +69,41 @@ elif vault --help "$1" 2>&1 | grep -q "vault $1"; then
     set -- vault "$@"
 fi
 
-# If we are running Vault, make sure it executes as the proper user.
+# If we are running Vault and the container user is root then execute as the vault user
 if [ "$1" = 'vault' ]; then
-    if [ -z "$SKIP_CHOWN" ]; then
-        # If the config dir is bind mounted then chown it
-        if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
-            chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+    if [ "$(id -u)" != '0' ]; then
+        [ -n "$SKIP_CHOWN" ] && echo "Container is running as non-root user, ignoring SKIP_CHOWN" >&2
+        [ -n "$SKIP_SETCAP" ] && echo "Container is running as non-root user, ignoring SKIP_SETCAP" >&2
+    else
+        if [ -z "$SKIP_CHOWN" ]; then
+            # If the config dir is bind mounted then chown it
+            if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
+                chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+            fi
+
+            # If the logs dir is bind mounted then chown it
+            if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
+                chown -R vault:vault /vault/logs
+            fi
+
+            # If the file dir is bind mounted then chown it
+            if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
+                chown -R vault:vault /vault/file
+            fi
         fi
 
-        # If the logs dir is bind mounted then chown it
-        if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
-            chown -R vault:vault /vault/logs
+        if [ -z "$SKIP_SETCAP" ]; then
+            # Allow mlock to avoid swapping Vault memory to disk
+            setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+
+            # In the case vault has been started in a container without IPC_LOCK privileges
+            if ! vault -version 1> /dev/null 2> /dev/null; then
+                >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
+                setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
+            fi
         fi
 
-        # If the file dir is bind mounted then chown it
-        if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
-            chown -R vault:vault /vault/file
-        fi
-    fi
-
-    if [ -z "$SKIP_SETCAP" ]; then
-        # Allow mlock to avoid swapping Vault memory to disk
-        setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
-
-        # In the case vault has been started in a container without IPC_LOCK privileges
-        if ! vault -version 1>/dev/null 2>/dev/null; then
-            >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
-            setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
-        fi
-    fi
-
-    if [ "$(id -u)" = '0' ]; then
-      set -- su-exec vault "$@"
+        set -- su-exec vault "$@"
     fi
 fi
 
diff --git a/.release/docker/ubi-docker-entrypoint.sh b/.release/docker/ubi-docker-entrypoint.sh
index 8794416225..f332ef467f 100755
--- a/.release/docker/ubi-docker-entrypoint.sh
+++ b/.release/docker/ubi-docker-entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # Copyright IBM Corp. 2016, 2025
 # SPDX-License-Identifier: BUSL-1.1
 
@@ -12,21 +12,21 @@ ulimit -c 0
 # VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
 # VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
 # number with the IP of the named interface.
-get_addr () {
-    local if_name=$1
-    local uri_template=$2
-    ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \
+get_addr() {
+    local if_name="$1"
+    local uri_template="$2"
+    ip addr show dev "$if_name" | awk -v uri="$uri_template" '/\s*inet\s/ { \
       ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \
       print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \
       exit}'
 }
 
 if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
-    export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"})
+    export VAULT_REDIRECT_ADDR=$(get_addr "$VAULT_REDIRECT_INTERFACE" "${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"}")
     echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
 fi
 if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
-    export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"})
+    export VAULT_CLUSTER_ADDR=$(get_addr "$VAULT_CLUSTER_INTERFACE" "${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"}")
     echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
 fi
 
@@ -69,33 +69,38 @@ elif vault --help "$1" 2>&1 | grep -q "vault $1"; then
     set -- vault "$@"
 fi
 
-# If we are running Vault, make sure it executes as the proper user.
+# If we are running Vault and the container user is root then execute as the vault user
 if [ "$1" = 'vault' ]; then
-    if [ -z "$SKIP_CHOWN" ]; then
-        # If the config dir is bind mounted then chown it
-        if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
-            chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+    if [ "$(id -u)" != '0' ]; then
+        [ -n "$SKIP_CHOWN" ] && echo "Container is running as non-root user, ignoring SKIP_CHOWN" >&2
+        [ -n "$SKIP_SETCAP" ] && echo "Container is running as non-root user, ignoring SKIP_SETCAP" >&2
+    else
+        if [ -z "$SKIP_CHOWN" ]; then
+            # If the config dir is bind mounted then chown it
+            if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
+                chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+            fi
+
+            # If the logs dir is bind mounted then chown it
+            if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
+                chown -R vault:vault /vault/logs
+            fi
+
+            # If the file dir is bind mounted then chown it
+            if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
+                chown -R vault:vault /vault/file
+            fi
         fi
 
-        # If the logs dir is bind mounted then chown it
-        if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
-            chown -R vault:vault /vault/logs
-        fi
+        if [ -z "$SKIP_SETCAP" ]; then
+            # Allow mlock to avoid swapping Vault memory to disk
+            setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
 
-        # If the file dir is bind mounted then chown it
-        if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
-            chown -R vault:vault /vault/file
-        fi
-    fi
-
-    if [ -z "$SKIP_SETCAP" ]; then
-        # Allow mlock to avoid swapping Vault memory to disk
-        setcap cap_ipc_lock=+ep $(readlink -f /bin/vault)
-
-        # In the case vault has been started in a container without IPC_LOCK privileges
-        if ! vault -version 1>/dev/null 2>/dev/null; then
-            >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK"
-            setcap cap_ipc_lock=-ep $(readlink -f /bin/vault)
+            # In the case vault has been started in a container without IPC_LOCK privileges
+            if ! vault -version 1> /dev/null 2> /dev/null; then
+                echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --cap-add IPC_LOCK" >&2
+                setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
+            fi
         fi
     fi
 fi
@@ -106,8 +111,7 @@ fi
 # we're now rerunning the entrypoint script as the Vault
 # user but no longer need to run setup code for setcap
 # or chowning directories (previously done on the first run).
-if [[ "$(id -u)" == '0' ]]
-then
+if [ "$(id -u)" = '0' ]; then
     export SKIP_CHOWN="true"
     export SKIP_SETCAP="true"
     exec su vault -p "$0" -- "$@"
diff --git a/.release/pipeline.hcl b/.release/pipeline.hcl
index 2f58f30b5c..099b8d5b3e 100644
--- a/.release/pipeline.hcl
+++ b/.release/pipeline.hcl
@@ -119,6 +119,7 @@ changed_files {
         # These exist on CE branches to please Github Actions.
         joinpath(".github", "workflows", "build-artifacts-ent.yml"),
         joinpath(".github", "workflows", "backport-automation-ent.yml"),
+        joinpath(".github", "workflows", "test-run-enos-scenario-cloud.yml"),
       ]
     }
 
@@ -127,7 +128,6 @@ changed_files {
       base_dir = [
         "website",
         joinpath(".release", "docker"),
-        joinpath("enos", "modules"),
         joinpath("scripts", "docker"),
       ]
     }
@@ -147,6 +147,26 @@ changed_files {
       ]
     }
 
+    // Ignore some enos modules related to HSM
+    ignore {
+      base_dir = [
+        # The next matcher looks for HSM but we can ignore the softhsm modules
+        joinpath("enos", "modules", "softhsm_install"),
+        joinpath("enos", "modules", "softhsm_create_vault_keys"),
+        joinpath("enos", "modules", "softhsm_init"),
+        joinpath("enos", "modules", "softhsm_distribute_vault_keys"),
+        # Some filename have ent in them
+        joinpath("enos", "modules", "verify_secrets_engines"),
+      ]
+    }
+
+    // Make sure our zap scanner is always ent only
+    match {
+      base_dir = [
+        joinpath("enos", "modules", "zap_scan_ent")
+      ]
+    }
+
     // Match whole directories that are enterprise only
     match {
       base_dir = [
@@ -217,6 +237,35 @@ changed_files {
     }
   }
 
+  // The "hcp" group is for files that are unique to testing Vault in the
+  // HashiCorp Cloud Platform, i.e. HVD or Vault Cloud.
+  group "hcp" {
+    match {
+      file = [
+        joinpath(".github", "workflows", "build-hcp-image.yml"),
+        joinpath(".github", "workflows", "test-run-enos-scenario-cloud.yml"),
+        joinpath("enos", "enos-scenario-cloud-ent.hcl"),
+      ]
+    }
+
+    match {
+      base_dir = [
+        joinpath("enos", "modules", "cloud_docker_vault_cluster"),
+        joinpath("enos", "modules", "hcp"),
+        joinpath("tools", "pipeline", "internal", "pkg", "hcp"),
+      ]
+    }
+
+    match {
+      base_dir = [
+        joinpath("tools", "pipeline", "internal", "cmd"),
+      ]
+      contains = [
+        "hcp"
+      ]
+    }
+  }
+
   // The "pipeline" group matches directories where we house code and
   // configuration used in the CI/CD pipeline
   group "pipeline" {
@@ -258,4 +307,14 @@ changed_files {
       base_dir = ["ui"]
     }
   }
+
+  // The "zap_scan" group matches the Zap scanner
+  group "zap_scan" {
+    match {
+      contains = [
+        "security-scan-zap",
+        "zap_scan",
+      ]
+    }
+  }
 }
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index e9de3804b7..7e4c8aa952 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -27,9 +27,6 @@ container {
   triage {
     suppress {
       vulnerabilities = [
-        // We can't do anything about these two CVEs until a new Alpine container with busybox 1.38 is available.
-        "CVE-2025-46394",
-        "CVE-2024-58251",
         "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.x
       ]
 
diff --git a/.release/versions.hcl b/.release/versions.hcl
index ee3c4cb59d..6dc44b4978 100644
--- a/.release/versions.hcl
+++ b/.release/versions.hcl
@@ -9,11 +9,16 @@
 
 schema = 1
 active_versions {
-  version "1.21.x" {
+  version "2.x.x" {
     ce_active = true
+    lts       = true
   }
 
-  version "1.20.x" {
+  version "1.21.x" {
+    ce_active = false
+  }
+
+   version "1.20.x" {
     ce_active = false
   }
 
@@ -21,9 +26,4 @@ active_versions {
     ce_active = false
     lts       = true
   }
-
-  version "1.16.x" {
-    ce_active = false
-    lts       = true
-  }
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27472494ff..5b7b612f91 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,524 @@
 - [v1.0.0 - v1.9.10](CHANGELOG-pre-v1.10.md)
 - [v0.11.6 and earlier](CHANGELOG-v0.md)
 
+## 2.0.2
+### June 05, 2026
+BREAKING CHANGES:
+
+* containers: Remove `cap_ipc_lock` capability on `vault` at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call `mlock()` to lock memory. Operators should set `disable_mlock = true` in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
+* secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
+
+CHANGES:
+
+* core: Bump Go version to 1.26.4
+* secrets/azure (enterprise): Update plugin to [v0.26.4+ent](https://github.com/hashicorp/vault-plugin-secrets-azure-enterprise/releases/tag/v0.26.4+ent)
+
+BUG FIXES:
+
+* plugins: Fix plugin signature verification failure with expired pgp key when registering a plugin.
+* ui/transit: Fix key version dropdown selected state when editing a transit key.
+
+## 2.0.1
+### May 19, 2026
+BREAKING CHANGES:
+
+* containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add `IPC_LOCK` capabilities when running the vault container.
+
+SECURITY:
+
+* api: Update golang.org/x/net to resolve GO-2026-4918"
+* core/identity: reject wildcards in rendered identity templates
+* core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+* core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* core: Update golang.org/x/net to resolve GO-2026-4918"
+* core: Validate both `path` and `file_path` cannot be empty for requests to `sys/audit/{path}`
+* sdk: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* sdk: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* sdk: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* sdk: Update golang.org/x/net to resolve GO-2026-4918"
+
+CHANGES:
+
+* auth/jwt: Update plugin to [v0.26.3](https://github.com/hashicorp/vault-plugin-auth-jwt/releases/tag/v0.26.3)
+* core: Bump Go version to 1.26.3
+* identity: Require `sudo` capability to invoke the identity entity merge API endpoint (`identity/entity/merge`).
+* secrets/azure: Update plugin to [v0.26.2+ent](https://github.com/hashicorp/vault-plugin-secrets-azure-enterprise/releases/tag/v0.26.2+ent)
+* secrets/openldap: Update plugin to [v0.18.1+ent](https://github.com/hashicorp/vault-plugin-secrets-openldap-enterprise/releases/tag/v0.18.1+ent)
+
+FEATURES:
+
+* **Billing metrics dashboard**: Create a new billing dashboard with responsive layout to display metric data.
+* **Secrets Sync UI**: Added Workload Identity Federation (WIF) support in the UI for AWS, Azure, and GCP sync destinations
+
+IMPROVEMENTS:
+
+* api: Add `start_month` and `end_month` parameters to `/sys/billing/overview` endpoint to allow querying billing data for specific time ranges.
+* api: Add migration_done_at_epoch to sys/seal-status response.
+* consumption-billing: Add billing tracking for OS Local Account static roles to support consumption-based billing metrics and high-water mark (HWM) tracking.
+* consumption-billing: Added consumption billing metrics for OIDC tokens.
+* consumption-billing: Added consumption billing metrics for PKI External CA certificates.
+* consumption-billing: Added consumption billing metrics for SPIFFE JWT tokens.
+* consumption-billing: Enabled `sys/billing/overview` endpoint in admin namespace.
+* consumption-billing: Float64 values returned by `sys/billing/overview` are now rounded to 4 decimal places.
+* consumption-billing: Increased billing data retention from 2 months to 37 months. The `/sys/internal/billing/overview` API endpoint now returns 37 months of historical consumption billing data by default.
+* consumption-billing: The `/sys/internal/billing/overview` API endpoint now always returns all metric types in the response, even when their values are zero. This ensures consistent response structure for easier client-side parsing.
+* core (Enterprise): Sanitized config now shows kms_library config.
+* core/seal (enterprise): Make it possible for new nodes to join a cluster configured with Seal High Availability.
+* scim: The SCIM Group PATCH handler now supports the path field in the form members[value eq "id"] on remove operations.
+* sdk: Expand support for docker test cluster options like seals, kms libraries, and entropy augmentation. DockerClusterNode.UpdateConfig now takes a full set of cluster options instead of just node config.
+* sdk: add WIF and rotation helpers for checking if params were updated to allow
+the consumer to know when changes need to be persisted to storage
+* secrets/pki (enterprise): Allow SCEP to use an issuer that is backed by an RSA based PKCS#11 managed key
+* secrets/transit: Change to using Trail of Bits libraries for PQC signature implementation in Transit
+* ui/dashboard: Reorganized dashboard widgets to improve layout and usability. Updated widgets to use HDS table components for better consistency. Enhanced the Quick Actions card with frequently used links alongside existing actions.
+* ui: Set pagination size to 10 for custom messages list view and toggle the "Apply filters" button visibility based on filter selection.
+* ui: Update copy on merge entities page to specify entity ID is the required data input when merging entities.
+* ui: add validations to the ACL visual policy editor to prevent it from saving policies with empty paths or capabilities.
+
+BUG FIXES:
+
+* auth/aws: fix bug where rotation and wif config updates were not persisted to storage
+* client/ocsp: Adds a grace period to renew the cached entry for OCSP response.
+* core: Fix failure to detect errors during storage writes of totp keys.
+* database/mssql: Fix "sysadmin" requirement during lease revocation by replacing the undocumented `sp_msloginmappings` procedure with a granular metadata query. This allows the plugin to function with `VIEW ANY DEFINITION` instead of full `sysadmin` privileges.
+* database/mssql: Fix dynamic secret revocation by executing custom statements as a single batch instead of splitting on semicolons
+* database/snowflake: Fix WAL rollback issue for key-pair root credential rotation.
+* database: prevent static role rotation and connection init from hanging indefinitely when database calls block by adding timeouts around UpdateUser and Initialize
+* events (enterprise): Fix panic when replicating lease events.
+* go-plugin: Upgrade go-plugin to fix a bug where file descriptors could be leaked when spawning external plugins
+* identity: fixed a rare but possible data race issue with identities.
+* sdk: Small bugfixes relating to docker test container cleanup and image building.
+* secrets-sync (enterprise): Fix destination PATCH handling for WIF identity_token_ttl normalization and GCP service_account_email decoding.
+* secrets/kmip (enterprise): Address a nil pointer within the invalidation handler for managed objects.
+* secrets/ldap: enable proper license checking on 'openldap' plugin alias. This enables enterprise features when configuring mounts with the 'openldap' alias.
+* secrets/pki (enterprise): Fix SCEP nonce logging in audit data.
+* secrets/pki (enterprise): Include root CA in chain for CIEPS endpoints when root is the direct issuer, unless `remove_roots_from_chain` is true.
+* secrets/pki: Remove invalid value from the supported list of ACME algorithms.
+* ui: Add name field validation to LDAP create and edit roles forms.
+* ui: Fix LDAP hierarchical role navigation in UI
+* ui: Fix entities page to show success message after successfully editing an entity.
+* ui: Fix secrets to secrets-engines redirect for bookmarked URLs.
+* ui: Fixed custom messages list to display the expiration time on Inactive message badges.
+* ui: Fixed sidebar navigation animation issues
+* ui: Restore re-sizable columns for secrets and namespaces tables.
+* ui: Update DR operation token generation to accept a primary root token for authentication.
+* ui: Update KV max_version validation to disallow negative values.
+
+## 2.0.0  
+### April 14, 2026  
+
+BREAKING CHANGES:
+
+* sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.
+
+SECURITY:
+
+* Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+* Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
+* api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
+* api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
+* auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
+* auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
+* core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.
+* core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
+* core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.
+* core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
+* core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.
+* core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
+* core: reject URL-encoded paths that do not specify a canonical path
+* http: Added configurable `max_token_header_size` listener option (default 8 KB) to bound the size of authentication token headers (`X-Vault-Token` and `Authorization: Bearer`), preventing a potential denial-of-service attack via oversized header contents. The stdlib-level `MaxHeaderBytes` backstop is also now set on the HTTP server. Set `max_token_header_size = -1` to disable the limit.
+* sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
+* sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
+* ui: disable scarf analytics for ui builds
+* vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+* vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394
+* Update github.com/dvsekhvalnov/jose2go to fix security vulnerability CVE-2025-63811.
+* go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.
+
+CHANGES:
+
+* secrets/ldap (enterprise): Static roles will be migrated from a plugin-managed queue to the Vault Enterprise Rotation Manager system. Static role migration progress can be checked and managed through a new static-migration endpoint. See the [LDAP documentation](https://developer.hashicorp.com/vault/docs/secrets/ldap#static-role-migration-to-rotation-manager) for more details on this process.
+* audit: A new top-level key called `supplemental_audit_data` can now appear within audit entries of type "response" within the request and response data structures. These new fields can contain data that further describe the request/response data and are mainly used for non-JSON based requests and responses to help auditing. The `audit-non-hmac-request-keys` and `audit-non-hmac-response-keys` apply to keys within `supplemental_audit_data` to remove the HMAC of the field values if so desired.
+* auth/alicloud: Update plugin to [v0.23.1](https://github.com/hashicorp/vault-plugin-auth-alicloud/releases/tag/v0.23.1)
+* auth/azure: Update plugin to [v0.24.0](https://github.com/hashicorp/vault-plugin-auth-azure/releases/tag/v0.24.0)
+* auth/cf: Update plugin to [v0.23.0](https://github.com/hashicorp/vault-plugin-auth-cf/releases/tag/v0.23.0)
+* auth/gcp: Update plugin to [v0.23.1](https://github.com/hashicorp/vault-plugin-auth-gcp/releases/tag/v0.23.1)
+* auth/jwt: Update plugin to [v0.26.1](https://github.com/hashicorp/vault-plugin-auth-jwt/releases/tag/v0.26.1)
+* auth/kerberos: Update plugin to [v0.17.1](https://github.com/hashicorp/vault-plugin-auth-kerberos/releases/tag/v0.17.1)
+* auth/kubernetes: Update plugin to [v0.24.1](https://github.com/hashicorp/vault-plugin-auth-kubernetes/releases/tag/v0.24.1)
+* auth/oci: Update plugin to [v0.21.1](https://github.com/hashicorp/vault-plugin-auth-oci/releases/tag/v0.21.1)
+* auth/saml: Update plugin to v0.8.1
+* core/managed-keys (enterprise): The response to API endpoint GET sys/managed-keys/:type/:name now returns an array of string values for key usages, rather than an array of integer values. The strings used are 'encrypt' (1), 'decrypt' (2), 'sign' (3), 'verify' (4), 'wrap' (5), 'unwrap' (6), 'generate_random' (7), and 'mac' (8).
+* core: Bump Go version to 1.26.2
+* core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)
+* core: bump github.com/hashicorp/cap to v0.12.0
+* core: secondary DR requests can now be authenticated using a root token generated on the primary.
+* core: sys/generate-root and sys/replication/dr/secondary/generate-operation-token endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "generate-root" or "generate-operation-token" respectively.
+* core: sys/rekey endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "rekey".
+* database/couchbase: Update plugin to [v0.16.1](https://github.com/hashicorp/vault-plugin-database-couchbase/releases/tag/v0.16.1)
+* database/elasticsearch: Update plugin to [v0.20.1](https://github.com/hashicorp/vault-plugin-database-elasticsearch/releases/tag/v0.20.1)
+* database/mongodbatlas: Update plugin to [v0.17.1](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/releases/tag/v0.17.1)
+* database/redis-elasticache: Update plugin to [v0.9.1](https://github.com/hashicorp/vault-plugin-database-redis-elasticache/releases/tag/v0.9.1)
+* database/redis: Update plugin to [v0.8.1](https://github.com/hashicorp/vault-plugin-database-redis/releases/tag/v0.8.1)
+* database/snowflake: Update plugin to [v0.16.0](https://github.com/hashicorp/vault-plugin-database-snowflake/releases/tag/v0.16.0)
+* license utilization reporting (enterprise): Manual reporting bundles generated by `vault operator utilization` have a changed format. Notably they contain an array of `snapshot_records` instead of `snapshots`. The `decoded_snapshot` field in each record contains the human-readable data that was previously in the `snapshots` array.
+* mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
+* packaging: Container images are now exported using a compressed OCI image layout.
+* packaging: UBI container images are now built on the UBI 10 minimal image.
+* secrets/ad: Update plugin to [v0.22.1](https://github.com/hashicorp/vault-plugin-secrets-ad/releases/tag/v0.22.1)
+* secrets/alicloud: Update plugin to [v0.22.1](https://github.com/hashicorp/vault-plugin-secrets-alicloud/releases/tag/v0.22.1)
+* secrets/azure: Update azure enterprise secrets plugin to include static roles.
+* secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
+* secrets/azure: Update plugin to v0.26.1+ent
+* secrets/gcp: Update plugin to [v0.24.0](https://github.com/hashicorp/vault-plugin-secrets-gcp/releases/tag/v0.24.0)
+* secrets/gcpkms: Update plugin to [v0.23.0](https://github.com/hashicorp/vault-plugin-secrets-gcpkms/releases/tag/v0.23.0)
+* secrets/keymgmt: Update plugin to [v0.19.0+ent](https://github.com/hashicorp/vault-plugin-secrets-keymgmt/releases/tag/v0.19.0+ent)
+* secrets/kmip: Update plugin to v0.20.0
+* secrets/kubernetes: Update plugin to [v0.13.1](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/releases/tag/v0.13.1)
+* secrets/kv: Update plugin to [v0.26.2](https://github.com/hashicorp/vault-plugin-secrets-kv/releases/tag/v0.26.2)
+* secrets/mongodbatlas: Update plugin to [v0.17.1](https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/releases/tag/v0.17.1)
+* secrets/openldap: Update plugin to [v0.18.0](https://github.com/hashicorp/vault-plugin-secrets-openldap/releases/tag/v0.18.0)
+* secrets/pki: sign-verbatim endpoints no longer ignore basic constraints extension in CSRs, using them in generated certificates if isCA=false or returning an error if isCA=true
+* secrets/terraform: Update plugin to [v0.14.1](https://github.com/hashicorp/vault-plugin-secrets-terraform/releases/tag/v0.14.1)
+* secure-plugin-api: Update to v0.2.0
+* storage: Upgrade aerospike client library to v8.
+* ui/secrets: Secrets engines url paths renamed from '/secrets' to '/secrets-engines'
+* ui: Remove ability to bulk delete secrets engines from the list view.
+
+FEATURES:
+
+* **PKI External CA (Enterprise)**: A new plugin that provides the ability to acquire PKI certificates from Public CA providers through the ACME protocol
+* **IBM PAO License Integration**: Added IBM PAO license support, allowing usage of Vault Enterprise with an IBM PAO license key. A new configuration stanza `license_entitlement` is required in the Vault config to use an IBM license. For more details, see the [License documentation](https://developer.hashicorp.com/vault/docs/license#ibm-pao-license-keys).
+* **KMIP Bring Your Own CA**: Add new API to manage multiple CAs for client verification and make it possible to import external CAs.
+* **LDAP Secrets Engine Enterprise Plugin**: Add the new LDAP Secrets Engine Enterprise plugin. This enterprise version adds support for self-managed static roles and Rotation Manager support for automatic static role rotation. New plugin configurations can be set as "self managed", skipping the requirement for a bindpass field and allowing static roles to use their own password to rotate their credential. Automated static role credential rotation supports fine-grained scheduled rotations and retry policies through Vault Enterprise.
+* **Login MFA TOTP Self-Enrollment (Enterprise)**: Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the `enable_self_enrollment` parameter in the API.
+* **Plugins (Enterprise)**: Allow overriding pinned version when creating and updating database engines
+* **Plugins (Enterprise)**: Allow overriding pinned version when enabling and tuning auth and secrets backends
+* **SCIM 2.0 Identity Provisioning Beta (Beta/Enterprise)**: Adds beta support for Vault to act as a SCIM 2.0 server, allowing external management of Vault entities, aliases and groups.
+* **Template Integration for PublicPKICA**: Vault Agent templates are now automatically re-rendered when a PKI external CA certificate is issued or renewed.
+* **UI ACL Policies intro**: Onboarding intro which provides feature context to users.
+* **UI Authentication methods intro**: Onboarding intro which provides feature context to users.
+* **UI Namespace Wizard (Enterprise)**: Onboarding wizard which provides advice to users based on their intended usage and guides them through namespace creation.
+* **UI Policy Generator (Enterprise)**: Adds policy generator flyout to KV V2 and PKI secrets engines prepopulated with relevant API requests for each page.
+* **UI Secret engines intro**: Onboarding intro which provides feature context to users.
+* **UI TLS Certificate login**: Add UI login support for the TLS certificate (cert) authentication.
+* **UI: Hashi-Built External Plugin Support**: Recognize and support Hashi-built plugins when run as external binaries
+* **UI: Hashi-Built External Plugin Support**: Support external plugin version updates via the GUI.
+* **UI: Mount versioned external plugins**: Adds ability to mount previously registered, external plugins and specify a version when enabling secrets engines.
+* **Vault Agent: ACME protocol support**: Add support to natively support Public CA ACME workflows
+* secrets-sync: implemented workload identity federation support for secrets sync flows.
+
+IMPROVEMENTS:
+
+* **Secrets Engines UI improvement**: Updated configuration views and added tune support for configurations across all compatible secrets engines.
+* **Sidebar UI improvement**: Add top navbar, update sidebar navigation structure, and update page headers.
+* api: Add a SHA256 sum field to the json list response for external plugins.
+* api: Added sudo-permissioned `sys/reporting/scan` endpoint which will output a set of files containing information about Vault state to the location specified by the `reporting_scan_directory` config item.
+* auth/ldap: Require non-empty passwords on login command to prevent unauthenticated access to Vault.
+* config/listener: logs warnings on invalid x-forwarded-for configurations.
+* consumption-billing: Adds a new `sys/billing/overview` endpoint that returns current and previous month consumption billing metrics. Accessible via API client method `client.Sys().BillingOverview()`.
+* core (enterprise): Add common_criteria_mode feature_flags setting which limits listener TLS cipher suites.
+* core (enterprise): Added a new telemetry metric `vault.core.license.termination_time_epoch`.
+* core (enterprise): enable rotation manager to send rotation information required by plugin backends during registration and rotation operations. This allows plugin backends to have the necessary context for managing their rotation state effectively.
+* core (enterprise): enable rotation manager to use configurable retry policies to limit the retry behavior for rotation entries and include an orphaning mechanism to handle entries that exceed the maximum retry attempts.
+* core (enterprise): improve rotation manager error handling by implementing a backoff when re-queueing failed rotations
+* core/identity: Add two new fields to the alias API, external_id and issuer. These fields do not inherently do anything meaningful, and are part of a future feature.
+* core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
+* core/metrics: Reading and listing from a snapshot are now tracked via the `vault.route.read-snapshot.{mount_point}` and `vault.route.list-snapshot.{mount_point}` metrics.
+* core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
+* core: check rotation manager queue every 5 seconds instead of 10 seconds to improve responsiveness
+* dockerfile: container will now run as vault user by default
+* events (enterprise): Add event notifications support for lease events.
+* events (enterprise): Forward event notifications from primary to secondary clusters
+* kmip (enterprise): Add experimental API to execute KMIP requests.
+* license utilization reporting (enterprise): Add metrics for the number of issued PKI certificates.
+* license utilization reporting (enterprise): Utilization reports now include new license metadata fields `issuer`, `edition`, `add_ons`, `license_start_time`, `license_expiration_time`, and `license_termination_time`.
+* license utilization reporting: Added consumption billing metrics.
+* pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification
+* policies: add warning about list comparison when using allowed_parameters or denied_parameters
+* rotation: Ensure rotations for shared paths only execute on the Primary cluster's active node. Ensure rotations for local paths execute on the cluster-local active node.
+* sdk/rotation: Prevent rotation attempts on read-only storage
+* sdk: Add NewTestDockerCluster support for running external plugins within the same container as the server.  Also add support for those plugins to expose their own listeners, as KMIP does.
+* sdk: Add alias_metadata to tokenutil fields that auth method roles use.
+* secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected,  retry attempts, and operation outcomes (success or failure with internal/external cause labels).
+* secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.
+* secret-sync: add parallelization support to sync and unsync operations for secret-key granularity associations
+* secrets-pki (enterprise): Add response data in a parsed format to the audit log for enrollment protocols.
+* secrets-sync (enterprise): Added support for a boolean force_delete flag (default: false). When set to true, this flag allows deletion of a destination even if its associations cannot be unsynced. This option should be used only as a last-resort deletion mechanism, as any secrets already synced to the external provider will remain orphaned and require manual cleanup.
+* secrets-sync (enterprise): Improved the user experience during mount lifecycle changes by triggering immediate unsyncing of external secrets when a secrets engine mount is deleted or disabled. By moving this logic from the background reconciliation loop to a direct callback, the system prevents perceived "leaks" and ensures external secret resources are cleaned up synchronously with the Vault unmount.
+* secrets/database: Add root rotation support for Snowflake database secrets engines using key-pair credentials.
+* secrets/keymgmt (enterprise): Add support for multi-region AWS KMS keys.
+* secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
+* secrets/ldap: Users can now fully manage and tune the LDAP secrets engine. This includes the ability to view, edit, and configure the LDAP engine.
+* secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.
+* secrets/pki (enterprise): Validate entire chain in common criteria mode; add field to enable time checks on validation
+* secrets/pki (enterprise): When the common_criteria_mode feature flag is enabled, NotBefore will always be treated as zero.
+* secrets/pki (enterprise): When the common_criteria_mode feature flag is enabled, enforce a minimum set of key usages for each ext key usage set based on RFC 5280 Section 4.2.1.12 during PKI role updates.
+* secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.
+* secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs
+* secrets/pki: Avoid loading issuer information multiple times per leaf certificate signing
+* secrets/pki: Include the certificate's AuthorityKeyID in response fields for API endpoints that issue, sign, or fetch certs.
+* secrets/pki: OCSP populate details of the response within the new `supplemental_audit_data` section of audit log response entries. Details such as issuer_id, next_update, ocsp_status, serial_number, revoked_at will appear as hmac values by default unless added to the mount's `audit-non-hmac-response-keys` set of keys.
+* secrets/pki: when in common criteria mode, don't allow upload of certificates without a chain of trust.
+* secrets/transit, core: Boost the limit of random bytes retrievable via random byte APIs.  And add the option to get PRNG random bytes seeded by random sources. Note that requests for large numbers of bytes will increase Vault memory usage accordingly.
+* secrets/transit: Improve import errors for non-PKCS#8 keys to clearly require PKCS#8.
+* sys (enterprise): Add sys/billing/certificates API endpoint to retrieve the number of issued PKI certificates.
+* transit (enterprise): Add context parameter to datakeys and derived-keys endpoint, to allow derived key encryption of the DEKs.
+* ui/activity (enterprise): Add clarifying text to explain the "Initial Usage" column will only have timestamps for clients initially used after upgrading to version 1.21
+* ui/activity (enterprise): Allow manual querying of client usage if there is a problem retrieving the license start time.
+* ui/activity (enterprise): Reduce requests to the activity export API by only fetching new data when the dashboard initially loads or is manually refreshed.
+* ui/activity (enterprise): Support filtering months dropdown by ISO timestamp or display value.
+* ui/activity: Display total instead of new monthly clients for HCP managed clusters
+* ui/pki: Adds support to configure `server_flag`, `client_flag`, `code_signing_flag`, and `email_protection_flag` parameters for creating/updating a role.
+* ui: Add "Configuration path" and "Configuration metadata path" fields to KV v2 secret paths page showing paths without /v1/ prefix for use in policies, Vault Agent configurations, and other tools that reference the logical path.
+* ui: After clicking Save or Discard in the unsaved changes modal, the user will now navigate to the intended destination link.
+* ui: Display errors consistently across the application and show API messages where available.
+* ui: Update the sidenav design and add top navbar.
+
+BUG FIXES:
+
+* activity (enterprise): sys/internal/counters/activity outputs the correct mount type when called from a non root namespace
+* agent/pkiexternalca: Fix token distribution to PKI system and HTTP-01 challenge server shutdown preventing certificate acquisition and retries
+* agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
+* audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions.  The logic now warns and clears exec bits to prevent unseal errors.
+* auth/approle (enterprise): Fixed bug that prevented periodic tidy running on performance secondary
+* auth/approle (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/aws (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/cert (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication
+* auth/github (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/ldap (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/okta (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/radius (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/scep (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth/spiffe: Address an issue updating a role with overlapping workload_id_pattern values it previously contained.
+* auth/userpass (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+* auth: fixed panic when suppling integer as a lease_id in renewal.
+* core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.
+* core (enterprise): Avoid duplicate seal rewrapping, and ensure that cluster secondaries rewrap after a seal migration.
+* core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
+* core (enterprise): Fix crash when seal HSM is disconnected
+* core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
+* core/identity (enterprise): Fix excessive logging when updating existing aliases
+* core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.
+* core/managed-keys (enterprise): Fix a problem that prevented 'mac' and 'generate_random' key usages from being set.
+* core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
+* core/rotation: avoid shifting timezones by ignoring cron.SpecSchedule
+* core: Fix bug where background thread to clean the MFA response auth queue runs on PR and DR secondaries.
+* core: interpret all new rotation manager rotation_schedules as UTC to avoid inadvertent use of tz-local
+* default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
+* events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.
+* http: skip JSON limit parsing on cluster listener
+* identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
+* identity: Repair the integrity of duplicate and/or dangling entity aliases.
+* kmip (enterprise): Fix a bug that would cause a panic on Create Key Pair operations that specify no attributes for the private or the public key.
+* ldap auth (enterprise): Fix root password rotation for Active Directory by implementing UTF-16LE encoding and schema-specific handling. Adds new 'schema' config field (defaults to 'openldap' for backward compatibility).
+* logging: Fixed an issue where the `log_requests_level` configuration was not respected on a SIGHUP reload when set to "off" or removed from the config file.
+* plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
+* plugins: Fix regression in plugin sdk where external plugins may panic when doing storage writes/deletes.
+* quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
+* replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.
+* rotation: Fix a bug where a performance secondary would panic if a write was made to a local mount
+* secret sync (enterprise): fix panic in set-association API when using Vault Proxy with token-bound CIDRs. The panic occurred due to missing connection information during CIDR validation.
+* secret sync (enterprise): fixed panic due to nil pointer dereference when reconciling associations. Added guard checks to prevent access to nil references, making association handling more robust.
+* secret-sync (enterprise): Fix race condition in secretsSetRemoveHandler by serializing MemDB transaction access.
+* secret-sync (enterprise): Improved unsync error handling by treating cases where the destination no longer exists as successful.
+* secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
+* secrets-sync (enterprise): Corrected a bug where the deletion of the latest KV-V2 secret version caused the associated external secret to be deleted entirely. The sync job now implements a version fallback mechanism to find and sync the highest available active version, ensuring continuity and preventing the unintended deletion of the external secret resource.
+* secrets-sync (enterprise): Fix issue where secrets were not properly un-synced after destination config changes.
+* secrets-sync (enterprise): Fix issue where sync store deletion could be attempted when sync is disabled.
+* secrets-sync: secrets-sync APIs return appropriate client side error codes when the request is invalid.
+* secrets/azure: Ensure proper installation of the Azure enterprise secrets plugin.
+* secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
+* secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
+* secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
+* secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
+* secrets/pki: Return error when issuing/signing certs whose NotAfter is before NotBefore or whose validity period isn't contained by the CA's.
+* secrets/pki: The root/sign-intermediate endpoint max_path_length parameter is now restricted by the signing CA's max_path_length if set.
+* secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
+* secrets/pki: Warn if the Country field on roles and when generating CAs is not ISO 3166 compliant
+* secrets/pki: allow glob-style DNS names in alt_names.
+* secrets/transit (enterprise): Fix bugs that prevent using ML-DSA and SLH-DSA keys after reading the policy from storage.
+* secrets/transit: Fix nil pointer panic when restoring malformed backup data.
+* ui (enterprise): Fix KV v2 not displaying secrets in namespaces.
+* ui (enterprise): Fixes login form so input renders correctly when token is a preferred login method for a namespace.
+* ui/pki: Fixes certificate parsing of the `key_usage` extension so details accurately reflect certificate values.
+* ui/pki: Fixes creating and updating a role so `basic_constraints_valid_for_non_ca` is correctly set.
+* ui: Fix KV v2 metadata list request failing for policies without a trailing slash in the path.
+* ui: Fix secrets table pagination when switching page sizes.
+* ui: Fixes login form so `?with=<path>` query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with `listing_visibility="unauth"`
+* ui: Resolved a regression that prevented users with create and update permissions on KV v1 secrets from opening the edit view. The UI now correctly recognizes these capabilities and allows editing without requiring full read access.
+* ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector
+* ui: Update LDAP accounts checked-in table to display hierarchical LDAP libraries
+* ui: Update LDAP library count to reflect the total number of nodes instead of number of directories
+* ui: fix renew token button rendering for denied renew-self.
+* ui: remove unnecessary 'credential type' form input when generating AWS secrets
+
+## 1.21.7 Enterprise
+### June 05, 2026
+BREAKING CHANGES:
+
+* containers: Remove `cap_ipc_lock` capability on `vault` at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call `mlock()` to lock memory. Operators should set `disable_mlock = true` in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
+* secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
+
+
+CHANGES:
+
+* core: Bump Go version to 1.25.11
+* secrets/azure (enterprise): Update plugin to [v0.25.3+ent](https://github.com/hashicorp/vault-plugin-secrets-azure-enterprise/releases/tag/v0.25.3+ent)
+
+BUG FIXES:
+
+* plugins: Fix plugin signature verification failure with expired pgp key when registering a plugin.
+* ui/transit: Fix key version dropdown selected state when editing a transit key.
+
+## 1.21.6 Enterprise
+### May 19, 2026
+BREAKING CHANGES:
+
+* containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add `IPC_LOCK` capabilities when running the vault container.
+
+SECURITY:
+
+* api: Update golang.org/x/net to resolve GO-2026-4918"
+* core/identity: reject wildcards in rendered identity templates
+* core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+* core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* core: Update golang.org/x/net to resolve GO-2026-4918"
+* core: Validate both `path` and `file_path` cannot be empty for requests to `sys/audit/{path}`
+* sdk: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* sdk: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* sdk: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* sdk: Update golang.org/x/net to resolve GO-2026-4918"
+
+CHANGES:
+
+* auth/jwt: Update plugin to [v0.25.1](https://github.com/hashicorp/vault-plugin-auth-jwt/releases/tag/v0.25.1)
+* core: Bump Go version to 1.25.10
+* identity: Require `sudo` capability to invoke the identity entity merge API endpoint (`identity/entity/merge`).
+* secrets/azure: Update plugin to [v0.25.2+ent](https://github.com/hashicorp/vault-plugin-secrets-azure/releases/tag/v0.25.2+ent)
+
+IMPROVEMENTS:
+
+* api: Add migration_done_at_epoch to sys/seal-status response.
+* core (Enterprise): Sanitized config now shows kms_library config.
+* core/seal (enterprise): Make it possible for new nodes to join a cluster configured with Seal High Availability.
+* sdk: Expand support for docker test cluster options like seals, kms libraries, and entropy augmentation. DockerClusterNode.UpdateConfig now takes a full set of cluster options instead of just node config.
+* secrets/pki (enterprise): Allow SCEP to use an issuer that is backed by an RSA based PKCS#11 managed key
+* ui: `unsafe-inline` is no longer included in the `style-src` CSP directive.
+
+BUG FIXES:
+
+* client/ocsp: Adds a grace period to renew the cached entry for OCSP response.
+* database/mssql: Fix "sysadmin" requirement during lease revocation by replacing the undocumented `sp_msloginmappings` procedure with a granular metadata query. This allows the plugin to function with `VIEW ANY DEFINITION` instead of full `sysadmin` privileges.
+* database/mssql: Fix dynamic secret revocation by executing custom statements as a single batch instead of splitting on semicolons
+* database/snowflake: Fix WAL rollback issue for key-pair root credential rotation.
+* database: prevent static role rotation and connection init from hanging indefinitely when database calls block by adding timeouts around UpdateUser and Initialize
+* go-plugin: Upgrade go-plugin to fix a bug where file descriptors could be leaked when spawning external plugins
+* identity: fixed a rare but possible data race issue with identities.
+* plugins/database/hana: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL identifiers before ALTER USER and DROP USER statements.
+plugins/database/redshift: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL string literals when invoking terminateloop(...), preventing statement-structure manipulation.
+* sdk: Small bugfixes relating to docker test container cleanup and image building.
+* secrets/kmip (enterprise): Address a nil pointer within the invalidation handler for managed objects.
+* secrets/pki (enterprise): Include root CA in chain for CIEPS endpoints when root is the direct issuer, unless `remove_roots_from_chain` is true.
+* ui: Fix LDAP check-out capabilities check.
+* ui: Fix entities page to show success message after successfully editing an entity.
+* ui: Fix secrets table pagination when switching page sizes.
+* ui: Fixed custom messages list to display the expiration time on Inactive message badges.
+* ui: Restore re-sizable columns for secrets and namespaces tables.
+* ui: Update KV max_version validation to disallow negative values.
+
+## 1.21.5  Enterprise
+### April 14, 2026  
+
+BREAKING CHANGES:  
+
+* sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.  
+
+SECURITY:  
+
+* api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.  
+* api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+* core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.  
+* core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5  
+* core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.  
+* core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+* core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.  
+* core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.  
+* core: reject URL-encoded paths that do not specify a canonical path  
+* sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5  
+* sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+
+CHANGES:  
+
+* core: Bump Go version to 1.25.9  
+* core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)  
+
+IMPROVEMENTS:  
+
+* config/listener: logs warnings on invalid x-forwarded-for configurations.  
+* dockerfile: container will now run as vault user by default  
+* events (enterprise): Forward event notifications from primary to secondary clusters  
+* pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification  
+* secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.  
+* secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs  
+* secrets/transit: Improve import errors for non-PKCS#8 keys to clearly require PKCS#8.  
+* transit (enterprise): Add context parameter to datakeys and derived-keys endpoint, to allow derived key encryption of the DEKs.  
+
+BUG FIXES:  
+
+* audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. The logic now warns and clears exec bits to prevent unseal errors.  
+* auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication  
+* core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.  
+* core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.  
+* events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.  
+* identity: Repair the integrity of duplicate and/or dangling entity aliases.  
+* ldap auth (enterprise): Fix root password rotation for Active Directory by implementing UTF-16LE encoding and schema-specific handling. Adds new 'schema' config field (defaults to 'openldap' for backward compatibility).  
+* secret sync (enterprise): fix panic in set-association API when using Vault Proxy with token-bound CIDRs. The panic occurred due to missing connection information during CIDR validation.  
+* secret sync (enterprise): fixed panic due to nil pointer dereference when reconciling associations. Added guard checks to prevent access to nil references, making association handling more robust.  
+* secret-sync (enterprise): Fix race condition in secretsSetRemoveHandler by serializing MemDB transaction access.  
+* secrets/pki: The root/sign-intermediate endpoint max_path_length parameter is now restricted by the signing CA's max_path_length if set.  
+* secrets/transit (enterprise): Fix bugs that prevent using ML-DSA and SLH-DSA keys after reading the policy from storage.
+
+## 1.21.4
+### March 05, 2026
+
+SECURITY:
+
+* Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+* Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
+* vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+* vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394
+
+CHANGES:
+
+* core: Bump Go version to 1.25.7
+* mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
+* ui: Remove ability to bulk delete secrets engines from the list view.
+
+IMPROVEMENTS:
+
+* core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
+* secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
+* secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.
+
+BUG FIXES:
+
+* core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
+* core/identity (enterprise): Fix excessive logging when updating existing aliases
+* core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
+* plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
+* secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
+* secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
+* secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
+* secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
+* secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
+* secrets/pki: allow glob-style DNS names in alt_names.
+
 ## 1.21.3
 ### February 05, 2026
 
@@ -327,6 +845,159 @@ BUG FIXES:
 * ui: Revert camelizing of parameters returned from `sys/internal/ui/mounts` so mount paths match serve value
 * ui: Fixes permissions for hiding and showing sidebar navigation items for policies that include special characters: `+`, `*`
 
+## 1.20.12 Enterprise
+### June 05, 2026
+BREAKING CHANGES:
+
+* containers: Remove `cap_ipc_lock` capability on `vault` at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call `mlock()` to lock memory. Operators should set `disable_mlock = true` in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
+* secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
+
+
+CHANGES:
+
+* core: Bump Go version to 1.25.11
+
+BUG FIXES:
+
+* plugins: Fix plugin signature verification failure with expired pgp key when registering a plugin.
+
+## 1.20.11 Enterprise
+### May 19, 2026
+BREAKING CHANGES:
+
+* containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add `IPC_LOCK` capabilities when running the vault container.
+
+SECURITY:
+
+* api: Update golang.org/x/net to resolve GO-2026-4918"
+* core/identity: reject wildcards in rendered identity templates
+* core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+* core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* core: Update golang.org/x/net to resolve GO-2026-4918"
+* core: Validate both `path` and `file_path` cannot be empty for requests to `sys/audit/{path}`
+* sdk: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* sdk: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* sdk: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* sdk: Update golang.org/x/net to resolve GO-2026-4918"
+
+CHANGES:
+
+* auth/jwt: Update plugin to [v0.24.2](https://github.com/hashicorp/vault-plugin-auth-jwt/releases/tag/v0.24.2)
+* core: Bump Go version to 1.25.10
+* identity: Require `sudo` capability to invoke the identity entity merge API endpoint (`identity/entity/merge`).
+
+IMPROVEMENTS:
+
+* api: Add migration_done_at_epoch to sys/seal-status response.
+* core (Enterprise): Sanitized config now shows kms_library config.
+* core/seal (enterprise): Make it possible for new nodes to join a cluster configured with Seal High Availability.
+* sdk: Expand support for docker test cluster options like seals, kms libraries, and entropy augmentation. DockerClusterNode.UpdateConfig now takes a full set of cluster options instead of just node config.
+* secrets/pki (enterprise): Allow SCEP to use an issuer that is backed by an RSA based PKCS#11 managed key
+* ui: `unsafe-inline` is no longer included in the `style-src` CSP directive.
+
+BUG FIXES:
+
+* client/ocsp: Adds a grace period to renew the cached entry for OCSP response.
+* core: Fix failure to detect errors during storage writes of totp keys.
+* database/mssql: Fix "sysadmin" requirement during lease revocation by replacing the undocumented `sp_msloginmappings` procedure with a granular metadata query. This allows the plugin to function with `VIEW ANY DEFINITION` instead of full `sysadmin` privileges.
+* database/mssql: Fix dynamic secret revocation by executing custom statements as a single batch instead of splitting on semicolons
+* database/snowflake: Fix WAL rollback issue for key-pair root credential rotation.
+* database: prevent static role rotation and connection init from hanging indefinitely when database calls block by adding timeouts around UpdateUser and Initialize
+* go-plugin: Upgrade go-plugin to fix a bug where file descriptors could be leaked when spawning external plugins
+* identity: fixed a rare but possible data race issue with identities.
+* plugins/database/hana: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL identifiers before ALTER USER and DROP USER statements.
+plugins/database/redshift: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL string literals when invoking terminateloop(...), preventing statement-structure manipulation.
+* sdk: Small bugfixes relating to docker test container cleanup and image building.
+* secrets/kmip (enterprise): Address a nil pointer within the invalidation handler for managed objects.
+* secrets/pki (enterprise): Include root CA in chain for CIEPS endpoints when root is the direct issuer, unless `remove_roots_from_chain` is true.
+* ui/transit: Fix key version dropdown selected state when editing a transit key.
+* ui: Fix LDAP check-out capabilities check.
+* ui: Fix entities page to show success message after successfully editing an entity.
+
+## 1.20.10  Enterprise
+### April 14, 2026  
+
+BREAKING CHANGES:  
+
+* sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.  
+
+SECURITY:  
+
+* api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.  
+* api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+* core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.  
+* core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5  
+* core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.  
+* core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+* core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.  
+* core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.  
+* core: reject URL-encoded paths that do not specify a canonical path  
+* sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5  
+* sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+
+CHANGES:  
+
+* core: Bump Go version to 1.25.9  
+* core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)  
+
+IMPROVEMENTS:  
+
+* config/listener: logs warnings on invalid x-forwarded-for configurations.  
+* dockerfile: container will now run as vault user by default  
+* pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification  
+* secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.  
+* secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs  
+
+BUG FIXES:  
+
+* audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. The logic now warns and clears exec bits to prevent unseal errors.  
+* auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication  
+* core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.  
+* core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.  
+* events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.  
+* identity: Repair the integrity of duplicate and/or dangling entity aliases.  
+* ldap auth (enterprise): Fix root password rotation for Active Directory by implementing UTF-16LE encoding and schema-specific handling. Adds new 'schema' config field (defaults to 'openldap' for backward compatibility).  
+* secret sync (enterprise): fix panic in set-association API when using Vault Proxy with token-bound CIDRs. The panic occurred due to missing connection information during CIDR validation.  
+* secret sync (enterprise): fixed panic due to nil pointer dereference when reconciling associations. Added guard checks to prevent access to nil references, making association handling more robust.  
+* secrets/pki: The root/sign-intermediate endpoint max_path_length parameter is now restricted by the signing CA's max_path_length if set.  
+* secrets/transit (enterprise): Fix bugs that prevent using ML-DSA and SLH-DSA keys after reading the policy from storage.
+
+## 1.20.9 Enterprise
+### March 05, 2026
+
+SECURITY:
+
+* Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+* Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
+* vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+* vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394
+
+CHANGES:
+
+* core: Bump Go version to 1.25.7
+* mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
+
+IMPROVEMENTS:
+
+* core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
+* secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
+* secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.
+
+BUG FIXES:
+
+* core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
+* core/identity (enterprise): Fix excessive logging when updating existing aliases
+* core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
+* plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
+* secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
+* secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
+* secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
+* secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
+* secrets/pki: allow glob-style DNS names in alt_names.
+* ui: Fixes login form so `?with=<path>` query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with `listing_visibility="unauth"`
+
 ## 1.20.8 Enterprise
 ### February 05, 2026
 
@@ -750,6 +1421,153 @@ intermediate certificates. [[GH-30034](https://github.com/hashicorp/vault/pull/3
 * ui: MFA methods now display the namespace path instead of the namespace id. [[GH-29588](https://github.com/hashicorp/vault/pull/29588)]
 * ui: Redirect users authenticating with Vault as an OIDC provider to log in again when token expires. [[GH-30838](https://github.com/hashicorp/vault/pull/30838)]
 
+## 1.19.18 Enterprise
+### June 05, 2026
+BREAKING CHANGES:
+
+* containers: Remove `cap_ipc_lock` capability on `vault` at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call `mlock()` to lock memory. Operators should set `disable_mlock = true` in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
+* secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
+
+
+CHANGES:
+
+* core: Bump Go version to 1.25.11
+
+BUG FIXES:
+
+* plugins: Fix plugin signature verification failure with expired pgp key when registering a plugin.
+* ui/transit: Fix key version dropdown selected state when editing a transit key.
+
+## 1.19.17 Enterprise
+### May 19, 2026
+BREAKING CHANGES:
+
+* containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add `IPC_LOCK` capabilities when running the vault container.
+
+SECURITY:
+
+* api: Update golang.org/x/net to resolve GO-2026-4918"
+* core/identity: reject wildcards in rendered identity templates
+* core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+* core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* core: Update golang.org/x/net to resolve GO-2026-4918"
+* core: Validate both `path` and `file_path` cannot be empty for requests to `sys/audit/{path}`
+* sdk: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+* sdk: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+* sdk: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+* sdk: Update golang.org/x/net to resolve GO-2026-4918"
+
+CHANGES:
+
+* auth/jwt: Update plugin to [v0.23.3](https://github.com/hashicorp/vault-plugin-auth-jwt/releases/tag/v0.23.3)
+* core: Bump Go version to 1.25.10
+* core: secondary DR requests can now be authenticated using a root token generated on the primary.
+* core: sys/generate-root and sys/replication/dr/secondary/generate-operation-token endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "generate-root" or "generate-operation-token" respectively.
+* core: sys/rekey endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "rekey".
+* identity: Require `sudo` capability to invoke the identity entity merge API endpoint (`identity/entity/merge`).
+
+IMPROVEMENTS:
+
+* api: Add migration_done_at_epoch to sys/seal-status response.
+* core (Enterprise): Sanitized config now shows kms_library config.
+* core/seal (enterprise): Make it possible for new nodes to join a cluster configured with Seal High Availability.
+* sdk: Expand support for docker test cluster options like seals, kms libraries, and entropy augmentation. DockerClusterNode.UpdateConfig now takes a full set of cluster options instead of just node config.
+
+BUG FIXES:
+
+* client/ocsp: Adds a grace period to renew the cached entry for OCSP response.
+* core: Fix failure to detect errors during storage writes of totp keys.
+* database/mssql: Fix "sysadmin" requirement during lease revocation by replacing the undocumented `sp_msloginmappings` procedure with a granular metadata query. This allows the plugin to function with `VIEW ANY DEFINITION` instead of full `sysadmin` privileges.
+* database/mssql: Fix dynamic secret revocation by executing custom statements as a single batch instead of splitting on semicolons
+* database/snowflake: Fix WAL rollback issue for key-pair root credential rotation.
+* database: prevent static role rotation and connection init from hanging indefinitely when database calls block by adding timeouts around UpdateUser and Initialize
+* go-plugin: Upgrade go-plugin to fix a bug where file descriptors could be leaked when spawning external plugins
+* identity: fixed a rare but possible data race issue with identities.
+* plugins/database/hana: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL identifiers before ALTER USER and DROP USER statements.
+plugins/database/redshift: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL string literals when invoking terminateloop(...), preventing statement-structure manipulation.
+* sdk: Small bugfixes relating to docker test container cleanup and image building.
+* secrets/kmip (enterprise): Address a nil pointer within the invalidation handler for managed objects.
+* secrets/pki (enterprise): Include root CA in chain for CIEPS endpoints when root is the direct issuer, unless `remove_roots_from_chain` is true.
+* ui: Update DR operation token generation to accept a primary root token for authentication.
+
+## 1.19.16  Enterprise
+### April 14, 2026  
+
+**Enterprise LTS:** Vault Enterprise 1.19 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
+
+BREAKING CHANGES:  
+
+* sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.  
+
+SECURITY:  
+
+* api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.  
+* api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+* core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.  
+* core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5  
+* core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.  
+* core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+* core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.  
+* core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.  
+* core: reject URL-encoded paths that do not specify a canonical path  
+* sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5  
+* sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.  
+
+CHANGES:  
+
+* core: Bump Go version to 1.25.9  
+* core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)  
+
+IMPROVEMENTS:  
+
+* config/listener: logs warnings on invalid x-forwarded-for configurations.  
+* dockerfile: container will now run as vault user by default  
+* pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification  
+* secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.  
+
+BUG FIXES:  
+
+* audit/file: The logic preventing setting of executable bits on audit devices was enforced at unseal instead of just at new audit device creation, causing an error at unseal if an existing audit device had exec permissions. The logic now warns and clears exec bits to prevent unseal errors.  
+* auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication  
+* core (Enterprise): fix unaligned atomic panic in replication code on 32-bit platforms.  
+* core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.  
+* events (enterprise): Fix missed events when multiple event clients specify the same namespace and event type filters and one client disconnects.  
+* identity: Repair the integrity of duplicate and/or dangling entity aliases.  
+* ldap auth (enterprise): Fix root password rotation for Active Directory by implementing UTF-16LE encoding and schema-specific handling. Adds new 'schema' config field (defaults to 'openldap' for backward compatibility).  
+* secret sync (enterprise): fix panic in set-association API when using Vault Proxy with token-bound CIDRs. The panic occurred due to missing connection information during CIDR validation.  
+* secret sync (enterprise): fixed panic due to nil pointer dereference when reconciling associations. Added guard checks to prevent access to nil references, making association handling more robust.  
+* secrets/pki: The root/sign-intermediate endpoint max_path_length parameter is now restricted by the signing CA's max_path_length if set.  
+* secrets/transit (enterprise): Fix bugs that prevent using ML-DSA and SLH-DSA keys after reading the policy from storage.
+  
+## 1.19.15 Enterprise
+### March 05, 2026
+
+SECURITY:
+
+* Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
+* vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394
+
+CHANGES:
+
+* core: Bump Go version to 1.25.7
+* mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
+
+IMPROVEMENTS:
+
+* core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
+* secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
+
+BUG FIXES:
+
+* core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
+* core/identity (enterprise): Fix excessive logging when updating existing aliases
+* core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
+* secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
+* secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
+* secrets/pki: allow glob-style DNS names in alt_names.
+
 ## 1.19.14 Enterprise
 ### February 05, 2026
 
@@ -2586,7 +3404,26 @@ autopilot to fail to discover new server versions and so not trigger an upgrade.
 * ui: fixed a bug where the replication pages did not update display when navigating between DR and performance [[GH-26325](https://github.com/hashicorp/vault/pull/26325)]
 * ui: fixes undefined start time in filename for downloaded client count attribution csv [[GH-26485](https://github.com/hashicorp/vault/pull/26485)]
 
-## 1.16.30
+## 1.16.31 Enterprise
+### March 05, 2026
+
+**Enterprise LTS:** Vault Enterprise 1.16 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
+
+SECURITY:
+
+* Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
+* vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394
+
+CHANGES:
+
+* core: Bump Go version to 1.24.13
+* mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
+
+IMPROVEMENTS:
+
+* core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
+
+## 1.16.30 Enterprise
 ### February 05, 2026
 
 **Enterprise LTS:** Vault Enterprise 1.16 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
diff --git a/Dockerfile b/Dockerfile
index 32da3d036a..cb1768083d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,182 +1,7 @@
-# Copyright IBM Corp. 2016, 2025
+# Copyright IBM Corp. 2016, 2026
 # SPDX-License-Identifier: BUSL-1.1
 
-## DOCKERHUB DOCKERFILE ##
-FROM alpine:3 AS default
-
-ARG BIN_NAME
-# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
-# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
-ARG NAME=vault
-ARG PRODUCT_VERSION
-ARG PRODUCT_REVISION
-# TARGETARCH and TARGETOS are set automatically when --platform is provided.
-ARG TARGETOS TARGETARCH
-# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific.
-ARG LICENSE_SOURCE
-# LICENSE_DEST is the path where license files are installed in the container
-ARG LICENSE_DEST
-
-# Additional metadata labels used by container registries, platforms
-# and certification scanners.
-LABEL name="Vault" \
-      maintainer="Vault Team <vault@hashicorp.com>" \
-      vendor="HashiCorp" \
-      version=${PRODUCT_VERSION} \
-      release=${PRODUCT_REVISION} \
-      revision=${PRODUCT_REVISION} \
-      summary="Vault is a tool for securely accessing secrets." \
-      description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
-
-# Copy the license file as per Legal requirement
-COPY ${LICENSE_SOURCE} ${LICENSE_DEST}
-
-# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
-ENV NAME=$NAME
-
-# Create a non-root user to run the software.
-RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}
-
-RUN apk add --no-cache libcap su-exec dumb-init tzdata
-
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
-
-# /vault/logs is made available to use as a location to store audit logs, if
-# desired; /vault/file is made available to use as a location with the file
-# storage backend, if desired; the server will be started with /vault/config as
-# the configuration directory so you can add additional config files in that
-# location.
-RUN mkdir -p /vault/logs && \
-    mkdir -p /vault/file && \
-    mkdir -p /vault/config && \
-    chown -R ${NAME}:${NAME} /vault
-
-# Expose the logs directory as a volume since there's potentially long-running
-# state in there
-VOLUME /vault/logs
-
-# Expose the file directory as a volume since there's potentially long-running
-# state in there
-VOLUME /vault/file
-
-# 8200/tcp is the primary interface that applications use to interact with
-# Vault.
-EXPOSE 8200
-
-# The entry point script uses dumb-init as the top-level process to reap any
-# zombie processes created by Vault sub-processes.
-#
-# For production derivatives of this container, you should add the IPC_LOCK
-# capability so that Vault can mlock memory.
-COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-
-# # By default you'll get a single-node development server that stores everything
-# # in RAM and bootstraps itself. Don't use this configuration for production.
-CMD ["server", "-dev"]
-
-
-## UBI DOCKERFILE ##
-FROM registry.access.redhat.com/ubi10/ubi-minimal AS ubi
-
-ARG BIN_NAME
-# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
-# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
-ARG NAME=vault
-ARG PRODUCT_VERSION
-ARG PRODUCT_REVISION
-# TARGETARCH and TARGETOS are set automatically when --platform is provided.
-ARG TARGETOS TARGETARCH
-# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific.
-ARG LICENSE_SOURCE
-# LICENSE_DEST is the path where license files are installed in the container
-ARG LICENSE_DEST
-
-# Additional metadata labels used by container registries, platforms
-# and certification scanners.
-LABEL name="Vault" \
-      maintainer="Vault Team <vault@hashicorp.com>" \
-      vendor="HashiCorp" \
-      version=${PRODUCT_VERSION} \
-      release=${PRODUCT_REVISION} \
-      revision=${PRODUCT_REVISION} \
-      summary="Vault is a tool for securely accessing secrets." \
-      description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
-
-# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
-ENV NAME=$NAME
-
-# Copy the license file as per Legal requirement
-COPY ${LICENSE_SOURCE} ${LICENSE_DEST}/
-
-# We must have a copy of the license in this directory to comply with the HasLicense Redhat requirement
-# Note the trailing slash on the first argument -- plain files meet the requirement but directories do not.
-COPY ${LICENSE_SOURCE}/ /licenses/
-
-# Set up certificates, our base tools, and Vault. Unlike the other version of
-# this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile),
-# we copy in the Vault binary from CRT.
-RUN set -eux; \
-    microdnf install -y ca-certificates gnupg openssl libcap tzdata procps shadow-utils util-linux tar
-
-# Create a non-root user to run the software.
-RUN groupadd --gid 1000 vault && \
-    adduser --uid 100 --system -g vault vault && \
-    usermod -a -G root vault
-
-# Copy in the new Vault from CRT pipeline, rather than fetching it from our
-# public releases.
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
-
-# /vault/logs is made available to use as a location to store audit logs, if
-# desired; /vault/file is made available to use as a location with the file
-# storage backend, if desired; the server will be started with /vault/config as
-# the configuration directory so you can add additional config files in that
-# location.
-ENV HOME=/home/vault
-RUN mkdir -p /vault/logs && \
-    mkdir -p /vault/file && \
-    mkdir -p /vault/config && \
-    mkdir -p $HOME && \
-    chown -R vault /vault && chown -R vault $HOME && \
-    chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \
-    chgrp -R 0 /vault && chmod -R g+rwX /vault
-
-# Expose the logs directory as a volume since there's potentially long-running
-# state in there
-VOLUME /vault/logs
-
-# Expose the file directory as a volume since there's potentially long-running
-# state in there
-VOLUME /vault/file
-
-# 8200/tcp is the primary interface that applications use to interact with
-# Vault.
-EXPOSE 8200
-
-# The entry point script uses dumb-init as the top-level process to reap any
-# zombie processes created by Vault sub-processes.
-#
-# For production derivatives of this container, you should add the IPC_LOCK
-# capability so that Vault can mlock memory.
-COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-# Use the Vault user as the default user for starting this container.
-USER vault
-
-# # By default you'll get a single-node development server that stores everything
-# # in RAM and bootstraps itself. Don't use this configuration for production.
-CMD ["server", "-dev"]
-
-FROM ubi AS ubi-fips
-
-FROM ubi AS ubi-hsm
-
-FROM ubi AS ubi-hsm-fips
-
-## Builder:
+## Builder
 #
 #  A build container used to build the Vault binary. We use focal because the
 #  version of glibc is old enough for all of our supported distros for editions
@@ -225,3 +50,180 @@ COPY .build/entrypoint.sh .
 RUN chmod +x entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
+
+#  Default
+#
+#  Our default conatiner image.
+#
+FROM alpine:3 AS default
+
+ARG BIN_NAME
+# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
+# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
+ARG NAME=vault
+ARG PRODUCT_VERSION
+ARG PRODUCT_REVISION
+# TARGETARCH and TARGETOS are set automatically when --platform is provided.
+ARG TARGETOS TARGETARCH
+# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific.
+ARG LICENSE_SOURCE
+# LICENSE_DEST is the path where license files are installed in the container
+ARG LICENSE_DEST
+
+# Additional metadata labels used by container registries, platforms
+# and certification scanners.
+LABEL name="Vault" \
+      maintainer="Vault Team <vault@hashicorp.com>" \
+      vendor="HashiCorp" \
+      version=${PRODUCT_VERSION} \
+      release=${PRODUCT_REVISION} \
+      revision=${PRODUCT_REVISION} \
+      summary="Vault is a tool for securely accessing secrets." \
+      description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
+
+# Copy the license file as per Legal requirement
+COPY ${LICENSE_SOURCE} ${LICENSE_DEST}
+
+# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
+ENV NAME=$NAME
+
+# Create a non-root user to run the software.
+RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}
+
+# NOTE: zlib is only here to resolve ALPINE-CVE-2026-27171, it can be removed
+# when when our Alpine release is >= 3.23.4
+RUN apk update && apk add --upgrade --no-cache su-exec dumb-init tzdata zlib
+
+COPY dist/$TARGETOS/$TARGETARCH/${BIN_NAME} /bin/${BIN_NAME}
+
+# /vault/logs is made available to use as a location to store audit logs, if
+# desired; /vault/file is made available to use as a location with the file
+# storage backend, if desired; the server will be started with /vault/config as
+# the configuration directory so you can add additional config files in that
+# location.
+RUN mkdir -p /vault/logs && \
+    mkdir -p /vault/file && \
+    mkdir -p /vault/config && \
+    chown -R ${NAME}:${NAME} /vault
+
+# Expose the logs directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/logs
+
+# Expose the file directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/file
+
+# 8200/tcp is the primary interface that applications use to interact with
+# Vault.
+EXPOSE 8200
+
+# The entry point script uses dumb-init as the top-level process to reap any
+# zombie processes created by Vault sub-processes.
+#
+# For production derivatives of this container, you should add the IPC_LOCK
+# capability so that Vault can mlock memory.
+COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# Use the Vault user as the default user for starting this container.
+USER ${NAME}
+
+# # By default you'll get a single-node development server that stores everything
+# # in RAM and bootstraps itself. Don't use this configuration for production.
+CMD ["server", "-dev"]
+
+
+#  UBI
+#
+#  Our UBI container image
+#
+FROM registry.access.redhat.com/ubi10/ubi-minimal AS ubi
+
+ARG BIN_NAME
+# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
+# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
+ARG NAME=vault
+ARG PRODUCT_VERSION
+ARG PRODUCT_REVISION
+# TARGETARCH and TARGETOS are set automatically when --platform is provided.
+ARG TARGETOS TARGETARCH
+# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific.
+ARG LICENSE_SOURCE
+# LICENSE_DEST is the path where license files are installed in the container
+ARG LICENSE_DEST
+
+# Additional metadata labels used by container registries, platforms
+# and certification scanners.
+LABEL name="Vault" \
+      maintainer="Vault Team <vault@hashicorp.com>" \
+      vendor="HashiCorp" \
+      version=${PRODUCT_VERSION} \
+      release=${PRODUCT_REVISION} \
+      revision=${PRODUCT_REVISION} \
+      summary="Vault is a tool for securely accessing secrets." \
+      description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
+
+# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
+ENV NAME=$NAME
+
+# Copy the license file as per Legal requirement
+COPY ${LICENSE_SOURCE} ${LICENSE_DEST}/
+
+# We must have a copy of the license in this directory to comply with the HasLicense Redhat requirement
+# Note the trailing slash on the first argument -- plain files meet the requirement but directories do not.
+COPY ${LICENSE_SOURCE}/ /licenses/
+
+# Set up certificates, our base tools, and Vault. Unlike the other version of
+# this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile),
+# we copy in the Vault binary from CRT.
+RUN set -eux; \
+    microdnf install -y ca-certificates gnupg openssl tzdata procps shadow-utils util-linux tar
+
+# Create a non-root user to run the software.
+RUN groupadd --gid 1000 vault && \
+    adduser --uid 100 --system -g vault vault && \
+    usermod -a -G root vault
+
+COPY dist/$TARGETOS/$TARGETARCH/${BIN_NAME} /bin/${BIN_NAME}
+
+# /vault/logs is made available to use as a location to store audit logs, if
+# desired; /vault/file is made available to use as a location with the file
+# storage backend, if desired; the server will be started with /vault/config as
+# the configuration directory so you can add additional config files in that
+# location.
+ENV HOME=/home/vault
+RUN mkdir -p /vault/logs && \
+    mkdir -p /vault/file && \
+    mkdir -p /vault/config && \
+    mkdir -p $HOME && \
+    chown -R vault /vault && chown -R vault $HOME && \
+    chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \
+    chgrp -R 0 /vault && chmod -R g+rwX /vault
+
+# Expose the logs directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/logs
+
+# Expose the file directory as a volume since there's potentially long-running
+# state in there
+VOLUME /vault/file
+
+# 8200/tcp is the primary interface that applications use to interact with
+# Vault.
+EXPOSE 8200
+
+# The entry point script uses dumb-init as the top-level process to reap any
+# zombie processes created by Vault sub-processes.
+#
+# For production derivatives of this container, you should add the IPC_LOCK
+# capability so that Vault can mlock memory.
+COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# Use the Vault user as the default user for starting this container.
+USER ${NAME}
+
+# # By default you'll get a single-node development server that stores everything
+# # in RAM and bootstraps itself. Don't use this configuration for production.
+CMD ["server", "-dev"]
diff --git a/LICENSE b/LICENSE
index fbeca00ad7..9017076a38 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,22 +3,22 @@ License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
 
 Parameters
 
-Licensor:             HashiCorp, Inc.
+Licensor:             International Business Machines Corporation (IBM)
 Licensed Work:        Vault Version 1.15.0 or later. The Licensed Work is (c) 2024
-                      HashiCorp, Inc.
+                      IBM Corp.
 Additional Use Grant: You may make production use of the Licensed Work, provided
                       Your use does not include offering the Licensed Work to third
                       parties on a hosted or embedded basis in order to compete with 
-                      HashiCorp's paid version(s) of the Licensed Work. For purposes 
+                      IBM Corp's paid version(s) of the Licensed Work. For purposes 
                       of this license:
 
                       A "competitive offering" is a Product that is offered to third
                       parties on a paid basis, including through paid support 
                       arrangements, that significantly overlaps with the capabilities 
-                      of HashiCorp's paid version(s) of the Licensed Work. If Your 
+                      of IBM Corp's paid version(s) of the Licensed Work. If Your 
                       Product is not a competitive offering when You first make it 
                       generally available, it will not become a competitive offering
-                      later due to HashiCorp releasing a new version of the Licensed 
+                      later due to IBM Corp releasing a new version of the Licensed 
                       Work with additional capabilities. In addition, Products that 
                       are not provided on a paid basis are not competitive.
 
@@ -34,10 +34,10 @@ Additional Use Grant: You may make production use of the Licensed Work, provided
 
                       Hosting or using the Licensed Work(s) for internal purposes 
                       within an organization is not considered a competitive 
-                      offering. HashiCorp considers your organization to include all 
+                      offering. IBM Corp considers your organization to include all 
                       of your affiliates under common control.
 
-                      For binding interpretive guidance on using HashiCorp products 
+                      For binding interpretive guidance on using IBM Corp products 
                       under the Business Source License, please visit our FAQ. 
                       (https://www.hashicorp.com/license-faq)
 Change Date:          Four years from the date the Licensed Work is published.
diff --git a/Makefile b/Makefile
index e986fdd73b..e42f721a8a 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,13 @@ INTEG_TEST_TIMEOUT=120m
 VETARGS?=-asmdecl -atomic -bool -buildtags -copylocks -methods -nilfunc -printf -rangeloops -shift -structtags -unsafeptr
 GOFMT_FILES?=$$(find . -name '*.go' | grep -v pb.go | grep -v vendor)
 SED?=$(shell command -v gsed || command -v sed)
+SED_CMD := $(SED) -i
+# MacOS without gsed requires an empty string argument for -i.
+ifeq ($(shell uname -s),Darwin)
+	ifneq ($(findstring gsed,$(SED)),gsed)
+		SED_CMD := $(SED) -i ''
+	endif
+endif
 
 GO_VERSION_MIN=$$(cat $(CURDIR)/.go-version)
 GO_CMD?=go
@@ -163,18 +170,24 @@ protolint: prep check-tools-external
 	@echo "==> Linting protobufs..."
 	@buf lint
 
-# prep runs `go generate` to build the dynamically generated
-# source files.
+# prep runs `go generate` to build the dynamically generated source files.
+# Since generated files are committed to git, this is usually not needed.
+# Set SKIP_GEN=1 to skip generation (for savvy users who know they don't need it).
 #
 # n.b.: prep used to depend on fmtcheck, but since fmtcheck is
 # now run as a pre-commit hook (and there's little value in
 # making every build run the formatter), we've removed that
 # dependency.
-prep: check-go-version clean
-	@echo "==> Running go generate..."
-	@GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES)
-	@GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES)
-	@GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES)
+prep: check-go-version
+	@if [ "$(SKIP_GEN)" = "1" ]; then \
+		echo "==> Skipping go generate (SKIP_GEN=1)"; \
+	else \
+		$(MAKE) clean; \
+		echo "==> Running go generate..."; \
+		GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES); \
+		(cd api && GOARCH= GOOS= $(GO_CMD) generate $(API_PACKAGES)); \
+		(cd sdk && GOARCH= GOOS= $(GO_CMD) generate $(SDK_PACKAGES)); \
+	fi
 
 # Git doesn't allow us to store shared hooks in .git. Instead, we make sure they're up-to-date
 # whenever a make target is invoked.
@@ -229,18 +242,18 @@ proto: check-tools-external
 	# No additional sed expressions should be added to this list. Going forward
 	# we should just use the variable names chosen by protobuf. These are left
 	# here for backwards compatibility, namely for SDK compilation.
-	$(SED) -i -e 's/Id/ID/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' vault/request_forwarding_service.pb.go
-	$(SED) -i -e 's/Idp/IDP/' -e 's/Url/URL/' -e 's/Id/ID/' -e 's/IDentity/Identity/' -e 's/EntityId/EntityID/' -e 's/Api/API/' -e 's/Qr/QR/' -e 's/Totp/TOTP/' -e 's/Mfa/MFA/' -e 's/Pingid/PingID/' -e 's/namespaceId/namespaceID/' -e 's/Ttl/TTL/' -e 's/BoundCidrs/BoundCIDRs/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' helper/identity/types.pb.go helper/identity/mfa/types.pb.go helper/storagepacker/types.pb.go sdk/plugin/pb/backend.pb.go sdk/logical/identity.pb.go vault/activity/activity_log.pb.go
+	$(SED_CMD) -e 's/Id/ID/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' vault/request_forwarding_service.pb.go
+	$(SED_CMD) -e 's/Idp/IDP/' -e 's/Url/URL/' -e 's/Id/ID/' -e 's/IDentity/Identity/' -e 's/EntityId/EntityID/' -e 's/Api/API/' -e 's/Qr/QR/' -e 's/Totp/TOTP/' -e 's/Mfa/MFA/' -e 's/Pingid/PingID/' -e 's/namespaceId/namespaceID/' -e 's/Ttl/TTL/' -e 's/BoundCidrs/BoundCIDRs/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' helper/identity/types.pb.go helper/identity/mfa/types.pb.go helper/storagepacker/types.pb.go sdk/plugin/pb/backend.pb.go sdk/logical/identity.pb.go vault/activity/activity_log.pb.go
 
 	# This will inject the sentinel struct tags as decorated in the proto files.
 	protoc-go-inject-tag -input=./helper/identity/types.pb.go
 	protoc-go-inject-tag -input=./helper/identity/mfa/types.pb.go
 
 importfmt: check-tools-external
-	find . -name '*.go' | grep -v pb.go | grep -v vendor | xargs gosimports -w
+	find . -name '*.go' -not -path './.git/*' | grep -v pb.go | grep -v vendor | xargs gosimports -w
 
 fmt: importfmt
-	find . -name '*.go' | grep -v pb.go | grep -v vendor | xargs gofumpt -w
+	find . -name '*.go' -not -path './.git/*' | grep -v pb.go | grep -v vendor | xargs gofumpt -w
 
 fmtcheck: check-go-fmt
 
diff --git a/README.md b/README.md
index 4879ad2f82..9097465150 100644
--- a/README.md
+++ b/README.md
@@ -201,7 +201,6 @@ func Test_Something_With_Docker(t *testing.T) {
     ImageTag:    "latest",
   }
   cluster := docker.NewTestDockerCluster(t, opts)
-  defer cluster.Cleanup()
   
   client := cluster.Nodes()[0].APIClient()
   _, err := client.Logical().Read("sys/storage/raft/configuration")
@@ -226,7 +225,6 @@ func Test_Something_With_Docker(t *testing.T) {
 	VaultLicense: licenseString, // not a path, the actual license bytes
   }
   cluster := docker.NewTestDockerCluster(t, opts)
-  defer cluster.Cleanup()
 }
 ```
 
@@ -245,7 +243,6 @@ build as a debugging convenience.
 func Test_Custom_Build_With_Docker(t *testing.T) {
   opts := docker.DefaultOptions(t)
   cluster := docker.NewTestDockerCluster(t, opts)
-  defer cluster.Cleanup()
 }
 ```
 
diff --git a/api/auth/approle/go.mod b/api/auth/approle/go.mod
index 1484888c65..3f4b94b315 100644
--- a/api/auth/approle/go.mod
+++ b/api/auth/approle/go.mod
@@ -1,12 +1,12 @@
 module github.com/hashicorp/vault/api/auth/approle
 
-go 1.24.0
+go 1.25.0
 
-require github.com/hashicorp/vault/api v1.22.0
+require github.com/hashicorp/vault/api v1.23.0
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -19,8 +19,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 )
diff --git a/api/auth/approle/go.sum b/api/auth/approle/go.sum
index 3996817e6b..83b23f0607 100644
--- a/api/auth/approle/go.sum
+++ b/api/auth/approle/go.sum
@@ -4,8 +4,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -29,8 +29,8 @@ github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -45,14 +45,12 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/api/auth/aws/go.mod b/api/auth/aws/go.mod
index 93f4d23f1d..9b8d7c1859 100644
--- a/api/auth/aws/go.mod
+++ b/api/auth/aws/go.mod
@@ -1,19 +1,19 @@
 module github.com/hashicorp/vault/api/auth/aws
 
-go 1.24.0
+go 1.25.0
 
 require (
 	github.com/aws/aws-sdk-go v1.55.7
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0
 	github.com/hashicorp/go-uuid v1.0.2
-	github.com/hashicorp/vault/api v1.22.0
+	github.com/hashicorp/vault/api v1.23.0
 )
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/fatih/color v1.18.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -30,9 +30,8 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 )
diff --git a/api/auth/aws/go.sum b/api/auth/aws/go.sum
index 2e67611a09..d4e7b82a5b 100644
--- a/api/auth/aws/go.sum
+++ b/api/auth/aws/go.sum
@@ -10,8 +10,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
@@ -41,8 +41,8 @@ github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2I
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
@@ -83,11 +83,9 @@ github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -95,11 +93,11 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/api/auth/azure/go.mod b/api/auth/azure/go.mod
index 0d07699088..c51339608b 100644
--- a/api/auth/azure/go.mod
+++ b/api/auth/azure/go.mod
@@ -1,12 +1,12 @@
 module github.com/hashicorp/vault/api/auth/azure
 
-go 1.24.0
+go 1.25.0
 
-require github.com/hashicorp/vault/api v1.22.0
+require github.com/hashicorp/vault/api v1.23.0
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -19,8 +19,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 )
diff --git a/api/auth/azure/go.sum b/api/auth/azure/go.sum
index 3996817e6b..83b23f0607 100644
--- a/api/auth/azure/go.sum
+++ b/api/auth/azure/go.sum
@@ -4,8 +4,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -29,8 +29,8 @@ github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -45,14 +45,12 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/api/auth/cert/go.mod b/api/auth/cert/go.mod
index 757b3d443a..1807553079 100644
--- a/api/auth/cert/go.mod
+++ b/api/auth/cert/go.mod
@@ -1,15 +1,15 @@
 module github.com/hashicorp/vault/api/auth/cert
 
-go 1.24.0
+go 1.25.0
 
 require (
 	github.com/hashicorp/go-rootcerts v1.0.2
-	github.com/hashicorp/vault/api v1.22.0
+	github.com/hashicorp/vault/api v1.23.0
 )
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -21,8 +21,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 )
diff --git a/api/auth/cert/go.sum b/api/auth/cert/go.sum
index 3996817e6b..83b23f0607 100644
--- a/api/auth/cert/go.sum
+++ b/api/auth/cert/go.sum
@@ -4,8 +4,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -29,8 +29,8 @@ github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -45,14 +45,12 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/api/auth/gcp/go.mod b/api/auth/gcp/go.mod
index c2719aee6c..4ed23b9ccf 100644
--- a/api/auth/gcp/go.mod
+++ b/api/auth/gcp/go.mod
@@ -1,11 +1,11 @@
 module github.com/hashicorp/vault/api/auth/gcp
 
-go 1.24.0
+go 1.25.0
 
 require (
-	cloud.google.com/go/compute/metadata v0.7.0
+	cloud.google.com/go/compute/metadata v0.9.0
 	cloud.google.com/go/iam v1.5.2
-	github.com/hashicorp/vault/api v1.22.0
+	github.com/hashicorp/vault/api v1.23.0
 	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2
 )
 
@@ -13,9 +13,10 @@ require (
 	cloud.google.com/go/auth v0.16.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
@@ -32,22 +33,24 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	golang.org/x/crypto v0.50.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/api v0.242.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/grpc v1.79.3 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 )
diff --git a/api/auth/gcp/go.sum b/api/auth/gcp/go.sum
index 03972a911a..5252bceefd 100644
--- a/api/auth/gcp/go.sum
+++ b/api/auth/gcp/go.sum
@@ -2,23 +2,32 @@ cloud.google.com/go/auth v0.16.2 h1:QvBAGFPLrDeoiNjyfVunhQ10HKNYuOwZ5noee0M5df4=
 cloud.google.com/go/auth v0.16.2/go.mod h1:sRBas2Y1fB1vZTdurouM0AzuYQBMZinrUYL8EufhtEA=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
-cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
-cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
 cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
+github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
+github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
+github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
@@ -56,8 +65,8 @@ github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -66,53 +75,57 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
-go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
-go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/api v0.242.0 h1:7Lnb1nfnpvbkCiZek6IXKdJ0MFuAZNAJKQfA1ws62xg=
 google.golang.org/api v0.242.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
 google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
 google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 h1:vPV0tzlsK6EzEDHNNH5sa7Hs9bd7iXR7B1tSiPepkV0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:pKLAc5OolXC3ViWGI62vvC0n10CpwAtRcTNCFwTKBEw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/api/auth/kubernetes/go.mod b/api/auth/kubernetes/go.mod
index ef5bb8ec70..a59f7fe20c 100644
--- a/api/auth/kubernetes/go.mod
+++ b/api/auth/kubernetes/go.mod
@@ -1,12 +1,12 @@
 module github.com/hashicorp/vault/api/auth/kubernetes
 
-go 1.24.0
+go 1.25.0
 
-require github.com/hashicorp/vault/api v1.22.0
+require github.com/hashicorp/vault/api v1.23.0
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -19,8 +19,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 )
diff --git a/api/auth/kubernetes/go.sum b/api/auth/kubernetes/go.sum
index 3996817e6b..83b23f0607 100644
--- a/api/auth/kubernetes/go.sum
+++ b/api/auth/kubernetes/go.sum
@@ -4,8 +4,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -29,8 +29,8 @@ github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -45,14 +45,12 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/api/auth/ldap/go.mod b/api/auth/ldap/go.mod
index 4126b79a1c..cee2e86e08 100644
--- a/api/auth/ldap/go.mod
+++ b/api/auth/ldap/go.mod
@@ -1,12 +1,12 @@
 module github.com/hashicorp/vault/api/auth/ldap
 
-go 1.24.0
+go 1.25.0
 
-require github.com/hashicorp/vault/api v1.22.0
+require github.com/hashicorp/vault/api v1.23.0
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -19,8 +19,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 )
diff --git a/api/auth/ldap/go.sum b/api/auth/ldap/go.sum
index 3996817e6b..83b23f0607 100644
--- a/api/auth/ldap/go.sum
+++ b/api/auth/ldap/go.sum
@@ -4,8 +4,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -29,8 +29,8 @@ github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -45,14 +45,12 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/api/auth/userpass/go.mod b/api/auth/userpass/go.mod
index 37307d0ed3..93beb1a5b7 100644
--- a/api/auth/userpass/go.mod
+++ b/api/auth/userpass/go.mod
@@ -1,12 +1,12 @@
 module github.com/hashicorp/vault/api/auth/userpass
 
-go 1.24.0
+go 1.25.0
 
-require github.com/hashicorp/vault/api v1.22.0
+require github.com/hashicorp/vault/api v1.23.0
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -19,8 +19,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 )
diff --git a/api/auth/userpass/go.sum b/api/auth/userpass/go.sum
index 3996817e6b..83b23f0607 100644
--- a/api/auth/userpass/go.sum
+++ b/api/auth/userpass/go.sum
@@ -4,8 +4,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -29,8 +29,8 @@ github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
-github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/hashicorp/vault/api v1.23.0 h1:gXgluBsSECfRWTSW9niY2jwg2e9mMJc4WoHNv4g3h6A=
+github.com/hashicorp/vault/api v1.23.0/go.mod h1:zransKiB9ftp+kgY8ydjnvCU7Wk8i9L0DYWpXeMj9ko=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -45,14 +45,12 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/api/go.mod b/api/go.mod
index 8f2123c468..1095e3c3d0 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -5,11 +5,11 @@ module github.com/hashicorp/vault/api
 // automatically track the Go version used to build Vault itself.  Many projects import
 // the api module and we don't want to impose a newer version on them any more than we
 // have to.
-go 1.24.0
+go 1.25.0
 
 require (
 	github.com/cenkalti/backoff/v4 v4.3.0
-	github.com/go-jose/go-jose/v4 v4.1.1
+	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/go-test/deep v1.1.1
 	github.com/hashicorp/errwrap v1.1.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
@@ -24,7 +24,7 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/natefinch/atomic v1.0.1
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/net v0.47.0
+	golang.org/x/net v0.55.0
 	golang.org/x/time v0.12.0
 )
 
@@ -36,8 +36,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/api/go.sum b/api/go.sum
index 5f7315ad93..bce5834875 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -6,8 +6,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
-github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -53,20 +53,18 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
diff --git a/api/logical.go b/api/logical.go
index 4f1d7e7789..ebcb9ea941 100644
--- a/api/logical.go
+++ b/api/logical.go
@@ -393,6 +393,15 @@ func (c *Logical) DeleteWithContext(ctx context.Context, path string) (*Secret,
 	return c.DeleteWithDataWithContext(ctx, path, nil)
 }
 
+func (c *Logical) DeleteRaw(path string) (*Response, error) {
+	return c.DeleteRawWithContext(context.Background(), path)
+}
+
+func (c *Logical) DeleteRawWithContext(ctx context.Context, path string) (*Response, error) {
+	r := c.c.NewRequest(http.MethodDelete, "/v1/"+path)
+	return c.c.RawRequestWithContext(ctx, r)
+}
+
 func (c *Logical) DeleteWithData(path string, data map[string][]string) (*Secret, error) {
 	return c.DeleteWithDataWithContext(context.Background(), path, data)
 }
diff --git a/api/sudo_paths.go b/api/sudo_paths.go
index 5aa7239fad..7c7138000c 100644
--- a/api/sudo_paths.go
+++ b/api/sudo_paths.go
@@ -22,6 +22,7 @@ var sudoPaths = map[string]*regexp.Regexp{
 	"/sys/audit/{path}":                             regexp.MustCompile(`^/sys/audit/.+$`),
 	"/sys/auth/{path}":                              regexp.MustCompile(`^/sys/auth/.+$`),
 	"/sys/auth/{path}/tune":                         regexp.MustCompile(`^/sys/auth/.+/tune$`),
+	"/sys/mounts/auth/{path}/tune":                  regexp.MustCompile(`^/sys/mounts/auth/.+/tune$`),
 	"/sys/config/auditing/request-headers":          regexp.MustCompile(`^/sys/config/auditing/request-headers$`),
 	"/sys/config/auditing/request-headers/{header}": regexp.MustCompile(`^/sys/config/auditing/request-headers/.+$`),
 	"/sys/config/cors":                              regexp.MustCompile(`^/sys/config/cors$`),
@@ -48,6 +49,7 @@ var sudoPaths = map[string]*regexp.Regexp{
 	"/sys/rotate":                                 regexp.MustCompile(`^/sys/rotate$`),
 	"/sys/seal":                                   regexp.MustCompile(`^/sys/seal$`),
 	"/sys/step-down":                              regexp.MustCompile(`^/sys/step-down$`),
+	"/identity/entity/merge":                      regexp.MustCompile(`^/identity/entity/merge/?$`),
 
 	// enterprise-only paths
 	"/sys/replication/dr/primary/secondary-token":          regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`),
@@ -57,6 +59,14 @@ var sudoPaths = map[string]*regexp.Regexp{
 	"/sys/storage/raft/snapshot-auto/config":               regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/?$`),
 	"/sys/storage/raft/snapshot-auto/config/{name}":        regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/[^/]+$`),
 	"/sys/reporting/scan":                                  regexp.MustCompile(`^/sys/reporting/scan$`),
+
+	// activation-flags paths requiring sudo
+	"/sys/activation-flags/oauth-resource-server/activate":   regexp.MustCompile(`^/sys/activation-flags/oauth-resource-server/activate$`),
+	"/sys/activation-flags/oauth-resource-server/deactivate": regexp.MustCompile(`^/sys/activation-flags/oauth-resource-server/deactivate$`),
+
+	// OAuth resource server profile paths requiring sudo
+	"/sys/config/oauth-resource-server/{name}": regexp.MustCompile(`^/sys/config/oauth-resource-server/[^/]+$`),
+	"/sys/config/oauth-resource-server":        regexp.MustCompile(`^/sys/config/oauth-resource-server$`),
 }
 
 func SudoPaths() map[string]*regexp.Regexp {
diff --git a/api/sys_billing.go b/api/sys_billing.go
index e7c137cc80..57473d7135 100644
--- a/api/sys_billing.go
+++ b/api/sys_billing.go
@@ -68,3 +68,71 @@ type UsageMetric struct {
 	MetricName string                 `json:"metric_name" mapstructure:"metric_name"`
 	MetricData map[string]interface{} `json:"metric_data" mapstructure:"metric_data"`
 }
+
+// GetBillingConfig returns the current billing retention configuration.
+func (c *Sys) GetBillingConfig() (*BillingConfigResponse, error) {
+	return c.GetBillingConfigWithContext(context.Background())
+}
+
+// GetBillingConfigWithContext returns the current billing retention configuration.
+func (c *Sys) GetBillingConfigWithContext(ctx context.Context) (*BillingConfigResponse, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, "/v1/sys/billing/config")
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	var result BillingConfigResponse
+	err = mapstructure.Decode(secret.Data, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, nil
+}
+
+// SetBillingConfig sets the billing retention configuration.
+func (c *Sys) SetBillingConfig(retentionMonths int) error {
+	return c.SetBillingConfigWithContext(context.Background(), retentionMonths)
+}
+
+// SetBillingConfigWithContext sets the billing retention configuration.
+func (c *Sys) SetBillingConfigWithContext(ctx context.Context, retentionMonths int) error {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	body := map[string]interface{}{
+		"retention_months": retentionMonths,
+	}
+
+	r := c.c.NewRequest(http.MethodPost, "/v1/sys/billing/config")
+	if err := r.SetJSONBody(body); err != nil {
+		return err
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	return nil
+}
+
+// BillingConfigResponse represents the response from the billing config endpoint.
+type BillingConfigResponse struct {
+	RetentionMonths int `json:"retention_months" mapstructure:"retention_months"`
+}
diff --git a/api/sys_billing_test.go b/api/sys_billing_test.go
index e84f6be994..660769e898 100644
--- a/api/sys_billing_test.go
+++ b/api/sys_billing_test.go
@@ -33,32 +33,46 @@ func TestSys_BillingOverview(t *testing.T) {
 	currentMonth := resp.Months[0]
 	require.Equal(t, "2026-01", currentMonth.Month)
 	require.Equal(t, "2026-01-14T10:49:00Z", currentMonth.UpdatedAt)
-	require.Len(t, currentMonth.UsageMetrics, 4)
+	require.Len(t, currentMonth.UsageMetrics, 9, "should have all 9 metrics")
 
-	// Verify static_secrets metric
-	staticSecretsMetric := currentMonth.UsageMetrics[0]
-	require.Equal(t, "static_secrets", staticSecretsMetric.MetricName)
-	require.NotNil(t, staticSecretsMetric.MetricData)
+	// Create a map to verify all expected metrics are present
+	metricsMap := make(map[string]UsageMetric)
+	for _, metric := range currentMonth.UsageMetrics {
+		metricsMap[metric.MetricName] = metric
+	}
+
+	// Verify all expected metrics are present
+	expectedMetrics := []string{
+		"static_secrets",
+		"dynamic_roles",
+		"auto_rotated_roles",
+		"kmip",
+		"external_plugins",
+		"data_protection_calls",
+		"pki_units",
+		"managed_keys",
+		"ssh_units",
+	}
+
+	for _, metricName := range expectedMetrics {
+		metric, exists := metricsMap[metricName]
+		require.True(t, exists, "metric %s should be present", metricName)
+		require.NotNil(t, metric.MetricData, "metric_data should not be nil for %s", metricName)
+	}
+
+	// Verify specific metric structures
+	staticSecretsMetric := metricsMap["static_secrets"]
 	require.Contains(t, staticSecretsMetric.MetricData, "total")
 	require.Contains(t, staticSecretsMetric.MetricData, "metric_details")
 
-	// Verify kmip metric
-	kmipMetric := currentMonth.UsageMetrics[1]
-	require.Equal(t, "kmip", kmipMetric.MetricName)
-	require.NotNil(t, kmipMetric.MetricData)
+	kmipMetric := metricsMap["kmip"]
 	require.Contains(t, kmipMetric.MetricData, "used_in_month")
 	require.Equal(t, true, kmipMetric.MetricData["used_in_month"])
 
-	// Verify pki_units metric
-	pkiMetric := currentMonth.UsageMetrics[2]
-	require.Equal(t, "pki_units", pkiMetric.MetricName)
-	require.NotNil(t, pkiMetric.MetricData)
+	pkiMetric := metricsMap["pki_units"]
 	require.Contains(t, pkiMetric.MetricData, "total")
 
-	// Verify managed_keys metric
-	managedKeysMetric := currentMonth.UsageMetrics[3]
-	require.Equal(t, "managed_keys", managedKeysMetric.MetricName)
-	require.NotNil(t, managedKeysMetric.MetricData)
+	managedKeysMetric := metricsMap["managed_keys"]
 	require.Contains(t, managedKeysMetric.MetricData, "total")
 	require.Contains(t, managedKeysMetric.MetricData, "metric_details")
 
@@ -73,6 +87,10 @@ func TestSys_BillingOverview(t *testing.T) {
 	require.Equal(t, "external_plugins", externalPluginsMetric.MetricName)
 	require.NotNil(t, externalPluginsMetric.MetricData)
 	require.Contains(t, externalPluginsMetric.MetricData, "total")
+
+	sshMetric := metricsMap["ssh_units"]
+	require.Contains(t, sshMetric.MetricData, "total")
+	require.Contains(t, sshMetric.MetricData, "metric_details")
 }
 
 func mockVaultBillingHandler(w http.ResponseWriter, _ *http.Request) {
@@ -102,12 +120,78 @@ const billingOverviewResponse = `{
               ]
             }
           },
+          {
+            "metric_name": "dynamic_roles",
+            "metric_data": {
+              "total": 15,
+              "metric_details": [
+                {
+                  "type": "aws_dynamic",
+                  "count": 5
+                },
+                {
+                  "type": "azure_dynamic",
+                  "count": 5
+                },
+                {
+                  "type": "database_dynamic",
+                  "count": 5
+                }
+              ]
+            }
+          },
+          {
+            "metric_name": "auto_rotated_roles",
+            "metric_data": {
+              "total": 15,
+              "metric_details": [
+                {
+                  "type": "aws_static",
+                  "count": 5
+                },
+                {
+                  "type": "azure_static",
+                  "count": 5
+                },
+                {
+                  "type": "os_local_account_static",
+                  "count": 5
+                }
+              ]
+            }
+          },
           {
             "metric_name": "kmip",
             "metric_data": {
               "used_in_month": true
             }
           },
+          {
+            "metric_name": "external_plugins",
+            "metric_data": {
+              "total": 3
+            }
+          },
+          {
+            "metric_name": "data_protection_calls",
+            "metric_data": {
+              "total": 100,
+              "metric_details": [
+                {
+                  "type": "transit",
+                  "count": 50
+                },
+                {
+                  "type": "transform",
+                  "count": 50
+                },
+                {
+                  "type": "gcpkms",
+                  "count": 50
+                }
+              ]
+            }
+          },
           {
             "metric_name": "pki_units",
             "metric_data": {
@@ -123,12 +207,28 @@ const billingOverviewResponse = `{
                   "type": "totp",
                   "count": 5
                 },
-				{
-				  "type": "kmse",
-				  "count": 5
-				}
+                {
+                  "type": "kmse",
+                  "count": 5
+                }
               ]
             }
+          },
+          {
+            "metric_name": "ssh_units",
+            "metric_data": {
+              "total": 8.4,
+              "metric_details": [
+                {
+                  "type": "otp_units",
+                  "count": 5
+                },
+				{
+				  "type": "certificate_units",
+				  "count": 3.4
+				}
+			  ]
+            }
           }
         ]
       },
@@ -150,3 +250,46 @@ const billingOverviewResponse = `{
   "warnings": null,
   "auth": null
 }`
+
+// TestSys_BillingConfig tests the GetBillingConfig and SetBillingConfig API client methods
+func TestSys_BillingConfig(t *testing.T) {
+	mockVaultServer := httptest.NewServer(http.HandlerFunc(mockVaultBillingConfigHandler))
+	defer mockVaultServer.Close()
+
+	// Create API client pointing to mock server
+	cfg := DefaultConfig()
+	cfg.Address = mockVaultServer.URL
+	client, err := NewClient(cfg)
+	require.NoError(t, err)
+
+	// Test GetBillingConfig
+	resp, err := client.Sys().GetBillingConfig()
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, 37, resp.RetentionMonths)
+
+	// Test SetBillingConfig
+	err = client.Sys().SetBillingConfig(48)
+	require.NoError(t, err)
+}
+
+func mockVaultBillingConfigHandler(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		_, _ = w.Write([]byte(billingConfigResponse))
+	} else if r.Method == http.MethodPost {
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
+
+const billingConfigResponse = `{
+  "request_id": "a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "retention_months": 37
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}`
diff --git a/api/sys_seal.go b/api/sys_seal.go
index 07d236b77e..75b9ebd314 100644
--- a/api/sys_seal.go
+++ b/api/sys_seal.go
@@ -96,25 +96,26 @@ func sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*Sea
 }
 
 type SealStatusResponse struct {
-	Type               string   `json:"type"`
-	Initialized        bool     `json:"initialized"`
-	Sealed             bool     `json:"sealed"`
-	T                  int      `json:"t"`
-	N                  int      `json:"n"`
-	Progress           int      `json:"progress"`
-	Nonce              string   `json:"nonce"`
-	Version            string   `json:"version"`
-	BuildDate          string   `json:"build_date"`
-	Migration          bool     `json:"migration"`
-	ClusterName        string   `json:"cluster_name,omitempty"`
-	ClusterID          string   `json:"cluster_id,omitempty"`
-	RecoverySeal       bool     `json:"recovery_seal"`
-	RecoverySealType   string   `json:"recovery_seal_type,omitempty"`
-	StorageType        string   `json:"storage_type,omitempty"`
-	HCPLinkStatus      string   `json:"hcp_link_status,omitempty"`
-	HCPLinkResourceID  string   `json:"hcp_link_resource_ID,omitempty"`
-	RemovedFromCluster *bool    `json:"removed_from_cluster,omitempty"`
-	Warnings           []string `json:"warnings,omitempty"`
+	Type                 string   `json:"type"`
+	Initialized          bool     `json:"initialized"`
+	Sealed               bool     `json:"sealed"`
+	T                    int      `json:"t"`
+	N                    int      `json:"n"`
+	Progress             int      `json:"progress"`
+	Nonce                string   `json:"nonce"`
+	Version              string   `json:"version"`
+	BuildDate            string   `json:"build_date"`
+	Migration            bool     `json:"migration"`
+	ClusterName          string   `json:"cluster_name,omitempty"`
+	ClusterID            string   `json:"cluster_id,omitempty"`
+	RecoverySeal         bool     `json:"recovery_seal"`
+	RecoverySealType     string   `json:"recovery_seal_type,omitempty"`
+	StorageType          string   `json:"storage_type,omitempty"`
+	HCPLinkStatus        string   `json:"hcp_link_status,omitempty"`
+	HCPLinkResourceID    string   `json:"hcp_link_resource_ID,omitempty"`
+	RemovedFromCluster   *bool    `json:"removed_from_cluster,omitempty"`
+	Warnings             []string `json:"warnings,omitempty"`
+	MigrationDoneAtEpoch int64    `json:"migration_done_at_epoch,omitempty"`
 }
 
 type UnsealOpts struct {
diff --git a/audit/entry_formatter.go b/audit/entry_formatter.go
index 90b33221c6..56611544ac 100644
--- a/audit/entry_formatter.go
+++ b/audit/entry_formatter.go
@@ -5,6 +5,7 @@ package audit
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"maps"
@@ -253,6 +254,50 @@ func clone[V any](s V) (V, error) {
 	return s2.(V), err
 }
 
+// mergeEnterpriseTokenMetadata injects enterprise token fields from a logical.Request
+// into the audit auth's Metadata map.
+func mergeEnterpriseTokenMetadata(a *auth, req *logical.Request) error {
+	if a == nil || req == nil {
+		return nil
+	}
+
+	if req.EnterpriseTokenMetadata == "" &&
+		req.EnterpriseTokenIssuer == "" &&
+		req.EnterpriseTokenTransaction == "" &&
+		len(req.EnterpriseTokenAudience) == 0 &&
+		len(req.EnterpriseTokenAuthorizationDetails) == 0 {
+		return nil
+	}
+
+	if a.Metadata == nil {
+		a.Metadata = make(map[string]string)
+	}
+	if req.EnterpriseTokenMetadata != "" {
+		a.Metadata["enterprise_token_metadata"] = req.EnterpriseTokenMetadata
+	}
+	if req.EnterpriseTokenIssuer != "" {
+		a.Metadata["enterprise_token_issuer"] = req.EnterpriseTokenIssuer
+	}
+	if req.EnterpriseTokenTransaction != "" {
+		a.Metadata["enterprise_token_transaction"] = req.EnterpriseTokenTransaction
+	}
+	if len(req.EnterpriseTokenAudience) > 0 {
+		audJSON, err := json.Marshal(req.EnterpriseTokenAudience)
+		if err != nil {
+			return fmt.Errorf("unable to marshal enterprise token audience for audit: %w", err)
+		}
+		a.Metadata["enterprise_token_audience"] = string(audJSON)
+	}
+	if len(req.EnterpriseTokenAuthorizationDetails) > 0 {
+		authzJSON, err := json.Marshal(req.EnterpriseTokenAuthorizationDetails)
+		if err != nil {
+			return fmt.Errorf("unable to marshal enterprise token authorization details for audit: %w", err)
+		}
+		a.Metadata["enterprise_token_authorization_details"] = string(authzJSON)
+	}
+	return nil
+}
+
 // newAuth takes a logical.Auth and the number of remaining client token uses
 // (which should be supplied from the logical.Request's client token), and creates
 // an audit auth.
@@ -281,6 +326,18 @@ func newAuth(input *logical.Auth, tokenRemainingUses int) (*auth, error) {
 		return nil, fmt.Errorf("unable to clone logical auth: metadata: %w", err)
 	}
 
+	if input.ActorEntityID != "" || input.ActorEntityName != "" {
+		if metadata == nil {
+			metadata = make(map[string]string)
+		}
+		if input.ActorEntityID != "" {
+			metadata["actor_entity_id"] = input.ActorEntityID
+		}
+		if input.ActorEntityName != "" {
+			metadata["actor_entity_name"] = input.ActorEntityName
+		}
+	}
+
 	policies, err := clone(input.Policies)
 	if err != nil {
 		return nil, fmt.Errorf("unable to clone logical auth: policies: %w", err)
@@ -535,6 +592,10 @@ func (f *entryFormatter) createEntry(ctx context.Context, a *Event) (*entry, err
 		return nil, fmt.Errorf("cannot convert auth: %w", err)
 	}
 
+	if err := mergeEnterpriseTokenMetadata(auth, data.Request); err != nil {
+		return nil, err
+	}
+
 	req, err := newRequest(data.Request, ns)
 	if err != nil {
 		return nil, fmt.Errorf("cannot convert request: %w", err)
@@ -548,6 +609,12 @@ func (f *entryFormatter) createEntry(ctx context.Context, a *Event) (*entry, err
 			return nil, fmt.Errorf("cannot convert response: %w", err)
 		}
 
+		if resp != nil && resp.Auth != nil {
+			if err := mergeEnterpriseTokenMetadata(resp.Auth, data.Request); err != nil {
+				return nil, err
+			}
+		}
+
 		// If the plugin's response contained any additional audit request fields,
 		// lets populate them on our original request.
 		if data.Response != nil && data.Response.SupplementalAuditRequestData != nil {
diff --git a/audit/entry_formatter_test.go b/audit/entry_formatter_test.go
index 73f63a67ed..f1832daff8 100644
--- a/audit/entry_formatter_test.go
+++ b/audit/entry_formatter_test.go
@@ -26,8 +26,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-const testFormatJSONReqBasicStrFmt = `
-{
+const testFormatJSONReqBasicStrFmt = `{
   "time": "2015-08-05T13:45:46Z",
   "type": "request",
   "auth": {
@@ -60,6 +59,43 @@ const testFormatJSONReqBasicStrFmt = `
 }
 `
 
+const testFormatJSONEnterpriseTokenStrFmt = `{
+  "time": "2015-08-05T13:45:46Z",
+  "type": "request",
+  "auth": {
+    "client_token": "%s",
+    "accessor": "bar",
+    "display_name": "testtoken",
+    "policies": [
+      "root"
+    ],
+    "no_default_policy": true,
+    "metadata": {
+      "actor_entity_id": "actor-entity-789",
+      "actor_entity_name": "actor-service",
+      "enterprise_token_metadata": "test-token-123"
+    },
+    "entity_id": "foobarentity",
+    "token_type": "service",
+    "token_ttl": 14400,
+    "token_issue_time": "2020-05-28T13:40:18-05:00"
+  },
+  "request": {
+    "operation": "update",
+    "path": "/foo",
+    "data": null,
+    "wrap_ttl": 60,
+    "remote_address": "127.0.0.1",
+    "headers": {
+      "foo": [
+        "bar"
+      ]
+    }
+  },
+  "error": "this is an error"
+}
+`
+
 // testHeaderFormatter is a stub to prevent the need to import the vault package
 // to bring in vault.HeadersConfig for testing.
 type testHeaderFormatter struct {
@@ -495,6 +531,461 @@ func BenchmarkAuditFileSink_Process(b *testing.B) {
 	})
 }
 
+// TestEntryFormatter_ActorAuth ensures that actor entity fields and EnterpriseToken*
+// fields are correctly mapped into auth metadata from logical.Auth and logical.Request.
+func TestEntryFormatter_ActorAuth(t *testing.T) {
+	t.Parallel()
+
+	authTests := map[string]struct {
+		Input                   *logical.Auth
+		ExpectedActorEntityID   string
+		ExpectedActorEntityName string
+	}{
+		"actor-fields-present": {
+			Input: &logical.Auth{
+				EntityID:        "subject-123",
+				DisplayName:     "subject-user",
+				ActorEntityID:   "actor-456",
+				ActorEntityName: "actor-service",
+				TokenType:       logical.TokenTypeDefault,
+			},
+			ExpectedActorEntityID:   "actor-456",
+			ExpectedActorEntityName: "actor-service",
+		},
+		"actor-fields-absent": {
+			Input: &logical.Auth{
+				EntityID:    "subject-123",
+				DisplayName: "subject-user",
+				TokenType:   logical.TokenTypeDefault,
+			},
+		},
+	}
+
+	for name, tc := range authTests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			result, err := newAuth(tc.Input, 0)
+			require.NoError(t, err)
+			require.NotNil(t, result)
+			if tc.ExpectedActorEntityID != "" {
+				got, ok := result.Metadata["actor_entity_id"]
+				require.True(t, ok, "actor_entity_id should be present in auth metadata")
+				require.Equal(t, tc.ExpectedActorEntityID, got)
+			} else {
+				_, ok := result.Metadata["actor_entity_id"]
+				require.False(t, ok, "actor_entity_id should be absent in auth metadata")
+			}
+			if tc.ExpectedActorEntityName != "" {
+				got, ok := result.Metadata["actor_entity_name"]
+				require.True(t, ok, "actor_entity_name should be present in auth metadata")
+				require.Equal(t, tc.ExpectedActorEntityName, got)
+			} else {
+				_, ok := result.Metadata["actor_entity_name"]
+				require.False(t, ok, "actor_entity_name should be absent in auth metadata")
+			}
+		})
+	}
+}
+
+// TestMergeEnterpriseTokenMetadata verifies enterprise token claims are copied into auth metadata.
+func TestMergeEnterpriseTokenMetadata(t *testing.T) {
+	t.Parallel()
+
+	requestTests := map[string]struct {
+		Input               *logical.Request
+		ExpectedMetadata    string
+		ExpectedIssuer      string
+		ExpectedTransaction string
+	}{
+		"metadata-present": {
+			Input:            &logical.Request{ID: "req-1", EnterpriseTokenMetadata: "token-abc"},
+			ExpectedMetadata: "token-abc",
+		},
+		"metadata-absent": {
+			Input:            &logical.Request{ID: "req-2"},
+			ExpectedMetadata: "",
+		},
+		"issuer-present": {
+			Input: &logical.Request{
+				ID:                      "req-3",
+				EnterpriseTokenMetadata: "token-xyz",
+				EnterpriseTokenIssuer:   "https://issuer.example.com",
+			},
+			ExpectedMetadata: "token-xyz",
+			ExpectedIssuer:   "https://issuer.example.com",
+		},
+		"transaction-present": {
+			Input: &logical.Request{
+				ID:                         "req-4",
+				EnterpriseTokenMetadata:    "token-txn",
+				EnterpriseTokenTransaction: "txn-123",
+			},
+			ExpectedMetadata:    "token-txn",
+			ExpectedTransaction: "txn-123",
+		},
+	}
+
+	for name, tc := range requestTests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			a := &auth{}
+			err := mergeEnterpriseTokenMetadata(a, tc.Input)
+			require.NoError(t, err)
+			if tc.ExpectedMetadata == "" && tc.ExpectedIssuer == "" && tc.ExpectedTransaction == "" {
+				require.Nil(t, a.Metadata)
+			}
+
+			assertMetadataField := func(key, want string) {
+				t.Helper()
+				got, ok := a.Metadata[key]
+				if want == "" {
+					require.False(t, ok, "%s should be absent in auth metadata", key)
+					return
+				}
+				require.True(t, ok, "%s should be present in auth metadata", key)
+				require.Equal(t, want, got)
+			}
+
+			assertMetadataField("enterprise_token_metadata", tc.ExpectedMetadata)
+			assertMetadataField("enterprise_token_issuer", tc.ExpectedIssuer)
+			assertMetadataField("enterprise_token_transaction", tc.ExpectedTransaction)
+		})
+	}
+}
+
+// TestEntryFormatter_Process_JSON_EnterpriseToken verifies that enterprise token fields
+// (actor_entity_id, actor_entity_name, enterprise_token_metadata, enterprise_token_issuer,
+// enterprise_token_transaction,
+// enterprise_token_audience, enterprise_token_authorization_details) are correctly
+// serialized into auth.metadata in the JSON audit output, and absent when not set.
+func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
+	t.Parallel()
+
+	staticSalt := newStaticSalt(t)
+
+	authzDetails := []logical.AuthorizationDetail{
+		{"type": "payment_initiation", "currency": "USD"},
+	}
+
+	cases := map[string]struct {
+		Auth                     *logical.Auth
+		Req                      *logical.Request
+		WantActorEntityID        string
+		WantActorEntityName      string
+		WantMetadata             string
+		WantIssuer               string
+		WantTransaction          string
+		WantAudience             string
+		WantAuthorizationDetails string
+	}{
+		"enterprise-token-with-actor-and-authorization-details": {
+			Auth: &logical.Auth{
+				ClientToken:     "foo",
+				Accessor:        "bar",
+				DisplayName:     "testtoken",
+				EntityID:        "subject-entity-123",
+				ActorEntityID:   "actor-entity-456",
+				ActorEntityName: "actor-service",
+				Policies:        []string{"default"},
+				TokenType:       logical.TokenTypeDefault,
+			},
+			Req: &logical.Request{
+				Operation:                           logical.ReadOperation,
+				Path:                                "/cubbyhole/test",
+				EnterpriseTokenMetadata:             "test-token-abc",
+				EnterpriseTokenIssuer:               "https://issuer.example.com",
+				EnterpriseTokenTransaction:          "txn-actor-1",
+				EnterpriseTokenAudience:             []string{"vault"},
+				EnterpriseTokenAuthorizationDetails: authzDetails,
+				Connection: &logical.Connection{
+					RemoteAddr: "127.0.0.1",
+				},
+			},
+			WantActorEntityID:        "actor-entity-456",
+			WantActorEntityName:      "actor-service",
+			WantMetadata:             "test-token-abc",
+			WantIssuer:               "https://issuer.example.com",
+			WantTransaction:          "txn-actor-1",
+			WantAudience:             `["vault"]`,
+			WantAuthorizationDetails: `[{"currency":"USD","type":"payment_initiation"}]`,
+		},
+		"enterprise-token-base-fields-only": {
+			Auth: &logical.Auth{
+				ClientToken: "foo",
+				Accessor:    "bar",
+				DisplayName: "testtoken",
+				EntityID:    "subject-entity-123",
+				Policies:    []string{"default"},
+				TokenType:   logical.TokenTypeDefault,
+			},
+			Req: &logical.Request{
+				Operation:                  logical.ReadOperation,
+				Path:                       "/cubbyhole/test",
+				EnterpriseTokenMetadata:    "test-token-xyz",
+				EnterpriseTokenIssuer:      "https://issuer.example.com",
+				EnterpriseTokenTransaction: "txn-base-1",
+				EnterpriseTokenAudience:    []string{"vault"},
+				Connection: &logical.Connection{
+					RemoteAddr: "127.0.0.1",
+				},
+			},
+			WantMetadata:    "test-token-xyz",
+			WantIssuer:      "https://issuer.example.com",
+			WantTransaction: "txn-base-1",
+			WantAudience:    `["vault"]`,
+		},
+	}
+
+	for name, tc := range cases {
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			cfg, err := newFormatterConfig(&testHeaderFormatter{}, map[string]string{
+				"hmac_accessor": "false",
+			})
+			require.NoError(t, err)
+			formatter, err := newEntryFormatter("test", cfg, staticSalt, hclog.NewNullLogger())
+			require.NoError(t, err)
+
+			in := &logical.LogInput{
+				Auth:    tc.Auth,
+				Request: tc.Req,
+			}
+
+			auditEvent, err := newEvent(RequestType)
+			require.NoError(t, err)
+			auditEvent.Data = in
+
+			e := &eventlogger.Event{
+				Type:      event.AuditType.AsEventType(),
+				CreatedAt: time.Now(),
+				Formatted: make(map[string][]byte),
+				Payload:   auditEvent,
+			}
+
+			e2, err := formatter.Process(nshelper.RootContext(nil), e)
+			require.NoError(t, err)
+
+			jsonBytes, ok := e2.Format(jsonFormat.String())
+			require.True(t, ok)
+			require.Positive(t, len(jsonBytes))
+
+			var result entry
+			require.NoError(t, json.Unmarshal(jsonBytes, &result))
+
+			require.NotNil(t, result.Auth)
+			require.Equal(t, tc.WantActorEntityID, result.Auth.Metadata["actor_entity_id"])
+			require.Equal(t, tc.WantActorEntityName, result.Auth.Metadata["actor_entity_name"])
+
+			require.NotNil(t, result.Request)
+			require.Equal(t, tc.WantMetadata, result.Auth.Metadata["enterprise_token_metadata"])
+			require.Equal(t, tc.WantIssuer, result.Auth.Metadata["enterprise_token_issuer"])
+			require.Equal(t, tc.WantTransaction, result.Auth.Metadata["enterprise_token_transaction"])
+			require.Equal(t, tc.WantAudience, result.Auth.Metadata["enterprise_token_audience"])
+			require.Equal(t, tc.WantAuthorizationDetails, result.Auth.Metadata["enterprise_token_authorization_details"])
+		})
+	}
+}
+
+// TestEntryFormatter_Process_Response_EnterpriseToken verifies that enterprise token
+// fields are injected into both the top-level auth.metadata AND the response auth.metadata.
+func TestEntryFormatter_Process_Response_EnterpriseToken(t *testing.T) {
+	t.Parallel()
+
+	staticSalt := newStaticSalt(t)
+
+	cfg, err := newFormatterConfig(&testHeaderFormatter{}, map[string]string{
+		"hmac_accessor": "false",
+	})
+	require.NoError(t, err)
+	formatter, err := newEntryFormatter("test", cfg, staticSalt, hclog.NewNullLogger())
+	require.NoError(t, err)
+
+	in := &logical.LogInput{
+		Auth: &logical.Auth{
+			ClientToken:     "foo",
+			Accessor:        "bar",
+			DisplayName:     "testtoken",
+			EntityID:        "subject-entity-123",
+			ActorEntityID:   "actor-entity-456",
+			ActorEntityName: "actor-service",
+			Policies:        []string{"default"},
+			TokenType:       logical.TokenTypeDefault,
+		},
+		Request: &logical.Request{
+			Operation:                  logical.ReadOperation,
+			Path:                       "/secret/data/test",
+			EnterpriseTokenMetadata:    "resp-token-abc",
+			EnterpriseTokenIssuer:      "https://issuer.example.com",
+			EnterpriseTokenTransaction: "txn-response-1",
+			EnterpriseTokenAudience:    []string{"vault", "api"},
+			Connection: &logical.Connection{
+				RemoteAddr: "127.0.0.1",
+			},
+		},
+		Response: &logical.Response{
+			Auth: &logical.Auth{
+				ClientToken: "foo",
+				Accessor:    "bar",
+				EntityID:    "subject-entity-123",
+				Policies:    []string{"default"},
+				TokenType:   logical.TokenTypeDefault,
+			},
+			Data: map[string]interface{}{
+				"value": "secret",
+			},
+		},
+	}
+
+	auditEvent, err := newEvent(ResponseType)
+	require.NoError(t, err)
+	auditEvent.Data = in
+
+	e := &eventlogger.Event{
+		Type:      event.AuditType.AsEventType(),
+		CreatedAt: time.Now(),
+		Formatted: make(map[string][]byte),
+		Payload:   auditEvent,
+	}
+
+	e2, err := formatter.Process(nshelper.RootContext(nil), e)
+	require.NoError(t, err)
+
+	jsonBytes, ok := e2.Format(jsonFormat.String())
+	require.True(t, ok)
+
+	var result entry
+	require.NoError(t, json.Unmarshal(jsonBytes, &result))
+
+	// Top-level auth must have enterprise token fields in metadata
+	require.NotNil(t, result.Auth)
+	require.Equal(t, "actor-entity-456", result.Auth.Metadata["actor_entity_id"])
+	require.Equal(t, "actor-service", result.Auth.Metadata["actor_entity_name"])
+	require.Equal(t, "resp-token-abc", result.Auth.Metadata["enterprise_token_metadata"])
+	require.Equal(t, "https://issuer.example.com", result.Auth.Metadata["enterprise_token_issuer"])
+	require.Equal(t, "txn-response-1", result.Auth.Metadata["enterprise_token_transaction"])
+	require.Equal(t, `["vault","api"]`, result.Auth.Metadata["enterprise_token_audience"])
+
+	// Response auth must also have enterprise token fields in metadata
+	require.NotNil(t, result.Response)
+	require.NotNil(t, result.Response.Auth)
+	require.Equal(t, "resp-token-abc", result.Response.Auth.Metadata["enterprise_token_metadata"])
+	require.Equal(t, "https://issuer.example.com", result.Response.Auth.Metadata["enterprise_token_issuer"])
+	require.Equal(t, "txn-response-1", result.Response.Auth.Metadata["enterprise_token_transaction"])
+	require.Equal(t, `["vault","api"]`, result.Response.Auth.Metadata["enterprise_token_audience"])
+}
+
+// TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel verifies that
+// enterprise token fields do NOT appear as top-level JSON keys on the request or auth
+// structs — they must only be in auth.metadata.
+func TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel(t *testing.T) {
+	t.Parallel()
+
+	staticSalt := newStaticSalt(t)
+
+	cfg, err := newFormatterConfig(&testHeaderFormatter{}, map[string]string{
+		"hmac_accessor": "false",
+	})
+	require.NoError(t, err)
+	formatter, err := newEntryFormatter("test", cfg, staticSalt, hclog.NewNullLogger())
+	require.NoError(t, err)
+
+	in := &logical.LogInput{
+		Auth: &logical.Auth{
+			ClientToken:     "foo",
+			Accessor:        "bar",
+			DisplayName:     "testtoken",
+			EntityID:        "foobarentity",
+			ActorEntityID:   "actor-entity-789",
+			ActorEntityName: "actor-service",
+			Policies:        []string{"root"},
+			TokenType:       logical.TokenTypeService,
+		},
+		Request: &logical.Request{
+			Operation:                           logical.ReadOperation,
+			Path:                                "/secret/data/test",
+			EnterpriseTokenMetadata:             "test-token-123",
+			EnterpriseTokenIssuer:               "https://issuer.example.com",
+			EnterpriseTokenTransaction:          "txn-top-level-1",
+			EnterpriseTokenAudience:             []string{"vault"},
+			EnterpriseTokenAuthorizationDetails: []logical.AuthorizationDetail{{"type": "access"}},
+			Connection: &logical.Connection{
+				RemoteAddr: "127.0.0.1",
+			},
+		},
+	}
+
+	auditEvent, err := newEvent(RequestType)
+	require.NoError(t, err)
+	auditEvent.Data = in
+
+	e := &eventlogger.Event{
+		Type:      event.AuditType.AsEventType(),
+		CreatedAt: time.Now(),
+		Formatted: make(map[string][]byte),
+		Payload:   auditEvent,
+	}
+
+	e2, err := formatter.Process(nshelper.RootContext(nil), e)
+	require.NoError(t, err)
+
+	jsonBytes, ok := e2.Format(jsonFormat.String())
+	require.True(t, ok)
+
+	var raw map[string]json.RawMessage
+	require.NoError(t, json.Unmarshal(jsonBytes, &raw))
+
+	// Auth top-level must NOT have actor_entity_id or actor_entity_name
+	var authMap map[string]json.RawMessage
+	require.NoError(t, json.Unmarshal(raw["auth"], &authMap))
+	_, hasActorEntityID := authMap["actor_entity_id"]
+	_, hasActorEntityName := authMap["actor_entity_name"]
+	require.False(t, hasActorEntityID, "actor_entity_id must not be a top-level auth field")
+	require.False(t, hasActorEntityName, "actor_entity_name must not be a top-level auth field")
+
+	// Request top-level must NOT have any enterprise_token_* fields
+	var reqMap map[string]json.RawMessage
+	require.NoError(t, json.Unmarshal(raw["request"], &reqMap))
+	for key := range reqMap {
+		require.False(t, strings.HasPrefix(key, "enterprise_token_"),
+			"request must not have top-level enterprise_token_ field: %s", key)
+	}
+
+	// But auth.metadata MUST have them
+	var metadataMap map[string]string
+	require.NoError(t, json.Unmarshal(authMap["metadata"], &metadataMap))
+	entityID, ok := metadataMap["actor_entity_id"]
+	require.True(t, ok)
+	require.Equal(t, "actor-entity-789", entityID)
+
+	entityName, ok := metadataMap["actor_entity_name"]
+	require.True(t, ok)
+	require.Equal(t, "actor-service", entityName)
+
+	tokenMetadata, ok := metadataMap["enterprise_token_metadata"]
+	require.True(t, ok)
+	require.Equal(t, "test-token-123", tokenMetadata)
+
+	tokenIssuer, ok := metadataMap["enterprise_token_issuer"]
+	require.True(t, ok)
+	require.Equal(t, "https://issuer.example.com", tokenIssuer)
+
+	tokenTransaction, ok := metadataMap["enterprise_token_transaction"]
+	require.True(t, ok)
+	require.Equal(t, "txn-top-level-1", tokenTransaction)
+
+	tokenAudience, ok := metadataMap["enterprise_token_audience"]
+	require.True(t, ok)
+	require.Equal(t, `["vault"]`, tokenAudience)
+
+	tokenAuthzDetails, ok := metadataMap["enterprise_token_authorization_details"]
+	require.True(t, ok)
+	require.Contains(t, tokenAuthzDetails, `"type":"access"`)
+}
+
 // TestEntryFormatter_Process_Request exercises entryFormatter process an event
 // with varying inputs.
 func TestEntryFormatter_Process_Request(t *testing.T) {
@@ -788,6 +1279,40 @@ func TestEntryFormatter_Process_JSON(t *testing.T) {
 			"@cee: ",
 			expectedResultStr,
 		},
+		"auth, request with enterprise token": {
+			&logical.Auth{
+				ClientToken:     "foo",
+				Accessor:        "bar",
+				DisplayName:     "testtoken",
+				EntityID:        "foobarentity",
+				ActorEntityID:   "actor-entity-789",
+				ActorEntityName: "actor-service",
+				NoDefaultPolicy: true,
+				Policies:        []string{"root"},
+				TokenType:       logical.TokenTypeService,
+				LeaseOptions: logical.LeaseOptions{
+					TTL:       time.Hour * 4,
+					IssueTime: issueTime,
+				},
+			},
+			&logical.Request{
+				Operation:               logical.UpdateOperation,
+				Path:                    "/foo",
+				EnterpriseTokenMetadata: "test-token-123",
+				Connection: &logical.Connection{
+					RemoteAddr: "127.0.0.1",
+				},
+				WrapInfo: &logical.RequestWrapInfo{
+					TTL: 60 * time.Second,
+				},
+				Headers: map[string][]string{
+					"foo": {"bar"},
+				},
+			},
+			errors.New("this is an error"),
+			"",
+			fmt.Sprintf(testFormatJSONEnterpriseTokenStrFmt, ss.salt.GetIdentifiedHMAC("foo")),
+		},
 	}
 
 	for name, tc := range cases {
@@ -831,7 +1356,7 @@ func TestEntryFormatter_Process_JSON(t *testing.T) {
 
 		expectedJSON := new(entry)
 
-		if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedJSON); err != nil {
+		if err := jsonutil.DecodeJSON([]byte(tc.ExpectedStr), &expectedJSON); err != nil {
 			t.Fatalf("bad json: %s", err)
 		}
 		expectedJSON.Request.Namespace = &namespace{ID: "root"}
@@ -1190,7 +1715,73 @@ func TestEntryFormatter_Process_NoMutation(t *testing.T) {
 	require.NotEqual(t, e2, e)
 }
 
-// TestEntryFormatter_Process_Panic tries to send data into the entryFormatter
+// TestEntryFormatter_Process_NoMutation_WithEnterpriseToken verifies that
+// formatting an event carrying enterprise token fields does not mutate the
+// original logical.Request. The EnterpriseToken* fields must be identical on
+// the input after Process returns.
+func TestEntryFormatter_Process_NoMutation_WithEnterpriseToken(t *testing.T) {
+	t.Parallel()
+
+	cfg, err := newFormatterConfig(&testHeaderFormatter{}, nil)
+	require.NoError(t, err)
+	staticSalt := newStaticSalt(t)
+	formatter, err := newEntryFormatter("no-mutation-ent-token", cfg, staticSalt, hclog.NewNullLogger())
+	require.NoError(t, err)
+	require.NotNil(t, formatter)
+
+	authzDetails := []logical.AuthorizationDetail{
+		{
+			"type":            "vault:path_access",
+			"path_constraint": "secret/data/users/alice",
+			"action":          "read",
+		},
+	}
+
+	in := &logical.LogInput{
+		Auth: &logical.Auth{
+			ClientToken:     "foo",
+			Accessor:        "bar",
+			EntityID:        "subject-entity-123",
+			ActorEntityID:   "actor-entity-456",
+			ActorEntityName: "actor-service",
+			DisplayName:     "testtoken",
+			Policies:        []string{"default"},
+			TokenType:       logical.TokenTypeService,
+		},
+		Request: &logical.Request{
+			Operation:                           logical.ReadOperation,
+			Path:                                "/cubbyhole/test",
+			EnterpriseTokenMetadata:             "test-token-abc",
+			EnterpriseTokenIssuer:               "https://issuer.example.com",
+			EnterpriseTokenAudience:             []string{"vault", "api"},
+			EnterpriseTokenAuthorizationDetails: authzDetails,
+			Connection: &logical.Connection{
+				RemoteAddr: "127.0.0.1",
+			},
+		},
+	}
+
+	// Snapshot the enterprise token field values before processing.
+	wantMetadata := in.Request.EnterpriseTokenMetadata
+	wantIssuer := in.Request.EnterpriseTokenIssuer
+	wantAudience := append([]string(nil), in.Request.EnterpriseTokenAudience...)
+
+	e := fakeEvent(t, RequestType, in)
+
+	e2, err := formatter.Process(nshelper.RootContext(nil), e)
+	require.NoError(t, err)
+	require.NotNil(t, e2)
+
+	// The event pointer must differ — no in-place mutation.
+	require.NotEqual(t, e2, e)
+
+	// The original request's enterprise token fields must be unchanged.
+	require.Equal(t, wantMetadata, in.Request.EnterpriseTokenMetadata)
+	require.Equal(t, wantIssuer, in.Request.EnterpriseTokenIssuer)
+	require.Equal(t, wantAudience, in.Request.EnterpriseTokenAudience)
+	require.Equal(t, authzDetails, in.Request.EnterpriseTokenAuthorizationDetails)
+}
+
 // which will currently cause a panic when a response is formatted due to the
 // underlying hashing that is done with reflectwalk.
 func TestEntryFormatter_Process_Panic(t *testing.T) {
diff --git a/audit/hashstructure_test.go b/audit/hashstructure_test.go
index 5901599253..b8396a3e6f 100644
--- a/audit/hashstructure_test.go
+++ b/audit/hashstructure_test.go
@@ -432,3 +432,71 @@ func TestHashWalker_TimeStructs(t *testing.T) {
 		}
 	}
 }
+
+// TestCopy_request_EnterpriseTokenFields verifies that copystructure.Copy
+// correctly deep-copies a logical.Request that carries enterprise token fields,
+// including EnterpriseTokenAuthorizationDetails which is []map[string]any and
+// would silently lose data under a shallow copy.
+func TestCopy_request_EnterpriseTokenFields(t *testing.T) {
+	expected := logical.Request{
+		Data: map[string]interface{}{
+			"foo": "bar",
+		},
+		EnterpriseTokenMetadata:    "test-token-abc",
+		EnterpriseTokenIssuer:      "https://issuer.example.com",
+		EnterpriseTokenTransaction: "txn-copy-1",
+		EnterpriseTokenAudience:    []string{"vault", "api"},
+		EnterpriseTokenAuthorizationDetails: []logical.AuthorizationDetail{
+			{
+				"type":            "vault:path_access",
+				"path_constraint": "secret/data/users/alice",
+				"action":          "read",
+			},
+			{
+				"type":            "vault:path_access",
+				"path_constraint": "secret/data/config/general",
+				"action":          "update",
+			},
+		},
+	}
+	arg := expected
+
+	dup, err := copystructure.Copy(&arg)
+	require.NoError(t, err)
+
+	arg2 := dup.(*logical.Request)
+	require.EqualValues(t, expected, *arg2)
+}
+
+// TestHashRequest_EnterpriseTokenFieldsInMetadata verifies that enterprise token
+// fields stored in auth.Metadata are not HMAC'd by hashAuth. These values are
+// not secrets and must appear as cleartext in the audit log.
+func TestHashRequest_EnterpriseTokenFieldsInMetadata(t *testing.T) {
+	// Enterprise token fields are now stored in auth.Metadata by createEntry().
+	// Verify that hashAuth does not HMAC metadata values.
+	auditAuth := &auth{
+		ClientToken: "secret-token",
+		Metadata: map[string]string{
+			"enterprise_token_metadata":    "test-token-xyz",
+			"enterprise_token_issuer":      "https://issuer.example.com",
+			"enterprise_token_transaction": "txn-hash-1",
+			"actor_entity_id":              "actor-123",
+			"actor_entity_name":            "actor-service",
+		},
+	}
+
+	salter := &testSalter{}
+	err := hashAuth(context.Background(), salter, auditAuth, false)
+	require.NoError(t, err)
+
+	// ClientToken must be HMAC'd — it is a secret.
+	require.NotEqual(t, "secret-token", auditAuth.ClientToken)
+	require.Contains(t, auditAuth.ClientToken, "hmac-sha256:")
+
+	// Metadata values must pass through unchanged — they are not secrets.
+	require.Equal(t, "test-token-xyz", auditAuth.Metadata["enterprise_token_metadata"])
+	require.Equal(t, "https://issuer.example.com", auditAuth.Metadata["enterprise_token_issuer"])
+	require.Equal(t, "txn-hash-1", auditAuth.Metadata["enterprise_token_transaction"])
+	require.Equal(t, "actor-123", auditAuth.Metadata["actor_entity_id"])
+	require.Equal(t, "actor-service", auditAuth.Metadata["actor_entity_name"])
+}
diff --git a/builtin/credential/aws/backend_e2e_test.go b/builtin/credential/aws/backend_e2e_test.go
index fa1902b771..67a1e774ad 100644
--- a/builtin/credential/aws/backend_e2e_test.go
+++ b/builtin/credential/aws/backend_e2e_test.go
@@ -20,7 +20,6 @@ func TestBackend_E2E_Initialize(t *testing.T) {
 	// Set up the cluster.  This will trigger an Initialize(); we sleep briefly
 	// awaiting its completion.
 	cluster := setupAwsTestCluster(t, ctx)
-	defer cluster.Cleanup()
 	time.Sleep(time.Second)
 	core := cluster.Cores[0]
 
@@ -112,12 +111,10 @@ func setupAwsTestCluster(t *testing.T, _ context.Context) *vault.TestCluster {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
 	if len(cluster.Cores) != 1 {
 		t.Fatalf("expected exactly one core")
 	}
 	core := cluster.Cores[0]
-	vault.TestWaitActive(t, core.Core)
 
 	// load the auth plugin
 	if err := core.Client.Sys().EnableAuthWithOptions("aws", &api.EnableAuthOptions{
diff --git a/builtin/credential/aws/path_config_client.go b/builtin/credential/aws/path_config_client.go
index 315381d0a3..3f34443767 100644
--- a/builtin/credential/aws/path_config_client.go
+++ b/builtin/credential/aws/path_config_client.go
@@ -368,14 +368,26 @@ func (b *backend) pathConfigClientCreateUpdate(ctx context.Context, req *logical
 		configEntry.RoleARN = data.Get("role_arn").(string)
 	}
 
+	// Checking if identity_token_ttl is actually changed, no need to flush the cache if it is not
+	previousIdentityParams := configEntry.PluginIdentityTokenParams
 	if err := configEntry.ParsePluginIdentityTokenFields(data); err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
 
+	if !previousIdentityParams.Equals(configEntry.PluginIdentityTokenParams) {
+		changedCreds = true
+	}
+
+	// Checking if any for the rotation parameters has been modified, if yes, we set "changedOtherConfig" to true
+	previousRotationParams := configEntry.AutomatedRotationParams
 	if err := configEntry.ParseAutomatedRotationFields(data); err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
 
+	if !previousRotationParams.Equals(configEntry.AutomatedRotationParams) {
+		changedOtherConfig = true
+	}
+
 	// handle mutual exclusivity
 	if configEntry.IdentityTokenAudience != "" && configEntry.AccessKey != "" {
 		return logical.ErrorResponse("only one of 'access_key' or 'identity_token_audience' can be set"), nil
diff --git a/builtin/credential/aws/path_config_client_test.go b/builtin/credential/aws/path_config_client_test.go
index e901705c2b..1b24036024 100644
--- a/builtin/credential/aws/path_config_client_test.go
+++ b/builtin/credential/aws/path_config_client_test.go
@@ -187,3 +187,39 @@ func (d testSystemView) RegisterRotationJob(_ context.Context, _ *rotation.Rotat
 func (d testSystemView) DeregisterRotationJob(_ context.Context, _ *rotation.RotationJobDeregisterRequest) error {
 	return nil
 }
+
+// TestBackend_PathConfigClient_RotationParameters tests that configuration
+// of root creds rotation returns an immediate error.
+func TestBackend_PathConfigClient_RotationParameters(t *testing.T) {
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+	config.System = &testSystemView{}
+
+	b, err := Backend(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = b.Setup(context.Background(), config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configData := map[string]interface{}{
+		"disable_automated_rotation": "false",
+		"rotation_schedule":          "0 2 1-7 * TUE",
+		"rotation_window":            "1h",
+	}
+
+	configReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Storage:   config.StorageView,
+		Path:      "config/client",
+		Data:      configData,
+	}
+
+	resp, err := b.HandleRequest(context.Background(), configReq)
+	assert.NoError(t, err)
+	assert.NotNil(t, resp)
+	assert.ErrorContains(t, resp.Error(), automatedrotationutil.ErrRotationManagerUnsupported.Error())
+}
diff --git a/builtin/credential/aws/path_role.go b/builtin/credential/aws/path_role.go
index 52695e6ab0..9198862618 100644
--- a/builtin/credential/aws/path_role.go
+++ b/builtin/credential/aws/path_role.go
@@ -563,7 +563,7 @@ func (b *backend) upgradeRole(ctx context.Context, s logical.Storage, roleEntry
 		roleEntry.Version = currentRoleStorageVersion
 
 	default:
-		return false, fmt.Errorf("unrecognized role version: %q", roleEntry.Version)
+		return false, fmt.Errorf("unrecognized role version: %d", roleEntry.Version)
 	}
 
 	// Add tokenutil upgrades. These don't need to be persisted, they're fine
diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go
index efad03179e..44970788b4 100644
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@@ -12,6 +12,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/pem"
 	"fmt"
 	"io"
@@ -25,6 +26,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strings"
 	"testing"
 	"time"
 
@@ -34,6 +36,7 @@ import (
 	"github.com/hashicorp/go-sockaddr"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/builtin/logical/pki"
+	"github.com/hashicorp/vault/helper/testhelpers/certhelpers"
 	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -48,21 +51,24 @@ import (
 	"golang.org/x/net/http2"
 )
 
-const (
-	serverCertPath = "test-fixtures/cacert.pem"
-	serverKeyPath  = "test-fixtures/cakey.pem"
-	serverCAPath   = serverCertPath
+// Helper function to create custom X.509 extensions
+func createCustomExtensions() []pkix.Extension {
+	// OID 2.1.1.1 with UTF8String value
+	ext1Value, _ := asn1.Marshal("A UTF8String Extension")
+	ext1 := pkix.Extension{
+		Id:    asn1.ObjectIdentifier{2, 1, 1, 1},
+		Value: ext1Value,
+	}
 
-	testRootCACertPath1 = "test-fixtures/testcacert1.pem"
-	testRootCAKeyPath1  = "test-fixtures/testcakey1.pem"
-	testCertPath1       = "test-fixtures/testissuedcert4.pem"
-	testKeyPath1        = "test-fixtures/testissuedkey4.pem"
-	testIssuedCertCRL   = "test-fixtures/issuedcertcrl"
+	// OID 2.1.1.2 with UTF8String value
+	ext2Value, _ := asn1.Marshal("A UTF8 Extension")
+	ext2 := pkix.Extension{
+		Id:    asn1.ObjectIdentifier{2, 1, 1, 2},
+		Value: ext2Value,
+	}
 
-	testRootCACertPath2 = "test-fixtures/testcacert2.pem"
-	testRootCAKeyPath2  = "test-fixtures/testcakey2.pem"
-	testRootCertCRL     = "test-fixtures/cacert2crl"
-)
+	return []pkix.Extension{ext1, ext2}
+}
 
 func generateTestCertAndConnState(t *testing.T, template *x509.Certificate, caKey *ecdsa.PrivateKey) (string, tls.ConnectionState, error) {
 	t.Helper()
@@ -266,10 +272,7 @@ func TestBackend_PermittedDNSDomainsIntermediateCA(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
 
 	var err error
@@ -477,6 +480,102 @@ func TestBackend_PermittedDNSDomainsIntermediateCA(t *testing.T) {
 }
 
 func TestBackend_MetadataBasedACLPolicy(t *testing.T) {
+	// Generate CA certificate
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "Test CA",
+		},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caCertBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	caCert, err := x509.ParseCertificate(caCertBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	caPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caCertBytes,
+	})
+
+	// Generate client certificate with custom extensions
+	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create custom extensions
+	customExts := createCustomExtensions()
+
+	clientTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			CommonName: "example.com",
+		},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+		ExtraExtensions:       customExts,
+	}
+
+	clientCertBytes, err := x509.CreateCertificate(rand.Reader, clientTemplate, caCert, &clientKey.PublicKey, caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientCertPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: clientCertBytes,
+	})
+
+	clientKeyBytes, err := x509.MarshalECPrivateKey(clientKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: clientKeyBytes,
+	})
+
+	// Write certificates to temporary files for API client configuration
+	clientCertFile, err := ioutil.TempFile("", "client-cert-*.pem")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(clientCertFile.Name())
+	if _, err := clientCertFile.Write(clientCertPEM); err != nil {
+		t.Fatal(err)
+	}
+	clientCertFile.Close()
+
+	clientKeyFile, err := ioutil.TempFile("", "client-key-*.pem")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(clientKeyFile.Name())
+	if _, err := clientKeyFile.Write(clientKeyPEM); err != nil {
+		t.Fatal(err)
+	}
+	clientKeyFile.Close()
+
 	// Start cluster with cert auth method enabled
 	coreConfig := &vault.CoreConfig{
 		CredentialBackends: map[string]logical.Factory{
@@ -486,14 +585,9 @@ func TestBackend_MetadataBasedACLPolicy(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
 
-	var err error
-
 	// Enable the cert auth method
 	err = client.Sys().EnableAuthWithOptions("cert", &api.EnableAuthOptions{
 		Type: "cert",
@@ -541,16 +635,11 @@ path "kv/ext/{{identity.entity.aliases.%s.metadata.2-1-1-1}}" {
 		t.Fatalf("err: %v", err)
 	}
 
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
 	// Set the trusted certificate in the backend
 	_, err = client.Logical().Write("auth/cert/certs/test", map[string]interface{}{
 		"display_name":                "test",
 		"policies":                    "metadata-based",
-		"certificate":                 string(ca),
+		"certificate":                 string(caPEM),
 		"allowed_metadata_extensions": "2.1.1.1,1.2.3.45",
 	})
 	if err != nil {
@@ -583,8 +672,8 @@ path "kv/ext/{{identity.entity.aliases.%s.metadata.2-1-1-1}}" {
 		// Set the client certificates
 		config.ConfigureTLS(&api.TLSConfig{
 			CACertBytes: cluster.CACertPEM,
-			ClientCert:  "test-fixtures/root/rootcawextcert.pem",
-			ClientKey:   "test-fixtures/root/rootcawextkey.pem",
+			ClientCert:  clientCertFile.Name(),
+			ClientKey:   clientKeyFile.Name(),
 		})
 
 		apiClient, err := api.NewClient(config)
@@ -862,14 +951,19 @@ func TestBackend_RegisteredNonCA_CRL(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	nonCACert, err := ioutil.ReadFile(testCertPath1)
-	if err != nil {
-		t.Fatal(err)
-	}
+	// Generate a self-signed certificate that can sign CRLs (needs to be a CA for CRL signing)
+	leafCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("cert.example.com"),
+		certhelpers.DNS("cert.example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+	leafCertPEM := strings.TrimSpace(string(leafCert.Pem))
 
 	// Register the Non-CA certificate of the client key pair
 	certData := map[string]interface{}{
-		"certificate":  nonCACert,
+		"certificate":  leafCertPEM,
 		"policies":     "abc",
 		"display_name": "cert1",
 		"ttl":          10000,
@@ -886,12 +980,14 @@ func TestBackend_RegisteredNonCA_CRL(t *testing.T) {
 		t.Fatalf("err:%v resp:%#v", err, resp)
 	}
 
-	// Connection state is presenting the client Non-CA cert and its key.
-	// This is exactly what is registered at the backend.
-	connState, err := connectionState(serverCAPath, serverCertPath, serverKeyPath, testCertPath1, testKeyPath1)
+	// Create connection state with the leaf certificate
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(leafCert.Pem)
+	connState, err := testConnStateWithCert(leafCert.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state:%v", err)
 	}
+
 	loginReq := &logical.Request{
 		Operation: logical.UpdateOperation,
 		Storage:   storage,
@@ -906,13 +1002,28 @@ func TestBackend_RegisteredNonCA_CRL(t *testing.T) {
 		t.Fatalf("err:%v resp:%#v", err, resp)
 	}
 
-	// Register a CRL containing the issued client certificate used above.
-	issuedCRL, err := ioutil.ReadFile(testIssuedCertCRL)
+	// Generate a CRL that revokes the leaf certificate
+	crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+		Number:     big.NewInt(1),
+		ThisUpdate: time.Now(),
+		NextUpdate: time.Now().Add(24 * time.Hour),
+		RevokedCertificateEntries: []x509.RevocationListEntry{
+			{
+				SerialNumber:   leafCert.Template.SerialNumber,
+				RevocationTime: time.Now(),
+			},
+		},
+	}, leafCert.Template, leafCert.PrivKey.PrivKey)
 	if err != nil {
 		t.Fatal(err)
 	}
+	crlPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "X509 CRL",
+		Bytes: crlBytes,
+	})
+
 	crlData := map[string]interface{}{
-		"crl": issuedCRL,
+		"crl": crlPEM,
 	}
 	crlReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -960,13 +1071,19 @@ func TestBackend_CRLs(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	clientCA1, err := ioutil.ReadFile(testRootCACertPath1)
-	if err != nil {
-		t.Fatal(err)
-	}
+	// Generate CA1 certificate
+	ca1Cert := certhelpers.NewCert(t,
+		certhelpers.CommonName("ca1.example.com"),
+		certhelpers.DNS("ca1.example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+	ca1CertPEM := strings.TrimSpace(string(ca1Cert.Pem))
+
 	// Register the CA certificate of the client key pair
 	certData := map[string]interface{}{
-		"certificate":  clientCA1,
+		"certificate":  ca1CertPEM,
 		"policies":     "abc",
 		"display_name": "cert1",
 		"ttl":          10000,
@@ -986,10 +1103,13 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Connection state is presenting the client CA cert and its key.
 	// This is exactly what is registered at the backend.
-	connState, err := connectionState(serverCAPath, serverCertPath, serverKeyPath, testRootCACertPath1, testRootCAKeyPath1)
+	rootCAs1 := x509.NewCertPool()
+	rootCAs1.AppendCertsFromPEM(ca1Cert.Pem)
+	connState, err := testConnStateWithCert(ca1Cert.TLSCert, rootCAs1)
 	if err != nil {
 		t.Fatalf("error testing connection state:%v", err)
 	}
+
 	loginReq := &logical.Request{
 		Operation: logical.UpdateOperation,
 		Storage:   storage,
@@ -1005,7 +1125,14 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Now, without changing the registered client CA cert, present from
 	// the client side, a cert issued using the registered CA.
-	connState, err = connectionState(serverCAPath, serverCertPath, serverKeyPath, testCertPath1, testKeyPath1)
+	issuedCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("issued.example.com"),
+		certhelpers.DNS("issued.example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca1Cert),
+	)
+
+	connState, err = testConnStateWithCert(issuedCert.TLSCert, rootCAs1)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
@@ -1018,12 +1145,27 @@ func TestBackend_CRLs(t *testing.T) {
 	}
 
 	// Register a CRL containing the issued client certificate used above.
-	issuedCRL, err := ioutil.ReadFile(testIssuedCertCRL)
+	crlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+		Number:     big.NewInt(1),
+		ThisUpdate: time.Now(),
+		NextUpdate: time.Now().Add(24 * time.Hour),
+		RevokedCertificateEntries: []x509.RevocationListEntry{
+			{
+				SerialNumber:   issuedCert.Template.SerialNumber,
+				RevocationTime: time.Now(),
+			},
+		},
+	}, ca1Cert.Template, ca1Cert.PrivKey.PrivKey)
 	if err != nil {
 		t.Fatal(err)
 	}
+	crlPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "X509 CRL",
+		Bytes: crlBytes,
+	})
+
 	crlData := map[string]interface{}{
-		"crl": issuedCRL,
+		"crl": crlPEM,
 	}
 
 	crlReq := &logical.Request{
@@ -1047,18 +1189,25 @@ func TestBackend_CRLs(t *testing.T) {
 	}
 
 	// Register a different client CA certificate.
-	clientCA2, err := ioutil.ReadFile(testRootCACertPath2)
-	if err != nil {
-		t.Fatal(err)
-	}
-	certData["certificate"] = clientCA2
+	ca2Cert := certhelpers.NewCert(t,
+		certhelpers.CommonName("ca2.example.com"),
+		certhelpers.DNS("ca2.example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+	ca2CertPEM := strings.TrimSpace(string(ca2Cert.Pem))
+
+	certData["certificate"] = ca2CertPEM
 	resp, err = b.HandleRequest(context.Background(), certReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("err:%v resp:%#v", err, resp)
 	}
 
 	// Test login using a different client CA cert pair.
-	connState, err = connectionState(serverCAPath, serverCertPath, serverKeyPath, testRootCACertPath2, testRootCAKeyPath2)
+	rootCAs2 := x509.NewCertPool()
+	rootCAs2.AppendCertsFromPEM(ca2Cert.Pem)
+	connState, err = testConnStateWithCert(ca2Cert.TLSCert, rootCAs2)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
@@ -1071,11 +1220,26 @@ func TestBackend_CRLs(t *testing.T) {
 	}
 
 	// Register a CRL containing the root CA certificate used above.
-	rootCRL, err := ioutil.ReadFile(testRootCertCRL)
+	rootCRLBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
+		Number:     big.NewInt(2),
+		ThisUpdate: time.Now(),
+		NextUpdate: time.Now().Add(24 * time.Hour),
+		RevokedCertificateEntries: []x509.RevocationListEntry{
+			{
+				SerialNumber:   ca2Cert.Template.SerialNumber,
+				RevocationTime: time.Now(),
+			},
+		},
+	}, ca2Cert.Template, ca2Cert.PrivKey.PrivKey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	crlData["crl"] = rootCRL
+	rootCRLPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "X509 CRL",
+		Bytes: rootCRLBytes,
+	})
+
+	crlData["crl"] = rootCRLPEM
 	resp, err = b.HandleRequest(context.Background(), crlReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("err:%v resp:%#v", err, resp)
@@ -1113,28 +1277,60 @@ func testFactory(t *testing.T) logical.Backend {
 
 // Test the certificates being registered to the backend
 func TestBackend_CertWrites(t *testing.T) {
-	// CA cert
-	ca1, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
+	// Generate CA cert
+	ca1Cert := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate non-CA cert signed by CA
+	ca2Cert := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client"),
+		certhelpers.Parent(ca1Cert),
+	)
+
+	// Generate non-CA cert without TLS web client authentication
+	// Create a certificate template without client auth (should fail registration)
+	ca3Key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
-		t.Fatalf("err: %v", err)
+		t.Fatal(err)
 	}
-	// Non CA Cert
-	ca2, err := ioutil.ReadFile("test-fixtures/keys/cert.pem")
+	subjKeyID, err := certutil.GetSubjKeyID(ca3Key)
 	if err != nil {
-		t.Fatalf("err: %v", err)
+		t.Fatal(err)
 	}
-	// Non CA cert without TLS web client authentication
-	ca3, err := ioutil.ReadFile("test-fixtures/noclientauthcert.pem")
+	ca3Template := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "no-client-auth",
+		},
+		SubjectKeyId: subjKeyID,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth, // Only server auth, no client auth
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		SerialNumber:          big.NewInt(mathrand.Int63()),
+		NotBefore:             time.Now().Add(-30 * time.Second),
+		NotAfter:              time.Now().Add(262980 * time.Hour),
+		BasicConstraintsValid: true,
+		IsCA:                  false, // Not a CA
+	}
+	ca3Bytes, err := x509.CreateCertificate(rand.Reader, ca3Template, ca3Template, ca3Key.Public(), ca3Key)
 	if err != nil {
-		t.Fatalf("err: %v", err)
+		t.Fatal(err)
 	}
+	ca3PEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: ca3Bytes,
+	}
+	ca3PEM := pem.EncodeToMemory(ca3PEMBlock)
 
 	tc := logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "aaa", ca1, "foo", allowed{}, false),
-			testAccStepCert(t, "bbb", ca2, "foo", allowed{}, false),
-			testAccStepCert(t, "ccc", ca3, "foo", allowed{}, true),
+			testAccStepCert(t, "aaa", ca1Cert.Pem, "foo", allowed{}, false),
+			testAccStepCert(t, "bbb", ca2Cert.Pem, "foo", allowed{}, false),
+			testAccStepCert(t, "ccc", ca3PEM, "foo", allowed{}, true),
 		},
 	}
 	tc.Steps = append(tc.Steps, testAccStepListCerts(t, []string{"aaa", "bbb"})...)
@@ -1143,30 +1339,46 @@ func TestBackend_CertWrites(t *testing.T) {
 
 // Test a client trusted by a CA
 func TestBackend_basic_CA(t *testing.T) {
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate CA certificate
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate client certificate signed by CA
+	clientCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client"),
+		certhelpers.DNS("*.example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state with generated certificates
+	connState, err := testConnStateWithCert(clientCert.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "web", ca, "foo", allowed{}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCertLease(t, "web", ca, "foo"),
-			testAccStepCertTTL(t, "web", ca, "foo"),
+			testAccStepCertLease(t, "web", ca.Pem, "foo"),
+			testAccStepCertTTL(t, "web", ca.Pem, "foo"),
 			testAccStepLogin(t, connState),
-			testAccStepCertMaxTTL(t, "web", ca, "foo"),
+			testAccStepCertMaxTTL(t, "web", ca.Pem, "foo"),
 			testAccStepLogin(t, connState),
-			testAccStepCertNoLease(t, "web", ca, "foo"),
+			testAccStepCertNoLease(t, "web", ca.Pem, "foo"),
 			testAccStepLoginDefaultLease(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "*.example.com"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{names: "*.example.com"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "*.invalid.com"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{names: "*.invalid.com"}, false),
 			testAccStepLoginInvalid(t, connState),
 		},
 	})
@@ -1174,26 +1386,140 @@ func TestBackend_basic_CA(t *testing.T) {
 
 // Test CRL behavior
 func TestBackend_Basic_CRLs(t *testing.T) {
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate CA certificate
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	subjKeyID, err := certutil.GetSubjKeyID(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caTemplate := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "Test CA",
+		},
+		SubjectKeyId:          subjKeyID,
+		KeyUsage:              x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign),
+		SerialNumber:          big.NewInt(mathrand.Int63()),
+		NotBefore:             time.Now().Add(-30 * time.Second),
+		NotAfter:              time.Now().Add(262980 * time.Hour),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+	caBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, caKey.Public(), caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caCert, err := x509.ParseCertificate(caBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	caPEM := pem.EncodeToMemory(caPEMBlock)
+
+	// Generate client certificate signed by CA
+	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clientSubjKeyID, err := certutil.GetSubjKeyID(clientKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clientTemplate := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "client",
+		},
+		SubjectKeyId: clientSubjKeyID,
+		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageClientAuth,
+		},
+		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		SerialNumber: big.NewInt(mathrand.Int63()),
+		NotBefore:    time.Now().Add(-30 * time.Second),
+		NotAfter:     time.Now().Add(262980 * time.Hour),
+	}
+	clientBytes, err := x509.CreateCertificate(rand.Reader, clientTemplate, caCert, clientKey.Public(), caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clientCert, err := x509.ParseCertificate(clientBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clientPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: clientBytes,
+	}
+	clientPEM := pem.EncodeToMemory(clientPEMBlock)
+
+	clientKeyBytes, err := x509.MarshalECPrivateKey(clientKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clientKeyPEMBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: clientKeyBytes,
+	}
+	clientKeyPEM := pem.EncodeToMemory(clientKeyPEMBlock)
+
+	// Create TLS certificate for connection state
+	tlsCert, err := tls.X509KeyPair(clientPEM, clientKeyPEM)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tlsCert.Leaf = clientCert
+
+	// Create root CA pool
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caCert)
+
+	// Create connection state
+	connState, err := testConnStateWithCert(tlsCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
+
+	// Generate CRL with the client certificate revoked
+	now := time.Now()
+	revokedCerts := []pkix.RevokedCertificate{
+		{
+			SerialNumber:   clientCert.SerialNumber,
+			RevocationTime: now,
+		},
 	}
-	crl, err := ioutil.ReadFile("test-fixtures/root/root.crl")
-	if err != nil {
-		t.Fatalf("err: %v", err)
+	crlTemplate := &x509.RevocationList{
+		Number:              big.NewInt(1),
+		ThisUpdate:          now,
+		NextUpdate:          now.Add(24 * time.Hour),
+		RevokedCertificates: revokedCerts,
 	}
+	crlBytes, err := x509.CreateRevocationList(rand.Reader, crlTemplate, caCert, caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	crlPEMBlock := &pem.Block{
+		Type:  "X509 CRL",
+		Bytes: crlBytes,
+	}
+	crlPEM := pem.EncodeToMemory(crlPEMBlock)
+
+	// Get the serial number as a string for checking in the CRL
+	expectedSerial := clientCert.SerialNumber.String()
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCertNoLease(t, "web", ca, "foo"),
+			testAccStepCertNoLease(t, "web", caPEM, "foo"),
 			testAccStepLoginDefaultLease(t, connState),
-			testAccStepAddCRL(t, crl, connState),
-			testAccStepReadCRL(t, connState),
+			testAccStepAddCRL(t, crlPEM, connState),
+			testAccStepReadCRLWithSerial(t, connState, expectedSerial),
 			testAccStepLoginInvalid(t, connState),
 			testAccStepDeleteCRL(t, connState),
 			testAccStepLoginDefaultLease(t, connState),
@@ -1203,50 +1529,68 @@ func TestBackend_Basic_CRLs(t *testing.T) {
 
 // Test a self-signed client (root CA) that is trusted
 func TestBackend_basic_singleCert(t *testing.T) {
-	connState, err := testConnState("test-fixtures/root/rootcacert.pem",
-		"test-fixtures/root/rootcakey.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate self-signed CA certificate that will also be used as client cert
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("example.com"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+		certhelpers.IP("127.0.0.1"),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state using the CA cert as both client and CA
+	connState, err := testConnStateWithCert(ca.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "web", ca, "foo", allowed{}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{names: "example.com"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "invalid"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{names: "invalid"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "1.2.3.4:invalid"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{ext: "1.2.3.4:invalid"}, false),
 			testAccStepLoginInvalid(t, connState),
 		},
 	})
 }
 
 func TestBackend_common_name_singleCert(t *testing.T) {
-	connState, err := testConnState("test-fixtures/root/rootcacert.pem",
-		"test-fixtures/root/rootcakey.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate self-signed CA certificate that will also be used as client cert
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("example.com"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+		certhelpers.IP("127.0.0.1"),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state using the CA cert as both client and CA
+	connState, err := testConnStateWithCert(ca.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "web", ca, "foo", allowed{}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{common_names: "example.com"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{common_names: "example.com"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{common_names: "invalid"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{common_names: "invalid"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "1.2.3.4:invalid"}, false),
+			testAccStepCert(t, "web", ca.Pem, "foo", allowed{ext: "1.2.3.4:invalid"}, false),
 			testAccStepLoginInvalid(t, connState),
 		},
 	})
@@ -1254,71 +1598,129 @@ func TestBackend_common_name_singleCert(t *testing.T) {
 
 // Test a self-signed client with custom ext (root CA) that is trusted
 func TestBackend_ext_singleCert(t *testing.T) {
-	connState, err := testConnState(
-		"test-fixtures/root/rootcawextcert.pem",
-		"test-fixtures/root/rootcawextkey.pem",
-		"test-fixtures/root/rootcacert.pem",
-	)
+	// Generate self-signed CA certificate with custom X.509 extensions
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	subjKeyID, err := certutil.GetSubjKeyID(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create custom extensions
+	customExtensions := createCustomExtensions()
+
+	caTemplate := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: "example.com",
+		},
+		SubjectKeyId:          subjKeyID,
+		DNSNames:              []string{"example.com"},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		KeyUsage:              x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature),
+		SerialNumber:          big.NewInt(mathrand.Int63()),
+		NotBefore:             time.Now().Add(-30 * time.Second),
+		NotAfter:              time.Now().Add(262980 * time.Hour),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		ExtraExtensions:       customExtensions,
+	}
+	caBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, caKey.Public(), caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caCert, err := x509.ParseCertificate(caBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	caPEM := pem.EncodeToMemory(caPEMBlock)
+
+	// Create TLS certificate for connection state
+	caKeyBytes, err := x509.MarshalECPrivateKey(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caKeyPEMBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: caKeyBytes,
+	}
+	caKeyPEM := pem.EncodeToMemory(caKeyPEMBlock)
+
+	tlsCert, err := tls.X509KeyPair(caPEM, caKeyPEM)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tlsCert.Leaf = caCert
+
+	// Create root CA pool
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caCert)
+
+	// Create connection state
+	connState, err := testConnStateWithCert(tlsCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "2.1.1.1:A UTF8String Extension"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{ext: "2.1.1.1:A UTF8String Extension"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "2.1.1.1:*,2.1.1.2:A UTF8*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{ext: "2.1.1.1:*,2.1.1.2:A UTF8*"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "1.2.3.45:*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{ext: "1.2.3.45:*"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "2.1.1.1:The Wrong Value"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{ext: "2.1.1.1:The Wrong Value"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "2.1.1.1:*,2.1.1.2:The Wrong Value"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{ext: "2.1.1.1:*,2.1.1.2:The Wrong Value"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "2.1.1.1:"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{ext: "2.1.1.1:"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{ext: "2.1.1.1:,2.1.1.2:*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{ext: "2.1.1.1:,2.1.1.2:*"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "2.1.1.1:A UTF8String Extension"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "2.1.1.1:A UTF8String Extension"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "2.1.1.1:*,2.1.1.2:A UTF8*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "2.1.1.1:*,2.1.1.2:A UTF8*"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "1.2.3.45:*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "1.2.3.45:*"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "2.1.1.1:The Wrong Value"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "2.1.1.1:The Wrong Value"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "2.1.1.1:*,2.1.1.2:The Wrong Value"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "2.1.1.1:*,2.1.1.2:The Wrong Value"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "invalid", ext: "2.1.1.1:A UTF8String Extension"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "invalid", ext: "2.1.1.1:A UTF8String Extension"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "invalid", ext: "2.1.1.1:*,2.1.1.2:A UTF8*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "invalid", ext: "2.1.1.1:*,2.1.1.2:A UTF8*"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "invalid", ext: "1.2.3.45:*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "invalid", ext: "1.2.3.45:*"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "invalid", ext: "2.1.1.1:The Wrong Value"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "invalid", ext: "2.1.1.1:The Wrong Value"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "invalid", ext: "2.1.1.1:*,2.1.1.2:The Wrong Value"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "invalid", ext: "2.1.1.1:*,2.1.1.2:The Wrong Value"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "hex:2.5.29.17:*87047F000002*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "hex:2.5.29.17:*87047F000002*"}, false),
 			testAccStepLoginInvalid(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "hex:2.5.29.17:*87047F000001*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "hex:2.5.29.17:*87047F000001*"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{names: "example.com", ext: "2.5.29.17:"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{names: "example.com", ext: "2.5.29.17:"}, false),
 			testAccStepLogin(t, connState),
 			testAccStepReadConfig(t, config{EnableIdentityAliasMetadata: false}, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{metadata_ext: "2.1.1.1,1.2.3.45"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{metadata_ext: "2.1.1.1,1.2.3.45"}, false),
 			testAccStepLoginWithMetadata(t, connState, "web", map[string]string{"2-1-1-1": "A UTF8String Extension"}, false),
-			testAccStepCert(t, "web", ca, "foo", allowed{metadata_ext: "1.2.3.45"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{metadata_ext: "1.2.3.45"}, false),
 			testAccStepLoginWithMetadata(t, connState, "web", map[string]string{}, false),
 			testAccStepSetConfig(t, config{EnableIdentityAliasMetadata: true}, connState),
 			testAccStepReadConfig(t, config{EnableIdentityAliasMetadata: true}, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{metadata_ext: "2.1.1.1,1.2.3.45"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{metadata_ext: "2.1.1.1,1.2.3.45"}, false),
 			testAccStepLoginWithMetadata(t, connState, "web", map[string]string{"2-1-1-1": "A UTF8String Extension"}, true),
-			testAccStepCert(t, "web", ca, "foo", allowed{metadata_ext: "1.2.3.45"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{metadata_ext: "1.2.3.45"}, false),
 			testAccStepLoginWithMetadata(t, connState, "web", map[string]string{}, true),
 			testAccStepSetConfig(t, config{EnableMetadataOnFailures: true}, connState),
 			testAccStepReadConfig(t, config{EnableMetadataOnFailures: true}, connState),
@@ -1422,28 +1824,81 @@ func TestBackend_email_singleCert(t *testing.T) {
 
 // Test a self-signed client with OU (root CA) that is trusted
 func TestBackend_organizationalUnit_singleCert(t *testing.T) {
-	connState, err := testConnState(
-		"test-fixtures/root/rootcawoucert.pem",
-		"test-fixtures/root/rootcawoukey.pem",
-		"test-fixtures/root/rootcawoucert.pem",
-	)
+	// Generate self-signed CA certificate with organizational unit
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	subjKeyID, err := certutil.GetSubjKeyID(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caTemplate := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:         "example.com",
+			OrganizationalUnit: []string{"engineering"},
+		},
+		SubjectKeyId:          subjKeyID,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		KeyUsage:              x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature),
+		SerialNumber:          big.NewInt(mathrand.Int63()),
+		NotBefore:             time.Now().Add(-30 * time.Second),
+		NotAfter:              time.Now().Add(262980 * time.Hour),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+	caBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, caKey.Public(), caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caCert, err := x509.ParseCertificate(caBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	caPEM := pem.EncodeToMemory(caPEMBlock)
+
+	// Create TLS certificate for connection state
+	caKeyBytes, err := x509.MarshalECPrivateKey(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caKeyPEMBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: caKeyBytes,
+	}
+	caKeyPEM := pem.EncodeToMemory(caKeyPEMBlock)
+
+	tlsCert, err := tls.X509KeyPair(caPEM, caKeyPEM)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tlsCert.Leaf = caCert
+
+	// Create root CA pool
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caCert)
+
+	// Create connection state
+	connState, err := testConnStateWithCert(tlsCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcawoucert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "web", ca, "foo", allowed{organizational_units: "engineering"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizational_units: "engineering"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{organizational_units: "eng*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizational_units: "eng*"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{organizational_units: "engineering,finance"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizational_units: "engineering,finance"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{organizational_units: "foo"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizational_units: "foo"}, false),
 			testAccStepLoginInvalid(t, connState),
 		},
 	})
@@ -1452,32 +1907,81 @@ func TestBackend_organizationalUnit_singleCert(t *testing.T) {
 // TestBackend_organization_singleCert checks validation of the Organization (O) field on a self-signed cert that is
 // trusted
 func TestBackend_organization_singleCert(t *testing.T) {
-	connState, err := testConnState(
-		"test-fixtures/root/rootcawocert.pem",
-		"test-fixtures/root/rootcawokey.pem",
-		"test-fixtures/root/rootcawocert.pem",
-		// These have been generated to last 100 years with the following Vault PKI commands:
-		// $ vault -v secrets enable pki
-		// $ vault secrets tune -max-lease-ttl=876000h pki
-		// $ vault write pki/root/generate/exported common_name=example.com organization="example" ip_sans=127.0.0.1 ttl=875999h
-	)
+	// Generate self-signed CA certificate with organization
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	subjKeyID, err := certutil.GetSubjKeyID(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caTemplate := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:   "example.com",
+			Organization: []string{"example"},
+		},
+		SubjectKeyId:          subjKeyID,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		KeyUsage:              x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature),
+		SerialNumber:          big.NewInt(mathrand.Int63()),
+		NotBefore:             time.Now().Add(-30 * time.Second),
+		NotAfter:              time.Now().Add(262980 * time.Hour),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+	caBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, caKey.Public(), caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caCert, err := x509.ParseCertificate(caBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caPEMBlock := &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	}
+	caPEM := pem.EncodeToMemory(caPEMBlock)
+
+	// Create TLS certificate for connection state
+	caKeyBytes, err := x509.MarshalECPrivateKey(caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	caKeyPEMBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: caKeyBytes,
+	}
+	caKeyPEM := pem.EncodeToMemory(caKeyPEMBlock)
+
+	tlsCert, err := tls.X509KeyPair(caPEM, caKeyPEM)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tlsCert.Leaf = caCert
+
+	// Create root CA pool
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caCert)
+
+	// Create connection state
+	connState, err := testConnStateWithCert(tlsCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcawocert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "web", ca, "foo", allowed{organizations: "example"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizations: "example"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{organizations: "exa*"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizations: "exa*"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{organizations: "example,otherspecimen"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizations: "example,otherspecimen"}, false),
 			testAccStepLogin(t, connState),
-			testAccStepCert(t, "web", ca, "foo", allowed{organizations: "foo"}, false),
+			testAccStepCert(t, "web", caPEM, "foo", allowed{organizations: "foo"}, false),
 			testAccStepLoginInvalid(t, connState),
 		},
 	})
@@ -1588,21 +2092,37 @@ func TestBackend_sameKey_differentCN(t *testing.T) {
 
 // Test against a collection of matching and non-matching rules
 func TestBackend_mixed_constraints(t *testing.T) {
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate CA certificate
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate client certificate signed by CA
+	clientCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client"),
+		certhelpers.DNS("*.example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state with generated certificates
+	connState, err := testConnStateWithCert(clientCert.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
-			testAccStepCert(t, "1unconstrained", ca, "foo", allowed{}, false),
-			testAccStepCert(t, "2matching", ca, "foo", allowed{names: "*.example.com,whatever"}, false),
-			testAccStepCert(t, "3invalid", ca, "foo", allowed{names: "invalid"}, false),
+			testAccStepCert(t, "1unconstrained", ca.Pem, "foo", allowed{}, false),
+			testAccStepCert(t, "2matching", ca.Pem, "foo", allowed{names: "*.example.com,whatever"}, false),
+			testAccStepCert(t, "3invalid", ca.Pem, "foo", allowed{names: "invalid"}, false),
 			testAccStepLogin(t, connState),
 			// Assumes CertEntries are processed in alphabetical order (due to store.List), so we only match 2matching if 1unconstrained doesn't match
 			testAccStepLoginWithName(t, connState, "2matching"),
@@ -1613,11 +2133,30 @@ func TestBackend_mixed_constraints(t *testing.T) {
 
 // Test an untrusted client
 func TestBackend_untrusted(t *testing.T) {
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate CA certificate
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate client certificate signed by CA
+	clientCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state with generated certificates
+	connState, err := testConnStateWithCert(clientCert.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
+
 	logicaltest.Test(t, logicaltest.TestCase{
 		CredentialBackend: testFactory(t),
 		Steps: []logicaltest.TestStep{
@@ -1637,20 +2176,40 @@ func TestBackend_different_cn(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate CA certificate
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate first client certificate
+	cert1 := certhelpers.NewCert(t,
+		certhelpers.CommonName("example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Generate second client certificate with different CN
+	cert2 := certhelpers.NewCert(t,
+		certhelpers.CommonName("alt.example.com"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Create root CA pool
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection states
+	connState, err := testConnStateWithCert(cert1.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	connState2, err := testConnState("test-fixtures/keys/cert-alt-cn.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	connState2, err := testConnStateWithCert(cert2.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/keys/cert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
 
 	name := "web"
 
@@ -1658,7 +2217,7 @@ func TestBackend_different_cn(t *testing.T) {
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
 		Data: map[string]interface{}{
-			"certificate":  string(ca),
+			"certificate":  string(cert1.Pem),
 			"policies":     "foo",
 			"display_name": name,
 			"lease":        1000,
@@ -1718,15 +2277,29 @@ func TestBackend_validCIDR(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate CA certificate
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate client certificate signed by CA
+	clientCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state with generated certificates
+	connState, err := testConnStateWithCert(clientCert.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
 
 	name := "web"
 	boundCIDRs := []string{"127.0.0.1", "128.252.0.0/16"}
@@ -1735,7 +2308,7 @@ func TestBackend_validCIDR(t *testing.T) {
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
 		Data: map[string]interface{}{
-			"certificate":         string(ca),
+			"certificate":         string(ca.Pem),
 			"policies":            "foo",
 			"display_name":        name,
 			"allowed_names":       "",
@@ -1800,15 +2373,29 @@ func TestBackend_invalidCIDR(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+	// Generate CA certificate
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate client certificate signed by CA
+	clientCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state with generated certificates
+	connState, err := testConnStateWithCert(clientCert.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
 
 	name := "web"
 
@@ -1816,7 +2403,7 @@ func TestBackend_invalidCIDR(t *testing.T) {
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
 		Data: map[string]interface{}{
-			"certificate":         string(ca),
+			"certificate":         string(ca.Pem),
 			"policies":            "foo",
 			"display_name":        name,
 			"allowed_names":       "",
@@ -1886,6 +2473,28 @@ func testAccStepReadCRL(t *testing.T, connState tls.ConnectionState) logicaltest
 	}
 }
 
+func testAccStepReadCRLWithSerial(t *testing.T, connState tls.ConnectionState, expectedSerial string) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.ReadOperation,
+		Path:      "crls/test",
+		ConnState: &connState,
+		Check: func(resp *logical.Response) error {
+			crlInfo := CRLInfo{}
+			err := mapstructure.Decode(resp.Data, &crlInfo)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+			if len(crlInfo.Serials) != 1 {
+				t.Fatalf("bad: expected CRL with length 1, got %d", len(crlInfo.Serials))
+			}
+			if _, ok := crlInfo.Serials[expectedSerial]; !ok {
+				t.Fatalf("bad: expected serial number %s not found in CRL, got serials: %v", expectedSerial, crlInfo.Serials)
+			}
+			return nil
+		},
+	}
+}
+
 func testAccStepDeleteCRL(t *testing.T, connState tls.ConnectionState) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.DeleteOperation,
@@ -2363,15 +2972,37 @@ func Test_Renew(t *testing.T) {
 	}
 
 	b := lb.(*backend)
-	connState, err := testConnState("test-fixtures/testcert1.pem",
-		"test-fixtures/testkey1.pem", "test-fixtures/root/rootcacert.pem")
+
+	// Generate CA certificate
+	ca := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-ca"),
+		certhelpers.IsCA(true),
+		certhelpers.SelfSign(),
+	)
+
+	// Generate first client certificate signed by CA
+	clientCert1 := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client-1"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Generate second client certificate signed by CA (for testing cert change)
+	clientCert2 := certhelpers.NewCert(t,
+		certhelpers.CommonName("test-client-2"),
+		certhelpers.IP("127.0.0.1"),
+		certhelpers.Parent(ca),
+	)
+
+	// Create root CA pool for connection state
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(ca.Pem)
+
+	// Create connection state with first certificate
+	connState, err := testConnStateWithCert(clientCert1.TLSCert, rootCAs)
 	if err != nil {
 		t.Fatalf("error testing connection state: %v", err)
 	}
-	ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
-	if err != nil {
-		t.Fatal(err)
-	}
 
 	req := &logical.Request{
 		Connection: &logical.Connection{
@@ -2384,7 +3015,7 @@ func Test_Renew(t *testing.T) {
 	fd := &framework.FieldData{
 		Raw: map[string]interface{}{
 			"name":        "test",
-			"certificate": ca,
+			"certificate": ca.Pem,
 			// Uppercase B should not cause an issue during renewal
 			"token_policies": "foo,Bar",
 		},
@@ -2428,8 +3059,7 @@ func Test_Renew(t *testing.T) {
 
 	// Try changing the cert - this should fail
 	goodConnState := connState
-	connState, err = testConnState("test-fixtures/testcert2.pem",
-		"test-fixtures/testkey2.pem", "test-fixtures/root/rootcacert.pem")
+	connState, err = testConnStateWithCert(clientCert2.TLSCert, rootCAs)
 	req.Connection.ConnState = &connState
 	if err != nil {
 		t.Fatal(err)
@@ -2584,16 +3214,11 @@ func TestBackend_CertUpgrade(t *testing.T) {
 // TestOCSPFailOpenWithBadIssuer validates we fail all different types of cert auth
 // login scenarios if we encounter an OCSP verification error
 func TestOCSPFailOpenWithBadIssuer(t *testing.T) {
-	caFile := "test-fixtures/root/rootcacert.pem"
-	pemCa, err := os.ReadFile(caFile)
-	require.NoError(t, err, "failed reading in file %s", caFile)
-	caTLS := loadCerts(t, caFile, "test-fixtures/root/rootcakey.pem")
-	leafTLS := loadCerts(t, "test-fixtures/keys/cert.pem", "test-fixtures/keys/key.pem")
+	caTLS, leafTLS, pemCa := createCertAndKey(t)
+
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caTLS.Leaf)
 
-	rootConfig := &rootcerts.Config{
-		CAFile: caFile,
-	}
-	rootCAs, err := rootcerts.LoadCACerts(rootConfig)
 	connState, err := testConnStateWithCert(leafTLS, rootCAs)
 	require.NoError(t, err, "error testing connection state: %v", err)
 
@@ -2676,16 +3301,11 @@ func TestOCSPFailOpenWithBadIssuer(t *testing.T) {
 // TestOCSPWithMixedValidResponses validates the expected behavior of multiple OCSP servers configured,
 // with and without ocsp_query_all_servers enabled or disabled.
 func TestOCSPWithMixedValidResponses(t *testing.T) {
-	caFile := "test-fixtures/root/rootcacert.pem"
-	pemCa, err := os.ReadFile(caFile)
-	require.NoError(t, err, "failed reading in file %s", caFile)
-	caTLS := loadCerts(t, caFile, "test-fixtures/root/rootcakey.pem")
-	leafTLS := loadCerts(t, "test-fixtures/keys/cert.pem", "test-fixtures/keys/key.pem")
+	caTLS, leafTLS, pemCa := createCertAndKey(t)
+
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caTLS.Leaf)
 
-	rootConfig := &rootcerts.Config{
-		CAFile: caFile,
-	}
-	rootCAs, err := rootcerts.LoadCACerts(rootConfig)
 	connState, err := testConnStateWithCert(leafTLS, rootCAs)
 	require.NoError(t, err, "error testing connection state: %v", err)
 
@@ -2755,16 +3375,11 @@ func TestOCSPWithMixedValidResponses(t *testing.T) {
 // TestOCSPFailOpenWithGoodResponse validates the expected behavior with multiple OCSP servers configured
 // one that returns a Good response the other is not available, along with the ocsp_fail_open in multiple modes
 func TestOCSPFailOpenWithGoodResponse(t *testing.T) {
-	caFile := "test-fixtures/root/rootcacert.pem"
-	pemCa, err := os.ReadFile(caFile)
-	require.NoError(t, err, "failed reading in file %s", caFile)
-	caTLS := loadCerts(t, caFile, "test-fixtures/root/rootcakey.pem")
-	leafTLS := loadCerts(t, "test-fixtures/keys/cert.pem", "test-fixtures/keys/key.pem")
+	caTLS, leafTLS, pemCa := createCertAndKey(t)
+
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caTLS.Leaf)
 
-	rootConfig := &rootcerts.Config{
-		CAFile: caFile,
-	}
-	rootCAs, err := rootcerts.LoadCACerts(rootConfig)
 	connState, err := testConnStateWithCert(leafTLS, rootCAs)
 	require.NoError(t, err, "error testing connection state: %v", err)
 
@@ -2871,16 +3486,11 @@ func TestOCSPFailOpenWithGoodResponse(t *testing.T) {
 // TestOCSPFailOpenWithRevokeResponse validates the expected behavior with multiple OCSP servers configured
 // one that returns a Revoke response the other is not available, along with the ocsp_fail_open in multiple modes
 func TestOCSPFailOpenWithRevokeResponse(t *testing.T) {
-	caFile := "test-fixtures/root/rootcacert.pem"
-	pemCa, err := os.ReadFile(caFile)
-	require.NoError(t, err, "failed reading in file %s", caFile)
-	caTLS := loadCerts(t, caFile, "test-fixtures/root/rootcakey.pem")
-	leafTLS := loadCerts(t, "test-fixtures/keys/cert.pem", "test-fixtures/keys/key.pem")
+	caTLS, leafTLS, pemCa := createCertAndKey(t)
+
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caTLS.Leaf)
 
-	rootConfig := &rootcerts.Config{
-		CAFile: caFile,
-	}
-	rootCAs, err := rootcerts.LoadCACerts(rootConfig)
 	connState, err := testConnStateWithCert(leafTLS, rootCAs)
 	require.NoError(t, err, "error testing connection state: %v", err)
 
@@ -2962,16 +3572,11 @@ func TestOCSPFailOpenWithRevokeResponse(t *testing.T) {
 // TestOCSPFailOpenWithUnknownResponse validates the expected behavior with multiple OCSP servers configured
 // one that returns an Unknown response the other is not available, along with the ocsp_fail_open in multiple modes
 func TestOCSPFailOpenWithUnknownResponse(t *testing.T) {
-	caFile := "test-fixtures/root/rootcacert.pem"
-	pemCa, err := os.ReadFile(caFile)
-	require.NoError(t, err, "failed reading in file %s", caFile)
-	caTLS := loadCerts(t, caFile, "test-fixtures/root/rootcakey.pem")
-	leafTLS := loadCerts(t, "test-fixtures/keys/cert.pem", "test-fixtures/keys/key.pem")
+	caTLS, leafTLS, pemCa := createCertAndKey(t)
+
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(caTLS.Leaf)
 
-	rootConfig := &rootcerts.Config{
-		CAFile: caFile,
-	}
-	rootCAs, err := rootcerts.LoadCACerts(rootConfig)
 	connState, err := testConnStateWithCert(leafTLS, rootCAs)
 	require.NoError(t, err, "error testing connection state: %v", err)
 
@@ -3066,9 +3671,7 @@ func TestOcspMaxRetriesUpdate(t *testing.T) {
 	})
 	require.NoError(t, err, "failed creating backend")
 
-	caFile := "test-fixtures/root/rootcacert.pem"
-	pemCa, err := os.ReadFile(caFile)
-	require.NoError(t, err, "failed reading in file %s", caFile)
+	_, _, pemCa := createCertAndKey(t)
 
 	data := map[string]interface{}{
 		"certificate":  string(pemCa),
@@ -3156,13 +3759,15 @@ func TestRecoverPartialLoad(t *testing.T) {
 	require.True(t, ok, "somehow the backend was the wrong type")
 
 	// There a single certificate in storage...
-	nonCACert, err := os.ReadFile(testCertPath1)
-	if err != nil {
-		t.Fatal(err)
-	}
+	// Generate a self-signed non-CA certificate
+	leafCert := certhelpers.NewCert(t,
+		certhelpers.CommonName("cert_a.example.com"),
+		certhelpers.SelfSign(),
+	)
+
 	entry, err := logical.StorageEntryJSON("cert/cert_a", CertEntry{
 		Name:        "cert_a",
-		Certificate: string(nonCACert),
+		Certificate: string(leafCert.Pem),
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -3229,3 +3834,91 @@ func createCa(t *testing.T) (*x509.Certificate, *ecdsa.PrivateKey) {
 
 	return rootCa, rootCaKey
 }
+
+// createCertAndKey generates a CA and leaf certificate dynamically for testing
+func createCertAndKey(t *testing.T) (caTLS tls.Certificate, leafTLS tls.Certificate, caPEM []byte) {
+	// Generate CA
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err, "failed to generate CA key")
+
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "Test CA",
+		},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caCertBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	require.NoError(t, err, "failed to create CA certificate")
+
+	caCert, err := x509.ParseCertificate(caCertBytes)
+	require.NoError(t, err, "failed to parse CA certificate")
+
+	caPEM = pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caCertBytes,
+	})
+
+	caKeyBytes, err := x509.MarshalECPrivateKey(caKey)
+	require.NoError(t, err, "failed to marshal CA key")
+
+	caKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: caKeyBytes,
+	})
+
+	// Create tls.Certificate for CA
+	caTLS, err = tls.X509KeyPair(caPEM, caKeyPEM)
+	require.NoError(t, err, "failed to create CA tls.Certificate")
+	caTLS.Leaf = caCert
+
+	// Generate leaf certificate
+	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err, "failed to generate leaf key")
+
+	leafTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			CommonName: "cert.example.com",
+		},
+		DNSNames:              []string{"cert.example.com", "localhost"},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	leafCertBytes, err := x509.CreateCertificate(rand.Reader, leafTemplate, caCert, &leafKey.PublicKey, caKey)
+	require.NoError(t, err, "failed to create leaf certificate")
+
+	leafCert, err := x509.ParseCertificate(leafCertBytes)
+	require.NoError(t, err, "failed to parse leaf certificate")
+
+	leafCertPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: leafCertBytes,
+	})
+
+	leafKeyBytes, err := x509.MarshalECPrivateKey(leafKey)
+	require.NoError(t, err, "failed to marshal leaf key")
+
+	leafKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: leafKeyBytes,
+	})
+
+	// Create tls.Certificate for leaf
+	leafTLS, err = tls.X509KeyPair(leafCertPEM, leafKeyPEM)
+	require.NoError(t, err, "failed to create leaf tls.Certificate")
+	leafTLS.Leaf = leafCert
+
+	return caTLS, leafTLS, caPEM
+}
diff --git a/builtin/credential/cert/path_crls_test.go b/builtin/credential/cert/path_crls_test.go
index 837566f9a8..df33c0de39 100644
--- a/builtin/credential/cert/path_crls_test.go
+++ b/builtin/credential/cert/path_crls_test.go
@@ -5,12 +5,16 @@ package cert
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"math/big"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -55,14 +59,87 @@ func TestCRLFetch(t *testing.T) {
 	if err != nil {
 		t.Fatalf("error: %s", err)
 	}
-	connState, err := testConnState("test-fixtures/keys/cert.pem",
-		"test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem")
+
+	// Generate CA certificate
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
-	caPEM, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem")
+
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "Test CA",
+		},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caCertBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
 	require.NoError(t, err)
-	caKeyPEM, err := ioutil.ReadFile("test-fixtures/keys/key.pem")
+
+	caCert, err := x509.ParseCertificate(caCertBytes)
+	require.NoError(t, err)
+
+	caPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caCertBytes,
+	})
+
+	caKeyBytes, err := x509.MarshalECPrivateKey(caKey)
+	require.NoError(t, err)
+
+	caKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: caKeyBytes,
+	})
+
+	// Generate client certificate
+	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	clientTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			CommonName: "test.example.com",
+		},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"localhost", "test.example.com"},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+	}
+
+	clientCertBytes, err := x509.CreateCertificate(rand.Reader, clientTemplate, caCert, &clientKey.PublicKey, caKey)
+	require.NoError(t, err)
+
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: clientCertBytes,
+	})
+
+	clientKeyBytes, err := x509.MarshalECPrivateKey(clientKey)
+	require.NoError(t, err)
+
+	clientKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: clientKeyBytes,
+	})
+
+	// Create tls.Certificate from PEM data
+	tlsCert, err := tls.X509KeyPair(certPEM, clientKeyPEM)
+	require.NoError(t, err)
+
+	// Create CA cert pool
+	rootCAs := x509.NewCertPool()
+	rootCAs.AppendCertsFromPEM(caPEM)
+
+	// Create connection state with generated certificates
+	connState, err := testConnStateWithCert(tlsCert, rootCAs)
 	require.NoError(t, err)
-	certPEM, err := ioutil.ReadFile("test-fixtures/keys/cert.pem")
 
 	caBundle, err := certutil.ParsePEMBundle(string(caPEM))
 	require.NoError(t, err)
@@ -80,7 +157,7 @@ func TestCRLFetch(t *testing.T) {
 		Number:             big.NewInt(1),
 		ThisUpdate:         time.Now(),
 		NextUpdate:         time.Now().Add(50 * time.Millisecond),
-		SignatureAlgorithm: x509.SHA1WithRSA,
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
 	}
 
 	var crlBytesLock sync.Mutex
diff --git a/builtin/credential/cert/test-fixtures/cacert.pem b/builtin/credential/cert/test-fixtures/cacert.pem
deleted file mode 100644
index 9d9a3859e5..0000000000
--- a/builtin/credential/cert/test-fixtures/cacert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPjCCAiagAwIBAgIUXiEDuecwua9+j1XHLnconxQ/JBcwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwMzU4WhgPMjA2
-NjA0MjAxNjA0MjhaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhx
-VP3IN897TYzkaBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bV
-zg9ZL1AI5H7dY2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZ
-wvBafQEjSsYk9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75
-unIJ29nL0yB7zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabks
-sqVyA825/1we2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABo4GBMH8w
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBTo2I+W
-3Wb2MBe3OWuj5qCbafavMB8GA1UdIwQYMBaAFBTo2I+W3Wb2MBe3OWuj5qCbafav
-MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQAyjJzDMzf28yMgiu//2R6LD3+zuLHlfX8+p5JB7WDBT7CgSm89gzMRtD2DvqZQ
-6iLbZv/x7Td8bdLsOKf3LDCkZyOygJ0Sr9+6YZdc9heWO8tsO/SbcLhj9/vK8YyV
-5fJo+vECW8I5zQLeTKfPqJtTU0zFspv0WYCB96Hsbhd1hTfHmVgjBoxi0YuduAa8
-3EHuYPfTYkO3M4QJCoQ+3S6LXSTDqppd1KGAy7QhRU6shd29EpSVxhgqZ+CIOpZu
-3RgPOgPqfqcOD/v/SRPqhRf+P5O5Dc/N4ZXTZtfJbaY0qE+smpeQUskVQ2TrSqha
-UYpNk7+toZW3Gioo0lBD3gH2
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/cacert2crl b/builtin/credential/cert/test-fixtures/cacert2crl
deleted file mode 100644
index 82db7a3f6c..0000000000
--- a/builtin/credential/cert/test-fixtures/cacert2crl
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBrjCBlzANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbRcN
-MTYwNTAyMTYxNDMzWhcNMTYwNTA1MTYxNDMzWjArMCkCFCXxxcbS0ATpI2PYrx8d
-ACLEQ3B9FxExNjA1MDIxMjE0MzMtMDQwMKAjMCEwHwYDVR0jBBgwFoAUwsRNYCw4
-U2won66rMKEJm8inFfgwDQYJKoZIhvcNAQELBQADggEBAD/VvoRK4eaEDzG7Z95b
-fHL5ubJGkyvkp8ruNu+rfQp8NLgFVvY6a93Hz7WLOhACkKIWJ63+/4vCfDi5uU0B
-HW2FICHdlSQ+6DdGJ6MrgujALlyT+69iF+fPiJ/M1j/N7Am8XPYYcfNdSK6CHtfg
-gHNB7E+ubBA7lIw7ucIkoiJjXrSWSXTs9/GzLUImiXJAKQ+JzPYryIsGKXKAwgHh
-HB56BnJ2vOs7+6UxQ6fjKTMxYdNgoZ34MhkkxNNhylrEndO6XUvUvC1f/1p1wlzy
-xTq2MrMfJHJyu08rkrD+kwMPH2uoVwKyDhXdRBP0QrvQwOsvNEhW8LTKwLWkK17b
-fEI=
------END X509 CRL-----
diff --git a/builtin/credential/cert/test-fixtures/cakey.pem b/builtin/credential/cert/test-fixtures/cakey.pem
deleted file mode 100644
index ecba4754cd..0000000000
--- a/builtin/credential/cert/test-fixtures/cakey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhxVP3IN897TYzk
-aBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bVzg9ZL1AI5H7d
-Y2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZwvBafQEjSsYk
-9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75unIJ29nL0yB7
-zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabkssqVyA825/1we
-2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABAoIBAD1pBd9ov8t6Surq
-sY2hZUM0Hc16r+ln5LcInbx6djjaxvHiWql+OYgyXimP764lPYuTuspjFPKB1SOU
-+N7XDxCkwFeayXXHdDlYtZ4gm5Z9mMVOT+j++8xWdxZaqJ56fmX9zOPM2LuR3paB
-L52Xgh9EwHJmMApYAzaCvbu8bU+iHeNTW80xabxQrp9VCu/A1BXUX06jK4T+wmjZ
-kDA82uQp3dCOF1tv/10HgwqkJj6/1jjM0XUzUZR6iV85S6jrA7wD7gDDeqNO8YHN
-08YMRgTKk4pbA7AqoC5xbL3gbSjsjyw48KRq0FkdkjsgV0PJZRMUU9fv9puDa23K
-WRPa8LECgYEAyeth5bVH8FXnVXIAAFU6W0WdgCK3VakhjItLw0eoxshuTwbVq64w
-CNOB8y1pfP83WiJjX3qRG43NDW07X69J57YKtCCb6KICVUPmecgYZPkmegD1HBQZ
-5+Aak+5pIUQuycQ0t65yHGu4Jsju05gEFgdzydFjNANgiPxRzZxzAkkCgYEA9S+y
-ZR063oCQDg/GhMLCx19nCJyU44Figh1YCD6kTrsSTECuRpQ5B1F9a+LeZT2wnYxv
-+qMvvV+lfVY73f5WZ567u2jSDIsCH34p4g7sE25lKwo+Lhik6EtOehJFs2ZUemaT
-Ym7EjqWlC1whrG7P4MnTGzPOVNAGAxsGPtT58nMCgYAs/R8A2VU//UPfy9ioOlUY
-RPiEtjd3BIoPEHI+/lZihAHf5bvx1oupS8bmcbXRPeQNVyAhA+QU6ZFIbpAOD7Y9
-xFe6LpHOUVqHuOs/MxAMX17tTA1QxkHHYi1JzJLr8I8kMW01h86w+mc7bQWZa4Nt
-jReFXfvmeOInY2CumS8e0QKBgC23ow/vj1aFqla04lNG7YK3a0LTz39MVM3mItAG
-viRgBV1qghRu9uNCcpx3RPijtBbsZMTbQL+S4gyo06jlD79qfZ7IQMJN+SteHvkj
-xykoYHzSAB4gQj9+KzffyFdXMVFRZxHnjYb7o/amSzEXyHMlrtNXqZVu5HAXzeZR
-V/m5AoGAAStS43Q7qSJSMfMBITKMdKlqCObnifD77WeR2WHGrpkq26300ggsDpMS
-UTmnAAo77lSMmDsdoNn2XZmdeTu1CPoQnoZSE5CqPd5GeHA/hhegVCdeYxSXZJoH
-Lhiac+AhCEog/MS1GmVsjynD7eDGVFcsJ6SWuam7doKfrpPqPnE=
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/generate.txt b/builtin/credential/cert/test-fixtures/generate.txt
deleted file mode 100644
index 5b888ee778..0000000000
--- a/builtin/credential/cert/test-fixtures/generate.txt
+++ /dev/null
@@ -1,67 +0,0 @@
-vault mount pki
-vault mount-tune -max-lease-ttl=438000h pki
-vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
-vi cacert.pem
-vi cakey.pem
-
-vaultcert.hcl
-backend "inmem" {
-}
-disable_mlock = true
-default_lease_ttl = "700h"
-max_lease_ttl = "768h"
-listener "tcp" {
-  address = "127.0.0.1:8200"
-  tls_cert_file = "./cacert.pem"
-  tls_key_file = "./cakey.pem"
-}
-========================================
-vault mount pki
-vault mount-tune -max-lease-ttl=438000h pki
-vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
-vi testcacert1.pem
-vi testcakey1.pem
-vi testcaserial1
-
-vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
-vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true
-
-vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
-vi testissuedserial1
-
-vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
-vi testissuedcert2.pem
-vi testissuedkey2.pem
-vi testissuedserial2
-
-vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
-vi testissuedserial3
-
-vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
-vi testissuedcert4.pem
-vi testissuedkey4.pem
-vi testissuedserial4
-
-vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
-vi testissuedserial5
-
-vault write pki/revoke serial_number=$(cat testissuedserial2)
-vault write pki/revoke serial_number=$(cat testissuedserial4)
-curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl
-openssl crl -in issuedcertcrl -noout -text
-
-========================================
-export VAULT_ADDR='http://127.0.0.1:8200'
-vault mount pki
-vault mount-tune -max-lease-ttl=438000h pki
-vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
-vi testcacert2.pem
-vi testcakey2.pem
-vi testcaserial2
-vi testcacert2leaseid
-
-vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
-vault revoke $(cat testcacert2leaseid)
-
-curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl
-openssl crl -in cacert2crl -noout -text
diff --git a/builtin/credential/cert/test-fixtures/issuedcertcrl b/builtin/credential/cert/test-fixtures/issuedcertcrl
deleted file mode 100644
index 45e9a98ecd..0000000000
--- a/builtin/credential/cert/test-fixtures/issuedcertcrl
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIB2TCBwjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbRcN
-MTYwNTAyMTYxMTA4WhcNMTYwNTA1MTYxMTA4WjBWMCkCFAS6oenLRllQ1MRYcSV+
-5ukv2563FxExNjA1MDIxMjExMDgtMDQwMDApAhQaQdPJfbIwE3q4nyYp60lVnZaE
-5hcRMTYwNTAyMTIxMTA1LTA0MDCgIzAhMB8GA1UdIwQYMBaAFOuKvPiUG06iHkRX
-AOeMiUdBfHFyMA0GCSqGSIb3DQEBCwUAA4IBAQBD2jkeOAmkDdYkAXbmjLGdHaQI
-WMS/M+wtFnHVIDVQEmUmj/KPsrkshTZv2UgCHIxBha6y+kXUMQFMg6FwriDTB170
-WyJVDVhGg2WjiQjnzrzEI+iOmcpx60sPPXE63J/Zxo4QS5M62RTXRq3909HQTFI5
-f3xf0pog8mOrv5uQxO1SACP6YFtdDE2dGOVwoIPuNMTY5vijnj8I9dAw8VrbdoBX
-m/Ky56kT+BpmVWHKwQd1nEcP/RHSKbZwwJzJG0BoGM8cvzjITtBmpEF+OZcea81x
-p9XJkpfFeiVIgzxks3zTeuQjLF8u+MDcdGt0ztHEbkswjxuk1cCovZe2GFr4
------END X509 CRL-----
diff --git a/builtin/credential/cert/test-fixtures/keys/cert-alt-cn.pem b/builtin/credential/cert/test-fixtures/keys/cert-alt-cn.pem
deleted file mode 100644
index 06975732de..0000000000
--- a/builtin/credential/cert/test-fixtures/keys/cert-alt-cn.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFjCCAf6gAwIBAgIJAJIiPq+77hewMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
-BAMTC2V4YW1wbGUuY29tMCAXDTI1MDYxODE5MzEzM1oYDzIwNTAwNjE5MTkzMTMz
-WjAWMRQwEgYDVQQDDAtub3RmYWtlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALGcdEr6/NmCaRaSMuHyTVuXygOgfJocUk0QFZ8oAH7XrU/Kbh35
-WNLLO2Ol9jl47FND0Z/tT7MLYr4Sovni7YFpFBfXBWBRp0oDJXemVkYTYXmYQOmX
-0JnjPwRdqWuRytkgxd+pY4Iy/U/p1q67tlL9AQqB8ywJomGDIiFqZYnTJjDuTU0R
-t5PtwDdE5H2pAeiVc4yxoU3F3TnFRDF5HkFaiTALhqLlOXaJ8qrZ2h7iCRrlHcue
-GA51/OrcYTkIQL+q+3R182cUuKZi78PFCNa7En/xi3FFRgfufgABheYrhwtzdg05
-eMc9xXDeAm+MPaW2kO/pgs8/mp6oiX8q9p8CAwEAAaNlMGMwIQYDVR0RBBowGIIQ
-Y2VydC5leGFtcGxlLmNvbYcEfwAAATAdBgNVHQ4EFgQUmuMiWgeoyPlkEyXcJ7Og
-qJotlJkwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+ok5swDQYJKoZIhvcN
-AQELBQADggEBANYE2poNMZakvN2a8hGbVHNXCR4+j5dE/nIw0ZW2PPv4CuNJ3whN
-G15MT790k9DiNNecJBP32jwAOedIWKr3aqasur4eXA8xhN1nbtJODWxXYaV3USs7
-C1Mu9DV3aRiyFhEv6Va6RL4gCnOqOZdXG1+dAkughBKrRNJAMo5Wop/VC8rkSssO
-NpQBt7ROIJjyTXrHQq23HR/uVv511AE5hDMDzxaVbsslBuzhD4nHOJ/Y/LWcXHJ1
-8W6S1vgSES2lo8U5tthSE4WyYW6kH6r2hBrK4ESdpdAUfO/lVNCe5KeYYWRwzMOw
-oj9OOxBsjSX5C368IWM4sAn08mYJUUmq3i4=
------END CERTIFICATE-----
diff --git a/builtin/credential/cert/test-fixtures/keys/cert.pem b/builtin/credential/cert/test-fixtures/keys/cert.pem
deleted file mode 100644
index 5b7fa1aed0..0000000000
--- a/builtin/credential/cert/test-fixtures/keys/cert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC2zCCAcOgAwIBAgIJAJIiPq+77hewMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
-BAMTC2V4YW1wbGUuY29tMCAXDTI1MDEwNjE0MzgzMloYDzIwNTAwMTA3MTQzODMy
-WjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftet
-T8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNh
-eZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMm
-MO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJ
-GuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuH
-C3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABoyUwIzAhBgNVHREE
-GjAYghBjZXJ0LmV4YW1wbGUuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB/
-0M2jZ8cZJW23s1xpMDS5u2ScrW4QdpVsPbuBu5dxi3SNx7MK0CbvcNVUEZE0WV6b
-rCYvYS0+SBi0skudHRV7IeRADPcvzbXY/AdFktWt0adtQ/5B/DKeZIRrnhGtlzhD
-m8b3TTnKLoGdV7iS5HO8emvlzaihY/5PjObkztLRLLDRmBAOwYv4z/xBhEqZJRV1
-Ztywy/Qy5srNJug+sHmj8JlBldob/Ohk7Eon04XvXMuCIBptPG/QytnmgGbDGghD
-WO/HpCWBh6GHrwzQtof8y7Upxi16i5DSiFbRwNXgRyST4W/ChpZoggvOJ/RI4o2g
-5serAZLPfBGztdRbTef2
------END CERTIFICATE-----
diff --git a/builtin/credential/cert/test-fixtures/keys/key.pem b/builtin/credential/cert/test-fixtures/keys/key.pem
deleted file mode 100644
index add982002a..0000000000
--- a/builtin/credential/cert/test-fixtures/keys/key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftetT8pu
-HflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNheZhA
-6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMmMO5N
-TRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJGuUd
-y54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuHC3N2
-DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABAoIBAHR7fFV0eAGaopsX
-9OD0TUGlsephBXb43g0GYHfJ/1Ew18w9oaxszJEqkl+PB4W3xZ3yG3e8ZomxDOhF
-RreF2WgG5xOfhDogMwu6NodbArfgnAvoC6JnW3qha8HMP4F500RFVyCRcd6A3Frd
-rFtaZn/UyCsBAN8/zkwPeYHayo7xX6d9kzgRl9HluEX5PXI5+3uiBDUiM085gkLI
-5Cmadh9fMdjfhDXI4x2JYmILpp/9Nlc/krB15s5n1MPNtn3yL0TI0tWp0WlwDCV7
-oUm1SfIM0F1fXGFyFDcqwoIr6JCQgXk6XtTg31YhH1xgUIclUVdtHqmAwAbLdIhQ
-GAiHn2kCgYEAwD4pZ8HfpiOG/EHNoWsMATc/5yC7O8F9WbvcHZQIymLY4v/7HKZb
-VyOR6UQ5/O2cztSGIuKSF6+OK1C34lOyCuTSOTFrjlgEYtLIXjdGLfFdtOO8GRQR
-akVXdwuzNAjTBaH5eXbG+NKcjmCvZL48dQVlfDTVulzFGbcsVTHIMQUCgYEA7IQI
-FVsKnY3KqpyGqXq92LMcsT3XgW6X1BIIV+YhJ5AFUFkFrjrbXs94/8XyLfi0xBQy
-efK+8g5sMs7koF8LyZEcAXWZJQduaKB71hoLlRaU4VQkL/dl2B6VFmAII/CsRCYh
-r9RmDN2PF/mp98Ih9dpC1VqcCDRGoTYsd7jLalMCgYAMgH5k1wDaZxkSMp1S0AlZ
-0uP+/evvOOgT+9mWutfPgZolOQx1koQCKLgGeX9j6Xf3I28NubpSfAI84uTyfQrp
-FnRtb79U5Hh0jMynA+U2e6niZ6UF5H41cQj9Hu+qhKBkj2IP+h96cwfnYnZFkPGR
-kqZE65KyqfHPeFATwkcImQKBgCdrfhlpGiTWXCABhKQ8s+WpPLAB2ahV8XJEKyXT
-UlVQuMIChGLcpnFv7P/cUxf8asx/fUY8Aj0/0CLLvulHziQjTmKj4gl86pb/oIQ3
-xRRtNhU0O+/OsSfLORgIm3K6C0w0esregL/GMbJSR1TnA1gBr7/1oSnw5JC8Ab9W
-injHAoGAJT1MGAiQrhlt9GCGe6Ajw4omdbY0wS9NXefnFhf7EwL0es52ezZ28zpU
-2LXqSFbtann5CHgpSLxiMYPDIf+er4xgg9Bz34tz1if1rDfP2Qrxdrpr4jDnrGT3
-gYC2qCpvVD9RRUMKFfnJTfl5gMQdBW/LINkHtJ82snAeLl3gjQ4=
------END RSA PRIVATE KEY-----
diff --git a/builtin/credential/cert/test-fixtures/keys/pkioutput b/builtin/credential/cert/test-fixtures/keys/pkioutput
deleted file mode 100644
index 526ff03167..0000000000
--- a/builtin/credential/cert/test-fixtures/keys/pkioutput
+++ /dev/null
@@ -1,74 +0,0 @@
-Key             	Value
-lease_id        	pki/issue/example-dot-com/d8214077-9976-8c68-9c07-6610da30aea4
-lease_duration  	279359999
-lease_renewable 	false
-certificate     	-----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw
-MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS
-TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn
-SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi
-YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5
-donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG
-B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1
-MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e
-HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o
-k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x
-OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A
-AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br
-aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs
-X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4
-aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA
-KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN
-QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj
-xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk=
------END CERTIFICATE-----
-issuing_ca      	-----BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
-MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
-Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
-z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
-AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
-6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
-SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
-7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
-BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
-U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
-cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
-ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
-t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
-zehNe5dFTjFpylg1o6b8Ow==
------END CERTIFICATE-----
-private_key     	-----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftetT8pu
-HflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNheZhA
-6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMmMO5N
-TRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJGuUd
-y54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuHC3N2
-DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABAoIBAHR7fFV0eAGaopsX
-9OD0TUGlsephBXb43g0GYHfJ/1Ew18w9oaxszJEqkl+PB4W3xZ3yG3e8ZomxDOhF
-RreF2WgG5xOfhDogMwu6NodbArfgnAvoC6JnW3qha8HMP4F500RFVyCRcd6A3Frd
-rFtaZn/UyCsBAN8/zkwPeYHayo7xX6d9kzgRl9HluEX5PXI5+3uiBDUiM085gkLI
-5Cmadh9fMdjfhDXI4x2JYmILpp/9Nlc/krB15s5n1MPNtn3yL0TI0tWp0WlwDCV7
-oUm1SfIM0F1fXGFyFDcqwoIr6JCQgXk6XtTg31YhH1xgUIclUVdtHqmAwAbLdIhQ
-GAiHn2kCgYEAwD4pZ8HfpiOG/EHNoWsMATc/5yC7O8F9WbvcHZQIymLY4v/7HKZb
-VyOR6UQ5/O2cztSGIuKSF6+OK1C34lOyCuTSOTFrjlgEYtLIXjdGLfFdtOO8GRQR
-akVXdwuzNAjTBaH5eXbG+NKcjmCvZL48dQVlfDTVulzFGbcsVTHIMQUCgYEA7IQI
-FVsKnY3KqpyGqXq92LMcsT3XgW6X1BIIV+YhJ5AFUFkFrjrbXs94/8XyLfi0xBQy
-efK+8g5sMs7koF8LyZEcAXWZJQduaKB71hoLlRaU4VQkL/dl2B6VFmAII/CsRCYh
-r9RmDN2PF/mp98Ih9dpC1VqcCDRGoTYsd7jLalMCgYAMgH5k1wDaZxkSMp1S0AlZ
-0uP+/evvOOgT+9mWutfPgZolOQx1koQCKLgGeX9j6Xf3I28NubpSfAI84uTyfQrp
-FnRtb79U5Hh0jMynA+U2e6niZ6UF5H41cQj9Hu+qhKBkj2IP+h96cwfnYnZFkPGR
-kqZE65KyqfHPeFATwkcImQKBgCdrfhlpGiTWXCABhKQ8s+WpPLAB2ahV8XJEKyXT
-UlVQuMIChGLcpnFv7P/cUxf8asx/fUY8Aj0/0CLLvulHziQjTmKj4gl86pb/oIQ3
-xRRtNhU0O+/OsSfLORgIm3K6C0w0esregL/GMbJSR1TnA1gBr7/1oSnw5JC8Ab9W
-injHAoGAJT1MGAiQrhlt9GCGe6Ajw4omdbY0wS9NXefnFhf7EwL0es52ezZ28zpU
-2LXqSFbtann5CHgpSLxiMYPDIf+er4xgg9Bz34tz1if1rDfP2Qrxdrpr4jDnrGT3
-gYC2qCpvVD9RRUMKFfnJTfl5gMQdBW/LINkHtJ82snAeLl3gjQ4=
------END RSA PRIVATE KEY-----
-private_key_type	rsa
diff --git a/builtin/credential/cert/test-fixtures/keys/rebuild-cert.md b/builtin/credential/cert/test-fixtures/keys/rebuild-cert.md
deleted file mode 100644
index 6a69ff78e4..0000000000
--- a/builtin/credential/cert/test-fixtures/keys/rebuild-cert.md
+++ /dev/null
@@ -1,6 +0,0 @@
-To rebuild the cert.pem within this folder run the following commands
-
-```shell
-$ openssl x509 -in cert.pem -signkey key.pem -x509toreq -out cert.csr
-$ openssl x509 -req -in cert.csr -CA ../root/rootcacert.pem -CAkey ../root/rootcakey.pem -CAcreateserial -out cert.pem -days 9132 -sha256 -extensions v3_req -extfile <(echo "[v3_req]\nsubjectAltName=DNS:cert.example.com,IP:127.0.0.1")
-```
diff --git a/builtin/credential/cert/test-fixtures/noclientauthcert.pem b/builtin/credential/cert/test-fixtures/noclientauthcert.pem
deleted file mode 100644
index 3948f22032..0000000000
--- a/builtin/credential/cert/test-fixtures/noclientauthcert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDGTCCAgGgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBxMQowCAYDVQQDFAEqMQsw
-CQYDVQQIEwJHQTELMAkGA1UEBhMCVVMxJTAjBgkqhkiG9w0BCQEWFnZpc2hhbG5h
-eWFrdkBnbWFpbC5jb20xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMFVmF1
-bHQwHhcNMTYwMjI5MjE0NjE2WhcNMjEwMjI3MjE0NjE2WjBxMQowCAYDVQQDFAEq
-MQswCQYDVQQIEwJHQTELMAkGA1UEBhMCVVMxJTAjBgkqhkiG9w0BCQEWFnZpc2hh
-bG5heWFrdkBnbWFpbC5jb20xEjAQBgNVBAoTCUhhc2hpQ29ycDEOMAwGA1UECxMF
-VmF1bHQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMfRkLfIGHt1r2jjnV0N
-LqRCu3oB+J1dqpM03vQt3qzIiqtuQuIA2ba7TJm2HwU3W3+rtfFcS+hkBR/LZM+u
-cBPB+9b9+7i08vHjgy2P3QH/Ebxa8j1v7JtRMT2qyxWK8NlT/+wZSH82Cr812aS/
-zNT56FbBo2UAtzpqeC4eiv6NAgMBAAGjQDA+MAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZI
-hvcNAQEFBQADggEBAG2mUwsZ6+R8qqyNjzMk7mgpsRZv9TEl6c1IiQdyjaCOPaYH
-vtZpLX20um36cxrLuOUtZLllG/VJEhRZW5mXWxuOk4QunWMBXQioCDJG1ktcZAcQ
-QqYv9Dzy2G9lZHjLztEac37T75RXW7OEeQREgwP11c8sQYiS9jf+7ITYL7nXjoKq
-gEuH0h86BOH2O/BxgMelt9O0YCkvkLLHnE27xuNelRRZcBLSuE1GxdUi32MDJ+ff
-25GUNM0zzOEaJAFE/USUBEdQqN1gvJidNXkAiMtIK7T8omQZONRaD2ZnSW8y2krh
-eUg+rKis9RinqFlahLPfI5BlyQsNMEnsD07Q85E=
------END CERTIFICATE-----
diff --git a/builtin/credential/cert/test-fixtures/root/pkioutput b/builtin/credential/cert/test-fixtures/root/pkioutput
deleted file mode 100644
index 312ae18dea..0000000000
--- a/builtin/credential/cert/test-fixtures/root/pkioutput
+++ /dev/null
@@ -1,74 +0,0 @@
-Key             	Value
-lease_id        	pki/root/generate/exported/7bf99d76-dd3e-2c5b-04ce-5253062ad586
-lease_duration  	315359999
-lease_renewable 	false
-certificate     	-----BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
-MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
-Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
-z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
-AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
-6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
-SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
-7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
-BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
-U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
-cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
-ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
-t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
-zehNe5dFTjFpylg1o6b8Ow==
------END CERTIFICATE-----
-expiration      	1.772072879e+09
-issuing_ca      	-----BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
-MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
-Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
-z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
-AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
-6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
-SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
-7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
-BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
-U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
-cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
-ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
-t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
-zehNe5dFTjFpylg1o6b8Ow==
------END CERTIFICATE-----
-private_key     	-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p
-t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3
-BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w
-/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv
-0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi
-18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb
-ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn
-8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f
-nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8
-2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t
-grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc
-bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9
-0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN
-ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf
-lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1
-lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj
-AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG
-ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib
-thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU
-4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb
-iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO
-tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y
-LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc
-4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX
-OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8=
------END RSA PRIVATE KEY-----
-private_key_type	rsa
-serial_number   	6f:98:9d:f8:67:1a:31:e3:27:60:1b:f7:32:f7:53:19:68:a0:c8:9d
diff --git a/builtin/credential/cert/test-fixtures/root/root.crl b/builtin/credential/cert/test-fixtures/root/root.crl
deleted file mode 100644
index a80c9e4117..0000000000
--- a/builtin/credential/cert/test-fixtures/root/root.crl
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBrjCBlzANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbRcN
-MTYwMjI5MDIyOTE3WhcNMjUwMTA1MTAyOTE3WjArMCkCFG+YnfhnGjHjJ2Ab9zL3
-UxlooMidFxExNjAyMjgyMTI5MTctMDUwMKAjMCEwHwYDVR0jBBgwFoAUncSzT/6H
-MexyuiU9/7EgHu+ok5swDQYJKoZIhvcNAQELBQADggEBAG9YDXpNe4LJroKZmVCn
-HqMhW8eyzyaPak2nPPGCVUnc6vt8rlBYQU+xlBizD6xatZQDMPgrT8sBl9W3ysXk
-RUlliHsT/SHddMz5dAZsBPRMJ7pYWLTx8jI4w2WRfbSyI4bY/6qTRNkEBUv+Fk8J
-xvwB89+EM0ENcVMhv9ghsUA8h7kOg673HKwRstLDAzxS/uLmEzFjj8SV2m5DbV2Y
-UUCKRSV20/kxJMIC9x2KikZhwOSyv1UE1otD+RQvbfAoZPUDmvp2FR/E0NGjBBOg
-1TtCPRrl63cjqU3s8KQ4uah9Vj+Cwcu9n/yIKKtNQq4NKHvagv8GlUsoJ4BdAxCw
-IA0=
------END X509 CRL-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcacert.pem b/builtin/credential/cert/test-fixtures/root/rootcacert.pem
deleted file mode 100644
index dcb307a140..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcacert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
-MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
-Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
-z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
-AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
-6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
-SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
-7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
-BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
-U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
-cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
-ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
-t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
-zehNe5dFTjFpylg1o6b8Ow==
------END CERTIFICATE-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcacert.srl b/builtin/credential/cert/test-fixtures/root/rootcacert.srl
deleted file mode 100644
index 1c85d6318e..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcacert.srl
+++ /dev/null
@@ -1 +0,0 @@
-92223EAFBBEE17AF
diff --git a/builtin/credential/cert/test-fixtures/root/rootcakey.pem b/builtin/credential/cert/test-fixtures/root/rootcakey.pem
deleted file mode 100644
index e950da5ba3..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcakey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p
-t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3
-BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w
-/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv
-0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi
-18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb
-ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn
-8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f
-nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8
-2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t
-grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc
-bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9
-0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN
-ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf
-lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1
-lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj
-AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG
-ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib
-thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU
-4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb
-iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO
-tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y
-LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc
-4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX
-OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8=
------END RSA PRIVATE KEY-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawext.cnf b/builtin/credential/cert/test-fixtures/root/rootcawext.cnf
deleted file mode 100644
index 77e8258e10..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawext.cnf
+++ /dev/null
@@ -1,16 +0,0 @@
-[ req ]
-default_bits = 2048
-encrypt_key = no
-prompt = no
-default_md = sha256
-req_extensions = req_v3
-distinguished_name = dn
-
-[ dn ]
-CN = example.com
-
-[ req_v3 ]
-2.1.1.1=ASN1:UTF8String:A UTF8String Extension
-2.1.1.2=ASN1:UTF8:A UTF8 Extension
-2.1.1.3=ASN1:IA5:An IA5 Extension
-2.1.1.4=ASN1:VISIBLE:A Visible Extension
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawext.csr b/builtin/credential/cert/test-fixtures/root/rootcawext.csr
deleted file mode 100644
index 55e22eedeb..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawext.csr
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIDAzCCAesCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDM2PrLyK/wVQIcnK362ZylDrIVMjFQzps/0AxM
-ke+8MNPMArBlSAhnZus6qb0nN0nJrDLkHQgYqnSvK9N7VUv/xFblEcOLBlciLhyN
-Wkm92+q/M/xOvUVmnYkN3XgTI5QNxF7ZWDFHmwCNV27RraQZou0hG7yvyoILLMQE
-3MnMCNM1nZ9JIuBMcRsZLGqQ1XNaQljboRVIUjimzkcfYyTruhLosTIbwForp78J
-MzHHqVjtLJXPqUnRMS7KhGMj1f2mIswQzCv6F2PWEzNBbP4Gb67znKikKDs0RgyL
-RyfizFNFJSC58XntK8jwHK1D8W3UepFf4K8xNFnhPoKWtWfJAgMBAAGggacwgaQG
-CSqGSIb3DQEJDjGBljCBkzAcBgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATAf
-BgNRAQEEGAwWQSBVVEY4U3RyaW5nIEV4dGVuc2lvbjAZBgNRAQIEEgwQQSBVVEY4
-IEV4dGVuc2lvbjAZBgNRAQMEEhYQQW4gSUE1IEV4dGVuc2lvbjAcBgNRAQQEFRoT
-QSBWaXNpYmxlIEV4dGVuc2lvbjANBgkqhkiG9w0BAQsFAAOCAQEAtYjewBcqAXxk
-tDY0lpZid6ZvfngdDlDZX0vrs3zNppKNe5Sl+jsoDOexqTA7HQA/y1ru117sAEeB
-yiqMeZ7oPk8b3w+BZUpab7p2qPMhZypKl93y/jGXGscc3jRbUBnym9S91PSq6wUd
-f2aigSqFc9+ywFVdx5PnnZUfcrUQ2a+AweYEkGOzXX2Ga+Ige8grDMCzRgCoP5cW
-kM5ghwZp5wYIBGrKBU9iDcBlmnNhYaGWf+dD00JtVDPNn2bJnCsJHIO0nklZgnrS
-fli8VQ1nYPkONdkiRYLt6//6at1iNDoDgsVCChtlVkLpxFIKcDFUHlffZsc1kMFI
-HTX579k8hA==
------END CERTIFICATE REQUEST-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawextcert.pem b/builtin/credential/cert/test-fixtures/root/rootcawextcert.pem
deleted file mode 100644
index 2c8591735f..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawextcert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDRjCCAi6gAwIBAgIJAJIiPq+77hejMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
-BAMTC2V4YW1wbGUuY29tMB4XDTE3MTEyOTE5MTgwM1oXDTI3MTEyNzE5MTgwM1ow
-FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDM2PrLyK/wVQIcnK362ZylDrIVMjFQzps/0AxMke+8MNPMArBlSAhn
-Zus6qb0nN0nJrDLkHQgYqnSvK9N7VUv/xFblEcOLBlciLhyNWkm92+q/M/xOvUVm
-nYkN3XgTI5QNxF7ZWDFHmwCNV27RraQZou0hG7yvyoILLMQE3MnMCNM1nZ9JIuBM
-cRsZLGqQ1XNaQljboRVIUjimzkcfYyTruhLosTIbwForp78JMzHHqVjtLJXPqUnR
-MS7KhGMj1f2mIswQzCv6F2PWEzNBbP4Gb67znKikKDs0RgyLRyfizFNFJSC58Xnt
-K8jwHK1D8W3UepFf4K8xNFnhPoKWtWfJAgMBAAGjgZYwgZMwHAYDVR0RBBUwE4IL
-ZXhhbXBsZS5jb22HBH8AAAEwHwYDUQEBBBgMFkEgVVRGOFN0cmluZyBFeHRlbnNp
-b24wGQYDUQECBBIMEEEgVVRGOCBFeHRlbnNpb24wGQYDUQEDBBIWEEFuIElBNSBF
-eHRlbnNpb24wHAYDUQEEBBUaE0EgVmlzaWJsZSBFeHRlbnNpb24wDQYJKoZIhvcN
-AQELBQADggEBAGU/iA6saupEaGn/veVNCknFGDL7pst5D6eX/y9atXlBOdJe7ZJJ
-XQRkeHJldA0khVpzH7Ryfi+/25WDuNz+XTZqmb4ppeV8g9amtqBwxziQ9UUwYrza
-eDBqdXBaYp/iHUEHoceX4F44xuo80BIqwF0lD9TFNUFoILnF26ajhKX0xkGaiKTH
-6SbjBfHoQVMzOHokVRWregmgNycV+MAI9Ne9XkIZvdOYeNlcS9drZeJI3szkiaxB
-WWaWaAr5UU2Z0yUCZnAIDMRcIiUbSEjIDz504sSuCzTctMOxWZu0r/0UrXRzwZZi
-HAaKm3MUmBh733ChP4rTB58nr5DEr5rJ9P8=
------END CERTIFICATE-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawextkey.pem b/builtin/credential/cert/test-fixtures/root/rootcawextkey.pem
deleted file mode 100644
index 3f8d8ebed9..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawextkey.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDM2PrLyK/wVQIc
-nK362ZylDrIVMjFQzps/0AxMke+8MNPMArBlSAhnZus6qb0nN0nJrDLkHQgYqnSv
-K9N7VUv/xFblEcOLBlciLhyNWkm92+q/M/xOvUVmnYkN3XgTI5QNxF7ZWDFHmwCN
-V27RraQZou0hG7yvyoILLMQE3MnMCNM1nZ9JIuBMcRsZLGqQ1XNaQljboRVIUjim
-zkcfYyTruhLosTIbwForp78JMzHHqVjtLJXPqUnRMS7KhGMj1f2mIswQzCv6F2PW
-EzNBbP4Gb67znKikKDs0RgyLRyfizFNFJSC58XntK8jwHK1D8W3UepFf4K8xNFnh
-PoKWtWfJAgMBAAECggEAW7hLkzMok9N8PpNo0wjcuor58cOnkSbxHIFrAF3XmcvD
-CXWqxa6bFLFgYcPejdCTmVkg8EKPfXvVAxn8dxyaCss+nRJ3G6ibGxLKdgAXRItT
-cIk2T4svp+KhmzOur+MeR4vFbEuwxP8CIEclt3yoHVJ2Gnzw30UtNRO2MPcq48/C
-ZODGeBqUif1EGjDAvlqu5kl/pcDBJ3ctIZdVUMYYW4R9JtzKsmwhX7CRCBm8k5hG
-2uzn8AKwpuVtfWcnX59UUmHGJ8mjETuNLARRAwWBWhl8f7wckmi+PKERJGEM2QE5
-/Voy0p22zmQ3waS8LgiI7YHCAEFqjVWNziVGdR36gQKBgQDxkpfkEsfa5PieIaaF
-iQOO0rrjEJ9MBOQqmTDeclmDPNkM9qvCF/dqpJfOtliYFxd7JJ3OR2wKrBb5vGHt
-qIB51Rnm9aDTM4OUEhnhvbPlERD0W+yWYXWRvqyHz0GYwEFGQ83h95GC/qfTosqy
-LEzYLDafiPeNP+DG/HYRljAxUwKBgQDZFOWHEcZkSFPLNZiksHqs90OR2zIFxZcx
-SrbkjqXjRjehWEAwgpvQ/quSBxrE2E8xXgVm90G1JpWzxjUfKKQRM6solQeEpnwY
-kCy2Ozij/TtbLNRlU65UQ+nMto8KTSIyJbxxdOZxYdtJAJQp1FJO1a1WC11z4+zh
-lnLV1O5S8wKBgQCDf/QU4DBQtNGtas315Oa96XJ4RkUgoYz+r1NN09tsOERC7UgE
-KP2y3JQSn2pMqE1M6FrKvlBO4uzC10xLja0aJOmrssvwDBu1D8FtA9IYgJjFHAEG
-v1i7lJrgdu7TUtx1flVli1l3gF4lM3m5UaonBrJZV7rB9iLKzwUKf8IOJwKBgFt/
-QktPA6brEV56Za8sr1hOFA3bLNdf9B0Tl8j4ExWbWAFKeCu6MUDCxsAS/IZxgdeW
-AILovqpC7CBM78EFWTni5EaDohqYLYAQ7LeWeIYuSyFf4Nogjj74LQha/iliX4Jx
-g17y3dp2W34Gn2yOEG8oAxpcSfR54jMnPZnBWP5fAoGBAMNAd3oa/xq9A5v719ik
-naD7PdrjBdhnPk4egzMDv54y6pCFlvFbEiBduBWTmiVa7dSzhYtmEbri2WrgARlu
-vkfTnVH9E8Hnm4HTbNn+ebxrofq1AOAvdApSoslsOP1NT9J6zB89RzChJyzjbIQR
-Gevrutb4uO9qpB1jDVoMmGde
------END PRIVATE KEY-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawocert.pem b/builtin/credential/cert/test-fixtures/root/rootcawocert.pem
deleted file mode 100644
index 14536c16ae..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawocert.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIUM4ANPdEihcrpgryBFpBr3QCr2a4wDQYJKoZIhvcNAQEL
-BQAwKDEQMA4GA1UEChMHZXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wIBcN
-MjUwOTE4MTcxMjUwWhgPMjEyNTA4MjUxNjEzMjBaMCgxEDAOBgNVBAoTB2V4YW1w
-bGUxFDASBgNVBAMTC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA45oJCYBM7SI4KwfAQHTRQnJt5PGap0s/ckdoozjulpDRE45OKT3Q
-Dbc6mYXgBXVCpcHjVweqptPUetoWUwpPppgmbj4/MvaPWFebskspE9i/W85m9SOk
-s1V8zD73Apf3m2l6v3VyZ1hGHaM1uLTcRj47qR+dF6naU76QWjIObKqFDBk24kDD
-Ktr6IEVF44GERqfson+u40NqQE/ZnqTk5jnBEWKf3Lp/NNlmrKb3EZ1jkPhCNE9N
-IsShs5qg+3y0PNut4wCE5WXaYCIIk7ydn8s3dJO6cMSkCZpAvyXz1Af0oSh+aqKH
-Y1+uudfu8sheRCRd4u0J+4Q27J9GpQeOrwIDAQABo4GBMH8wDgYDVR0PAQH/BAQD
-AgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPTXC7WMp/TjZ2OyfotP13k6
-5MDCMB8GA1UdIwQYMBaAFPTXC7WMp/TjZ2OyfotP13k65MDCMBwGA1UdEQQVMBOC
-C2V4YW1wbGUuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQAZ+sdJdmeZznMu
-W7LAt/yPhf1gIMReL3WTRi9zAxjOyJCmMOcqGbSWX+iYah5fm16ehmfaenZjli9e
-JEgfsD9PlZgopwrThFB6haW3O+9WpMAcQ4gbJTQMpV0M7wLcj3SNtnY3jaQ9AB5X
-ys0nc146wVaJgUZycvCkOwTDo6JZ0Z1F5qbNI82bUSZdkXC1MgyHI0uFfmSloXi/
-jTdv9o1zjsYEjckzqVuGzuGXT5zl96WBE4RofJhzRPRefccnYJQ3aitzuzxbl3J/
-FtiW3HYBupXfXr46gXncuWfB3MNDzxftf1OeDfYdT7Een5zV8PdIqoFOvIl51ZC1
-/lVyaDYd
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawokey.pem b/builtin/credential/cert/test-fixtures/root/rootcawokey.pem
deleted file mode 100644
index 0bbe2bf496..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawokey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA45oJCYBM7SI4KwfAQHTRQnJt5PGap0s/ckdoozjulpDRE45O
-KT3QDbc6mYXgBXVCpcHjVweqptPUetoWUwpPppgmbj4/MvaPWFebskspE9i/W85m
-9SOks1V8zD73Apf3m2l6v3VyZ1hGHaM1uLTcRj47qR+dF6naU76QWjIObKqFDBk2
-4kDDKtr6IEVF44GERqfson+u40NqQE/ZnqTk5jnBEWKf3Lp/NNlmrKb3EZ1jkPhC
-NE9NIsShs5qg+3y0PNut4wCE5WXaYCIIk7ydn8s3dJO6cMSkCZpAvyXz1Af0oSh+
-aqKHY1+uudfu8sheRCRd4u0J+4Q27J9GpQeOrwIDAQABAoIBACR+Miy/0ZXEAtWD
-bKPpFxRcXJp00qM4QXgFUxW4ryidF6jXDFk4e/92/YJYIM8/Oexx5g2yQP52wH7i
-MOonoRXJF4Bdoqx9NAaqJWC1BGUWP7hso71ydZn7fwMQpXJZA257vx6rqig/0x41
-aQuwlBD/MXmwg/OjXEpJJ8QOepmZgEte2stFJOF1dxnWwRk3KDFsAIukYdxkzb/Z
-oaLDetDj678t71ab6EPToPDRAzu9zIzyP9KhbirPepLOTrwfEU552oSYs4THU0+z
-PJy/vMKuEa/M56a8WoyV5S+Q/t9VgTkUUgqpEsodXvsd3el7xOquuVTcQyRLTXqB
-SrP0rSECgYEA8oVNGgxMk9vTXbEFxWqLIEkDU8h3A9e0IS19VqBXEML5YKNAh5xh
-zar+xqlkIXWTqD0qFIgtE7ggB+Gu7Gb7lGrI1bj2tLAMlaEImqvT9ALtSzsiIK1L
-8KpNBdPkOlWlG2OA3fU0m0TynjtwOaxHGRVmf67BEG6v/wWk77q97lsCgYEA8EB1
-n0TaW2PTqCU9F2wwuoML8XEn0L0+J7rXJy+vC3rjr8asglxVNndXV3/Z+jtwupQN
-y1MIxUA2WghGr40N53UHnQzSjn3IKfi6Nqb/uKiW34KppcI0W3MrqhLEoytyhj+Q
-8UTryrajaiKvNgWo+J/8oAqFoNuCOFhwa0ByuT0CgYBS4WVpGnztJvoEEeRUBEZJ
-oUomzuKFiKkBkac8/IzkqI1LDl+WOMZf4CkzwV375U+x9j00SRmGnK0tpF4AYm1l
-2lyKVazSMTwLwr3LBh/oSzvHMw1Ft5O1Sq4J6NEdcnl7c7Ttpcf1rElx9AQ1YX/m
-vZ6K0jEeqYUyFT65wsr38wKBgQDVKhwyqEClfbk6I3BE6/WARu2914xgJMiVL63e
-UuyY3vxN5ZUCRTJGFTUlqYaaA0tOADcNBCtv+D1BPL6a3ChOCQQsUEgxrWB//PQb
-saiLCupyfdhP/jO+QD2ptOVLcS03+AZ+S4x6W/o6HXQgFn2Ju0nGJg/SXXD41V9J
-ifFAcQKBgH692iebaAhWHgEbYNlIdpwZh+hhraOVp6D+xi+2j0TbZi5gZtsBzzkK
-RTlU6rmgYgUOlURYM7uysFcddB2pgraSrFigQ6J7LHRpowaJxyHC9yQbQ4Y0UjgK
-Mrh68/EHSDhm1M0J+CwleLkYNfW+xE5TCABgvv5mLl1hIOa3tyYq
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawou.cnf b/builtin/credential/cert/test-fixtures/root/rootcawou.cnf
deleted file mode 100644
index be11c33a17..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawou.cnf
+++ /dev/null
@@ -1,18 +0,0 @@
-[ req ]
-default_bits = 2048
-encrypt_key = no
-prompt = no
-default_md = sha256
-distinguished_name = dn
-req_extensions = req_v3
-
-[ req_v3 ]
-subjectAltName = @alt_names
-
-[ dn ]
-CN = example.com
-OU = engineering
-
-[ alt_names ]
-IP.1 = 127.0.0.1
-email = valid@example.com
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawou.csr b/builtin/credential/cert/test-fixtures/root/rootcawou.csr
deleted file mode 100644
index d72579b76c..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawou.csr
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIICpjCCAY4CAQAwLDEUMBIGA1UEAwwLZXhhbXBsZS5jb20xFDASBgNVBAsMC2Vu
-Z2luZWVyaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsI4ZJWfQ
-mI/3qfacas7O260Iii06oTP4GoQ5QpAYvcfWKKnkXagd0fBl+hfpnrK6ojYY71Jt
-cMstVdff2Wc5D3bnQ8Hikb1TMhdAAtZDUW4QbeWAXJ4mkDq1ARRcbTvK121bmDQp
-1efepohe0mDxNCruGSHpqfayC6LOkk7XZ73VAOcPPV5OOpY8el7quUdfvElxn0vH
-KBVlFRBBW2fbY5EAHDMkmBjWr0ofpwb+vhSuQlOZgsbd20mjDwSYIbywG0tAEOoj
-pLI0pOQV5msdfbqmKYE6ZmUeL/Q/pZjYh5uxFUZ4aMD/STDaeq7GdYQYcm17WL+N
-ceal9+gKceJSiQIDAQABoDUwMwYJKoZIhvcNAQkOMSYwJDAiBgNVHREEGzAZhwR/
-AAABgRF2YWxpZEBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAf1tnXgX1
-/1p2MAxHhcil5/lsOMgHWU5dRL6KjK2cepuBpfzlCbxFtvnsj9WHx46f9Q/xbqy+
-1A2TJIBUWxK+Eji//WJxbDsi7fmV5VQlpG7+sEa7yin3KobfMd84nDIYP8wLF1Fq
-HhRf7ZjIDh3zTgBosvIIjGEyABrouGYm4Nl409I09MftGXK/5TLJkgm6sxcJCAHG
-BMm8IFaI0VN5QFIHKvJ/1oQLpLV+gvtR6jAM/99LXc0SXmFn0Jcy/mE/hxJXJigW
-dDOblgjliJo0rWwHK4gfsgpMbHjJiG70g0XHtTpBW+i/NyuPnc8RYzBIJv+4sks+
-hWSmn6/IL46qTg==
------END CERTIFICATE REQUEST-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawoucert.pem b/builtin/credential/cert/test-fixtures/root/rootcawoucert.pem
deleted file mode 100644
index fe0f227543..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawoucert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDATCCAemgAwIBAgIJAMAMmdiZi5G/MA0GCSqGSIb3DQEBCwUAMCwxFDASBgNV
-BAMMC2V4YW1wbGUuY29tMRQwEgYDVQQLDAtlbmdpbmVlcmluZzAeFw0xODA5MDEx
-NDM0NTVaFw0yODA4MjkxNDM0NTVaMCwxFDASBgNVBAMMC2V4YW1wbGUuY29tMRQw
-EgYDVQQLDAtlbmdpbmVlcmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALCOGSVn0JiP96n2nGrOztutCIotOqEz+BqEOUKQGL3H1iip5F2oHdHwZfoX
-6Z6yuqI2GO9SbXDLLVXX39lnOQ9250PB4pG9UzIXQALWQ1FuEG3lgFyeJpA6tQEU
-XG07ytdtW5g0KdXn3qaIXtJg8TQq7hkh6an2sguizpJO12e91QDnDz1eTjqWPHpe
-6rlHX7xJcZ9LxygVZRUQQVtn22ORABwzJJgY1q9KH6cG/r4UrkJTmYLG3dtJow8E
-mCG8sBtLQBDqI6SyNKTkFeZrHX26pimBOmZlHi/0P6WY2IebsRVGeGjA/0kw2nqu
-xnWEGHJte1i/jXHmpffoCnHiUokCAwEAAaMmMCQwIgYDVR0RBBswGYcEfwAAAYER
-dmFsaWRAZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAHATSjW20P7+6en0
-Oq/n/R/i+aCgzcxIWSgf3dhOyxGfBW6svSg8ZtBQFEZZHqIRSXZX89zz25+mvwqi
-kGRJKKzD/KDd2v9C5+H3DSuu9CqClVtpjF2XLvRHnuclBIrwvyijRcqa2GCTA9YZ
-sOfVVGQYobDbtRCgTwWkEpU9RrZWWoD8HAYMkxFc1Cs/vJconeAaQDPEIZx9wnAN
-4r/F5143rn5dyhbYehz1/gykL3K0v7s4U5NhaSACE2AiQ+63vhAEd5xt9WPKAAGY
-zEyK4b/qPO88mxLr3A/rdzzt1UYAwT38kXA7aV82AH1J8EaCr7tLnXzyLXiEsI4E
-BOrHBgU=
------END CERTIFICATE-----
diff --git a/builtin/credential/cert/test-fixtures/root/rootcawoukey.pem b/builtin/credential/cert/test-fixtures/root/rootcawoukey.pem
deleted file mode 100644
index 166317294d..0000000000
--- a/builtin/credential/cert/test-fixtures/root/rootcawoukey.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwjhklZ9CYj/ep
-9pxqzs7brQiKLTqhM/gahDlCkBi9x9YoqeRdqB3R8GX6F+mesrqiNhjvUm1wyy1V
-19/ZZzkPdudDweKRvVMyF0AC1kNRbhBt5YBcniaQOrUBFFxtO8rXbVuYNCnV596m
-iF7SYPE0Ku4ZIemp9rILos6STtdnvdUA5w89Xk46ljx6Xuq5R1+8SXGfS8coFWUV
-EEFbZ9tjkQAcMySYGNavSh+nBv6+FK5CU5mCxt3bSaMPBJghvLAbS0AQ6iOksjSk
-5BXmax19uqYpgTpmZR4v9D+lmNiHm7EVRnhowP9JMNp6rsZ1hBhybXtYv41x5qX3
-6Apx4lKJAgMBAAECggEAF1Jd7fv9qPlzfKcP2GgDGS+NLjt1QDAOOOp4aduA+Si5
-mFuAyAJaFg5MWjHocUcosh61Qn+/5yNflLRUZHJnLizFtcSZuiipIbfCg91rvQjt
-8KZdQ168t1aZ7E+VOfSpAbX3YG6bjB754UOoSt/1XK/DDdzV8dadhD34TYlOmOxZ
-MMnIRERqa+IBSn90TONWPyY3ELSpaiCkz1YZpp6g9RnTACZKLwzBMSunNO5qbEfH
-TWlk5o14DZ3zRu5gLT5wy3SGfzm2M+qi8afQq1MT2I6opXj4KU3c64agjNUBYTq7
-S2YWmw6yrqPzxcg0hOz9H6djCx2oen/UxM2z4uoE1QKBgQDlHIFQcVTWEmxhy5yp
-uV7Ya5ubx6rW4FnCgh5lJ+wWuSa5TkMuBr30peJn0G6y0I0J1El4o3iwLD/jxwHb
-BIJTB1z5fBo3K7lhpZLuRFSWe9Mcd/Aj2pFcy5TqaIV9x8bgVAMVOoZAq9muiEog
-zIWVWrVF6FDuFgRMRegNDej6pwKBgQDFRpNQMscPpH+x6xeS0E8boZKnHyuJUZQZ
-kfEmnHQuTYmmHS4kXSnJhjODa53YddknTrPrHOvddDDYAaulyyYitPemubYQzBog
-MyIgaeFSw/eHrcr/8g4QTohRFcI71xnKRmHvQZb8UflFJkqsqil6WZ6FJiC+STcn
-Qdnhol9fTwKBgQCZtGDw1cdjgqKhjVcB6nG94ZtYjECJvaOaQW8g0AKsT/SxttaN
-B0ri2XMl0IijgBROttO/knQCRP1r03PkOocwKq1uVprDzpqk7s6++KqC9nlwDOrX
-Muf4iD/UbuC3vJIop1QWJtgwhNoaJCcPEAbCZ0Nbrfq1b6Hchb2jHGTj2wKBgHJo
-DpDJEeaBeMi+1SoAgpA8sKcZDY+SbvgxShAhVcNwli5u586Q9OX5XTCPHbhmB+yi
-2Pa2DBefBaCPv3LkEJa6KpFXTD4Lj+8ymE0B+nmcSpY19O9f+kX8tVOI8d7wTPWg
-wbUWbbCg/ZXbshzWhj19cdA4H28bWM/8gZY4K2VDAoGBAMYsNhKdu9ON/7vaLijh
-kai2tQLObYqDV6OAzdYm1gopmTTLcxQ6jP6aQlyw1ie51ms/hFozmNkGkaQGD8pp
-751Lv3prQz/lDaZeQfKANNN1tpz/QqUOu2di9secMmodxXkwcLzcEKjWPDTuPhcO
-VODU1hC5oj8yGFInoDLL2B0K
------END PRIVATE KEY-----
diff --git a/builtin/credential/cert/test-fixtures/testcacert1.pem b/builtin/credential/cert/test-fixtures/testcacert1.pem
deleted file mode 100644
index ab8bf9e931..0000000000
--- a/builtin/credential/cert/test-fixtures/testcacert1.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPjCCAiagAwIBAgIUfIKsF2VPT7sdFcKOHJH2Ii6K4MwwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwNTQyWhgPMjA2
-NjA0MjAxNjA2MTJaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuOimEXawD2qBoLCFP3Skq5zi1XzzcMAJlfdS
-xz9hfymuJb+cN8rB91HOdU9wQCwVKnkUtGWxUnMp0tT0uAZj5NzhNfyinf0JGAbP
-67HDzVZhGBHlHTjPX0638yaiUx90cTnucX0N20SgCYct29dMSgcPl+W78D3Jw3xE
-JsHQPYS9ASe2eONxG09F/qNw7w/RO5/6WYoV2EmdarMMxq52pPe2chtNMQdSyOUb
-cCcIZyk4QVFZ1ZLl6jTnUPb+JoCx1uMxXvMek4NF/5IL0Wr9dw2gKXKVKoHDr6SY
-WrCONRw61A5Zwx1V+kn73YX3USRlkufQv/ih6/xThYDAXDC9cwIDAQABo4GBMH8w
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOuKvPiU
-G06iHkRXAOeMiUdBfHFyMB8GA1UdIwQYMBaAFOuKvPiUG06iHkRXAOeMiUdBfHFy
-MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBcN/UdAMzc7UjRdnIpZvO+5keBGhL/vjltnGM1dMWYHa60Y5oh7UIXF+P1RdNW
-n7g80lOyvkSR15/r1rDkqOK8/4oruXU31EcwGhDOC4hU6yMUy4ltV/nBoodHBXNh
-MfKiXeOstH1vdI6G0P6W93Bcww6RyV1KH6sT2dbETCw+iq2VN9CrruGIWzd67UT/
-spe/kYttr3UYVV3O9kqgffVVgVXg/JoRZ3J7Hy2UEXfh9UtWNanDlRuXaZgE9s/d
-CpA30CHpNXvKeyNeW2ktv+2nAbSpvNW+e6MecBCTBIoDSkgU8ShbrzmDKVwNN66Q
-5gn6KxUPBKHEtNzs5DgGM7nq
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testcacert2.pem b/builtin/credential/cert/test-fixtures/testcacert2.pem
deleted file mode 100644
index a8fe6c4806..0000000000
--- a/builtin/credential/cert/test-fixtures/testcacert2.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPjCCAiagAwIBAgIUJfHFxtLQBOkjY9ivHx0AIsRDcH0wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYxMjI5WhgPMjA2
-NjA0MjAxNjEyNTlaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqj8ANjAGrg5BgUb3owGwUHlMYDxljMdwroA/
-Bv76ESjomj1zCyVtoJxlDZ8m9VcKQldk5ashFNuY+Ms9FrJ1YsePvsfStNe37C26
-2uldDToh5rm7K8uwp/bQiErwM9QZMCVYCPEH8QgETPg9qWnikDFLMqcLBNbIiXVL
-alxEYgA1Qt6+ayMvoS35288hFdZj6a0pCF0+zMHORZxloPhkXWnZLp5lWBiunSJG
-0kVz56TjF+oY0L74iW4y3x2805biisGvFqgpZJW8/hLw/kDthNylNTzEqBktsctQ
-BXpSMcwG3woJ0uZ8cH/HA/m0VDeIA77UisXnlLiQDpdB7U7QPwIDAQABo4GBMH8w
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMLETWAs
-OFNsKJ+uqzChCZvIpxX4MB8GA1UdIwQYMBaAFMLETWAsOFNsKJ+uqzChCZvIpxX4
-MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQCRlFb6bZDrq3NkoZF9evls7cT41V3XCdykMA4K9YRgDroZ5psanSvYEnSrk9cU
-Y7sVYW7b8qSRWkLZrHCAwc2V0/i5F5j4q9yVnWaTZ+kOVCFYCI8yUS7ixRQdTLNN
-os/r9dcRSzzTEqoQThAzn571yRcbJHzTjda3gCJ5F4utYUBU2F9WK+ukW9nqfepa
-ju5vEEGDuL2+RyApzL0nGzMUkCdBcK82QBksTlElPnbICbJZWUUMTZWPaZ7WGDDa
-Pj+pWMXiDQmzIuzgXUCNtQL6lEv4tQwGYRHjjPmhgJP4sr6Cyrj4G0iljrqM+z/3
-gLyJOlNU8c5x02/C1nFDDa14
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testcakey1.pem b/builtin/credential/cert/test-fixtures/testcakey1.pem
deleted file mode 100644
index 05211bad1c..0000000000
--- a/builtin/credential/cert/test-fixtures/testcakey1.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAuOimEXawD2qBoLCFP3Skq5zi1XzzcMAJlfdSxz9hfymuJb+c
-N8rB91HOdU9wQCwVKnkUtGWxUnMp0tT0uAZj5NzhNfyinf0JGAbP67HDzVZhGBHl
-HTjPX0638yaiUx90cTnucX0N20SgCYct29dMSgcPl+W78D3Jw3xEJsHQPYS9ASe2
-eONxG09F/qNw7w/RO5/6WYoV2EmdarMMxq52pPe2chtNMQdSyOUbcCcIZyk4QVFZ
-1ZLl6jTnUPb+JoCx1uMxXvMek4NF/5IL0Wr9dw2gKXKVKoHDr6SYWrCONRw61A5Z
-wx1V+kn73YX3USRlkufQv/ih6/xThYDAXDC9cwIDAQABAoIBAG3bCo7ljMQb6tel
-CAUjL5Ilqz5a9ebOsONABRYLOclq4ePbatxawdJF7/sSLwZxKkIJnZtvr2Hkubxg
-eOO8KC0YbVS9u39Rjc2QfobxHfsojpbWSuCJl+pvwinbkiUAUxXR7S/PtCPJKat/
-fGdYCiMQ/tqnynh4vR4+/d5o12c0KuuQ22/MdEf3GOadUamRXS1ET9iJWqla1pJW
-TmzrlkGAEnR5PPO2RMxbnZCYmj3dArxWAnB57W+bWYla0DstkDKtwg2j2ikNZpXB
-nkZJJpxR76IYD1GxfwftqAKxujKcyfqB0dIKCJ0UmfOkauNWjexroNLwaAOC3Nud
-XIxppAECgYEA1wJ9EH6A6CrSjdzUocF9LtQy1LCDHbdiQFHxM5/zZqIxraJZ8Gzh
-Q0d8JeOjwPdG4zL9pHcWS7+x64Wmfn0+Qfh6/47Vy3v90PIL0AeZYshrVZyJ/s6X
-YkgFK80KEuWtacqIZ1K2UJyCw81u/ynIl2doRsIbgkbNeN0opjmqVTMCgYEA3CkW
-2fETWK1LvmgKFjG1TjOotVRIOUfy4iN0kznPm6DK2PgTF5DX5RfktlmA8i8WPmB7
-YFOEdAWHf+RtoM/URa7EAGZncCWe6uggAcWqznTS619BJ63OmncpSWov5Byg90gJ
-48qIMY4wDjE85ypz1bmBc2Iph974dtWeDtB7dsECgYAyKZh4EquMfwEkq9LH8lZ8
-aHF7gbr1YeWAUB3QB49H8KtacTg+iYh8o97pEBUSXh6hvzHB/y6qeYzPAB16AUpX
-Jdu8Z9ylXsY2y2HKJRu6GjxAewcO9bAH8/mQ4INrKT6uIdx1Dq0OXZV8jR9KVLtB
-55RCfeLhIBesDR0Auw9sVQKBgB0xTZhkgP43LF35Ca1btgDClNJGdLUztx8JOIH1
-HnQyY/NVIaL0T8xO2MLdJ131pGts+68QI/YGbaslrOuv4yPCQrcS3RBfzKy1Ttkt
-TrLFhtoy7T7HqyeMOWtEq0kCCs3/PWB5EIoRoomfOcYlOOrUCDg2ge9EP4nyVVz9
-hAGBAoGBAJXw/ufevxpBJJMSyULmVWYr34GwLC1OhSE6AVVt9JkIYnc5L4xBKTHP
-QNKKJLmFmMsEqfxHUNWmpiHkm2E0p37Zehui3kywo+A4ybHPTua70ZWQfZhKxLUr
-PvJa8JmwiCM7kO8zjOv+edY1mMWrbjAZH1YUbfcTHmST7S8vp0F3
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testcakey2.pem b/builtin/credential/cert/test-fixtures/testcakey2.pem
deleted file mode 100644
index c2e3763e23..0000000000
--- a/builtin/credential/cert/test-fixtures/testcakey2.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAqj8ANjAGrg5BgUb3owGwUHlMYDxljMdwroA/Bv76ESjomj1z
-CyVtoJxlDZ8m9VcKQldk5ashFNuY+Ms9FrJ1YsePvsfStNe37C262uldDToh5rm7
-K8uwp/bQiErwM9QZMCVYCPEH8QgETPg9qWnikDFLMqcLBNbIiXVLalxEYgA1Qt6+
-ayMvoS35288hFdZj6a0pCF0+zMHORZxloPhkXWnZLp5lWBiunSJG0kVz56TjF+oY
-0L74iW4y3x2805biisGvFqgpZJW8/hLw/kDthNylNTzEqBktsctQBXpSMcwG3woJ
-0uZ8cH/HA/m0VDeIA77UisXnlLiQDpdB7U7QPwIDAQABAoIBADivQ2XHdeHsUzk1
-JOz8efVBfgGo+nL2UPl5MAMnUKH4CgKZJT3311mb2TXA4RrdQUg3ixvBcAFe4L8u
-BIgTIWyjX6Q5KloWXWHhFA8hll76FSGag8ygRJCYaHSI5xOKslxKgtZvUqKZdb0f
-BoDrBYnXL9+MqOmSjjDegh7G2+n49n774Z2VVR47TZTBB5LCWDWj4AtEcalgwlvw
-d5yL/GU/RfCkXCjCeie1pInp3eCMUI9jlvbe/vyaoFq2RiaJw1LSlJLXZBMYzaij
-XkgMtRsr5bf0Tg2z3SPiaa9QZogfVLqHWAt6RHZf9Keidtiho+Ad6/dzJu+jKDys
-Z6cthOECgYEAxMUCIYKO74BtPRN2r7KxbSjHzFsasxbfwkSg4Qefd4UoZJX2ShlL
-cClnef3WdkKxtShJhqEPaKTYTrfgM+iz/a9+3lAFnS4EZawSf3YgXXslVTory0Da
-yPQZKxX6XsupaLl4s13ehw/D0qfdxWVYaiFad3ePEE4ytmSkMMHLHo8CgYEA3X4a
-jMWVbVv1W1lj+LFcg7AhU7lHgla+p7NI4gHw9V783noafnW7/8pNF80kshYo4u0g
-aJRwaU/Inr5uw14eAyEjB4X7N8AE5wGmcxxS2uluGG6r3oyQSJBqktGnLwyTfcfC
-XrfsGJza2BRGF4Mn8SFb7WtCl3f1qu0hTF+mC1ECgYB4oA1eXZsiV6if+H6Z1wHN
-2WIidPc5MpyZi1jUmse3jXnlr8j8Q+VrLPayYlpGxTwLwlbQoYvAqs2v9CkNqWot
-6pfr0UKfyMYJTiNI4DGXHRcV2ENgprF436tOLnr+AfwopwrHapQwWAnD6gSaLja1
-WR0Mf87EQCv2hFvjR+otIQKBgQCLyvJQ1MeZzQdPT1zkcnSUfM6b+/1hCwSr7WDb
-nCQLiZcJh4E/PWmZaII9unEloQzPJKBmwQEtxng1kLVxwu4oRXrJXcuPhTbS4dy/
-HCpDFj8xVnBNNuQ9mEBbR80/ya0xHqnThDuT0TPiWvFeF55W9xoA/8h4tvKrnZx9
-ioTO8QKBgCMqRa5pHb+vCniTWUTz9JZRnRsdq7fRSsJHngMe5gOR4HylyAmmqKrd
-kEXfkdu9TH2jxSWcZbHUPVwKfOUqQUZMz0pml0DIs1kedUDFanTZ8Rgg5SGUHBW0
-5bNCq64tKMmw6GiicaAGqd04OPo85WD9h8mPhM1Jdv/UmTV+HFAr
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testcert1.pem b/builtin/credential/cert/test-fixtures/testcert1.pem
deleted file mode 100644
index ae39599d14..0000000000
--- a/builtin/credential/cert/test-fixtures/testcert1.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDVzCCAj+gAwIBAgIUKJtTQMEcL+SjIDyoqDFZ/JQFAIwwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wIBcNMjYwMTA5MjEyMzM2WhgPMjA3
-NTEwMDYxMzI0MDZaMBsxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20wggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0Il8itdPokxLUfLylUx2BU0keMVc1
-ADkQLVSRbn8PadSDp6bs9EBe2vhWM0kfs/OyKC9Y1AMd7dubmj+KYemOpEjnayoi
-ym/RB767b9JgphnkbvR13V7qUVkWGdiXVBbultTaSpNNSUTPkhQoxYgl3VM9G+Vc
-7hXJ4u7/SyhqA5R2HuPAse4HQG2HBvHU5qsmSEfZijQNR6YpL/qfCki3Fj7G4ZA0
-6QGVYltcAKmsBC1KtIxlxbxMzdkkiQrzaq1otEGR1Db9ScLFz1Kf5APT5lIoOC4T
-qwn9KRA10wkTL0yCYO0LkrHbmEFcagZBq0I8tfan2TMkOQdMLrhk0U2jAgMBAAGj
-gZUwgZIwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjAdBgNVHQ4EFgQUAsz+3ch3eUMLIOBSaBHNvkuotpwwHwYDVR0jBBgwFoAU
-ncSzT/6HMexyuiU9/7EgHu+ok5swIQYDVR0RBBowGIIQdGVzdC5leGFtcGxlLmNv
-bYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAeQpN2vLKiTbLw1JhpvIlUzOftWU/
-tykJDMuTOP2QBTPq9pRvofE5Ij/nCZj2z7+Ui3M/RsuziCA2qzlT5voqL3cQZ6FJ
-xYm+oUlIyw+88/ArcSUZmWaA/dtkvn0CUTImSgYKswlzCBABISGGzCC5xPkhLKfa
-lVB6jQFmSyOXmeSKwA1KXOhykzUVvFvhjMJidWj12rsB6jzixLCtCuhPgXol801w
-X76Ul8bKtVaZOLyzUd/eWcd3qSVi7jvuTtC368pV9CsIzanXAG+rfmOXQhMh48C+
-4IQFEXjf9u18KgQrk3UCwN4bhIwzyNAd90A3rdiv0a86jZjmOtPJZzypEw==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testcert2.pem b/builtin/credential/cert/test-fixtures/testcert2.pem
deleted file mode 100644
index c6defccc02..0000000000
--- a/builtin/credential/cert/test-fixtures/testcert2.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDVzCCAj+gAwIBAgIUegOuC0oLkgJXvcRbbqq6HaU4b48wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wIBcNMjYwMTA5MjEzODM1WhgPMjA3
-NTEwMDYxMzM5MDVaMBsxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20wggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwzWVwpgL1ezR+nphVdcSJpAXDIqh0
-ByClMi9Zr9iDEPnSAoLAaXKkhn81IyydsL2RHbt+jjUaGjBfd8Y4ib/0abiGN6fo
-R1WNIVRE6tYMJZ6WntWyPsGrqPCpLU9PTrovGGqV1u498AJPJPmPYHvEoceHUEbS
-e9qlsQis+hjd9CuQfXRYhhcBjBZQo6IQ/9ucS5VPF2M7+c+6TjlnHiO+UPKIwEtr
-74SRQngG4jMVYwG8GLDBB6rLlqhoUqwxl1ld4UnIitbb7uiG0lnT4liT0l11pjVy
-1DxMM5g6h2tIIqNECriwAD1DWe28GVmi59EPwBT6yPt/1QkGcj1ukPsJAgMBAAGj
-gZUwgZIwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjAdBgNVHQ4EFgQUidElpxqnvZelSOfHrdHBDj4WOYowHwYDVR0jBBgwFoAU
-ncSzT/6HMexyuiU9/7EgHu+ok5swIQYDVR0RBBowGIIQdGVzdC5leGFtcGxlLmNv
-bYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAM0rhxChmXvCNOZLmeoijW8u3Piw4
-HrYNKvubgoWlhSaJTyvqHyNtgvIDoR4nLwlTe0hfww32gSueIqRcmmrH+0S1406k
-Z88bgFFN1pNRR0yNhu9obxAbHY/nK8/ODeJF8h+waqhfWw6JRWxV3+8IprqAL+F8
-Oz5gJ1JpMNR7SfgZgNMDHnXdYt/XyDGWdzIG9L8xJ8X6wPZRmYYWKIfuFZWijoav
-9LReF31VbXrEn/Qlb7JO5lfPFmmasXzkCJC8DlnWVFhsh/iyfxDo35kc4WlQ371K
-KRZco41pVge0ExY69IENa8dqL882hrU+g3UTo09MCMpuNUYwmS4wrmEOgA==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testissuedcert4.pem b/builtin/credential/cert/test-fixtures/testissuedcert4.pem
deleted file mode 100644
index 5bffd67779..0000000000
--- a/builtin/credential/cert/test-fixtures/testissuedcert4.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtzCCAp+gAwIBAgIUBLqh6ctGWVDUxFhxJX7m6S/bnrcwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwOTI2WhgPMjA2
-NjA0MjAxNTA5NTZaMBsxGTAXBgNVBAMTEGNlcnQubXl2YXVsdC5jb20wggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY3gPB29kkdbu0mPO6J0efagQhSiXB
-9OyDuLf5sMk6CVDWVWal5hISkyBmw/lXgF7qC2XFKivpJOrcGQd5Ep9otBqyJLzI
-b0IWdXuPIrVnXDwcdWr86ybX2iC42zKWfbXgjzGijeAVpl0UJLKBj+fk5q6NvkRL
-5FUL6TRV7Krn9mrmnrV9J5IqV15pTd9W2aVJ6IqWvIPCACtZKulqWn4707uy2X2W
-1Stq/5qnp1pDshiGk1VPyxCwQ6yw3iEcgecbYo3vQfhWcv7Q8LpSIM9ZYpXu6OmF
-+czqRZS9gERl+wipmmrN1MdYVrTuQem21C/PNZ4jo4XUk1SFx6JrcA+lAgMBAAGj
-gfUwgfIwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSe
-Cl9WV3BjGCwmS/KrDSLRjfwyqjAfBgNVHSMEGDAWgBTrirz4lBtOoh5EVwDnjIlH
-QXxxcjA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAKGH2h0dHA6Ly8xMjcuMC4w
-LjE6ODIwMC92MS9wa2kvY2EwIQYDVR0RBBowGIIQY2VydC5teXZhdWx0LmNvbYcE
-fwAAATAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vMTI3LjAuMC4xOjgyMDAvdjEv
-cGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAWGholPN8buDYwKbUiDavbzjsxUIX
-lU4MxEqOHw7CD3qIYIauPboLvB9EldBQwhgOOy607Yvdg3rtyYwyBFwPhHo/hK3Z
-6mn4hc6TF2V+AUdHBvGzp2dbYLeo8noVoWbQ/lBulggwlIHNNF6+a3kALqsqk1Ch
-f/hzsjFnDhAlNcYFgG8TgfE2lE/FckvejPqBffo7Q3I+wVAw0buqiz5QL81NOT+D
-Y2S9LLKLRaCsWo9wRU1Az4Rhd7vK5SEMh16jJ82GyEODWPvuxOTI1MnzfnbWyLYe
-TTp6YBjGMVf1I6NEcWNur7U17uIOiQjMZ9krNvoMJ1A/cxCoZ98QHgcIPg==
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testissuedkey4.pem b/builtin/credential/cert/test-fixtures/testissuedkey4.pem
deleted file mode 100644
index 58e7f8df73..0000000000
--- a/builtin/credential/cert/test-fixtures/testissuedkey4.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA2N4DwdvZJHW7tJjzuidHn2oEIUolwfTsg7i3+bDJOglQ1lVm
-peYSEpMgZsP5V4Be6gtlxSor6STq3BkHeRKfaLQasiS8yG9CFnV7jyK1Z1w8HHVq
-/Osm19oguNsyln214I8xoo3gFaZdFCSygY/n5Oaujb5ES+RVC+k0Veyq5/Zq5p61
-fSeSKldeaU3fVtmlSeiKlryDwgArWSrpalp+O9O7stl9ltUrav+ap6daQ7IYhpNV
-T8sQsEOssN4hHIHnG2KN70H4VnL+0PC6UiDPWWKV7ujphfnM6kWUvYBEZfsIqZpq
-zdTHWFa07kHpttQvzzWeI6OF1JNUhceia3APpQIDAQABAoIBAQCH3vEzr+3nreug
-RoPNCXcSJXXY9X+aeT0FeeGqClzIg7Wl03OwVOjVwl/2gqnhbIgK0oE8eiNwurR6
-mSPZcxV0oAJpwiKU4T/imlCDaReGXn86xUX2l82KRxthNdQH/VLKEmzij0jpx4Vh
-bWx5SBPdkbmjDKX1dmTiRYWIn/KjyNPvNvmtwdi8Qluhf4eJcNEUr2BtblnGOmfL
-FdSu+brPJozpoQ1QdDnbAQRgqnh7Shl0tT85whQi0uquqIj1gEOGVjmBvDDnL3GV
-WOENTKqsmIIoEzdZrql1pfmYTk7WNaD92bfpN128j8BF7RmAV4/DphH0pvK05y9m
-tmRhyHGxAoGBAOV2BBocsm6xup575VqmFN+EnIOiTn+haOvfdnVsyQHnth63fOQx
-PNtMpTPR1OMKGpJ13e2bV0IgcYRsRkScVkUtoa/17VIgqZXffnJJ0A/HT67uKBq3
-8o7RrtyK5N20otw0lZHyqOPhyCdpSsurDhNON1kPVJVYY4N1RiIxfut/AoGBAPHz
-HfsJ5ZkyELE9N/r4fce04lprxWH+mQGK0/PfjS9caXPhj/r5ZkVMvzWesF3mmnY8
-goE5S35TuTvV1+6rKGizwlCFAQlyXJiFpOryNWpLwCmDDSzLcm+sToAlML3tMgWU
-jM3dWHx3C93c3ft4rSWJaUYI9JbHsMzDW6Yh+GbbAoGBANIbKwxh5Hx5XwEJP2yu
-kIROYCYkMy6otHLujgBdmPyWl+suZjxoXWoMl2SIqR8vPD+Jj6mmyNJy9J6lqf3f
-DRuQ+fEuBZ1i7QWfvJ+XuN0JyovJ5Iz6jC58D1pAD+p2IX3y5FXcVQs8zVJRFjzB
-p0TEJOf2oqORaKWRd6ONoMKvAoGALKu6aVMWdQZtVov6/fdLIcgf0pn7Q3CCR2qe
-X3Ry2L+zKJYIw0mwvDLDSt8VqQCenB3n6nvtmFFU7ds5lvM67rnhsoQcAOaAehiS
-rl4xxoJd5Ewx7odRhZTGmZpEOYzFo4odxRSM9c30/u18fqV1Mm0AZtHYds4/sk6P
-aUj0V+kCgYBMpGrJk8RSez5g0XZ35HfpI4ENoWbiwB59FIpWsLl2LADEh29eC455
-t9Muq7MprBVBHQo11TMLLFxDIjkuMho/gcKgpYXCt0LfiNm8EZehvLJUXH+3WqUx
-we6ywrbFCs6LaxaOCtTiLsN+GbZCatITL0UJaeBmTAbiw0KQjUuZPQ==
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testkey1.pem b/builtin/credential/cert/test-fixtures/testkey1.pem
deleted file mode 100644
index 6d81857a63..0000000000
--- a/builtin/credential/cert/test-fixtures/testkey1.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAtCJfIrXT6JMS1Hy8pVMdgVNJHjFXNQA5EC1UkW5/D2nUg6em
-7PRAXtr4VjNJH7PzsigvWNQDHe3bm5o/imHpjqRI52sqIspv0Qe+u2/SYKYZ5G70
-dd1e6lFZFhnYl1QW7pbU2kqTTUlEz5IUKMWIJd1TPRvlXO4VyeLu/0soagOUdh7j
-wLHuB0Bthwbx1OarJkhH2Yo0DUemKS/6nwpItxY+xuGQNOkBlWJbXACprAQtSrSM
-ZcW8TM3ZJIkK82qtaLRBkdQ2/UnCxc9Sn+QD0+ZSKDguE6sJ/SkQNdMJEy9MgmDt
-C5Kx25hBXGoGQatCPLX2p9kzJDkHTC64ZNFNowIDAQABAoIBAAalZgEv2DuygXVZ
-jNREtsf4vK/ific0dOaF5aLgAswcyXx6CQyhDmbxiUwU5FPJHeqq1ORgHiVSi1G4
-ZTPD3QwoP5BaQdm6wlliAcWEoKx0NGxbM6XNnxziF3lbRsR+k8IFyqCrM7gcRe+q
-ohfHAfjzq4iLqPC+0Ar81niQ21Ld8xgck3t+UWtgoYdLAyA8aIa43k+I3wHEPhNv
-+1w+/F/dOKcmCMBrnh3ff6mot/6J31MOecP8tU1ss5nWyJ3B+3tdHjETIcWWFhtG
-w5XXlP+e39C/Haq8+h+3AgsCPVoLfVAEMDtwyax+a9S7tEie+F09ENecRPlDJLQi
-cepy+uECgYEA0NQrwRFJGmaTi5zsgwXu04kbsx8vCdR0SlJeE++s7zhwH8SD66np
-ZxjiAHTu6OxlIkxLR0C+YKKpP2c9sq2jpj4saJzxHtv+E9N6qSuPj1ULQ/yKQhog
-y9bIBpznuTaK1k2nJ8naWoYJuiFN3LQhMmGyVRr4+MSbY0FkzWNRKVkCgYEA3NLl
-1qlKPRvn3Q1oT4y9vkvtlVINZael2aZS+zM+yuZyZoo7ximOeYIMJ/YQGH1b7ygl
-bLEnaCS+OBFRA4RkAwAeO9I7g57gJjoFKo4KCyF9T9oPEa5NYXAohvLhiJRZJgG/
-dhpwcQgMRUGC9nzj8wk8KJJ5rnWf+T18afVWE1sCgYEAztpr4NmTdRBIdJHjgUGe
-OXFlu79W48DL1FbUk6Dkxy07e2w4VHbBGPt/2n35rUWERD4YjyLlsWlOhtxoNBZl
-tSV+7b0P5sZ5XgAsT2gz0wGloBmGhkXFWMSO7GX97uvFCNRwkCwVG3gMKJAWxVi0
-TWiSslR+bESrutyq0fvgCDkCgYBCQqImvFuDZKk5QjmnjRKuVDgxExLkCt8QJQFH
-UQQpe+ad8CKpfnS67xPYtdP0lUENzR0VtT6e2E+foUqO5J3h7Jol1xp2jyixL723
-HDHVTzI70LGu239qmm3+uEiGZAUwC1w5Awv0Trbn3RWAAs+fcIj1n6YVfEQJVLLN
-VImEewKBgALnn48dFKSRPWcYJKnbWI5ujsggUZmabuWJKwiHeoTgJ8o8yFtWrFIW
-+GVPqL2ZrKhrF+sYqbVX6yjF+0GzeGIjtaW9DifvimJ2kyhyncUEomDxRsl22/LG
-P3w7PM0YzvAuo6muYqqhljhNpZUBRmCvpBaqsNwoJc04cYhfFvhn
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/builtin/credential/cert/test-fixtures/testkey2.pem b/builtin/credential/cert/test-fixtures/testkey2.pem
deleted file mode 100644
index c8b16f98d2..0000000000
--- a/builtin/credential/cert/test-fixtures/testkey2.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAsM1lcKYC9Xs0fp6YVXXEiaQFwyKodAcgpTIvWa/YgxD50gKC
-wGlypIZ/NSMsnbC9kR27fo41GhowX3fGOIm/9Gm4hjen6EdVjSFUROrWDCWelp7V
-sj7Bq6jwqS1PT066LxhqldbuPfACTyT5j2B7xKHHh1BG0nvapbEIrPoY3fQrkH10
-WIYXAYwWUKOiEP/bnEuVTxdjO/nPuk45Zx4jvlDyiMBLa++EkUJ4BuIzFWMBvBiw
-wQeqy5aoaFKsMZdZXeFJyIrW2+7ohtJZ0+JYk9JddaY1ctQ8TDOYOodrSCKjRAq4
-sAA9Q1ntvBlZoufRD8AU+sj7f9UJBnI9bpD7CQIDAQABAoIBAATt2wbEmBdGNbDU
-hNh4GbBBLohx0Eq40qYMY8HPO1zvFZnvaDwLTI8N8WC2v/UPAv/3WV12Q0B8q63T
-sebsXznGE0cJqPCawYW3YMkxl2FcEKNwHvLS2VUq9veue9QxFJOAzaLrDLYVGYlh
-lWQUC2tQW9bXy/utCIvfR0fESrpwWwQgjFJQJnoiWs9RYG/crpaIZUZOsGcWWGwI
-6qUKO/aqL0zVcb6+grwtppCgJKx7jx0bXj8LkhTUxzxx8IW0YK/lvJ/wxhfy5242
-DJLD2hBmxpW4FiAss26jKkaznzrLVrCUYWDSa//11dYnTZMNL8N5zqhYmnrnVd4N
-Yju6/1ECgYEA1oHxreRvmYgYkMqY6r4qHT/cTHgQc0zwL1OXqIZrYFgHQqQ1VrHg
-bdhGMXJAPhEtuPuVPqikv9bdVfvhf6bt3h5bGYnz3cKpi+ud70c88hOQCr33CCVN
-54JQC0UDi7EQRqAhGaLpFah4S46kbLzpuPTsKpUR8lic/aAwdVV6o5kCgYEA0wBZ
-zECi1yzwdKspoJwUJwdfSU1JJSwS2uWSMxRhkY1Avg8RNMQcb+3gM7Jt+BTL0dy7
-Fxr8kQ235NfY8rnJz0auNFpYjIRDb0KI82THDQovg+EvhdD5FaOJk5kS4jYfe2N4
-Iy6szO9NweoLO3xmZcYECuGtLqq4pVOxLqkfuPECgYEAi5LjwaU45GqEqXnaBCwW
-VQ/fdTZOZeezBOhcbwB/z6GXn8ofFrkI8hBeo//WQ0yENrAkjS/IezcAr9kEAj6I
-2hVga36y2iG2ll+KVU5CHrWR7RtsKLW1OiU1lg+i3fspPvskbnztMvV6yJcY79QA
-NCPRo2d51PnJtNHNlhs3gEkCgYEAtXY1xA1KfldtrEiPkkroofAbKIVJBKj0xkBt
-DXTXvD+IkGuQ1ppaAoDHMm6fWJ059JAqbmKNF4p+vlZLg+P4BUS6CNgyExakkAje
-ksP20+YQmxCMuD7SGKP+a2tX7Cezx3/yD//SKKUdcEmBw3Tm81vqmhkfwWSdS8HA
-PWrBl2ECgYAeZYrxrwWkelcbhJsxkOgeQhJkfUdv/VuDLT5pcJlH5jjvaFsEWDZW
-wCtQz2KLrEK1u/HnfmjXgRURvDgf1qddGD/BV83AnBIHtXD9ia8dtbt/4rY+KaYU
-/ROg406oZ7m55UhsUtuQkNAcAG7IvhHDGCp9dY2QaheeXpHvcDxe+w==
------END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/builtin/credential/github/backend.go b/builtin/credential/github/backend.go
index 7f8026e680..e584e9f858 100644
--- a/builtin/credential/github/backend.go
+++ b/builtin/credential/github/backend.go
@@ -7,7 +7,7 @@ import (
 	"context"
 	"net/url"
 
-	"github.com/google/go-github/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
diff --git a/builtin/credential/github/path_config.go b/builtin/credential/github/path_config.go
index f871a2ff8f..e9c6da9538 100644
--- a/builtin/credential/github/path_config.go
+++ b/builtin/credential/github/path_config.go
@@ -11,7 +11,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/google/go-github/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/tokenutil"
 	"github.com/hashicorp/vault/sdk/logical"
diff --git a/builtin/credential/github/path_login.go b/builtin/credential/github/path_login.go
index b01967bd26..9e343f322e 100644
--- a/builtin/credential/github/path_login.go
+++ b/builtin/credential/github/path_login.go
@@ -9,7 +9,7 @@ import (
 	"fmt"
 	"net/url"
 
-	"github.com/google/go-github/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
 	"github.com/hashicorp/vault/sdk/helper/policyutil"
diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go
index adcfb7922e..1e5ddca630 100644
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -17,9 +17,9 @@ import (
 	hclog "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/helper/namespace"
-	"github.com/hashicorp/vault/helper/testhelpers/ldap"
 	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
 	"github.com/hashicorp/vault/sdk/helper/automatedrotationutil"
+	"github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/helper/ldaputil"
 	"github.com/hashicorp/vault/sdk/helper/policyutil"
 	"github.com/hashicorp/vault/sdk/helper/tokenutil"
@@ -330,7 +330,7 @@ func TestLdapAuthBackend_CaseSensitivity(t *testing.T) {
 		}
 	}
 
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 	configReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -376,7 +376,7 @@ func TestLdapAuthBackend_UserPolicies(t *testing.T) {
 	var err error
 	b, storage := createBackendWithStorage(t)
 
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 	configReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -487,7 +487,7 @@ func factory(t *testing.T) logical.Backend {
 // https://github.com/hashicorp/vault/issues/26183.
 func TestBackend_LoginRegression_AnonBind(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	cfg.AnonymousGroupSearch = true
 	defer cleanup()
 
@@ -520,7 +520,7 @@ func TestBackend_LoginRegression_AnonBind(t *testing.T) {
 // passwords are disallowed
 func TestBackend_Login_EmptyPasswordDisallowed(t *testing.T) {
 	b, storage := createBackendWithStorage(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	configReq := &logical.Request{
@@ -571,7 +571,7 @@ func TestBackend_Login_EmptyPasswordDisallowed(t *testing.T) {
 // attributes to entity alias metadata.
 func TestBackend_LoginRegression_UserAttr(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	cfg.UserAttr = "givenName"
 	defer cleanup()
 
@@ -602,7 +602,7 @@ func TestBackend_LoginRegression_UserAttr(t *testing.T) {
 
 func TestBackend_basic(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -632,7 +632,7 @@ func TestBackend_basic(t *testing.T) {
 
 func TestBackend_basic_noPolicies(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -650,7 +650,7 @@ func TestBackend_basic_noPolicies(t *testing.T) {
 
 func TestBackend_basic_group_noPolicies(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -671,7 +671,7 @@ func TestBackend_basic_group_noPolicies(t *testing.T) {
 
 func TestBackend_basic_authbind(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -688,7 +688,7 @@ func TestBackend_basic_authbind(t *testing.T) {
 
 func TestBackend_basic_authbind_userfilter(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	// userattr not used in the userfilter should result in a warning in the response
@@ -831,7 +831,7 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {
 
 func TestBackend_basic_authbind_metadata_name(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	cfg.UserAttr = "cn"
@@ -896,7 +896,7 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,
 
 func TestBackend_basic_discover(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -913,7 +913,7 @@ func TestBackend_basic_discover(t *testing.T) {
 
 func TestBackend_basic_nogroupdn(t *testing.T) {
 	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	logicaltest.Test(t, logicaltest.TestCase{
@@ -1478,7 +1478,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
 
 	ctx := context.Background()
 
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 	configReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -1543,6 +1543,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
 			UsernameAsAlias:          false,
 			DerefAliases:             "never",
 			MaximumPageSize:          1000,
+			Schema:                   ldaputil.SchemaOpenLDAP, // Default schema when not specified
 		},
 	}
 
diff --git a/builtin/credential/ldap/path_config.go b/builtin/credential/ldap/path_config.go
index f990ce8db6..ea91903617 100644
--- a/builtin/credential/ldap/path_config.go
+++ b/builtin/credential/ldap/path_config.go
@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/automatedrotationutil"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/ldaputil"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/helper/tokenutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/rotation"
@@ -96,6 +97,13 @@ func (b *backend) Config(ctx context.Context, req *logical.Request) (*ldapConfig
 			return nil, err
 		}
 
+		// perform schema validation, as NewConfigEntry does not check supported schemas
+		if result.Schema != "" {
+			if !strutil.StrListContains(ldaputil.SupportedSchemas(), result.Schema) {
+				return nil, fmt.Errorf("unsupported schema type %q: must be one of %v", result.Schema, ldaputil.SupportedSchemas())
+			}
+		}
+
 		// No user overrides, return default configuration
 		result.CaseSensitiveNames = new(bool)
 		*result.CaseSensitiveNames = false
@@ -128,6 +136,12 @@ func (b *backend) Config(ctx context.Context, req *logical.Request) (*ldapConfig
 		persistNeeded = true
 	}
 
+	// Upgrade path: Set default schema for configs created before schema field was added
+	if result.Schema == "" {
+		result.Schema = ldaputil.SchemaOpenLDAP
+		persistNeeded = true
+	}
+
 	if persistNeeded && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
 		entry, err := logical.StorageEntryJSON("config", result)
 		if err != nil {
diff --git a/builtin/credential/ldap/path_config_rotate_root.go b/builtin/credential/ldap/path_config_rotate_root.go
index a683a30240..580d0e4344 100644
--- a/builtin/credential/ldap/path_config_rotate_root.go
+++ b/builtin/credential/ldap/path_config_rotate_root.go
@@ -5,7 +5,11 @@ package ldap
 
 import (
 	"context"
+	"encoding/binary"
 	"errors"
+	"fmt"
+	"strings"
+	"unicode/utf16"
 
 	"github.com/go-ldap/ldap/v3"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -83,6 +87,19 @@ func (b *backend) rotateRootCredential(ctx context.Context, req *logical.Request
 		return responseError{errors.New("auth is not using authenticated search, no root to rotate")}
 	}
 
+	// Validate TLS requirements for AD password rotation
+	schema := ldaputil.NormalizedSchema(cfg.Schema)
+	if schema == ldaputil.SchemaAD {
+		// Validate URL(s) which will actually be used for rotation
+		urlToValidate := cfg.Url
+		if cfg.RotationUrl != "" {
+			urlToValidate = cfg.RotationUrl
+		}
+		if err := validateADRotationURLs(urlToValidate, cfg.StartTLS); err != nil {
+			return responseError{err}
+		}
+	}
+
 	// grab our ldap client
 	client := ldaputil.Client{
 		Logger: b.Logger(),
@@ -98,16 +115,14 @@ func (b *backend) rotateRootCredential(ctx context.Context, req *logical.Request
 	if err != nil {
 		return err
 	}
+	// Close the connection when done to avoid leaking connections, especially during repeated rotation attempts.defer conn.Close()
+	defer conn.Close()
 
 	err = conn.Bind(u, p)
 	if err != nil {
 		return err
 	}
 
-	lreq := &ldap.ModifyRequest{
-		DN: cfg.BindDN,
-	}
-
 	var newPassword string
 	if cfg.PasswordPolicy != "" {
 		newPassword, err = b.System().GeneratePasswordFromPolicy(ctx, cfg.PasswordPolicy)
@@ -118,12 +133,38 @@ func (b *backend) rotateRootCredential(ctx context.Context, req *logical.Request
 		return err
 	}
 
-	lreq.Replace("userPassword", []string{newPassword})
+	switch schema {
+	case ldaputil.SchemaAD:
+		// AD root rotation requires:
+		// 1) Quoted password
+		// 2) UTF-16LE encoding
+		// 3) Encrypted connection (LDAPS/StartTLS)
+		// Without these, AD rejects password updates.
+		b.Logger().Debug("rotating root password using AD schema")
+		quotedPwd := fmt.Sprintf("\"%s\"", newPassword)
+		utf16Bytes := encodeUTF16LEBytes(quotedPwd)
 
-	err = conn.Modify(lreq)
-	if err != nil {
-		return err
+		modReq := ldap.NewModifyRequest(cfg.BindDN, nil)
+		modReq.Replace("unicodePwd", []string{string(utf16Bytes)})
+
+		if err := conn.Modify(modReq); err != nil {
+			return fmt.Errorf("failed to modify AD password for %q: %w", cfg.BindDN, err)
+		}
+
+	case ldaputil.SchemaOpenLDAP:
+		b.Logger().Debug("rotating root password using openldap schema")
+		lreq := &ldap.ModifyRequest{
+			DN: cfg.BindDN,
+		}
+		lreq.Replace("userPassword", []string{newPassword})
+
+		if err := conn.Modify(lreq); err != nil {
+			return fmt.Errorf("failed to modify OpenLDAP password: %w", err)
+		}
+	default:
+		return responseError{fmt.Errorf("unsupported schema type for password rotation: %s", schema)}
 	}
+
 	// update config with new password
 	cfg.BindPassword = newPassword
 	entry, err := logical.StorageEntryJSON("config", cfg)
@@ -138,6 +179,56 @@ func (b *backend) rotateRootCredential(ctx context.Context, req *logical.Request
 	return nil
 }
 
+// encodeUTF16LEBytes encodes a string as UTF-16LE bytes for AD password changes.
+// This encoding is required for Active Directory password changes via the unicodePwd attribute.
+func encodeUTF16LEBytes(s string) []byte {
+	utf16Runes := utf16.Encode([]rune(s))
+	buf := make([]byte, len(utf16Runes)*2)
+	for i, r := range utf16Runes {
+		binary.LittleEndian.PutUint16(buf[i*2:], r)
+	}
+	return buf
+}
+
+// validateADRotationURLs validates that all URLs in the provided URL string
+// meet the security requirements for AD password rotation.
+func validateADRotationURLs(urlString string, startTLS bool) error {
+	// AD password rotation requires encrypted connections (LDAPS or StartTLS)
+	// Supported configurations:
+	// 1. ldaps:// with proper certificate validation (recommended)
+	// 2. ldaps:// with insecure_tls=true (skips certificate validation)
+	// 3. ldap:// with starttls=true (with or without explicit certificates)
+	if strings.TrimSpace(urlString) == "" {
+		return errors.New("AD password rotation requires a configured URL")
+	}
+	// Split on commas to handle multiple URLs
+	rawURLs := strings.Split(urlString, ",")
+	hasNonTLSURL := false
+	for _, rawURL := range rawURLs {
+		rawURL := strings.TrimSpace(rawURL)
+		if rawURL == "" {
+			continue
+		}
+		urlLower := strings.ToLower(rawURL)
+		isLDAPS := strings.HasPrefix(urlLower, "ldaps://")
+		isLDAP := strings.HasPrefix(urlLower, "ldap://")
+
+		// Validate that URL uses a supported protocol
+		if !isLDAPS && !isLDAP {
+			return fmt.Errorf("AD password rotation requires ldap:// or ldaps:// protocol, got: %s", rawURL)
+		}
+		// Track if any URL uses non-TLS ldap://
+		if isLDAP {
+			hasNonTLSURL = true
+		}
+	}
+	// If any URL uses ldap:// (non-TLS), require StartTLS to ensure encryption
+	if hasNonTLSURL && !startTLS {
+		return errors.New("AD password rotation with ldap:// requires starttls=true for encrypted connection")
+	}
+	return nil
+}
+
 const pathConfigRotateRootHelpSyn = `
 Request to rotate the LDAP credentials used by Vault
 `
diff --git a/builtin/credential/ldap/path_config_rotate_root_test.go b/builtin/credential/ldap/path_config_rotate_root_test.go
index c4790eca87..9840e3e90e 100644
--- a/builtin/credential/ldap/path_config_rotate_root_test.go
+++ b/builtin/credential/ldap/path_config_rotate_root_test.go
@@ -4,25 +4,31 @@
 package ldap
 
 import (
+	"bytes"
 	"context"
+	"encoding/binary"
 	"os"
+	"strings"
 	"testing"
+	"unicode/utf16"
 
-	"github.com/hashicorp/vault/helper/testhelpers/ldap"
 	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
+	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/hashicorp/vault/sdk/helper/ldaputil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
+// TestRotateRoot_DefaultSchema tests that the default schema type is used when not explicitly set and that rotation works in that case.
 // This test relies on a docker ldap server with a suitable person object (cn=admin,dc=planetexpress,dc=com)
-// with bindpassword "admin". `PrepareTestContainer` does this for us. - see the backend_test for more details
-func TestRotateRoot(t *testing.T) {
+// with bindpassword "admin". `PrepareTestContainer` does this for us - see the backend_test for more details.
+func TestRotateRoot_DefaultSchema(t *testing.T) {
 	if os.Getenv(logicaltest.TestEnvVar) == "" {
 		t.Skip("skipping rotate root tests because VAULT_ACC is unset")
 	}
 	ctx := context.Background()
 
 	b, store := createBackendWithStorage(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 	// set up auth config
 	req := &logical.Request{
@@ -57,6 +63,12 @@ func TestRotateRoot(t *testing.T) {
 	}
 
 	newCFG, err := b.Config(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to get config after rotation: %s", err)
+	}
+	if newCFG == nil {
+		t.Fatal("config is nil after rotation")
+	}
 	if newCFG.BindDN != cfg.BindDN {
 		t.Fatalf("a value in config that should have stayed the same changed: %s", cfg.BindDN)
 	}
@@ -76,7 +88,7 @@ func TestRotateRootWithRotationUrl(t *testing.T) {
 	ctx := context.Background()
 
 	b, store := createBackendWithStorage(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 	const mainDummyUrl = "ldap://example.com:389"
 	// set up auth config
@@ -113,6 +125,12 @@ func TestRotateRootWithRotationUrl(t *testing.T) {
 	}
 
 	newCFG, err := b.Config(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to get config after rotation: %s", err)
+	}
+	if newCFG == nil {
+		t.Fatal("config is nil after rotation")
+	}
 	if newCFG.BindDN != cfg.BindDN {
 		t.Fatalf("BindDN %q changed unexpectedly, found new value %q", cfg.BindDN, newCFG.BindDN)
 	}
@@ -124,3 +142,370 @@ func TestRotateRootWithRotationUrl(t *testing.T) {
 		t.Fatalf("URL %q changed unexpectedly, found new value %q", mainDummyUrl, newCFG.Url)
 	}
 }
+
+// TestRotateRoot_Schema_OpenLDAP tests that rotation for OpenLDAP schema
+func TestRotateRoot_Schema_OpenLDAP(t *testing.T) {
+	if os.Getenv(logicaltest.TestEnvVar) == "" {
+		t.Skip("skipping rotate root tests because VAULT_ACC is unset")
+	}
+	ctx := context.Background()
+	b, store := createBackendWithStorage(t)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
+	defer cleanup()
+	// set up auth config
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config",
+		Storage:   store,
+		Data: map[string]interface{}{
+			"url":      cfg.Url,
+			"binddn":   cfg.BindDN,
+			"bindpass": cfg.BindPassword,
+			"userdn":   cfg.UserDN,
+			"schema":   ldaputil.SchemaOpenLDAP,
+		},
+	}
+	resp, err := b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to initialize ldap auth config: %s", err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf("failed to initialize ldap auth config: %s", resp.Data["error"])
+	}
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config/rotate-root",
+		Storage:   store,
+	}
+	_, err = b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to rotate password: %s", err)
+	}
+	newCFG, err := b.Config(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to get config after rotation: %s", err)
+	}
+	if newCFG == nil {
+		t.Fatal("config is nil after rotation")
+	}
+	if newCFG.BindDN != cfg.BindDN {
+		t.Fatalf("a value in config that should have stayed the same changed: %s", cfg.BindDN)
+	}
+	if newCFG.BindPassword == cfg.BindPassword {
+		t.Fatalf("the password should have changed, but it didn't")
+	}
+}
+
+// TestRotateRoot_UnsupportedSchema tests unsupported schema handling
+func TestRotateRoot_UnsupportedSchema(t *testing.T) {
+	if os.Getenv(logicaltest.TestEnvVar) == "" {
+		t.Skip("skipping rotate root tests because VAULT_ACC is unset")
+	}
+	ctx := context.Background()
+	b, store := createBackendWithStorage(t)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
+	defer cleanup()
+	// set up auth config
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config",
+		Storage:   store,
+		Data: map[string]interface{}{
+			"url":      cfg.Url,
+			"binddn":   cfg.BindDN,
+			"bindpass": cfg.BindPassword,
+			"userdn":   cfg.UserDN,
+			"schema":   "unsupported_schema", // unsupported schema type
+		},
+	}
+
+	resp, err := b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("failed to initialize ldap auth config: %s", err)
+	}
+	// Config creation should fail with logical error
+	if resp == nil || !resp.IsError() {
+		t.Fatal("expected config creation to fail with unsupported schema type, but it succeeded")
+	}
+	// Verify error message contains expected text
+	errMsg := resp.Error().Error()
+	if !strings.Contains(errMsg, "unsupported schema type") {
+		t.Fatalf("expected error containing 'unsupported schema type', got: %s", errMsg)
+	}
+}
+
+// TestRotateRoot_EncodeUTF16LEBytes tests the encoding of UTF-16LE bytes for AD password modification.
+func TestRotateRoot_EncodeUTF16LEBytes(t *testing.T) {
+	tests := []struct {
+		name  string
+		input string
+	}{
+		{name: "empty_string", input: ""},
+		{name: "single_char", input: "A"},
+		{name: "quoted_password", input: "\"password\""},
+		{name: "alphanumeric_with_special", input: "Pass123!"},
+		{name: "unicode_chars", input: "Pāsswörd✓"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := encodeUTF16LEBytes(tt.input)
+			r := utf16.Encode([]rune(tt.input))
+			expected := make([]byte, len(r)*2)
+			for i, v := range r {
+				binary.LittleEndian.PutUint16(expected[i*2:], v)
+			}
+
+			if !bytes.Equal(got, expected) {
+				t.Fatalf("encodeUTF16LEBytes(%q) = %v, want %v", tt.input, got, expected)
+			}
+		})
+	}
+}
+
+// adTLSTestCase defines a test case for AD TLS validation
+type adTLSTestCase struct {
+	name           string
+	url            string
+	insecureTLS    bool
+	startTLS       bool
+	certificate    string
+	passwordPolicy string
+	expectError    bool
+	errorContains  string
+}
+
+// TestRotateRoot_AD_TLS_Validation tests TLS validation for AD schema
+func TestRotateRoot_AD_TLS_Validation(t *testing.T) {
+	tests := []adTLSTestCase{
+		// Valid: ldaps - TLS validation passes, connection refused immediately (no real server).
+		{
+			name:        "ldaps_valid",
+			url:         "ldaps://127.0.0.1:1",
+			insecureTLS: true,
+		},
+		// Valid: ldap + starttls - with optional cert and password policy
+		{
+			name:           "ldap_with_starttls_valid",
+			url:            "ldap://127.0.0.1:1",
+			startTLS:       true,
+			certificate:    testCert,
+			passwordPolicy: "test-policy",
+		},
+		// Invalid: ldap without starttls - must surface as LogicalErrorResponse
+		{
+			name:          "ldap_without_starttls_invalid",
+			url:           "ldap://example.com",
+			expectError:   true,
+			errorContains: "AD password rotation with ldap:// requires starttls=true for encrypted connection",
+		},
+		// Invalid: unsupported protocol - must surface as LogicalErrorResponse
+		{
+			name:          "invalid_protocol",
+			url:           "http://example.com",
+			expectError:   true,
+			errorContains: "AD password rotation requires ldap:// or ldaps:// protocol, got: http://example.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			testADTLSValidation(t, tt)
+		})
+	}
+}
+
+// Valid self-signed certificate for testing (shared across tests)
+const testCert = `-----BEGIN CERTIFICATE-----
+MIIB1jCCAUGgAwIBAgIFAMv4K9YwCwYJKoZIhvcNAQELMCkxEDAOBgNVBAoTB0Fj
+bWUgQ28xFTATBgNVBAMTDEVkZGFyZCBTdGFyazAeFw0xNTA1MDYwMzU2NDBaFw0x
+NjA1MDYwMzU2NDBaMCUxEDAOBgNVBAoTB0FjbWUgQ28xETAPBgNVBAMTCEpvbiBT
+bm93MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK6NU0R0eiCYVquU4RcjKc
+LzGfx0aa1lMr2TnLQUSeLFZHFxsyyMXXuMPig3HK4A7SGFHupO+/1H/sL4xpH5zg
+8+Zg2r8xnnney7abxcuv0uATWSIeKlNnb1ZO1BAxFnESc3GtyOCr2dUwZHX5mRVP
++Zxp2ni5qHNraf3wE2VPIQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCAKAwCwYJKoZI
+hvcNAQELA4GBAIr2F7wsqmEU/J/kLyrCgEVXgaV/sKZq4pPNnzS0tBYk8fkV3V18
+sBJyHKRLL/wFZASvzDcVGCplXyMdAOCyfd8jO3F9Ac/xdlz10RrHJT75hNu3a7/n
+9KNwKhfN4A1CQv2x372oGjRhCW5bHNCWx4PIVeNzCyq/KZhyY9sxHE1g
+-----END CERTIFICATE-----`
+
+// testADTLSValidation is a helper function that runs AD TLS validation tests
+func testADTLSValidation(t *testing.T, tt adTLSTestCase) {
+	t.Helper()
+	ctx := context.Background()
+	// Create fresh backend and storage for each subtest to avoid state bleeding
+	b, store := createBackendWithStorage(t)
+
+	data := map[string]interface{}{
+		"url":             tt.url,
+		"binddn":          "cn=admin,dc=example,dc=com",
+		"bindpass":        "password",
+		"userdn":          "ou=users,dc=example,dc=com",
+		"schema":          ldaputil.SchemaAD,
+		"insecure_tls":    tt.insecureTLS,
+		"starttls":        tt.startTLS,
+		"certificate":     tt.certificate,
+		"password_policy": tt.passwordPolicy,
+	}
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config",
+		Storage:   store,
+		Data:      data,
+	}
+
+	resp, err := b.HandleRequest(ctx, req)
+	if err != nil {
+		t.Fatalf("unexpected error during config: %v", err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf("unexpected response error during config: %v", resp.Error())
+	}
+
+	// Try to rotate - this is where TLS validation happens
+	rotateReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config/rotate-root",
+		Storage:   store,
+	}
+
+	rotateResp, rotateErr := b.HandleRequest(ctx, rotateReq)
+
+	if tt.expectError {
+		// responseError is returned as logical.ErrorResponse with nil error
+		if rotateResp == nil || !rotateResp.IsError() {
+			t.Fatalf("expected error response, got resp=%v", rotateResp)
+		}
+		errMsg := rotateResp.Error().Error()
+		if !strings.Contains(errMsg, tt.errorContains) {
+			t.Fatalf("expected error containing %q, got: %q", tt.errorContains, errMsg)
+		}
+	} else {
+		// For valid configs, TLS validation passes and we expect a connection error
+		// (no real LDAP server). The backend logs these at ERROR level,
+		// which is expected and does not indicate a test failure.
+		// Assert neither the Go error nor the response error is a TLS validation failure,
+		// proving execution got past the TLS checks.
+		if rotateErr != nil {
+			if isTLSValidationError(rotateErr.Error()) {
+				t.Fatalf("unexpected TLS validation error: %s", rotateErr)
+			}
+			// connection/bind error is expected — TLS validation passed
+		}
+		if rotateResp != nil && rotateResp.IsError() {
+			errMsg := rotateResp.Error().Error()
+			if isTLSValidationError(errMsg) {
+				t.Fatalf("unexpected TLS validation error in response: %s", errMsg)
+			}
+			// connection/bind error in response is expected — TLS validation passed
+		}
+	}
+}
+
+// isTLSValidationError checks if an error message is a TLS validation error
+func isTLSValidationError(msg string) bool {
+	return strings.Contains(msg, "AD password rotation with ldap:// requires starttls=true for encrypted connection") ||
+		strings.Contains(msg, "AD password rotation requires ldap:// or ldaps:// protocol, got:")
+}
+
+// TestValidateADRotationURLs tests the URL validation logic for AD password rotation
+func TestValidateADRotationURLs(t *testing.T) {
+	tests := []struct {
+		name      string
+		urlString string
+		startTLS  bool
+		wantErr   bool
+		errMsg    string
+	}{
+		{
+			name:      "single ldaps URL - valid",
+			urlString: "ldaps://secure.example.com",
+			startTLS:  false,
+			wantErr:   false,
+		},
+		{
+			name:      "single ldap URL with StartTLS - valid",
+			urlString: "ldap://example.com",
+			startTLS:  true,
+			wantErr:   false,
+		},
+		{
+			name:      "single ldap URL without StartTLS - invalid",
+			urlString: "ldap://example.com",
+			startTLS:  false,
+			wantErr:   true,
+			errMsg:    "starttls=true",
+		},
+		{
+			name:      "multiple ldaps URLs - valid",
+			urlString: "ldaps://server1.example.com,ldaps://server2.example.com",
+			startTLS:  false,
+			wantErr:   false,
+		},
+		{
+			name:      "multiple ldap URLs with StartTLS - valid",
+			urlString: "ldap://server1.example.com,ldap://server2.example.com",
+			startTLS:  true,
+			wantErr:   false,
+		},
+		{
+			name:      "mixed ldaps and ldap with StartTLS - valid",
+			urlString: "ldaps://server1.example.com,ldap://server2.example.com",
+			startTLS:  true,
+			wantErr:   false,
+		},
+		{
+			name:      "mixed ldaps and ldap without StartTLS - invalid",
+			urlString: "ldaps://server1.example.com,ldap://server2.example.com",
+			startTLS:  false,
+			wantErr:   true,
+			errMsg:    "starttls=true",
+		},
+		{
+			name:      "multiple ldap URLs without StartTLS - invalid",
+			urlString: "ldap://server1.example.com,ldap://server2.example.com",
+			startTLS:  false,
+			wantErr:   true,
+			errMsg:    "starttls=true",
+		},
+		{
+			name:      "invalid protocol - invalid",
+			urlString: "http://example.com",
+			startTLS:  false,
+			wantErr:   true,
+			errMsg:    "ldap:// or ldaps://",
+		},
+		{
+			name:      "empty URL - invalid",
+			urlString: "",
+			startTLS:  false,
+			wantErr:   true,
+			errMsg:    "requires a configured URL",
+		},
+		{
+			name:      "URL with spaces - valid",
+			urlString: "ldaps://server1.example.com, ldaps://server2.example.com",
+			startTLS:  false,
+			wantErr:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateADRotationURLs(tt.urlString, tt.startTLS)
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("validateADRotationURLs() expected error but got none")
+					return
+				}
+				if tt.errMsg != "" && !strings.Contains(err.Error(), tt.errMsg) {
+					t.Errorf("validateADRotationURLs() error = %v, want error containing %q", err, tt.errMsg)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("validateADRotationURLs() unexpected error = %v", err)
+				}
+			}
+		})
+	}
+}
diff --git a/builtin/credential/ldap/path_config_test.go b/builtin/credential/ldap/path_config_test.go
new file mode 100644
index 0000000000..4b2e377d2c
--- /dev/null
+++ b/builtin/credential/ldap/path_config_test.go
@@ -0,0 +1,113 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/ldaputil"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+// TestConfig_UpgradePath_Schema verifies that a ConfigEntry written to storage
+// before the "schema" field existed (i.e. Schema == "") is transparently
+// upgraded to the default value (SchemaOpenLDAP) when read back via Config().
+// This mirrors the upgrade handling already in place for CaseSensitiveNames
+// and UsePre111GroupCNBehavior.
+func TestConfig_UpgradePath_Schema(t *testing.T) {
+	ctx := context.Background()
+	b, store := createBackendWithStorage(t)
+
+	// Simulate a pre-existing stored config that has no "schema" key —
+	// i.e. data written before the field was introduced. We do this by
+	// marshalling a map that deliberately omits the field.
+	oldEntry := map[string]interface{}{
+		"url":      "ldap://127.0.0.1",
+		"userdn":   "ou=People,dc=example,dc=org",
+		"binddn":   "cn=admin,dc=example,dc=org",
+		"bindpass": "secret",
+		// "schema" intentionally absent
+		"CaseSensitiveNames":           false,
+		"use_pre111_group_cn_behavior": true,
+	}
+	raw, err := json.Marshal(oldEntry)
+	if err != nil {
+		t.Fatalf("failed to marshal old config entry: %s", err)
+	}
+	entry := &logical.StorageEntry{
+		Key:   "config",
+		Value: raw,
+	}
+	if err := store.Put(ctx, entry); err != nil {
+		t.Fatalf("failed to write legacy config to storage: %s", err)
+	}
+
+	// Read back via Config() — this should trigger the upgrade path.
+	req := &logical.Request{Storage: store}
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		t.Fatalf("Config() returned unexpected error: %s", err)
+	}
+	if cfg == nil {
+		t.Fatal("Config() returned nil; expected a valid ConfigEntry")
+	}
+
+	// Schema must be defaulted to SchemaOpenLDAP, not left as "".
+	if cfg.Schema != ldaputil.SchemaOpenLDAP {
+		t.Errorf("expected Schema=%q after upgrade, got %q", ldaputil.SchemaOpenLDAP, cfg.Schema)
+	}
+
+	// Verify the migrated value was persisted to storage.
+	persisted, err := store.Get(ctx, "config")
+	if err != nil {
+		t.Fatalf("failed to read persisted config: %s", err)
+	}
+	if persisted == nil {
+		t.Fatal("expected config to be re-persisted after upgrade, but nothing found in storage")
+	}
+	var persistedMap map[string]interface{}
+	if err := json.Unmarshal(persisted.Value, &persistedMap); err != nil {
+		t.Fatalf("failed to decode persisted config: %s", err)
+	}
+	if persistedMap["schema"] != ldaputil.SchemaOpenLDAP {
+		t.Errorf("persisted schema=%q; expected %q", persistedMap["schema"], ldaputil.SchemaOpenLDAP)
+	}
+}
+
+// TestConfig_UpgradePath_Schema_NoOverwrite ensures that an already-set schema
+// value is not overwritten by the upgrade logic.
+func TestConfig_UpgradePath_Schema_NoOverwrite(t *testing.T) {
+	ctx := context.Background()
+	b, store := createBackendWithStorage(t)
+
+	oldEntry := map[string]interface{}{
+		"url":                          "ldap://127.0.0.1",
+		"userdn":                       "ou=People,dc=example,dc=org",
+		"binddn":                       "cn=admin,dc=example,dc=org",
+		"bindpass":                     "secret",
+		"schema":                       ldaputil.SchemaAD, // explicitly set to AD
+		"CaseSensitiveNames":           false,
+		"use_pre111_group_cn_behavior": true,
+	}
+	raw, err := json.Marshal(oldEntry)
+	if err != nil {
+		t.Fatalf("failed to marshal config entry: %s", err)
+	}
+	entry := &logical.StorageEntry{Key: "config", Value: raw}
+	if err := store.Put(ctx, entry); err != nil {
+		t.Fatalf("failed to write config to storage: %s", err)
+	}
+
+	req := &logical.Request{Storage: store}
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		t.Fatalf("Config() returned unexpected error: %s", err)
+	}
+
+	if cfg.Schema != ldaputil.SchemaAD {
+		t.Errorf("expected Schema=%q to be preserved, got %q", ldaputil.SchemaAD, cfg.Schema)
+	}
+}
diff --git a/builtin/logical/aws/rotation_test.go b/builtin/logical/aws/rotation_test.go
index 71989b9cd9..d3e8ed9ea8 100644
--- a/builtin/logical/aws/rotation_test.go
+++ b/builtin/logical/aws/rotation_test.go
@@ -544,11 +544,7 @@ func Test_RotationQueueInitialized(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		NumCores:    2,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
 	err := client.Sys().Mount("aws", &api.MountInput{
 		Type: "aws",
diff --git a/builtin/logical/database/backend.go b/builtin/logical/database/backend.go
index 4609d27413..5a77ec85fd 100644
--- a/builtin/logical/database/backend.go
+++ b/builtin/logical/database/backend.go
@@ -39,7 +39,12 @@ const (
 	minRootCredRollbackAge  = 1 * time.Minute
 )
 
-var databaseConfigNameFromRotationIDRegex = regexp.MustCompile("^.+/config/(.+$)")
+var (
+	databaseInitTimeout                   = 10 * time.Second
+	databaseConfigNameFromRotationIDRegex = regexp.MustCompile("^.+/config/(.+$)")
+)
+
+var errDatabaseInitializeTimeout = errors.New("timeout exceeded during Initialize")
 
 type dbPluginInstance struct {
 	sync.RWMutex
@@ -380,6 +385,61 @@ func (b *databaseBackend) CloseIfShutdown(db *dbPluginInstance, err error) {
 	}
 }
 
+type initializeConnectionResult struct {
+	resp v5.InitializeResponse
+	err  error
+}
+
+// initializeConnection bounds how long Vault waits for plugin initialization.
+// Some drivers and plugins do not reliably honor context cancellation during
+// connection verification, so Initialize runs in a goroutine and is raced
+// against a timeout to keep rotation and connection creation from hanging
+// indefinitely while locks are held.
+func (b *databaseBackend) initializeConnection(ctx context.Context, dbw databaseVersionWrapper, initReq v5.InitializeRequest) (v5.InitializeResponse, error) {
+	timeoutCtx, cancel := context.WithTimeout(ctx, databaseInitTimeout)
+	defer cancel()
+
+	done := make(chan initializeConnectionResult, 1)
+
+	go func() {
+		resp, err := dbw.Initialize(timeoutCtx, initReq)
+		done <- initializeConnectionResult{resp: resp, err: err}
+	}()
+
+	select {
+	case result := <-done:
+		return result.resp, result.err
+	case <-timeoutCtx.Done():
+		// Preserve the caller's cancellation or deadline when it fired first.
+		if ctx.Err() != nil {
+			return v5.InitializeResponse{}, ctx.Err()
+		}
+		// This only bounds Vault's wait; the underlying Initialize call may still
+		// be blocked below the plugin boundary until that implementation notices cancellation.
+		return v5.InitializeResponse{}, fmt.Errorf("%w: %v", errDatabaseInitializeTimeout, timeoutCtx.Err())
+	}
+}
+
+// closeDatabaseWrapperAfterInitError treats init timeouts differently because a
+// synchronous Close can block behind the same stuck initialization path.
+func (b *databaseBackend) closeDatabaseWrapperAfterInitError(dbw databaseVersionWrapper, err error) {
+	/*
+	 * Use async close when the init goroutine may still be running. This
+	 * covers both Vault's own databaseInitTimeout sentinel and the case where
+	 * the caller's context fired first (path B1 in initializeConnection),
+	 * which returns the raw ctx.Err() rather than the wrapped sentinel.
+	 */
+	if errors.Is(err, errDatabaseInitializeTimeout) ||
+		errors.Is(err, context.DeadlineExceeded) ||
+		errors.Is(err, context.Canceled) {
+		// Let the caller unwind immediately; best-effort cleanup continues in the background.
+		go dbw.Close()
+		return
+	}
+
+	_ = dbw.Close()
+}
+
 // clean closes all connections from all database types
 // and cancels any rotation queue loading operation.
 func (b *databaseBackend) clean(_ context.Context) {
diff --git a/builtin/logical/database/backend_ce.go b/builtin/logical/database/backend_ce.go
index 977576429a..4462321831 100644
--- a/builtin/logical/database/backend_ce.go
+++ b/builtin/logical/database/backend_ce.go
@@ -56,9 +56,11 @@ func (b *databaseBackend) GetConnectionWithConfig(ctx context.Context, name stri
 		Config:           config.ConnectionDetails,
 		VerifyConnection: config.VerifyConnection,
 	}
-	_, err = dbw.Initialize(ctx, initReq)
+	// Bound cache-miss initialization so a blocked handshake cannot stall callers
+	// indefinitely while the connection creation lock is held.
+	_, err = b.initializeConnection(ctx, dbw, initReq)
 	if err != nil {
-		dbw.Close()
+		b.closeDatabaseWrapperAfterInitError(dbw, err)
 		return nil, err
 	}
 
diff --git a/builtin/logical/database/backend_ce_test.go b/builtin/logical/database/backend_ce_test.go
index 2326b3672f..c006184a08 100644
--- a/builtin/logical/database/backend_ce_test.go
+++ b/builtin/logical/database/backend_ce_test.go
@@ -19,7 +19,7 @@ import (
 	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
-	_ "github.com/jackc/pgx/v4"
+	_ "github.com/jackc/pgx/v5"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -28,9 +28,7 @@ func TestBackend_config_connection(t *testing.T) {
 	var resp *logical.Response
 	var err error
 
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
-
+	_, sys := getClusterPostgresDB(t)
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
 	config.System = sys
@@ -254,7 +252,6 @@ func TestBackend_connectionCrud(t *testing.T) {
 	t.Parallel()
 	dbFactory := &singletonDBFactory{}
 	cluster, sys := getClusterPostgresDBWithFactory(t, dbFactory.factory)
-	defer cluster.Cleanup()
 
 	dbFactory.sys = sys
 	client := cluster.Cores[0].Client.Logical()
diff --git a/builtin/logical/database/backend_get_test.go b/builtin/logical/database/backend_get_test.go
index dc1bd4b50d..fa3743d36a 100644
--- a/builtin/logical/database/backend_get_test.go
+++ b/builtin/logical/database/backend_get_test.go
@@ -5,9 +5,12 @@ package database
 
 import (
 	"context"
+	"errors"
 	"sync"
 	"testing"
+	"time"
 
+	v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -16,12 +19,14 @@ import (
 
 func newSystemViewWrapper(view logical.SystemView) logical.SystemView {
 	return &systemViewWrapper{
-		view,
+		SystemView: view,
 	}
 }
 
 type systemViewWrapper struct {
 	logical.SystemView
+	pluginName     string
+	builtinFactory func() (interface{}, error)
 }
 
 var _ logical.ExtendedSystemView = (*systemViewWrapper)(nil)
@@ -51,11 +56,21 @@ func (s *systemViewWrapper) GetPinnedPluginVersion(ctx context.Context, pluginTy
 }
 
 func (s *systemViewWrapper) LookupPluginVersion(ctx context.Context, pluginName string, pluginType consts.PluginType, version string) (*pluginutil.PluginRunner, error) {
+	name := s.pluginName
+	if name == "" {
+		name = mockv5
+	}
+
+	factory := s.builtinFactory
+	if factory == nil {
+		factory = New
+	}
+
 	return &pluginutil.PluginRunner{
-		Name:           mockv5,
+		Name:           name,
 		Type:           consts.PluginTypeDatabase,
 		Builtin:        true,
-		BuiltinFactory: New,
+		BuiltinFactory: factory,
 	}, nil
 }
 
@@ -77,6 +92,96 @@ func getDbBackend(t *testing.T) (*databaseBackend, logical.Storage) {
 	return b, config.StorageView
 }
 
+type blockingInitializeDatabase struct {
+	initializeDone chan struct{}
+}
+
+func newBlockingInitializeDatabase() (interface{}, error) {
+	return &blockingInitializeDatabase{initializeDone: make(chan struct{})}, nil
+}
+
+func (d *blockingInitializeDatabase) Initialize(context.Context, v5.InitializeRequest) (v5.InitializeResponse, error) {
+	<-d.initializeDone
+	return v5.InitializeResponse{}, nil
+}
+
+func (d *blockingInitializeDatabase) NewUser(context.Context, v5.NewUserRequest) (v5.NewUserResponse, error) {
+	return v5.NewUserResponse{}, nil
+}
+
+func (d *blockingInitializeDatabase) UpdateUser(context.Context, v5.UpdateUserRequest) (v5.UpdateUserResponse, error) {
+	return v5.UpdateUserResponse{}, nil
+}
+
+func (d *blockingInitializeDatabase) DeleteUser(context.Context, v5.DeleteUserRequest) (v5.DeleteUserResponse, error) {
+	return v5.DeleteUserResponse{}, nil
+}
+
+func (d *blockingInitializeDatabase) Type() (string, error) {
+	return mockV5Type, nil
+}
+
+func (d *blockingInitializeDatabase) Close() error {
+	close(d.initializeDone)
+	return nil
+}
+
+// slowCloseDatabase blocks in Close until closeCh is closed, so a synchronous
+// call to closeDatabaseWrapperAfterInitError would stall the test.
+type slowCloseDatabase struct {
+	closeCh chan struct{}
+}
+
+func (d *slowCloseDatabase) Initialize(context.Context, v5.InitializeRequest) (v5.InitializeResponse, error) {
+	return v5.InitializeResponse{}, nil
+}
+
+func (d *slowCloseDatabase) NewUser(context.Context, v5.NewUserRequest) (v5.NewUserResponse, error) {
+	return v5.NewUserResponse{}, nil
+}
+
+func (d *slowCloseDatabase) UpdateUser(context.Context, v5.UpdateUserRequest) (v5.UpdateUserResponse, error) {
+	return v5.UpdateUserResponse{}, nil
+}
+
+func (d *slowCloseDatabase) DeleteUser(context.Context, v5.DeleteUserRequest) (v5.DeleteUserResponse, error) {
+	return v5.DeleteUserResponse{}, nil
+}
+func (d *slowCloseDatabase) Type() (string, error) { return "slow-close", nil }
+func (d *slowCloseDatabase) Close() error {
+	<-d.closeCh
+	return nil
+}
+
+// TestCloseDatabaseWrapperAfterInitError_ContextCanceled_IsAsync verifies that
+// closeDatabaseWrapperAfterInitError does not block when the error is
+// context.Canceled (parent context fired before Vault's own databaseInitTimeout).
+// In that path the init goroutine may still be running, so Close must be async.
+// context.DeadlineExceeded is symmetric (same code branch), so a single test for
+// context.Canceled is sufficient.
+func TestCloseDatabaseWrapperAfterInitError_ContextCanceled_IsAsync(t *testing.T) {
+	closeCh := make(chan struct{})
+	dbw := databaseVersionWrapper{v5: &slowCloseDatabase{closeCh: closeCh}}
+
+	b := &databaseBackend{}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		b.closeDatabaseWrapperAfterInitError(dbw, context.Canceled)
+	}()
+
+	select {
+	case <-done:
+		// Good: function returned before Close() completed.
+	case <-time.After(100 * time.Millisecond):
+		t.Fatal("closeDatabaseWrapperAfterInitError blocked synchronously on Close() for context.Canceled")
+	}
+
+	// Unblock the background goroutine so it does not leak.
+	close(closeCh)
+}
+
 // TestGetConnectionRaceCondition checks that GetConnection always returns the same instance, even when asked
 // by multiple goroutines in parallel.
 func TestGetConnectionRaceCondition(t *testing.T) {
@@ -107,3 +212,54 @@ func TestGetConnectionRaceCondition(t *testing.T) {
 		}
 	}
 }
+
+// TestGetConnectionInitializeTimeout verifies GetConnection returns an initialize-timeout
+// error when plugin initialization blocks longer than the configured timeout
+func TestGetConnectionInitializeTimeout(t *testing.T) {
+	oldTimeout := databaseInitTimeout
+	databaseInitTimeout = 25 * time.Millisecond
+	defer func() {
+		databaseInitTimeout = oldTimeout
+	}()
+
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{
+		SystemView:     config.System,
+		builtinFactory: newBlockingInitializeDatabase,
+	}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	entry, err := logical.StorageEntryJSON("config/blocked", &DatabaseConfig{
+		AllowedRoles:      []string{"*"},
+		PluginName:        mockV5Type,
+		VerifyConnection:  true,
+		ConnectionDetails: map[string]interface{}{"connection_url": "unused"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	start := time.Now()
+	_, err = b.GetConnection(context.Background(), config.StorageView, "blocked")
+	if err == nil {
+		t.Fatal("expected timeout error")
+	}
+	if !errors.Is(err, errDatabaseInitializeTimeout) {
+		t.Fatalf("expected initialize timeout error, got: %v", err)
+	}
+	if elapsed := time.Since(start); elapsed > time.Second {
+		t.Fatalf("GetConnection took too long to fail: %s", elapsed)
+	}
+	if conn := b.connections.Get("blocked"); conn != nil {
+		t.Fatal("expected timed out connection to not be cached")
+	}
+}
diff --git a/builtin/logical/database/backend_test.go b/builtin/logical/database/backend_test.go
index 4c088b1579..8c063b7274 100644
--- a/builtin/logical/database/backend_test.go
+++ b/builtin/logical/database/backend_test.go
@@ -35,7 +35,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
-	_ "github.com/jackc/pgx/v4"
+	_ "github.com/jackc/pgx/v5"
 	"github.com/mitchellh/mapstructure"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -69,7 +69,6 @@ func getClusterWithFactory(t *testing.T, factory logical.Factory) (*vault.TestCl
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 
@@ -157,8 +156,7 @@ func TestBackend_RoleUpgrade(t *testing.T) {
 // TestBackend_BadConnectionString tests that an error response resulting from
 // a failed connection does not expose the URL. The middleware should sanitize it.
 func TestBackend_BadConnectionString(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -206,8 +204,7 @@ func TestBackend_BadConnectionString(t *testing.T) {
 }
 
 func TestBackend_basic(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -472,7 +469,6 @@ func TestBackend_connectionSanitizePrivateKey(t *testing.T) {
 	t.Parallel()
 	dbFactory := &singletonDBFactory{}
 	cluster, sys := getClusterPostgresDBWithFactory(t, dbFactory.factory)
-	defer cluster.Cleanup()
 
 	dbFactory.sys = sys
 	client := cluster.Cores[0].Client.Logical()
@@ -520,8 +516,7 @@ func TestBackend_connectionSanitizePrivateKey(t *testing.T) {
 }
 
 func TestBackend_roleCrud(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -773,8 +768,7 @@ func TestBackend_roleCrud(t *testing.T) {
 }
 
 func TestBackend_allowedRoles(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -784,7 +778,6 @@ func TestBackend_allowedRoles(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer b.Cleanup(context.Background())
 
 	cleanup, connURL := postgreshelper.PrepareTestContainer(t)
 	defer cleanup()
@@ -970,8 +963,7 @@ func TestBackend_allowedRoles(t *testing.T) {
 }
 
 func TestBackend_RotateRootCredentials(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -1071,8 +1063,7 @@ func TestBackend_RotateRootCredentials(t *testing.T) {
 }
 
 func TestBackend_ConnectionURL_redacted(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	t.Cleanup(cluster.Cleanup)
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -1185,7 +1176,6 @@ func TestBackend_ConnectionURL_redacted(t *testing.T) {
 // for each plugin type.
 func TestBackend_GetConnectionMetrics(t *testing.T) {
 	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
 
 	vault.TestAddTestPlugin(t, cluster.Cores[0].Core, "cassandra-database-plugin", consts.PluginTypeDatabase, "", "TestBackend_PluginMain_CassandraMultiplexed",
 		[]string{fmt.Sprintf("%s=%s", pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)})
@@ -1350,7 +1340,6 @@ func TestBackend_AsyncClose(t *testing.T) {
 	// longer than 750ms.
 	cluster, sys := getCluster(t)
 	vault.TestAddTestPlugin(t, cluster.Cores[0].Core, "hanging-plugin", consts.PluginTypeDatabase, "", "TestBackend_PluginMain_Hanging", []string{})
-	t.Cleanup(cluster.Cleanup)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -1393,8 +1382,8 @@ func TestBackend_AsyncClose(t *testing.T) {
 }
 
 func TestNewDatabaseWrapper_IgnoresBuiltinVersion(t *testing.T) {
-	cluster, sys := getCluster(t)
-	t.Cleanup(cluster.Cleanup)
+	_, sys := getCluster(t)
+
 	_, err := newDatabaseWrapper(context.Background(), "hana-database-plugin", "v1.0.0+builtin", sys, hclog.Default())
 	if err != nil {
 		t.Fatal(err)
diff --git a/builtin/logical/database/dbplugin/plugin_test.go b/builtin/logical/database/dbplugin/plugin_test.go
index f34cfc6edd..83cf149f9e 100644
--- a/builtin/logical/database/dbplugin/plugin_test.go
+++ b/builtin/logical/database/dbplugin/plugin_test.go
@@ -114,7 +114,6 @@ func getCluster(t *testing.T) (*vault.TestCluster, logical.SystemView) {
 	}, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
 	cores := cluster.Cores
 
 	sys := vault.TestDynamicSystemView(cores[0].Core, nil)
@@ -144,8 +143,7 @@ func TestPlugin_GRPC_Main(t *testing.T) {
 }
 
 func TestPlugin_Init(t *testing.T) {
-	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
+	_, sys := getCluster(t)
 
 	dbRaw, err := dbplugin.PluginFactoryVersion(namespace.RootContext(nil), "test-plugin", "", sys, log.NewNullLogger())
 	if err != nil {
@@ -168,8 +166,7 @@ func TestPlugin_Init(t *testing.T) {
 }
 
 func TestPlugin_CreateUser(t *testing.T) {
-	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
+	_, sys := getCluster(t)
 
 	db, err := dbplugin.PluginFactoryVersion(namespace.RootContext(nil), "test-plugin", "", sys, log.NewNullLogger())
 	if err != nil {
@@ -208,8 +205,7 @@ func TestPlugin_CreateUser(t *testing.T) {
 }
 
 func TestPlugin_RenewUser(t *testing.T) {
-	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
+	_, sys := getCluster(t)
 
 	db, err := dbplugin.PluginFactoryVersion(namespace.RootContext(nil), "test-plugin", "", sys, log.NewNullLogger())
 	if err != nil {
@@ -242,8 +238,7 @@ func TestPlugin_RenewUser(t *testing.T) {
 }
 
 func TestPlugin_RevokeUser(t *testing.T) {
-	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
+	_, sys := getCluster(t)
 
 	db, err := dbplugin.PluginFactoryVersion(namespace.RootContext(nil), "test-plugin", "", sys, log.NewNullLogger())
 	if err != nil {
diff --git a/builtin/logical/database/path_config_connection_ce.go b/builtin/logical/database/path_config_connection_ce.go
index c56115bb1a..d8d1a8b484 100644
--- a/builtin/logical/database/path_config_connection_ce.go
+++ b/builtin/logical/database/path_config_connection_ce.go
@@ -145,9 +145,11 @@ func (b *databaseBackend) connectionWriteHandler() framework.OperationFunc {
 			Config:           config.ConnectionDetails,
 			VerifyConnection: config.VerifyConnection,
 		}
-		initResp, err := dbw.Initialize(ctx, initReq)
+		// verify_connection can perform a live handshake here, so bound how long
+		// Vault waits before failing the write and releasing the caller.
+		initResp, err := b.initializeConnection(ctx, dbw, initReq)
 		if err != nil {
-			dbw.Close()
+			b.closeDatabaseWrapperAfterInitError(dbw, err)
 			return logical.ErrorResponse("error creating database object: %s", err), nil
 		}
 		config.ConnectionDetails = initResp.Config
diff --git a/builtin/logical/database/path_config_connection_test.go b/builtin/logical/database/path_config_connection_test.go
index 83a2c79bbb..07dd573bdb 100644
--- a/builtin/logical/database/path_config_connection_test.go
+++ b/builtin/logical/database/path_config_connection_test.go
@@ -15,8 +15,7 @@ import (
 )
 
 func TestWriteConfig_PluginVersionInStorage(t *testing.T) {
-	cluster, sys := getCluster(t)
-	t.Cleanup(cluster.Cleanup)
+	_, sys := getCluster(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -127,8 +126,7 @@ func TestWriteConfig_PluginVersionInStorage(t *testing.T) {
 }
 
 func TestWriteConfig_HelpfulErrorMessageWhenBuiltinOverridden(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	t.Cleanup(cluster.Cleanup)
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
diff --git a/builtin/logical/database/path_roles_test.go b/builtin/logical/database/path_roles_test.go
index 85cd4cd176..373a516d10 100644
--- a/builtin/logical/database/path_roles_test.go
+++ b/builtin/logical/database/path_roles_test.go
@@ -207,8 +207,7 @@ func TestBackend_Roles_CredentialTypes(t *testing.T) {
 }
 
 func TestBackend_StaticRole_Config(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -472,8 +471,7 @@ func TestBackend_StaticRole_Config(t *testing.T) {
 }
 
 func TestBackend_StaticRole_ReadCreds(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -652,8 +650,7 @@ func TestBackend_StaticRole_ReadCreds(t *testing.T) {
 }
 
 func TestBackend_StaticRole_Updates(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -951,8 +948,7 @@ func TestBackend_StaticRole_Updates_RotationSchedule(t *testing.T) {
 }
 
 func TestBackend_StaticRole_Role_name_check(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
diff --git a/builtin/logical/database/path_rotate_credentials.go b/builtin/logical/database/path_rotate_credentials.go
index c3242c0aee..f7caafe92f 100644
--- a/builtin/logical/database/path_rotate_credentials.go
+++ b/builtin/logical/database/path_rotate_credentials.go
@@ -189,9 +189,8 @@ func (b *databaseBackend) performRootRotation(ctx context.Context, req *logical.
 			if err != nil {
 				return nil, err
 			}
-			config.ConnectionDetails["private_key"] = string(newPrivateKey)
-
 			oldPrivateKey := config.ConnectionDetails["private_key"].(string)
+			config.ConnectionDetails["private_key"] = string(newPrivateKey)
 			walEntry = NewRotateRootCredentialsWALPrivateKeyEntry(name, rootUsername, string(newPublicKey), string(newPrivateKey), oldPrivateKey)
 			updateReq = v5.UpdateUserRequest{
 				Username:       rootUsername,
@@ -210,9 +209,8 @@ func (b *databaseBackend) performRootRotation(ctx context.Context, req *logical.
 		if err != nil {
 			return nil, err
 		}
-		config.ConnectionDetails["password"] = newPassword
-
 		oldPassword := config.ConnectionDetails["password"].(string)
+		config.ConnectionDetails["password"] = newPassword
 		walEntry = NewRotateRootCredentialsWALPasswordEntry(name, rootUsername, newPassword, oldPassword)
 		updateReq = v5.UpdateUserRequest{
 			Username:       rootUsername,
diff --git a/builtin/logical/database/path_rotate_credentials_test.go b/builtin/logical/database/path_rotate_credentials_test.go
index 14570224fd..274508e228 100644
--- a/builtin/logical/database/path_rotate_credentials_test.go
+++ b/builtin/logical/database/path_rotate_credentials_test.go
@@ -19,8 +19,7 @@ func TestRotateRootPassword_Postgres(t *testing.T) {
 	cleanup, connURL := postgreshelper.PrepareTestContainer(t)
 	defer cleanup()
 
-	cluster, sys := getClusterWithFactory(t, Factory)
-	defer cluster.Cleanup()
+	_, sys := getClusterWithFactory(t, Factory)
 
 	connURL = strings.Replace(connURL, "postgres:secret", "{{username}}:{{password}}", 1)
 
@@ -50,8 +49,7 @@ func TestRotateRootKeypair_Snowflake_Acc(t *testing.T) {
 		t.Skip("VAULT_SNOWFLAKE_USERNAME not set, skipping test")
 	}
 
-	cluster, sys := getClusterWithFactory(t, Factory)
-	defer cluster.Cleanup()
+	_, sys := getClusterWithFactory(t, Factory)
 
 	testRotateRoot(t, sys, false, connURL, "snowflake-database-plugin", username, string(keyFile))
 }
diff --git a/builtin/logical/database/rollback.go b/builtin/logical/database/rollback.go
index d1b3b07c40..bb16407756 100644
--- a/builtin/logical/database/rollback.go
+++ b/builtin/logical/database/rollback.go
@@ -5,7 +5,12 @@ package database
 
 import (
 	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
+	"fmt"
+	"strings"
 
 	"github.com/hashicorp/vault/sdk/database/dbplugin"
 	v5 "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
@@ -18,6 +23,10 @@ import (
 // WAL storage key used for the rollback of root database credentials
 const rotateRootWALKey = "rotateRootWALKey"
 
+// snowflakeErrJWTTokenInvalid is the Snowflake server-side error code for JWT
+// authentication failure.
+const snowflakeErrJWTTokenInvalid = "390144"
+
 // WAL entry used for the rollback of root database credentials
 type rotateRootCredentialsWAL struct {
 	ConnectionName string
@@ -71,6 +80,25 @@ func (b *databaseBackend) walRollback(ctx context.Context, req *logical.Request,
 		return err
 	}
 
+	// Route based on credential type in the WAL entry.
+	if entry.NewPrivateKey != "" {
+		// Stored key matches WAL new key: rotation completed, WAL not yet deleted.
+		if config.ConnectionDetails["private_key"] == entry.NewPrivateKey {
+			b.Logger().Info("WAL rollback: private key already rotated, nothing to roll back",
+				"connection", entry.ConnectionName)
+			return nil
+		}
+
+		b.Logger().Warn("WAL rollback: private key out of sync, starting rollback",
+			"connection", entry.ConnectionName, "username", entry.UserName)
+
+		if err := b.ClearConnection(entry.ConnectionName); err != nil {
+			return err
+		}
+
+		return b.rollbackDatabasePrivateKey(ctx, config, entry)
+	}
+
 	// The password in storage doesn't match the new password
 	// in the WAL entry. This means there was a partial failure
 	// to update either the database or storage.
@@ -90,6 +118,16 @@ func (b *databaseBackend) walRollback(ctx context.Context, req *logical.Request,
 			return nil
 		}
 
+		// An initialization timeout means the database was unreachable within
+		// Vault's deadline, not that the stored credentials are wrong. A timeout
+		// is not a reliable signal of credential state: the rotation may have
+		// already applied the new password before the database became slow.
+		// Returning the error here lets the WAL framework retry later rather
+		// than risking a rollback that reverts a successfully rotated credential.
+		if errors.Is(err, errDatabaseInitializeTimeout) {
+			return err
+		}
+
 		return b.rollbackDatabaseCredentials(ctx, config, entry)
 	}
 
@@ -138,3 +176,84 @@ func (b *databaseBackend) rollbackDatabaseCredentials(ctx context.Context, confi
 	}
 	return err
 }
+
+// rollbackDatabasePrivateKey restores the old public key on Snowflake for key-pair
+// auth connections by connecting with the new private key and issuing ALTER USER.
+func (b *databaseBackend) rollbackDatabasePrivateKey(ctx context.Context, config *DatabaseConfig, entry rotateRootCredentialsWAL) error {
+	oldPublicKey, err := derivePublicKeyFromPrivateKeyPEM(entry.OldPrivateKey)
+	if err != nil {
+		return fmt.Errorf("failed to derive old public key for rollback: %w", err)
+	}
+
+	config.ConnectionDetails["private_key"] = entry.NewPrivateKey
+	dbi, err := b.GetConnectionWithConfig(ctx, entry.ConnectionName, config)
+	if err != nil {
+		b.Logger().Error("WAL rollback: failed to connect using new private key", "connection", entry.ConnectionName, "error", err.Error())
+		return err
+	}
+
+	defer func() {
+		if err := b.ClearConnection(entry.ConnectionName); err != nil {
+			b.Logger().Error("error closing database plugin connection", "error", err)
+		}
+	}()
+
+	b.Logger().Info("WAL rollback: restoring old public key on Snowflake", "connection", entry.ConnectionName, "username", entry.UserName)
+
+	updateReq := v5.UpdateUserRequest{
+		Username:       entry.UserName,
+		CredentialType: v5.CredentialTypeRSAPrivateKey,
+		PublicKey: &v5.ChangePublicKey{
+			NewPublicKey: oldPublicKey,
+			Statements: v5.Statements{
+				Commands: config.RootCredentialsRotateStatements,
+			},
+		},
+	}
+
+	_, err = dbi.database.UpdateUser(ctx, updateReq, false)
+	if status.Code(err) == codes.Unimplemented || err == dbplugin.ErrPluginStaticUnsupported {
+		return nil
+	}
+	if err != nil {
+		// Snowflake error 390144 means JWT authentication failed. This occurs when
+		// the new private key was never registered with Snowflake (crash before UpdateUser),
+		// so the system is already consistent with the old key — delete the WAL cleanly.
+		if strings.Contains(err.Error(), snowflakeErrJWTTokenInvalid) {
+			b.Logger().Info("WAL rollback: new private key rejected by Snowflake (crash before UpdateUser), system already consistent",
+				"connection", entry.ConnectionName)
+			return nil
+		}
+		b.Logger().Error("WAL rollback: failed to restore old public key", "connection", entry.ConnectionName, "error", err.Error())
+		return err
+	}
+	b.Logger().Info("WAL rollback: successfully restored old public key", "connection", entry.ConnectionName, "username", entry.UserName)
+	return nil
+}
+
+func derivePublicKeyFromPrivateKeyPEM(privateKeyPEM string) ([]byte, error) {
+	block, _ := pem.Decode([]byte(privateKeyPEM))
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block from private key")
+	}
+
+	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	rsaKey, ok := key.(*rsa.PrivateKey)
+	if !ok {
+		return nil, fmt.Errorf("private key is not an RSA key")
+	}
+
+	pubKeyBytes, err := x509.MarshalPKIXPublicKey(&rsaKey.PublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal public key: %w", err)
+	}
+
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: pubKeyBytes,
+	}), nil
+}
diff --git a/builtin/logical/database/rollback_test.go b/builtin/logical/database/rollback_test.go
index a3d48c5a49..eecf8715e3 100644
--- a/builtin/logical/database/rollback_test.go
+++ b/builtin/logical/database/rollback_test.go
@@ -5,6 +5,11 @@ package database
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
 	"strings"
 	"testing"
 	"time"
@@ -19,6 +24,7 @@ import (
 const (
 	databaseUser    = "postgres"
 	defaultPassword = "secret"
+	newPrivateKey   = "new-private-key-pem"
 )
 
 // Tests that the WAL rollback function rolls back the database password.
@@ -27,8 +33,7 @@ const (
 //   - Password has been altered on the database
 //   - Password has not been updated in storage
 func TestBackend_RotateRootCredentials_WAL_rollback(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -165,8 +170,7 @@ func TestBackend_RotateRootCredentials_WAL_rollback(t *testing.T) {
 //   - Password has not been altered on the database
 //   - Password has not been updated in storage
 func TestBackend_RotateRootCredentials_WAL_no_rollback_1(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -264,8 +268,7 @@ func TestBackend_RotateRootCredentials_WAL_no_rollback_1(t *testing.T) {
 //   - Password has been altered on the database
 //   - Password has been updated in storage
 func TestBackend_RotateRootCredentials_WAL_no_rollback_2(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -408,3 +411,415 @@ func TestBackend_RotateRootCredentials_WAL_no_rollback_2(t *testing.T) {
 		t.Fatalf("err:%s resp:%v\n", err, credResp)
 	}
 }
+
+// failingInitializeDatabase is a v5.Database mock whose Initialize always
+// returns a fixed error. Used to simulate a persistent connection failure
+// (wrong credentials, network refused) without a blocking timeout.
+type failingInitializeDatabase struct {
+	err error
+}
+
+func (d *failingInitializeDatabase) Initialize(_ context.Context, _ v5.InitializeRequest) (v5.InitializeResponse, error) {
+	return v5.InitializeResponse{}, d.err
+}
+
+func (d *failingInitializeDatabase) NewUser(_ context.Context, _ v5.NewUserRequest) (v5.NewUserResponse, error) {
+	return v5.NewUserResponse{}, nil
+}
+
+func (d *failingInitializeDatabase) UpdateUser(_ context.Context, _ v5.UpdateUserRequest) (v5.UpdateUserResponse, error) {
+	return v5.UpdateUserResponse{}, nil
+}
+
+func (d *failingInitializeDatabase) DeleteUser(_ context.Context, _ v5.DeleteUserRequest) (v5.DeleteUserResponse, error) {
+	return v5.DeleteUserResponse{}, nil
+}
+func (d *failingInitializeDatabase) Type() (string, error) { return mockV5Type, nil }
+func (d *failingInitializeDatabase) Close() error          { return nil }
+
+// TestWalRollback_InitializeTimeout_SkipsRollback verifies that a transient
+// errDatabaseInitializeTimeout from GetConnection does not trigger
+// rollbackDatabaseCredentials. The timeout only means the database was slow;
+// it says nothing about whether credentials were already rotated successfully.
+func TestWalRollback_InitializeTimeout_SkipsRollback(t *testing.T) {
+	oldTimeout := databaseInitTimeout
+	databaseInitTimeout = 25 * time.Millisecond
+	defer func() { databaseInitTimeout = oldTimeout }()
+
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{
+		SystemView:     config.System,
+		builtinFactory: newBlockingInitializeDatabase,
+	}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	entry, err := logical.StorageEntryJSON("config/mydb", &DatabaseConfig{
+		AllowedRoles:     []string{"*"},
+		VerifyConnection: true,
+		PluginName:       mockV5Type,
+		ConnectionDetails: map[string]interface{}{
+			"password": "original-pass",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	walEntry := &rotateRootCredentialsWAL{
+		ConnectionName: "mydb",
+		UserName:       "root",
+		NewPassword:    "new-pass", // != "original-pass": enters the credential-verification branch
+		OldPassword:    "original-pass",
+	}
+	err = b.walRollback(context.Background(), &logical.Request{Storage: config.StorageView}, rotateRootWALKey, walEntry)
+	if !errors.Is(err, errDatabaseInitializeTimeout) {
+		t.Fatalf("expected errDatabaseInitializeTimeout to propagate, got: %v", err)
+	}
+}
+
+// TestWalRollback_ConnectionFailed_TriggersRollback verifies that a
+// non-timeout connection failure still reaches rollbackDatabaseCredentials,
+// preserving the existing behavior for genuine authentication failures.
+func TestWalRollback_ConnectionFailed_TriggersRollback(t *testing.T) {
+	connErr := errors.New("connection refused: invalid credentials")
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{
+		SystemView: config.System,
+		builtinFactory: func() (interface{}, error) {
+			return &failingInitializeDatabase{err: connErr}, nil
+		},
+	}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	entry, err := logical.StorageEntryJSON("config/mydb", &DatabaseConfig{
+		AllowedRoles:     []string{"*"},
+		VerifyConnection: true,
+		PluginName:       mockV5Type,
+		ConnectionDetails: map[string]interface{}{
+			"password": "original-pass",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	walEntry := &rotateRootCredentialsWAL{
+		ConnectionName: "mydb",
+		UserName:       "root",
+		NewPassword:    "new-pass",
+		OldPassword:    "original-pass",
+	}
+	err = b.walRollback(context.Background(), &logical.Request{Storage: config.StorageView}, rotateRootWALKey, walEntry)
+	// A non-timeout failure must not be swallowed: rollbackDatabaseCredentials is
+	// called and its error (from a second failed GetConnectionWithConfig) propagates.
+	if errors.Is(err, errDatabaseInitializeTimeout) {
+		t.Fatal("timeout sentinel must not appear for a non-timeout connection failure")
+	}
+	if err == nil {
+		t.Fatal("expected rollbackDatabaseCredentials to return an error")
+	}
+}
+
+// configuredUpdateUserDatabase is a v5.Database mock whose Initialize always
+// succeeds and whose UpdateUser returns a configurable error (nil for success).
+type configuredUpdateUserDatabase struct {
+	updateUserErr error
+}
+
+func (d *configuredUpdateUserDatabase) Initialize(_ context.Context, _ v5.InitializeRequest) (v5.InitializeResponse, error) {
+	return v5.InitializeResponse{}, nil
+}
+
+func (d *configuredUpdateUserDatabase) NewUser(_ context.Context, _ v5.NewUserRequest) (v5.NewUserResponse, error) {
+	return v5.NewUserResponse{}, nil
+}
+
+func (d *configuredUpdateUserDatabase) UpdateUser(_ context.Context, _ v5.UpdateUserRequest) (v5.UpdateUserResponse, error) {
+	return v5.UpdateUserResponse{}, d.updateUserErr
+}
+
+func (d *configuredUpdateUserDatabase) DeleteUser(_ context.Context, _ v5.DeleteUserRequest) (v5.DeleteUserResponse, error) {
+	return v5.DeleteUserResponse{}, nil
+}
+
+func (d *configuredUpdateUserDatabase) Type() (string, error) { return mockV5Type, nil }
+func (d *configuredUpdateUserDatabase) Close() error          { return nil }
+
+// generateTestRSAPrivateKeyPEM generates a 2048-bit RSA private key in
+// PKCS#8 PEM format suitable for use with derivePublicKeyFromPrivateKeyPEM.
+func generateTestRSAPrivateKeyPEM(t *testing.T) string {
+	t.Helper()
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keyBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return string(pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: keyBytes,
+	}))
+}
+
+// TestWalRollback_PrivateKey_RotationCompleted_NoRollback verifies that when
+// the private key already stored matches the WAL new key, walRollback returns
+// nil immediately — the rotation completed and the WAL simply wasn't deleted.
+func TestWalRollback_PrivateKey_RotationCompleted_NoRollback(t *testing.T) {
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{SystemView: config.System}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	entry, err := logical.StorageEntryJSON("config/mydb", &DatabaseConfig{
+		AllowedRoles: []string{"*"},
+		PluginName:   mockV5Type,
+		ConnectionDetails: map[string]interface{}{
+			// Stored key matches WAL new key: rotation completed, WAL not yet GC'd.
+			"private_key": newPrivateKey,
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	walEntry := &rotateRootCredentialsWAL{
+		ConnectionName: "mydb",
+		UserName:       "root",
+		NewPrivateKey:  newPrivateKey,
+		OldPrivateKey:  "old-private-key-pem",
+	}
+	err = b.walRollback(context.Background(), &logical.Request{Storage: config.StorageView}, rotateRootWALKey, walEntry)
+	if err != nil {
+		t.Fatalf("expected no error when rotation already completed, got: %v", err)
+	}
+}
+
+// TestWalRollback_PrivateKey_ConnectionFails_ReturnsError verifies that when
+// connecting with the WAL new private key fails, the error propagates.
+func TestWalRollback_PrivateKey_ConnectionFails_ReturnsError(t *testing.T) {
+	connErr := errors.New("JWT token rejected: invalid key pair")
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{
+		SystemView: config.System,
+		builtinFactory: func() (interface{}, error) {
+			return &failingInitializeDatabase{err: connErr}, nil
+		},
+	}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	oldPrivateKey := generateTestRSAPrivateKeyPEM(t)
+
+	entry, err := logical.StorageEntryJSON("config/mydb", &DatabaseConfig{
+		AllowedRoles:     []string{"*"},
+		VerifyConnection: true,
+		PluginName:       mockV5Type,
+		ConnectionDetails: map[string]interface{}{
+			// Stored key does not match new key: out-of-sync, triggers rollback path.
+			"private_key": "old-private-key-pem",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	walEntry := &rotateRootCredentialsWAL{
+		ConnectionName: "mydb",
+		UserName:       "root",
+		NewPrivateKey:  "new-private-key-pem",
+		OldPrivateKey:  oldPrivateKey,
+	}
+	err = b.walRollback(context.Background(), &logical.Request{Storage: config.StorageView}, rotateRootWALKey, walEntry)
+	if err == nil {
+		t.Fatal("expected connection error to propagate, got nil")
+	}
+}
+
+// TestWalRollback_PrivateKey_UpdateUserFails_ReturnsError verifies that a
+// UpdateUser error propagates so the WAL framework can retry.
+func TestWalRollback_PrivateKey_UpdateUserFails_ReturnsError(t *testing.T) {
+	updateErr := errors.New("internal server error")
+
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{
+		SystemView: config.System,
+		builtinFactory: func() (interface{}, error) {
+			return &configuredUpdateUserDatabase{updateUserErr: updateErr}, nil
+		},
+	}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	oldPrivateKey := generateTestRSAPrivateKeyPEM(t)
+
+	entry, err := logical.StorageEntryJSON("config/mydb", &DatabaseConfig{
+		AllowedRoles:     []string{"*"},
+		VerifyConnection: true,
+		PluginName:       mockV5Type,
+		ConnectionDetails: map[string]interface{}{
+			"private_key": "old-private-key-pem",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	walEntry := &rotateRootCredentialsWAL{
+		ConnectionName: "mydb",
+		UserName:       "root",
+		NewPrivateKey:  "new-private-key-pem",
+		OldPrivateKey:  oldPrivateKey,
+	}
+	err = b.walRollback(context.Background(), &logical.Request{Storage: config.StorageView}, rotateRootWALKey, walEntry)
+	if err == nil {
+		t.Fatal("expected UpdateUser error to propagate, got nil")
+	}
+}
+
+// TestWalRollback_PrivateKey_RollbackSucceeds verifies the happy path: when the
+// stored key is out-of-sync with the WAL new key and UpdateUser succeeds,
+// walRollback returns nil indicating the rollback completed successfully.
+func TestWalRollback_PrivateKey_RollbackSucceeds(t *testing.T) {
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{
+		SystemView: config.System,
+		builtinFactory: func() (interface{}, error) {
+			return &configuredUpdateUserDatabase{updateUserErr: nil}, nil
+		},
+	}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	oldPrivateKey := generateTestRSAPrivateKeyPEM(t)
+
+	entry, err := logical.StorageEntryJSON("config/mydb", &DatabaseConfig{
+		AllowedRoles:     []string{"*"},
+		VerifyConnection: true,
+		PluginName:       mockV5Type,
+		ConnectionDetails: map[string]interface{}{
+			"private_key": "old-private-key-pem",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	walEntry := &rotateRootCredentialsWAL{
+		ConnectionName: "mydb",
+		UserName:       "root",
+		NewPrivateKey:  "new-private-key-pem",
+		OldPrivateKey:  oldPrivateKey,
+	}
+	err = b.walRollback(context.Background(), &logical.Request{Storage: config.StorageView}, rotateRootWALKey, walEntry)
+	if err != nil {
+		t.Fatalf("expected successful rollback, got: %v", err)
+	}
+}
+
+// TestWalRollback_PrivateKey_SnowflakeJWTError_TreatsAsNoOp verifies the
+// crash-before-UpdateUser safety path: when UpdateUser returns a Snowflake
+// 390144 JWT error, the new private key was never registered with Snowflake,
+// so the system is already consistent with the old key. walRollback must
+// return nil to cleanly delete the WAL rather than retrying indefinitely.
+func TestWalRollback_PrivateKey_SnowflakeJWTError_TreatsAsNoOp(t *testing.T) {
+	// Simulate the error Snowflake returns when the JWT is signed with a key
+	// it has never seen. The error crosses the gRPC plugin boundary as a plain
+	// string, so it is matched via strings.Contains against the error code.
+	jwtErr := errors.New("390144 (08001): JWT token is invalid")
+
+	config := logical.TestBackendConfig()
+	config.System = &systemViewWrapper{
+		SystemView: config.System,
+		builtinFactory: func() (interface{}, error) {
+			return &configuredUpdateUserDatabase{updateUserErr: jwtErr}, nil
+		},
+	}
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend(config)
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+	defer b.Cleanup(context.Background())
+
+	oldPrivateKey := generateTestRSAPrivateKeyPEM(t)
+
+	entry, err := logical.StorageEntryJSON("config/mydb", &DatabaseConfig{
+		AllowedRoles:     []string{"*"},
+		VerifyConnection: true,
+		PluginName:       mockV5Type,
+		ConnectionDetails: map[string]interface{}{
+			// Stored key does not match new key: rollback path is entered.
+			"private_key": "old-private-key-pem",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := config.StorageView.Put(context.Background(), entry); err != nil {
+		t.Fatal(err)
+	}
+
+	walEntry := &rotateRootCredentialsWAL{
+		ConnectionName: "mydb",
+		UserName:       "root",
+		NewPrivateKey:  "new-private-key-pem",
+		OldPrivateKey:  oldPrivateKey,
+	}
+	err = b.walRollback(context.Background(), &logical.Request{Storage: config.StorageView}, rotateRootWALKey, walEntry)
+	if err != nil {
+		t.Fatalf("expected 390144 JWT error to be treated as no-op (nil), got: %v", err)
+	}
+}
diff --git a/builtin/logical/database/rotation.go b/builtin/logical/database/rotation.go
index 19e66d1447..76c425a775 100644
--- a/builtin/logical/database/rotation.go
+++ b/builtin/logical/database/rotation.go
@@ -29,6 +29,8 @@ const (
 	staticWALKey = "staticRotationKey"
 )
 
+var staticUpdateUserTimeout = 10 * time.Second
+
 // populateQueue loads the priority queue with existing static accounts. This
 // occurs at initialization, after any WAL entries of failed or interrupted
 // rotations have been processed. It lists the roles from storage and searches
@@ -538,7 +540,27 @@ func (b *databaseBackend) setStaticAccount(ctx context.Context, s logical.Storag
 		b.Logger().Debug("writing WAL", "role", input.RoleName, "WAL ID", output.WALID)
 	}
 
-	_, err = dbi.database.UpdateUser(ctx, updateReq, false)
+	timeoutCtx, cancel := context.WithTimeout(ctx, staticUpdateUserTimeout)
+	defer cancel()
+	updateUserTimeoutErr := errors.New("timeout exceeded during UpdateUser")
+
+	done := make(chan error, 1)
+
+	go func() {
+		_, e := dbi.database.UpdateUser(timeoutCtx, updateReq, false)
+		done <- e
+	}()
+
+	select {
+	case err = <-done:
+	case <-timeoutCtx.Done():
+		if ctx.Err() != nil {
+			err = ctx.Err()
+		} else {
+			err = updateUserTimeoutErr
+		}
+	}
+
 	if err != nil {
 		b.CloseIfShutdown(dbi, err)
 		if usedCredentialFromPreviousRotation {
@@ -547,11 +569,11 @@ func (b *databaseBackend) setStaticAccount(ctx context.Context, s logical.Storag
 				b.Logger().Warn("failed to delete WAL", "error", err, "WAL ID", output.WALID)
 			}
 
-			// Generate a new WAL entry and credential for next attempt
 			output.WALID = ""
 		}
 		return output, fmt.Errorf("error setting credentials: %w", err)
 	}
+
 	modified = true
 
 	// static user password successfully updated in external system
diff --git a/builtin/logical/database/rotation_test.go b/builtin/logical/database/rotation_test.go
index 251d8d1468..075f353f2c 100644
--- a/builtin/logical/database/rotation_test.go
+++ b/builtin/logical/database/rotation_test.go
@@ -25,7 +25,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/queue"
-	_ "github.com/jackc/pgx/v4/stdlib"
+	_ "github.com/jackc/pgx/v5/stdlib"
 	"github.com/robfig/cron/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -44,8 +44,7 @@ const (
 )
 
 func TestBackend_StaticRole_Rotation_basic(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -253,8 +252,7 @@ func TestBackend_StaticRole_Rotation_basic(t *testing.T) {
 // rotations can successfully recover and that they do not occur outside of a
 // rotation window.
 func TestBackend_StaticRole_Rotation_Schedule_ErrorRecover(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	t.Cleanup(cluster.Cleanup)
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -441,8 +439,7 @@ func TestBackend_StaticRole_Rotation_Schedule_ErrorRecover(t *testing.T) {
 // for non-static accounts, which doesn't make sense anyway, but doesn't hurt to
 // verify we return an error
 func TestBackend_StaticRole_Rotation_NonStaticError(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -545,8 +542,7 @@ func TestBackend_StaticRole_Rotation_NonStaticError(t *testing.T) {
 }
 
 func TestBackend_StaticRole_Rotation_Revoke_user(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -723,8 +719,7 @@ func verifyPgConn(t *testing.T, username, password, connURL string) {
 //
 // First scenario, WAL contains a role name that does not exist.
 func TestBackend_StaticRole_Rotation_QueueWAL_discard_role_not_found(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	ctx := context.Background()
 
@@ -764,8 +759,7 @@ func TestBackend_StaticRole_Rotation_QueueWAL_discard_role_not_found(t *testing.
 // Second scenario, WAL contains a role name that does exist, but the role's
 // LastVaultRotation is greater than the WAL has
 func TestBackend_StaticRole_Rotation_QueueWAL_discard_role_newer_rotation_date(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	ctx := context.Background()
 
@@ -1029,8 +1023,7 @@ func TestBackend_StaticRole_Rotation_MongoDBAtlas(t *testing.T) {
 // does not break on invalid values.
 func TestQueueTickIntervalKeyConfig(t *testing.T) {
 	t.Parallel()
-	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
+	_, sys := getCluster(t)
 
 	values := []string{"1", "0", "-1"}
 	for _, v := range values {
@@ -1060,8 +1053,7 @@ func testBackend_StaticRole_Rotations(t *testing.T, createUser userCreator, opts
 		}
 	}()
 
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -1224,8 +1216,7 @@ type createUserCommand struct {
 
 // Demonstrates a bug fix for the credential rotation not releasing locks
 func TestBackend_StaticRole_Rotation_LockRegression(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -1303,8 +1294,7 @@ func TestBackend_StaticRole_Rotation_LockRegression(t *testing.T) {
 }
 
 func TestBackend_StaticRole_Rotation_Invalid_Role(t *testing.T) {
-	cluster, sys := getClusterPostgresDB(t)
-	defer cluster.Cleanup()
+	_, sys := getClusterPostgresDB(t)
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
@@ -1706,6 +1696,47 @@ func TestRotationSchedulePriorityAfterRestart(t *testing.T) {
 	require.Equal(t, newPriority, firstPriority) // confirm that priority has not changed
 }
 
+// TestRotateRole_BlockedUpdateUser_TimesOut verifies rotate-role returns quickly
+// with a timeout error when UpdateUser blocks past Vault's timeout window.
+func TestRotateRole_BlockedUpdateUser_TimesOut(t *testing.T) {
+	ctx := context.Background()
+	b, storage, mockDB := getBackend(t)
+	defer b.Cleanup(ctx)
+	configureDBMount(t, storage)
+
+	oldTimeout := staticUpdateUserTimeout
+	staticUpdateUserTimeout = 25 * time.Millisecond
+	defer func() { staticUpdateUserTimeout = oldTimeout }()
+
+	roleName := "hashicorp"
+	data := map[string]interface{}{
+		"username":        "hashicorp",
+		"db_name":         "mockv5",
+		"rotation_period": "10m",
+	}
+	createRoleWithData(t, b, storage, mockDB, roleName, data)
+
+	blockCh := make(chan struct{})
+	defer close(blockCh)
+	mockDB.On("UpdateUser", mock.Anything, mock.Anything).
+		Run(func(args mock.Arguments) {
+			<-blockCh
+		}).
+		Return(v5.UpdateUserResponse{}, nil).
+		Once()
+
+	start := time.Now()
+	_, err := b.HandleRequest(ctx, &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "rotate-role/" + roleName,
+		Storage:   storage,
+	})
+
+	require.Error(t, err)
+	require.ErrorContains(t, err, "timeout exceeded during UpdateUser")
+	require.Less(t, time.Since(start), time.Second, "rotate-role should return promptly on update timeout")
+}
+
 func generateWALFromFailedRotation(t *testing.T, b *databaseBackend, storage logical.Storage, mockDB *mockNewDatabase, roleName string) {
 	t.Helper()
 	mockDB.On("UpdateUser", mock.Anything, mock.Anything).
diff --git a/builtin/logical/database/versioning_large_test.go b/builtin/logical/database/versioning_large_test.go
index 0251fe86bf..a191aad852 100644
--- a/builtin/logical/database/versioning_large_test.go
+++ b/builtin/logical/database/versioning_large_test.go
@@ -23,7 +23,6 @@ import (
 
 func TestPlugin_lifecycle(t *testing.T) {
 	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
 
 	env := []string{fmt.Sprintf("%s=%s", pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)}
 	vault.TestAddTestPlugin(t, cluster.Cores[0].Core, "mock-v4-database-plugin", consts.PluginTypeDatabase, "", "TestBackend_PluginMain_MockV4", env)
@@ -224,7 +223,6 @@ func TestPlugin_lifecycle(t *testing.T) {
 
 func TestPlugin_VersionSelection(t *testing.T) {
 	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
 
 	for _, version := range []string{"v11.0.0", "v11.0.1-rc1", "v2.0.0"} {
 		vault.TestAddTestPlugin(t, cluster.Cores[0].Core, "mock-v5-database-plugin", consts.PluginTypeDatabase, version, "TestBackend_PluginMain_MockV5", []string{})
@@ -337,7 +335,6 @@ func TestPlugin_VersionSelection(t *testing.T) {
 
 func TestPlugin_VersionMustBeExplicitlyUpgraded(t *testing.T) {
 	cluster, sys := getCluster(t)
-	defer cluster.Cleanup()
 
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
diff --git a/builtin/logical/pki/acme_billing_test.go b/builtin/logical/pki/acme_billing_test.go
index d2fbd92677..67b71ef3f7 100644
--- a/builtin/logical/pki/acme_billing_test.go
+++ b/builtin/logical/pki/acme_billing_test.go
@@ -32,7 +32,6 @@ func TestACMEBilling(t *testing.T) {
 	timeutil.SkipAtEndOfMonth(t)
 
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	var activeCore *vault.TestClusterCore
 	{
diff --git a/builtin/logical/pki/acme_challenges.go b/builtin/logical/pki/acme_challenges.go
index b5eade5fcc..967ade931f 100644
--- a/builtin/logical/pki/acme_challenges.go
+++ b/builtin/logical/pki/acme_challenges.go
@@ -12,6 +12,7 @@ import (
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -48,7 +49,7 @@ func ValidateKeyAuthorization(keyAuthz string, token string, thumbprint string)
 	tokenPart := parts[0]
 	thumbprintPart := parts[1]
 
-	if token != tokenPart || thumbprint != thumbprintPart {
+	if subtle.ConstantTimeCompare([]byte(token), []byte(tokenPart)) != 1 || subtle.ConstantTimeCompare([]byte(thumbprint), []byte(thumbprintPart)) != 1 {
 		return false, fmt.Errorf("%w: %s", ErrIncorrectResponse, fmt.Errorf("key authorization was invalid").Error())
 	}
 
@@ -118,6 +119,102 @@ func buildDialerConfig(config *acmeConfigEntry) (*net.Dialer, error) {
 	}, nil
 }
 
+func isIPInCIDRList(cidrList []string, ip net.IP) bool {
+	if len(cidrList) == 0 {
+		return false
+	}
+
+	for _, cidr := range cidrList {
+		_, ipNet, err := net.ParseCIDR(cidr)
+		if err == nil && ipNet.Contains(ip) {
+			return true
+		}
+
+		allowedIP := net.ParseIP(cidr)
+		if allowedIP != nil && allowedIP.Equal(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func isValidChallengeIP(config *acmeConfigEntry, ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	// Check excluded list first - it takes precedence
+	if isIPInCIDRList(config.ChallengeExcludedIPRanges, ip) {
+		return false
+	}
+
+	// Check permitted list - if IP is in permitted list, allow it
+	if isIPInCIDRList(config.ChallengePermittedIPRanges, ip) {
+		return true
+	}
+
+	// If permitted list is configured but IP is not in it, reject it
+	if len(config.ChallengePermittedIPRanges) > 0 {
+		return false
+	}
+
+	// Vault is often deployed on private networks, so avoid a blanket private
+	// range denylist here and instead reject obviously unsafe targets.
+	if ip.IsLoopback() || ip.IsUnspecified() || ip.IsMulticast() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return false
+	}
+
+	return ip.IsGlobalUnicast()
+}
+
+func dialACMEValidationTarget(ctx context.Context, config *acmeConfigEntry, dialer *net.Dialer, network string, address string) (net.Conn, error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return dialer.DialContext(ctx, network, address)
+	}
+
+	if ip := net.ParseIP(host); ip != nil {
+		if !isValidChallengeIP(config, ip) {
+			return nil, fmt.Errorf("%w: validation target resolved to a disallowed ip range", ErrRejectedIdentifier)
+		}
+
+		return dialer.DialContext(ctx, network, address)
+	}
+
+	if dialer.Resolver == nil {
+		return dialer.DialContext(ctx, network, address)
+	}
+
+	ips, err := dialer.Resolver.LookupIPAddr(ctx, host)
+	if err != nil {
+		return nil, err
+	}
+
+	var lastErr error
+	var foundAllowed bool
+	for _, candidate := range ips {
+		if !isValidChallengeIP(config, candidate.IP) {
+			continue
+		}
+
+		foundAllowed = true
+
+		conn, err := dialer.DialContext(ctx, network, net.JoinHostPort(candidate.IP.String(), port))
+		if err == nil {
+			return conn, nil
+		}
+
+		lastErr = err
+	}
+
+	if !foundAllowed {
+		return nil, fmt.Errorf("%w: validation target resolved to a disallowed ip range", ErrRejectedIdentifier)
+	}
+
+	return nil, lastErr
+}
+
 // Validates a given ACME http-01 challenge against the specified domain,
 // per RFC 8555.
 //
@@ -142,7 +239,9 @@ func ValidateHTTP01Challenge(domain string, token string, thumbprint string, con
 
 		// We'd rather timeout and re-attempt validation later than hang
 		// too many validators waiting for slow hosts.
-		DialContext:           dialer.DialContext,
+		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+			return dialACMEValidationTarget(ctx, config, dialer, network, address)
+		},
 		ResponseHeaderTimeout: 10 * time.Second,
 	}
 
@@ -167,6 +266,10 @@ func ValidateHTTP01Challenge(domain string, token string, thumbprint string, con
 
 	resp, err := client.Get(path)
 	if err != nil {
+		if errors.Is(err, ErrRejectedIdentifier) {
+			return false, fmt.Errorf("%w: http-01: validation target resolved to a disallowed ip range", ErrRejectedIdentifier)
+		}
+
 		return false, fmt.Errorf("%w: %s", ErrConnection, fmt.Errorf("http-01: failed to fetch path %v: %w", path, err).Error())
 	}
 
@@ -469,8 +572,12 @@ func ValidateTLSALPN01Challenge(domain string, token string, thumbprint string,
 	// > 3. The ACME server initiates a TLS connection to the chosen IP
 	// >    address. This connection MUST use TCP port 443.
 	address := fmt.Sprintf("%v:"+ALPNPort, domain)
-	conn, err := dialer.Dial("tcp", address)
+	conn, err := dialACMEValidationTarget(context.Background(), config, dialer, "tcp", address)
 	if err != nil {
+		if errors.Is(err, ErrRejectedIdentifier) {
+			return false, fmt.Errorf("%w: tls-alpn-01: validation target resolved to a disallowed ip range", ErrRejectedIdentifier)
+		}
+
 		return false, fmt.Errorf("%w: %s", ErrConnection, fmt.Errorf("tls-alpn-01: failed to dial host: %w", err).Error())
 	}
 
diff --git a/builtin/logical/pki/acme_challenges_test.go b/builtin/logical/pki/acme_challenges_test.go
index ac845e735f..21b0d9e114 100644
--- a/builtin/logical/pki/acme_challenges_test.go
+++ b/builtin/logical/pki/acme_challenges_test.go
@@ -17,6 +17,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"math/big"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"strconv"
@@ -26,6 +27,7 @@ import (
 
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/sdk/helper/testhelpers/dnstest"
+	"github.com/miekg/dns"
 	"github.com/stretchr/testify/require"
 )
 
@@ -95,6 +97,59 @@ var keyAuthorizationTestCases = []keyAuthorizationTestCase{
 	},
 }
 
+func startLocalDNSServer(t *testing.T, records map[string]net.IP) string {
+	t.Helper()
+
+	handler := dns.NewServeMux()
+	handler.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) {
+		msg := new(dns.Msg)
+		msg.SetReply(r)
+
+		for _, q := range r.Question {
+			if q.Qtype != dns.TypeA {
+				continue
+			}
+
+			name := strings.TrimSuffix(strings.ToLower(q.Name), ".")
+			ip, ok := records[name]
+			if !ok {
+				continue
+			}
+
+			a := ip.To4()
+			if a == nil {
+				continue
+			}
+
+			msg.Answer = append(msg.Answer, &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   q.Name,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    0,
+				},
+				A: a,
+			})
+		}
+
+		_ = w.WriteMsg(msg)
+	})
+
+	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	srv := &dns.Server{PacketConn: pc, Handler: handler}
+	go func() {
+		_ = srv.ActivateAndServe()
+	}()
+
+	t.Cleanup(func() {
+		_ = srv.Shutdown()
+	})
+
+	return pc.LocalAddr().String()
+}
+
 func TestAcmeValidateKeyAuthorization(t *testing.T) {
 	t.Parallel()
 
@@ -149,7 +204,9 @@ func TestAcmeValidateHTTP01Challenge(t *testing.T) {
 				defer ts.Close()
 
 				host := ts.URL[7:]
-				isValid, err := ValidateHTTP01Challenge(host, tc.token, tc.thumbprint, &acmeConfigEntry{})
+				isValid, err := ValidateHTTP01Challenge(host, tc.token, tc.thumbprint, &acmeConfigEntry{
+					ChallengePermittedIPRanges: []string{"127.0.0.1/32", "::1/128"},
+				})
 				if !isValid && err == nil {
 					t.Fatalf("[tc=%d/handler=%d] expected failure to give reason via err (%v / %v)", index, handlerIndex, isValid, err)
 				}
@@ -198,7 +255,9 @@ func TestAcmeValidateHTTP01Challenge(t *testing.T) {
 			defer ts.Close()
 
 			host := ts.URL[7:]
-			isValid, err := ValidateHTTP01Challenge(host, "my-token", "my-thumbprint", &acmeConfigEntry{})
+			isValid, err := ValidateHTTP01Challenge(host, "my-token", "my-thumbprint", &acmeConfigEntry{
+				ChallengePermittedIPRanges: []string{"127.0.0.1/32", "::1/128"},
+			})
 			if isValid || err == nil {
 				t.Fatalf("[handler=%d] expected failure validating challenge (%v / %v)", handlerIndex, isValid, err)
 			}
@@ -206,6 +265,30 @@ func TestAcmeValidateHTTP01Challenge(t *testing.T) {
 	}
 }
 
+// TestAcmeValidateHTTP01ChallengeRejectsLoopbackViaDNS verifies that hosts that
+// resolve to localhost are rejected.
+func TestAcmeValidateHTTP01ChallengeRejectsLoopbackViaDNS(t *testing.T) {
+	t.Parallel()
+
+	host := "acme-ipfilter-http01.example.test"
+	dnsAddr := startLocalDNSServer(t, map[string]net.IP{
+		host: net.IPv4(127, 0, 0, 1),
+	})
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = w.Write([]byte("my-token.my-thumbprint"))
+	}))
+	defer ts.Close()
+
+	port := strconv.Itoa(ts.Listener.Addr().(*net.TCPAddr).Port)
+	config := &acmeConfigEntry{DNSResolver: dnsAddr}
+
+	isValid, err := ValidateHTTP01Challenge(net.JoinHostPort(host, port), "my-token", "my-thumbprint", config)
+	require.False(t, isValid)
+	require.Error(t, err)
+	require.ErrorIs(t, err, ErrRejectedIdentifier)
+}
+
 func TestAcmeValidateDNS01Challenge(t *testing.T) {
 	t.Parallel()
 
@@ -243,7 +326,9 @@ func TestAcmeValidateTLSALPN01Challenge(t *testing.T) {
 	// This test is not parallel because we modify ALPNPort to use a custom
 	// non-standard port _just for testing purposes_.
 	host := "localhost"
-	config := &acmeConfigEntry{}
+	config := &acmeConfigEntry{
+		ChallengePermittedIPRanges: []string{"127.0.0.1/32", "::1/128"},
+	}
 
 	log := hclog.L()
 
@@ -717,6 +802,47 @@ func TestAcmeValidateTLSALPN01Challenge(t *testing.T) {
 	}
 }
 
+// TestAcmeValidateTLSALPN01ChallengeRejectsLoopbackViaDNS verifies that hosts
+// that resolve to localhost are rejected.
+func TestAcmeValidateTLSALPN01ChallengeRejectsLoopbackViaDNS(t *testing.T) {
+	host := "acme-ipfilter-tlsalpn01.example.test"
+	dnsAddr := startLocalDNSServer(t, map[string]net.IP{
+		host: net.IPv4(127, 0, 0, 1),
+	})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer ln.Close()
+
+	go func() {
+		conn, err := ln.Accept()
+		if err == nil {
+			_ = conn.Close()
+		}
+	}()
+
+	oldPort := ALPNPort
+	ALPNPort = strconv.Itoa(ln.Addr().(*net.TCPAddr).Port)
+	defer func() {
+		ALPNPort = oldPort
+	}()
+
+	config := &acmeConfigEntry{DNSResolver: dnsAddr}
+	isValid, err := ValidateTLSALPN01Challenge(host, "my-token", "my-thumbprint", config)
+	require.False(t, isValid)
+	require.Error(t, err)
+	require.ErrorIs(t, err, ErrRejectedIdentifier)
+}
+
+// TestDialACMEValidationTargetRejectsLoopbackLiteral verifies that localhost is
+// rejected as a valid validation target.
+func TestDialACMEValidationTargetRejectsLoopbackLiteral(t *testing.T) {
+	conn, err := dialACMEValidationTarget(context.Background(), &acmeConfigEntry{}, &net.Dialer{Timeout: time.Second}, "tcp", "127.0.0.1:1")
+	require.Nil(t, conn)
+	require.Error(t, err)
+	require.ErrorIs(t, err, ErrRejectedIdentifier)
+}
+
 // TestAcmeValidateHttp01TLSRedirect verify that we allow a http-01 challenge to redirect
 // to a TLS server and not validate the certificate chain is valid. We don't validate the
 // TLS chain as we would have accepted the auth over a non-secured channel anyway had
@@ -744,7 +870,9 @@ func TestAcmeValidateHttp01TLSRedirect(t *testing.T) {
 			defer ts.Close()
 
 			host := ts.URL[len("http://"):]
-			isValid, err := ValidateHTTP01Challenge(host, tc.token, tc.thumbprint, &acmeConfigEntry{})
+			isValid, err := ValidateHTTP01Challenge(host, tc.token, tc.thumbprint, &acmeConfigEntry{
+				ChallengePermittedIPRanges: []string{"127.0.0.1/32", "::1/128"},
+			})
 			if !isValid && err == nil {
 				st.Fatalf("[tc=%d] expected failure to give reason via err (%v / %v)", index, isValid, err)
 			}
@@ -756,3 +884,206 @@ func TestAcmeValidateHttp01TLSRedirect(t *testing.T) {
 		})
 	}
 }
+
+// TestAcmeValidateHTTP01ChallengeRedirectHonorsPermittedIPRanges verifies that
+// redirected validation targets are still subject to the HTTP-01 IP allowlist.
+func TestAcmeValidateHTTP01ChallengeRedirectHonorsPermittedIPRanges(t *testing.T) {
+	t.Parallel()
+
+	for _, redirectScheme := range []string{"http", "https"} {
+		t.Run(redirectScheme, func(st *testing.T) {
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				http.Redirect(w, r, fmt.Sprintf("%s://10.0.0.1:12345%s", redirectScheme, r.URL.Path), http.StatusMovedPermanently)
+			}))
+			defer ts.Close()
+
+			host := ts.URL[7:] // Remove "http://"
+
+			isValid, err := ValidateHTTP01Challenge(host, "my-token", "my-thumbprint", &acmeConfigEntry{
+				ChallengePermittedIPRanges: []string{"127.0.0.1/32"},
+			})
+			require.False(st, isValid)
+			require.Error(st, err)
+			require.ErrorIs(st, err, ErrRejectedIdentifier)
+		})
+	}
+}
+
+// TestIsValidChallengeIP tests the excluded CIDR list functionality
+func TestIsValidChallengeIP(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name               string
+		permittedIPRanges  []string
+		excludedIPRanges   []string
+		testIP             string
+		shouldBeDisallowed bool
+	}{
+		{
+			name:               "nil IP should be disallowed",
+			permittedIPRanges:  []string{},
+			excludedIPRanges:   []string{},
+			testIP:             "",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "loopback IP should be disallowed by default",
+			permittedIPRanges:  []string{},
+			excludedIPRanges:   []string{},
+			testIP:             "127.0.0.1",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "public IP should be allowed by default",
+			permittedIPRanges:  []string{},
+			excludedIPRanges:   []string{},
+			testIP:             "8.8.8.8",
+			shouldBeDisallowed: false,
+		},
+		{
+			name:               "IP in excluded list should be rejected",
+			permittedIPRanges:  []string{},
+			excludedIPRanges:   []string{"8.8.8.0/24"},
+			testIP:             "8.8.8.8",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "IP in excluded list (exact match) should be rejected",
+			permittedIPRanges:  []string{},
+			excludedIPRanges:   []string{"8.8.8.8"},
+			testIP:             "8.8.8.8",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "excluded list takes precedence over permitted list",
+			permittedIPRanges:  []string{"8.8.8.0/24"},
+			excludedIPRanges:   []string{"8.8.8.8"},
+			testIP:             "8.8.8.8",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "IP in permitted list but not excluded should be allowed",
+			permittedIPRanges:  []string{"8.8.8.0/24"},
+			excludedIPRanges:   []string{"8.8.4.0/24"},
+			testIP:             "8.8.8.8",
+			shouldBeDisallowed: false,
+		},
+		{
+			name:               "loopback in permitted list should be allowed",
+			permittedIPRanges:  []string{"127.0.0.1/32"},
+			excludedIPRanges:   []string{},
+			testIP:             "127.0.0.1",
+			shouldBeDisallowed: false,
+		},
+		{
+			name:               "private IP with permitted list should be rejected if not in list",
+			permittedIPRanges:  []string{"8.8.8.0/24"},
+			excludedIPRanges:   []string{},
+			testIP:             "192.168.1.1",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "IPv6 loopback should be disallowed by default",
+			permittedIPRanges:  []string{},
+			excludedIPRanges:   []string{},
+			testIP:             "::1",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "IPv6 in excluded list should be rejected",
+			permittedIPRanges:  []string{},
+			excludedIPRanges:   []string{"2001:db8::/32"},
+			testIP:             "2001:db8::1",
+			shouldBeDisallowed: true,
+		},
+		{
+			name:               "IPv6 in permitted list should be allowed",
+			permittedIPRanges:  []string{"2001:db8::/32"},
+			excludedIPRanges:   []string{},
+			testIP:             "2001:db8::1",
+			shouldBeDisallowed: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(st *testing.T) {
+			config := &acmeConfigEntry{
+				ChallengePermittedIPRanges: tc.permittedIPRanges,
+				ChallengeExcludedIPRanges:  tc.excludedIPRanges,
+			}
+
+			var ip net.IP
+			if tc.testIP != "" {
+				ip = net.ParseIP(tc.testIP)
+				if ip == nil {
+					st.Fatalf("failed to parse test IP: %s", tc.testIP)
+				}
+			}
+
+			result := !isValidChallengeIP(config, ip)
+			if result != tc.shouldBeDisallowed {
+				st.Fatalf("expected isDisallowed=%v, got %v for IP %s with permitted=%v, excluded=%v",
+					tc.shouldBeDisallowed, result, tc.testIP, tc.permittedIPRanges, tc.excludedIPRanges)
+			}
+		})
+	}
+}
+
+// TestAcmeValidateHTTP01ChallengeWithExcludedIPRange tests HTTP-01 validation with excluded CIDRs
+func TestAcmeValidateHTTP01ChallengeWithExcludedIPRange(t *testing.T) {
+	t.Parallel()
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("my-token.my-thumbprint"))
+	}))
+	defer ts.Close()
+
+	host := ts.URL[7:] // Remove "http://"
+
+	// Test with excluded localhost
+	config := &acmeConfigEntry{
+		ChallengeExcludedIPRanges: []string{"127.0.0.0/8", "::1/128"},
+	}
+
+	isValid, err := ValidateHTTP01Challenge(host, "my-token", "my-thumbprint", config)
+	require.False(t, isValid)
+	require.Error(t, err)
+	require.ErrorIs(t, err, ErrRejectedIdentifier)
+}
+
+// TestAcmeValidateTLSALPN01ChallengeWithExcludedIPRange tests TLS-ALPN-01 validation with excluded CIDRs
+func TestAcmeValidateTLSALPN01ChallengeWithExcludedIPRange(t *testing.T) {
+	host := "acme-excluded-cidr.example.test"
+	dnsAddr := startLocalDNSServer(t, map[string]net.IP{
+		host: net.IPv4(127, 0, 0, 1),
+	})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer ln.Close()
+
+	go func() {
+		conn, err := ln.Accept()
+		if err == nil {
+			_ = conn.Close()
+		}
+	}()
+
+	oldPort := ALPNPort
+	ALPNPort = strconv.Itoa(ln.Addr().(*net.TCPAddr).Port)
+	defer func() {
+		ALPNPort = oldPort
+	}()
+
+	// Test with excluded 127.0.0.0/8 range
+	config := &acmeConfigEntry{
+		DNSResolver:               dnsAddr,
+		ChallengeExcludedIPRanges: []string{"127.0.0.0/8"},
+	}
+
+	isValid, err := ValidateTLSALPN01Challenge(host, "my-token", "my-thumbprint", config)
+	require.False(t, isValid)
+	require.Error(t, err)
+	require.ErrorIs(t, err, ErrRejectedIdentifier)
+}
diff --git a/builtin/logical/pki/acme_jws.go b/builtin/logical/pki/acme_jws.go
index d7207b7fcc..bbf7e99200 100644
--- a/builtin/logical/pki/acme_jws.go
+++ b/builtin/logical/pki/acme_jws.go
@@ -15,16 +15,15 @@ import (
 )
 
 var AllowedOuterJWSTypes = map[string]interface{}{
-	"RS256":  true,
-	"RS384":  true,
-	"RS512":  true,
-	"PS256":  true,
-	"PS384":  true,
-	"PS512":  true,
-	"ES256":  true,
-	"ES384":  true,
-	"ES512":  true,
-	"EdDSA2": true,
+	"RS256": true,
+	"RS384": true,
+	"RS512": true,
+	"PS256": true,
+	"PS384": true,
+	"PS512": true,
+	"ES256": true,
+	"ES384": true,
+	"ES512": true,
 }
 
 var AllowedEabJWSTypes = map[string]interface{}{
diff --git a/builtin/logical/pki/acme_state.go b/builtin/logical/pki/acme_state.go
index 755c08141b..273d028481 100644
--- a/builtin/logical/pki/acme_state.go
+++ b/builtin/logical/pki/acme_state.go
@@ -164,15 +164,6 @@ func (a *acmeState) writeConfig(sc *storageContext, config *acmeConfigEntry) (*a
 	return config, nil
 }
 
-func generateRandomBase64(srcBytes int) (string, error) {
-	data := make([]byte, 21)
-	if _, err := io.ReadFull(rand.Reader, data); err != nil {
-		return "", err
-	}
-
-	return base64.RawURLEncoding.EncodeToString(data), nil
-}
-
 func (a *acmeState) GetNonce() (string, time.Time, error) {
 	return a.nonces.Get()
 }
@@ -720,5 +711,10 @@ func getOrderPath(accountId string, orderId string) string {
 }
 
 func getACMEToken() (string, error) {
-	return generateRandomBase64(tokenBytes)
+	data := make([]byte, tokenBytes)
+	if _, err := io.ReadFull(rand.Reader, data); err != nil {
+		return "", err
+	}
+
+	return base64.RawURLEncoding.EncodeToString(data), nil
 }
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index bf0e9cb70e..9c8f9e02a6 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -26,7 +26,6 @@ import (
 	"net"
 	"net/url"
 	"os"
-	"os/exec"
 	"reflect"
 	"slices"
 	"sort"
@@ -51,6 +50,7 @@ import (
 	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
 	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
 	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
 	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
@@ -261,6 +261,41 @@ func TestPKI_DeviceCert(t *testing.T) {
 	}
 }
 
+// TestPKI_NotAfterRespectsRoleMaxTTL tests that the not_after time is respected and does not exceed the role's max_ttl.
+func TestPKI_NotAfterRespectsRoleMaxTTL(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	_, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "myvault.com",
+		"ttl":         "3h",
+	})
+	require.NoError(t, err)
+	_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
+		"allowed_domains":    "example.com",
+		"allow_bare_domains": true,
+		"max_ttl":            "1h",
+	})
+	require.NoError(t, err)
+
+	now := time.Now()
+	// Issue a certificate with a requested not_after time that exceeds the role's max_ttl.
+	resp, err := CBWrite(b, s, "issue/example", map[string]interface{}{
+		"common_name": "example.com",
+		"not_after":   now.Add(2 * time.Hour).Format(time.RFC3339),
+	})
+	require.NoError(t, err)
+
+	var certBundle certutil.CertBundle
+	err = mapstructure.Decode(resp.Data, &certBundle)
+	require.NoError(t, err)
+
+	parsedCertBundle, err := certBundle.ToParsedCertBundle()
+	require.NoError(t, err)
+
+	require.WithinDuration(t, now.Add(time.Hour), parsedCertBundle.Certificate.NotAfter, 5*time.Second)
+}
+
 func TestBackend_InvalidParameter(t *testing.T) {
 	t.Parallel()
 	b, s := CreateBackendWithStorage(t)
@@ -936,7 +971,7 @@ func generateTestCsr(t *testing.T, keyType certutil.PrivateKeyType, keyBits int)
 
 	csrTemplate := x509.CertificateRequest{
 		Subject: pkix.Name{
-			Country:      []string{"MyCountry"},
+			Country:      []string{"MC"},
 			PostalCode:   []string{"MyPostalCode"},
 			SerialNumber: "MySerialNumber",
 			CommonName:   "my@example.com",
@@ -1561,10 +1596,10 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
 	}
 	// Country tests
 	{
-		roleVals.Country = []string{"foo"}
+		roleVals.Country = []string{"jp"}
 		addTests(getCountryCheck(roleVals))
 
-		roleVals.Country = []string{"foo", "bar"}
+		roleVals.Country = []string{"us", "ca"}
 		addTests(getCountryCheck(roleVals))
 	}
 	// OU tests
@@ -2414,9 +2449,10 @@ func runTestSignVerbatim(t *testing.T, keyType string) {
 	}
 
 	// Now check signing a certificate using the not_after input using the Y10K value
+	// Note that we do not specify the role in the sign-verbatim request, so the role's max TTL does not apply
 	resp, err = b.HandleRequest(context.Background(), &logical.Request{
 		Operation: logical.UpdateOperation,
-		Path:      "sign-verbatim/test",
+		Path:      "sign-verbatim",
 		Storage:   storage,
 		Data: map[string]interface{}{
 			"csr":       pemCSR,
@@ -3646,8 +3682,6 @@ func TestBackend_AllowedURISANsTemplate(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	// Write test policy for userpass auth method.
@@ -3771,8 +3805,6 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	// Write test policy for userpass auth method.
@@ -3904,8 +3936,7 @@ func TestReadWriteDeleteRoles(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// Mount PKI.
@@ -4152,8 +4183,7 @@ func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
+
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
@@ -5633,8 +5663,7 @@ func TestBackend_IfModifiedSinceHeaders(t *testing.T) {
 		HandlerFunc:             vaulthttp.Handler,
 		RequestResponseCallback: schema.ResponseValidatingCallback(t),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// Mount PKI.
@@ -6812,8 +6841,6 @@ func TestStandby_Operations(t *testing.T) {
 		},
 	}, nil, teststorage.InmemBackendSetup)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	testhelpers.WaitForActiveNodeAndStandbys(t, cluster)
 	standbyCores := testhelpers.DeriveStandbyCores(t, cluster)
@@ -7042,8 +7069,7 @@ func TestProperAuthing(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 	token := client.Token()
 
@@ -7766,8 +7792,8 @@ func TestIssuance_DeltaCRLDistributionPoint(t *testing.T) {
 		"-text",
 		"-in", filePath,
 	}
-	out, err := exec.Command(opensslCmd, args...).CombinedOutput()
-	require.NoError(t, err, "failed running command %s with args: %v\n%s", opensslCmd, args, string(out))
+
+	out := runOpenSSL(t, log, opensslCmd, args)
 	require.Regexp(t, `\s+X509v3 Freshest CRL:\s+Full Name:\s+URI:http://example.com/crl/delta\s+Full Name:\s+URI:http://backup\.example\.com/crl/delta`, string(out))
 }
 
@@ -7899,3 +7925,458 @@ func TestIssuance_ValidityPeriodContainedByCA(t *testing.T) {
 		})
 	}
 }
+
+// TestBackend_SignIntermediate_IgnoresCSR_BasicConstraint verifies that when signing an intermediate CSR,
+// with use_csr_values set to true, we ignore the CSR's Basic constraint extension as we do
+// not properly support max_path_length.
+func TestBackend_SignIntermediate_IgnoresCSR_BasicConstraint(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Generate root CA with max_path_length of 2
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name":     "Root CA",
+		"ttl":             "180h",
+		"max_path_length": 2,
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Generate private key for CSR
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err, "failed to generate private key")
+
+	bcExt, err := certutil.CreateBasicConstraintExtension(true, 5)
+	require.NoError(t, err, "failed to create basic constraint extension")
+
+	// Create CSR template
+	csrTemplate := &x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: "Intermediate CA",
+		},
+		ExtraExtensions: []pkix.Extension{bcExt},
+	}
+
+	// Create the CSR
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privateKey)
+	require.NoError(t, err, "failed to create CSR")
+
+	csrPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrDER,
+	})
+
+	// Sign the intermediate CSR
+	signParams := map[string]interface{}{
+		"csr":            string(csrPEM),
+		"common_name":    "Intermediate CA",
+		"use_csr_values": true,
+		"ttl":            "87600h",
+	}
+
+	resp, err = CBWrite(b, s, "root/sign-intermediate", signParams)
+	require.NoError(t, err, "failed to sign intermediate")
+	require.NotNil(t, resp, "expected response")
+	require.NotEmpty(t, resp.Data["certificate"], "expected certificate in response")
+
+	// Parse the signed certificate
+	certPEM := resp.Data["certificate"].(string)
+	block, _ := pem.Decode([]byte(certPEM))
+	require.NotNil(t, block, "failed to decode certificate PEM")
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	require.NoError(t, err, "failed to parse certificate")
+
+	// Verify Basic Constraints extension exists and is critical
+	hasBasicConstraints := false
+	for _, ext := range cert.Extensions {
+		if ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) {
+			hasBasicConstraints = true
+			require.True(t, ext.Critical, "Basic Constraints should be marked as critical")
+			isCA, maxPathLen, err := certutil.ParseBasicConstraintExtension(ext)
+			require.NoError(t, err, "failed to parse Basic Constraints extension")
+			require.True(t, isCA, "Basic Constraints should be marked as CA")
+			require.Equal(t, 1, maxPathLen, "max_path_length should be set to 1, root of 2-1")
+			break
+		}
+	}
+	require.True(t, hasBasicConstraints, "certificate should have Basic Constraints extension")
+}
+
+// TestBackend_IDNWithWildcards_CommonName tests IDNA conversion and wildcard validation
+// in the Common Name (CN) field using both /issue and /sign endpoints.
+func TestBackend_IDNWithWildcards_CommonName(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Generate root CA
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "Root CA",
+		"ttl":         "40h",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	// Create a role that allows wildcards and any name
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allow_any_name":              true,
+		"allow_wildcard_certificates": true,
+		"enforce_hostnames":           true,
+		"max_ttl":                     "2h",
+		"key_type":                    "ec",
+	})
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name           string
+		commonName     string
+		expectDNSNames []string
+		expectError    bool
+	}{
+		{
+			name:           "ASCII wildcard in CN",
+			commonName:     "*.example.com",
+			expectDNSNames: []string{"*.example.com"},
+		},
+		{
+			name:           "IDN with wildcard in CN - German umlaut",
+			commonName:     "*.müller.com",
+			expectDNSNames: []string{"*.xn--mller-kva.com"},
+		},
+		{
+			name:           "IDN with wildcard in CN - Japanese",
+			commonName:     "*.日本.com",
+			expectDNSNames: []string{"*.xn--wgv71a.com"},
+		},
+		{
+			name:           "IDN with wildcard in CN - Chinese",
+			commonName:     "*.中国.com",
+			expectDNSNames: []string{"*.xn--fiqs8s.com"},
+		},
+		{
+			name:           "IDN with wildcard in CN - Arabic",
+			commonName:     "*.مثال.com",
+			expectDNSNames: []string{"*.xn--mgbh0fb.com"},
+		},
+		{
+			name:           "IDN with multiple labels and wildcard",
+			commonName:     "*.subdomain.müller.com",
+			expectDNSNames: []string{"*.subdomain.xn--mller-kva.com"},
+		},
+		// Invalid hostname test cases
+		{
+			name:        "Invalid - wildcard not in leftmost position",
+			commonName:  "sub.*.example.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - multiple wildcards",
+			commonName:  "*.*.example.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - wildcard in IDN not in leftmost position",
+			commonName:  "sub.*.müller.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - empty label in hostname",
+			commonName:  "example..com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - label starting with hyphen",
+			commonName:  "-example.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - label ending with hyphen",
+			commonName:  "example-.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - label too long (>63 chars)",
+			commonName:  "*.verylonglabelverylonglabelverylonglabelverylonglabelverylonglabel.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - hostname starting with dot",
+			commonName:  ".example.com",
+			expectError: true,
+		},
+	}
+
+	for _, useCSR := range []bool{false, true} {
+		testType := "issue"
+		if useCSR {
+			testType = "sign"
+		}
+		t.Run(testType, func(t *testing.T) {
+			for _, tc := range testCases {
+				t.Run(tc.name, func(t *testing.T) {
+					var resp *logical.Response
+					var err error
+
+					if useCSR {
+						// Generate a CSR with the test common name
+						csrTemplate := &x509.CertificateRequest{
+							Subject: pkix.Name{
+								CommonName: tc.commonName,
+							},
+						}
+						_, _, csrPem := generateCSR(t, csrTemplate, "ec", 256)
+
+						resp, err = CBWrite(b, s, "sign/test", map[string]interface{}{
+							"csr": csrPem,
+						})
+					} else {
+						// Use direct issue
+						resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+							"common_name": tc.commonName,
+						})
+					}
+
+					if tc.expectError {
+						require.Error(t, err, "expected error for test case: %s", tc.name)
+						return
+					}
+
+					require.NoError(t, err, "unexpected error for test case: %s", tc.name)
+					require.NotNil(t, resp, "response should not be nil for test case: %s", tc.name)
+					require.NotNil(t, resp.Data["certificate"], "certificate should be present for test case: %s", tc.name)
+
+					// Parse the certificate to verify DNS names
+					certPEM := resp.Data["certificate"].(string)
+					block, _ := pem.Decode([]byte(certPEM))
+					require.NotNil(t, block, "failed to decode PEM for test case: %s", tc.name)
+
+					cert, err := x509.ParseCertificate(block.Bytes)
+					require.NoError(t, err, "failed to parse certificate for test case: %s", tc.name)
+
+					// Verify DNS names match expected (order may vary, so use ElementsMatch)
+					require.ElementsMatch(t, tc.expectDNSNames, cert.DNSNames,
+						"DNS names mismatch for test case: %s\nExpected: %v\nGot: %v",
+						tc.name, tc.expectDNSNames, cert.DNSNames)
+				})
+			}
+		})
+	}
+}
+
+// TestBackend_IDNWithWildcards_AltNames tests IDNA conversion and wildcard validation
+// in the alternative names field using both /issue and /sign endpoints.
+func TestBackend_IDNWithWildcards_AltNames(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Generate root CA
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "Root CA",
+		"ttl":         "40h",
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	// Create a role that allows wildcards and any name
+	_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
+		"allow_any_name":              true,
+		"allow_subdomains":            true,
+		"allow_glob_domains":          true,
+		"allow_wildcard_certificates": true,
+		"enforce_hostnames":           true,
+		"max_ttl":                     "2h",
+		"key_type":                    "ec",
+	})
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name           string
+		commonName     string
+		altNames       string
+		expectDNSNames []string
+		expectError    bool
+	}{
+		{
+			name:           "ASCII wildcard in alt_names",
+			commonName:     "example.com",
+			altNames:       "*.test.com",
+			expectDNSNames: []string{"example.com", "*.test.com"},
+		},
+		{
+			name:           "Mixed ASCII and IDN with wildcards in alt_names",
+			commonName:     "example.com",
+			altNames:       "*.example.com,*.müller.de",
+			expectDNSNames: []string{"example.com", "*.example.com", "*.xn--mller-kva.de"},
+		},
+		{
+			name:           "Multiple IDN domains with wildcards in alt_names",
+			commonName:     "example.com",
+			altNames:       "*.日本.com,*.中国.cn",
+			expectDNSNames: []string{"example.com", "*.xn--wgv71a.com", "*.xn--fiqs8s.cn"},
+		},
+		{
+			name:           "Complex IDN with multiple subdomains and wildcard",
+			commonName:     "example.com",
+			altNames:       "*.api.v2.müller.com",
+			expectDNSNames: []string{"example.com", "*.api.v2.xn--mller-kva.com"},
+		},
+		{
+			name:           "IDN with trailing dot and wildcard",
+			commonName:     "example.com",
+			altNames:       "*.müller.com.",
+			expectDNSNames: []string{"example.com", "*.xn--mller-kva.com."},
+		},
+		{
+			name:           "Invalid - wildcard in alt_names not in leftmost position",
+			commonName:     "example.com",
+			altNames:       "sub*.test.com",
+			expectDNSNames: []string{"example.com", "sub*.test.com"},
+		},
+		// Invalid hostname test cases
+		{
+			name:        "Invalid - wildcard in alt_names not in leftmost position",
+			commonName:  "example.com",
+			altNames:    "sub*.test.com,sub.*.test.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - multiple wildcards in alt_names",
+			commonName:  "example.com",
+			altNames:    "*.*.müller.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - wildcard in IDN not in leftmost position",
+			commonName:  "example.com",
+			altNames:    "sub.*.müller.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - empty label in hostname",
+			commonName:  "example.com",
+			altNames:    "example..com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - label starting with hyphen",
+			commonName:  "example.com",
+			altNames:    "-example.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - label ending with hyphen",
+			commonName:  "example.com",
+			altNames:    "example-.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - label too long (>63 chars)",
+			commonName:  "example.com",
+			altNames:    "*.verylonglabelverylonglabelverylonglabelverylonglabelverylonglabel.com",
+			expectError: true,
+		},
+		{
+			name:        "Invalid - hostname starting with dot",
+			commonName:  "example.com",
+			altNames:    ".example.com",
+			expectError: true,
+		},
+	}
+
+	for _, useCSR := range []bool{false, true} {
+		testType := "issue"
+		if useCSR {
+			testType = "sign"
+		}
+		t.Run(testType, func(t *testing.T) {
+			for _, tc := range testCases {
+				t.Run(tc.name, func(t *testing.T) {
+					var resp *logical.Response
+					var err error
+
+					if useCSR {
+						// Generate a CSR with the test common name and alt names
+						// Note: CSRs include DNS SANs in the request, and they must be in Punycode (ASCII)
+						var dnsNames []string
+						if tc.altNames != "" {
+							// Split alt names by comma and convert to Punycode
+							altNamesList := strings.Split(tc.altNames, ",")
+							for _, name := range altNamesList {
+								// Convert IDN to Punycode for CSR (CSRs only support ASCII)
+								punycoded, err := idna.ToASCII(name)
+								if err != nil {
+									// If conversion fails, use original (will fail validation as expected)
+									dnsNames = append(dnsNames, name)
+								} else {
+									dnsNames = append(dnsNames, punycoded)
+								}
+							}
+						}
+
+						csrTemplate := &x509.CertificateRequest{
+							Subject: pkix.Name{
+								CommonName: tc.commonName,
+							},
+							DNSNames: dnsNames,
+						}
+						_, _, csrPem := generateCSR(t, csrTemplate, "ec", 256)
+
+						resp, err = CBWrite(b, s, "sign/test", map[string]interface{}{
+							"csr": csrPem,
+						})
+					} else {
+						// Use direct issue
+						resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
+							"common_name": tc.commonName,
+							"alt_names":   tc.altNames,
+						})
+					}
+
+					if tc.expectError {
+						require.Error(t, err, "expected error for test case: %s", tc.name)
+						return
+					}
+
+					require.NoError(t, err, "unexpected error for test case: %s", tc.name)
+					require.NotNil(t, resp, "response should not be nil for test case: %s", tc.name)
+					require.NotNil(t, resp.Data["certificate"], "certificate should be present for test case: %s", tc.name)
+
+					// Parse the certificate to verify DNS names
+					certPEM := resp.Data["certificate"].(string)
+					block, _ := pem.Decode([]byte(certPEM))
+					require.NotNil(t, block, "failed to decode PEM for test case: %s", tc.name)
+
+					cert, err := x509.ParseCertificate(block.Bytes)
+					require.NoError(t, err, "failed to parse certificate for test case: %s", tc.name)
+
+					// Verify DNS names match expected (order may vary, so use ElementsMatch)
+					require.ElementsMatch(t, tc.expectDNSNames, cert.DNSNames,
+						"DNS names mismatch for test case: %s\nExpected: %v\nGot: %v",
+						tc.name, tc.expectDNSNames, cert.DNSNames)
+				})
+			}
+		})
+	}
+}
+
+func stringSliceContainsAny(sl []string, substr string) bool {
+	return slices.ContainsFunc(sl, func(s string) bool { return strings.Contains(s, substr) })
+}
+
+func nilFunction(ctx context.Context, req *logical.Request, data *framework.FieldData, role *issuing.RoleEntry) (*logical.Response, error) {
+	return nil, nil
+}
+
+// TestBackend_MetricsWrapManagesNilResp validates that when wrapping a function that returns nil, nil (no error, no
+// response), we pass on the lack of error and lack of response (and don't panic).
+func TestBackend_MetricsWrapManagesNilResp(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	req := &logical.Request{Storage: s}
+	fieldData := &framework.FieldData{Schema: map[string]*framework.FieldSchema{}, Raw: map[string]interface{}{}}
+
+	wrappedFunc := b.metricsWrap("huh", roleOptional, nilFunction)
+	resp, err := wrappedFunc(context.Background(), req, fieldData)
+	require.NoError(t, err)
+	require.Nil(t, resp)
+}
diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go
index 9cdeafca95..fe958e2157 100644
--- a/builtin/logical/pki/ca_test.go
+++ b/builtin/logical/pki/ca_test.go
@@ -48,8 +48,6 @@ func TestBackend_CA_Steps(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	client := cluster.Cores[0].Client
 
diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go
index 744116e35e..bf21e4cf9e 100644
--- a/builtin/logical/pki/ca_util.go
+++ b/builtin/logical/pki/ca_util.go
@@ -21,11 +21,17 @@ import (
 	"golang.org/x/crypto/ed25519"
 )
 
-func getGenerationParams(sc *storageContext, data *framework.FieldData, isRoot bool) (exported bool, format string, role *issuing.RoleEntry, errorResp *logical.Response) {
+type generationParams struct {
+	exported bool
+	format   string
+	role     *issuing.RoleEntry
+}
+
+func getCAGenerationParams(sc *storageContext, data *framework.FieldData, isRoot bool) (params generationParams, warnings []string, errorResp *logical.Response) {
 	exportedStr := data.Get("exported").(string)
 	switch exportedStr {
 	case "exported":
-		exported = true
+		params.exported = true
 	case "internal":
 	case "existing":
 	case "kms":
@@ -35,20 +41,40 @@ func getGenerationParams(sc *storageContext, data *framework.FieldData, isRoot b
 		return
 	}
 
-	format = getFormat(data)
-	if format == "" {
-		errorResp = logical.ErrorResponse(
-			`the "format" path parameter must be "pem", "der", or "pem_bundle"`)
+	// PKCS#12/JKS formats are only supported for root certificate generation.
+	// For non-root operations, only a CSR is generated and PKCS#12/JKS is not a valid output format.
+	params.format = getFormat(data)
+	isKeystoreFormat := params.format == "pkcs12_bundle" || params.format == "jks_bundle"
+	if params.format == "" || (!isRoot && isKeystoreFormat) {
+		errorMsg := `the "format" parameter must be "pem", "der", "pem_bundle", "pkcs12_bundle" or "jks_bundle"`
+		if !isRoot {
+			errorMsg = `the "format" parameter must be "pem", "der" or "pem_bundle"`
+		}
+		errorResp = logical.ErrorResponse(errorMsg)
 		return
 	}
 
+	if params.format == "pkcs12_bundle" {
+		// Cast to encoder type and validate it is a permitted value
+		_, err := validatePKCS12Encoder(data.Get("pkcs12_encoder").(string))
+		if err != nil {
+			errorResp = logical.ErrorResponse(`invalid "pkcs12_encoder" parameter: %v`, err)
+			return
+		}
+	}
+
 	keyType, keyBits, err := sc.getKeyTypeAndBitsForRole(data)
 	if err != nil {
 		errorResp = logical.ErrorResponse(err.Error())
 		return
 	}
 
-	role = &issuing.RoleEntry{
+	country := data.Get("country").([]string)
+	if err := validateCountry(country); err != nil {
+		warnings = append(warnings, err.Error())
+	}
+
+	role := &issuing.RoleEntry{
 		TTL:                       time.Duration(data.Get("ttl").(int)) * time.Second,
 		KeyType:                   keyType,
 		KeyBits:                   keyBits,
@@ -65,7 +91,7 @@ func getGenerationParams(sc *storageContext, data *framework.FieldData, isRoot b
 		AllowedUserIDs:            []string{"*"},
 		OU:                        data.Get("ou").([]string),
 		Organization:              data.Get("organization").([]string),
-		Country:                   data.Get("country").([]string),
+		Country:                   country,
 		Locality:                  data.Get("locality").([]string),
 		Province:                  data.Get("province").([]string),
 		StreetAddress:             data.Get("street_address").([]string),
@@ -74,6 +100,7 @@ func getGenerationParams(sc *storageContext, data *framework.FieldData, isRoot b
 		CNValidations:             []string{"disabled"},
 		KeyUsage:                  data.Get("key_usage").([]string),
 	}
+	params.role = role
 	*role.AllowWildcardCertificates = true
 
 	if role.KeyBits, err = certutil.ValidateDefaultOrValueKeyType(role.KeyType, role.KeyBits); err != nil {
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 7f039711ed..a06c673578 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -4,6 +4,7 @@
 package pki
 
 import (
+	"bytes"
 	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -15,10 +16,10 @@ import (
 	"math/big"
 	"net"
 	"net/url"
-	"regexp"
 	"strconv"
 	"strings"
 	"time"
+	"unicode"
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
@@ -27,8 +28,10 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/pavlo-v-chernykh/keystore-go/v4"
 	"golang.org/x/crypto/cryptobyte"
 	cbbasn1 "golang.org/x/crypto/cryptobyte/asn1"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 type inputBundle struct {
@@ -37,33 +40,6 @@ type inputBundle struct {
 	apiData *framework.FieldData
 }
 
-var (
-	// labelRegex is a single label from a valid domain name and was extracted
-	// from hostnameRegex below for use in leftWildLabelRegex, without any
-	// label separators (`.`).
-	labelRegex = `([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])`
-
-	// A note on hostnameRegex: although we set the StrictDomainName option
-	// when doing the idna conversion, this appears to only affect output, not
-	// input, so it will allow e.g. host^123.example.com straight through. So
-	// we still need to use this to check the output.
-	hostnameRegex = regexp.MustCompile(`^(\*\.)?(` + labelRegex + `\.)*` + labelRegex + `\.?$`)
-
-	// Left Wildcard Label Regex is equivalent to a single domain label
-	// component from hostnameRegex above, but with additional wildcard
-	// characters added. There are four possibilities here:
-	//
-	//  1. Entire label is a wildcard,
-	//  2. Wildcard exists at the start,
-	//  3. Wildcard exists at the end,
-	//  4. Wildcard exists in the middle.
-	allWildRegex       = `\*`
-	startWildRegex     = `\*` + labelRegex
-	endWildRegex       = labelRegex + `\*`
-	middleWildRegex    = labelRegex + `\*` + labelRegex
-	leftWildLabelRegex = regexp.MustCompile(`^(` + allWildRegex + `|` + startWildRegex + `|` + endWildRegex + `|` + middleWildRegex + `)$`)
-)
-
 func doesPublicKeyAlgoMatchSignatureAlgo(pubKey x509.PublicKeyAlgorithm, algo x509.SignatureAlgorithm) bool {
 	return issuing.DoesPublicKeyAlgoMatchSignatureAlgo(pubKey, algo)
 }
@@ -74,12 +50,23 @@ func getFormat(data *framework.FieldData) string {
 	case "pem":
 	case "der":
 	case "pem_bundle":
+	case "pkcs12_bundle":
+	case "jks_bundle":
 	default:
 		format = ""
 	}
 	return format
 }
 
+func supportedFormats(includePKCS12 bool) []string {
+	if includePKCS12 {
+		// includePKCS12 enables both PKCS#12 and JKS output formats.
+		// JKS is included as a legacy companion format, so the flag just references pk12.
+		return []string{"pem", "der", "pem_bundle", "pkcs12_bundle", "jks_bundle"}
+	}
+	return []string{"pem", "der", "pem_bundle"}
+}
+
 // fetchCAInfo will fetch the CA info, will return an error if no ca info exists, this does NOT support
 // loading using the legacyBundleShimID and should be used with care. This should be called only once
 // within the request path otherwise you run the risk of a race condition with the issuer migration on perf-secondaries.
@@ -797,3 +784,152 @@ func (i CertNotAfterInputFromFieldData) GetTTL() int {
 func (i CertNotAfterInputFromFieldData) GetOptionalNotAfter() (interface{}, bool) {
 	return i.data.GetOk("not_after")
 }
+
+func validateCountry(country []string) error {
+	for _, c := range country {
+		if len(c) != 2 {
+			return fmt.Errorf("country must be a 2 character ISO 3166 code, have: %v", c)
+		}
+		for _, cc := range c {
+			cc = unicode.ToUpper(cc)
+			if cc < 'A' || cc > 'Z' {
+				return fmt.Errorf("country code characters must be between A and Z, have: %v", c)
+			}
+		}
+	}
+	return nil
+}
+
+type pkcs12EncoderType string
+
+const (
+	PKCS12EncoderModern2026 pkcs12EncoderType = "modern2026"
+	PKCS12EncoderModern2023 pkcs12EncoderType = "modern2023"
+)
+
+// validatePKCS12Encoder validates the encoder string and returns the typed value.
+// Returns an error if the encoder type is invalid.
+func validatePKCS12Encoder(encoderStr string) (pkcs12EncoderType, error) {
+	encoder := pkcs12EncoderType(encoderStr)
+	switch encoder {
+	case "":
+		return PKCS12EncoderModern2026, nil
+	case PKCS12EncoderModern2026, PKCS12EncoderModern2023:
+		return encoder, nil
+	default:
+		return "", fmt.Errorf("encoder must be %q or %q; received: %q", PKCS12EncoderModern2026, PKCS12EncoderModern2023, encoder)
+	}
+}
+
+func (e pkcs12EncoderType) encodeToPKCS12(privateKey crypto.Signer, cert *x509.Certificate, caChain []*x509.Certificate, password string) ([]byte, error) {
+	var enc *pkcs12.Encoder
+	switch e {
+	case PKCS12EncoderModern2026:
+		enc = pkcs12.Modern2026
+	case PKCS12EncoderModern2023:
+		enc = pkcs12.Modern2023
+	default:
+		return nil, fmt.Errorf("unexpected encoder type: %q; encoder must be %q or %q", e, PKCS12EncoderModern2026, PKCS12EncoderModern2023)
+	}
+
+	if privateKey != nil {
+		return enc.Encode(privateKey, cert, caChain, password)
+	}
+	// For trust store (no private key), include the issued cert + CA chain
+	certs := append([]*x509.Certificate{cert}, caChain...)
+	return enc.EncodeTrustStore(certs, password)
+}
+
+// EncodeToPKCS12 encodes the certificate, optional private key, and CA chain into a PKCS#12 archive.
+func EncodeToPKCS12(encoder string, privateKey crypto.Signer, cert *x509.Certificate, caChain []*x509.Certificate, password string) ([]byte, error) {
+	return pkcs12EncoderType(encoder).encodeToPKCS12(privateKey, cert, caChain, password)
+}
+
+// EncodeToJKS encodes the certificate, optional private key, and CA chain into a JKS keystore.
+func EncodeToJKS(privateKey crypto.Signer, cert *x509.Certificate, caChain []*x509.Certificate, alias string, password string) ([]byte, error) {
+	certs := append([]*x509.Certificate{cert}, caChain...)
+	p := []byte(password)
+	defer clear(p)
+
+	ks := keystore.New()
+
+	var err error
+	if privateKey != nil {
+		err = setPrivateKeyEntry(ks, alias, p, privateKey, certs)
+	} else {
+		// custom aliases for trust stores are currently unsupported and
+		// incrementing aliases, starting at "1", are used to guarantee uniqueness
+		err = setTrustedCertificateEntry(ks, certs)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Encode keystore to bytes
+	var buf bytes.Buffer
+	if err := ks.Store(&buf, p); err != nil {
+		return nil, fmt.Errorf("failed to encode keystore: %w", err)
+	}
+
+	return buf.Bytes(), nil
+}
+
+// setPrivateKeyEntry creates a single PrivateKeyEntry containing a private key and chain
+// and adds it to the java keystore
+func setPrivateKeyEntry(ks keystore.KeyStore, alias string, p []byte, privateKey crypto.Signer, certs []*x509.Certificate) error {
+	var ksCerts []keystore.Certificate
+	for _, cert := range certs {
+		ksCerts = append(ksCerts, keystore.Certificate{
+			Type:    "X509",
+			Content: cert.Raw,
+		})
+	}
+
+	// Private key entry must be PKCS#8 DER
+	privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return fmt.Errorf("failed to marshal private key: %w", err)
+	}
+
+	pke := keystore.PrivateKeyEntry{
+		CreationTime:     time.Now(),
+		PrivateKey:       privKeyBytes,
+		CertificateChain: ksCerts,
+	}
+
+	if err := ks.SetPrivateKeyEntry(alias, pke, p); err != nil {
+		return fmt.Errorf("failed to set keystore private key entry: %w", err)
+	}
+
+	return nil
+}
+
+// setTrustedCertificateEntry creates a TrustedCertificateEntry for each cert in the chain
+// and adds each to the java keystore. It assigns an incrementing string numeric alias
+// for each entry, starting at "1".
+func setTrustedCertificateEntry(ks keystore.KeyStore, certs []*x509.Certificate) error {
+	for i, cert := range certs {
+		// Create TrustedCertificateEntry for each cert in the chain
+		tce := keystore.TrustedCertificateEntry{
+			CreationTime: time.Now(),
+			Certificate: keystore.Certificate{
+				Type:    "X509",
+				Content: cert.Raw,
+			},
+		}
+
+		alias := fmt.Sprintf("%d", i+1)
+		if err := ks.SetTrustedCertificateEntry(alias, tce); err != nil {
+			return fmt.Errorf("failed to set keystore trusted certificate entry for alias: %s, %w", alias, err)
+		}
+	}
+	return nil
+}
+
+func x509Certificates(chain []*certutil.CertBlock) []*x509.Certificate {
+	var certs []*x509.Certificate
+	for _, cert := range chain {
+		certs = append(certs, cert.Certificate)
+	}
+	return certs
+}
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index caab759de6..d7f4a9a5c4 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
@@ -4,10 +4,13 @@
 package pki
 
 import (
+	"bytes"
 	"context"
+	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
+	"math/big"
 	"net"
 	"net/url"
 	"os"
@@ -20,11 +23,14 @@ import (
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
+	pkihelper "github.com/hashicorp/vault/helper/testhelpers/pki"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/pavlo-v-chernykh/keystore-go/v4"
 	"github.com/stretchr/testify/require"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 func TestPki_FetchCertBySerial(t *testing.T) {
@@ -111,7 +117,7 @@ func TestPki_FetchCertBySerial(t *testing.T) {
 func TestPki_MultipleOUs(t *testing.T) {
 	t.Parallel()
 	b, _ := CreateBackendWithStorage(t)
-	fields := addCACommonFields(map[string]*framework.FieldSchema{})
+	fields := addCACommonFields(map[string]*framework.FieldSchema{}, supportedFormats(true))
 
 	apiData := &framework.FieldData{
 		Schema: fields,
@@ -123,7 +129,7 @@ func TestPki_MultipleOUs(t *testing.T) {
 	input := &inputBundle{
 		apiData: apiData,
 		role: &issuing.RoleEntry{
-			MaxTTL: 3600,
+			MaxTTL: time.Hour,
 			OU:     []string{"Z", "E", "V"},
 		},
 	}
@@ -143,7 +149,7 @@ func TestPki_MultipleOUs(t *testing.T) {
 func TestPki_PermitFQDNs(t *testing.T) {
 	t.Parallel()
 	b, _ := CreateBackendWithStorage(t)
-	fields := addCACommonFields(map[string]*framework.FieldSchema{})
+	fields := addCACommonFields(map[string]*framework.FieldSchema{}, supportedFormats(true))
 
 	cases := map[string]struct {
 		input            *inputBundle
@@ -453,7 +459,7 @@ func TestParseCertificate(t *testing.T) {
 				"province":                  "",
 				"street_address":            "",
 				"postal_code":               "",
-				"serial_number":             "",
+				"serial_number":             "We'll assert that it is not nil as an special case",
 				"ttl":                       "1h0m30s",
 				"max_path_length":           -1,
 				"permitted_dns_domains":     "",
@@ -562,7 +568,7 @@ func TestParseCertificate(t *testing.T) {
 				"province":                  "province1,province2",
 				"street_address":            "street_address1,street_address2",
 				"postal_code":               "postal_code1,postal_code2",
-				"serial_number":             "",
+				"serial_number":             "We'll assert that it is not nil as an special case",
 				"ttl":                       "2h0m45s",
 				"max_path_length":           2,
 				"permitted_dns_domains":     "example.com,.example.com,.www.example.com",
@@ -657,7 +663,7 @@ func TestParseCertificate(t *testing.T) {
 				"province":                  "",
 				"street_address":            "",
 				"postal_code":               "",
-				"serial_number":             "",
+				"serial_number":             "We'll assert that it is not nil as an special case",
 				"ttl":                       "2h0m45s",
 				"max_path_length":           0,
 				"permitted_dns_domains":     "",
@@ -857,6 +863,16 @@ func testParseCertificateToFields(t *testing.T, issueTime time.Time, tt *parseCe
 	require.NotNil(t, fields["skid"])
 	delete(fields, "skid")
 	delete(tt.wantFields, "skid")
+	require.NotNil(t, fields["serial_number"])
+	// We don't test explicitly for a number as values prefixed with 00: get dropped.
+	require.Regexp(t, "^[a-fA-F0-9:]+$", fields["serial_number"], "invalid serial number")
+	serialBytes := certutil.ParseHexFormatted(fields["serial_number"].(string), ":")
+	actualBigInt := &big.Int{}
+	actualBigInt.SetBytes(serialBytes)
+	require.Equal(t, 0, cert.SerialNumber.Cmp(actualBigInt), "serial number mismatch")
+
+	delete(fields, "serial_number")
+	delete(tt.wantFields, "serial_number")
 
 	{
 		// Sometimes TTL comes back as 1s off, so we'll allow that
@@ -1278,3 +1294,308 @@ func TestVerify_chained_name_constraints(t *testing.T) {
 		})
 	}
 }
+
+// Test_PKCS12encoders tests for validatePKCS12Encoder and EncodeToPKCS12 utils
+func Test_PKCS12encoders(t *testing.T) {
+	// Generate test CA, leaf and key once for all subtests
+	result := pkihelper.GenerateCertWithRoot(t)
+	key, cert, caChain := result.Leaf.Key, result.Leaf.Cert, []*x509.Certificate{result.RootCa.Cert}
+
+	t.Run("validatePKCS12Encoder", func(t *testing.T) {
+		tests := []struct {
+			name        string
+			input       string
+			wantEncoder pkcs12EncoderType
+			errorMsg    string
+		}{
+			{
+				name:        "empty string defaults to modern2026",
+				input:       "",
+				wantEncoder: PKCS12EncoderModern2026,
+			},
+			{
+				name:        "modern2026 explicit",
+				input:       string(PKCS12EncoderModern2026),
+				wantEncoder: PKCS12EncoderModern2026,
+			},
+			{
+				name:        "modern2023 explicit",
+				input:       string(PKCS12EncoderModern2023),
+				wantEncoder: PKCS12EncoderModern2023,
+			},
+			{
+				name:     "invalid encoder type",
+				input:    "invalid-type",
+				errorMsg: `encoder must be "modern2026" or "modern2023"; received: "invalid-type"`,
+			},
+		}
+
+		for _, tc := range tests {
+			t.Run(tc.name, func(t *testing.T) {
+				encoder, err := validatePKCS12Encoder(tc.input)
+				if tc.errorMsg != "" {
+					require.Error(t, err)
+					require.Equal(t, err.Error(), tc.errorMsg)
+				} else {
+					require.NoError(t, err)
+					require.Equal(t, tc.wantEncoder, encoder)
+				}
+			})
+		}
+	})
+
+	t.Run("EncodeToPKCS12", func(t *testing.T) {
+		tests := []struct {
+			name         string
+			encoder      string
+			isTrustStore bool
+			withoutChain bool
+			errorMsg     string
+		}{
+			// Valid encodings with private key
+			{name: "keystore modern2026", encoder: "modern2026"},
+			{name: "keystore modern2023", encoder: "modern2023"},
+			// Valid encodings with private key, no CA chain
+			{name: "keystore modern2026 without CA chain", encoder: "modern2026", withoutChain: true},
+			{name: "keystore modern2023 without CA chain", encoder: "modern2023", withoutChain: true},
+			// Trust store only (no private key)
+			{name: "trust store modern2026", encoder: "modern2026", isTrustStore: true},
+			{name: "trust store modern2023", encoder: "modern2023", isTrustStore: true},
+
+			{name: "trust store modern2026 without CA chain", encoder: "modern2026", isTrustStore: true, withoutChain: true},
+			{name: "trust store modern2023 without CA chain", encoder: "modern2023", isTrustStore: true, withoutChain: true},
+
+			// Error case - invalid encoder caught by EncodeToPKCS12 -> encodeToPKCS12
+			{
+				name: "empty encoder type", encoder: "",
+				errorMsg: `unexpected encoder type: ""; encoder must be "modern2026" or "modern2023"`,
+			},
+			{
+				name: "invalid encoder type", encoder: "invalid-type",
+				errorMsg: `unexpected encoder type: "invalid-type"; encoder must be "modern2026" or "modern2023"`,
+			},
+		}
+
+		for _, tc := range tests {
+			t.Run(tc.name, func(t *testing.T) {
+				var preEncodedKey crypto.Signer
+				var preEncodedChain []*x509.Certificate
+				if !tc.isTrustStore {
+					preEncodedKey = key
+				}
+				if !tc.withoutChain {
+					preEncodedChain = caChain
+				}
+
+				pfx, err := EncodeToPKCS12(tc.encoder, preEncodedKey, cert, preEncodedChain, "password")
+
+				if tc.errorMsg != "" {
+					require.Error(t, err)
+					require.Equal(t, err.Error(), tc.errorMsg)
+				} else {
+					require.NoError(t, err)
+					require.NotEmpty(t, pfx)
+
+					// Validate encoding can be decoded
+					if !tc.isTrustStore {
+						dKey, dCert, dCa, err := pkcs12.DecodeChain(pfx, "password")
+						require.NoError(t, err, "it should decode chain")
+						require.Equal(t, preEncodedKey, dKey)
+						require.Equal(t, cert, dCert)
+						require.Equal(t, preEncodedChain, dCa)
+					}
+
+					if tc.isTrustStore {
+						dCerts, err := pkcs12.DecodeTrustStore(pfx, "password")
+						require.NoError(t, err, "it should decode trust store")
+						if tc.withoutChain {
+							require.Len(t, dCerts, 1)
+						} else {
+							require.Len(t, dCerts, 2)
+						}
+					}
+				}
+			})
+		}
+	})
+}
+
+// Test_JKSEncoders tests for EncodeToJKS and related helper functions
+func Test_JKSEncoders(t *testing.T) {
+	// Generate test CA, leaf and key once for all subtests
+	result := pkihelper.GenerateCertWithRoot(t)
+	key, cert, caChain := result.Leaf.Key, result.Leaf.Cert, []*x509.Certificate{result.RootCa.Cert}
+	pw := "123-secure-password"
+
+	t.Run("EncodeToJKS", func(t *testing.T) {
+		tests := []struct {
+			name            string
+			alias           string
+			expectedAliases []string
+			isTrustStore    bool
+			withoutChain    bool
+		}{
+			// Valid encodings with private key (keystore)
+			{name: "keystore with custom alias", alias: "myapp", expectedAliases: []string{"myapp"}},
+			{name: "keystore without CA chain", alias: "1", withoutChain: true, expectedAliases: []string{"1"}},
+
+			// Trust store only (no private key)
+			// jks_private_key_alias parameter should be ignored for trust stores and always start at "1"
+			{name: "trust store with numeric alias", alias: "2", isTrustStore: true, expectedAliases: []string{"1", "2"}},
+			{name: "trust store with non-numeric alias", alias: "myapp", isTrustStore: true, expectedAliases: []string{"1", "2"}},
+			{name: "trust store without CA chain", isTrustStore: true, withoutChain: true, expectedAliases: []string{"1"}},
+		}
+
+		for _, tc := range tests {
+			t.Run(tc.name, func(t *testing.T) {
+				var preEncodedKey crypto.Signer
+				var preEncodedChain []*x509.Certificate
+				if !tc.isTrustStore {
+					preEncodedKey = key
+				}
+				if !tc.withoutChain {
+					preEncodedChain = caChain
+				}
+
+				jksBytes, err := EncodeToJKS(preEncodedKey, cert, preEncodedChain, tc.alias, pw)
+				require.NoError(t, err)
+				require.NotEmpty(t, jksBytes)
+
+				ks := keystore.New()
+				err = ks.Load(bytes.NewReader(jksBytes), []byte(pw))
+				require.NoError(t, err, "should load JKS keystore")
+
+				aliases := ks.Aliases()
+				require.NotEmpty(t, aliases, "keystore should have entries")
+				require.ElementsMatch(t, tc.expectedAliases, aliases, "aliases should match expected set")
+
+				if !tc.isTrustStore {
+					require.Len(t, aliases, 1, "keystore should have one private key entry")
+					require.True(t, ks.IsPrivateKeyEntry(tc.alias), "should have private key entry")
+
+					chain, err := ks.GetPrivateKeyEntryCertificateChain(tc.alias)
+					require.NoError(t, err, "should get private key certificate chain")
+
+					if tc.withoutChain {
+						require.Len(t, chain, 1, "chain should only have leaf cert")
+					} else {
+						require.Len(t, chain, 2, "chain should have leaf + CA cert")
+					}
+				}
+
+				if tc.isTrustStore {
+					for _, alias := range aliases {
+						require.True(t, ks.IsTrustedCertificateEntry(alias), "should be trusted certificate entry")
+					}
+
+					if tc.withoutChain {
+						require.Len(t, aliases, 1, "should only have one entry")
+					} else {
+						require.Len(t, aliases, 2, "should have two entries")
+					}
+				}
+			})
+		}
+	})
+
+	t.Run("setPrivateKeyEntry", func(t *testing.T) {
+		tests := []struct {
+			name         string
+			alias        string
+			withoutChain bool
+		}{
+			{name: "with default alias", alias: "1"},
+			{name: "with custom alias", alias: "myapp"},
+			{name: "without CA chain", alias: "5", withoutChain: true},
+		}
+
+		for _, tc := range tests {
+			t.Run(tc.name, func(t *testing.T) {
+				ks := keystore.New()
+				var chain []*x509.Certificate
+				if !tc.withoutChain {
+					chain = caChain
+				}
+
+				certs := append([]*x509.Certificate{cert}, chain...)
+				err := setPrivateKeyEntry(ks, tc.alias, []byte(pw), key, certs)
+				require.NoError(t, err, "should set private key entry")
+
+				// Verify entry was created
+				require.True(t, ks.IsPrivateKeyEntry(tc.alias), "should have private key entry")
+
+				// Verify entry contents
+				pke, err := ks.GetPrivateKeyEntry(tc.alias, []byte(pw))
+				require.NoError(t, err, "should get private key entry")
+				require.NotNil(t, pke, "private key entry should not be nil")
+
+				// Verify private key
+				privKey, err := x509.ParsePKCS8PrivateKey(pke.PrivateKey)
+				require.NoError(t, err, "should parse private key")
+				require.Equal(t, key, privKey, "private key should match")
+
+				// Verify certificate chain
+				expectedChainLen := 1
+				if !tc.withoutChain {
+					expectedChainLen = 2
+				}
+				require.Len(t, pke.CertificateChain, expectedChainLen, "certificate chain length should match")
+
+				// Verify all certificates have correct type
+				for i, certEntry := range pke.CertificateChain {
+					require.Equal(t, "X509", certEntry.Type, "certificate type should be X509 at index %d", i)
+					parsedCert, err := x509.ParseCertificate(certEntry.Content)
+					require.NoError(t, err, "should parse certificate at index %d", i)
+					require.Equal(t, certs[i], parsedCert, "certificate should match at index %d", i)
+				}
+			})
+		}
+	})
+
+	t.Run("setTrustedCertificateEntry", func(t *testing.T) {
+		resultWithInt := pkihelper.GenerateCertWithIntermediaryRoot(t)
+		_, leafFromInt, chainWithInt := resultWithInt.Leaf.Key, resultWithInt.Leaf.Cert, []*x509.Certificate{resultWithInt.IntCa.Cert, resultWithInt.RootCa.Cert}
+		resultWithoutInt := pkihelper.GenerateCertWithRoot(t)
+		_, leafFromRoot, chainWithoutInt := resultWithoutInt.Leaf.Key, resultWithoutInt.Leaf.Cert, []*x509.Certificate{resultWithoutInt.RootCa.Cert}
+		tests := []struct {
+			name            string
+			certs           []*x509.Certificate
+			expectedAliases []string
+		}{
+			{name: "it sets aliases for leaf+root", certs: append([]*x509.Certificate{leafFromRoot}, chainWithoutInt...), expectedAliases: []string{"1", "2"}},
+			{name: "it sets aliases for leaf+int+root", certs: append([]*x509.Certificate{leafFromInt}, chainWithInt...), expectedAliases: []string{"1", "2", "3"}},
+		}
+		for _, tc := range tests {
+			t.Run(tc.name, func(t *testing.T) {
+				ks := keystore.New()
+
+				err := setTrustedCertificateEntry(ks, tc.certs)
+				require.NoError(t, err, "should set trusted certificate entries")
+
+				// Verify entries were created
+				aliases := ks.Aliases()
+				require.Len(t, aliases, len(tc.expectedAliases), "should have correct number of entries")
+				require.ElementsMatch(t, tc.expectedAliases, aliases, "aliases should match expected set")
+
+				// Verify all entries
+				for i, expectedAlias := range tc.expectedAliases {
+					expectedCert := tc.certs[i]
+					require.True(t, ks.IsTrustedCertificateEntry(expectedAlias), "should have trusted certificate entry at alias %s", expectedAlias)
+					tce, err := ks.GetTrustedCertificateEntry(expectedAlias)
+					require.NoError(t, err, "should get trusted certificate entry at alias %s", expectedAlias)
+					require.Equal(t, "X509", tce.Certificate.Type, "certificate type should be X509 at alias %s", expectedAlias)
+
+					parsedCert, err := x509.ParseCertificate(tce.Certificate.Content)
+					require.NoError(t, err, "should parse certificate at alias %s", expectedAlias)
+					require.Equal(t, expectedCert, parsedCert, "certificate should match at alias %s", expectedAlias)
+				}
+			})
+		}
+	})
+}
+
+// Test_supportedFormats safeguards the function returns expected slice certificate formats
+func Test_supportedFormats(t *testing.T) {
+	require.Equal(t, []string{"pem", "der", "pem_bundle", "pkcs12_bundle", "jks_bundle"}, supportedFormats(true))
+	require.Equal(t, []string{"pem", "der", "pem_bundle"}, supportedFormats(false))
+}
diff --git a/builtin/logical/pki/crl_test.go b/builtin/logical/pki/crl_test.go
index 9c25c0c7cb..bc4b1e532f 100644
--- a/builtin/logical/pki/crl_test.go
+++ b/builtin/logical/pki/crl_test.go
@@ -8,6 +8,7 @@ import (
 	"encoding/asn1"
 	"encoding/json"
 	"fmt"
+	"os/exec"
 	"strings"
 	"testing"
 	"time"
@@ -18,7 +19,9 @@ import (
 	"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
 	"github.com/hashicorp/vault/builtin/logical/pki/revocation"
 	"github.com/hashicorp/vault/helper/constants"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
 	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
@@ -958,8 +961,6 @@ func TestAutoRebuild(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	// Mount PKI
@@ -1549,3 +1550,216 @@ func TestCRLIssuerRemoval(t *testing.T) {
 	}
 	require.Equal(t, len(afterUnifiedCRLList), len(unifiedCRLList))
 }
+
+// TestCRLFreshestCRLExtension verifies when the Freshest CRL extension is
+// present on the base CRL and that it never appears on the delta CRL.
+func TestCRLFreshestCRLExtension(t *testing.T) {
+	t.Parallel()
+
+	b, s := CreateBackendWithStorage(t)
+
+	// Create a root CA
+	_, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "root example.com",
+		"issuer_name": "root",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+
+	tests := []struct {
+		name              string
+		enableDelta       bool
+		expectedDeltaCDPs []string // If this is nil there should be no Freshest CRL
+		mountUrl          []string
+		issuerUrl         []string
+	}{
+		{
+			name:              "issuer URL takes precedence over mount URL",
+			enableDelta:       true,
+			expectedDeltaCDPs: []string{"http://example.com/issuer"},
+			mountUrl:          []string{"http://example.com/mount"},
+			issuerUrl:         []string{"http://example.com/issuer"},
+		},
+		{
+			name:              "uses issuer URL when mount URL not set",
+			enableDelta:       true,
+			expectedDeltaCDPs: []string{"http://example.com/issuer"},
+			mountUrl:          nil,
+			issuerUrl:         []string{"http://example.com/issuer"},
+		},
+		{
+			name:              "falls back to mount URL when issuer URL not set",
+			enableDelta:       true,
+			expectedDeltaCDPs: []string{"http://example.com/mount"},
+			mountUrl:          []string{"http://example.com/mount"},
+			issuerUrl:         nil,
+		},
+		{
+			name:              "supports multiple delta CRL distribution points and LDAP urls",
+			enableDelta:       true,
+			expectedDeltaCDPs: []string{"http://example.com/primary", "ldap://ldap.example.com/"},
+			mountUrl:          []string{"http://example.com/primary", "ldap://ldap.example.com/"},
+			issuerUrl:         nil,
+		},
+		{
+			name:              "no extension when delta CRL enabled and no URLs",
+			enableDelta:       true,
+			expectedDeltaCDPs: nil,
+			mountUrl:          nil,
+			issuerUrl:         nil,
+		},
+		{
+			name:              "no extension when URLs are empty slices",
+			enableDelta:       true,
+			expectedDeltaCDPs: nil,
+			mountUrl:          []string{},
+			issuerUrl:         []string{},
+		},
+		{
+			name:              "no extension when delta CRL disabled despite URLs configured",
+			enableDelta:       false,
+			expectedDeltaCDPs: nil,
+			mountUrl:          []string{"http://127.0.0.1:8200/v1/pki/mount"},
+			issuerUrl:         []string{"http://127.0.0.1:8200/v1/pki/issuer"},
+		},
+		{
+			name:              "no extension when delta CRL disabled and no URLs",
+			enableDelta:       false,
+			expectedDeltaCDPs: nil,
+			mountUrl:          nil,
+			issuerUrl:         nil,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Configure mount's delta CDP
+			_, err = CBWrite(b, s, "config/urls", map[string]interface{}{
+				"delta_crl_distribution_points": tc.mountUrl,
+			})
+			require.NoError(t, err)
+
+			// Update issuer's delta CDP
+			_, err = CBPatch(b, s, "issuer/root", map[string]interface{}{
+				"delta_crl_distribution_points": tc.issuerUrl,
+			})
+			require.NoError(t, err)
+
+			// Enable delta CRL
+			_, err = CBWrite(b, s, "config/crl", map[string]interface{}{
+				"enable_delta": tc.enableDelta,
+				"auto_rebuild": tc.enableDelta,
+			})
+			require.NoError(t, err)
+
+			// Rotate CRL to apply updates
+			_, err = CBRead(b, s, "crl/rotate")
+			require.NoError(t, err)
+
+			// There should only be a Freshest CRL extension if expectedDeltaCDPs != nil
+			var expectedExtValue []byte
+			if len(tc.expectedDeltaCDPs) > 0 {
+				// Encode expected extension to compare to actual
+				ext, err := certutil.CreateDeltaCRLExtension(tc.expectedDeltaCDPs)
+				require.NoError(t, err)
+				expectedExtValue = ext.Value
+			}
+
+			resp := requestCrlFromBackend(t, s, b)
+			crl := parseCrlPemBytes(t, resp.Data["http_raw_body"].([]byte))
+
+			foundFreshestExt, ext, _ := findExtension(certutil.FreshestCrlOid, crl.Extensions)
+
+			// Verify base CRL has Freshest CRL Extension (if expected)
+			if len(tc.expectedDeltaCDPs) > 0 {
+				require.True(t, foundFreshestExt, "freshest CRL extension not found in base CRL")
+				require.Equal(t, expectedExtValue, ext.Value, "freshest CRL value does not match expected")
+			} else {
+				require.False(t, foundFreshestExt, "freshest CRL extension exists in base CRL")
+			}
+
+			// Verify delta CRL does not have Freshest CRL extension (only base CRL should)
+			if tc.enableDelta {
+				deltaCrl := getParsedCrlFromBackend(t, b, s, "crl/delta").TBSCertList
+				foundFreshestInDelta, _, _ := findExtension(certutil.FreshestCrlOid, deltaCrl.Extensions)
+				require.False(t, foundFreshestInDelta, "freshest CRL extension exists in CRL")
+			}
+		})
+	}
+}
+
+// TestCRLOpenSSLVerifyFreshestExtension verifies OpenSSL output for Freshest
+// CRL on the base CRL and confirms the extension is absent on the delta CRL.
+func TestCRLOpenSSLVerifyFreshestExtension(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+	// Configure mount's delta CDP
+	resp, err := CBWrite(b, s, "config/urls", map[string]interface{}{
+		"delta_crl_distribution_points": []string{"http://example.com/crl/delta", "ldap://ldap.example.com"},
+	})
+	require.NoError(t, err)
+
+	// Create a root CA.
+	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "root example.com",
+		"issuer_name": "root",
+		"key_type":    "ec",
+	})
+	require.NoError(t, err)
+
+	// Enable delta CRL
+	_, err = CBWrite(b, s, "config/crl", map[string]interface{}{
+		"enable_delta": true,
+		"auto_rebuild": true,
+	})
+	require.NoError(t, err)
+
+	// Rotate CRL to apply updates
+	_, err = CBRead(b, s, "crl/rotate")
+	require.NoError(t, err)
+
+	// Fetch base CRL
+	resp, err = CBRead(b, s, "crl/pem")
+	require.NoError(t, err)
+	baseCRLpem := resp.Data["http_raw_body"].([]byte)
+
+	// Write to temp file for OpenSSL
+	tmpDir := t.TempDir()
+	filePath := writeToTmpDir(t, tmpDir, "base_crl.pem", string(baseCRLpem))
+
+	opensslCmd, output, found := findOpenSSL()
+	if !found {
+		t.Skipf("no appropriate OpenSSL version found")
+	}
+
+	log := corehelpers.NewTestLogger(t)
+	log.Info("Using OpenSSL", "path", opensslCmd, "version", output)
+
+	// The open ssl test:
+	args := []string{
+		"crl",
+		"-noout",
+		"-text",
+		"-in", filePath,
+	}
+
+	out, err := exec.Command(opensslCmd, args...).CombinedOutput()
+	require.NoError(t, err, "failed running command %s with args: %v\n%s", opensslCmd, args, string(out))
+	require.Regexp(t, `\s+X509v3 Freshest CRL:\s+Full Name:\s+URI:http://example.com/crl/delta\s+Full Name:\s+URI:ldap://ldap.example.com`, string(out))
+
+	// Confirm Freshest CRL is NOT in delta CRL
+	resp, err = CBRead(b, s, "crl/delta/pem")
+	requireSuccessNonNilResponse(t, resp, err)
+	deltaCRLPem := resp.Data["http_raw_body"].([]byte)
+	filePath = writeToTmpDir(t, tmpDir, "delta_crl.pem", string(deltaCRLPem))
+
+	args = []string{
+		"crl",
+		"-noout",
+		"-text",
+		"-in", filePath,
+	}
+
+	out, err = exec.Command(opensslCmd, args...).CombinedOutput()
+	require.NoError(t, err, "failed running command %s with args: %v\n%s", opensslCmd, args, string(out))
+	require.NotContains(t, string(out), "X509v3 Freshest CRL")
+}
diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index b0a751deb4..6da34c7155 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -2162,6 +2162,12 @@ WRITE:
 			return nil, fmt.Errorf("could not create crl delta indicator extension: %w", err)
 		}
 		extensions = []pkix.Extension{ext}
+	} else if crlInfo.EnableDelta && signingBundle.URLs != nil && len(signingBundle.URLs.DeltaCRLDistributionPoints) > 0 {
+		ext, err := certutil.CreateDeltaCRLExtension(signingBundle.URLs.DeltaCRLDistributionPoints)
+		if err != nil {
+			return nil, fmt.Errorf("could not create freshest crl extension: %w", err)
+		}
+		extensions = []pkix.Extension{ext}
 	}
 
 	revocationListTemplate := &x509.RevocationList{
diff --git a/builtin/logical/pki/dnstest/server.go b/builtin/logical/pki/dnstest/server.go
index 00c88ca52b..2538b76c98 100644
--- a/builtin/logical/pki/dnstest/server.go
+++ b/builtin/logical/pki/dnstest/server.go
@@ -15,6 +15,7 @@ import (
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
 	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/moby/moby/client"
 	"github.com/stretchr/testify/require"
 )
 
@@ -241,7 +242,9 @@ func (ts *TestServer) PushConfig() {
 				return fmt.Errorf("failed to update zone mtime: %w", err)
 			}
 		}
-		ts.runner.DockerAPI.ContainerKill(ts.ctx, ts.startup.Container.ID, "SIGHUP")
+		_, _ = ts.runner.DockerAPI.ContainerKill(ts.ctx, ts.startup.Container.ID, client.ContainerKillOptions{
+			Signal: "SIGHUP",
+		})
 
 		// Connect to our bind resolver.
 		resolver := &net.Resolver{
diff --git a/builtin/logical/pki/fields.go b/builtin/logical/pki/fields.go
index 404cd4718c..50bee72ccd 100644
--- a/builtin/logical/pki/fields.go
+++ b/builtin/logical/pki/fields.go
@@ -6,8 +6,10 @@ package pki
 import (
 	"time"
 
+	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/sdk/framework"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 const (
@@ -22,7 +24,7 @@ const (
 
 // addIssueAndSignCommonFields adds fields common to both CA and non-CA issuing
 // and signing
-func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema, allowedFormats []string) map[string]*framework.FieldSchema {
 	fields["exclude_cn_from_sans"] = &framework.FieldSchema{
 		Type:    framework.TypeBool,
 		Default: false,
@@ -34,15 +36,25 @@ Defaults to false (CN is included).`,
 		},
 	}
 
+	formatDescription := `Format for returned data. Can be "pem", "der" or
+	"pem_bundle". If "pem_bundle", any private
+	key and issuing cert will be appended to the
+	certificate pem. If "der", the value will be
+	base64 encoded. Defaults to "pem".`
+
+	if strutil.StrListContains(allowedFormats, "pkcs12_bundle") && strutil.StrListContains(allowedFormats, "jks_bundle") {
+		formatDescription = `Format for returned data. Can be "pem", "der",
+	"pem_bundle", "pkcs12_bundle" or "jks_bundle". If "pem_bundle", any private
+	key and issuing cert will be appended to the
+	certificate pem. Formats "der", "pkcs12_bundle" or "jks_bundle" are
+	base64 encoded. Defaults to "pem".`
+	}
+
 	fields["format"] = &framework.FieldSchema{
-		Type:    framework.TypeString,
-		Default: "pem",
-		Description: `Format for returned data. Can be "pem", "der",
-or "pem_bundle". If "pem_bundle", any private
-key and issuing cert will be appended to the
-certificate pem. If "der", the value will be
-base64 encoded. Defaults to "pem".`,
-		AllowedValues: []interface{}{"pem", "der", "pem_bundle"},
+		Type:          framework.TypeString,
+		Default:       "pem",
+		Description:   formatDescription,
+		AllowedValues: strutil.StringListToInterfaceList(allowedFormats),
 		DisplayAttrs: &framework.DisplayAttributes{
 			Value: "pem",
 		},
@@ -63,6 +75,47 @@ pkcs8 instead. Defaults to "der".`,
 		},
 	}
 
+	if strutil.StrListContains(allowedFormats, "pkcs12_bundle") {
+		fields["pkcs12_encoder"] = &framework.FieldSchema{
+			Type:    framework.TypeString,
+			Default: "modern2026",
+			Description: `Encoder profile to use for PKCS#12 archives when 
+format is set to "pkcs12_bundle". Valid values are "modern2026" and 
+"modern2023". Defaults to "modern2026", which uses the newer PKCS#12 
+integrity format (PBMAC1).`,
+			AllowedValues: []interface{}{"modern2026", "modern2023"},
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "PKCS#12 encoder profile",
+			},
+		}
+
+		fields["pkcs12_password"] = &framework.FieldSchema{
+			Type:    framework.TypeString,
+			Default: pkcs12.DefaultPassword,
+			Description: `Password for encrypting the PKCS#12 
+		archive when format is set to "pkcs12_bundle". If not provided, 
+		defaults to "changeit". It is recommended to use the default password
+		and protect the file using other means or use a high-entropy password.`,
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "PKCS#12 password",
+			},
+		}
+	}
+
+	if strutil.StrListContains(allowedFormats, "jks_bundle") {
+		fields["jks_password"] = &framework.FieldSchema{
+			Type:    framework.TypeString,
+			Default: pkcs12.DefaultPassword,
+			Description: `Password for encrypting the Java keystore
+		when format is set to "jks_bundle". If not provided, 
+		defaults to "changeit". It is recommended to use the default password
+		and protect the file using other means or use a high-entropy password.`,
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Java keystore password",
+			},
+		}
+	}
+
 	fields["ip_sans"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `The requested IP SANs, if any, in a
@@ -96,7 +149,7 @@ comma-delimited list.`,
 // addNonCACommonFields adds fields with help text specific to non-CA
 // certificate issuing and signing
 func addNonCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields = addIssueAndSignCommonFields(fields)
+	fields = addIssueAndSignCommonFields(fields, supportedFormats(true))
 
 	fields["role"] = &framework.FieldSchema{
 		Type: framework.TypeString,
@@ -181,8 +234,8 @@ Any values are added with OID 0.9.2342.19200300.100.1.1.`,
 
 // addCACommonFields adds fields with help text specific to CA
 // certificate issuing and signing
-func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields = addIssueAndSignCommonFields(fields)
+func addCACommonFields(fields map[string]*framework.FieldSchema, allowedFormats []string) map[string]*framework.FieldSchema {
+	fields = addIssueAndSignCommonFields(fields, allowedFormats)
 
 	fields["alt_names"] = &framework.FieldSchema{
 		Type: framework.TypeString,
@@ -745,3 +798,20 @@ usage will not appear on the CSR.`,
 
 	return fields
 }
+
+func addJKSPrivateKeyAlias(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["jks_private_key_alias"] = &framework.FieldSchema{
+		Type:    framework.TypeString,
+		Default: "1",
+		Description: `The entry alias in the Java keystore (JKS) when format is set to "jks_bundle"
+		and bundle contains a single PrivateKeyEntry. This field is case-sensitive, but relying
+		on case-only differences for unique aliases is not recommended. Defaults to "1".
+		This parameter is ignored by endpoints that return TrustedCertificateEntry values
+		(trust stores), and instead entries are assigned incrementing numeric strings aliases starting at "1".`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Java keystore alias",
+		},
+	}
+
+	return fields
+}
diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go
index ae109665fa..70457790c4 100644
--- a/builtin/logical/pki/integration_test.go
+++ b/builtin/logical/pki/integration_test.go
@@ -493,11 +493,7 @@ func TestLDAPAiaCrlUrls(t *testing.T) {
 		NumCores:    1,
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-	singleCore := cluster.Cores[0]
-	vault.TestWaitActive(t, singleCore.Core)
-	client := singleCore.Client
+	client := cluster.Cores[0].Client
 
 	mountPKIEndpoint(t, client, "pki")
 
@@ -572,9 +568,6 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
diff --git a/builtin/logical/pki/issuing/audit_utils.go b/builtin/logical/pki/issuing/audit_utils.go
new file mode 100644
index 0000000000..5316417b0d
--- /dev/null
+++ b/builtin/logical/pki/issuing/audit_utils.go
@@ -0,0 +1,39 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package issuing
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+)
+
+func AddCertificateFieldsToAuditData(auditData map[string]any, certificateType string, certificate *x509.Certificate) error {
+	if auditData == nil {
+		return fmt.Errorf("no audit data on which to add certificate fields")
+	}
+	if certificate == nil {
+		return fmt.Errorf("no certificate whose fields should be added to audit data")
+	}
+	certificateFieldPrefix := ""
+	if certificateType != "" {
+		certificateFieldPrefix = certificateType + "_"
+	}
+	auditData[certificateFieldPrefix+"certificate"] = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certificate.Raw}))
+	certificateFields, err := certutil.ParseCertificateToFields(*certificate)
+	if err != nil {
+		return fmt.Errorf("error parsing certificate fields for audit data: %v", err)
+	}
+	for field, value := range certificateFields {
+		switch field {
+		case "common_name", "serial_number", "ttl", "skid", "key_type":
+			auditData[certificateFieldPrefix+field] = value
+		default:
+			continue
+		}
+	}
+	return nil
+}
diff --git a/builtin/logical/pki/issuing/cert_verify.go b/builtin/logical/pki/issuing/cert_verify.go
index 9331132004..a707045b5f 100644
--- a/builtin/logical/pki/issuing/cert_verify.go
+++ b/builtin/logical/pki/issuing/cert_verify.go
@@ -43,9 +43,17 @@ func VerifyCertificate(issuer *IssuerEntry, system logical.SystemView, parsedBun
 	// Note that we use github.com/google/certificate-transparency-go/x509 to perform certificate verification,
 	// since that library provides options to disable checks that the standard library does not.
 	options := ctx509.VerifyOptions{
-		KeyUsages:                      nil,
-		MaxConstraintComparisions:      0, // Use the library's 'sensible default'
-		DisableTimeChecks:              true,
+		KeyUsages:                 nil,
+		MaxConstraintComparisions: 0, // Use the library's 'sensible default'
+		DisableTimeChecks:         true,
+		// The go certificate transparency library enforces Extended Key Usage (EKU) support down-the-chain.  That is,
+		// it prevents an intermediate Certificate Authority from supporting an EKU which was not supported by its
+		// parent.  See: https://pkg.go.dev/crypto/x509#Certificate.Verify
+		// This doesn't reflect how our customers use the product: our customers expect EKU flags to restrict
+		// what the certificate can do, but not what the certificates it issues can do.  This down-the-chain behaviour
+		// is not mandated by the RFC, nor by NIAP.
+		// NIAP (and RFC) restrictions on EKU usage (requiring certain base key usage flags) are not implemented by
+		// this validation.  Those checks are separately implemented in roles_eku_checks_ent.go of this project.
 		DisableEKUChecks:               true,
 		DisableCriticalExtensionChecks: false,
 		DisableNameChecks:              false,
diff --git a/builtin/logical/pki/issuing/issue_common.go b/builtin/logical/pki/issuing/issue_common.go
index dade2bf598..3fe5fe290a 100644
--- a/builtin/logical/pki/issuing/issue_common.go
+++ b/builtin/logical/pki/issuing/issue_common.go
@@ -32,16 +32,10 @@ const (
 )
 
 var (
-	// labelRegex is a single label from a valid domain name and was extracted
+	// labelPattern is a single label from a valid domain name and was extracted
 	// from hostnameRegex below for use in leftWildLabelRegex, without any
 	// label separators (`.`).
-	labelRegex = `([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])`
-
-	// A note on hostnameRegex: although we set the StrictDomainName option
-	// when doing the idna conversion, this appears to only affect output, not
-	// input, so it will allow e.g. host^123.example.com straight through. So
-	// we still need to use this to check the output.
-	hostnameRegex = regexp.MustCompile(`^(\*\.)?(` + labelRegex + `\.)*` + labelRegex + `\.?$`)
+	labelPattern = `([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])`
 
 	// Left Wildcard Label Regex is equivalent to a single domain label
 	// component from hostnameRegex above, but with additional wildcard
@@ -51,11 +45,20 @@ var (
 	//  2. Wildcard exists at the start,
 	//  3. Wildcard exists at the end,
 	//  4. Wildcard exists in the middle.
-	allWildRegex       = `\*`
-	startWildRegex     = `\*` + labelRegex
-	endWildRegex       = labelRegex + `\*`
-	middleWildRegex    = labelRegex + `\*` + labelRegex
-	leftWildLabelRegex = regexp.MustCompile(`^(` + allWildRegex + `|` + startWildRegex + `|` + endWildRegex + `|` + middleWildRegex + `)$`)
+	allWildPattern    = `\*`
+	startWildPattern  = `\*` + labelPattern
+	endWildPattern    = labelPattern + `\*`
+	middleWildPattern = labelPattern + `\*` + labelPattern
+
+	leftWildLabelPattern = fmt.Sprintf(`(%s|%s|%s|%s)`, allWildPattern, startWildPattern, endWildPattern, middleWildPattern)
+	hostnamePattern      = fmt.Sprintf(`(%s\.)*%s\.?$`, labelPattern, labelPattern)
+	wildHostnamePattern  = fmt.Sprintf(`^(%s\.)?%s`, leftWildLabelPattern, hostnamePattern)
+
+	// A note on hostnameRegex: although we set the StrictDomainName option
+	// when doing the idna conversion, this appears to only affect output, not
+	// input, so it will allow e.g. host^123.example.com straight through. So
+	// we still need to use this to check the output.
+	wildHostnameRegex = regexp.MustCompile(wildHostnamePattern)
 )
 
 type EntityInfo struct {
@@ -153,7 +156,7 @@ func GenerateCreationBundle(b logical.SystemView, role *RoleEntry, entityInfo En
 				if err != nil {
 					return nil, nil, errutil.UserError{Err: err.Error()}
 				}
-				if hostnameRegex.MatchString(converted) {
+				if wildHostnameRegex.MatchString(converted) {
 					dnsNames = append(dnsNames, converted)
 				}
 			}
@@ -177,8 +180,10 @@ func GenerateCreationBundle(b logical.SystemView, role *RoleEntry, entityInfo En
 						if err != nil {
 							return nil, nil, errutil.UserError{Err: err.Error()}
 						}
-						if hostnameRegex.MatchString(converted) {
+						if wildHostnameRegex.MatchString(converted) {
 							dnsNames = append(dnsNames, converted)
+						} else {
+							return nil, nil, errutil.UserError{Err: fmt.Sprintf("subject alternate name %s is not a valid DNS name and cannot be included as a SAN", v)}
 						}
 					}
 				}
@@ -544,6 +549,9 @@ func ValidateNames(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo,
 			return name
 		}
 
+		// At this point, we know reducedName does not have an '*'. If isWildcard is true,
+		// the '*' is in wildcardLabel
+
 		// AllowAnyName is checked after this because EnforceHostnames still
 		// applies when allowing any name. Also, we check the reduced name to
 		// ensure that we are not either checking a full email address or a
@@ -560,16 +568,15 @@ func ValidateNames(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo,
 				if err != nil {
 					return name
 				}
-				if !hostnameRegex.MatchString(converted) {
+				if isWildcard {
+					// When a wildcard is specified, we additionally need to validate
+					// the label with the wildcard is correctly formed.
+					converted = wildcardLabel + "." + converted
+				}
+				if !wildHostnameRegex.MatchString(converted) {
 					return name
 				}
 			}
-
-			// When a wildcard is specified, we additionally need to validate
-			// the label with the wildcard is correctly formed.
-			if isWildcard && !leftWildLabelRegex.MatchString(wildcardLabel) {
-				return name
-			}
 		}
 
 		// Self-explanatory, but validations from EnforceHostnames and
@@ -617,6 +624,7 @@ func ValidateNames(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo,
 			}
 		}
 
+		// Deprecated: AllowTokenDisplayName is retained for backward compatibility but has not been writeable since v0.4.0
 		if role.AllowTokenDisplayName {
 			if name == entityInfo.DisplayName {
 				continue
@@ -999,6 +1007,12 @@ func GetCertificateNotAfter(b logical.SystemView, role *RoleEntry, input CertNot
 		if err != nil {
 			return notAfter, warnings, errutil.UserError{Err: err.Error()}
 		}
+
+		requestedTTL := time.Until(notAfter)
+		if role.MaxTTL > 0 && requestedTTL > maxTTL {
+			warnings = append(warnings, fmt.Sprintf("not_after %q results in a lifetime %q which is longer than permitted maxTTL %q, so maxTTL is being used", notAfterAlt, requestedTTL, maxTTL))
+			notAfter = time.Now().Add(maxTTL)
+		}
 	} else {
 		notAfter = time.Now().Add(ttl)
 	}
diff --git a/builtin/logical/pki/issuing/issue_common_test.go b/builtin/logical/pki/issuing/issue_common_test.go
new file mode 100644
index 0000000000..1c1c4f2d63
--- /dev/null
+++ b/builtin/logical/pki/issuing/issue_common_test.go
@@ -0,0 +1,330 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package issuing
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Test_wildHostnameRegex tests the wildHostnameRegex regular expression against a variety of
+// valid and invalid hostnames.
+func Test_wildHostnameRegex(t *testing.T) {
+	tests := []struct {
+		name     string
+		hostname string
+		want     bool
+	}{
+		// Valid hostnames without wildcards - with trailing dot
+		{
+			name:     "simple domain with dot",
+			hostname: "example.com.",
+			want:     true,
+		},
+		{
+			name:     "subdomain with dot",
+			hostname: "www.example.com.",
+			want:     true,
+		},
+		{
+			name:     "multi-level subdomain with dot",
+			hostname: "api.v1.example.com.",
+			want:     true,
+		},
+		{
+			name:     "single label with dot",
+			hostname: "localhost.",
+			want:     true,
+		},
+
+		// Valid hostnames without wildcards - without trailing dot
+		{
+			name:     "simple domain without dot",
+			hostname: "example.com",
+			want:     true,
+		},
+		{
+			name:     "subdomain without dot",
+			hostname: "www.example.com",
+			want:     true,
+		},
+		{
+			name:     "multi-level subdomain without dot",
+			hostname: "api.v1.example.com",
+			want:     true,
+		},
+		{
+			name:     "single label without dot",
+			hostname: "localhost",
+			want:     true,
+		},
+		{
+			name:     "hyphenated domain",
+			hostname: "my-domain.example.com",
+			want:     true,
+		},
+		{
+			name:     "numeric in domain",
+			hostname: "server123.example.com",
+			want:     true,
+		},
+
+		// Valid wildcards - entire label
+		{
+			name:     "wildcard entire first label",
+			hostname: "*.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard entire first label with dot",
+			hostname: "*.example.com.",
+			want:     true,
+		},
+		{
+			name:     "wildcard entire label multi-level",
+			hostname: "*.api.example.com",
+			want:     true,
+		},
+
+		// Valid wildcards - start of label
+		{
+			name:     "wildcard at start of label",
+			hostname: "*test.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard at start with numbers",
+			hostname: "*123.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard at start alphanumeric",
+			hostname: "*abc123.example.com",
+			want:     true,
+		},
+
+		// Valid wildcards - end of label
+		{
+			name:     "wildcard at end of label",
+			hostname: "test*.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard at end with numbers",
+			hostname: "123*.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard at end alphanumeric",
+			hostname: "abc123*.example.com",
+			want:     true,
+		},
+
+		// Valid wildcards - middle of label
+		{
+			name:     "wildcard in middle of label",
+			hostname: "test*server.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard in middle with numbers",
+			hostname: "api*v1.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard in middle complex",
+			hostname: "my*server.example.com",
+			want:     true,
+		},
+
+		// Invalid cases - hyphens adjacent to wildcards (labels can't start/end with hyphen)
+		{
+			name:     "wildcard at start with hyphen after",
+			hostname: "*-server.example.com",
+			want:     false,
+		},
+		{
+			name:     "wildcard at end with hyphen before",
+			hostname: "server-*.example.com",
+			want:     false,
+		},
+		{
+			name:     "wildcard in middle with hyphens",
+			hostname: "my-*-server.example.com",
+			want:     false,
+		},
+
+		// Invalid cases - wildcard in wrong position
+		{
+			name:     "wildcard in second label",
+			hostname: "example.*.com",
+			want:     false,
+		},
+		{
+			name:     "wildcard in last label",
+			hostname: "example.com*",
+			want:     false,
+		},
+		{
+			name:     "wildcard in TLD",
+			hostname: "example.*",
+			want:     false,
+		},
+
+		// Invalid cases - multiple wildcards
+		{
+			name:     "multiple wildcards in same label",
+			hostname: "*test*",
+			want:     false,
+		},
+		{
+			name:     "multiple wildcard labels",
+			hostname: "*.*.example.com",
+			want:     false,
+		},
+
+		// Invalid cases - empty or malformed
+		{
+			name:     "empty string",
+			hostname: "",
+			want:     false,
+		},
+		{
+			name:     "just dot",
+			hostname: ".",
+			want:     false,
+		},
+		{
+			name:     "double dots",
+			hostname: "example..com",
+			want:     false,
+		},
+
+		// Invalid cases - invalid characters
+		{
+			name:     "underscore in domain",
+			hostname: "test_server.example.com",
+			want:     false,
+		},
+		{
+			name:     "space in domain",
+			hostname: "test server.example.com",
+			want:     false,
+		},
+		{
+			name:     "special char in domain",
+			hostname: "test@server.example.com",
+			want:     false,
+		},
+
+		// Edge cases - label boundaries
+		{
+			name:     "label starting with hyphen",
+			hostname: "-test.example.com",
+			want:     false,
+		},
+		{
+			name:     "label ending with hyphen",
+			hostname: "test-.example.com",
+			want:     false,
+		},
+		{
+			name:     "single character label",
+			hostname: "a.example.com",
+			want:     true,
+		},
+		{
+			name:     "single digit label",
+			hostname: "1.example.com",
+			want:     true,
+		},
+
+		// Edge cases - wildcard combinations
+		{
+			name:     "wildcard with single char after",
+			hostname: "*a.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard with single char before",
+			hostname: "a*.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard between single chars",
+			hostname: "a*b.example.com",
+			want:     true,
+		},
+
+		// Complex valid cases
+		{
+			name:     "long subdomain chain",
+			hostname: "service.api.v2.prod.example.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard in long chain",
+			hostname: "*service.api.v2.prod.example.com",
+			want:     true,
+		},
+		{
+			name:     "alphanumeric with hyphens",
+			hostname: "my-api-v2-test.example.com",
+			want:     true,
+		},
+
+		// Invalid - wildcard not in leftmost label
+		{
+			name:     "wildcard in middle of hostname",
+			hostname: "api.*.example.com",
+			want:     false,
+		},
+		{
+			name:     "wildcard at end of hostname",
+			hostname: "api.example.*.com",
+			want:     false,
+		},
+
+		// Edge cases - only wildcard
+		{
+			name:     "only wildcard",
+			hostname: "*",
+			want:     false,
+		},
+		{
+			name:     "wildcard with dot",
+			hostname: "*.",
+			want:     false,
+		},
+
+		// Edge cases - wildcard without domain
+		{
+			name:     "wildcard label only",
+			hostname: "*..",
+			want:     false,
+		},
+
+		// Valid - wildcard with minimal domain
+		{
+			name:     "wildcard with single label domain",
+			hostname: "*.com",
+			want:     true,
+		},
+		{
+			name:     "wildcard pattern with single label domain",
+			hostname: "*test.com",
+			want:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := wildHostnameRegex.MatchString(tt.hostname)
+			require.Equal(t, tt.want, got, "wildHostnameRegex.MatchString(%q) = %v, want %v", tt.hostname, got, tt.want)
+		})
+	}
+}
+
+// Made with Bob
diff --git a/builtin/logical/pki/issuing/roles.go b/builtin/logical/pki/issuing/roles.go
index 68f25b4fc6..30c90e7a86 100644
--- a/builtin/logical/pki/issuing/roles.go
+++ b/builtin/logical/pki/issuing/roles.go
@@ -29,19 +29,20 @@ const (
 )
 
 type RoleEntry struct {
-	LeaseMax                      string        `json:"lease_max"`
-	Lease                         string        `json:"lease"`
-	DeprecatedMaxTTL              string        `json:"max_ttl"`
-	DeprecatedTTL                 string        `json:"ttl"`
-	TTL                           time.Duration `json:"ttl_duration"`
-	MaxTTL                        time.Duration `json:"max_ttl_duration"`
-	AllowLocalhost                bool          `json:"allow_localhost"`
-	AllowedBaseDomain             string        `json:"allowed_base_domain"`
-	AllowedDomainsOld             string        `json:"allowed_domains,omitempty"`
-	AllowedDomains                []string      `json:"allowed_domains_list"`
-	AllowedDomainsTemplate        bool          `json:"allowed_domains_template"`
-	AllowBaseDomain               bool          `json:"allow_base_domain"`
-	AllowBareDomains              bool          `json:"allow_bare_domains"`
+	LeaseMax               string        `json:"lease_max"`
+	Lease                  string        `json:"lease"`
+	DeprecatedMaxTTL       string        `json:"max_ttl"`
+	DeprecatedTTL          string        `json:"ttl"`
+	TTL                    time.Duration `json:"ttl_duration"`
+	MaxTTL                 time.Duration `json:"max_ttl_duration"`
+	AllowLocalhost         bool          `json:"allow_localhost"`
+	AllowedBaseDomain      string        `json:"allowed_base_domain"`
+	AllowedDomainsOld      string        `json:"allowed_domains,omitempty"`
+	AllowedDomains         []string      `json:"allowed_domains_list"`
+	AllowedDomainsTemplate bool          `json:"allowed_domains_template"`
+	AllowBaseDomain        bool          `json:"allow_base_domain"`
+	AllowBareDomains       bool          `json:"allow_bare_domains"`
+	// Deprecated: AllowTokenDisplayName is retained for backward compatibility but has not been writeable since v0.4.0
 	AllowTokenDisplayName         bool          `json:"allow_token_displayname"`
 	AllowSubdomains               bool          `json:"allow_subdomains"`
 	AllowGlobDomains              bool          `json:"allow_glob_domains"`
diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go
index 90f75ab815..047ed6d98d 100644
--- a/builtin/logical/pki/path_acme_test.go
+++ b/builtin/logical/pki/path_acme_test.go
@@ -45,7 +45,7 @@ import (
 func TestAcmeBasicWorkflow(t *testing.T) {
 	t.Parallel()
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
+
 	cases := []struct {
 		name      string
 		prefixUrl string
@@ -358,7 +358,7 @@ func TestAcmeBasicWorkflow(t *testing.T) {
 func TestAcmeBasicWorkflowWithEab(t *testing.T) {
 	t.Parallel()
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
+
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
 
@@ -477,8 +477,7 @@ func TestAcmeBasicWorkflowWithEab(t *testing.T) {
 // based on the
 func TestAcmeNonce(t *testing.T) {
 	t.Parallel()
-	cluster, client, pathConfig := setupAcmeBackend(t)
-	defer cluster.Cleanup()
+	_, client, pathConfig := setupAcmeBackend(t)
 
 	cases := []struct {
 		name         string
@@ -535,8 +534,7 @@ func TestAcmeNonce(t *testing.T) {
 // TestAcmeClusterPathNotConfigured basic testing of the ACME error handler.
 func TestAcmeClusterPathNotConfigured(t *testing.T) {
 	t.Parallel()
-	cluster, client := setupTestPkiCluster(t)
-	defer cluster.Cleanup()
+	_, client := setupTestPkiCluster(t)
 
 	// Go sneaky, sneaky and update the acme configuration through sys/raw to bypass config/cluster path checks
 	pkiMount := findStorageMountUuid(t, client, "pki")
@@ -590,7 +588,6 @@ func TestAcmeClusterPathNotConfigured(t *testing.T) {
 func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) {
 	t.Parallel()
 	cluster, _, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	baseAcmeURL := "/v1/pki/acme/"
 	accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048)
@@ -619,7 +616,6 @@ func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) {
 func TestAcmeEabCrossingDirectoryPath(t *testing.T) {
 	t.Parallel()
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	// Enable EAB
 	_, err := client.Logical().WriteWithContext(context.Background(), "pki/config/acme", map[string]interface{}{
@@ -656,7 +652,6 @@ func TestAcmeDisabledWithEnvVar(t *testing.T) {
 	// Setup a cluster with the configuration set to not-required, initially as the
 	// configuration will validate if the environment var is set
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	// Seal setup the environment variable, and unseal which now means we have a cluster
 	// with ACME configuration saying it is enabled with a bad EAB policy.
@@ -681,8 +676,7 @@ func TestAcmeDisabledWithEnvVar(t *testing.T) {
 // TestAcmeConfigChecksPublicAcmeEnv verifies certain EAB policy values can not be set if ENV var is enabled
 func TestAcmeConfigChecksPublicAcmeEnv(t *testing.T) {
 	t.Setenv("VAULT_DISABLE_PUBLIC_ACME", "true")
-	cluster, client := setupTestPkiCluster(t)
-	defer cluster.Cleanup()
+	_, client := setupTestPkiCluster(t)
 
 	_, err := client.Logical().WriteWithContext(context.Background(), "pki/config/cluster", map[string]interface{}{
 		"path": "https://dadgarcorp.com/v1/pki",
@@ -717,7 +711,6 @@ func TestAcmeHonorsAlwaysEnforceErr(t *testing.T) {
 	t.Parallel()
 
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@@ -797,7 +790,6 @@ func TestAcmeTruncatesToIssuerExpiry(t *testing.T) {
 	t.Parallel()
 
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@@ -887,7 +879,6 @@ func TestAcmeRoleExtKeyUsage(t *testing.T) {
 	t.Parallel()
 
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@@ -991,7 +982,6 @@ func TestIssuerRoleDirectoryAssociations(t *testing.T) {
 	// roles (test-role, acme) that we can use with various directory
 	// configurations.
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	// Setup DNS for validations.
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
@@ -1126,7 +1116,6 @@ func TestACMESubjectFieldsAndExtensionsIgnored(t *testing.T) {
 	// roles (test-role, acme) that we can use with various directory
 	// configurations.
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	// Setup DNS for validations.
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
@@ -1175,7 +1164,6 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) {
 	t.Parallel()
 
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@@ -1507,7 +1495,6 @@ func testAcmeCertSignedByCa(t *testing.T, client *api.Client, derCerts [][]byte,
 func TestAcmeValidationError(t *testing.T) {
 	t.Parallel()
 	cluster, _, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@@ -1616,7 +1603,7 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) {
 	t.Parallel()
 
 	cluster, vaultClient, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
+
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
 
@@ -1701,7 +1688,6 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) {
 func TestAcmeMaxTTL(t *testing.T) {
 	t.Parallel()
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@@ -1786,7 +1772,7 @@ func TestAcmeMaxTTL(t *testing.T) {
 func TestVaultOperatorACMEDisableWorkflow(t *testing.T) {
 	t.Parallel()
 	cluster, vaultClient, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
+
 	testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
 
@@ -1927,7 +1913,6 @@ func setupTestPkiCluster(t *testing.T) (*vault.TestCluster, *api.Client) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
 	client := cluster.Cores[0].Client
 	mountPKIEndpoint(t, client, "pki")
 	return cluster, client
@@ -1986,7 +1971,6 @@ func getEABKey(t *testing.T, client *api.Client, baseUrl string) (string, []byte
 
 func TestACMEClientRequestLimits(t *testing.T) {
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	cases := []struct {
 		name           string
diff --git a/builtin/logical/pki/path_config_acme.go b/builtin/logical/pki/path_config_acme.go
index 3ac8981392..501db2ba68 100644
--- a/builtin/logical/pki/path_config_acme.go
+++ b/builtin/logical/pki/path_config_acme.go
@@ -29,14 +29,16 @@ const (
 )
 
 type acmeConfigEntry struct {
-	Enabled                bool          `json:"enabled"`
-	AllowedIssuers         []string      `json:"allowed_issuers="`
-	AllowedRoles           []string      `json:"allowed_roles"`
-	AllowRoleExtKeyUsage   bool          `json:"allow_role_ext_key_usage"`
-	DefaultDirectoryPolicy string        `json:"default_directory_policy"`
-	DNSResolver            string        `json:"dns_resolver"`
-	EabPolicyName          EabPolicyName `json:"eab_policy_name"`
-	MaxTTL                 time.Duration `json:"max_ttl"`
+	Enabled                    bool          `json:"enabled"`
+	AllowedIssuers             []string      `json:"allowed_issuers="`
+	AllowedRoles               []string      `json:"allowed_roles"`
+	AllowRoleExtKeyUsage       bool          `json:"allow_role_ext_key_usage"`
+	DefaultDirectoryPolicy     string        `json:"default_directory_policy"`
+	DNSResolver                string        `json:"dns_resolver"`
+	EabPolicyName              EabPolicyName `json:"eab_policy_name"`
+	MaxTTL                     time.Duration `json:"max_ttl"`
+	ChallengePermittedIPRanges []string      `json:"challenge_permitted_ip_ranges"`
+	ChallengeExcludedIPRanges  []string      `json:"challenge_excluded_ip_ranges"`
 }
 
 var defaultAcmeConfig = acmeConfigEntry{
@@ -144,6 +146,16 @@ func pathAcmeConfig(b *backend) *framework.Path {
 				Description: `Specify the maximum TTL for ACME certificates. Role TTL values will be limited to this value`,
 				Default:     defaultAcmeMaxTTL.Seconds(),
 			},
+			"challenge_permitted_ip_ranges": {
+				Type:        framework.TypeCommaStringSlice,
+				Description: `List of CIDR blocks that are permitted for ACME challenge validation. If set, only IPs within these ranges will be allowed for validation. Can be individual IPs or CIDR notation.`,
+				Default:     []string{},
+			},
+			"challenge_excluded_ip_ranges": {
+				Type:        framework.TypeCommaStringSlice,
+				Description: `List of CIDR blocks that are excluded from ACME challenge validation. IPs within these ranges will be rejected for validation. Can be individual IPs or CIDR notation. This list takes precedence over challenge_permitted_ip_ranges.`,
+				Default:     []string{},
+			},
 		},
 
 		Operations: map[logical.Operation]framework.OperationHandler{
@@ -195,14 +207,16 @@ func (b *backend) pathAcmeRead(ctx context.Context, req *logical.Request, _ *fra
 func genResponseFromAcmeConfig(config *acmeConfigEntry, warnings []string) *logical.Response {
 	response := &logical.Response{
 		Data: map[string]interface{}{
-			"allowed_roles":            config.AllowedRoles,
-			"allow_role_ext_key_usage": config.AllowRoleExtKeyUsage,
-			"allowed_issuers":          config.AllowedIssuers,
-			"default_directory_policy": config.DefaultDirectoryPolicy,
-			"enabled":                  config.Enabled,
-			"dns_resolver":             config.DNSResolver,
-			"eab_policy":               config.EabPolicyName,
-			"max_ttl":                  config.MaxTTL.Seconds(),
+			"allowed_roles":                 config.AllowedRoles,
+			"allow_role_ext_key_usage":      config.AllowRoleExtKeyUsage,
+			"allowed_issuers":               config.AllowedIssuers,
+			"default_directory_policy":      config.DefaultDirectoryPolicy,
+			"enabled":                       config.Enabled,
+			"dns_resolver":                  config.DNSResolver,
+			"eab_policy":                    config.EabPolicyName,
+			"max_ttl":                       config.MaxTTL.Seconds(),
+			"challenge_permitted_ip_ranges": config.ChallengePermittedIPRanges,
+			"challenge_excluded_ip_ranges":  config.ChallengeExcludedIPRanges,
 		},
 		Warnings: warnings,
 	}
@@ -279,6 +293,34 @@ func (b *backend) pathAcmeWrite(ctx context.Context, req *logical.Request, d *fr
 		config.MaxTTL = maxTTL
 	}
 
+	if permittedIPRangesRaw, ok := d.GetOk("challenge_permitted_ip_ranges"); ok {
+		permittedIPRanges := permittedIPRangesRaw.([]string)
+		// Validate each CIDR entry
+		for _, cidr := range permittedIPRanges {
+			if _, _, err := net.ParseCIDR(cidr); err != nil {
+				// Try parsing as IP address
+				if net.ParseIP(cidr) == nil {
+					return nil, fmt.Errorf("invalid CIDR or IP address in challenge_permitted_ip_ranges: %s", cidr)
+				}
+			}
+		}
+		config.ChallengePermittedIPRanges = permittedIPRanges
+	}
+
+	if excludedIPRangesRaw, ok := d.GetOk("challenge_excluded_ip_ranges"); ok {
+		excludedIPRanges := excludedIPRangesRaw.([]string)
+		// Validate each CIDR entry
+		for _, cidr := range excludedIPRanges {
+			if _, _, err := net.ParseCIDR(cidr); err != nil {
+				// Try parsing as IP address
+				if net.ParseIP(cidr) == nil {
+					return nil, fmt.Errorf("invalid CIDR or IP address in challenge_excluded_ip_ranges: %s", cidr)
+				}
+			}
+		}
+		config.ChallengeExcludedIPRanges = excludedIPRanges
+	}
+
 	// Validate Default Directory Behavior:
 	defaultDirectoryPolicyType, extraInfo, err := getDefaultDirectoryPolicyType(config.DefaultDirectoryPolicy)
 	if err != nil {
diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go
index bcdeb3d425..cc7cc6fcec 100644
--- a/builtin/logical/pki/path_config_acme_test.go
+++ b/builtin/logical/pki/path_config_acme_test.go
@@ -18,7 +18,6 @@ func TestAcmeConfig(t *testing.T) {
 	t.Parallel()
 
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 
 	cases := []struct {
 		name        string
@@ -153,3 +152,135 @@ func TestAcmeExternalPolicyOss(t *testing.T) {
 		})
 	}
 }
+
+// TestAcmeIPRangeConfiguration tests setting and modifying challenge IP range configuration
+func TestAcmeIPRangeConfiguration(t *testing.T) {
+	t.Parallel()
+
+	_, client, _ := setupAcmeBackend(t)
+
+	testCtx := context.Background()
+
+	_, err := client.Logical().WriteWithContext(testCtx, "pki/config/acme", map[string]interface{}{
+		"enabled": true,
+	})
+	require.NoError(t, err)
+
+	cases := []struct {
+		name                    string
+		writeConfig             map[string]interface{}
+		expectErrorContains     string
+		expectedPermittedRanges []string
+		expectedExcludedRanges  []string
+	}{
+		{
+			name: "set_permitted_ip_ranges",
+			writeConfig: map[string]interface{}{
+				"challenge_permitted_ip_ranges": []string{"192.168.1.0/24", "10.0.0.0/8"},
+			},
+			expectedPermittedRanges: []string{"192.168.1.0/24", "10.0.0.0/8"},
+			expectedExcludedRanges:  []string{},
+		},
+		{
+			name: "set_excluded_ip_ranges",
+			writeConfig: map[string]interface{}{
+				"challenge_permitted_ip_ranges": []string{},
+				"challenge_excluded_ip_ranges":  []string{"127.0.0.0/8", "::1/128"},
+			},
+			expectedPermittedRanges: []string{},
+			expectedExcludedRanges:  []string{"127.0.0.0/8", "::1/128"},
+		},
+		{
+			name: "set_both_ranges",
+			writeConfig: map[string]interface{}{
+				"challenge_permitted_ip_ranges": []string{"192.168.0.0/16"},
+				"challenge_excluded_ip_ranges":  []string{"192.168.1.0/24"},
+			},
+			expectedPermittedRanges: []string{"192.168.0.0/16"},
+			expectedExcludedRanges:  []string{"192.168.1.0/24"},
+		},
+		{
+			name: "set_individual_ips",
+			writeConfig: map[string]interface{}{
+				"challenge_permitted_ip_ranges": []string{"192.168.1.100"},
+				"challenge_excluded_ip_ranges":  []string{"10.0.0.1"},
+			},
+			expectedPermittedRanges: []string{"192.168.1.100"},
+			expectedExcludedRanges:  []string{"10.0.0.1"},
+		},
+		{
+			name: "invalid_cidr_notation",
+			writeConfig: map[string]interface{}{
+				"challenge_permitted_ip_ranges": []string{"invalid-cidr"},
+			},
+			expectErrorContains: "invalid CIDR or IP address",
+		},
+		{
+			name: "invalid_excluded_ip",
+			writeConfig: map[string]interface{}{
+				"challenge_excluded_ip_ranges": []string{"999.999.999.999"},
+			},
+			expectErrorContains: "invalid CIDR or IP address",
+		},
+		{
+			name: "modify_existing_config",
+			writeConfig: map[string]interface{}{
+				"challenge_excluded_ip_ranges": []string{"10.0.0.0/8"},
+			},
+			expectedPermittedRanges: []string{"192.168.1.100"},
+			expectedExcludedRanges:  []string{"10.0.0.0/8"},
+		},
+		{
+			name: "clear_ranges",
+			writeConfig: map[string]interface{}{
+				"challenge_permitted_ip_ranges": []string{},
+				"challenge_excluded_ip_ranges":  []string{},
+			},
+			expectedPermittedRanges: []string{},
+			expectedExcludedRanges:  []string{},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(st *testing.T) {
+			deadline := time.Now().Add(1 * time.Minute)
+			subTestCtx, _ := context.WithDeadline(testCtx, deadline)
+
+			_, err := client.Logical().WriteWithContext(subTestCtx, "pki/config/acme", tc.writeConfig)
+
+			if tc.expectErrorContains != "" {
+				require.Contains(st, err.Error(), tc.expectErrorContains)
+				return
+			}
+
+			require.NoError(st, err)
+
+			// Read back and verify
+			resp, err := client.Logical().ReadWithContext(subTestCtx, "pki/config/acme")
+			require.NoError(st, err)
+			require.NotNil(st, resp)
+
+			var permittedRanges []interface{}
+			if resp.Data["challenge_permitted_ip_ranges"] != nil {
+				permittedRanges = resp.Data["challenge_permitted_ip_ranges"].([]interface{})
+			}
+
+			var excludedRanges []interface{}
+			if resp.Data["challenge_excluded_ip_ranges"] != nil {
+				excludedRanges = resp.Data["challenge_excluded_ip_ranges"].([]interface{})
+			}
+
+			// Verify permitted ranges
+			require.Len(st, permittedRanges, len(tc.expectedPermittedRanges))
+			for _, expected := range tc.expectedPermittedRanges {
+				require.Contains(st, permittedRanges, expected)
+			}
+
+			// Verify excluded ranges
+			require.Len(st, excludedRanges, len(tc.expectedExcludedRanges))
+			for _, expected := range tc.expectedExcludedRanges {
+				require.Contains(st, excludedRanges, expected)
+			}
+		})
+	}
+}
diff --git a/builtin/logical/pki/path_fetch_issuers_test.go b/builtin/logical/pki/path_fetch_issuers_test.go
index de65824cd3..34d32a804e 100644
--- a/builtin/logical/pki/path_fetch_issuers_test.go
+++ b/builtin/logical/pki/path_fetch_issuers_test.go
@@ -14,9 +14,7 @@ import (
 // to something completely incorrect (missing an intermediate issuer).  In this case, the attempt to write the manual
 // chain throws an error, and the manual chain is not updated.
 func TestManualChainValidation(t *testing.T) {
-	// Set Up a Cluster
-	cluster, client := setupTestPkiCluster(t)
-	defer cluster.Cleanup()
+	_, client := setupTestPkiCluster(t)
 
 	// Set Up Root-A
 	mount := "pki"
diff --git a/builtin/logical/pki/path_generate_root_test.go b/builtin/logical/pki/path_generate_root_test.go
new file mode 100644
index 0000000000..a7ac54f2ba
--- /dev/null
+++ b/builtin/logical/pki/path_generate_root_test.go
@@ -0,0 +1,379 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"software.sslmate.com/src/go-pkcs12"
+)
+
+// TestGenerateRoot_InvalidCountry validates that ISO 3166 is followed for the Country field
+func TestGenerateRoot_InvalidCountry(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+	params := map[string]interface{}{
+		"common_name": "root.example.com",
+		"ttl":         "87600h",
+		"key_type":    "ec",
+		"country":     "Japan",
+	}
+
+	resp, err := CBWrite(b, s, "root/generate/internal", params)
+	require.NoError(t, err)
+
+	require.True(t, stringSliceContainsAny(resp.Warnings, "3166"))
+}
+
+func TestGenerateRoot_MaxPathLengthValidation(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name          string
+		maxPathLength int
+		omitParam     bool
+
+		expectError   bool
+		errorContains string
+
+		// Expected fields on the issued certificate (only checked when
+		// expectError == false).
+		expectedMaxPathLen int // cert.MaxPathLen; -1 means no constraint
+	}{
+		// ----------------------------------------------------------------
+		// Parameter omitted: Vault generates a root with no pathLenConstraint.
+		// ----------------------------------------------------------------
+		{
+			name:               "param_omitted_no_constraint",
+			omitParam:          true,
+			expectError:        false,
+			expectedMaxPathLen: -1,
+		},
+
+		// ----------------------------------------------------------------
+		// Explicit -1: "no constraint" — identical outcome to omitting the
+		// parameter; the generated certificate carries no pathLenConstraint.
+		// ----------------------------------------------------------------
+		{
+			name:               "explicit_neg1_no_constraint",
+			maxPathLength:      -1,
+			expectError:        false,
+			expectedMaxPathLen: -1,
+		},
+
+		// ----------------------------------------------------------------
+		// Explicit 0: pathLenConstraint=0 — the CA may not issue further
+		// intermediate CAs.  Vault should succeed but add a warning.
+		// ----------------------------------------------------------------
+		{
+			name:               "explicit_0_zero_constraint_with_warning",
+			maxPathLength:      0,
+			expectError:        false,
+			expectedMaxPathLen: 0,
+		},
+
+		// ----------------------------------------------------------------
+		// Explicit positive values: pathLenConstraint is set as requested.
+		// ----------------------------------------------------------------
+		{
+			name:               "explicit_1",
+			maxPathLength:      1,
+			expectError:        false,
+			expectedMaxPathLen: 1,
+		},
+		{
+			name:               "explicit_2",
+			maxPathLength:      2,
+			expectError:        false,
+			expectedMaxPathLen: 2,
+		},
+		{
+			name:               "explicit_5",
+			maxPathLength:      5,
+			expectError:        false,
+			expectedMaxPathLen: 5,
+		},
+
+		// ----------------------------------------------------------------
+		// Invalid values (< -1): the handler must reject these immediately.
+		// ----------------------------------------------------------------
+		{
+			name:          "invalid_neg2",
+			maxPathLength: -2,
+			expectError:   true,
+			errorContains: "max_path_length -2 is invalid",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			b, s := CreateBackendWithStorage(t)
+
+			params := map[string]interface{}{
+				"common_name": "root.example.com",
+				"ttl":         "87600h",
+				"key_type":    "ec",
+			}
+			if !tc.omitParam {
+				params["max_path_length"] = tc.maxPathLength
+			}
+
+			resp, err := CBWrite(b, s, "root/generate/internal", params)
+
+			if tc.expectError {
+				require.Error(t, err, "expected root/generate/internal to fail but it succeeded")
+				if tc.errorContains != "" {
+					require.Contains(t, err.Error(), tc.errorContains,
+						"error message did not contain expected text")
+				}
+				return
+			}
+
+			// Success path.
+			require.NoError(t, err, "expected root/generate/internal to succeed but it failed")
+			require.NotNil(t, resp, "expected non-nil response from root/generate/internal")
+			require.False(t, resp.IsError(), "root/generate/internal returned error response: %v", resp.Error())
+
+			// Parse the returned PEM certificate and verify BasicConstraints.
+			certPEM, ok := resp.Data["certificate"].(string)
+			require.True(t, ok, "response missing 'certificate' field")
+
+			cert := parseCert(t, certPEM)
+			require.True(t, cert.BasicConstraintsValid, "expected BasicConstraints to be set on root CA")
+			require.True(t, cert.IsCA, "expected IsCA to be true on root CA")
+
+			require.Equal(t, tc.expectedMaxPathLen, cert.MaxPathLen,
+				"certificate has unexpected MaxPathLen")
+			require.Equal(t, tc.expectedMaxPathLen == 0, cert.MaxPathLenZero,
+				"certificate has unexpected MaxPathLenZero")
+
+			// Check for the zero-path-length warning.
+			if tc.expectedMaxPathLen == 0 {
+				requireMaxPathLengthZeroWarning(t, resp.Warnings)
+			}
+		})
+	}
+}
+
+func requireMaxPathLengthZeroWarning(t testing.TB, warnings []string) {
+	t.Helper()
+	require.NotEmpty(t, warnings, "expected at least one warning for zero max_path_length")
+	foundWarning := false
+	for _, w := range warnings {
+		if strings.Contains(w, "Max path length of the generated certificate is zero") {
+			foundWarning = true
+			break
+		}
+	}
+	require.True(t, foundWarning, "expected warning about zero max path length, got warnings: %v", warnings)
+}
+
+// TestGenerateAndRotateRoot_PKCS12Format validates PKCS12 support for (internal and exported) root generation and rotation.
+// PKCS12 archives from exported endpoints should contain a private key and root certificate while
+// internal endpoints should only have the root certificate.
+func TestGenerateAndRotateRoot_PKCS12Format(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	var decryptPw string
+	buildData := func(omitPassword bool, encoder string) map[string]interface{} {
+		decryptPw = pkcs12.DefaultPassword
+		data := map[string]interface{}{
+			"format":      "pkcs12_bundle",
+			"common_name": "Root CA",
+			"ttl":         "87600h",
+			"key_type":    "ec",
+			"key_bits":    256,
+		}
+		if !omitPassword {
+			decryptPw = "secure-root-password"
+			data["pkcs12_password"] = "secure-root-password"
+		}
+		if encoder != "" {
+			data["pkcs12_encoder"] = encoder
+		}
+		return data
+	}
+
+	for _, p := range []string{"root/generate/", "root/rotate/"} {
+		testCases := []struct {
+			name         string
+			endpoint     string
+			encoder      string
+			omitPassword bool
+			shouldError  bool
+		}{
+			// exported
+			{name: "custom password", endpoint: "exported"},
+			{name: "default password", endpoint: "exported", omitPassword: true},
+			{name: "with modern2026 encoder", endpoint: "exported", encoder: "modern2026"},
+			{name: "with modern2023 encoder", endpoint: "exported", encoder: "modern2023"},
+			{name: "with invalid encoder", endpoint: "exported", encoder: "modern2020", shouldError: true},
+			// internal
+			{name: "custom password", endpoint: "internal"},
+			{name: "default password", endpoint: "internal", omitPassword: true},
+			{name: "with modern2026 encoder", endpoint: "internal", encoder: "modern2026"},
+			{name: "with modern2023 encoder", endpoint: "internal", encoder: "modern2023"},
+			{name: "with invalid encoder", endpoint: "internal", encoder: "modern2020", shouldError: true},
+		}
+		for _, tc := range testCases {
+			path := p + tc.endpoint
+			name := fmt.Sprintf("endpoint=%q %s", path, tc.name)
+
+			t.Run(name, func(t *testing.T) {
+				resp, err := CBWrite(b, s, path, buildData(tc.omitPassword, tc.encoder))
+				pkcs12Bytes := verifyAndDecodePKCS12(t, path, resp, err, tc.shouldError)
+				if tc.shouldError {
+					return
+				}
+
+				if tc.endpoint == "exported" {
+					_, cert, caCerts := requireDecodesPKCS12Chain(t, pkcs12Bytes, decryptPw)
+					require.Equal(t, "Root CA", cert.Subject.CommonName)
+					require.True(t, cert.IsCA, "should be a CA certificate")
+					// The root certificate itself is in 'cert', not in 'caCerts'
+					require.Len(t, caCerts, 0, "should have no CA chain because root is self-signed")
+				} else {
+					// Validate PKCS12 trust store for internal root: contains only certificates (no private key)
+					certs := requireDecodesPKCS12TrustStore(t, pkcs12Bytes, decryptPw)
+					require.Len(t, certs, 1, "should have no additional certs because root is self-signed")
+					// First cert should be the root
+					require.True(t, certs[0].IsCA, "cert should be a CA")
+					require.Equal(t, "Root CA", certs[0].Subject.CommonName)
+					requireSignedBy(t, certs[0], certs[0])
+				}
+			})
+		}
+	}
+}
+
+// TestGenerateAndRotateRoot_JKSFormat validates JKS support for (internal and exported) root generation and rotation.
+// JKS archives from exported endpoints should contain a private key and root certificate while
+// internal endpoints should only have the root certificate.
+func TestGenerateAndRotateRoot_JKSFormat(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	var decryptPw string
+	buildData := func(alias string, password string) map[string]interface{} {
+		decryptPw = pkcs12.DefaultPassword
+		data := map[string]interface{}{
+			"format":      "jks_bundle",
+			"common_name": "Root CA",
+			"key_type":    "ec",
+			"key_bits":    256,
+		}
+		if alias != "" {
+			data["jks_private_key_alias"] = alias
+		}
+		if password != "" {
+			decryptPw = password
+			data["jks_password"] = password
+		}
+		return data
+	}
+
+	for _, p := range []string{"root/generate/", "root/rotate/"} {
+		testCases := []struct {
+			name            string
+			endpoint        string
+			alias           string
+			password        string
+			expectedAliases []string
+		}{
+			// exported
+			{name: "default password and alias", endpoint: "exported"},
+			{name: "custom alias and password", endpoint: "exported", alias: "myapp", password: "my-very-secure-password"},
+			// internal
+			{name: "default password and alias", endpoint: "internal", expectedAliases: []string{"1"}},
+			{name: "custom alias and password", endpoint: "internal", alias: "myapp", expectedAliases: []string{"1"}, password: "my-very-secure-password"},
+		}
+		for _, tc := range testCases {
+			path := p + tc.endpoint
+			name := fmt.Sprintf("endpoint=%q %s", path, tc.name)
+
+			t.Run(name, func(t *testing.T) {
+				data := buildData(tc.alias, tc.password)
+				resp, err := CBWrite(b, s, path, data)
+				jksBytes := verifyAndDecodeJKS(t, path, resp, err)
+
+				// If exported then JKS bundle should be a PrivateKeyEntry
+				if tc.endpoint == "exported" {
+					expectedAlias := tc.alias
+					if expectedAlias == "" {
+						// Alias should be default if unset
+						expectedAlias = "1"
+					}
+					_, cert, caCerts := requireDecodesJKSChain(t, jksBytes, decryptPw, expectedAlias)
+					require.Equal(t, "Root CA", cert.Subject.CommonName)
+					require.True(t, cert.IsCA, "should be a CA certificate")
+					// The root certificate itself is in 'cert', not in 'caCerts'
+					require.Len(t, caCerts, 0, "should have no CA chain because root is self-signed")
+				} else {
+					// Validate JKS trust store for internal root: contains only certificates (no private key)
+					certs := requireDecodesJKSTrustStore(t, jksBytes, decryptPw, tc.expectedAliases)
+					require.Len(t, certs, 1, "should have no additional certs because root is self-signed")
+					// First cert should be the root
+					require.True(t, certs[0].IsCA, "cert should be a CA")
+					require.Equal(t, "Root CA", certs[0].Subject.CommonName)
+					requireSignedBy(t, certs[0], certs[0])
+				}
+			})
+		}
+	}
+}
+
+// TestGenerateAndRotateRoot_FormatValidation validates that empty format string and invalid encoders are rejected
+func TestGenerateAndRotateRoot_FormatValidation(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	tcEmptyFormat := []struct {
+		name     string
+		endpoint string
+		format   string
+	}{
+		{name: "generate empty format", endpoint: "root/generate/exported", format: ""},
+		{name: "rotate empty format", endpoint: "root/rotate/exported", format: ""},
+	}
+
+	for _, tc := range tcEmptyFormat {
+		t.Run(tc.endpoint, func(t *testing.T) {
+			_, err := CBWrite(b, s, tc.endpoint, map[string]interface{}{
+				"common_name": "Root CA",
+				"format":      "",
+				"key_type":    "ec",
+			})
+			require.Error(t, err)
+			require.Contains(t, err.Error(), `the "format" parameter must be "pem", "der", "pem_bundle", "pkcs12_bundle" or "jks_bundle"`)
+		})
+	}
+
+	tcInvalidEncoder := []struct {
+		name     string
+		endpoint string
+		encoder  string
+	}{
+		{name: "generate invalid format", endpoint: "root/generate/exported", encoder: "invalid"},
+		{name: "rotate invalid format", endpoint: "root/rotate/exported", encoder: "invalid"},
+	}
+
+	for _, tc := range tcInvalidEncoder {
+		t.Run(tc.endpoint, func(t *testing.T) {
+			_, err := CBWrite(b, s, tc.endpoint, map[string]interface{}{
+				"common_name":    "Root CA",
+				"format":         "pkcs12_bundle",
+				"pkcs12_encoder": tc.encoder,
+				"key_type":       "ec",
+			})
+			require.Error(t, err)
+			require.Contains(t, err.Error(), `invalid "pkcs12_encoder" parameter: encoder must be "modern2026" or "modern2023"; received: "invalid"`)
+		})
+	}
+}
diff --git a/builtin/logical/pki/path_intermediate.go b/builtin/logical/pki/path_intermediate.go
index cdc10578da..9a492867a3 100644
--- a/builtin/logical/pki/path_intermediate.go
+++ b/builtin/logical/pki/path_intermediate.go
@@ -121,19 +121,25 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 	}
 	data.Raw["use_pss"] = false
 
+	resp := &logical.Response{
+		Data: map[string]interface{}{},
+	}
+
 	sc := b.makeStorageContext(ctx, req.Storage)
-	exported, format, role, errorResp := getGenerationParams(sc, data, false)
+	genParams, warnings, errorResp := getCAGenerationParams(sc, data, false)
 	if errorResp != nil {
 		return errorResp, nil
 	}
+	if len(warnings) > 0 {
+		resp.Warnings = append(resp.Warnings, warnings...)
+	}
 
 	keyName, err := getKeyName(sc, data)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
-	var resp *logical.Response
 	input := &inputBundle{
-		role:    role,
+		role:    genParams.role,
 		req:     req,
 		apiData: data,
 	}
@@ -153,10 +159,6 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 		return nil, fmt.Errorf("error converting raw CSR bundle to CSR bundle: %w", err)
 	}
 
-	resp = &logical.Response{
-		Data: map[string]interface{}{},
-	}
-
 	entries, err := getGlobalAIAURLs(ctx, req.Storage)
 	if err == nil && len(entries.OCSPServers) == 0 && len(entries.IssuingCertificates) == 0 &&
 		len(entries.CRLDistributionPoints) == 0 && len(entries.DeltaCRLDistributionPoints) == 0 {
@@ -170,17 +172,17 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 		resp.AddWarning("This mount has configured delta crl distribution points but no base crl distribution points were set.")
 	}
 
-	switch format {
+	switch genParams.format {
 	case "pem":
 		resp.Data["csr"] = csrb.CSR
-		if exported {
+		if genParams.exported {
 			resp.Data["private_key"] = csrb.PrivateKey
 			resp.Data["private_key_type"] = csrb.PrivateKeyType
 		}
 
 	case "pem_bundle":
 		resp.Data["csr"] = csrb.CSR
-		if exported {
+		if genParams.exported {
 			resp.Data["csr"] = fmt.Sprintf("%s\n%s", csrb.PrivateKey, csrb.CSR)
 			resp.Data["private_key"] = csrb.PrivateKey
 			resp.Data["private_key_type"] = csrb.PrivateKeyType
@@ -188,12 +190,12 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 
 	case "der":
 		resp.Data["csr"] = base64.StdEncoding.EncodeToString(parsedBundle.CSRBytes)
-		if exported {
+		if genParams.exported {
 			resp.Data["private_key"] = base64.StdEncoding.EncodeToString(parsedBundle.PrivateKeyBytes)
 			resp.Data["private_key_type"] = csrb.PrivateKeyType
 		}
 	default:
-		return nil, fmt.Errorf("unsupported format argument: %s", format)
+		return nil, fmt.Errorf("unsupported format argument: %s", genParams.format)
 	}
 
 	if data.Get("private_key_format").(string) == "pkcs8" {
@@ -215,9 +217,9 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 		observe.NewAdditionalPKIMetadata("key_id", myKey.ID),
 		observe.NewAdditionalPKIMetadata("key_name", myKey.Name),
 		observe.NewAdditionalPKIMetadata("key_type", myKey.PrivateKeyType),
-		observe.NewAdditionalPKIMetadata("role_name", role.Name),
-		observe.NewAdditionalPKIMetadata("exported", exported),
-		observe.NewAdditionalPKIMetadata("type", format))
+		observe.NewAdditionalPKIMetadata("role_name", genParams.role.Name),
+		observe.NewAdditionalPKIMetadata("exported", genParams.exported),
+		observe.NewAdditionalPKIMetadata("type", genParams.format))
 
 	return resp, nil
 }
diff --git a/builtin/logical/pki/path_intermediate_test.go b/builtin/logical/pki/path_intermediate_test.go
new file mode 100644
index 0000000000..393235f972
--- /dev/null
+++ b/builtin/logical/pki/path_intermediate_test.go
@@ -0,0 +1,66 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestGenerateIntermediate_FormatParam validates that CSR generation
+// only supports valid formats and does NOT support PKCS#12 since there's no certificate to bundle
+func TestGenerateIntermediate_FormatParam(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+	testCases := []struct {
+		endpoint   string
+		format     string
+		isValid    bool
+		omitFormat bool
+	}{
+		{endpoint: "intermediate/generate/internal", format: "pkcs12_bundle"},
+		{endpoint: "intermediate/generate/exported", format: "pkcs12_bundle"},
+		{endpoint: "issuers/generate/intermediate/internal", format: "pkcs12_bundle"},
+		{endpoint: "issuers/generate/intermediate/exported", format: "pkcs12_bundle"},
+
+		{endpoint: "intermediate/generate/internal", format: "invalid"},
+		{endpoint: "intermediate/generate/exported", format: "invalid"},
+		{endpoint: "issuers/generate/intermediate/internal", format: "invalid"},
+		{endpoint: "issuers/generate/intermediate/exported", format: "invalid"},
+
+		{endpoint: "intermediate/generate/internal", format: ""},
+		{endpoint: "intermediate/generate/exported", format: ""},
+		{endpoint: "issuers/generate/intermediate/internal", format: ""},
+		{endpoint: "issuers/generate/intermediate/exported", format: ""},
+
+		{endpoint: "intermediate/generate/internal", omitFormat: true},
+		{endpoint: "intermediate/generate/exported", omitFormat: true},
+		{endpoint: "issuers/generate/intermediate/internal", omitFormat: true},
+		{endpoint: "issuers/generate/intermediate/exported", omitFormat: true},
+	}
+	for _, tc := range testCases {
+		name := fmt.Sprintf("endpoint=%s format=%s", tc.endpoint, tc.format)
+		t.Run(name, func(t *testing.T) {
+			// Attempt to generate intermediate CSR with various formats
+			data := map[string]interface{}{
+				"common_name": "Intermediate CA",
+				"key_type":    "ec",
+				"key_bits":    256,
+			}
+			if !tc.omitFormat {
+				data["format"] = tc.format
+			}
+			_, err := CBWrite(b, s, tc.endpoint, data)
+
+			if tc.omitFormat {
+				require.NoError(t, err)
+			} else {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), `the "format" parameter must be "pem", "der" or "pem_bundle"`)
+			}
+		})
+	}
+}
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 1c6e05f481..816cfa692f 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -111,6 +111,7 @@ func buildPathIssue(b *backend, pattern string, displayAttrs *framework.DisplayA
 	}
 
 	ret.Fields = addNonCACommonFields(map[string]*framework.FieldSchema{})
+	ret.Fields = addJKSPrivateKeyAlias(ret.Fields)
 	return ret
 }
 
@@ -405,7 +406,15 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 	format := getFormat(data)
 	if format == "" {
 		return logical.ErrorResponse(
-			`the "format" path parameter must be "pem", "der", or "pem_bundle"`), nil
+			`the "format" parameter must be "pem", "der", "pem_bundle", "pkcs12_bundle" or "jks_bundle"`), nil
+	}
+
+	if format == "pkcs12_bundle" {
+		// Cast to encoder type and validate it is a permitted value
+		_, err := validatePKCS12Encoder(data.Get("pkcs12_encoder").(string))
+		if err != nil {
+			return logical.ErrorResponse(`invalid "pkcs12_encoder" parameter: %v`, err), nil
+		}
 	}
 
 	var caErr error
@@ -617,6 +626,36 @@ func signIssueApiResponse(b *backend, data *framework.FieldData, parsedBundle *c
 			respData["private_key"] = base64.StdEncoding.EncodeToString(parsedBundle.PrivateKeyBytes)
 			respData["private_key_type"] = cb.PrivateKeyType
 		}
+
+	case "pkcs12_bundle":
+		password := data.Get("pkcs12_password").(string)
+		encoder := data.Get("pkcs12_encoder").(string)
+		caCerts := x509Certificates(caChainGen.chain)
+		// Pass parsedBundle.PrivateKey as is. It should be nil for signed certs and set for issued certs.
+		pkcs12Bytes, err := EncodeToPKCS12(encoder, parsedBundle.PrivateKey, parsedBundle.Certificate, caCerts, password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode to PKCS#12 format: %w", err)
+		}
+		respData["certificate"] = base64.StdEncoding.EncodeToString(pkcs12Bytes)
+		respData["issuing_ca"] = signingCB.Certificate
+
+	case "jks_bundle":
+		var alias string
+		if _, ok := data.Schema["jks_private_key_alias"]; ok {
+			// Issue endpoints define jks_private_key_alias (defaults to "1")
+			// Sign endpoints do not define this field, so alias stays empty.
+			alias = data.Get("jks_private_key_alias").(string)
+		}
+		password := data.Get("jks_password").(string)
+		caCerts := x509Certificates(caChainGen.chain)
+		// Pass parsedBundle.PrivateKey as is. It should be nil for signed certs and set for issued certs.
+		jksBytes, err := EncodeToJKS(parsedBundle.PrivateKey, parsedBundle.Certificate, caCerts, alias, password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode to JKS format: %w", err)
+		}
+		respData["certificate"] = base64.StdEncoding.EncodeToString(jksBytes)
+		respData["issuing_ca"] = signingCB.Certificate
+
 	default:
 		return nil, fmt.Errorf("unsupported format: %s", format)
 	}
@@ -695,7 +734,7 @@ func (b *backend) issueSignEmptyCert(ctx context.Context, req *logical.Request,
 		KeyType:           "ec", // We need more tests with "ec"
 	}
 	schema := map[string]*framework.FieldSchema{}
-	schema = addNonCACommonFields(addIssueAndSignCommonFields(schema))
+	schema = addNonCACommonFields(schema)
 	emptyData := &framework.FieldData{
 		Raw: map[string]interface{}{
 			"ttl":        "300s",
diff --git a/builtin/logical/pki/path_issue_sign_test.go b/builtin/logical/pki/path_issue_sign_test.go
index 009e8501b6..9f6f92b161 100644
--- a/builtin/logical/pki/path_issue_sign_test.go
+++ b/builtin/logical/pki/path_issue_sign_test.go
@@ -6,13 +6,16 @@ package pki
 import (
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
 	"slices"
 	"strconv"
 	"strings"
 	"testing"
 
+	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/stretchr/testify/require"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 // TestPathIssueSign_KeyTypeAny is a regression test.  At one point, the signature bits
@@ -163,6 +166,483 @@ func signingBits(alg x509.SignatureAlgorithm) int {
 	}
 }
 
+// TestPathIssueSign_PKCS12Format validates PKCS12 output for /issue and /sign endpoints:
+// - /issue: PKCS12 contains private key, issued cert, and CA chain
+// - /sign: PKCS12 trust store (no private key), signed cert, and CA chain
+// This test checks encoder parameter handling and basic structure. Interoperability and encryption
+// are covered in TestPKCS12OpenSSLValidation and TestPKCS12AndJKSJavaValidation.
+func TestPathIssueSign_PKCS12Format(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Import a CA certificate for test setup
+	resp, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": ec256CaAndKey,
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Get root cert data for tests with intermediate issuer
+	issuers := resp.Data["imported_issuers"].([]string)
+	issuerID := issuers[0]
+	resp, err = CBRead(b, s, "issuer/"+issuerID)
+	requireSuccessNonNilResponse(t, resp, err)
+	rootData := resp.Data
+	rootCert := rootData["certificate"].(string)
+
+	// Create a role that allows issuing/signing certificates
+	resp, err = CBWrite(b, s, "roles/test-role", map[string]interface{}{
+		"allow_any_name": true,
+		"max_ttl":        "2h",
+		"key_type":       "ec",
+		"key_bits":       "256",
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Assert invalid format fails
+	_, err = CBWrite(b, s, "issue/test-role", map[string]interface{}{
+		"format":      "invalid",
+		"common_name": "test.example.com",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), `the "format" parameter must be "pem", "der", "pem_bundle", "pkcs12_bundle" or "jks_bundle"`)
+
+	// Parse PEM bundle and CSR for validation
+	expectedRoot, err := certutil.ParsePEMBundle(ec256CaAndKey)
+	require.NoError(t, err)
+	block, _ := pem.Decode([]byte(ec256leafCsr))
+	require.NotNil(t, block)
+	expectedCSR, err := x509.ParseCertificateRequest(block.Bytes)
+	require.NoError(t, err)
+
+	buildData := func(password string, omitPassword bool, removeRoot bool, encoder string) map[string]interface{} {
+		data := map[string]interface{}{
+			"format":      "pkcs12_bundle",
+			"common_name": "test.example.com",
+		}
+		if !omitPassword {
+			data["pkcs12_password"] = password
+		}
+		if removeRoot {
+			data["remove_roots_from_chain"] = true
+		}
+		if encoder != "" {
+			data["pkcs12_encoder"] = encoder
+		}
+		return data
+	}
+
+	t.Run("issue", func(t *testing.T) {
+		testCases := []struct {
+			name         string
+			encoder      string
+			omitPassword bool
+			password     string
+			removeRoot   bool
+			shouldError  bool
+		}{
+			{name: "custom password", password: "123-secure-password"},
+			{name: "default password", password: pkcs12.DefaultPassword, omitPassword: true},
+			{name: "empty password", password: ""},
+			{name: "without CA chain", password: "123-secure-password", removeRoot: true},
+			{name: "with modern2026 encoder", password: "123-secure-password", encoder: "modern2026"},
+			{name: "with modern2023 encoder", password: "123-secure-password", encoder: "modern2023"},
+			{name: "with invalid encoder", encoder: "modern2020", shouldError: true},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				data := buildData(tc.password, tc.omitPassword, tc.removeRoot, tc.encoder)
+				resp, err := CBWrite(b, s, "issue/test-role", data)
+				pkcs12Bytes := verifyAndDecodePKCS12(t, "issue/test-role", resp, err, tc.shouldError)
+
+				if !tc.shouldError {
+					_, cert, caCerts := requireDecodesPKCS12Chain(t, pkcs12Bytes, tc.password)
+
+					require.False(t, cert.IsCA, "leaf should not be CA")
+					if tc.removeRoot {
+						require.Len(t, caCerts, 0, "should have no CA cert when remove_roots_from_chain is true")
+					} else {
+						require.Len(t, caCerts, 1, "should have single cert in CA chain")
+						require.True(t, caCerts[0].IsCA, "cert should be CA")
+						require.Equal(t, expectedRoot.Certificate.Subject.CommonName, caCerts[0].Subject.CommonName)
+					}
+				}
+			})
+		}
+	})
+
+	t.Run("sign", func(t *testing.T) {
+		testCases := []struct {
+			name        string
+			encoder     string
+			endpoint    string
+			removeRoot  bool
+			shouldError bool
+		}{
+			{name: "sign", endpoint: "sign"},
+			{name: "sign verbatim", endpoint: "sign-verbatim"},
+			{name: "sign without CA chain", endpoint: "sign", removeRoot: true},
+			{name: "with modern2026 encoder", endpoint: "sign", encoder: "modern2026"},
+			{name: "with modern2023 encoder", endpoint: "sign", encoder: "modern2023"},
+			{name: "with invalid encoder", endpoint: "sign", encoder: "modern2020", shouldError: true},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				password := "123-secure-password"
+				data := buildData(password, false, tc.removeRoot, tc.encoder)
+				data["csr"] = ec256leafCsr
+				path := tc.endpoint + "/test-role"
+				resp, err := CBWrite(b, s, path, data)
+				pkcs12Bytes := verifyAndDecodePKCS12(t, path, resp, err, tc.shouldError)
+
+				if !tc.shouldError {
+					certs := requireDecodesPKCS12TrustStore(t, pkcs12Bytes, password)
+					require.False(t, certs[0].IsCA, "first cert should be leaf (not CA)")
+					require.Equal(t, expectedCSR.RawSubjectPublicKeyInfo, certs[0].RawSubjectPublicKeyInfo, "first cert should contain CSR public key")
+					require.Equal(t, expectedRoot.Certificate.Subject, certs[0].Issuer, "first should be issued by the expected CA")
+
+					if tc.removeRoot {
+						require.Len(t, certs, 1, "bundle should only contain leaf cert when remove_roots_from_chain is true")
+					} else {
+						require.Len(t, certs, 2, "bundle should contain leaf + CA")
+						require.True(t, certs[1].IsCA, "last cert should be CA")
+						require.Equal(t, expectedRoot.Certificate.Subject, certs[1].Subject, "last cert should match the expected CA certificate")
+					}
+				}
+			})
+		}
+	})
+
+	t.Run("with intermediate issuer", func(t *testing.T) {
+		// Setup an intermediate, signed by the root.
+		b_int, s_int := CreateBackendWithStorage(t)
+		resp, err = CBWrite(b_int, s_int, "intermediate/generate/exported", map[string]interface{}{
+			"common_name": "intermediate myvault.com",
+			"key_type":    "ec",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+		intermediateData := resp.Data
+		resp, err = CBWrite(b, s, "root/sign-intermediate", map[string]interface{}{
+			"csr":    intermediateData["csr"],
+			"format": "pem",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+		intermediateSignedData := resp.Data
+		intermediateCert := intermediateSignedData["certificate"].(string)
+		resp, err = CBWrite(b_int, s_int, "intermediate/set-signed", map[string]interface{}{
+			"certificate": intermediateCert + "\n" + rootCert + "\n",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+		// Setup role for signing certs
+		resp, err = CBWrite(b_int, s_int, "roles/test-role", map[string]interface{}{
+			"allow_any_name": true,
+			"key_type":       "ec",
+			"key_bits":       "256",
+			"max_ttl":        "2h",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+
+		testCases := []struct {
+			name       string
+			endpoint   string
+			removeRoot bool
+		}{
+			{name: "sign", endpoint: "sign"},
+			{name: "sign without root", endpoint: "sign", removeRoot: true},
+			{name: "issue", endpoint: "issue"},
+			{name: "issue without root", endpoint: "issue", removeRoot: true},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				password := "123-secure-password"
+				data := buildData(password, false, tc.removeRoot, "")
+				if tc.endpoint == "sign" {
+					data["csr"] = ec256leafCsr
+				}
+				path := tc.endpoint + "/test-role"
+				resp, err := CBWrite(b_int, s_int, path, data)
+				pkcs12Bytes := verifyAndDecodePKCS12(t, path, resp, err, false)
+
+				if tc.endpoint == "issue" {
+					_, cert, caCerts := requireDecodesPKCS12Chain(t, pkcs12Bytes, password)
+					require.False(t, cert.IsCA, "leaf should not be CA")
+
+					if tc.removeRoot {
+						require.Len(t, caCerts, 1, "should have one CA cert when remove_roots_from_chain is true")
+						require.True(t, caCerts[0].IsCA, "cert should be CA")
+					} else {
+						require.Len(t, caCerts, 2, "should have two certs in CA chain")
+						require.True(t, caCerts[0].IsCA, "cert should be CA")
+						require.True(t, caCerts[1].IsCA, "cert should be CA")
+						require.Equal(t, expectedRoot.Certificate.Subject.CommonName, caCerts[1].Subject.CommonName)
+
+					}
+				}
+
+				if tc.endpoint == "sign" {
+					certs := requireDecodesPKCS12TrustStore(t, pkcs12Bytes, password)
+					// Verify first cert is the leaf
+					require.False(t, certs[0].IsCA, "first cert should be leaf (not CA)")
+					require.Equal(t, expectedCSR.RawSubjectPublicKeyInfo, certs[0].RawSubjectPublicKeyInfo, "first cert should contain CSR public key")
+
+					if tc.removeRoot {
+						require.Len(t, certs, 2, "should have leaf + intermediate (no root)")
+						require.True(t, certs[1].IsCA, "second cert should be CA")
+						require.Equal(t, certs[1].Subject, certs[0].Issuer, "leaf should be issued by intermediate")
+					} else {
+						require.Len(t, certs, 3, "should have leaf + intermediate + root")
+						require.True(t, certs[1].IsCA, "second cert should be CA")
+						require.Equal(t, certs[1].Subject, certs[0].Issuer, "leaf should be issued by intermediate")
+						require.True(t, certs[2].IsCA, "third cert should be CA")
+						require.Equal(t, certs[2].Subject, certs[1].Issuer, "intermediate should be issued by root")
+						requireSignedBy(t, certs[0], certs[1])
+						requireSignedBy(t, certs[1], certs[2])
+						// Verify root is self-signed
+						requireSignedBy(t, certs[2], certs[2])
+					}
+				}
+			})
+		}
+	})
+}
+
+// TestPathIssueSign_JKSFormat validates JKS (java keystore) output for /issue and /sign endpoints:
+// - /issue: JKS contains private key, issued cert, and CA chain
+// - /sign: JKS trust store (no private key), signed cert, and CA chain
+// This test checks encoder parameter handling and basic structure.
+// Interoperability is covered in TestPKCS12AndJKSJavaValidation.
+func TestPathIssueSign_JKSFormat(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Import a CA certificate for test setup
+	resp, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
+		"pem_bundle": ec256CaAndKey,
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Get root cert data for tests with intermediate issuer
+	issuers := resp.Data["imported_issuers"].([]string)
+	issuerID := issuers[0]
+	resp, err = CBRead(b, s, "issuer/"+issuerID)
+	requireSuccessNonNilResponse(t, resp, err)
+	rootData := resp.Data
+	rootCert := rootData["certificate"].(string)
+
+	// Create a role that allows issuing/signing certificates
+	resp, err = CBWrite(b, s, "roles/test-role", map[string]interface{}{
+		"allow_any_name": true,
+		"max_ttl":        "2h",
+		"key_type":       "ec",
+		"key_bits":       "256",
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Parse PEM bundle and CSR for validation
+	expectedRoot, err := certutil.ParsePEMBundle(ec256CaAndKey)
+	require.NoError(t, err)
+	block, _ := pem.Decode([]byte(ec256leafCsr))
+	require.NotNil(t, block)
+	expectedCSR, err := x509.ParseCertificateRequest(block.Bytes)
+	require.NoError(t, err)
+
+	buildData := func(password string, omitPassword bool, removeRoot bool, alias string) map[string]interface{} {
+		data := map[string]interface{}{
+			"format":      "jks_bundle",
+			"common_name": "test.example.com",
+		}
+		if !omitPassword {
+			data["jks_password"] = password
+		}
+		if removeRoot {
+			data["remove_roots_from_chain"] = true
+		}
+		if alias != "" {
+			data["jks_private_key_alias"] = alias
+		}
+		return data
+	}
+
+	t.Run("issue", func(t *testing.T) {
+		testCases := []struct {
+			name         string
+			alias        string
+			omitPassword bool
+			password     string
+			removeRoot   bool
+		}{
+			{name: "default password and alias", password: pkcs12.DefaultPassword, omitPassword: true},
+			{name: "empty password", password: ""},
+			{name: "without CA chain", password: "123-secure-password", removeRoot: true},
+			{name: "with custom password and alias", password: "123-secure-password", alias: "myapp"},
+			{name: "with custom numeric alias", password: "123-secure-password", alias: "5"},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				data := buildData(tc.password, tc.omitPassword, tc.removeRoot, tc.alias)
+				resp, err := CBWrite(b, s, "issue/test-role", data)
+				jksBytes := verifyAndDecodeJKS(t, "issue/test-role", resp, err)
+
+				expectedAlias := tc.alias
+				if expectedAlias == "" {
+					// Alias should be default if unset
+					expectedAlias = "1"
+				}
+
+				_, cert, caCerts := requireDecodesJKSChain(t, jksBytes, tc.password, expectedAlias)
+				require.False(t, cert.IsCA, "leaf should not be CA")
+				if tc.removeRoot {
+					require.Len(t, caCerts, 0, "should have no CA cert when remove_roots_from_chain is true")
+				} else {
+					require.Len(t, caCerts, 1, "should have single cert in CA chain")
+					require.True(t, caCerts[0].IsCA, "cert should be CA")
+					require.Equal(t, expectedRoot.Certificate.Subject.CommonName, caCerts[0].Subject.CommonName)
+				}
+			})
+		}
+	})
+
+	t.Run("sign", func(t *testing.T) {
+		testCases := []struct {
+			name            string
+			alias           string
+			expectedAliases []string
+			endpoint        string
+			removeRoot      bool
+		}{
+			{name: "with defaults", endpoint: "sign", expectedAliases: []string{"1", "2"}},
+			{name: "verbatim with defaults", endpoint: "sign-verbatim", expectedAliases: []string{"1", "2"}},
+			{name: "without CA chain", endpoint: "sign", removeRoot: true, expectedAliases: []string{"1"}},
+			// jks_private_key_alias should be ignored
+			{name: "with numeric alias", endpoint: "sign", alias: "3", expectedAliases: []string{"1", "2"}},
+			{name: "with non-numeric alias", endpoint: "sign", alias: "myapp", expectedAliases: []string{"1", "2"}},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				password := "123-secure-password"
+				data := buildData(password, false, tc.removeRoot, tc.alias)
+				data["csr"] = ec256leafCsr
+				path := tc.endpoint + "/test-role"
+				resp, err := CBWrite(b, s, path, data)
+				jksBytes := verifyAndDecodeJKS(t, path, resp, err)
+
+				certs := requireDecodesJKSTrustStore(t, jksBytes, password, tc.expectedAliases)
+				require.False(t, certs[0].IsCA, "first cert should be leaf (not CA)")
+				require.Equal(t, expectedCSR.RawSubjectPublicKeyInfo, certs[0].RawSubjectPublicKeyInfo, "first cert should contain CSR public key")
+				require.Equal(t, expectedRoot.Certificate.Subject, certs[0].Issuer, "first should be issued by the expected CA")
+
+				if tc.removeRoot {
+					require.Len(t, certs, 1, "bundle should only contain leaf cert when remove_roots_from_chain is true")
+				} else {
+					require.Len(t, certs, 2, "bundle should contain leaf + CA")
+					require.True(t, certs[1].IsCA, "last cert should be CA")
+					require.Equal(t, expectedRoot.Certificate.Subject, certs[1].Subject, "last cert should match the expected CA certificate")
+				}
+			})
+		}
+	})
+
+	t.Run("with intermediate issuer", func(t *testing.T) {
+		// Setup an intermediate, signed by the root.
+		b_int, s_int := CreateBackendWithStorage(t)
+		resp, err = CBWrite(b_int, s_int, "intermediate/generate/exported", map[string]interface{}{
+			"common_name": "intermediate myvault.com",
+			"key_type":    "ec",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+		intermediateData := resp.Data
+		resp, err = CBWrite(b, s, "root/sign-intermediate", map[string]interface{}{
+			"csr":    intermediateData["csr"],
+			"format": "pem",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+		intermediateSignedData := resp.Data
+		intermediateCert := intermediateSignedData["certificate"].(string)
+		resp, err = CBWrite(b_int, s_int, "intermediate/set-signed", map[string]interface{}{
+			"certificate": intermediateCert + "\n" + rootCert + "\n",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+		// Setup role for signing certs
+		resp, err = CBWrite(b_int, s_int, "roles/test-role", map[string]interface{}{
+			"allow_any_name": true,
+			"key_type":       "ec",
+			"key_bits":       "256",
+			"max_ttl":        "2h",
+		})
+		requireSuccessNonNilResponse(t, resp, err)
+
+		testCases := []struct {
+			name       string
+			endpoint   string
+			removeRoot bool
+		}{
+			{name: "sign", endpoint: "sign"},
+			{name: "sign without root", endpoint: "sign", removeRoot: true},
+			{name: "issue", endpoint: "issue"},
+			{name: "issue without root", endpoint: "issue", removeRoot: true},
+		}
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				password := "123-secure-password"
+				data := buildData(password, false, tc.removeRoot, "")
+				if tc.endpoint == "sign" {
+					data["csr"] = ec256leafCsr
+				}
+				path := tc.endpoint + "/test-role"
+				resp, err := CBWrite(b_int, s_int, path, data)
+				jksBytes := verifyAndDecodeJKS(t, path, resp, err)
+
+				if tc.endpoint == "issue" {
+					_, cert, caCerts := requireDecodesJKSChain(t, jksBytes, password, "1")
+					require.False(t, cert.IsCA, "leaf should not be CA")
+
+					if tc.removeRoot {
+						require.Len(t, caCerts, 1, "should have one CA cert when remove_roots_from_chain is true")
+						require.True(t, caCerts[0].IsCA, "cert should be CA")
+					} else {
+						require.Len(t, caCerts, 2, "should have two certs in CA chain")
+						require.True(t, caCerts[0].IsCA, "cert should be CA")
+						require.True(t, caCerts[1].IsCA, "cert should be CA")
+						require.Equal(t, expectedRoot.Certificate.Subject.CommonName, caCerts[1].Subject.CommonName)
+
+					}
+				}
+
+				if tc.endpoint == "sign" {
+					expectedAliases := []string{"1", "2", "3"}
+					if tc.removeRoot {
+						expectedAliases = []string{"1", "2"}
+					}
+					certs := requireDecodesJKSTrustStore(t, jksBytes, password, expectedAliases)
+					// Verify first cert is the leaf
+					require.False(t, certs[0].IsCA, "first cert should be leaf (not CA)")
+					require.Equal(t, expectedCSR.RawSubjectPublicKeyInfo, certs[0].RawSubjectPublicKeyInfo, "first cert should contain CSR public key")
+
+					if tc.removeRoot {
+						require.Len(t, certs, 2, "should have leaf + intermediate (no root)")
+						require.True(t, certs[1].IsCA, "second cert should be CA")
+						require.Equal(t, certs[1].Subject, certs[0].Issuer, "leaf should be issued by intermediate")
+					} else {
+						require.Len(t, certs, 3, "should have leaf + intermediate + root")
+						require.True(t, certs[1].IsCA, "second cert should be CA")
+						require.Equal(t, certs[1].Subject, certs[0].Issuer, "leaf should be issued by intermediate")
+						require.True(t, certs[2].IsCA, "third cert should be CA")
+						require.Equal(t, certs[2].Subject, certs[1].Issuer, "intermediate should be issued by root")
+						requireSignedBy(t, certs[0], certs[1])
+						requireSignedBy(t, certs[1], certs[2])
+						// Verify root is self-signed
+						requireSignedBy(t, certs[2], certs[2])
+					}
+				}
+			})
+		}
+	})
+}
+
 // RSA keys (and certificates to a lesser degree) are very slow to generate which is
 // inconvenient for testing; so these have been pre-generated.  They are valid for
 // 100 years; so shouldn't expire.  They were generated with the following code (and
diff --git a/builtin/logical/pki/path_manage_issuers.go b/builtin/logical/pki/path_manage_issuers.go
index 45d875d00a..c42d57379d 100644
--- a/builtin/logical/pki/path_manage_issuers.go
+++ b/builtin/logical/pki/path_manage_issuers.go
@@ -115,10 +115,11 @@ func buildPathGenerateRoot(b *backend, pattern string, displayAttrs *framework.D
 		HelpDescription: pathGenerateRootHelpDesc,
 	}
 
-	ret.Fields = addCACommonFields(map[string]*framework.FieldSchema{})
+	ret.Fields = addCACommonFields(map[string]*framework.FieldSchema{}, supportedFormats(true))
 	ret.Fields = addCAKeyGenerationFields(ret.Fields)
 	ret.Fields = addCAIssueFields(ret.Fields)
 	ret.Fields = addCACertKeyUsage(ret.Fields)
+	ret.Fields = addJKSPrivateKeyAlias(ret.Fields)
 	return ret
 }
 
@@ -190,7 +191,8 @@ func buildPathGenerateIntermediate(b *backend, pattern string, displayAttrs *fra
 		HelpDescription: pathGenerateIntermediateHelpDesc,
 	}
 
-	ret.Fields = addCACommonFields(map[string]*framework.FieldSchema{})
+	// PKCS#12 (pkcs12_bundle) is not a valid format for encoding CSRs
+	ret.Fields = addCACommonFields(map[string]*framework.FieldSchema{}, supportedFormats(false))
 	ret.Fields = addCAKeyGenerationFields(ret.Fields)
 	ret.Fields["add_basic_constraints"] = &framework.FieldSchema{
 		Type: framework.TypeBool,
@@ -419,6 +421,11 @@ func (b *backend) pathImportIssuers(ctx context.Context, req *logical.Request, d
 		}
 	}
 
+	err := enforceCommonCriteriaOnUploadedCAs(sc, issuerKeyMap, createdIssuers)
+	if err != nil {
+		return logical.ErrorResponse(fmt.Sprintf("Error validating trust chain of Certificate Authorities matching key material: %v", err)), nil
+	}
+
 	response := &logical.Response{
 		Data: map[string]interface{}{
 			"mapping":          issuerKeyMap,
diff --git a/builtin/logical/pki/path_ocsp_test.go b/builtin/logical/pki/path_ocsp_test.go
index 6bdb63ae6c..587d48bdae 100644
--- a/builtin/logical/pki/path_ocsp_test.go
+++ b/builtin/logical/pki/path_ocsp_test.go
@@ -384,8 +384,6 @@ func TestOcsp_HigherLevel(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 	mountPKIEndpoint(t, client, "pki")
 	resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
diff --git a/builtin/logical/pki/path_resign_crls_test.go b/builtin/logical/pki/path_resign_crls_test.go
index 2a09a50db2..6a407e4ad5 100644
--- a/builtin/logical/pki/path_resign_crls_test.go
+++ b/builtin/logical/pki/path_resign_crls_test.go
@@ -237,8 +237,6 @@ func TestSignRevocationList(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	// Mount PKI, use this form of backend so our request is closer to reality (json parsed)
@@ -478,15 +476,7 @@ func setupResignCrlMounts(t *testing.T, b1 *backend, s1 logical.Storage, b2 *bac
 func requireExtensionOid(t *testing.T, identifier asn1.ObjectIdentifier, extensions []pkix.Extension, msgAndArgs ...interface{}) {
 	t.Helper()
 
-	found := false
-	var oidsInExtensions []string
-	for _, extension := range extensions {
-		oidsInExtensions = append(oidsInExtensions, extension.Id.String())
-		if extension.Id.Equal(identifier) {
-			found = true
-			break
-		}
-	}
+	found, _, oidsInExtensions := findExtension(identifier, extensions)
 
 	if !found {
 		msg := fmt.Sprintf("Failed to find matching asn oid %s out of %v", identifier.String(), oidsInExtensions)
diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go
index 065a6713e1..4a2638e47a 100644
--- a/builtin/logical/pki/path_roles.go
+++ b/builtin/logical/pki/path_roles.go
@@ -59,10 +59,11 @@ value or the value of max_ttl, whichever is shorter.`,
 set, defaults to the system maximum lease TTL.`,
 		},
 		"allow_token_displayname": {
-			Type:     framework.TypeBool,
-			Required: true,
-			Description: `Whether to allow "localhost" and "localdomain"
-as a valid common name in a request, independent of allowed_domains value.`,
+			Type: framework.TypeBool,
+			Description: `Deprecated. If set, clients can request certificates matching 
+the value of Display Name from the requesting token. Remember, this stacks with 
+the other CN options, including allow_subdomains. Defaults to false.`,
+			Deprecated: true,
 		},
 
 		"allow_localhost": {
@@ -1044,27 +1045,28 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 	}
 	*entry.AllowWildcardCertificates = allowWildcardCertificates.(bool)
 
-	warning := ""
+	var warnings []string
 	// no_store implies generate_lease := false
 	if entry.NoStore {
 		*entry.GenerateLease = false
 		if data.Get("generate_lease").(bool) {
-			warning = "mutually exclusive values no_store=true and generate_lease=true were both specified; no_store=true takes priority"
+			warnings = append(warnings, "mutually exclusive values no_store=true and generate_lease=true were both specified; no_store=true takes priority")
 		}
 	} else {
 		*entry.GenerateLease = data.Get("generate_lease").(bool)
 		if *entry.GenerateLease {
-			warning = "it is encouraged to disable generate_lease and rely on PKI's native capabilities when possible; this option can cause Vault-wide issues with large numbers of issued certificates"
+			warnings = append(warnings, "it is encouraged to disable generate_lease and rely on PKI's native capabilities when possible; this option can cause Vault-wide issues with large numbers of issued certificates")
 		}
 	}
 
-	userError, warnings, err := validateRole(b, entry, ctx, req.Storage)
+	userError, vrWarns, err := validateRole(b, entry, ctx, req.Storage)
 	if err != nil {
 		return nil, err
 	}
-	if warning != "" {
-		warnings = append(warnings, warning)
+	if len(vrWarns) > 0 {
+		warnings = append(warnings, vrWarns...)
 	}
+
 	if userError != "" {
 		return logical.ErrorResponse(userError), nil
 	}
@@ -1111,6 +1113,11 @@ func validateRole(b *backend, entry *issuing.RoleEntry, ctx context.Context, s l
 		return fmt.Sprintf("error setting keyBits %v on role for keyType %v: %v", entry.KeyBits, entry.KeyType, err.Error()), nil, nil
 	}
 
+	var warnings []string
+	if err := validateCountry(entry.Country); err != nil {
+		warnings = append(warnings, err.Error())
+	}
+
 	if entry.SerialNumberSource != "" &&
 		entry.SerialNumberSource != "json-csr" &&
 		entry.SerialNumberSource != "json" {
@@ -1141,7 +1148,6 @@ func validateRole(b *backend, entry *issuing.RoleEntry, ctx context.Context, s l
 		issuer = defaultRef
 	}
 
-	var warnings []string
 	// Check that the issuers reference set resolves to something
 	if !b.UseLegacyBundleCaStorage() {
 		sc := b.makeStorageContext(ctx, s)
diff --git a/builtin/logical/pki/path_roles_test.go b/builtin/logical/pki/path_roles_test.go
index 1024d390b8..47ab0c0c17 100644
--- a/builtin/logical/pki/path_roles_test.go
+++ b/builtin/logical/pki/path_roles_test.go
@@ -219,6 +219,37 @@ func TestPki_RoleKeyUsage(t *testing.T) {
 	}
 }
 
+// TestPki_RoleBadCountry validates that ISO 3166 is followed for the Country field
+func TestPki_RoleBadCountry(t *testing.T) {
+	t.Parallel()
+	b, storage := CreateBackendWithStorage(t)
+
+	roleData := map[string]interface{}{
+		"allowed_domains": "myvault.com",
+		"ttl":             "5h",
+		"country":         "Japan",
+	}
+
+	roleReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "roles/testrole",
+		Storage:   storage,
+		Data:      roleData,
+	}
+
+	resp, err := b.HandleRequest(context.Background(), roleReq)
+	require.NoError(t, err)
+	require.False(t, resp.IsError())
+	require.True(t, stringSliceContainsAny(resp.Warnings, "3166"))
+
+	roleData["country"] = "3p"
+
+	resp, err = b.HandleRequest(context.Background(), roleReq)
+	require.NoError(t, err)
+	require.False(t, resp.IsError())
+	require.True(t, stringSliceContainsAny(resp.Warnings, "country code"))
+}
+
 func TestPki_RoleOUOrganizationUpgrade(t *testing.T) {
 	t.Parallel()
 	var resp *logical.Response
@@ -897,7 +928,7 @@ func TestPki_RolePatch(t *testing.T) {
 		{
 			Field:   "country",
 			Before:  []string{"US"},
-			Patched: []string{"USA"},
+			Patched: []string{"CA"},
 		},
 		{
 			Field:   "locality",
diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index 62c051be05..ebd5650e4c 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@@ -141,16 +141,26 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 
 	sc := b.makeStorageContext(ctx, req.Storage)
 
-	// Tell getGenerationParams we are generating a root, so that we can validate signatureBits against KeyType
-	exported, format, role, errorResp := getGenerationParams(sc, data, true)
+	resp := &logical.Response{
+		Data: make(map[string]any),
+	}
+
+	// Tell getCAGenerationParams we are generating a root, so that we can validate signatureBits against KeyType
+	genParams, warnings, errorResp := getCAGenerationParams(sc, data, true)
 	if errorResp != nil {
 		return errorResp, nil
 	}
+	if len(warnings) > 0 {
+		resp.Warnings = append(resp.Warnings, warnings...)
+	}
 
 	maxPathLengthIface, ok := data.GetOk("max_path_length")
 	if ok {
 		maxPathLength := maxPathLengthIface.(int)
-		role.MaxPathLength = &maxPathLength
+		if maxPathLength < -1 {
+			return logical.ErrorResponse("requested max_path_length %d is invalid: must be a non-negative integer or -1 for no constraint", maxPathLength), nil
+		}
+		genParams.role.MaxPathLength = &maxPathLength
 	}
 
 	issuerName, err := getIssuerName(sc, data)
@@ -175,7 +185,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 	input := &inputBundle{
 		req:     req,
 		apiData: data,
-		role:    role,
+		role:    genParams.role,
 	}
 	b.adjustInputBundle(input)
 	parsedBundle, warnings, err := generateCert(sc, input, nil, true, b.Backend.GetRandomReader())
@@ -193,12 +203,8 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		return nil, fmt.Errorf("error converting raw cert bundle to cert bundle: %w", err)
 	}
 
-	resp := &logical.Response{
-		Data: map[string]interface{}{
-			"expiration":    int64(parsedBundle.Certificate.NotAfter.Unix()),
-			"serial_number": cb.SerialNumber,
-		},
-	}
+	resp.Data["expiration"] = int64(parsedBundle.Certificate.NotAfter.Unix())
+	resp.Data["serial_number"] = cb.SerialNumber
 
 	if keyUsages, ok := data.GetOk("key_usage"); ok {
 		err = validateCaKeyUsages(keyUsages.([]string))
@@ -234,11 +240,12 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		resp.AddWarning("This mount has configured Delta CRL distribution points are set but no CRL Distribution Points.")
 	}
 
+	format := genParams.format
 	switch format {
 	case "pem":
 		resp.Data["certificate"] = cb.Certificate
 		resp.Data["issuing_ca"] = cb.Certificate
-		if exported {
+		if genParams.exported {
 			resp.Data["private_key"] = cb.PrivateKey
 			resp.Data["private_key_type"] = cb.PrivateKeyType
 		}
@@ -246,7 +253,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 	case "pem_bundle":
 		resp.Data["issuing_ca"] = cb.Certificate
 
-		if exported {
+		if genParams.exported {
 			resp.Data["private_key"] = cb.PrivateKey
 			resp.Data["private_key_type"] = cb.PrivateKeyType
 			resp.Data["certificate"] = fmt.Sprintf("%s\n%s", cb.PrivateKey, cb.Certificate)
@@ -257,10 +264,45 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 	case "der":
 		resp.Data["certificate"] = base64.StdEncoding.EncodeToString(parsedBundle.CertificateBytes)
 		resp.Data["issuing_ca"] = base64.StdEncoding.EncodeToString(parsedBundle.CertificateBytes)
-		if exported {
+		if genParams.exported {
 			resp.Data["private_key"] = base64.StdEncoding.EncodeToString(parsedBundle.PrivateKeyBytes)
 			resp.Data["private_key_type"] = cb.PrivateKeyType
 		}
+
+	case "pkcs12_bundle":
+		password := data.Get("pkcs12_password").(string)
+		encoder := data.Get("pkcs12_encoder").(string)
+		caChain := x509Certificates(parsedBundle.CAChain)
+
+		var privateKey crypto.Signer
+		if genParams.exported {
+			privateKey = parsedBundle.PrivateKey
+		}
+
+		pkcs12Bytes, err := EncodeToPKCS12(encoder, privateKey, parsedBundle.Certificate, caChain, password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode to PKCS#12 format: %w", err)
+		}
+		resp.Data["certificate"] = base64.StdEncoding.EncodeToString(pkcs12Bytes)
+		resp.Data["issuing_ca"] = cb.Certificate
+
+	case "jks_bundle":
+		alias := data.Get("jks_private_key_alias").(string)
+		password := data.Get("jks_password").(string)
+		caChain := x509Certificates(parsedBundle.CAChain)
+
+		var privateKey crypto.Signer
+		if genParams.exported {
+			privateKey = parsedBundle.PrivateKey
+		}
+
+		jksBytes, err := EncodeToJKS(privateKey, parsedBundle.Certificate, caChain, alias, password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode to JKS format: %w", err)
+		}
+		resp.Data["certificate"] = base64.StdEncoding.EncodeToString(jksBytes)
+		resp.Data["issuing_ca"] = cb.Certificate
+
 	default:
 		return nil, fmt.Errorf("unsupported format argument: %s", format)
 	}
@@ -341,7 +383,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		observe.NewAdditionalPKIMetadata("key_id", myKey.ID),
 		observe.NewAdditionalPKIMetadata("key_name", myKey.Name),
 		observe.NewAdditionalPKIMetadata("key_type", myKey.PrivateKeyType),
-		observe.NewAdditionalPKIMetadata("role_name", role.Name),
+		observe.NewAdditionalPKIMetadata("role_name", genParams.role.Name),
 		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(parsedBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("type", format),
 		observe.NewAdditionalPKIMetadata("common_name", parsedBundle.Certificate.Subject.CommonName),
@@ -365,7 +407,20 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 
 	format := getFormat(data)
 	if format == "" {
-		return logical.ErrorResponse(`The "format" path parameter must be "pem", "der" or "pem_bundle"`), nil
+		return logical.ErrorResponse(`the "format" parameter must be "pem", "der", "pem_bundle", "pkcs12_bundle" or "jks_bundle"`), nil
+	}
+	if format == "pkcs12_bundle" {
+		// Cast to encoder type and validate it is a permitted value
+		_, err := validatePKCS12Encoder(data.Get("pkcs12_encoder").(string))
+		if err != nil {
+			return logical.ErrorResponse(`invalid "pkcs12_encoder" parameter: %v`, err), nil
+		}
+	}
+	encParams := certEncodingParams{
+		format:         format,
+		pkcs12Encoder:  data.Get("pkcs12_encoder").(string),
+		pkcs12Password: data.Get("pkcs12_password").(string),
+		jksPassword:    data.Get("jks_password").(string),
 	}
 
 	role := &issuing.RoleEntry{
@@ -426,9 +481,27 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 
 	useCSRValues := data.Get("use_csr_values").(bool)
 
-	maxPathLengthIface, ok := data.GetOk("max_path_length")
-	if ok {
+	if maxPathLengthIface, ok := data.GetOk("max_path_length"); ok {
 		maxPathLength := maxPathLengthIface.(int)
+		if maxPathLength < -1 {
+			return logical.ErrorResponse("requested max_path_length %d is invalid: must be a non-negative integer or -1 for no constraint", maxPathLength), nil
+		}
+		// Validate the requested max_path_length against the signing CA's
+		// BasicConstraints path length constraint (RFC 5280 4.2.1.9).
+		// If the signing CA has a pathLenConstraint of N, any intermediate
+		// it signs may have a pathLenConstraint strictly less than N.
+		// An explicit -1 means "no constraint on the intermediate", which
+		// is also invalid when the CA already has a pathLenConstraint.
+		caMaxPathLen := signingBundle.Certificate.MaxPathLen
+		caHasConstraint := caMaxPathLen >= 0 || signingBundle.Certificate.MaxPathLenZero
+		if caHasConstraint {
+			if maxPathLength < 0 || maxPathLength >= caMaxPathLen {
+				return logical.ErrorResponse(
+					fmt.Sprintf("requested max_path_length %d is not allowed: the signing CA has a pathLenConstraint of %[2]d, so the intermediate's pathLenConstraint must be a non-negative value less than %[2]d",
+						maxPathLength, caMaxPathLen),
+				), nil
+			}
+		}
 		role.MaxPathLength = &maxPathLength
 	}
 
@@ -453,7 +526,7 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 		return nil, fmt.Errorf("verification of parsed bundle failed: %w", err)
 	}
 
-	resp, err := signIntermediateResponse(signingBundle, parsedBundle, format, warnings)
+	resp, err := signIntermediateResponse(signingBundle, parsedBundle, encParams, warnings)
 	if err != nil {
 		return nil, err
 	}
@@ -469,6 +542,10 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 		resp.AddWarning(intCaTruncatationWarning)
 	}
 
+	if parsedBundle.Certificate.MaxPathLen == 0 {
+		resp.AddWarning("Max path length of the generated certificate is zero. This CA certificate cannot be used to issue further intermediate CA certificates.")
+	}
+
 	if keyUsages, ok := data.GetOk("key_usage"); ok {
 		err = validateCaKeyUsages(keyUsages.([]string))
 		if err != nil {
@@ -493,7 +570,14 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 	return resp, nil
 }
 
-func signIntermediateResponse(signingBundle *certutil.CAInfoBundle, parsedBundle *certutil.ParsedCertBundle, format string, warnings []string) (*logical.Response, error) {
+type certEncodingParams struct {
+	format         string
+	pkcs12Encoder  string
+	pkcs12Password string
+	jksPassword    string
+}
+
+func signIntermediateResponse(signingBundle *certutil.CAInfoBundle, parsedBundle *certutil.ParsedCertBundle, encParams certEncodingParams, warnings []string) (*logical.Response, error) {
 	signingCB, err := signingBundle.ToCertBundle()
 	if err != nil {
 		return nil, fmt.Errorf("error converting raw signing bundle to cert bundle: %w", err)
@@ -544,6 +628,7 @@ func signIntermediateResponse(signingBundle *certutil.CAInfoBundle, parsedBundle
 
 	caChain := append([]string{cb.Certificate}, cb.CAChain...)
 
+	format := encParams.format
 	switch format {
 	case "pem":
 		resp.Data["certificate"] = cb.Certificate
@@ -566,12 +651,38 @@ func signIntermediateResponse(signingBundle *certutil.CAInfoBundle, parsedBundle
 		}
 		resp.Data["ca_chain"] = derCaChain
 
+	case "pkcs12_bundle":
+		password := encParams.pkcs12Password
+		encoder := encParams.pkcs12Encoder
+		// Use parsedBundle.CAChain (not caChain var above) because EncodeToPKCS12 handles chain building.
+		caCerts := x509Certificates(parsedBundle.CAChain)
+		// Intermediates are signed from a CSR, pass nil because no private key should be available here.
+		pkcs12Bytes, err := EncodeToPKCS12(encoder, nil, parsedBundle.Certificate, caCerts, password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode to PKCS#12 format: %w", err)
+		}
+		resp.Data["certificate"] = base64.StdEncoding.EncodeToString(pkcs12Bytes)
+		resp.Data["issuing_ca"] = signingCB.Certificate
+
+	case "jks_bundle":
+		password := encParams.jksPassword
+		// Use parsedBundle.CAChain (not caChain var above) because EncodeToJKS handles chain building.
+		caCerts := x509Certificates(parsedBundle.CAChain)
+		// Intermediates are signed from a CSR, pass nil because no private key should be available here.
+		// For trust stores custom aliases are currently unsupported, pass empty string.
+		jksBytes, err := EncodeToJKS(nil, parsedBundle.Certificate, caCerts, "", password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode to JKS format: %w", err)
+		}
+		resp.Data["certificate"] = base64.StdEncoding.EncodeToString(jksBytes)
+		resp.Data["issuing_ca"] = cb.Certificate
+
 	default:
 		return nil, fmt.Errorf("unsupported format argument: %s", format)
 	}
 
 	if parsedBundle.Certificate.MaxPathLen == 0 {
-		resp.AddWarning("Max path length of the signed certificate is zero. This certificate cannot be used to issue intermediate CA certificates.")
+		resp.AddWarning("Max path length of the signed certificate is zero. This CA certificate cannot be used to issue intermediate CA certificates.")
 	}
 
 	resp = addWarnings(resp, warnings)
diff --git a/builtin/logical/pki/path_sign_intermediate_test.go b/builtin/logical/pki/path_sign_intermediate_test.go
new file mode 100644
index 0000000000..f10bfdafa8
--- /dev/null
+++ b/builtin/logical/pki/path_sign_intermediate_test.go
@@ -0,0 +1,347 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"software.sslmate.com/src/go-pkcs12"
+)
+
+// TestSignIntermediate_MaxPathLengthValidation verifies that when signing an
+// intermediate CA, the requested max_path_length is validated against the
+// signing CA's BasicConstraints pathLenConstraint per RFC 5280 4.2.1.9.
+//
+// If the signing CA has a pathLenConstraint of N, any intermediate it signs
+// must have a pathLenConstraint strictly less than N.
+//
+// When max_path_length is not provided at all (omitted from the request), the
+// validation block is skipped entirely and the request always succeeds.
+//
+// When max_path_length is explicitly set to -1 (meaning "no constraint on the
+// intermediate"), and the signing CA already has a pathLenConstraint, the
+// request is rejected because an unconstrained intermediate would violate the
+// CA's constraint.
+//
+// When the generated certificate has MaxPathLen == 0 (pathLenConstraint=0),
+// Vault adds a warning that the certificate cannot be used to issue
+// intermediate CAs.
+func TestSignIntermediate_MaxPathLengthValidation(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name             string
+		caMaxPathLength  int  // max_path_length set on the root CA (-1 means not set / unconstrained)
+		intMaxPathLength int  // max_path_length requested when signing the intermediate (-1 = "no constraint")
+		omitParam        bool // if true, do not include max_path_length in the sign request at all
+		expectError      bool
+		errorContains    string
+		// Expected values on the issued certificate (only checked when expectError==false).
+		expectedMaxPathLen int // expected cert.MaxPathLen; -1 means "no constraint"
+	}{
+		// --- Explicit positive values: validation is active ---
+		{
+			name:               "ca_path_len_2_int_path_len_1_allowed",
+			caMaxPathLength:    2,
+			intMaxPathLength:   1,
+			expectError:        false,
+			expectedMaxPathLen: 1,
+		},
+		{
+			name:             "ca_path_len_2_int_path_len_2_rejected",
+			caMaxPathLength:  2,
+			intMaxPathLength: 2,
+			expectError:      true,
+			errorContains:    "requested max_path_length 2 is not allowed",
+		},
+		{
+			name:             "ca_path_len_2_int_path_len_3_rejected",
+			caMaxPathLength:  2,
+			intMaxPathLength: 3,
+			expectError:      true,
+			errorContains:    "requested max_path_length 3 is not allowed",
+		},
+		{
+			// pathLenConstraint=0 on the issued cert; Go represents this with
+			// MaxPathLen==0 and MaxPathLenZero==true.
+			name:               "ca_path_len_1_int_path_len_0_allowed",
+			caMaxPathLength:    1,
+			intMaxPathLength:   0,
+			expectError:        false,
+			expectedMaxPathLen: 0,
+		},
+		{
+			name:             "ca_path_len_1_int_path_len_1_rejected",
+			caMaxPathLength:  1,
+			intMaxPathLength: 1,
+			expectError:      true,
+			errorContains:    "requested max_path_length 1 is not allowed",
+		},
+		{
+			// pathLenConstraint=0 on the CA means it may not issue further CAs
+			// with any pathLenConstraint (including 0).
+			name:             "ca_path_len_0_int_path_len_0_rejected",
+			caMaxPathLength:  0,
+			intMaxPathLength: 0,
+			expectError:      true,
+			errorContains:    "requested max_path_length 0 is not allowed",
+		},
+		{
+			// CA has no pathLenConstraint; any explicit positive value is allowed.
+			name:               "ca_no_path_len_constraint_int_path_len_5_allowed",
+			caMaxPathLength:    -1, // no constraint on CA
+			intMaxPathLength:   5,
+			expectError:        false,
+			expectedMaxPathLen: 5,
+		},
+
+		// --- Explicit -1 ("no constraint on intermediate"): rejected only when CA is constrained ---
+		{
+			// CA has no constraint; explicit -1 is allowed and results in no
+			// pathLenConstraint on the issued certificate.
+			name:               "ca_no_constraint_int_explicit_neg1_allowed",
+			caMaxPathLength:    -1,
+			intMaxPathLength:   -1,
+			expectError:        false,
+			expectedMaxPathLen: -1,
+		},
+		{
+			// CA has a constraint; explicit -1 means "no constraint on the
+			// intermediate", which violates the CA's pathLenConstraint.
+			name:             "ca_path_len_5_int_explicit_neg1_rejected",
+			caMaxPathLength:  5,
+			intMaxPathLength: -1,
+			expectError:      true,
+			errorContains:    "requested max_path_length -1 is not allowed",
+		},
+		{
+			// CA has pathLenConstraint=0; explicit -1 is also rejected.
+			name:             "ca_path_len_0_int_explicit_neg1_rejected",
+			caMaxPathLength:  0,
+			intMaxPathLength: -1,
+			expectError:      true,
+			errorContains:    "requested max_path_length -1 is not allowed",
+		},
+
+		// --- Parameter omitted entirely: validation is skipped ---
+		// When omitted, Vault auto-derives the pathLenConstraint as (CA pathLen - 1).
+		// When the CA has no constraint, the issued cert also has no constraint (-1).
+		{
+			// CA has no constraint; omitting the parameter results in no
+			// pathLenConstraint on the issued certificate.
+			name:               "ca_no_constraint_int_param_omitted_allowed",
+			caMaxPathLength:    -1,
+			omitParam:          true,
+			expectError:        false,
+			expectedMaxPathLen: -1,
+		},
+		{
+			// CA has pathLenConstraint=5; omitting the parameter causes Vault to
+			// auto-derive pathLenConstraint = 5 - 1 = 4 on the issued certificate.
+			name:               "ca_path_len_5_int_param_omitted_allowed",
+			caMaxPathLength:    5,
+			omitParam:          true,
+			expectError:        false,
+			expectedMaxPathLen: 4,
+		},
+		{
+			// CA has pathLenConstraint=1; omitting the parameter causes Vault to
+			// auto-derive pathLenConstraint = 1 - 1 = 0 on the issued certificate.
+			name:               "ca_path_len_1_int_param_omitted_allowed",
+			caMaxPathLength:    1,
+			omitParam:          true,
+			expectError:        false,
+			expectedMaxPathLen: 0,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			b, s := CreateBackendWithStorage(t)
+
+			// Generate root CA with the specified max_path_length.
+			rootParams := map[string]interface{}{
+				"common_name": "root.example.com",
+				"ttl":         "87600h",
+			}
+			if tc.caMaxPathLength >= 0 {
+				rootParams["max_path_length"] = tc.caMaxPathLength
+			}
+
+			resp, err := CBWrite(b, s, "root/generate/internal", rootParams)
+			requireSuccessNonNilResponse(t, resp, err, "failed to generate root CA")
+
+			// Generate an intermediate CSR.
+			resp, err = CBWrite(b, s, "intermediate/generate/internal", map[string]interface{}{
+				"common_name": "int.example.com",
+			})
+			requireSuccessNonNilResponse(t, resp, err, "failed to generate intermediate CSR")
+			csr := resp.Data["csr"].(string)
+
+			// Build the sign-intermediate request.
+			signParams := map[string]interface{}{
+				"common_name": "int.example.com",
+				"csr":         csr,
+				"ttl":         "43800h",
+			}
+			if !tc.omitParam {
+				signParams["max_path_length"] = tc.intMaxPathLength
+			}
+
+			resp, err = CBWrite(b, s, "root/sign-intermediate", signParams)
+
+			if tc.expectError {
+				require.Error(t, err, "expected sign-intermediate to fail but it succeeded")
+				if tc.errorContains != "" {
+					require.Contains(t, err.Error(), tc.errorContains,
+						"error message did not contain expected text")
+				}
+			} else {
+				require.NoError(t, err, "expected sign-intermediate to succeed but it failed")
+				require.NotNil(t, resp, "expected non-nil response from sign-intermediate")
+				require.False(t, resp.IsError(), "sign-intermediate returned error: %v", resp.Error())
+
+				cert := parseCert(t, resp.Data["certificate"].(string))
+				require.True(t, cert.BasicConstraintsValid, "expected BasicConstraints to be set")
+				require.True(t, cert.IsCA, "expected IsCA to be true")
+
+				require.Equal(t, tc.expectedMaxPathLen == 0, cert.MaxPathLenZero,
+					"issued certificate has unexpected MaxPathLenZero")
+				require.Equal(t, tc.expectedMaxPathLen, cert.MaxPathLen,
+					"issued certificate has unexpected MaxPathLen")
+				if tc.expectedMaxPathLen == 0 {
+					requireMaxPathLengthZeroWarning(t, resp.Warnings)
+				}
+			}
+		})
+	}
+}
+
+// TestSignIntermediate_PKCS12AndJKSFormat validates PKCS12 and JKS output for intermediate signing
+// and asserts encoder (PK12) or alias (JKS) parameter handling and trust store structure.
+// PKCS12/JKS archive should be a trust store (no private key) containing the signed intermediate and CA chain.
+func TestSignIntermediate_PKCS12AndJKSFormat(t *testing.T) {
+	t.Parallel()
+	b, s := CreateBackendWithStorage(t)
+
+	// Generate a root CA
+	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
+		"common_name": "Root CA",
+		"issuer_name": "root-ca",
+		"ttl":         "87600h",
+		"key_type":    "ec",
+		"key_bits":    256,
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+
+	// Generate an intermediate CSR
+	resp, err = CBWrite(b, s, "intermediate/generate/internal", map[string]interface{}{
+		"common_name": "Intermediate CA",
+		"key_type":    "ec",
+		"key_bits":    256,
+	})
+	requireSuccessNonNilResponse(t, resp, err)
+	intermediateCsr := resp.Data["csr"].(string)
+
+	for _, path := range []string{"root/sign-intermediate", "issuer/root-ca/sign-intermediate"} {
+
+		t.Run("invalid format", func(t *testing.T) {
+			_, err := CBWrite(b, s, path, map[string]interface{}{
+				"format": "invalid",
+				"csr":    intermediateCsr,
+				"ttl":    "43800h",
+			})
+			require.Error(t, err)
+			require.Contains(t, err.Error(), `the "format" parameter must be "pem", "der", "pem_bundle", "pkcs12_bundle" or "jks_bundle"`)
+		})
+
+		testCasesPKCS12 := []struct {
+			name         string
+			encoder      string
+			omitPassword bool
+			password     string
+			shouldError  bool
+		}{
+			{name: "custom password", password: "intermediate-password"},
+			{name: "default password", password: pkcs12.DefaultPassword, omitPassword: true},
+			{name: "empty password", password: ""},
+			{name: "with modern2026 encoder", password: "intermediate-password", encoder: "modern2026"},
+			{name: "with modern2023 encoder", password: "intermediate-password", encoder: "modern2023"},
+			{name: "with invalid encoder", encoder: "modern2020", shouldError: true},
+		}
+
+		for _, tc := range testCasesPKCS12 {
+			name := fmt.Sprintf("PKCS12 endpoint=%q %s", path, tc.name)
+			t.Run(name, func(t *testing.T) {
+				data := map[string]interface{}{
+					"format": "pkcs12_bundle",
+					"csr":    intermediateCsr,
+					"ttl":    "43800h",
+				}
+				if !tc.omitPassword {
+					data["pkcs12_password"] = tc.password
+				}
+				if tc.encoder != "" {
+					data["pkcs12_encoder"] = tc.encoder
+				}
+
+				resp, err := CBWrite(b, s, path, data)
+				pkcs12Bytes := verifyAndDecodePKCS12(t, path, resp, err, tc.shouldError)
+				if !tc.shouldError {
+					certs := requireDecodesPKCS12TrustStore(t, pkcs12Bytes, tc.password)
+					// First cert should be the intermediate
+					require.Len(t, certs, 2, "should contain intermediate + root CA")
+					require.True(t, certs[0].IsCA, "first cert should be a CA")
+					require.Equal(t, "Intermediate CA", certs[0].Subject.CommonName)
+					require.True(t, certs[1].IsCA, "second cert should be CA")
+					require.Equal(t, "Root CA", certs[1].Subject.CommonName)
+				}
+			})
+		}
+
+		testCasesJKS := []struct {
+			name            string
+			alias           string
+			password        string
+			expectedAliases []string
+		}{
+			{name: "default password and alias", expectedAliases: []string{"1", "2"}},
+			{name: "custom password and alias", alias: "myapp", expectedAliases: []string{"1", "2"}, password: "my-very-secure-password"},
+			{name: "custom numeric alias", alias: "4", expectedAliases: []string{"1", "2"}},
+		}
+
+		for _, tc := range testCasesJKS {
+			name := fmt.Sprintf("JKS endpoint=%q %s", path, tc.name)
+			t.Run(name, func(t *testing.T) {
+				decryptPw := pkcs12.DefaultPassword
+				data := map[string]interface{}{
+					"format": "jks_bundle",
+					"csr":    intermediateCsr,
+					"ttl":    "43800h",
+				}
+				if tc.password != "" {
+					decryptPw = tc.password
+					data["jks_password"] = tc.password
+				}
+				if tc.alias != "" {
+					data["jks_private_key_alias"] = tc.alias
+				}
+
+				resp, err := CBWrite(b, s, path, data)
+				pkcs12Bytes := verifyAndDecodeJKS(t, path, resp, err)
+				certs := requireDecodesJKSTrustStore(t, pkcs12Bytes, decryptPw, tc.expectedAliases)
+				// First cert should be the intermediate
+				require.Len(t, certs, 2, "should contain intermediate + root CA")
+				require.True(t, certs[0].IsCA, "first cert should be a CA")
+				require.Equal(t, "Intermediate CA", certs[0].Subject.CommonName)
+				require.True(t, certs[1].IsCA, "second cert should be CA")
+				require.Equal(t, "Root CA", certs[1].Subject.CommonName)
+			})
+		}
+	}
+}
diff --git a/builtin/logical/pki/path_sign_issuers.go b/builtin/logical/pki/path_sign_issuers.go
index 154a28a07b..27e6ccf424 100644
--- a/builtin/logical/pki/path_sign_issuers.go
+++ b/builtin/logical/pki/path_sign_issuers.go
@@ -87,7 +87,7 @@ func buildPathIssuerSignIntermediateRaw(b *backend, pattern string, displayAttrs
 		HelpDescription: pathIssuerSignIntermediateHelpDesc,
 	}
 
-	path.Fields = addCACommonFields(path.Fields)
+	path.Fields = addCACommonFields(path.Fields, supportedFormats(true))
 	path.Fields = addCAIssueFields(path.Fields)
 
 	path.Fields["csr"] = &framework.FieldSchema{
diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go
index 488889d4bf..a8fe490f48 100644
--- a/builtin/logical/pki/path_tidy_test.go
+++ b/builtin/logical/pki/path_tidy_test.go
@@ -198,8 +198,6 @@ func TestAutoTidy(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	// Mount PKI
@@ -336,8 +334,6 @@ func TestAutoTidyPersistsAcrossRestarts(t *testing.T) {
 		NumCores:    1,
 	}
 	cluster := vault.NewTestCluster(t, coreConfig, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	client := cluster.Cores[0].Client
 
@@ -643,8 +639,6 @@ func TestCertStorageMetrics(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		NumCores:    1,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	// Mount PKI
@@ -912,7 +906,6 @@ func TestTidyAcmeWithBackdate(t *testing.T) {
 	t.Parallel()
 
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 	testCtx := context.Background()
 
 	// Grab the mount UUID for sys/raw invocations.
@@ -1069,7 +1062,6 @@ func TestTidyAcmeWithSafetyBuffer(t *testing.T) {
 
 	// This would still be way easier if I could do both sides
 	cluster, client, _ := setupAcmeBackend(t)
-	defer cluster.Cleanup()
 	testCtx := context.Background()
 
 	// Grab the mount UUID for sys/raw invocations.
diff --git a/builtin/logical/pki/storage_test.go b/builtin/logical/pki/storage_test.go
index 47c55b603f..1a788329a8 100644
--- a/builtin/logical/pki/storage_test.go
+++ b/builtin/logical/pki/storage_test.go
@@ -250,7 +250,7 @@ func genIssuerAndKey(t *testing.T, b *backend, s logical.Storage) (issuing.Issue
 
 func genCertBundle(t *testing.T, b *backend, s logical.Storage) *certutil.CertBundle {
 	// Pretty gross just to generate a cert bundle, but
-	fields := addCACommonFields(map[string]*framework.FieldSchema{})
+	fields := addCACommonFields(map[string]*framework.FieldSchema{}, supportedFormats(true))
 	fields = addCAKeyGenerationFields(fields)
 	fields = addCAIssueFields(fields)
 	fields = addCACertKeyUsage(fields)
@@ -263,7 +263,7 @@ func genCertBundle(t *testing.T, b *backend, s logical.Storage) *certutil.CertBu
 		},
 	}
 	sc := b.makeStorageContext(ctx, s)
-	_, _, role, respErr := getGenerationParams(sc, apiData, true)
+	genParams, _, respErr := getCAGenerationParams(sc, apiData, true)
 	require.Nil(t, respErr)
 
 	input := &inputBundle{
@@ -273,7 +273,7 @@ func genCertBundle(t *testing.T, b *backend, s logical.Storage) *certutil.CertBu
 			Storage:   s,
 		},
 		apiData: apiData,
-		role:    role,
+		role:    genParams.role,
 	}
 	parsedCertBundle, _, err := generateCert(sc, input, nil, true, b.GetRandomReader())
 
diff --git a/builtin/logical/pki/storage_validate_imports_oss.go b/builtin/logical/pki/storage_validate_imports_oss.go
new file mode 100644
index 0000000000..a6bd57416c
--- /dev/null
+++ b/builtin/logical/pki/storage_validate_imports_oss.go
@@ -0,0 +1,11 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package pki
+
+// Common Criteria is an Ent-Only Feature
+func enforceCommonCriteriaOnUploadedCAs(sc *storageContext, issuerKeyMap map[string]string, createdIssuers []string) error {
+	return nil
+}
diff --git a/builtin/logical/pki/test_helpers.go b/builtin/logical/pki/test_helpers.go
index 9da615ff1d..42e0a29410 100644
--- a/builtin/logical/pki/test_helpers.go
+++ b/builtin/logical/pki/test_helpers.go
@@ -4,13 +4,16 @@
 package pki
 
 import (
+	"bytes"
 	"context"
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"io"
@@ -24,11 +27,14 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/pavlo-v-chernykh/keystore-go/v4"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/ocsp"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 // Setup helpers
@@ -112,6 +118,151 @@ func parseCert(t *testing.T, pemCert string) *x509.Certificate {
 	return cert
 }
 
+// PKCS12 helpers
+
+// verifyAndDecodePKCS12 verifies a PKCS#12 response and decodes the base64 archive.
+// It accepts the response and error directly so callers can pass CBWrite inline.
+func verifyAndDecodePKCS12(t *testing.T, path string, resp *logical.Response, err error, shouldError bool) []byte {
+	t.Helper()
+	if shouldError {
+		require.Error(t, err)
+		require.Contains(t, err.Error(), `invalid "pkcs12_encoder" parameter: encoder must be "modern2026" or "modern2023"; received: "modern2020"`)
+		return nil
+	}
+
+	requireSuccessNonNilResponse(t, resp, err, fmt.Sprintf("endpoint: %s errored", path))
+	require.Contains(t, resp.Data, "certificate")
+	pkcs12Base64, ok := resp.Data["certificate"].(string)
+	require.True(t, ok, "pkcs12 field should be a string")
+	require.NotEmpty(t, pkcs12Base64)
+
+	// Decode pkcs12
+	pkcs12Bytes, err := base64.StdEncoding.DecodeString(pkcs12Base64)
+	require.NoError(t, err, "pkcs12 data should be valid base64")
+	require.NotEmpty(t, pkcs12Bytes)
+	return pkcs12Bytes
+}
+
+// requireDecodesPKCS12Chain decodes a PKCS#12 bundle containing a private key, a certificate, and a chain of CA certificates.
+// It asserts that decoding succeeds, the private key and certificate are present, and the certificate's public key matches the private key.
+func requireDecodesPKCS12Chain(t *testing.T, pkcs12Bytes []byte, password string) (interface{}, *x509.Certificate, []*x509.Certificate) {
+	t.Helper()
+
+	privateKey, cert, caCerts, err := pkcs12.DecodeChain(pkcs12Bytes, password)
+	require.NoError(t, err, "failed decoding chain %w", err)
+	require.NotNil(t, privateKey, "PKCS12 should have private key")
+	require.NotNil(t, cert, "PKCS12 should include a certificate")
+	// Extract public key from private key for comparison
+	var pubKey crypto.PublicKey
+	switch k := privateKey.(type) {
+	case *rsa.PrivateKey:
+		pubKey = &k.PublicKey
+	case *ecdsa.PrivateKey:
+		pubKey = &k.PublicKey
+	default:
+		t.Fatalf("unsupported private key type: %T", privateKey)
+	}
+	requireMatchingPublicKeys(t, cert, pubKey)
+	return privateKey, cert, caCerts
+}
+
+// requireDecodesPKCS12TrustStore decodes a PKCS#12 trust store and asserts that decoding succeeds and certificates are present.
+func requireDecodesPKCS12TrustStore(t *testing.T, pkcs12Bytes []byte, password string) []*x509.Certificate {
+	t.Helper()
+
+	certs, err := pkcs12.DecodeTrustStore(pkcs12Bytes, password)
+	require.NoError(t, err, "failed decoding trust store %w", err)
+	require.NotEmpty(t, certs, "PKCS12 trust store should contain certificates")
+	return certs
+}
+
+// JKS helpers
+
+// verifyAndDecodeJKS verifies a JKS response and decodes the base64 archive.
+// It accepts the response and error directly so callers can pass CBWrite inline.
+func verifyAndDecodeJKS(t *testing.T, path string, resp *logical.Response, err error) []byte {
+	t.Helper()
+	requireSuccessNonNilResponse(t, resp, err, fmt.Sprintf("endpoint: %s errored", path))
+	require.Contains(t, resp.Data, "certificate")
+	jksBase64, ok := resp.Data["certificate"].(string)
+	require.True(t, ok, "jks field should be a string")
+	require.NotEmpty(t, jksBase64)
+
+	// Decode JKS
+	jksBytes, err := base64.StdEncoding.DecodeString(jksBase64)
+	require.NoError(t, err, "jks should be valid base64")
+	require.NotEmpty(t, jksBytes)
+	return jksBytes
+}
+
+// requireDecodesJKSChain decodes JKS with private key and returns key + certs
+func requireDecodesJKSChain(t *testing.T, jksBytes []byte, password string, expectedAlias string) (crypto.PrivateKey, *x509.Certificate, []*x509.Certificate) {
+	t.Helper()
+
+	ks := keystore.New()
+	err := ks.Load(bytes.NewReader(jksBytes), []byte(password))
+	require.NoError(t, err, "failed to load JKS keystore")
+
+	// First make sure the alias is what we expect since we use that to assert the entry
+	aliases := ks.Aliases()
+	require.Len(t, aliases, 1, "keystore should only have 1 alias")
+	require.Contains(t, aliases, expectedAlias, "list does not include expected alias")
+
+	// Get the PrivateKeyEntry and parse contents
+	pke, err := ks.GetPrivateKeyEntry(expectedAlias, []byte(password))
+	require.NoError(t, err, "failed to get private key entry")
+	require.NotNil(t, pke, "private key entry is nil")
+	require.NotEmpty(t, pke.CertificateChain, "certificate chain is empty")
+
+	// Parse private key (PKCS#8 DER format)
+	privKey, err := x509.ParsePKCS8PrivateKey(pke.PrivateKey)
+	require.NoError(t, err, "failed to parse private key")
+
+	// Parse certificates
+	leafCert, err := x509.ParseCertificate(pke.CertificateChain[0].Content)
+	require.NoError(t, err, "failed to parse leaf certificate")
+
+	var caCerts []*x509.Certificate
+	for i := 1; i < len(pke.CertificateChain); i++ {
+		cert, err := x509.ParseCertificate(pke.CertificateChain[i].Content)
+		require.NoError(t, err, "failed to parse CA certificate at index %d", i)
+		caCerts = append(caCerts, cert)
+	}
+
+	return privKey, leafCert, caCerts
+}
+
+// requireDecodesJKSTrustStore decodes JKS trust store (no private key) and returns all certs
+func requireDecodesJKSTrustStore(t *testing.T, jksBytes []byte, password string, expectedAliases []string) []*x509.Certificate {
+	t.Helper()
+
+	ks := keystore.New()
+	err := ks.Load(bytes.NewReader(jksBytes), []byte(password))
+	require.NoError(t, err, "failed to load JKS keystore, invalid password?")
+
+	// First make sure the alias is what we expect since we use that to assert the entry
+	aliases := ks.Aliases()
+	require.NotEmpty(t, aliases, "keystore has no entries")
+	// JKS does not guarantee alias iteration order, so compare aliases as a set.
+	require.ElementsMatch(t, expectedAliases, aliases, "list does not match expected aliases")
+
+	var certs []*x509.Certificate
+	// Retrieve TrustedCertificateEntry for each alias
+	for _, alias := range expectedAliases {
+		entry, err := ks.GetTrustedCertificateEntry(alias)
+		require.NoError(t, err, "failed to get trusted cert entry for alias %s", alias)
+
+		cert, err := x509.ParseCertificate(entry.Certificate.Content)
+		require.NoError(t, err, "failed to parse certificate for alias %s", alias)
+		certs = append(certs, cert)
+	}
+
+	require.NotEmpty(t, certs, "no trusted certificate entries found")
+	return certs
+}
+
+// End PKCS#12 and JKS helpers
+
 func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto.PublicKey) {
 	t.Helper()
 
@@ -489,6 +640,22 @@ func writeToTmpDir(t *testing.T, tmpDir string, filename string, contents string
 	return filePath
 }
 
+func findExtension(oid asn1.ObjectIdentifier, extensions []pkix.Extension) (bool, pkix.Extension, []string) {
+	var oidsInExtensions []string
+
+	isFound := false
+	var extension pkix.Extension
+	for _, ext := range extensions {
+		oidsInExtensions = append(oidsInExtensions, ext.Id.String())
+		if ext.Id.Equal(oid) {
+			extension = ext
+			isFound = true
+			break
+		}
+	}
+	return isFound, extension, oidsInExtensions
+}
+
 // Openssl is a good reference implementation for x509 and CMPv2
 func findOpenSSL() (string, string, bool) {
 	paths := os.Getenv("PATH")
@@ -507,6 +674,14 @@ func findOpenSSL() (string, string, bool) {
 	return "", "", false
 }
 
+func runOpenSSL(t *testing.T, log hclog.Logger, opensslCmd string, args []string) []byte {
+	log.Info("Running OpenSSL", "command", opensslCmd, "args", strings.Join(args, " "))
+	output, err := exec.Command(opensslCmd, args...).CombinedOutput()
+	require.NoError(t, err, "failed running command %s with args: %v\n%s", opensslCmd, args, string(output))
+	log.Info("OpenSSL output", "output", string(output))
+	return output
+}
+
 type testingPkiCertificateCounter struct {
 	count logical.CertCount
 }
diff --git a/builtin/logical/pkiext/pkcs12_jks_java_validator_test.go b/builtin/logical/pkiext/pkcs12_jks_java_validator_test.go
new file mode 100644
index 0000000000..0e392e2930
--- /dev/null
+++ b/builtin/logical/pkiext/pkcs12_jks_java_validator_test.go
@@ -0,0 +1,386 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package pkiext
+
+import (
+	"context"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/hashicorp/vault/builtin/logical/pki"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	pkihelper "github.com/hashicorp/vault/helper/testhelpers/pki"
+	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	javaImageRepo   = "docker.mirror.hashicorp.services/ibm-semeru-runtimes"
+	java8Image      = "open-8-jdk"
+	java26Image     = "open-26-jdk"
+	jksDefaultAlias = "1"
+	bundlePassword  = "my-very-secure-password"
+)
+
+// TestPKCS12AndJKSJavaValidation verifies encoded PKCS#12 and JKS bundles, with different
+// key types, can inspected by Java keytool.
+// PKCS#12 coverage checks encoder compatibility across Java versions and bundle contents.
+// JKS coverage checks alias handling and the expected store entries exist.
+// This test focuses on format compatibility, not PKI backend functionality.
+func TestPKCS12AndJKSJavaValidation(t *testing.T) {
+	t.Parallel()
+
+	// Cleanup containers after tests complete
+	envs := map[string]*javaEnv{}
+	t.Cleanup(func() {
+		for tag, env := range envs {
+			if err := env.runner.Stop(context.Background(), env.container.Container.ID); err != nil {
+				t.Logf("Warning: failed to stop container (tag: %s): %v", tag, err)
+			}
+		}
+	})
+
+	// Generate test CA, leaf and key once for all subtests
+	result := pkihelper.GenerateCertWithRoot(t)
+	leafKey, leafCert, caChain := result.Leaf.Key, result.Leaf.Cert, []*x509.Certificate{result.RootCa.Cert}
+
+	// Test matrix:
+	// 2 bundle types (with and without a private key) x 2 encoders (modern2026, modern2023) x 2 Java versions
+	// - modern2026 encoder is incompatible with Java 21 (uses newer algorithms)
+	// - modern2023 encoder works with both Java 21 and 26
+	testCasesPKCS12 := []struct {
+		bundleType  string // "keystore" or "trust store"
+		encoder     string
+		version     string
+		shouldError bool
+	}{
+		{bundleType: "keystore", encoder: "modern2026", version: java26Image},
+		{bundleType: "keystore", encoder: "modern2023", version: java26Image},
+		{bundleType: "keystore", encoder: "modern2026", version: java8Image, shouldError: true},
+		{bundleType: "keystore", encoder: "modern2023", version: java8Image},
+
+		{bundleType: "trust store", encoder: "modern2026", version: java26Image},
+		{bundleType: "trust store", encoder: "modern2023", version: java26Image},
+		{bundleType: "trust store", encoder: "modern2026", version: java8Image, shouldError: true},
+		{bundleType: "trust store", encoder: "modern2023", version: java8Image},
+	}
+
+	for _, tc := range testCasesPKCS12 {
+		name := fmt.Sprintf("bundle=%s encoder=%s java=%s", tc.bundleType, tc.encoder, tc.version)
+		if tc.shouldError {
+			name += " (should error)"
+		}
+		t.Run(name, func(t *testing.T) {
+			log := corehelpers.NewTestLogger(t)
+
+			var pkcs12Bytes []byte
+			var err error
+			if tc.bundleType == "keystore" {
+				// Only pass private key for keystores
+				pkcs12Bytes, err = pki.EncodeToPKCS12(
+					tc.encoder,
+					leafKey,
+					leafCert,
+					caChain,
+					bundlePassword)
+			} else {
+				pkcs12Bytes, err = pki.EncodeToPKCS12(
+					tc.encoder, nil,
+					leafCert,
+					caChain,
+					bundlePassword)
+			}
+			require.NoError(t, err, "EncodeToPKCS12 should succeed")
+			require.NotEmpty(t, pkcs12Bytes)
+
+			// Validate with Java keytool
+			keytoolOutput, err := runJavaKeytoolInspect(t, envs, pkcs12Bytes, tc.version, "PKCS12")
+
+			if tc.shouldError {
+				// Expect keytool to fail for incompatible PKCS12 encoders (modern2026 with Java 21)
+				require.Error(t, err, "keytool should fail to read PKCS12 file with incompatible encoder")
+				// Verify it's the expected algorithm incompatibility error and not some other failure
+				errMsg := err.Error()
+				require.Contains(t, errMsg, "NoSuchAlgorithmException", "should fail due to algorithm not available")
+				require.Contains(t, errMsg, "HmacPBE", "should fail due to HMAC-based PKCS12 algorithm")
+				log.Info("Keytool failed as expected with algorithm incompatibility", "error", err)
+				return
+			}
+
+			require.NoError(t, err, "keytool should successfully read PKCS12 file")
+			log.Info("Java keytool output", "output", keytoolOutput)
+
+			// Verify keytool can read the PKCS12 file
+			require.Contains(t, keytoolOutput, "Keystore type: PKCS12", "keytool should recognize PKCS12 format")
+
+			// Verify certificate chain and entry type based on bundle type
+			if tc.bundleType == "keystore" {
+				require.Contains(t, keytoolOutput, "Alias name: "+jksDefaultAlias, "bundle with key should use numeric alias")
+				require.Contains(t, keytoolOutput, "Certificate chain length: 2", "keytool should show complete certificate chain")
+				require.Contains(t, keytoolOutput, "Entry type: PrivateKeyEntry", "bundle with key should create PrivateKeyEntry")
+			} else {
+				// Trust stores use CN-based aliases, not numeric ones
+				require.Contains(t, keytoolOutput, "Entry type: trustedCertEntry", "trust store should create trustedCertEntry without private key")
+				// Trust stores contain separate entries for each cert, not a chain
+				require.Contains(t, keytoolOutput, "Your keystore contains 2 entries", "trust store should contain leaf cert and CA cert as separate entries")
+			}
+
+			// Verify CA certificate is present
+			require.Contains(t, keytoolOutput, "Owner: CN=Root CA", "keytool should show CA certificate")
+		})
+	}
+
+	// Test matrix: 2 bundle types (with and without a private key) x different aliases x 2 Java versions
+	testCasesJKS := []struct {
+		name       string
+		bundleType string // "keystore" or "trust store"
+		version    string
+		alias      string
+	}{
+		{name: "keystore default alias", bundleType: "keystore", version: java26Image, alias: jksDefaultAlias},
+		{name: "keystore with java 8", bundleType: "keystore", version: java8Image, alias: jksDefaultAlias},
+		{name: "keystore custom alias", bundleType: "keystore", version: java26Image, alias: "myapp"},
+
+		{name: "trust store default alias", bundleType: "trust store", version: java26Image, alias: jksDefaultAlias},
+		{name: "trust store with java 8", bundleType: "trust store", version: java8Image, alias: jksDefaultAlias},
+		{name: "trust store non-numeric alias", bundleType: "trust store", version: java26Image, alias: "myapp"},
+		{name: "trust store non-default numeric alias", bundleType: "trust store", version: java26Image, alias: "5"},
+	}
+
+	for _, tc := range testCasesJKS {
+		t.Run(tc.name, func(t *testing.T) {
+			log := corehelpers.NewTestLogger(t)
+
+			var jksBytes []byte
+			var err error
+			if tc.bundleType == "keystore" {
+				// Keystore with private key
+				jksBytes, err = pki.EncodeToJKS(
+					leafKey,
+					leafCert,
+					caChain,
+					tc.alias,
+					bundlePassword)
+			} else {
+				// Trust store without private key
+				jksBytes, err = pki.EncodeToJKS(
+					nil,
+					leafCert,
+					caChain,
+					tc.alias,
+					bundlePassword)
+			}
+			require.NoError(t, err, "EncodeToJKS should succeed")
+			require.NotEmpty(t, jksBytes)
+
+			// Validate with Java keytool
+			keytoolOutput, err := runJavaKeytoolInspect(t, envs, jksBytes, tc.version, "JKS")
+			require.NoError(t, err, "keytool should successfully read JKS file")
+			log.Info("Java keytool output", "output", keytoolOutput)
+			aliases := extractAliasNames(t, keytoolOutput)
+
+			// Verify keytool can read the JKS file
+			require.Contains(t, keytoolOutput, "Keystore type: JKS", "keytool should recognize JKS format")
+
+			// Verify certificate chain and entry type based on bundle type
+			if tc.bundleType == "keystore" {
+				require.Equal(t, []string{tc.alias}, aliases, "keystore should contain exactly the provided alias")
+				require.Contains(t, keytoolOutput, "Entry type: PrivateKeyEntry", "keystore should create PrivateKeyEntry")
+				require.Contains(t, keytoolOutput, "Certificate chain length: 2", "keytool should show complete certificate chain (leaf + CA)")
+			} else {
+				// Trust stores contain separate entries for each cert
+				require.Contains(t, keytoolOutput, "Entry type: trustedCertEntry", "trust store should create trustedCertEntry without private key")
+				require.Contains(t, keytoolOutput, "Your keystore contains 2 entries", "trust store should contain leaf cert and CA cert as separate entries")
+				require.NotContains(t, keytoolOutput, "Entry type: PrivateKeyEntry", "keystore should not create PrivateKeyEntry")
+				require.ElementsMatch(t, expectedNumericAliases(2), aliases, "trust store should contain generated numeric entry aliases for each entry")
+			}
+
+			// Verify CA certificate is present
+			require.Contains(t, keytoolOutput, "Owner: CN=Root CA", "keytool should show CA certificate")
+			// Verify leaf certificate is present
+			require.Contains(t, keytoolOutput, "Owner: CN=localhost", "keytool should show leaf certificate")
+		})
+	}
+
+	// validates PKCS12/JKS bundles with different key types can be read by java
+	keyTypes := []struct {
+		name    string
+		keyType string
+		keyBits int
+	}{
+		// RSA keys
+		{name: "RSA-2048", keyType: "rsa", keyBits: 2048},
+		{name: "RSA-4096", keyType: "rsa", keyBits: 4096},
+
+		// ECDSA keys (ECDSA-P256 is used for interop tests above so not re-tested here)
+		{name: "ECDSA-P384", keyType: "ec", keyBits: 384},
+		{name: "ECDSA-P521", keyType: "ec", keyBits: 521},
+
+		// Ed25519
+		{name: "Ed25519", keyType: "ed25519", keyBits: 0},
+	}
+
+	for _, tc := range keyTypes {
+		// Generate key and certificate for key type
+		privateKey, cert, caChain, err := generateKeyAndCert(t, tc.keyType, tc.keyBits)
+		require.NoError(t, err, "Should generate cert and private key: %s, bits: %s", tc.keyType, tc.keyBits)
+
+		// Test each encoder type
+		for _, encoder := range []string{"modern2023", "modern2026"} {
+			name := fmt.Sprintf("PKCS#12 encoder=%s key=%s", encoder, tc.name)
+
+			t.Run(name, func(t *testing.T) {
+				pkcs12Bytes, err := pki.EncodeToPKCS12(
+					encoder,
+					privateKey,
+					cert,
+					caChain,
+					bundlePassword,
+				)
+				require.NoError(t, err, "Failed to encode PKCS#12 for key type: %s, bits:", tc.keyType, tc.keyBits)
+
+				// Validate with Java keytool
+				keytoolOutput, err := runJavaKeytoolInspect(t, envs, pkcs12Bytes, java26Image, "PKCS12")
+				require.NoError(t, err, "keytool should successfully read PKCS12 file")
+				// Verify keytool can read the PKCS12 file
+				require.Contains(t, keytoolOutput, "Keystore type: PKCS12", "keytool should recognize PKCS12 format")
+			})
+		}
+
+		// Test JKS
+		t.Run("JKS "+tc.name, func(t *testing.T) {
+			jksBytes, err := pki.EncodeToJKS(
+				leafKey,
+				leafCert,
+				caChain,
+				"1",
+				bundlePassword)
+			require.NoError(t, err, "EncodeToJKS should succeed")
+			require.NotEmpty(t, jksBytes)
+
+			// Validate with Java keytool
+			keytoolOutput, err := runJavaKeytoolInspect(t, envs, jksBytes, java26Image, "JKS")
+			require.NoError(t, err, "keytool should successfully read JKS file")
+			// Verify keytool can read the JKS file
+			require.Contains(t, keytoolOutput, "Keystore type: JKS", "keytool should recognize JKS format")
+		})
+	}
+}
+
+type javaEnv struct {
+	runner    *docker.Runner
+	container *docker.StartResult
+}
+
+func getOrBuildJavaEnv(t *testing.T, envs map[string]*javaEnv, imageTag string) *javaEnv {
+	// Return cached runner and container for a given image tag if it exists
+	if env, ok := envs[imageTag]; ok {
+		return env
+	}
+
+	// Otherwise create the runner and container
+	runner, err := docker.NewServiceRunner(docker.RunOptions{
+		ImageRepo:     javaImageRepo,
+		ImageTag:      imageTag,
+		ContainerName: "java_pkcs12_" + uuid.New().String()[:8], // 8 chars is not guaranteed unique but should be fine for test containers
+		Entrypoint:    []string{"sleep", "infinity"},            // Containers are cleaned up after subtests run
+		LogConsumer: func(s string) {
+			if t.Failed() {
+				t.Logf("container logs: %s", s)
+			}
+		},
+	})
+	if err != nil {
+		t.Fatalf("Could not provision docker service runner: %s", err)
+	}
+
+	result, err := runner.Start(context.Background(), true, false)
+	if err != nil {
+		t.Fatalf("Could not start container: %s (repo:%s, tag:%s)", err, javaImageRepo, imageTag)
+	}
+
+	envs[imageTag] = &javaEnv{runner: runner, container: result}
+	return envs[imageTag]
+}
+
+func runJavaCmd(t *testing.T, runner *docker.Runner, containerID string, cmd []string) (string, error) {
+	ctx := context.Background()
+	stdout, stderr, retcode, err := runner.RunCmdWithOutput(ctx, containerID, cmd)
+	if err != nil {
+		return "", fmt.Errorf("could not run command %v in container: %w", cmd, err)
+	}
+
+	if len(stderr) != 0 {
+		t.Logf("Got stderr from command %v:%v", cmd, string(stderr))
+	}
+
+	if retcode != 0 {
+		t.Logf("Got stdout from command %v:%v", cmd, string(stdout))
+		// Return stdout as error because it contains the Java exception details which some tests expect
+		return "", errors.New(string(stdout))
+	}
+
+	return string(stdout), nil
+}
+
+func runJavaKeytoolInspect(t *testing.T, envs map[string]*javaEnv, pkcs12Bytes []byte, imageTag string, storeType string) (string, error) {
+	env := getOrBuildJavaEnv(t, envs, imageTag)
+
+	_, err := runJavaCmd(t, env.runner, env.container.Container.ID, []string{"java", "-version"})
+	if err != nil {
+		return "", fmt.Errorf("failed to get java version: %w", err)
+	}
+
+	_, err = runJavaCmd(t, env.runner, env.container.Container.ID, []string{"keytool", "-J-version"})
+	if err != nil {
+		return "", fmt.Errorf("failed to get keytool version: %w", err)
+	}
+
+	file := "bundle.p12"
+	if storeType == "JKS" {
+		file = "bundle.jks"
+	}
+	pfxCtx := docker.NewBuildContext()
+	pfxCtx[file] = docker.PathContentsFromBytes(pkcs12Bytes)
+	if err := env.runner.CopyTo(env.container.Container.ID, "/tmp/", pfxCtx); err != nil {
+		return "", fmt.Errorf("could not copy bundle into container for store type: %s, Error: %w", storeType, err)
+	}
+
+	return runJavaCmd(t, env.runner, env.container.Container.ID, []string{
+		"keytool",
+		"-list",
+		"-v",
+		"-storetype", storeType,
+		"-keystore", "/tmp/" + file,
+		"-storepass", bundlePassword,
+	})
+}
+
+func extractAliasNames(t *testing.T, keytoolOutput string) []string {
+	t.Helper()
+
+	aliasPattern := regexp.MustCompile(`(?m)^Alias name: (.+)$`)
+	matches := aliasPattern.FindAllStringSubmatch(keytoolOutput, -1)
+	aliases := make([]string, 0, len(matches))
+	for _, match := range matches {
+		require.Len(t, match, 2, "alias match should include the full line and captured alias")
+		aliases = append(aliases, match[1])
+	}
+
+	return aliases
+}
+
+func expectedNumericAliases(count int) []string {
+	aliases := make([]string, 0, count)
+	for index := 1; index <= count; index++ {
+		aliases = append(aliases, strconv.Itoa(index))
+	}
+
+	return aliases
+}
diff --git a/builtin/logical/pkiext/pkcs12_openssl_validator_test.go b/builtin/logical/pkiext/pkcs12_openssl_validator_test.go
new file mode 100644
index 0000000000..2bce07af19
--- /dev/null
+++ b/builtin/logical/pkiext/pkcs12_openssl_validator_test.go
@@ -0,0 +1,423 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package pkiext
+
+import (
+	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/hashicorp/vault/builtin/logical/pki"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	pkihelper "github.com/hashicorp/vault/helper/testhelpers/pki"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	opensslImageRepo = "docker.mirror.hashicorp.services/alpine/openssl"
+	openssl3_5       = "3.5.6"
+	openssl3_3       = "3.3.3"
+	pkcs12Password   = "123-secure-password"
+)
+
+// TestPKCS12OpenSSLValidation validates PKCS#12 output from different encoders
+// can be read by different OpenSSL versions.
+// This test focuses on PKCS#12 format compatibility, not PKI backend functionality.
+func TestPKCS12OpenSSLValidation(t *testing.T) {
+	t.Parallel()
+
+	// Cleanup containers after tests complete
+	envs := map[string]*alpineEnv{}
+	t.Cleanup(func() {
+		for tag, env := range envs {
+			if err := env.runner.Stop(context.Background(), env.container.Container.ID); err != nil {
+				t.Logf("Warning: failed to stop container (tag: %s): %v", tag, err)
+			}
+		}
+	})
+
+	// Generate test CA, leaf and key once for all subtests
+	result := pkihelper.GenerateCertWithRoot(t)
+	leafKey, leafCert, caChain := result.Leaf.Key, result.Leaf.Cert, []*x509.Certificate{result.RootCa.Cert}
+
+	// Test matrix:
+	// 2 bundle types (with and without a private key) x 2 encoders (modern2026, modern2023) x 2 OpenSSL versions
+	// - modern2026 encoder is incompatible with OpenSSL 3.3 (uses newer algorithms)
+	// - modern2023 encoder works with both OpenSSL 3.3 and 3.5
+	testCases := []struct {
+		bundleType  string // "keystore" or "trust store"
+		encoder     string
+		version     string
+		shouldError bool
+	}{
+		{bundleType: "keystore", encoder: "modern2026", version: openssl3_5},
+		{bundleType: "keystore", encoder: "modern2023", version: openssl3_5},
+		{bundleType: "keystore", encoder: "modern2026", version: openssl3_3, shouldError: true},
+		{bundleType: "keystore", encoder: "modern2023", version: openssl3_3},
+
+		{bundleType: "trust store", encoder: "modern2026", version: openssl3_5},
+		{bundleType: "trust store", encoder: "modern2023", version: openssl3_5},
+		{bundleType: "trust store", encoder: "modern2026", version: openssl3_3, shouldError: true},
+		{bundleType: "trust store", encoder: "modern2023", version: openssl3_3},
+	}
+
+	for _, tc := range testCases {
+		name := fmt.Sprintf("bundle=%s encoder=%s openssl=%s", tc.bundleType, tc.encoder, tc.version)
+		if tc.shouldError {
+			name += " (should error)"
+		}
+		t.Run(name, func(t *testing.T) {
+			log := corehelpers.NewTestLogger(t)
+
+			var pkcs12Bytes []byte
+			var err error
+			if tc.bundleType == "keystore" {
+				// Only pass private key for keystores
+				pkcs12Bytes, err = pki.EncodeToPKCS12(
+					tc.encoder,
+					leafKey,
+					leafCert,
+					caChain,
+					pkcs12Password)
+			} else {
+				pkcs12Bytes, err = pki.EncodeToPKCS12(
+					tc.encoder, nil,
+					leafCert,
+					caChain,
+					pkcs12Password)
+			}
+			require.NoError(t, err, "EncodeToPKCS12 should succeed")
+			require.NotEmpty(t, pkcs12Bytes)
+
+			// Validate with openSSL
+			opensslInfo, err := runOpenSSLInfo(t, envs, pkcs12Bytes, tc.version)
+
+			if tc.shouldError {
+				// Expect openssl to fail for incompatible PKCS12 encoders (modern2026 with OpenSSL 3.3)
+				require.Error(t, err, "openssl should fail to read PKCS12 file with incompatible encoder")
+				log.Info("OpenSSL failed as expected with incompatible encoder", "error", err)
+				// Verify it's the expected algorithm incompatibility error and not some other failure
+				errMsg := err.Error()
+				isExpectedError := strings.Contains(errMsg, "unknown digest algorithm") || strings.Contains(errMsg, "PBMAC1") || strings.Contains(errMsg, "mac generation error")
+				require.True(t, isExpectedError, "Expected algorithm parsing error but got: %s", errMsg)
+				return
+			}
+
+			require.NoError(t, err, "OpenSSL should successfully read PKCS12 file")
+			log.Info("OpenSSL info", "output", opensslInfo)
+			require.Contains(t, opensslInfo, "PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256", "Encoder should use expected encryption")
+
+			// Verify encryption uses expected algorithms
+			expectedMac := "MAC: PBMAC1 using PBKDF2"
+			if tc.encoder == "modern2023" {
+				expectedMac = "MAC: sha256"
+			}
+			require.Contains(t, opensslInfo, expectedMac, "%s encoder should use %s", tc.encoder, expectedMac)
+
+			runner := envs[tc.version].runner
+			containerID := envs[tc.version].container.Container.ID
+
+			// Determine if this bundle includes a private key
+			hasPrivateKey := tc.bundleType == "keystore"
+			validateCertificateOrder(t, runner, containerID, hasPrivateKey)
+
+			// Validate that OpenSSL can extract the private key
+			// and exists for bundles with key and empty for trust stores
+			output, err := runOpenSSLCmd(runner, containerID, []string{
+				"pkcs12",
+				"-in", "/tmp/bundle.p12",
+				"-nocerts",
+				"-nodes",
+				"-passin", "pass:" + pkcs12Password,
+				"-noenc",
+			})
+			require.NoError(t, err, "OpenSSL should successfully extract private key from PKCS12")
+			if hasPrivateKey {
+				require.Contains(t, opensslInfo, "Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256", "private key should use expected encryption")
+				require.Contains(t, output, "-----BEGIN PRIVATE KEY-----", "OpenSSL should output private key")
+			} else {
+				require.True(t, strings.TrimSpace(output) == "", "Key should be empty")
+			}
+		})
+	}
+
+	//  validates PKCS#12 bundles work with different key types
+	keyTypes := []struct {
+		name    string
+		keyType string
+		keyBits int
+	}{
+		// RSA keys
+		{name: "RSA-2048", keyType: "rsa", keyBits: 2048},
+		{name: "RSA-4096", keyType: "rsa", keyBits: 4096},
+
+		// ECDSA keys (ECDSA-P256 is used for interop tests above so not re-tested here)
+		{name: "ECDSA-P384", keyType: "ec", keyBits: 384},
+		{name: "ECDSA-P521", keyType: "ec", keyBits: 521},
+
+		// Ed25519
+		{name: "Ed25519", keyType: "ed25519", keyBits: 0},
+	}
+
+	for _, tc := range keyTypes {
+		// Generate key and certificate for this key type
+		privateKey, cert, caChain, err := generateKeyAndCert(t, tc.keyType, tc.keyBits)
+		require.NoError(t, err, "Should generate cert and private key: %s, bits: %s", tc.keyType, tc.keyBits)
+
+		// Test each encoder type
+		for _, encoder := range []string{"modern2023", "modern2026"} {
+			name := fmt.Sprintf("encoder=%s key=%s", encoder, tc.name)
+
+			t.Run(name, func(t *testing.T) {
+				// Encode to PKCS#12
+				pkcs12Bytes, err := pki.EncodeToPKCS12(
+					encoder,
+					privateKey,
+					cert,
+					caChain,
+					pkcs12Password,
+				)
+				require.NoError(t, err, "Failed to encode PKCS#12 for key type: %s, bits:", tc.keyType, tc.keyBits)
+
+				// Validate with OpenSSL
+				opensslInfo, err := runOpenSSLInfo(t, envs, pkcs12Bytes, openssl3_5)
+				require.NoError(t, err, "OpenSSL should read PKCS#12 bundle")
+				// Verify expected encryption algorithms
+				require.Contains(t, opensslInfo, "PBES2, PBKDF2, AES-256-CBC")
+				// Extract and verify private key
+				runner := envs[openssl3_5].runner
+				containerID := envs[openssl3_5].container.Container.ID
+				keyOutput, err := runOpenSSLCmd(runner, containerID, []string{
+					"pkcs12", "-in", "/tmp/bundle.p12",
+					"-nocerts", "-nodes",
+					"-passin", "pass:" + pkcs12Password,
+					"-noenc",
+				})
+				require.NoError(t, err, "Should extract private key")
+				require.Contains(t, keyOutput, "-----BEGIN PRIVATE KEY-----",
+					"Should contain private key for %s", tc.keyType)
+			})
+		}
+	}
+}
+
+type alpineEnv struct {
+	runner    *docker.Runner
+	container *docker.StartResult
+}
+
+func getOrBuildOpenSSLEnv(t *testing.T, envs map[string]*alpineEnv, imageTag string) *alpineEnv {
+	// Return cached runner and container for a given image tag if it exists
+	if env, ok := envs[imageTag]; ok {
+		return env
+	}
+
+	// Otherwise create the runner and container
+	runner, err := docker.NewServiceRunner(docker.RunOptions{
+		ImageRepo:     opensslImageRepo,
+		ImageTag:      imageTag,
+		ContainerName: "openssl_pkcs12_" + uuid.New().String()[:8], // 8 chars is not guaranteed unique but should be fine for test containers
+		Entrypoint:    []string{"sleep", "infinity"},               // Containers are cleaned up after subtests run
+		LogConsumer: func(s string) {
+			if t.Failed() {
+				t.Logf("container logs: %s", s)
+			}
+		},
+	})
+	if err != nil {
+		t.Fatalf("Could not provision docker service runner: %s", err)
+	}
+
+	result, err := runner.Start(context.Background(), true, false)
+	if err != nil {
+		t.Fatalf("Could not start container: %s (repo:%s, tag:%s)", err, opensslImageRepo, imageTag)
+	}
+
+	// Install OpenSSL in the container
+	ctx := context.Background()
+	installCmd := []string{"apk", "add", "--no-cache", "openssl"}
+	_, stderr, retcode, err := runner.RunCmdWithOutput(ctx, result.Container.ID, installCmd)
+	if err != nil || retcode != 0 {
+		t.Fatalf("Failed to install OpenSSL version: %v, stderr: %s, (repo: %s, tag: %s)", err, string(stderr), opensslImageRepo, imageTag)
+	}
+
+	envs[imageTag] = &alpineEnv{runner: runner, container: result}
+	return envs[imageTag]
+}
+
+func runOpenSSLCmd(runner *docker.Runner, containerID string, args []string) (string, error) {
+	opensslCmd := append([]string{"openssl"}, args...)
+	ctx := context.Background()
+	stdout, stderr, retcode, err := runner.RunCmdWithOutput(ctx, containerID, opensslCmd)
+
+	var errorMsg string
+	if err != nil {
+		errorMsg += fmt.Sprintf("error: %s", err)
+	}
+	if retcode != 0 {
+		errorMsg += fmt.Sprintf("non-zero retcode: %v", retcode)
+		if len(stderr) > 0 {
+			errorMsg += fmt.Sprintf("stderr: %s", string(stderr))
+		}
+	}
+	if errorMsg != "" {
+		return "", fmt.Errorf("failed running command: %v, %s", opensslCmd, errorMsg)
+	}
+	// -info output is returned in stderr
+	combined := string(stdout) + "\n" + string(stderr)
+	return combined, nil
+}
+
+func runOpenSSLInfo(t *testing.T, envs map[string]*alpineEnv, pkcs12Bytes []byte, imageTag string) (string, error) {
+	env := getOrBuildOpenSSLEnv(t, envs, imageTag)
+
+	_, err := runOpenSSLCmd(env.runner, env.container.Container.ID, []string{"version"})
+	if err != nil {
+		return "", fmt.Errorf("failed to get openssl version: %w", err)
+	}
+
+	pfxCtx := docker.NewBuildContext()
+	pfxCtx["bundle.p12"] = docker.PathContentsFromBytes(pkcs12Bytes)
+	if err := env.runner.CopyTo(env.container.Container.ID, "/tmp/", pfxCtx); err != nil {
+		return "", fmt.Errorf("could not copy pkcs12 bundle into container: %w", err)
+	}
+
+	return runOpenSSLCmd(env.runner, env.container.Container.ID, []string{
+		"pkcs12",
+		"-in", "/tmp/bundle.p12",
+		"-info",
+		"-noout",
+		"-passin", "pass:" + pkcs12Password,
+	})
+}
+
+// validateCertificateOrder validates that certificates are in the correct order (leaf first, then CA chain)
+// hasPrivateKey indicates whether the PKCS12 bundle contains a private key (true for keystores, false for trust stores)
+func validateCertificateOrder(t *testing.T, runner *docker.Runner, containerID string, hasPrivateKey bool) {
+	// Count total certificates (should be exactly 2: leaf + CA)
+	allCertsOutput, err := runOpenSSLCmd(runner, containerID, []string{
+		"pkcs12",
+		"-in", "/tmp/bundle.p12",
+		"-nokeys",
+		"-passin", "pass:" + pkcs12Password,
+	})
+	require.NoError(t, err, "OpenSSL should extract all certificates")
+	certCount := strings.Count(allCertsOutput, "-----BEGIN CERTIFICATE-----")
+	require.Equal(t, 2, certCount, "Should have exactly 2 certificates (leaf + CA)")
+	require.Contains(t, allCertsOutput, "subject=CN=Root CA", "Should contain CA certificate")
+
+	// For trust stores: No private key, so all certs are treated as CA certs
+	// only validate leaf vs CA certs for bundles with private key.
+	if hasPrivateKey {
+		leafOutput, err := runOpenSSLCmd(runner, containerID, []string{
+			"pkcs12",
+			"-in", "/tmp/bundle.p12",
+			"-clcerts", // extracts certs that have corresponding private keys (i.e. leaf certs)
+			"-nokeys",
+			"-passin", "pass:" + pkcs12Password,
+		})
+		require.NoError(t, err, "OpenSSL should extract leaf certificate")
+		require.Contains(t, leafOutput, "subject=CN=localhost", "leaf cert should have correct subject")
+
+		caOutput, err := runOpenSSLCmd(runner, containerID, []string{
+			"pkcs12",
+			"-in", "/tmp/bundle.p12",
+			"-cacerts", // extract CA certificates only using
+			"-nokeys",
+			"-passin", "pass:" + pkcs12Password,
+		})
+		require.NoError(t, err, "OpenSSL should extract CA certificates")
+		require.Contains(t, caOutput, "subject=CN=Root CA", "CA cert should have correct subject")
+	}
+}
+
+// generateKeyAndCert creates a private key and certificate for the specified key type
+func generateKeyAndCert(t *testing.T, keyType string, keyBits int) (crypto.Signer, *x509.Certificate, []*x509.Certificate, error) {
+	container := &privateKeyContainer{}
+	if err := certutil.GeneratePrivateKey(keyType, keyBits, container); err != nil {
+		return nil, nil, nil, err
+	}
+	privateKey := container.key
+
+	// Generate CA certificate
+	caSerialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to generate CA serial: %w", err)
+	}
+
+	caTemplate := &x509.Certificate{
+		SerialNumber: caSerialNumber,
+		Subject: pkix.Name{
+			CommonName: "Root CA",
+		},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caCertDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, privateKey.Public(), privateKey)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to create CA certificate: %w", err)
+	}
+
+	caCert, err := x509.ParseCertificate(caCertDER)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to parse CA certificate: %w", err)
+	}
+
+	// Generate leaf certificate
+	leafSerialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to generate leaf serial: %w", err)
+	}
+
+	leafTemplate := &x509.Certificate{
+		SerialNumber: leafSerialNumber,
+		Subject: pkix.Name{
+			CommonName: "test.example.com",
+		},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(2 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  false,
+	}
+
+	leafCertDER, err := x509.CreateCertificate(rand.Reader, leafTemplate, caCert, privateKey.Public(), privateKey)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to create leaf certificate: %w", err)
+	}
+
+	leafCert, err := x509.ParseCertificate(leafCertDER)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to parse leaf certificate: %w", err)
+	}
+
+	return privateKey, leafCert, []*x509.Certificate{caCert}, nil
+}
+
+type privateKeyContainer struct {
+	key           crypto.Signer
+	keyType       certutil.PrivateKeyType
+	serializedKey []byte
+}
+
+func (c *privateKeyContainer) SetParsedPrivateKey(key crypto.Signer, keyType certutil.PrivateKeyType, serializedKey []byte) {
+	c.key = key
+	c.keyType = keyType
+	c.serializedKey = serializedKey
+}
diff --git a/builtin/logical/pkiext/pkiext_binary/pki_cluster.go b/builtin/logical/pkiext/pkiext_binary/pki_cluster.go
index 628dc36323..811e607163 100644
--- a/builtin/logical/pkiext/pkiext_binary/pki_cluster.go
+++ b/builtin/logical/pkiext/pkiext_binary/pki_cluster.go
@@ -6,11 +6,11 @@ package pkiext_binary
 import (
 	"context"
 	"fmt"
-	"os"
 	"testing"
 	"time"
 
 	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/testimages"
 	dockhelper "github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/helper/testcluster"
 	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
@@ -23,17 +23,11 @@ type VaultPkiCluster struct {
 }
 
 func NewVaultPkiCluster(t *testing.T) *VaultPkiCluster {
-	binary := os.Getenv("VAULT_BINARY")
-	if binary == "" {
-		t.Skip("only running docker test when $VAULT_BINARY present")
-	}
+	repo, tag := testimages.GetImageRepoAndTag(t, false)
 
 	opts := &docker.DockerClusterOptions{
-		ImageRepo: "docker.mirror.hashicorp.services/hashicorp/vault",
-		// We're replacing the binary anyway, so we're not too particular about
-		// the docker image version tag.
-		ImageTag:    "latest",
-		VaultBinary: binary,
+		ImageRepo: repo,
+		ImageTag:  tag,
 		ClusterOptions: testcluster.ClusterOptions{
 			VaultNodeConfig: &testcluster.VaultNodeConfig{
 				LogLevel: "TRACE",
diff --git a/builtin/logical/ssh/backend.go b/builtin/logical/ssh/backend.go
index c64c98a47c..13aad152eb 100644
--- a/builtin/logical/ssh/backend.go
+++ b/builtin/logical/ssh/backend.go
@@ -18,10 +18,11 @@ const operationPrefixSSH = "ssh"
 
 type backend struct {
 	*framework.Backend
-	view        logical.Storage
-	salt        *salt.Salt
-	saltMutex   sync.RWMutex
-	backendUUID string
+	view                  logical.Storage
+	salt                  *salt.Salt
+	saltMutex             sync.RWMutex
+	backendUUID           string
+	sshCertificateCounter logical.CertificateCounter
 }
 
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
@@ -84,6 +85,12 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
 		BackendType: logical.TypeLogical,
 	}
 
+	if sshCertCounterSysView, ok := conf.System.(logical.CertificateCountSystemView); ok {
+		b.sshCertificateCounter = sshCertCounterSysView.GetCertificateCounter()
+	} else {
+		b.sshCertificateCounter = logical.NewNullCertificateCounter()
+	}
+
 	b.backendUUID = conf.BackendUUID
 	return &b, nil
 }
diff --git a/builtin/logical/ssh/backend_test.go b/builtin/logical/ssh/backend_test.go
index a5b89b2ab9..e30bf6ddb9 100644
--- a/builtin/logical/ssh/backend_test.go
+++ b/builtin/logical/ssh/backend_test.go
@@ -506,7 +506,7 @@ func TestBackend_DefaultUserTemplate_WithStaticPrefix(t *testing.T) {
 
 func TestBackend_DefaultUserTemplateFalse_AllowedUsersTemplateTrue(t *testing.T) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// set metadata "ssh_username" to userpass username
@@ -556,7 +556,7 @@ func TestBackend_DefaultUserTemplateFalse_AllowedUsersTemplateTrue(t *testing.T)
 
 func TestBackend_DefaultUserTemplateFalse_AllowedUsersTemplateFalse(t *testing.T) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// set metadata "ssh_username" to userpass username
@@ -1784,7 +1784,7 @@ func TestBackend_DisallowUserProvidedKeyIDs(t *testing.T) {
 
 func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// Get auth accessor for identity template.
@@ -1880,7 +1880,7 @@ func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 
 func TestBackend_EmptyAllowedExtensionFailsClosed(t *testing.T) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// Get auth accessor for identity template.
@@ -1927,7 +1927,7 @@ func TestBackend_EmptyAllowedExtensionFailsClosed(t *testing.T) {
 
 func TestBackend_DefExtTemplatingDisabled(t *testing.T) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// Get auth accessor for identity template.
@@ -2160,7 +2160,6 @@ func getSshCaTestCluster(t *testing.T, userIdentity string) (*vault.TestCluster,
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
 	client := cluster.Cores[0].Client
 
 	// Write test policy for userpass auth method.
@@ -2222,7 +2221,7 @@ func testDefaultUserTemplate(t *testing.T, testDefaultUserTemplate string,
 	expectedValidPrincipal string, testEntityMetadata map[string]string,
 ) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// set metadata "ssh_username" to userpass username
@@ -2282,7 +2281,7 @@ func testAllowedPrincipalsTemplate(t *testing.T, testAllowedDomainsTemplate stri
 	roleConfigPayload map[string]interface{}, signingPayload map[string]interface{},
 ) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 
 	// set metadata "ssh_username" to userpass username
@@ -3096,8 +3095,7 @@ func TestProperAuthing(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
+
 	client := cluster.Cores[0].Client
 	token := client.Token()
 
diff --git a/builtin/logical/ssh/path_creds_create.go b/builtin/logical/ssh/path_creds_create.go
index 0f27c6b5de..3827803369 100644
--- a/builtin/logical/ssh/path_creds_create.go
+++ b/builtin/logical/ssh/path_creds_create.go
@@ -203,6 +203,8 @@ func (b *backend) GenerateOTPCredential(ctx context.Context, req *logical.Reques
 	if err := req.Storage.Put(ctx, newEntry); err != nil {
 		return "", err
 	}
+
+	b.sshCertificateCounter.Increment().AddSSHOTP()
 	return otp, nil
 }
 
diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go
index f0a87e3dbf..baf5574d38 100644
--- a/builtin/logical/ssh/path_issue_sign.go
+++ b/builtin/logical/ssh/path_issue_sign.go
@@ -129,6 +129,8 @@ func (b *backend) pathSignIssueCertificateHelper(ctx context.Context, req *logic
 		return nil, nil, errors.New("error marshaling signed certificate")
 	}
 
+	b.sshCertificateCounter.Increment().AddSSHCertificate(ttl)
+
 	response := &logical.Response{
 		Data: map[string]interface{}{
 			"serial_number": strconv.FormatUint(certificate.Serial, 16),
diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go
index 9f1e8f160b..6df26de188 100644
--- a/builtin/logical/ssh/path_roles.go
+++ b/builtin/logical/ssh/path_roles.go
@@ -6,6 +6,7 @@ package ssh
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -78,8 +79,27 @@ func pathListRoles(b *backend) *framework.Path {
 			OperationSuffix: "roles",
 		},
 
-		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.ListOperation: b.pathRoleList,
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ListOperation: &framework.PathOperation{
+				Callback: b.pathRoleList,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"keys": {
+								Type:        framework.TypeStringSlice,
+								Description: `A list of SSH role keys`,
+								Required:    true,
+							},
+							"key_info": {
+								Type:        framework.TypeMap,
+								Description: `SSH role details keyed by the role name`,
+								Required:    false,
+							},
+						},
+					}},
+				},
+			},
 		},
 
 		HelpSynopsis:    pathRoleHelpSyn,
diff --git a/builtin/logical/transit/backend.go b/builtin/logical/transit/backend.go
index 662d0bf2b6..4abedd0797 100644
--- a/builtin/logical/transit/backend.go
+++ b/builtin/logical/transit/backend.go
@@ -4,7 +4,9 @@
 package transit
 
 import (
+	"container/heap"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"strconv"
@@ -90,6 +92,7 @@ func Backend(ctx context.Context, conf *logical.BackendConfig) (*backend, error)
 	}
 
 	b.backendUUID = conf.BackendUUID
+	b.initializeRotationQueue()
 
 	// determine cacheSize to use. Defaults to 0 which means unlimited
 	cacheSize := 0
@@ -131,9 +134,66 @@ type backend struct {
 	cacheSizeChanged     bool
 	checkAutoRotateAfter time.Time
 	autoRotateOnce       sync.Once
+	rotationQueue        *rotationQueue
 	backendUUID          string
 }
 
+type keyRotationEntry struct {
+	rotateAt time.Time
+	keyPath  string
+}
+
+func (kre keyRotationEntry) isZero() bool {
+	return kre.rotateAt.IsZero() && kre.keyPath == ""
+}
+
+// rotationQueue stores information about which keys need to be rotated at what time.  It's a priority queue, which
+// implements hash.Interface.
+type rotationQueue []keyRotationEntry
+
+var _ heap.Interface = &rotationQueue{}
+
+func (rq rotationQueue) Len() int { return len(rq) }
+func (rq rotationQueue) Less(i, j int) bool {
+	if i < 0 || j < 0 || i >= rq.Len() || j >= rq.Len() { // If out of bounds, don't switch
+		return false
+	}
+	return rq[i].rotateAt.Before(rq[j].rotateAt)
+}
+
+func (rq rotationQueue) Swap(i, j int) {
+	if i < 0 || j < 0 || i >= len(rq) || j >= len(rq) {
+		return
+	}
+	rq[i], rq[j] = rq[j], rq[i]
+}
+
+func (rq *rotationQueue) Push(kre any) {
+	if kre.(keyRotationEntry).isZero() {
+		return
+	}
+	*rq = append(*rq, kre.(keyRotationEntry))
+}
+
+func (rq *rotationQueue) Pop() any {
+	if len(*rq) == 0 {
+		return keyRotationEntry{}
+	}
+	old := *rq
+	n := len(old)
+	item := (*rq)[n-1]
+	*rq = old[0 : n-1]
+	return item
+}
+
+func (rq rotationQueue) Peek() keyRotationEntry {
+	if len(rq) == 0 {
+		return keyRotationEntry{}
+	} else {
+		return rq[0]
+	}
+}
+
 func GetCacheSizeFromStorage(ctx context.Context, s logical.Storage) (int, error) {
 	size := 0
 	entry, err := s.Get(ctx, "config/cache")
@@ -196,6 +256,7 @@ func (b *backend) GetPolicy(ctx context.Context, polReq keysutil.PolicyRequest,
 	}
 
 	if p != nil && p.Type.IsEnterpriseOnly() && !constants.IsEnterprise {
+		p.Unlock()
 		return nil, false, fmt.Errorf(ErrKeyTypeEntOnly, p.Type)
 	}
 
@@ -223,8 +284,7 @@ func (b *backend) invalidate(ctx context.Context, key string) {
 // periodicFunc is a central collection of functions that run on an interval.
 // Anything that should be called regularly can be placed within this method.
 func (b *backend) periodicFunc(ctx context.Context, req *logical.Request) error {
-	// These operations ensure the auto-rotate only happens once simultaneously. It's an unlikely edge
-	// given the time scale, but a safeguard nonetheless.
+	// These operations ensure the auto-rotate only happens once simultaneously.
 	var err error
 	didAutoRotate := false
 	autoRotateOnceFn := func() {
@@ -247,6 +307,35 @@ func (b *backend) periodicFunc(ctx context.Context, req *logical.Request) error
 // auto rotate period defined which has passed. This operation only happens
 // on primary nodes and performance secondary nodes which have a local mount.
 func (b *backend) autoRotateKeys(ctx context.Context, req *logical.Request) error {
+	// Early exit if not a primary or performance secondary with a local mount.
+	if b.System().ReplicationState().HasState(consts.ReplicationDRSecondary|consts.ReplicationPerformanceStandby) ||
+		(!b.System().LocalMount() && b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary)) {
+		return nil
+	}
+
+	// Collect errors in a multierror to ensure a single failure doesn't prevent
+	// all keys from being rotated.
+	var errs *multierror.Error
+
+	// If we haven't initialized yet, exit out
+	if b.rotationQueue == nil {
+		errs = multierror.Append(errs, errors.New("auto-rotation can not run because backend is not initialized"))
+		return errs.ErrorOrNil()
+	}
+
+	// Between once-per-hour rotations, check to see if any keys that need rotating are in the heap
+	if b.rotationQueue.Len() == 0 {
+		// No keys are scheduled for rotation this hour
+	} else {
+		for !b.rotationQueue.Peek().isZero() && b.rotationQueue.Peek().rotateAt.Before(time.Now()) {
+			kre := heap.Pop(b.rotationQueue).(keyRotationEntry)
+			_, err := b.rotateByPath(ctx, req, kre.keyPath)
+			if err != nil {
+				errs = multierror.Append(errs, err)
+			}
+		}
+	}
+
 	// Only check for autorotation once an hour to avoid unnecessarily iterating
 	// over all keys too frequently.
 	if time.Now().Before(b.checkAutoRotateAfter) {
@@ -254,86 +343,101 @@ func (b *backend) autoRotateKeys(ctx context.Context, req *logical.Request) erro
 	}
 	b.checkAutoRotateAfter = time.Now().Add(1 * time.Hour)
 
-	// Early exit if not a primary or performance secondary with a local mount.
-	if b.System().ReplicationState().HasState(consts.ReplicationDRSecondary|consts.ReplicationPerformanceStandby) ||
-		(!b.System().LocalMount() && b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary)) {
-		return nil
-	}
-
 	// Retrieve all keys and loop over them to check if they need to be rotated.
 	keys, err := req.Storage.List(ctx, "policy/")
 	if err != nil {
 		return err
 	}
 
-	// Collect errors in a multierror to ensure a single failure doesn't prevent
-	// all keys from being rotated.
-	var errs *multierror.Error
-
 	for _, key := range keys {
-		p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
-			Storage: req.Storage,
-			Name:    key,
-		}, b.GetRandomReader())
+		kre, err := b.rotateByPath(ctx, req, key)
 		if err != nil {
 			errs = multierror.Append(errs, err)
-			continue
 		}
-
-		// If the policy is nil, move onto the next one.
-		if p == nil {
-			continue
-		}
-
-		// rotateIfRequired properly acquires/releases the lock on p
-		err = b.rotateIfRequired(ctx, req, key, p)
-		if err != nil {
-			errs = multierror.Append(errs, err)
+		if !kre.isZero() {
+			heap.Push(b.rotationQueue, kre)
 		}
 	}
 
 	return errs.ErrorOrNil()
 }
 
-// rotateIfRequired rotates a key if it is due for autorotation.
-func (b *backend) rotateIfRequired(ctx context.Context, req *logical.Request, key string, p *keysutil.Policy) error {
-	if !b.System().CachingDisabled() {
-		p.Lock(true)
+func (b *backend) rotateByPath(ctx context.Context, req *logical.Request, keyPath string) (keyRotationEntry, error) {
+	p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
+		Storage:     req.Storage,
+		Name:        keyPath,
+		WriteLocked: true,
+	}, b.GetRandomReader())
+	if err != nil {
+		return keyRotationEntry{}, err
 	}
-	defer p.Unlock()
 
+	// If the policy is nil, move onto the next one.
+	if p == nil {
+		return keyRotationEntry{}, nil
+	}
+
+	// rotateIfRequired properly acquires/releases the lock on p
+	kre, err := b.rotateIfRequired(ctx, req, keyPath, p)
+	if err != nil {
+		return kre, err
+	}
+
+	p.Unlock()
+	return kre, err
+}
+
+// rotateIfRequired rotates a key if it is due for autorotation.  If it isn't due for autorotation, but will be due
+// soon (within an hour), it returns a keyRotationEntry.
+func (b *backend) rotateIfRequired(ctx context.Context, req *logical.Request, key string, p *keysutil.Policy) (kre keyRotationEntry, err error) {
 	// If the key is imported, it can only be rotated from within Vault if allowed.
 	if p.Imported && !p.AllowImportedKeyRotation {
-		return nil
+		return keyRotationEntry{}, nil
 	}
 
 	// If the policy's automatic rotation period is 0, it should not
 	// automatically rotate.
 	if p.AutoRotatePeriod == 0 {
-		return nil
+		return keyRotationEntry{}, nil
 	}
 
 	// We can't auto-rotate managed keys
 	if p.Type == keysutil.KeyType_MANAGED_KEY {
-		return nil
+		return keyRotationEntry{}, nil
 	}
 
 	// Retrieve the latest version of the policy and determine if it is time to rotate.
 	latestKey := p.Keys[strconv.Itoa(p.LatestVersion)]
-	if time.Now().After(latestKey.CreationTime.Add(p.AutoRotatePeriod)) {
+	autoRotateAt := latestKey.CreationTime.Add(p.AutoRotatePeriod)
+	if time.Now().After(autoRotateAt) {
 		if b.Logger().IsDebug() {
 			b.Logger().Debug("automatically rotating key", "key", key)
 		}
-		return p.Rotate(ctx, req.Storage, b.GetRandomReader())
-
+		return keyRotationEntry{}, p.Rotate(ctx, req.Storage, b.GetRandomReader())
+	} else {
+		// Check if it will be time to rotate the key within the next hour
+		if time.Now().Add(1 * time.Hour).After(autoRotateAt) {
+			kre = keyRotationEntry{
+				rotateAt: autoRotateAt,
+				keyPath:  key,
+			}
+			return kre, nil
+		}
 	}
-	return nil
+
+	return keyRotationEntry{}, nil
 }
 
 func (b *backend) initialize(ctx context.Context, request *logical.InitializationRequest) error {
 	return b.initializeEnt(ctx, request)
 }
 
+func (b *backend) initializeRotationQueue() {
+	rotationQueue := &rotationQueue{}
+	heap.Init(rotationQueue)
+	b.rotationQueue = rotationQueue
+}
+
 func (b *backend) cleanup(ctx context.Context) {
 	b.cleanupEnt(ctx)
 }
diff --git a/builtin/logical/transit/backend_test.go b/builtin/logical/transit/backend_test.go
index 955344a21e..2bd4d59eeb 100644
--- a/builtin/logical/transit/backend_test.go
+++ b/builtin/logical/transit/backend_test.go
@@ -22,6 +22,7 @@ import (
 	"sync"
 	"sync/atomic"
 	"testing"
+	"testing/synctest"
 	"time"
 
 	uuid "github.com/hashicorp/go-uuid"
@@ -1741,6 +1742,10 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 				if err != nil {
 					t.Fatal(err)
 				}
+				err = b.Initialize(context.Background(), &logical.InitializationRequest{Storage: storage})
+				if err != nil {
+					t.Fatal(err)
+				}
 
 				// Write a key with the default auto rotate value (0/disabled)
 				req := &logical.Request{
@@ -1818,6 +1823,7 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 				if err != nil {
 					t.Fatal(err)
 				}
+				p.Unlock()
 
 				// Run the rotation check and validate the state of key rotations
 				b.checkAutoRotateAfter = time.Now()
@@ -1859,6 +1865,184 @@ func TestTransit_AutoRotateKeys(t *testing.T) {
 	}
 }
 
+// TestTransit_AutoRotateKeysNotAffectedByManualRotation sets up a backend, then tests: that a (1h auto-rotate) key
+// which was manually rotated is not auto-rotated 1hour after initial creation, rather 1hour after it's manual rotation.
+// Because auto-rotation sets up a priority queue to do this, the ordering of that queue needs to be tested: this tests
+// that by setting up two auto-rotating keys.
+func TestTransit_AutoRotateKeysNotAffectedByManualRotation(t *testing.T) {
+	sysView := logical.TestSystemView()
+	storage := &logical.InmemStorage{}
+
+	conf := &logical.BackendConfig{
+		StorageView: storage,
+		System:      sysView,
+	}
+
+	synctest.Test(t, func(t *testing.T) {
+		b, _ := Backend(context.Background(), conf)
+		if b == nil {
+			t.Fatal("failed to create backend")
+		}
+
+		err := b.Backend.Setup(context.Background(), conf)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		err = b.Backend.Initialize(context.Background(), &logical.InitializationRequest{Storage: storage})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Write a key with 1h rotate value
+		req := &logical.Request{
+			Storage:   storage,
+			Operation: logical.UpdateOperation,
+			Path:      "keys/test1",
+			Data: map[string]interface{}{
+				"auto_rotate_period": 1 * time.Hour,
+			},
+		}
+		resp, err := b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		require.NotNil(t, resp, "expected populated request")
+
+		// Write a second key with an auto rotate value
+		req = &logical.Request{
+			Storage:   storage,
+			Operation: logical.UpdateOperation,
+			Path:      "keys/test2",
+			Data: map[string]interface{}{
+				"auto_rotate_period": 1 * time.Hour,
+			},
+		}
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		require.NotNil(t, resp, "expected populated request")
+
+		time.Sleep(time.Minute * 10)
+
+		// Manually Rotate the First Key
+		req = &logical.Request{
+			Storage:   storage,
+			Operation: logical.UpdateOperation,
+			Path:      "keys/test1/rotate",
+		}
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		require.NotNil(t, resp, "expected populated request")
+
+		time.Sleep(time.Minute * 10)
+
+		// Manually Rotate the Second Key
+		req = &logical.Request{
+			Storage:   storage,
+			Operation: logical.UpdateOperation,
+			Path:      "keys/test2/rotate",
+		}
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		require.NotNil(t, resp, "expected populated request")
+
+		time.Sleep(time.Minute * 41)
+		err = b.periodicFunc(context.Background(), &logical.Request{Storage: storage})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Check that no auto-rotation happened when keys were only 50, 40 minutes old
+		// If this is the case version should be "2" - the keys were rotated once manually
+		req = &logical.Request{
+			Storage:   storage,
+			Operation: logical.ReadOperation,
+			Path:      "keys/test1",
+		}
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected non-nil response")
+		}
+		if resp.Data["latest_version"] != 2 {
+			t.Fatalf("incorrect latest_version found, got: %d, want: %d", resp.Data["latest_version"], 2)
+		}
+		req.Path = "keys/test2"
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected non-nil response")
+		}
+		if resp.Data["latest_version"] != 2 {
+			t.Fatalf("incorrect latest_version found, got: %d, want: %d", resp.Data["latest_version"], 2)
+		}
+
+		// This is when the auto-rotation of key test1 should happen
+		time.Sleep(time.Minute * 11)
+		err = b.periodicFunc(context.Background(), &logical.Request{Storage: storage})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Check that the first key auto-rotated when it reached an hour old (but the second didn't at 50 minutes)
+		req = &logical.Request{
+			Storage:   storage,
+			Operation: logical.ReadOperation,
+			Path:      "keys/test1",
+		}
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected non-nil response")
+		}
+		if resp.Data["latest_version"] != 3 {
+			t.Fatalf("incorrect latest_version found, got: %d, want: %d", resp.Data["latest_version"], 3)
+		}
+		req.Path = "keys/test2"
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected non-nil response")
+		}
+		if resp.Data["latest_version"] != 2 {
+			t.Fatalf("incorrect latest_version found, got: %d, want: %d", resp.Data["latest_version"], 2)
+		}
+
+		time.Sleep(time.Minute * 10)
+		err = b.periodicFunc(context.Background(), &logical.Request{Storage: storage})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Check that the second key auto-rotated when it reached an hour old
+		req.Path = "keys/test2"
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if resp == nil {
+			t.Fatal("expected non-nil response")
+		}
+		if resp.Data["latest_version"] != 3 {
+			t.Fatalf("incorrect latest_version found, got: %d, want: %d", resp.Data["latest_version"], 3)
+		}
+	})
+}
+
 func TestTransit_AEAD(t *testing.T) {
 	testTransit_AEAD(t, "aes128-gcm96")
 	testTransit_AEAD(t, "aes256-gcm96")
@@ -2024,8 +2208,6 @@ func TestTransitPKICSR(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	cores := cluster.Cores
 
@@ -2239,12 +2421,11 @@ func TestTransit_VerifyWithImportedPublicKey(t *testing.T) {
 	}
 
 	// Retrieve public wrapping key
-	wrappingKey, err := b.getWrappingKey(context.Background(), s)
-	if err != nil || wrappingKey == nil {
+	privWrappingKey, err := b.getWrappingKey(context.Background(), s)
+	if err != nil || privWrappingKey == nil {
 		t.Fatalf("failed to retrieve public wrapping key: %s", err)
 	}
 
-	privWrappingKey := wrappingKey.Keys[strconv.Itoa(wrappingKey.LatestVersion)].RSAKey
 	pubWrappingKey := &privWrappingKey.PublicKey
 
 	// generate ciphertext
diff --git a/builtin/logical/transit/key_utils.go b/builtin/logical/transit/key_utils.go
index e6c37bf437..63e7e820cd 100644
--- a/builtin/logical/transit/key_utils.go
+++ b/builtin/logical/transit/key_utils.go
@@ -23,9 +23,6 @@ func (b *backend) getReadLockedPolicy(ctx context.Context, s logical.Storage, na
 	if p == nil {
 		return nil, fmt.Errorf("%w: key %s not found", logical.ErrInvalidRequest, name)
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	return p, nil
 }
 
diff --git a/builtin/logical/transit/path_byok.go b/builtin/logical/transit/path_byok.go
index 42d4b0f1d5..ed225f7569 100644
--- a/builtin/logical/transit/path_byok.go
+++ b/builtin/logical/transit/path_byok.go
@@ -74,9 +74,6 @@ func (b *backend) pathPolicyBYOKExportRead(ctx context.Context, req *logical.Req
 	if dstP == nil {
 		return nil, fmt.Errorf("no such destination key to export to")
 	}
-	if !b.System().CachingDisabled() {
-		dstP.Lock(false)
-	}
 	defer dstP.Unlock()
 
 	srcP, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
@@ -89,9 +86,6 @@ func (b *backend) pathPolicyBYOKExportRead(ctx context.Context, req *logical.Req
 	if srcP == nil {
 		return nil, fmt.Errorf("no such source key for export")
 	}
-	if !b.System().CachingDisabled() {
-		srcP.Lock(false)
-	}
 	defer srcP.Unlock()
 
 	if !srcP.Exportable {
diff --git a/builtin/logical/transit/path_certificates.go b/builtin/logical/transit/path_certificates.go
index 14fc0dcb85..8d631a3a95 100644
--- a/builtin/logical/transit/path_certificates.go
+++ b/builtin/logical/transit/path_certificates.go
@@ -106,9 +106,6 @@ func (b *backend) pathCreateCsrWrite(ctx context.Context, req *logical.Request,
 	if p == nil {
 		return logical.ErrorResponse(fmt.Sprintf("key with provided name '%s' not found", name)), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false) // NOTE: No lock on "read" operations?
-	}
 	defer p.Unlock()
 
 	// Check if transit key supports signing
@@ -162,8 +159,9 @@ func (b *backend) pathImportCertChainWrite(ctx context.Context, req *logical.Req
 	name := d.Get("name").(string)
 
 	p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
-		Storage: req.Storage,
-		Name:    name,
+		Storage:     req.Storage,
+		Name:        name,
+		WriteLocked: true,
 	}, b.GetRandomReader())
 	if err != nil {
 		return nil, err
@@ -171,9 +169,6 @@ func (b *backend) pathImportCertChainWrite(ctx context.Context, req *logical.Req
 	if p == nil {
 		return logical.ErrorResponse(fmt.Sprintf("key with provided name '%s' not found", name)), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(true) // NOTE: Lock as we are might write to the policy
-	}
 	defer p.Unlock()
 
 	// Check if transit key supports signing
diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go
index c6024ba9bc..48491d2b46 100644
--- a/builtin/logical/transit/path_certificates_test.go
+++ b/builtin/logical/transit/path_certificates_test.go
@@ -128,9 +128,6 @@ func TestTransit_Certs_ImportCertChain(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
@@ -272,9 +269,6 @@ func TestTransit_Certs_ImportInvalidCertChain(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
diff --git a/builtin/logical/transit/path_datakey.go b/builtin/logical/transit/path_datakey.go
index 18b6db37ea..1abdcaf44c 100644
--- a/builtin/logical/transit/path_datakey.go
+++ b/builtin/logical/transit/path_datakey.go
@@ -117,9 +117,6 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d
 	if p == nil {
 		return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	params.factories = make([]any, 0)
diff --git a/builtin/logical/transit/path_decrypt.go b/builtin/logical/transit/path_decrypt.go
index 08c20fc0a3..a1e6876a6f 100644
--- a/builtin/logical/transit/path_decrypt.go
+++ b/builtin/logical/transit/path_decrypt.go
@@ -190,9 +190,6 @@ func (b *backend) pathDecryptWrite(ctx context.Context, req *logical.Request, d
 	if p == nil {
 		return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	successesInBatch := false
diff --git a/builtin/logical/transit/path_encrypt.go b/builtin/logical/transit/path_encrypt.go
index f568bf64ec..24cd6f5d40 100644
--- a/builtin/logical/transit/path_encrypt.go
+++ b/builtin/logical/transit/path_encrypt.go
@@ -357,7 +357,7 @@ func (b *backend) pathEncryptExistenceCheck(ctx context.Context, req *logical.Re
 	if err != nil {
 		return false, err
 	}
-	if p != nil && b.System().CachingDisabled() {
+	if p != nil {
 		p.Unlock()
 	}
 
@@ -521,9 +521,6 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
 	if p == nil {
 		return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	// Process batch request items. If encryption of any request
diff --git a/builtin/logical/transit/path_export.go b/builtin/logical/transit/path_export.go
index aaf6ad5dc7..40fbd59df6 100644
--- a/builtin/logical/transit/path_export.go
+++ b/builtin/logical/transit/path_export.go
@@ -94,9 +94,6 @@ func (b *backend) pathPolicyExportRead(ctx context.Context, req *logical.Request
 	if p == nil {
 		return nil, nil
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	if !p.Exportable && exportType != exportTypePublicKey && exportType != exportTypeCertificateChain {
diff --git a/builtin/logical/transit/path_export_test.go b/builtin/logical/transit/path_export_test.go
index 78d211eaab..f29a53f26d 100644
--- a/builtin/logical/transit/path_export_test.go
+++ b/builtin/logical/transit/path_export_test.go
@@ -526,12 +526,7 @@ func TestTransit_Export_CertificateChain(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
 
 	// Mount transit backend
diff --git a/builtin/logical/transit/path_hmac.go b/builtin/logical/transit/path_hmac.go
index 47776a3bb7..0c33b8370c 100644
--- a/builtin/logical/transit/path_hmac.go
+++ b/builtin/logical/transit/path_hmac.go
@@ -133,9 +133,6 @@ func (b *backend) pathHMACWrite(ctx context.Context, req *logical.Request, d *fr
 	if p == nil {
 		return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	switch {
@@ -291,9 +288,6 @@ func (b *backend) pathHMACVerify(ctx context.Context, req *logical.Request, d *f
 	if p == nil {
 		return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	hashAlgorithm, ok := keysutil.HashTypeMap[algorithm]
diff --git a/builtin/logical/transit/path_hmac_test.go b/builtin/logical/transit/path_hmac_test.go
index 29fba94488..40283ef119 100644
--- a/builtin/logical/transit/path_hmac_test.go
+++ b/builtin/logical/transit/path_hmac_test.go
@@ -419,8 +419,6 @@ func TestHMACBatchResultsFields(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	cores := cluster.Cores
 
diff --git a/builtin/logical/transit/path_import.go b/builtin/logical/transit/path_import.go
index 2db7cf1d79..3c86cfdde1 100644
--- a/builtin/logical/transit/path_import.go
+++ b/builtin/logical/transit/path_import.go
@@ -13,7 +13,6 @@ import (
 	"errors"
 	"fmt"
 	"hash"
-	"strconv"
 	"strings"
 	"time"
 
@@ -240,9 +239,7 @@ func (b *backend) pathImportWrite(ctx context.Context, req *logical.Request, d *
 	}
 
 	if p != nil {
-		if b.System().CachingDisabled() {
-			p.Unlock()
-		}
+		p.Unlock()
 		return nil, errors.New("the import path cannot be used with an existing key; use import-version to rotate an existing imported key")
 	}
 
@@ -281,6 +278,7 @@ func (b *backend) pathImportVersionWrite(ctx context.Context, req *logical.Reque
 		Name:         name,
 		Upsert:       false,
 		IsPrivateKey: isCiphertextSet,
+		WriteLocked:  true,
 	}
 	p, _, err := b.GetPolicy(ctx, polReq, b.GetRandomReader())
 	if err != nil {
@@ -289,6 +287,7 @@ func (b *backend) pathImportVersionWrite(ctx context.Context, req *logical.Reque
 	if p == nil {
 		return nil, fmt.Errorf("no key found with name %s; to import a new key, use the import/ endpoint", name)
 	}
+	defer p.Unlock()
 	if !p.Imported {
 		return nil, errors.New("the import_version endpoint can only be used with an imported key")
 	}
@@ -296,11 +295,6 @@ func (b *backend) pathImportVersionWrite(ctx context.Context, req *logical.Reque
 		return nil, errors.New("import_version cannot be used on keys with convergent encryption enabled")
 	}
 
-	if !b.System().CachingDisabled() {
-		p.Lock(true)
-	}
-	defer p.Unlock()
-
 	key, resp, err := b.extractKeyFromFields(ctx, req, d, p.Type, isCiphertextSet)
 	if err != nil {
 		return resp, err
@@ -343,15 +337,14 @@ func (b *backend) decryptImportedKey(ctx context.Context, storage logical.Storag
 	wrappedEphKey := ciphertext[:EncryptedKeyBytes]
 	wrappedImportKey := ciphertext[EncryptedKeyBytes:]
 
-	wrappingKey, err := b.getWrappingKey(ctx, storage)
+	privWrappingKey, err := b.getWrappingKey(ctx, storage)
 	if err != nil {
 		return nil, err
 	}
-	if wrappingKey == nil {
+	if privWrappingKey == nil {
 		return nil, fmt.Errorf("error importing key: wrapping key was nil")
 	}
 
-	privWrappingKey := wrappingKey.Keys[strconv.Itoa(wrappingKey.LatestVersion)].RSAKey
 	ephKey, err := rsa.DecryptOAEP(hashFn, b.GetRandomReader(), privWrappingKey, wrappedEphKey, []byte{})
 	if err != nil {
 		return nil, err
diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go
index 0cb2a39a2e..412697afb9 100644
--- a/builtin/logical/transit/path_import_test.go
+++ b/builtin/logical/transit/path_import_test.go
@@ -15,7 +15,6 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
-	"strconv"
 	"sync"
 	"testing"
 
@@ -95,11 +94,10 @@ func TestTransit_ImportNSSEd25519Key(t *testing.T) {
 	generateKeys(t)
 	b, s, obsRecorder := createBackendWithObservationRecorder(t)
 
-	wrappingKey, err := b.getWrappingKey(context.Background(), s)
-	if err != nil || wrappingKey == nil {
+	privWrappingKey, err := b.getWrappingKey(context.Background(), s)
+	if err != nil || privWrappingKey == nil {
 		t.Fatalf("failed to retrieve public wrapping key: %s", err)
 	}
-	privWrappingKey := wrappingKey.Keys[strconv.Itoa(wrappingKey.LatestVersion)].RSAKey
 	pubWrappingKey := &privWrappingKey.PublicKey
 
 	rawPKCS8, err := base64.StdEncoding.DecodeString(nssFormattedEd25519Key)
@@ -133,11 +131,10 @@ func TestTransit_ImportRSAPSS(t *testing.T) {
 	generateKeys(t)
 	b, s, obsRecorder := createBackendWithObservationRecorder(t)
 
-	wrappingKey, err := b.getWrappingKey(context.Background(), s)
-	if err != nil || wrappingKey == nil {
+	privWrappingKey, err := b.getWrappingKey(context.Background(), s)
+	if err != nil || privWrappingKey == nil {
 		t.Fatalf("failed to retrieve public wrapping key: %s", err)
 	}
-	privWrappingKey := wrappingKey.Keys[strconv.Itoa(wrappingKey.LatestVersion)].RSAKey
 	pubWrappingKey := &privWrappingKey.PublicKey
 
 	rawPKCS8, err := base64.StdEncoding.DecodeString(rsaPSSFormattedKey)
@@ -205,11 +202,10 @@ func TestTransit_Import(t *testing.T) {
 	)
 
 	// Retrieve public wrapping key
-	wrappingKey, err := b.getWrappingKey(context.Background(), s)
-	if err != nil || wrappingKey == nil {
+	privWrappingKey, err := b.getWrappingKey(context.Background(), s)
+	if err != nil || privWrappingKey == nil {
 		t.Fatalf("failed to retrieve public wrapping key: %s", err)
 	}
-	privWrappingKey := wrappingKey.Keys[strconv.Itoa(wrappingKey.LatestVersion)].RSAKey
 	pubWrappingKey := &privWrappingKey.PublicKey
 
 	t.Run(
@@ -555,11 +551,10 @@ func TestTransit_ImportVersion(t *testing.T) {
 	)
 
 	// Retrieve public wrapping key
-	wrappingKey, err := b.getWrappingKey(context.Background(), s)
-	if err != nil || wrappingKey == nil {
+	privWrappingKey, err := b.getWrappingKey(context.Background(), s)
+	if err != nil || privWrappingKey == nil {
 		t.Fatalf("failed to retrieve public wrapping key: %s", err)
 	}
-	privWrappingKey := wrappingKey.Keys[strconv.Itoa(wrappingKey.LatestVersion)].RSAKey
 	pubWrappingKey := &privWrappingKey.PublicKey
 
 	t.Run(
@@ -726,11 +721,10 @@ func TestTransit_ImportVersionWithPublicKeys(t *testing.T) {
 	b, s, obsRecorder := createBackendWithObservationRecorder(t)
 
 	// Retrieve public wrapping key
-	wrappingKey, err := b.getWrappingKey(context.Background(), s)
-	if err != nil || wrappingKey == nil {
+	privWrappingKey, err := b.getWrappingKey(context.Background(), s)
+	if err != nil || privWrappingKey == nil {
 		t.Fatalf("failed to retrieve public wrapping key: %s", err)
 	}
-	privWrappingKey := wrappingKey.Keys[strconv.Itoa(wrappingKey.LatestVersion)].RSAKey
 	pubWrappingKey := &privWrappingKey.PublicKey
 
 	// Import a public key then import private should give us one key
diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
index 4116feadd8..2292a1dc57 100644
--- a/builtin/logical/transit/path_keys.go
+++ b/builtin/logical/transit/path_keys.go
@@ -49,105 +49,7 @@ func (b *backend) pathKeys() *framework.Path {
 			OperationSuffix: "key",
 		},
 
-		Fields: map[string]*framework.FieldSchema{
-			"name": {
-				Type:        framework.TypeString,
-				Description: "Name of the key",
-			},
-
-			"type": {
-				Type:    framework.TypeString,
-				Default: "aes256-gcm96",
-				Description: `
-The type of key to create. Currently, "aes128-gcm96" (symmetric), "aes256-gcm96" (symmetric), "ecdsa-p256"
-(asymmetric), "ecdsa-p384" (asymmetric), "ecdsa-p521" (asymmetric), "ed25519" (asymmetric), "rsa-2048" (asymmetric), "rsa-3072"
-(asymmetric), "rsa-4096" (asymmetric), "ml-dsa" (asymmetric), "slh-dsa" (asymmetric) are supported.  Defaults to "aes256-gcm96".
-`,
-			},
-
-			"derived": {
-				Type: framework.TypeBool,
-				Description: `Enables key derivation mode. This
-allows for per-transaction unique
-keys for encryption operations.`,
-			},
-
-			"convergent_encryption": {
-				Type: framework.TypeBool,
-				Description: `Whether to support convergent encryption.
-This is only supported when using a key with
-key derivation enabled and will require all
-requests to carry both a context and 96-bit
-(12-byte) nonce. The given nonce will be used
-in place of a randomly generated nonce. As a
-result, when the same context and nonce are
-supplied, the same ciphertext is generated. It
-is *very important* when using this mode that
-you ensure that all nonces are unique for a
-given context. Failing to do so will severely
-impact the ciphertext's security.`,
-			},
-
-			"exportable": {
-				Type: framework.TypeBool,
-				Description: `Enables keys to be exportable.
-This allows for all the valid keys
-in the key ring to be exported.`,
-			},
-
-			"allow_plaintext_backup": {
-				Type: framework.TypeBool,
-				Description: `Enables taking a backup of the named
-key in plaintext format. Once set,
-this cannot be disabled.`,
-			},
-
-			"context": {
-				Type: framework.TypeString,
-				Description: `Base64 encoded context for key derivation.
-When reading a key with key derivation enabled,
-if the key type supports public keys, this will
-return the public key for the given context.`,
-			},
-
-			"auto_rotate_period": {
-				Type:    framework.TypeDurationSecond,
-				Default: 0,
-				Description: `Amount of time the key should live before
-being automatically rotated. A value of 0
-(default) disables automatic rotation for the
-key.`,
-			},
-			"key_size": {
-				Type:        framework.TypeInt,
-				Default:     0,
-				Description: fmt.Sprintf("The key size in bytes for the algorithm.  Only applies to HMAC and must be no fewer than %d bytes and no more than %d", keysutil.HmacMinKeySize, keysutil.HmacMaxKeySize),
-			},
-			"managed_key_name": {
-				Type:        framework.TypeString,
-				Description: "The name of the managed key to use for this transit key",
-			},
-			"managed_key_id": {
-				Type:        framework.TypeString,
-				Description: "The UUID of the managed key to use for this transit key",
-			},
-			"parameter_set": {
-				Type: framework.TypeString,
-				Description: `The parameter set to use. Applies to ML-DSA and SLH-DSA key types.
-For ML-DSA key types, valid values are 44, 65, or 87.
-For SLH-DSA key types, valid values are SLH-DSA-SHA2-128s, SLH-DSA-SHAKE-128s, SLH-DSA-SHA2-128f, SLH-DSA-SHAKE-128f, SLH-DSA-SHA2-192s, SLH-DSA-SHAKE-192s, SLH-DSA-SHA2-192f, SLH-DSA-SHAKE-192f, SLH-DSA-SHA2-256s, SLH-DSA-SHAKE-256s, SLH-DSA-SHA2-256f, SLH-DSA-SHAKE-256f`,
-			},
-			"hybrid_key_type_pqc": {
-				Type: framework.TypeString,
-				Description: `The key type of the post-quantum key to use for hybrid signature schemes.
-Supported types are: ML-DSA.`,
-			},
-			"hybrid_key_type_ec": {
-				Type: framework.TypeString,
-				Description: `The key type of the elliptic curve key to use for hybrid signature schemes.
-Supported types are: ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.`,
-			},
-		},
+		Fields: pathKeyCreateFields(),
 
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
@@ -167,6 +69,12 @@ Supported types are: ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.`,
 				DisplayAttrs: &framework.DisplayAttributes{
 					OperationVerb: "read",
 				},
+				Responses: map[int][]framework.Response{
+					200: {{
+						Description: "OK",
+						Fields:      pathKeyReadResponseFields(),
+					}},
+				},
 			},
 		},
 
@@ -225,6 +133,7 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 		Exportable:           exportable,
 		AllowPlaintextBackup: allowPlaintextBackup,
 		AutoRotatePeriod:     autoRotatePeriod,
+		WriteLocked:          true,
 	}
 
 	switch keyType {
@@ -336,9 +245,6 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 	if p == nil {
 		return nil, fmt.Errorf("error generating key: returned policy was nil")
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(true)
-	}
 	defer p.Unlock()
 
 	resp, err := b.formatKeyPolicy(p, nil)
@@ -379,9 +285,6 @@ func (b *backend) pathPolicyRead(ctx context.Context, req *logical.Request, d *f
 	if p == nil {
 		return nil, nil
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	contextRaw := d.Get("context").(string)
@@ -634,6 +537,234 @@ func getHybridKeyConfig(pqcKeyType, parameterSet, ecKeyType string) (keysutil.Hy
 	return config, nil
 }
 
+// pathKeySharedFields returns FieldSchema entries common to both the create/update
+// request and the read response for the keys/:name path.
+func pathKeySharedFields() map[string]*framework.FieldSchema {
+	return map[string]*framework.FieldSchema{
+		"name": {
+			Type:        framework.TypeString,
+			Description: "Name of the key.",
+		},
+		"type": {
+			Type:    framework.TypeString,
+			Default: "aes256-gcm96",
+			Description: `The type of key. Symmetric types: "aes128-gcm96", "aes256-gcm96", "chacha20-poly1305",
+"aes128-cbc", "aes256-cbc", "aes128-cmac", "aes192-cmac", "aes256-cmac". Asymmetric types: "ecdsa-p256",
+"ecdsa-p384", "ecdsa-p521", "ed25519", "rsa-2048", "rsa-3072", "rsa-4096", "ml-dsa", "slh-dsa", "hybrid".
+Defaults to "aes256-gcm96"`,
+			AllowedValues: []interface{}{
+				"aes128-gcm96", "aes256-gcm96", "chacha20-poly1305",
+				"aes128-cbc", "aes256-cbc",
+				"aes128-cmac", "aes192-cmac", "aes256-cmac",
+				"ecdsa-p256", "ecdsa-p384", "ecdsa-p521",
+				"ed25519", "rsa-2048", "rsa-3072", "rsa-4096",
+				"hmac", "managed_key",
+				"ml-dsa", "slh-dsa", "hybrid",
+			},
+		},
+		"derived": {
+			Type: framework.TypeBool,
+			Description: `Enables key derivation mode. This allows for per-transaction unique
+keys for encryption operations.`,
+		},
+		"convergent_encryption": {
+			Type: framework.TypeBool,
+			Description: `Whether to support convergent encryption. This is only supported when using a key
+with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce.
+The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and
+nonce are supplied, the same ciphertext is generated. It is *very important* when using this mode that you
+ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext's
+security.`,
+		},
+		"exportable": {
+			Type: framework.TypeBool,
+			Description: `Enables keys to be exportable. This allows for all the valid keys
+in the key ring to be exported.`,
+		},
+		"allow_plaintext_backup": {
+			Type: framework.TypeBool,
+			Description: `Enables taking a backup of the named key in plaintext format.
+Once set, this cannot be disabled.`,
+		},
+		"auto_rotate_period": {
+			Type:    framework.TypeDurationSecond,
+			Default: 0,
+			Description: `Amount of time the key should live before being automatically rotated.
+A value of 0 (default) disables automatic rotation for the key.`,
+		},
+		"key_size": {
+			Type:        framework.TypeInt,
+			Default:     0,
+			Description: fmt.Sprintf("The key size in bytes for the algorithm. Only applies to HMAC and must be no fewer than %d bytes and no more than %d.", keysutil.HmacMinKeySize, keysutil.HmacMaxKeySize),
+		},
+		"parameter_set": {
+			Type: framework.TypeString,
+			Description: `The parameter set to use for post-quantum key types. For ML-DSA, valid values are 44, 65,
+or 87. For SLH-DSA, valid values are the full parameter set identifiers (e.g. "slh-dsa-sha2-128s").
+Applies to ML-DSA, SLH-DSA, and Hybrid key types.`,
+			AllowedValues: []interface{}{
+				// ML-DSA
+				"44", "65", "87",
+				// SLH-DSA
+				"slh-dsa-sha2-128s", "slh-dsa-shake128s",
+				"slh-dsa-sha2-128f", "slh-dsa-shake128f",
+				"slh-dsa-sha2-192s", "slh-dsa-shake192s",
+				"slh-dsa-sha2-192f", "slh-dsa-shake192f",
+				"slh-dsa-sha2-256s", "slh-dsa-shake256s",
+				"slh-dsa-sha2-256f", "slh-dsa-shake256f",
+			},
+		},
+		"hybrid_key_type_pqc": {
+			Type: framework.TypeString,
+			Description: `The post-quantum key type to use for hybrid signature schemes.
+Supported types are: ml-dsa.`,
+			AllowedValues: []interface{}{
+				"ml-dsa",
+			},
+		},
+		"hybrid_key_type_ec": {
+			Type: framework.TypeString,
+			Description: `The elliptic curve key type to use for hybrid signature schemes.
+Supported types are: ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.`,
+			AllowedValues: []interface{}{
+				"ecdsa-p256", "ecdsa-p384", "ecdsa-p521", "ed25519",
+			},
+		},
+	}
+}
+
+// pathKeyCreateFields returns the field schema for create requests on the keys/:name path.
+// It extends pathKeySharedFields with request-only parameters and default values.
+func pathKeyCreateFields() map[string]*framework.FieldSchema {
+	fields := pathKeySharedFields()
+	fields["context"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Base64 encoded context for key derivation. When reading a key with key derivation
+enabled, if the key type supports public keys, this will return the public key for the given context.`,
+	}
+	fields["managed_key_name"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: "The name of the managed key to use for this transit key",
+	}
+	fields["managed_key_id"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: "The UUID of the managed key to use for this transit key",
+	}
+	return fields
+}
+
+// pathKeyReadResponseFields returns the field schema for read response
+// It extends pathKeySharedFields with response-only fields and marks always-present fields as Required.
+func pathKeyReadResponseFields() map[string]*framework.FieldSchema {
+	fields := pathKeySharedFields()
+
+	// Mark fields that are always present in the read response.
+	for _, k := range []string{
+		// convergent_encryption, key_size, parameter_set, and hybrid_key_type_* are intentionally
+		// omitted: they are only set conditionally in formatKeyPolicy.
+		"name", "type", "derived", "exportable", "allow_plaintext_backup", "auto_rotate_period",
+	} {
+		fields[k].Required = true
+	}
+
+	// Response-only fields — unconditionally present.
+	fields["deletion_allowed"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Whether deletion of the key is allowed.`,
+		Required:    true,
+	}
+	fields["min_available_version"] = &framework.FieldSchema{
+		Type: framework.TypeInt,
+		Description: `The minimum version of the key available for use. Versions below this have
+been permanently deleted.`,
+		Required: true,
+	}
+	fields["min_decryption_version"] = &framework.FieldSchema{
+		Type: framework.TypeInt,
+		Description: `The minimum version of the key allowed for decryption. For signing keys,
+the minimum version allowed for verification.`,
+		Required: true,
+	}
+	fields["min_encryption_version"] = &framework.FieldSchema{
+		Type: framework.TypeInt,
+		Description: `The minimum version of the key allowed for encryption. For signing keys,
+the minimum version allowed for signing. If set to 0, only the latest version is allowed.`,
+		Required: true,
+	}
+	fields["latest_version"] = &framework.FieldSchema{
+		Type:        framework.TypeInt,
+		Description: `The latest (current) version of the key.`,
+		Required:    true,
+	}
+	fields["supports_encryption"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Whether this key type supports encryption operations.`,
+		Required:    true,
+	}
+	fields["supports_decryption"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Whether this key type supports decryption operations.`,
+		Required:    true,
+	}
+	fields["supports_signing"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Whether this key type supports signing operations.`,
+		Required:    true,
+	}
+	fields["supports_derivation"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Whether this key type supports key derivation.`,
+		Required:    true,
+	}
+	fields["imported_key"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Whether this key was imported rather than generated by Vault.`,
+		Required:    true,
+	}
+	// Response-only fields — conditionally present.
+	fields["imported_key_allow_rotation"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Description: `Whether rotation is allowed for this imported key. Only present if the key was imported.`,
+	}
+	fields["backup_info"] = &framework.FieldSchema{
+		Type: framework.TypeMap,
+		Description: `Information about the most recent backup of this key. Contains "time" and "version"
+fields. Only present if the key has been backed up.`,
+	}
+	fields["restore_info"] = &framework.FieldSchema{
+		Type: framework.TypeMap,
+		Description: `Information about when this key was restored from backup. Contains "time" and "version"
+fields. Only present if the key has been restored.`,
+	}
+	fields["kdf"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: `The key derivation function used. Only present if key derivation is enabled.`,
+		AllowedValues: []interface{}{
+			"hmac-sha256-counter",
+			"hkdf_sha256",
+		},
+	}
+	fields["kdf_mode"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: `The key derivation function mode. Only present if KDF is "hmac-sha256-counter".`,
+		AllowedValues: []interface{}{
+			"hmac-sha256-counter",
+		},
+	}
+	fields["convergent_encryption_version"] = &framework.FieldSchema{
+		Type:        framework.TypeInt,
+		Description: `The version of convergent encryption. Only present if convergent encryption is enabled.`,
+	}
+	fields["keys"] = &framework.FieldSchema{
+		Type: framework.TypeMap,
+		Description: `A map of active key versions. For memory efficiency, transit keeps a working set of
+versions from "min_decryption_version" through the latest version. Older versions may still be retained in
+archived storage if they are at or above "min_available_version". Versions older than "min_available_version"
+are permanently deleted. Not present for hmac, managed_key, and CMAC key types.`,
+	}
+	return fields
+}
+
 const pathPolicyHelpSyn = `Managed named encryption keys`
 
 const pathPolicyHelpDesc = `
diff --git a/builtin/logical/transit/path_keys_config.go b/builtin/logical/transit/path_keys_config.go
index 57f719d077..eaf6a2f9de 100644
--- a/builtin/logical/transit/path_keys_config.go
+++ b/builtin/logical/transit/path_keys_config.go
@@ -81,8 +81,9 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 
 	// Check if the policy already exists before we lock everything
 	p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
-		Storage: req.Storage,
-		Name:    name,
+		Storage:     req.Storage,
+		Name:        name,
+		WriteLocked: true,
 	}, b.GetRandomReader())
 	if err != nil {
 		return nil, err
@@ -92,9 +93,6 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 				fmt.Sprintf("no existing key named %s could be found", name)),
 			logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(true)
-	}
 	defer p.Unlock()
 
 	var warning string
diff --git a/builtin/logical/transit/path_keys_config_test.go b/builtin/logical/transit/path_keys_config_test.go
index 7513037659..22af13b044 100644
--- a/builtin/logical/transit/path_keys_config_test.go
+++ b/builtin/logical/transit/path_keys_config_test.go
@@ -346,8 +346,6 @@ func TestTransit_UpdateKeyConfigWithAutorotation(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
diff --git a/builtin/logical/transit/path_keys_test.go b/builtin/logical/transit/path_keys_test.go
index 6c6ad2f606..49ef7edd55 100644
--- a/builtin/logical/transit/path_keys_test.go
+++ b/builtin/logical/transit/path_keys_test.go
@@ -34,13 +34,7 @@ func TestTransit_Issue_2958(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
-
-	vault.TestWaitActive(t, cores[0].Core)
-
 	client := cores[0].Client
 
 	err := client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
@@ -143,10 +137,7 @@ func TestTransit_CreateKeyWithAutorotation(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
 	err := client.Sys().Mount("transit", &api.MountInput{
 		Type: "transit",
@@ -365,10 +356,7 @@ func TestTransit_CreateKey(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
 	err := client.Sys().Mount("transit", &api.MountInput{
 		Type: "transit",
diff --git a/builtin/logical/transit/path_rewrap.go b/builtin/logical/transit/path_rewrap.go
index df0dbea991..39fe2df74c 100644
--- a/builtin/logical/transit/path_rewrap.go
+++ b/builtin/logical/transit/path_rewrap.go
@@ -196,9 +196,6 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *
 	if p == nil {
 		return logical.ErrorResponse("encryption key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	warnAboutNonceUsage := false
diff --git a/builtin/logical/transit/path_rotate.go b/builtin/logical/transit/path_rotate.go
index 6a3b119da8..e3ccb73347 100644
--- a/builtin/logical/transit/path_rotate.go
+++ b/builtin/logical/transit/path_rotate.go
@@ -52,8 +52,9 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
 
 	// Get the policy
 	p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
-		Storage: req.Storage,
-		Name:    name,
+		Storage:     req.Storage,
+		Name:        name,
+		WriteLocked: true,
 	}, b.GetRandomReader())
 	if err != nil {
 		// the error here will be something about "couldn't get policy")
@@ -64,9 +65,6 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
 		b.Logger().Error("failed to rotate key on user request", "name", name, "error", "key not found")
 		return logical.ErrorResponse("key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(true)
-	}
 	defer p.Unlock()
 	var keyId string
 	if p.Type == keysutil.KeyType_MANAGED_KEY {
diff --git a/builtin/logical/transit/path_sign_verify.go b/builtin/logical/transit/path_sign_verify.go
index 4ebebec5b3..7d2b599025 100644
--- a/builtin/logical/transit/path_sign_verify.go
+++ b/builtin/logical/transit/path_sign_verify.go
@@ -398,9 +398,6 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
 	if p == nil {
 		return logical.ErrorResponse("signing key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	if err := validateCommonSignVerifyApiArgs(p, apiArgs.commonSignVerifyApiArgs); err != nil {
@@ -689,9 +686,6 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
 	if p == nil {
 		return logical.ErrorResponse("signature verification key not found"), logical.ErrInvalidRequest
 	}
-	if !b.System().CachingDisabled() {
-		p.Lock(false)
-	}
 	defer p.Unlock()
 
 	if err := validateCommonSignVerifyApiArgs(p, apiArgs.commonSignVerifyApiArgs); err != nil {
diff --git a/builtin/logical/transit/path_sign_verify_test.go b/builtin/logical/transit/path_sign_verify_test.go
index c116a2cb3c..355fafd61a 100644
--- a/builtin/logical/transit/path_sign_verify_test.go
+++ b/builtin/logical/transit/path_sign_verify_test.go
@@ -179,7 +179,7 @@ func testTransit_SignVerify_ECDSA(t *testing.T, bits int) {
 		return value.(string)
 	}
 
-	verifyRequest := func(req *logical.Request, errExpected bool, postpath, sig string) {
+	verifyRequest := func(req *logical.Request, errExpected, sigFailureExpected bool, postpath, sig string) {
 		t.Helper()
 		req.Path = "verify/foo" + postpath
 		req.Data["signature"] = sig
@@ -203,9 +203,9 @@ func testTransit_SignVerify_ECDSA(t *testing.T, bits int) {
 		if !ok {
 			t.Fatalf("no valid key found in returned data, got resp data %#v", resp.Data)
 		}
-		if !value.(bool) && !errExpected {
+		if !value.(bool) && !sigFailureExpected {
 			t.Fatalf("verification failed; req was %#v, resp is %#v", *req, *resp)
-		} else if value.(bool) && errExpected {
+		} else if value.(bool) && sigFailureExpected {
 			t.Fatalf("expected error and didn't get one; req was %#v, resp is %#v", *req, *resp)
 		}
 	}
@@ -214,10 +214,13 @@ func testTransit_SignVerify_ECDSA(t *testing.T, bits int) {
 
 	// Test defaults -- sha2-256
 	sig := signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(1), b.billingDataCounts.Transit.Load(), "Counter after sign #1")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(2), b.billingDataCounts.Transit.Load(), "Counter after verify #1")
 
 	// Test a bad signature
-	verifyRequest(req, true, "", sig[0:len(sig)-2])
+	verifyRequest(req, true, false, "", sig[0:len(sig)-2])
+	require.Equal(t, uint64(2), b.billingDataCounts.Transit.Load(), "Counter after bad signature verify (should not increment)")
 
 	// Test a signature generated with the same key by openssl
 	switch bits {
@@ -228,78 +231,114 @@ func testTransit_SignVerify_ECDSA(t *testing.T, bits int) {
 	default:
 		sig = `vault:v1:MEUCIAgnEl9V8P305EBAlz68Nq4jZng5fE8k6MactcnlUw9dAiEAvJVePg3dazW6MaW7lRAVtEz82QJDVmR98tXCl8Pc7DA=`
 	}
-	verifyRequest(req, false, "", sig)
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(3), b.billingDataCounts.Transit.Load(), "Counter after openssl verify")
 
 	// Test algorithm selection in the path
 	sig = signRequest(req, false, "/sha2-224")
-	verifyRequest(req, false, "/sha2-224", sig)
+	require.Equal(t, uint64(4), b.billingDataCounts.Transit.Load(), "Counter after sha2-224 path sign")
+	verifyRequest(req, false, false, "/sha2-224", sig)
+	require.Equal(t, uint64(5), b.billingDataCounts.Transit.Load(), "Counter after sha2-224 path verify")
 
 	// Reset and test algorithm selection in the data
 	req.Data["hash_algorithm"] = "sha2-224"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(6), b.billingDataCounts.Transit.Load(), "Counter after sha2-224 data sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(7), b.billingDataCounts.Transit.Load(), "Counter after sha2-224 data verify")
 
 	req.Data["hash_algorithm"] = "sha2-384"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(8), b.billingDataCounts.Transit.Load(), "Counter after sha2-384 sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(9), b.billingDataCounts.Transit.Load(), "Counter after sha2-384 verify")
 
 	req.Data["hash_algorithm"] = "sha2-512"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(10), b.billingDataCounts.Transit.Load(), "Counter after sha2-512 sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(11), b.billingDataCounts.Transit.Load(), "Counter after sha2-512 verify")
 
 	req.Data["hash_algorithm"] = "sha3-224"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(12), b.billingDataCounts.Transit.Load(), "Counter after sha3-224 sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(13), b.billingDataCounts.Transit.Load(), "Counter after sha3-224 verify")
 
 	req.Data["hash_algorithm"] = "sha3-256"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(14), b.billingDataCounts.Transit.Load(), "Counter after sha3-256 sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(15), b.billingDataCounts.Transit.Load(), "Counter after sha3-256 verify")
 
 	req.Data["hash_algorithm"] = "sha3-384"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(16), b.billingDataCounts.Transit.Load(), "Counter after sha3-384 sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(17), b.billingDataCounts.Transit.Load(), "Counter after sha3-384 verify")
 
 	req.Data["hash_algorithm"] = "sha3-512"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(18), b.billingDataCounts.Transit.Load(), "Counter after sha3-512 sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(19), b.billingDataCounts.Transit.Load(), "Counter after sha3-512 verify")
 
 	req.Data["prehashed"] = true
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(20), b.billingDataCounts.Transit.Load(), "Counter after prehashed sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(21), b.billingDataCounts.Transit.Load(), "Counter after prehashed verify")
 	delete(req.Data, "prehashed")
 
 	// Test marshaling selection
 	// Bad value
 	req.Data["marshaling_algorithm"] = "asn2"
 	sig = signRequest(req, true, "")
+	require.Equal(t, uint64(21), b.billingDataCounts.Transit.Load(), "Counter after bad marshaling (asn2) - should not increment")
 	// Use the default, verify we can't validate with jws
 	req.Data["marshaling_algorithm"] = "asn1"
 	sig = signRequest(req, false, "")
+	require.Equal(t, uint64(22), b.billingDataCounts.Transit.Load(), "Counter after asn1 sign")
+
+	// Make sure we fail for the right reason that jws signature fails and not a base64 encoding issue
 	req.Data["marshaling_algorithm"] = "jws"
-	verifyRequest(req, true, "", sig)
+	asn1Sig := strings.TrimPrefix(sig, "vault:v1:")
+	decodedAsn1Sig, err := base64.StdEncoding.DecodeString(asn1Sig)
+	require.NoError(t, err)
+	jwsSig := "vault:v1:" + base64.RawURLEncoding.EncodeToString(decodedAsn1Sig)
+	verifyRequest(req, false, true, "", jwsSig)
+	require.Equal(t, uint64(23), b.billingDataCounts.Transit.Load(), "Counter after jws verify (should fail signature verification which increments)")
+
 	// Sign with jws, verify we can validate
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(24), b.billingDataCounts.Transit.Load(), "Counter after jws sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(25), b.billingDataCounts.Transit.Load(), "Counter after jws verify")
 	// If we change marshaling back to asn1 we shouldn't be able to verify
 	delete(req.Data, "marshaling_algorithm")
-	verifyRequest(req, true, "", sig)
+	verifyRequest(req, true, false, "", sig)
+	require.Equal(t, uint64(25), b.billingDataCounts.Transit.Load(), "Counter after asn1 verify (should fail) - should not increment")
 
 	// Test 512 and save sig for later to ensure we can't validate once min
 	// decryption version is set
 	req.Data["hash_algorithm"] = "sha2-512"
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(26), b.billingDataCounts.Transit.Load(), "Counter after sha2-512 sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(27), b.billingDataCounts.Transit.Load(), "Counter after sha2-512 verify")
 
 	v1sig := sig
 
 	// Test bad algorithm
 	req.Data["hash_algorithm"] = "foobar"
 	signRequest(req, true, "")
+	require.Equal(t, uint64(27), b.billingDataCounts.Transit.Load(), "Counter after bad algorithm - should not increment")
 
 	// Test bad input
 	req.Data["hash_algorithm"] = "sha2-256"
 	req.Data["input"] = "foobar"
 	signRequest(req, true, "")
+	require.Equal(t, uint64(27), b.billingDataCounts.Transit.Load(), "Counter after bad input - should not increment")
 
 	// Rotate and set min decryption version
 	err = p.Rotate(context.Background(), storage, b.GetRandomReader())
@@ -320,10 +359,12 @@ func testTransit_SignVerify_ECDSA(t *testing.T, bits int) {
 	req.Data["hash_algorithm"] = "sha2-256"
 	// Make sure signing still works fine
 	sig = signRequest(req, false, "")
-	verifyRequest(req, false, "", sig)
+	require.Equal(t, uint64(28), b.billingDataCounts.Transit.Load(), "Counter after final sign")
+	verifyRequest(req, false, false, "", sig)
+	require.Equal(t, uint64(29), b.billingDataCounts.Transit.Load(), "Counter after final verify")
 	// Now try the v1
-	verifyRequest(req, true, "", v1sig)
-	require.Equal(t, uint64(28), b.billingDataCounts.Transit.Load())
+	verifyRequest(req, true, false, "", v1sig)
+	require.Equal(t, uint64(29), b.billingDataCounts.Transit.Load(), "Counter after v1sig verify (should fail) - should not increment")
 }
 
 func validatePublicKey(t *testing.T, in string, sig string, pubKeyRaw []byte, expectValid bool, postpath string, b *backend) {
diff --git a/builtin/logical/transit/path_trim.go b/builtin/logical/transit/path_trim.go
index 86a0db30f4..b64f909886 100644
--- a/builtin/logical/transit/path_trim.go
+++ b/builtin/logical/transit/path_trim.go
@@ -51,8 +51,9 @@ func (b *backend) pathTrimUpdate() framework.OperationFunc {
 		name := d.Get("name").(string)
 
 		p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
-			Storage: req.Storage,
-			Name:    name,
+			Storage:     req.Storage,
+			Name:        name,
+			WriteLocked: true,
 		}, b.GetRandomReader())
 		if err != nil {
 			return nil, err
@@ -60,9 +61,6 @@ func (b *backend) pathTrimUpdate() framework.OperationFunc {
 		if p == nil {
 			return logical.ErrorResponse("invalid key name"), logical.ErrInvalidRequest
 		}
-		if !b.System().CachingDisabled() {
-			p.Lock(true)
-		}
 		defer p.Unlock()
 
 		minAvailableVersionRaw, ok, err := d.GetOkErr("min_available_version")
diff --git a/builtin/logical/transit/path_trim_test.go b/builtin/logical/transit/path_trim_test.go
index 303729ed24..13f6e30e15 100644
--- a/builtin/logical/transit/path_trim_test.go
+++ b/builtin/logical/transit/path_trim_test.go
@@ -59,6 +59,8 @@ func TestTransit_Trim(t *testing.T) {
 		t.Fatalf("bad: len of archived keys; expected: 2, actual: %d", len(archive.Keys))
 	}
 
+	p.Unlock()
+
 	// Ensure that there are 5 key versions, by rotating the key 4 times
 	for i := 0; i < 4; i++ {
 		req.Path = "keys/aes/rotate"
diff --git a/builtin/logical/transit/path_wrapping_key.go b/builtin/logical/transit/path_wrapping_key.go
index 8d4d87db59..11da69a165 100644
--- a/builtin/logical/transit/path_wrapping_key.go
+++ b/builtin/logical/transit/path_wrapping_key.go
@@ -5,8 +5,10 @@ package transit
 
 import (
 	"context"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"strconv"
 
@@ -33,13 +35,12 @@ func (b *backend) pathWrappingKey() *framework.Path {
 }
 
 func (b *backend) pathWrappingKeyRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
-	p, err := b.getWrappingKey(ctx, req.Storage)
+	wrappingKey, err := b.getWrappingKey(ctx, req.Storage)
 	if err != nil {
 		return nil, err
 	}
-	wrappingKey := p.Keys[strconv.Itoa(p.LatestVersion)]
 
-	derBytes, err := x509.MarshalPKIXPublicKey(wrappingKey.RSAKey.Public())
+	derBytes, err := x509.MarshalPKIXPublicKey(wrappingKey.Public())
 	if err != nil {
 		return nil, fmt.Errorf("error marshaling RSA public key: %w", err)
 	}
@@ -63,7 +64,7 @@ func (b *backend) pathWrappingKeyRead(ctx context.Context, req *logical.Request,
 	return resp, nil
 }
 
-func (b *backend) getWrappingKey(ctx context.Context, storage logical.Storage) (*keysutil.Policy, error) {
+func (b *backend) getWrappingKey(ctx context.Context, storage logical.Storage) (*rsa.PrivateKey, error) {
 	polReq := keysutil.PolicyRequest{
 		Upsert:               true,
 		Storage:              storage,
@@ -82,11 +83,18 @@ func (b *backend) getWrappingKey(ctx context.Context, storage logical.Storage) (
 	if p == nil {
 		return nil, fmt.Errorf("error retrieving wrapping key: returned policy was nil")
 	}
-	if b.System().CachingDisabled() {
-		p.Unlock()
+	defer p.Unlock()
+
+	keyEntry, ok := p.Keys[strconv.Itoa(p.LatestVersion)]
+	if !ok {
+		return nil, errors.New("error retrieving wrapping key: key not found")
 	}
 
-	return p, nil
+	if keyEntry.RSAKey == nil {
+		return nil, errors.New("error retrieving wrapping key: key not found")
+	}
+
+	return keyEntry.RSAKey, nil
 }
 
 const (
diff --git a/builtin/plugin/backend_test.go b/builtin/plugin/backend_test.go
index d9732e49a1..c96008a333 100644
--- a/builtin/plugin/backend_test.go
+++ b/builtin/plugin/backend_test.go
@@ -123,7 +123,6 @@ func testConfig(t *testing.T, pluginCmd string) (*logical.BackendConfig, func())
 	}, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
 	cores := cluster.Cores
 
 	core := cores[0]
@@ -144,6 +143,5 @@ func testConfig(t *testing.T, pluginCmd string) (*logical.BackendConfig, func())
 		[]string{fmt.Sprintf("%s=%s", pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)})
 
 	return config, func() {
-		cluster.Cleanup()
 	}
 }
diff --git a/changelog/31807.txt b/changelog/31807.txt
new file mode 100644
index 0000000000..eaaa7aa67b
--- /dev/null
+++ b/changelog/31807.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix renew token button rendering for denied renew-self.
+```
diff --git a/changelog/31828.txt b/changelog/31828.txt
new file mode 100644
index 0000000000..8f439d54aa
--- /dev/null
+++ b/changelog/31828.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+pki: Reject obviously unsafe validation targets during ACME HTTP-01 and TLS-ALPN-01 challenge verification
+```
diff --git a/changelog/_11699.txt b/changelog/_11699.txt
new file mode 100644
index 0000000000..389a3e6079
--- /dev/null
+++ b/changelog/_11699.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+events (enterprise): Add event notifications support for lease events.
+```
diff --git a/changelog/_11823.txt b/changelog/_11823.txt
new file mode 100644
index 0000000000..50ac85f866
--- /dev/null
+++ b/changelog/_11823.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+config/listener: logs warnings on invalid x-forwarded-for configurations.
+```
diff --git a/changelog/_12101.txt b/changelog/_12101.txt
new file mode 100644
index 0000000000..64a92cb942
--- /dev/null
+++ b/changelog/_12101.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: when in common criteria mode, don't allow upload of certificates without a chain of trust.
+```
diff --git a/changelog/_12223.txt b/changelog/_12223.txt
new file mode 100644
index 0000000000..2f5a406c3f
--- /dev/null
+++ b/changelog/_12223.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+ldap auth (enterprise): Fix root password rotation for Active Directory by implementing UTF-16LE encoding and schema-specific handling. Adds new 'schema' config field (defaults to 'openldap' for backward compatibility).
+```
+
diff --git a/changelog/_12336.txt b/changelog/_12336.txt
new file mode 100644
index 0000000000..6c183bcd18
--- /dev/null
+++ b/changelog/_12336.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secret sync (enterprise): fix panic in set-association API when using Vault Proxy with token-bound CIDRs. The panic occurred due to missing connection information during CIDR validation.
+```
\ No newline at end of file
diff --git a/changelog/_12363.txt b/changelog/_12363.txt
new file mode 100644
index 0000000000..e2a87bf00d
--- /dev/null
+++ b/changelog/_12363.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**Vault Agent: ACME protocol support**: Add support to natively support Public CA ACME workflows
+```
\ No newline at end of file
diff --git a/changelog/_12482.txt b/changelog/_12482.txt
new file mode 100644
index 0000000000..250fccfdec
--- /dev/null
+++ b/changelog/_12482.txt
@@ -0,0 +1,6 @@
+```release-note:security
+vault/sdk: Upgrade `go.opentelemetry.io/otel/sdk` to v1.40.0 to resolve GO-2026-4394
+```
+```release-note:security
+Upgrade `filippo.io/edwards25519` to v1.1.1 to resolve GO-2026-4503
+```
diff --git a/changelog/_12493.txt b/changelog/_12493.txt
new file mode 100644
index 0000000000..d42d514dd4
--- /dev/null
+++ b/changelog/_12493.txt
@@ -0,0 +1,3 @@
+```release-note:change
+ui: Remove ability to bulk delete secrets engines from the list view.
+```
\ No newline at end of file
diff --git a/changelog/_12511.txt b/changelog/_12511.txt
new file mode 100644
index 0000000000..a35a68e911
--- /dev/null
+++ b/changelog/_12511.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fix stale secrets engine list after deleting an engine within a namespace.
+``
diff --git a/changelog/_12548.txt b/changelog/_12548.txt
new file mode 100644
index 0000000000..4302de05d0
--- /dev/null
+++ b/changelog/_12548.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**Billing metrics dashboard**: Create a new billing dashboard with responsive layout to display metric data. 
+```
diff --git a/changelog/_12567.txt b/changelog/_12567.txt
new file mode 100644
index 0000000000..debb1f87ff
--- /dev/null
+++ b/changelog/_12567.txt
@@ -0,0 +1,6 @@
+```release-note:security
+vault/sdk: Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+```
+```release-note:security
+Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229
+```
diff --git a/changelog/_12575.txt b/changelog/_12575.txt
new file mode 100644
index 0000000000..5e3b95af9e
--- /dev/null
+++ b/changelog/_12575.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
+```
diff --git a/changelog/_12603.txt b/changelog/_12603.txt
new file mode 100644
index 0000000000..07d8f56df4
--- /dev/null
+++ b/changelog/_12603.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
+```
diff --git a/changelog/_12609.txt b/changelog/_12609.txt
new file mode 100644
index 0000000000..3f544285b9
--- /dev/null
+++ b/changelog/_12609.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
+```
\ No newline at end of file
diff --git a/changelog/_12623.txt b/changelog/_12623.txt
new file mode 100644
index 0000000000..c818d0596d
--- /dev/null
+++ b/changelog/_12623.txt
@@ -0,0 +1,4 @@
+
+```release-note:bug
+secrets/pki: The root/sign-intermediate endpoint max_path_length parameter is now restricted by the signing CA's max_path_length if set.
+```
diff --git a/changelog/_12644.txt b/changelog/_12644.txt
new file mode 100644
index 0000000000..187f6c36e5
--- /dev/null
+++ b/changelog/_12644.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+*** PKI External CA (Enterprise) ***: A new plugin that provides the ability to acquire PKI certificates from Public CA providers through the ACME protocol
+```
diff --git a/changelog/_12674.txt b/changelog/_12674.txt
new file mode 100644
index 0000000000..892db22041
--- /dev/null
+++ b/changelog/_12674.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: allow glob-style DNS names in alt_names.
+```
diff --git a/changelog/_12712.txt b/changelog/_12712.txt
new file mode 100644
index 0000000000..d53727d36d
--- /dev/null
+++ b/changelog/_12712.txt
@@ -0,0 +1,3 @@
+```release-note:change
+core: sys/rekey endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "rekey".
+```
diff --git a/changelog/_12738.txt b/changelog/_12738.txt
new file mode 100644
index 0000000000..84296e43aa
--- /dev/null
+++ b/changelog/_12738.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity: Repair the integrity of duplicate and/or dangling entity aliases.
+```
diff --git a/changelog/_12749.txt b/changelog/_12749.txt
new file mode 100644
index 0000000000..9136ce5989
--- /dev/null
+++ b/changelog/_12749.txt
@@ -0,0 +1,3 @@
+```release-note:security
+http: Added configurable `max_token_header_size` listener option (default 8 KB) to bound the size of authentication token headers (`X-Vault-Token` and `Authorization: Bearer`), preventing a potential denial-of-service attack via oversized header contents. The stdlib-level `MaxHeaderBytes` backstop is also now set on the HTTP server. Set `max_token_header_size = -1` to disable the limit.
+```
diff --git a/changelog/_12761.txt b/changelog/_12761.txt
new file mode 100644
index 0000000000..6fbad55e12
--- /dev/null
+++ b/changelog/_12761.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/managed-keys (enterprise): Fix a bug that prevented the max_parallel field of PKCS#11 managed keys from being updated.
+```
diff --git a/changelog/_12769.txt b/changelog/_12769.txt
new file mode 100644
index 0000000000..8bea6ab9ed
--- /dev/null
+++ b/changelog/_12769.txt
@@ -0,0 +1,9 @@
+```release-note:bug
+core/managed-keys (enterprise): Fix a problem that prevented 'mac' and 'generate_random' key usages from being set.
+```
+```release-note:change
+core/managed-keys (enterprise): The response to API endpoint GET sys/managed-keys/:type/:name now
+returns an array of string values for key usages, rather than an array of integer values. The
+strings used are 'encrypt' (1), 'decrypt' (2), 'sign' (3), 'verify' (4), 'wrap' (5), 'unwrap' (6),
+'generate_random' (7), and 'mac' (8).
+```
diff --git a/changelog/_12786.txt b/changelog/_12786.txt
new file mode 100644
index 0000000000..6cf0f02d60
--- /dev/null
+++ b/changelog/_12786.txt
@@ -0,0 +1,7 @@
+```release-note:security
+core: reject URL-encoded paths that do not specify a canonical path
+```
+
+```release-note:change
+core: Vault now rejects paths that are not canonical, such as paths containing double slashes (`path//to/resource`)
+```
\ No newline at end of file
diff --git a/changelog/_12790.txt b/changelog/_12790.txt
new file mode 100644
index 0000000000..08667e1845
--- /dev/null
+++ b/changelog/_12790.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets-pki (enterprise): Add response data in a parsed format to the audit log for enrollment protocols.
+```
diff --git a/changelog/_12856.txt b/changelog/_12856.txt
new file mode 100644
index 0000000000..2c49473868
--- /dev/null
+++ b/changelog/_12856.txt
@@ -0,0 +1,6 @@
+```release-note:change
+core: sys/generate-root and sys/replication/dr/secondary/generate-operation-token endpoints are now authenticated by default, with the old unauthenticated behaviour enabled by setting the new HCL config key enable_unauthenticated_access to include the value "generate-root" or "generate-operation-token" respectively.
+```
+```release-note:change
+core: secondary DR requests can now be authenticated using a root token generated on the primary.
+```
diff --git a/changelog/_12890.txt b/changelog/_12890.txt
new file mode 100644
index 0000000000..a1405ec451
--- /dev/null
+++ b/changelog/_12890.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**UI TLS Certificate login: Add UI login support for the TLS certificate (cert) authentication.
+```
diff --git a/changelog/_12920.txt b/changelog/_12920.txt
new file mode 100644
index 0000000000..2b4bfa8566
--- /dev/null
+++ b/changelog/_12920.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+dockerfile: container will now run as vault user by default
+```
diff --git a/changelog/_12926.txt b/changelog/_12926.txt
new file mode 100644
index 0000000000..0fd5dfb4e4
--- /dev/null
+++ b/changelog/_12926.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+license utilization reporting: Added consumption billing metrics.
+```
\ No newline at end of file
diff --git a/changelog/_13010.txt b/changelog/_13010.txt
new file mode 100644
index 0000000000..e12c152ac6
--- /dev/null
+++ b/changelog/_13010.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Add ACME configuration fields challenge_permitted_ip_ranges and challenge_excluded_ip_ranges configuration to control which IP addresses are allowed or disallowed for challenge validation.
+```
diff --git a/changelog/_13049.txt b/changelog/_13049.txt
new file mode 100644
index 0000000000..e820b7327e
--- /dev/null
+++ b/changelog/_13049.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+consumption-billing: Enabled `sys/billing/overview` endpoint in admin namespace.
+```
\ No newline at end of file
diff --git a/changelog/_13053.txt b/changelog/_13053.txt
new file mode 100644
index 0000000000..c8eee2202d
--- /dev/null
+++ b/changelog/_13053.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/identity: Add two new fields to the alias API, external_id and issuer. These fields do not inherently do anything meaningful, and are part of a future feature.
+```
diff --git a/changelog/_13058.txt b/changelog/_13058.txt
new file mode 100644
index 0000000000..b3101a3fdb
--- /dev/null
+++ b/changelog/_13058.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/alicloud: Update plugin to [v0.23.0](https://github.com/hashicorp/vault-plugin-auth-alicloud/releases/tag/v0.23.0)
+```
diff --git a/changelog/_13068.txt b/changelog/_13068.txt
new file mode 100644
index 0000000000..20537c22ce
--- /dev/null
+++ b/changelog/_13068.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/transit: Improve import errors for non-PKCS#8 keys to clearly require PKCS#8.
+```
diff --git a/changelog/_13069.txt b/changelog/_13069.txt
new file mode 100644
index 0000000000..2e1c53ccb2
--- /dev/null
+++ b/changelog/_13069.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**Template Integration for PublicPKICA**: Vault Agent templates are now automatically re-rendered when a PKI external CA certificate is issued or renewed.
+```
diff --git a/changelog/_13086.txt b/changelog/_13086.txt
new file mode 100644
index 0000000000..1ede0b59ee
--- /dev/null
+++ b/changelog/_13086.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/gcp: Fix intermittent context canceled failures for Workload Identity Federation (WIF) authentication
+```
diff --git a/changelog/_13126.txt b/changelog/_13126.txt
new file mode 100644
index 0000000000..0287f54451
--- /dev/null
+++ b/changelog/_13126.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/kerberos: Update plugin to [v0.17.0](https://github.com/hashicorp/vault-plugin-auth-kerberos/releases/tag/v0.17.0)
+```
diff --git a/changelog/_13134.txt b/changelog/_13134.txt
new file mode 100644
index 0000000000..9fbb558db8
--- /dev/null
+++ b/changelog/_13134.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/mongodbatlas: Update plugin to [v0.17.0](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/releases/tag/v0.17.0)
+```
diff --git a/changelog/_13139.txt b/changelog/_13139.txt
new file mode 100644
index 0000000000..2bdcec2c3c
--- /dev/null
+++ b/changelog/_13139.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/redis-elasticache: Update plugin to [v0.9.0](https://github.com/hashicorp/vault-plugin-database-redis-elasticache/releases/tag/v0.9.0)
+```
diff --git a/changelog/_13150.txt b/changelog/_13150.txt
new file mode 100644
index 0000000000..30fabdf842
--- /dev/null
+++ b/changelog/_13150.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/kubernetes: Update plugin to v0.24.0
+```
diff --git a/changelog/_13169.txt b/changelog/_13169.txt
new file mode 100644
index 0000000000..e47895d590
--- /dev/null
+++ b/changelog/_13169.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/alicloud: Update plugin to [v0.22.0](https://github.com/hashicorp/vault-plugin-secrets-alicloud/releases/tag/v0.22.0)
+```
diff --git a/changelog/_13200.txt b/changelog/_13200.txt
new file mode 100644
index 0000000000..2105add0ac
--- /dev/null
+++ b/changelog/_13200.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/terraform: Update plugin to [v0.14.1](https://github.com/hashicorp/vault-plugin-secrets-terraform/releases/tag/v0.14.1)
+```
diff --git a/changelog/_13201.txt b/changelog/_13201.txt
new file mode 100644
index 0000000000..7a7eb598ee
--- /dev/null
+++ b/changelog/_13201.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/alicloud: Update plugin to [v0.22.1](https://github.com/hashicorp/vault-plugin-secrets-alicloud/releases/tag/v0.22.1)
+```
diff --git a/changelog/_13202.txt b/changelog/_13202.txt
new file mode 100644
index 0000000000..1f0973c6f0
--- /dev/null
+++ b/changelog/_13202.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/alicloud: Update plugin to [v0.23.1](https://github.com/hashicorp/vault-plugin-auth-alicloud/releases/tag/v0.23.1)
+```
diff --git a/changelog/_13203.txt b/changelog/_13203.txt
new file mode 100644
index 0000000000..86affd3d05
--- /dev/null
+++ b/changelog/_13203.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/kubernetes: Update plugin to [v0.13.1](https://github.com/hashicorp/vault-plugin-secrets-kubernetes/releases/tag/v0.13.1)
+```
diff --git a/changelog/_13205.txt b/changelog/_13205.txt
new file mode 100644
index 0000000000..bba6d38b14
--- /dev/null
+++ b/changelog/_13205.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/mongodbatlas: Update plugin to [v0.17.1](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/releases/tag/v0.17.1)
+```
diff --git a/changelog/_13207.txt b/changelog/_13207.txt
new file mode 100644
index 0000000000..fa65d976e9
--- /dev/null
+++ b/changelog/_13207.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/redis: Update plugin to [v0.8.1](https://github.com/hashicorp/vault-plugin-database-redis/releases/tag/v0.8.1)
+```
diff --git a/changelog/_13215.txt b/changelog/_13215.txt
new file mode 100644
index 0000000000..5b13ef5256
--- /dev/null
+++ b/changelog/_13215.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/couchbase: Update plugin to [v0.16.1](https://github.com/hashicorp/vault-plugin-database-couchbase/releases/tag/v0.16.1)
+```
diff --git a/changelog/_13217.txt b/changelog/_13217.txt
new file mode 100644
index 0000000000..d68afeb94c
--- /dev/null
+++ b/changelog/_13217.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/gcp: Update plugin to [v0.23.1](https://github.com/hashicorp/vault-plugin-auth-gcp/releases/tag/v0.23.1)
+```
diff --git a/changelog/_13225.txt b/changelog/_13225.txt
new file mode 100644
index 0000000000..333cb658cc
--- /dev/null
+++ b/changelog/_13225.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/elasticsearch: Update plugin to [v0.20.1](https://github.com/hashicorp/vault-plugin-database-elasticsearch/releases/tag/v0.20.1)
+```
diff --git a/changelog/_13227.txt b/changelog/_13227.txt
new file mode 100644
index 0000000000..9b694c037d
--- /dev/null
+++ b/changelog/_13227.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/azure: Update plugin to [v0.24.0](https://github.com/hashicorp/vault-plugin-auth-azure/releases/tag/v0.24.0)
+```
diff --git a/changelog/_13228.txt b/changelog/_13228.txt
new file mode 100644
index 0000000000..c2079228e3
--- /dev/null
+++ b/changelog/_13228.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/mongodbatlas: Update plugin to [v0.17.1](https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/releases/tag/v0.17.1)
+```
diff --git a/changelog/_13230.txt b/changelog/_13230.txt
new file mode 100644
index 0000000000..897b151a57
--- /dev/null
+++ b/changelog/_13230.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/redis-elasticache: Update plugin to [v0.9.1](https://github.com/hashicorp/vault-plugin-database-redis-elasticache/releases/tag/v0.9.1)
+```
diff --git a/changelog/_13234.txt b/changelog/_13234.txt
new file mode 100644
index 0000000000..7fc70979cf
--- /dev/null
+++ b/changelog/_13234.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/oci: Update plugin to [v0.21.1](https://github.com/hashicorp/vault-plugin-auth-oci/releases/tag/v0.21.1)
+```
diff --git a/changelog/_13236.txt b/changelog/_13236.txt
new file mode 100644
index 0000000000..43fe7d1a90
--- /dev/null
+++ b/changelog/_13236.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/gcpkms: Update plugin to [v0.23.0](https://github.com/hashicorp/vault-plugin-secrets-gcpkms/releases/tag/v0.23.0)
+```
diff --git a/changelog/_13237.txt b/changelog/_13237.txt
new file mode 100644
index 0000000000..bd450f50d0
--- /dev/null
+++ b/changelog/_13237.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/ad: Update plugin to [v0.22.1](https://github.com/hashicorp/vault-plugin-secrets-ad/releases/tag/v0.22.1)
+```
diff --git a/changelog/_13240.txt b/changelog/_13240.txt
new file mode 100644
index 0000000000..54111f6471
--- /dev/null
+++ b/changelog/_13240.txt
@@ -0,0 +1,3 @@
+```release-note:change
+database/snowflake: Update plugin to [v0.16.0](https://github.com/hashicorp/vault-plugin-database-snowflake/releases/tag/v0.16.0)
+```
diff --git a/changelog/_13242.txt b/changelog/_13242.txt
new file mode 100644
index 0000000000..df8361fe68
--- /dev/null
+++ b/changelog/_13242.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/jwt: Update plugin to [v0.26.1](https://github.com/hashicorp/vault-plugin-auth-jwt/releases/tag/v0.26.1)
+```
diff --git a/changelog/_13245.txt b/changelog/_13245.txt
new file mode 100644
index 0000000000..6cb90ea059
--- /dev/null
+++ b/changelog/_13245.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/kerberos: Update plugin to [v0.17.1](https://github.com/hashicorp/vault-plugin-auth-kerberos/releases/tag/v0.17.1)
+```
diff --git a/changelog/_13251.txt b/changelog/_13251.txt
new file mode 100644
index 0000000000..7430ca4b63
--- /dev/null
+++ b/changelog/_13251.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.  
+```
diff --git a/changelog/_13259.txt b/changelog/_13259.txt
new file mode 100644
index 0000000000..d1dfaebf18
--- /dev/null
+++ b/changelog/_13259.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/kubernetes: Update plugin to [v0.24.1](https://github.com/hashicorp/vault-plugin-auth-kubernetes/releases/tag/v0.24.1)
+```
diff --git a/changelog/_13260.txt b/changelog/_13260.txt
new file mode 100644
index 0000000000..1b90e6a242
--- /dev/null
+++ b/changelog/_13260.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/openldap: Update plugin to [v0.18.0](https://github.com/hashicorp/vault-plugin-secrets-openldap/releases/tag/v0.18.0)
+```
diff --git a/changelog/_13264.txt b/changelog/_13264.txt
new file mode 100644
index 0000000000..08cfcbf9e3
--- /dev/null
+++ b/changelog/_13264.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/kv: Update plugin to [v0.26.2](https://github.com/hashicorp/vault-plugin-secrets-kv/releases/tag/v0.26.2)
+```
diff --git a/changelog/_13270.txt b/changelog/_13270.txt
new file mode 100644
index 0000000000..ef9665104b
--- /dev/null
+++ b/changelog/_13270.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/gcp: Update plugin to [v0.24.0](https://github.com/hashicorp/vault-plugin-secrets-gcp/releases/tag/v0.24.0)
+```
diff --git a/changelog/_13281.txt b/changelog/_13281.txt
new file mode 100644
index 0000000000..c325873d2b
--- /dev/null
+++ b/changelog/_13281.txt
@@ -0,0 +1,24 @@
+```release-note:feature
+**IBM PAO License Integration**: Added IBM PAO license support, allowing usage of Vault Enterprise with an IBM PAO license key.
+A new configuration stanza `license_entitlement` is required in the Vault config to use an IBM license. For more details, see
+the [License documentation](https://developer.hashicorp.com/vault/docs/license#ibm-pao-license-keys).
+```
+
+```release-note:change
+license utilization reporting (enterprise): Manual reporting bundles generated by `vault operator utilization` have a changed format.
+Notably they contain an array of `snapshot_records` instead of `snapshots`. The `decoded_snapshot` field in each record contains
+the human-readable data that was previously in the `snapshots` array.
+```
+
+```release-note:improvement
+license utilization reporting (enterprise): Utilization reports now include new license metadata fields `issuer`, `edition`, `add_ons`,
+`license_start_time`, `license_expiration_time`, and `license_termination_time`. 
+
+```release-note:improvement
+core (enterprise): New license fields `architecture`, `os`, `issuer`, `edition`, and `add_ons` have been added to the output of
+`vault license inspect`, `vault license get`, and the `/sys/license/status` API endpoint.
+```
+
+```release-note:improvement
+core (enterprise): Added a new telemetry metric `vault.core.license.termination_time_epoch`.
+```
\ No newline at end of file
diff --git a/changelog/_13303.txt b/changelog/_13303.txt
new file mode 100644
index 0000000000..3da14b0809
--- /dev/null
+++ b/changelog/_13303.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: `unsafe-inline` is no longer included in the `style-src` CSP directive.
+```
diff --git a/changelog/_13333.txt b/changelog/_13333.txt
new file mode 100644
index 0000000000..52a7088c53
--- /dev/null
+++ b/changelog/_13333.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/cf: Update plugin to [v0.23.0](https://github.com/hashicorp/vault-plugin-auth-cf/releases/tag/v0.23.0)
+```
diff --git a/changelog/_13336.txt b/changelog/_13336.txt
new file mode 100644
index 0000000000..647ad38ddf
--- /dev/null
+++ b/changelog/_13336.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secret-sync (enterprise): Fix race condition in secretsSetRemoveHandler by serializing MemDB transaction access.
+```
\ No newline at end of file
diff --git a/changelog/_13346.txt b/changelog/_13346.txt
new file mode 100644
index 0000000000..e136b914f7
--- /dev/null
+++ b/changelog/_13346.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Warn if the Country field on roles and when generating CAs is not ISO 3166 compliant
+```
diff --git a/changelog/_13474.txt b/changelog/_13474.txt
new file mode 100644
index 0000000000..9ff2282996
--- /dev/null
+++ b/changelog/_13474.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+database/mssql: Fix dynamic secret revocation by executing custom statements as a single batch instead of splitting on semicolons
+```
\ No newline at end of file
diff --git a/changelog/_13528.txt b/changelog/_13528.txt
new file mode 100644
index 0000000000..2ad2831af0
--- /dev/null
+++ b/changelog/_13528.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+database/mssql: Fix "sysadmin" requirement during lease revocation by replacing the undocumented `sp_msloginmappings` procedure with a granular metadata query. This allows the plugin to function with `VIEW ANY DEFINITION` instead of full `sysadmin` privileges.
+```
\ No newline at end of file
diff --git a/changelog/_13540.txt b/changelog/_13540.txt
new file mode 100644
index 0000000000..cddf9d52b2
--- /dev/null
+++ b/changelog/_13540.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**PKI PKCS#12 and JKS Support**: Adds support for PKCS#12 (PFX) and Java keytool (JKS) certificate bundles to relevant PKI endpoints. Bundles are returned as base64-encoded, password-protected files.
+```
\ No newline at end of file
diff --git a/changelog/_13549.txt b/changelog/_13549.txt
new file mode 100644
index 0000000000..01b561f99d
--- /dev/null
+++ b/changelog/_13549.txt
@@ -0,0 +1,11 @@
+```release-note:security
+core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
+```
+```release-note:security
+sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
+```
+```release-note:breaking-change
+sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to
+github.com/moby/moby. This was necessary as github.com/docker/docker is no
+longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.
+```
diff --git a/changelog/_13564.txt b/changelog/_13564.txt
new file mode 100644
index 0000000000..d941fd0efb
--- /dev/null
+++ b/changelog/_13564.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Add Freshest CRL extension (Delta CRL Distribution Points) to base CRLs
+```
\ No newline at end of file
diff --git a/changelog/_13613.txt b/changelog/_13613.txt
new file mode 100644
index 0000000000..d5e4582bf1
--- /dev/null
+++ b/changelog/_13613.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+agent/pkiexternalca: Fix token distribution to PKI system and HTTP-01 challenge server shutdown preventing certificate acquisition and retries
+```
\ No newline at end of file
diff --git a/changelog/_13645.txt b/changelog/_13645.txt
new file mode 100644
index 0000000000..7afca4c641
--- /dev/null
+++ b/changelog/_13645.txt
@@ -0,0 +1,9 @@
+```release-note:security
+core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
+```
+```release-note:security
+api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
+```
+```release-note:security
+sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
+```
diff --git a/changelog/_13669.txt b/changelog/_13669.txt
new file mode 100644
index 0000000000..8bde861e8d
--- /dev/null
+++ b/changelog/_13669.txt
@@ -0,0 +1,4 @@
+```release-note:feature
+**SCIM 2.0 Identity Provisioning Beta (Beta/Enterprise)**: Adds beta support for Vault to act as a SCIM 2.0 server,
+allowing external management of Vault entities, aliases and groups.
+```
diff --git a/changelog/_13697.txt b/changelog/_13697.txt
new file mode 100644
index 0000000000..94ded70fb2
--- /dev/null
+++ b/changelog/_13697.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+database: prevent static role rotation and connection init from hanging indefinitely when database calls block by adding timeouts around UpdateUser and Initialize
+```
\ No newline at end of file
diff --git a/changelog/_13738.txt b/changelog/_13738.txt
new file mode 100644
index 0000000000..e81aeb4a1a
--- /dev/null
+++ b/changelog/_13738.txt
@@ -0,0 +1,3 @@
+```release-note:change
+core: Require sudo capability for `sys/mounts/auth/<path>/tune`, matching `sys/auth/<path>/tune`.
+```
diff --git a/changelog/_13741.txt b/changelog/_13741.txt
new file mode 100644
index 0000000000..469a676124
--- /dev/null
+++ b/changelog/_13741.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+plugins/database/hana: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL identifiers before ALTER USER and DROP USER statements.
+plugins/database/redshift: Fixed a SQL injection risk in the default DeleteUser revoke path by safely quoting usernames as SQL string literals when invoking terminateloop(...), preventing statement-structure manipulation.
+```
diff --git a/changelog/_13757.txt b/changelog/_13757.txt
new file mode 100644
index 0000000000..ce698a493b
--- /dev/null
+++ b/changelog/_13757.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Add name field validation to LDAP create and edit roles forms. 
+```
\ No newline at end of file
diff --git a/changelog/_13760.txt b/changelog/_13760.txt
new file mode 100644
index 0000000000..498fde5773
--- /dev/null
+++ b/changelog/_13760.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.
+```
diff --git a/changelog/_13791.txt b/changelog/_13791.txt
new file mode 100644
index 0000000000..99f8620be6
--- /dev/null
+++ b/changelog/_13791.txt
@@ -0,0 +1,6 @@
+```release-note:security
+core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
+```
+```release-note:security
+api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
+```
diff --git a/changelog/_13794.txt b/changelog/_13794.txt
new file mode 100644
index 0000000000..dfd8987864
--- /dev/null
+++ b/changelog/_13794.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix secrets table pagination when switching page sizes. 
+```
\ No newline at end of file
diff --git a/changelog/_13833.txt b/changelog/_13833.txt
new file mode 100644
index 0000000000..bcb23cbcfd
--- /dev/null
+++ b/changelog/_13833.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+scim: The SCIM Group PATCH handler now supports the path field in the form members[value eq "id"] on remove operations.
+```
\ No newline at end of file
diff --git a/changelog/_13864.txt b/changelog/_13864.txt
new file mode 100644
index 0000000000..36655e5185
--- /dev/null
+++ b/changelog/_13864.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core/identity: reject wildcards in rendered identity templates
+```
diff --git a/changelog/_13878.txt b/changelog/_13878.txt
new file mode 100644
index 0000000000..1d24c9bc95
--- /dev/null
+++ b/changelog/_13878.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.
+```
diff --git a/changelog/_13884.txt b/changelog/_13884.txt
new file mode 100644
index 0000000000..e8e5fc3967
--- /dev/null
+++ b/changelog/_13884.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fixed custom messages list to display the expiration time on Inactive message badges.
+```
\ No newline at end of file
diff --git a/changelog/_13895.txt b/changelog/_13895.txt
new file mode 100644
index 0000000000..20a43e7335
--- /dev/null
+++ b/changelog/_13895.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+physical/postgresql: Update `go-pgmultiauth` to v1.1.0 to add Azure Workload Identity support for PostgreSQL storage authentication, with fallback to Managed Identity.
+```
\ No newline at end of file
diff --git a/changelog/_13899.txt b/changelog/_13899.txt
new file mode 100644
index 0000000000..4f3c434614
--- /dev/null
+++ b/changelog/_13899.txt
@@ -0,0 +1,4 @@
+```release-note:improvement
+sdk/helper/keysutil: The lock manager's GetPolicy function now always returns a locked Policy, even when caching is
+enabled. The PolicyRequest struct has a new field to indicate whether the caller requires a write lock on the policy.
+```
\ No newline at end of file
diff --git a/changelog/_13920.txt b/changelog/_13920.txt
new file mode 100644
index 0000000000..182e0eb9bb
--- /dev/null
+++ b/changelog/_13920.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Set pagination size to 10 for custom messages list view and toggle the "Apply filters" button visibility based on filter selection.
+```
\ No newline at end of file
diff --git a/changelog/_13988.txt b/changelog/_13988.txt
new file mode 100644
index 0000000000..717c5cf42a
--- /dev/null
+++ b/changelog/_13988.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+containers: set cap_ipc_lock capability on vault at build time. Container runtimes will need to add `IPC_LOCK` capabilities when running the vault container.
+```
diff --git a/changelog/_14001.txt b/changelog/_14001.txt
new file mode 100644
index 0000000000..58f2a305ae
--- /dev/null
+++ b/changelog/_14001.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**Secrets Sync UI**: Added Workload Identity Federation (WIF) support in the UI for AWS, Azure, and GCP sync destinations
+```
\ No newline at end of file
diff --git a/changelog/_14027.txt b/changelog/_14027.txt
new file mode 100644
index 0000000000..25fcffe6fc
--- /dev/null
+++ b/changelog/_14027.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Validate both `path` and `file_path` cannot be empty for requests to `sys/audit/{path}`
+```
\ No newline at end of file
diff --git a/changelog/_14046.txt b/changelog/_14046.txt
new file mode 100644
index 0000000000..59217b75cc
--- /dev/null
+++ b/changelog/_14046.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+database/snowflake: Fix WAL rollback issue for key-pair root credential rotation.
+```
\ No newline at end of file
diff --git a/changelog/_14050.txt b/changelog/_14050.txt
new file mode 100644
index 0000000000..3ac702bdf2
--- /dev/null
+++ b/changelog/_14050.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity: fixed a rare but possible data race issue with identities. 
+```
\ No newline at end of file
diff --git a/changelog/_14097.txt b/changelog/_14097.txt
new file mode 100644
index 0000000000..836ea2ffbb
--- /dev/null
+++ b/changelog/_14097.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui/dashboard: Reorganized dashboard widgets to improve layout and usability. Updated widgets to use HDS table components for better consistency. Enhanced the Quick Actions card with frequently used links alongside existing actions.
+```
\ No newline at end of file
diff --git a/changelog/_14161.txt b/changelog/_14161.txt
new file mode 100644
index 0000000000..ffa17e59ba
--- /dev/null
+++ b/changelog/_14161.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Update copy on merge entities page to specify entity ID is the required data input when merging entities.
+```
\ No newline at end of file
diff --git a/changelog/_14175.txt b/changelog/_14175.txt
new file mode 100644
index 0000000000..34fdd5fa07
--- /dev/null
+++ b/changelog/_14175.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fixed sidebar navigation animation issues
+```
\ No newline at end of file
diff --git a/changelog/_14197.txt b/changelog/_14197.txt
new file mode 100644
index 0000000000..b437f42dce
--- /dev/null
+++ b/changelog/_14197.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix entities page to show success message after successfully editing an entity.  
+```
diff --git a/changelog/_14226.txt b/changelog/_14226.txt
new file mode 100644
index 0000000000..2f61f12864
--- /dev/null
+++ b/changelog/_14226.txt
@@ -0,0 +1,6 @@
+```release-note:security
+core: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+```
+```release-note:security
+sdk: Update github.com/jackc/pgx/v5 to fix security vulnerability GHSA-j88v-2chj-qfwx.
+```
diff --git a/changelog/_14247.txt b/changelog/_14247.txt
new file mode 100644
index 0000000000..bc7fe38259
--- /dev/null
+++ b/changelog/_14247.txt
@@ -0,0 +1,4 @@
+
+```release-note:improvement
+secrets/pki (enterprise): Allow SCEP to use an issuer that is backed by an RSA based PKCS#11 managed key
+```
diff --git a/changelog/_14249.txt b/changelog/_14249.txt
new file mode 100644
index 0000000000..25a9564cd6
--- /dev/null
+++ b/changelog/_14249.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki (enterprise): Include root CA in chain for CIEPS endpoints when root is the direct issuer, unless `remove_roots_from_chain` is true.
+```
\ No newline at end of file
diff --git a/changelog/_14271.txt b/changelog/_14271.txt
new file mode 100644
index 0000000000..70e4261553
--- /dev/null
+++ b/changelog/_14271.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/seal (enterprise): Make it possible for new nodes to join a cluster configured with Seal High Availability.
+```
diff --git a/changelog/_14299.txt b/changelog/_14299.txt
new file mode 100644
index 0000000000..a5d9fed5ea
--- /dev/null
+++ b/changelog/_14299.txt
@@ -0,0 +1,6 @@
+```release-note:security
+core: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+```
+```release-note:security
+sdk: Update github.com/Azure/go-ntlmssp to fix security vulnerability v0.1.1.
+```
diff --git a/changelog/_14334.txt b/changelog/_14334.txt
new file mode 100644
index 0000000000..c19611afc5
--- /dev/null
+++ b/changelog/_14334.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Add migration_done_at_epoch to sys/seal-status response.
+```
diff --git a/changelog/_14350.txt b/changelog/_14350.txt
new file mode 100644
index 0000000000..75b5e0858a
--- /dev/null
+++ b/changelog/_14350.txt
@@ -0,0 +1,9 @@
+```release-note:improvement
+sdk: Expand support for docker test cluster options like seals, kms libraries, and entropy augmentation. DockerClusterNode.UpdateConfig now takes a full set of cluster options instead of just node config.
+```
+```release-note:improvement
+core (Enterprise): Sanitized config now shows kms_library config.
+```
+```release-note:Bug
+core (Enterprise): Fix parsing of kms_libary and entropy config in JSON format.
+```
diff --git a/changelog/_14414.txt b/changelog/_14414.txt
new file mode 100644
index 0000000000..afbdfa453d
--- /dev/null
+++ b/changelog/_14414.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+auth/aws: fix bug where rotation and wif config updates were not persisted to storage
+```
+```release-note:improvement
+sdk: add WIF and rotation helpers for checking if params were updated to allow
+the consumer to know when changes need to be persisted to storage
+```
diff --git a/changelog/_14430.txt b/changelog/_14430.txt
new file mode 100644
index 0000000000..a69ac0a8b3
--- /dev/null
+++ b/changelog/_14430.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Update KV max_version validation to disallow negative values.
+```
diff --git a/changelog/_14436.txt b/changelog/_14436.txt
new file mode 100644
index 0000000000..14c96c4ea2
--- /dev/null
+++ b/changelog/_14436.txt
@@ -0,0 +1,3 @@
+```release-note:change
+identity: Require `sudo` capability to invoke the identity entity merge API endpoint (`identity/entity/merge`).
+```
diff --git a/changelog/_14445.txt b/changelog/_14445.txt
new file mode 100644
index 0000000000..ef4c67d3ed
--- /dev/null
+++ b/changelog/_14445.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix secrets to secrets-engines redirect for bookmarked URLs.
+```
\ No newline at end of file
diff --git a/changelog/_14463.txt b/changelog/_14463.txt
new file mode 100644
index 0000000000..e19fd38a69
--- /dev/null
+++ b/changelog/_14463.txt
@@ -0,0 +1,3 @@
+```release-note:bugfix
+secrets/transit: added granular autorotation to transit keys, prevents a key missing it's scheduled autorotation by an hour.
+```
\ No newline at end of file
diff --git a/changelog/_14464.txt b/changelog/_14464.txt
new file mode 100644
index 0000000000..24fca367cd
--- /dev/null
+++ b/changelog/_14464.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+go-plugin: Upgrade go-plugin to fix a bug where file descriptors could be leaked when spawning external plugins
+```
diff --git a/changelog/_14467.txt b/changelog/_14467.txt
new file mode 100644
index 0000000000..583a2b3e01
--- /dev/null
+++ b/changelog/_14467.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+consumption-billing: Add billing tracking for OS Local Account static roles to support consumption-based billing metrics and high-water mark (HWM) tracking.
+```
\ No newline at end of file
diff --git a/changelog/_14508.txt b/changelog/_14508.txt
new file mode 100644
index 0000000000..8715010438
--- /dev/null
+++ b/changelog/_14508.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Update DR operation token generation to accept a primary root token for authentication.
+```
\ No newline at end of file
diff --git a/changelog/_14532.txt b/changelog/_14532.txt
new file mode 100644
index 0000000000..7b21ecb339
--- /dev/null
+++ b/changelog/_14532.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Add `start_month` and `end_month` parameters to `/sys/billing/overview` endpoint to allow querying billing data for specific time ranges.
+```
\ No newline at end of file
diff --git a/changelog/_14536.txt b/changelog/_14536.txt
new file mode 100644
index 0000000000..76729af580
--- /dev/null
+++ b/changelog/_14536.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+consumption-billing: Added consumption billing metrics for OIDC tokens.
+```
\ No newline at end of file
diff --git a/changelog/_14572.txt b/changelog/_14572.txt
new file mode 100644
index 0000000000..acc0d3c8ce
--- /dev/null
+++ b/changelog/_14572.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Restore re-sizable columns for secrets and namespaces tables.  
+```
diff --git a/changelog/_14581.txt b/changelog/_14581.txt
new file mode 100644
index 0000000000..f0a5c600ed
--- /dev/null
+++ b/changelog/_14581.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Update github.com/apache/thrift to fix security vulnerability GHSA-wf45-q9ch-q8gh
+```
diff --git a/changelog/_14609.txt b/changelog/_14609.txt
new file mode 100644
index 0000000000..a26dc9f526
--- /dev/null
+++ b/changelog/_14609.txt
@@ -0,0 +1,14 @@
+```release-note:improvement
+consumption-billing: Increased billing data retention from 2 months to 37 months. The `/sys/internal/billing/overview` API endpoint now returns 37 months of historical consumption billing data by default.
+```
+
+```release-note:improvement
+consumption-billing: The `/sys/internal/billing/overview` API endpoint now always returns all metric types in the response, even when their values are zero. This ensures consistent response structure for easier client-side parsing.
+```
+
+```release-note:improvement
+consumption-billing: Added consumption billing metrics for SPIFFE JWT tokens.
+```
+
+```release-note:improvement
+consumption-billing: Added consumption billing metrics for GCP KMS data protection operations.
\ No newline at end of file
diff --git a/changelog/_14645.txt b/changelog/_14645.txt
new file mode 100644
index 0000000000..c437913f6f
--- /dev/null
+++ b/changelog/_14645.txt
@@ -0,0 +1,9 @@
+```release-note:security
+core: Update golang.org/x/net to resolve GO-2026-4918"
+```
+```release-note:security
+sdk: Update golang.org/x/net to resolve GO-2026-4918"
+```
+```release-note:security
+api: Update golang.org/x/net to resolve GO-2026-4918"
+```
diff --git a/changelog/_14648.txt b/changelog/_14648.txt
new file mode 100644
index 0000000000..15f0ce7c05
--- /dev/null
+++ b/changelog/_14648.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+consumption-billing: Float64 values returned by `sys/billing/overview` are now rounded to 4 decimal places.
+```
\ No newline at end of file
diff --git a/changelog/_14685.txt b/changelog/_14685.txt
new file mode 100644
index 0000000000..95fdc0a94e
--- /dev/null
+++ b/changelog/_14685.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+consumption-billing: Added consumption billing metrics for PKI External CA certificates.
+```
\ No newline at end of file
diff --git a/changelog/_14688.txt b/changelog/_14688.txt
new file mode 100644
index 0000000000..0788c7ea17
--- /dev/null
+++ b/changelog/_14688.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: add validations to the ACL visual policy editor to prevent it from saving policies with empty paths or capabilities.
+```
diff --git a/changelog/_14702.txt b/changelog/_14702.txt
new file mode 100644
index 0000000000..85178bf8dc
--- /dev/null
+++ b/changelog/_14702.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/jwt: Update plugin to [v0.26.3](https://github.com/hashicorp/vault-plugin-auth-jwt/releases/tag/v0.26.3)
+```
diff --git a/changelog/_14723.txt b/changelog/_14723.txt
new file mode 100644
index 0000000000..3ebdf36727
--- /dev/null
+++ b/changelog/_14723.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+client/ocsp: Adds a grace period to renew the cached entry for OCSP response.
+```
\ No newline at end of file
diff --git a/changelog/_14731.txt b/changelog/_14731.txt
new file mode 100644
index 0000000000..f00fb68927
--- /dev/null
+++ b/changelog/_14731.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix LDAP hierarchical role navigation in UI
+```
\ No newline at end of file
diff --git a/changelog/_14732.txt b/changelog/_14732.txt
new file mode 100644
index 0000000000..1553550157
--- /dev/null
+++ b/changelog/_14732.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+identity/scim (enterprise): Add support for `attributes` and `excludedAttributes` query parameters on SCIM User and Group endpoints, allowing callers to request a subset or exclusion of attributes in responses per RFC 7644.
+```
diff --git a/changelog/_14737.txt b/changelog/_14737.txt
new file mode 100644
index 0000000000..937032c23a
--- /dev/null
+++ b/changelog/_14737.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Remove invalid value from the supported list of ACME algorithms.
+```
\ No newline at end of file
diff --git a/changelog/_14751.txt b/changelog/_14751.txt
new file mode 100644
index 0000000000..f179697330
--- /dev/null
+++ b/changelog/_14751.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki (enterprise): Fix SCEP nonce logging in audit data.
+```
\ No newline at end of file
diff --git a/changelog/_14777.txt b/changelog/_14777.txt
new file mode 100644
index 0000000000..0f7ba5912b
--- /dev/null
+++ b/changelog/_14777.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Fix PKI certificate issuance not_after time to respect max TTL.
+```
\ No newline at end of file
diff --git a/changelog/_14778.txt b/changelog/_14778.txt
new file mode 100644
index 0000000000..804511a9aa
--- /dev/null
+++ b/changelog/_14778.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix failure to detect errors during storage writes of totp keys.
+```
diff --git a/changelog/_14779.txt b/changelog/_14779.txt
new file mode 100644
index 0000000000..ad722f1959
--- /dev/null
+++ b/changelog/_14779.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+events (enterprise): Fix panic when replicating lease events.
+```
diff --git a/changelog/_14785.txt b/changelog/_14785.txt
new file mode 100644
index 0000000000..3b847da5c0
--- /dev/null
+++ b/changelog/_14785.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+consumption-billing: Add a new `sys/billing/config` endpoint to allow configuration of billing data retention (min 13 months, max 6 years).
+```
\ No newline at end of file
diff --git a/changelog/_14807.txt b/changelog/_14807.txt
new file mode 100644
index 0000000000..80a85a3a38
--- /dev/null
+++ b/changelog/_14807.txt
@@ -0,0 +1,6 @@
+```release-note:security
+core: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+```
+```release-note:security
+sdk: Resolve GHSA-j88v-2chj-qfwx by removing our dependency on github.com/jackc/pgx/v3 and github.com/jackc/pgx/v4
+```
diff --git a/changelog/_14845.txt b/changelog/_14845.txt
new file mode 100644
index 0000000000..76c4d9b8f3
--- /dev/null
+++ b/changelog/_14845.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui/transit: Fix key version dropdown selected state when editing a transit key.
+```
\ No newline at end of file
diff --git a/changelog/_14954.txt b/changelog/_14954.txt
new file mode 100644
index 0000000000..c9bb45bc82
--- /dev/null
+++ b/changelog/_14954.txt
@@ -0,0 +1,3 @@
+```release-note:change
+core/raft: Limited concurrent retry-join workers to 20. Any further retry-join attempts while 20 are in progress will result in an error (`too many concurrent raft retry joins in progress`).
+```
diff --git a/changelog/_14965.txt b/changelog/_14965.txt
new file mode 100644
index 0000000000..9977724780
--- /dev/null
+++ b/changelog/_14965.txt
@@ -0,0 +1,3 @@
+```release-note:security
+core: Use constant-time recovery token comparison
+```
\ No newline at end of file
diff --git a/changelog/_14968.txt b/changelog/_14968.txt
new file mode 100644
index 0000000000..28e6401d49
--- /dev/null
+++ b/changelog/_14968.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+containers: Remove `cap_ipc_lock` capability on `vault` at build time to allow running Vault in common container runtimes. Vault in containers will no longer be able to call `mlock()` to lock memory. Operators should set `disable_mlock = true` in Vault's configuration. Runtime operators are advised to disable swapping to guarantee data safety.
+```
diff --git a/changelog/_14976.txt b/changelog/_14976.txt
new file mode 100644
index 0000000000..091ba0ee0f
--- /dev/null
+++ b/changelog/_14976.txt
@@ -0,0 +1,3 @@
+```release-note:security
+secrets/spiffe (enterprise): Ensure template values are properly escaped.
+```
diff --git a/changelog/_15054.txt b/changelog/_15054.txt
new file mode 100644
index 0000000000..470387d694
--- /dev/null
+++ b/changelog/_15054.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
+```
diff --git a/changelog/_15110.txt b/changelog/_15110.txt
new file mode 100644
index 0000000000..38e5200b4a
--- /dev/null
+++ b/changelog/_15110.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+storage/raft: reject `performance_multiplier` values less than or equal to zero
+```
diff --git a/changelog/_15126.txt b/changelog/_15126.txt
new file mode 100644
index 0000000000..4f4fa19b09
--- /dev/null
+++ b/changelog/_15126.txt
@@ -0,0 +1,3 @@
+```release-note:change
+core: Vault will now redirect non-canonicalized paths (containing `/./`, `/../`, or `//`) to a cleaned path, instead of rejecting these requests
+```
diff --git a/changelog/_15135.txt b/changelog/_15135.txt
new file mode 100644
index 0000000000..00ff6c8318
--- /dev/null
+++ b/changelog/_15135.txt
@@ -0,0 +1,6 @@
+```release-note:feature
+**AI Agent Support (Beta/Enterprise)**: Adds beta support for first-class AI agents. Adds
+an Agent Registry to register agents, and adds support for using Vault as an OAuth resource server
+for registered agent entities. When configured, allows OAuth 2.0 JWTs to be used to directly authorize
+requests to Vault, without needing a Vault token.
+```
diff --git a/changelog/_15164.txt b/changelog/_15164.txt
new file mode 100644
index 0000000000..03e84a7a38
--- /dev/null
+++ b/changelog/_15164.txt
@@ -0,0 +1,3 @@
+```release-note:change
+http: Return 431 status code instead of 400 when token header size validation fails.
+```
diff --git a/changelog/_go-ver-1220.txt b/changelog/_go-ver-1220.txt
index 256caa4bb6..2b5163dc20 100644
--- a/changelog/_go-ver-1220.txt
+++ b/changelog/_go-ver-1220.txt
@@ -1,3 +1,3 @@
 ```release-note:change
-core: Bump Go version to 1.26.0
+core: Bump Go version to 1.26.1
 ```
diff --git a/changelog/_go-ver-200.txt b/changelog/_go-ver-200.txt
new file mode 100644
index 0000000000..86115bea85
--- /dev/null
+++ b/changelog/_go-ver-200.txt
@@ -0,0 +1,3 @@
+```release-note:change
+core: Bump Go version to 1.26.2
+```
diff --git a/changelog/_go-ver-300.txt b/changelog/_go-ver-300.txt
new file mode 100644
index 0000000000..07b02d5ae8
--- /dev/null
+++ b/changelog/_go-ver-300.txt
@@ -0,0 +1,3 @@
+```release-note:change
+core: Bump Go version to 1.26.4
+```
diff --git a/command/agent.go b/command/agent.go
index 86e4f810a1..14c2c39239 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -31,6 +31,7 @@ import (
 	"github.com/hashicorp/vault/api"
 	agentConfig "github.com/hashicorp/vault/command/agent/config"
 	"github.com/hashicorp/vault/command/agent/exec"
+	"github.com/hashicorp/vault/command/agent/pkiexternalca"
 	"github.com/hashicorp/vault/command/agent/template"
 	"github.com/hashicorp/vault/command/agentproxyshared"
 	"github.com/hashicorp/vault/command/agentproxyshared/auth"
@@ -555,9 +556,11 @@ func (c *AgentCommand) Run(args []string) int {
 	var ss *sink.SinkServer
 	var ts *template.Server
 	var es *exec.Server
+	var ps *pkiexternalca.Server
 	if method != nil {
 		enableTemplateTokenCh := len(config.Templates) > 0
 		enableEnvTemplateTokenCh := len(config.EnvTemplates) > 0
+		enablePKIExternalCATokenCh := len(config.PKIExternalCAs) > 0
 
 		// Auth Handler is going to set its own retry values, so we want to
 		// work on a copy of the client to not affect other subsystems.
@@ -589,6 +592,7 @@ func (c *AgentCommand) Run(args []string) int {
 			EnableReauthOnNewCredentials: config.AutoAuth.EnableReauthOnNewCredentials,
 			EnableTemplateTokenCh:        enableTemplateTokenCh,
 			EnableExecTokenCh:            enableEnvTemplateTokenCh,
+			EnablePKIExternalCATokenCh:   enablePKIExternalCATokenCh,
 			Token:                        previousToken,
 			ExitOnError:                  config.AutoAuth.Method.ExitOnError,
 			UserAgent:                    useragent.AgentAutoAuthString(),
@@ -601,13 +605,30 @@ func (c *AgentCommand) Run(args []string) int {
 			ExitAfterAuth: config.ExitAfterAuth,
 		})
 
+		// Create PKI External CA server if any pki_external_ca blocks are configured
+		var pkiProvider template.PKIExternalCAProvider
+		if len(config.PKIExternalCAs) > 0 {
+			ps, err = pkiexternalca.NewServer(&pkiexternalca.ServerConfig{
+				Logger:      c.logger.Named("pkiexternalca.server"),
+				AgentConfig: c.config,
+				LogLevel:    c.logger.GetLevel(),
+				LogWriter:   c.logWriter,
+			})
+			if err != nil {
+				c.logger.Error("could not create pki external ca server", "error", err)
+				return 1
+			}
+			pkiProvider = ps
+		}
+
 		ts = template.NewServer(&template.ServerConfig{
-			Logger:        c.logger.Named("template.server"),
-			LogLevel:      c.logger.GetLevel(),
-			LogWriter:     c.logWriter,
-			AgentConfig:   c.config,
-			Namespace:     templateNamespace,
-			ExitAfterAuth: config.ExitAfterAuth,
+			Logger:              c.logger.Named("template.server"),
+			LogLevel:            c.logger.GetLevel(),
+			LogWriter:           c.logWriter,
+			AgentConfig:         c.config,
+			PKIExternalCAServer: pkiProvider,
+			Namespace:           templateNamespace,
+			ExitAfterAuth:       config.ExitAfterAuth,
 		})
 
 		es, err = exec.NewServer(&exec.ServerConfig{
@@ -843,8 +864,38 @@ func (c *AgentCommand) Run(args []string) int {
 			cancelFunc()
 		})
 
+		// When a PKI external CA server is running, both it and the template server
+		// need every token. The auth handler sends tokens to ah.PKIExternalCATokenCh
+		// when PKI is configured. This fan-out goroutine reads each token once from
+		// ah.PKIExternalCATokenCh and forwards it to separate channels for each consumer.
+		templateTokenCh := ah.TemplateTokenCh
+		var pkiTokenCh chan string
+		if ps != nil {
+			templateTokenCh = make(chan string, 1)
+			pkiTokenCh = make(chan string, 1)
+			go func() {
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case token, ok := <-ah.PKIExternalCATokenCh:
+						if !ok {
+							return
+						}
+						for _, ch := range []chan string{templateTokenCh, pkiTokenCh} {
+							select {
+							case ch <- token:
+							case <-ctx.Done():
+								return
+							}
+						}
+					}
+				}
+			}()
+		}
+
 		g.Add(func() error {
-			return ts.Run(ctx, ah.TemplateTokenCh, config.Templates, ah.AuthInProgress, ah.InvalidToken)
+			return ts.Run(ctx, templateTokenCh, config.Templates, ah.AuthInProgress, ah.InvalidToken)
 		}, func(error) {
 			// Let the lease cache know this is a shutdown; no need to evict
 			// everything
@@ -867,6 +918,21 @@ func (c *AgentCommand) Run(args []string) int {
 			es.Close()
 		})
 
+		// Start PKI External CA server if configured
+		if ps != nil {
+			g.Add(func() error {
+				return ps.Run(ctx, pkiTokenCh, c.client)
+			}, func(err error) {
+				// Let the lease cache know this is a shutdown; no need to evict
+				// everything
+				if leaseCache != nil {
+					leaseCache.SetShuttingDown(true)
+				}
+				cancelFunc()
+				ps.Stop()
+			})
+		}
+
 	}
 
 	// Server configuration output
@@ -1228,7 +1294,7 @@ func (c *AgentCommand) loadConfig(paths []string) (*agentConfig.Config, error) {
 		return nil, errs
 	}
 
-	if err := cfg.ValidateConfig(); err != nil {
+	if err := cfg.ValidateConfig(c.logger); err != nil {
 		return nil, fmt.Errorf("error validating configuration: %w", err)
 	}
 
diff --git a/command/agent/alicloud_end_to_end_test.go b/command/agent/alicloud_end_to_end_test.go
index 6e613c5f9f..af9d45bdb6 100644
--- a/command/agent/alicloud_end_to_end_test.go
+++ b/command/agent/alicloud_end_to_end_test.go
@@ -55,10 +55,7 @@ func TestAliCloudEndToEnd(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
diff --git a/command/agent/approle_end_to_end_test.go b/command/agent/approle_end_to_end_test.go
index 9ced7a47de..9971fc223f 100644
--- a/command/agent/approle_end_to_end_test.go
+++ b/command/agent/approle_end_to_end_test.go
@@ -80,14 +80,7 @@ func testAppRoleEndToEnd(t *testing.T, removeSecretIDFile bool, bindSecretID boo
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
-
-	vault.TestWaitActive(t, cores[0].Core)
-
 	client := cores[0].Client
 
 	err = client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
@@ -418,14 +411,7 @@ func TestAppRoleLongRoleName(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
-
-	vault.TestWaitActive(t, cores[0].Core)
-
 	client := cores[0].Client
 
 	err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
@@ -482,9 +468,6 @@ func testAppRoleWithWrapping(t *testing.T, bindSecretID bool, secretIDLess bool,
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 
 	vault.TestWaitActive(t, cores[0].Core)
diff --git a/command/agent/auto_auth_preload_token_end_to_end_test.go b/command/agent/auto_auth_preload_token_end_to_end_test.go
index bd443bedab..1d45ad75da 100644
--- a/command/agent/auto_auth_preload_token_end_to_end_test.go
+++ b/command/agent/auto_auth_preload_token_end_to_end_test.go
@@ -36,10 +36,7 @@ func TestTokenPreload_UsingAutoAuth(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
diff --git a/command/agent/aws_end_to_end_test.go b/command/agent/aws_end_to_end_test.go
index fec55c41a7..8718f3e73b 100644
--- a/command/agent/aws_end_to_end_test.go
+++ b/command/agent/aws_end_to_end_test.go
@@ -68,10 +68,7 @@ func TestAWSEndToEnd(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
diff --git a/command/agent/cache_end_to_end_test.go b/command/agent/cache_end_to_end_test.go
index 637c0ab4a0..0fe2ad82c6 100644
--- a/command/agent/cache_end_to_end_test.go
+++ b/command/agent/cache_end_to_end_test.go
@@ -56,9 +56,6 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 
 	vault.TestWaitActive(t, cores[0].Core)
diff --git a/command/agent/cert_end_to_end_test.go b/command/agent/cert_end_to_end_test.go
index 9b2139e3ae..80a83bf919 100644
--- a/command/agent/cert_end_to_end_test.go
+++ b/command/agent/cert_end_to_end_test.go
@@ -73,10 +73,7 @@ func testCertEndToEnd(t *testing.T, withCertRoleName, ahWrapping bool) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
@@ -315,10 +312,7 @@ func TestCertEndToEnd_CertsInConfig(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// /////////////
diff --git a/command/agent/cf_end_to_end_test.go b/command/agent/cf_end_to_end_test.go
index bab26755e7..4363672959 100644
--- a/command/agent/cf_end_to_end_test.go
+++ b/command/agent/cf_end_to_end_test.go
@@ -38,9 +38,6 @@ func TestCFEndToEnd(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
diff --git a/command/agent/config/config.go b/command/agent/config/config.go
index 20d11c064b..ce690013fe 100644
--- a/command/agent/config/config.go
+++ b/command/agent/config/config.go
@@ -17,6 +17,7 @@ import (
 
 	ctconfig "github.com/hashicorp/consul-template/config"
 	ctsignals "github.com/hashicorp/consul-template/signals"
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/hcl"
@@ -32,25 +33,45 @@ import (
 
 // Config is the configuration for Vault Agent.
 type Config struct {
+	// SharedConfig carries listener, telemetry, and other shared agent settings.
 	*configutil.SharedConfig `hcl:"-"`
 
-	AutoAuth                    *AutoAuth                  `hcl:"auto_auth"`
-	ExitAfterAuth               bool                       `hcl:"exit_after_auth"`
-	Cache                       *Cache                     `hcl:"cache"`
-	APIProxy                    *APIProxy                  `hcl:"api_proxy"`
-	Vault                       *Vault                     `hcl:"vault"`
-	TemplateConfig              *TemplateConfig            `hcl:"template_config"`
-	Templates                   []*ctconfig.TemplateConfig `hcl:"templates"`
-	DisableIdleConns            []string                   `hcl:"disable_idle_connections"`
-	DisableIdleConnsAPIProxy    bool                       `hcl:"-"`
-	DisableIdleConnsTemplating  bool                       `hcl:"-"`
-	DisableIdleConnsAutoAuth    bool                       `hcl:"-"`
-	DisableKeepAlives           []string                   `hcl:"disable_keep_alives"`
-	DisableKeepAlivesAPIProxy   bool                       `hcl:"-"`
-	DisableKeepAlivesTemplating bool                       `hcl:"-"`
-	DisableKeepAlivesAutoAuth   bool                       `hcl:"-"`
-	Exec                        *ExecConfig                `hcl:"exec,optional"`
-	EnvTemplates                []*ctconfig.TemplateConfig `hcl:"env_template,optional"`
+	// AutoAuth configures the agent auth method and token sinks.
+	AutoAuth *AutoAuth `hcl:"auto_auth"`
+	// ExitAfterAuth exits the agent after the first successful authentication.
+	ExitAfterAuth bool `hcl:"exit_after_auth"`
+	// Cache configures the local caching mode for proxied Vault requests.
+	Cache *Cache `hcl:"cache"`
+	// APIProxy configures the agent's API proxy mode.
+	APIProxy *APIProxy `hcl:"api_proxy"`
+	// Vault configures how the agent connects to upstream Vault servers.
+	Vault *Vault `hcl:"vault"`
+	// TemplateConfig defines defaults shared by all template stanzas.
+	TemplateConfig *TemplateConfig `hcl:"template_config"`
+	// Templates lists file-rendering template stanzas.
+	Templates []*ctconfig.TemplateConfig `hcl:"templates"`
+	// PKIExternalCAs stores parsed pki_external_ca blocks available to templates.
+	PKIExternalCAs []*PKIExternalCA `hcl:"-"`
+	// DisableIdleConns holds the raw disable_idle_connections subsystem names from HCL.
+	DisableIdleConns []string `hcl:"disable_idle_connections"`
+	// DisableIdleConnsAPIProxy is true when idle HTTP connections are disabled for caching or proxying.
+	DisableIdleConnsAPIProxy bool `hcl:"-"`
+	// DisableIdleConnsTemplating is true when idle HTTP connections are disabled for templating.
+	DisableIdleConnsTemplating bool `hcl:"-"`
+	// DisableIdleConnsAutoAuth is true when idle HTTP connections are disabled for auto-auth.
+	DisableIdleConnsAutoAuth bool `hcl:"-"`
+	// DisableKeepAlives holds the raw disable_keep_alives subsystem names from HCL.
+	DisableKeepAlives []string `hcl:"disable_keep_alives"`
+	// DisableKeepAlivesAPIProxy is true when HTTP keep-alives are disabled for caching or proxying.
+	DisableKeepAlivesAPIProxy bool `hcl:"-"`
+	// DisableKeepAlivesTemplating is true when HTTP keep-alives are disabled for templating.
+	DisableKeepAlivesTemplating bool `hcl:"-"`
+	// DisableKeepAlivesAutoAuth is true when HTTP keep-alives are disabled for auto-auth.
+	DisableKeepAlivesAutoAuth bool `hcl:"-"`
+	// Exec defines the child process used with env_template mode.
+	Exec *ExecConfig `hcl:"exec,optional"`
+	// EnvTemplates lists env_template stanzas rendered into the exec environment.
+	EnvTemplates []*ctconfig.TemplateConfig `hcl:"env_template,optional"`
 }
 
 const (
@@ -297,6 +318,14 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.EnvTemplates = append(result.EnvTemplates, envTmpl)
 	}
 
+	for _, pkiExternalCA := range c.PKIExternalCAs {
+		result.PKIExternalCAs = append(result.PKIExternalCAs, pkiExternalCA)
+	}
+
+	for _, pkiExternalCA := range c2.PKIExternalCAs {
+		result.PKIExternalCAs = append(result.PKIExternalCAs, pkiExternalCA)
+	}
+
 	return result
 }
 
@@ -313,7 +342,7 @@ func (c *Config) IsDefaultListerDefined() bool {
 
 // ValidateConfig validates an Agent configuration after it has been fully merged together, to
 // ensure that required combinations of configs are there
-func (c *Config) ValidateConfig() error {
+func (c *Config) ValidateConfig(logger hclog.Logger) error {
 	if c.APIProxy != nil && c.Cache != nil {
 		if c.Cache.UseAutoAuthTokenRaw != nil {
 			if c.APIProxy.UseAutoAuthTokenRaw != nil {
@@ -367,6 +396,10 @@ func (c *Config) ValidateConfig() error {
 		return fmt.Errorf("no auto_auth, cache, or listener block found in config")
 	}
 
+	if err := c.validatePKIExternalCAConfig(logger); err != nil {
+		return err
+	}
+
 	return c.validateEnvTemplateConfig()
 }
 
@@ -686,6 +719,10 @@ func LoadConfigFileCheckDuplicates(path string) (cfg *Config, duplicate bool, er
 		return nil, duplicate, fmt.Errorf("error parsing 'env_template': %w", err)
 	}
 
+	if err := parsePKIExternalCA(result, list); err != nil {
+		return nil, duplicate, fmt.Errorf("error parsing 'pki_external_ca': %w", err)
+	}
+
 	if result.Cache != nil && result.APIProxy == nil && (result.Cache.UseAutoAuthToken || result.Cache.ForceAutoAuthToken) {
 		result.APIProxy = &APIProxy{
 			UseAutoAuthToken:   result.Cache.UseAutoAuthToken,
diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go
index 1372a21859..0c1043d062 100644
--- a/command/agent/config/config_test.go
+++ b/command/agent/config/config_test.go
@@ -11,6 +11,9 @@ import (
 
 	"github.com/go-test/deep"
 	ctconfig "github.com/hashicorp/consul-template/config"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/hcl"
+	"github.com/hashicorp/hcl/hcl/ast"
 	"github.com/hashicorp/vault/command/agentproxyshared"
 	"github.com/hashicorp/vault/internalshared/configutil"
 	"github.com/hashicorp/vault/sdk/helper/pointerutil"
@@ -721,7 +724,7 @@ func TestLoadConfigFile_Bad_AgentCache_InconsisentAutoAuth(t *testing.T) {
 	if config == nil {
 		t.Fatal("config was nil")
 	}
-	err = config.ValidateConfig()
+	err = config.ValidateConfig(hclog.NewNullLogger())
 	if err == nil {
 		t.Fatal("ValidateConfig should return an error when use_auto_auth_token=true and no auto_auth section present")
 	}
@@ -735,7 +738,7 @@ func TestLoadConfigFile_Bad_AgentCache_ForceAutoAuthNoMethod(t *testing.T) {
 	if config == nil {
 		t.Fatal("config was nil")
 	}
-	err = config.ValidateConfig()
+	err = config.ValidateConfig(hclog.NewNullLogger())
 	if err == nil {
 		t.Fatal("ValidateConfig should return an error when use_auto_auth_token=force and no auto_auth section present")
 	}
@@ -763,7 +766,7 @@ func TestLoadConfigFile_Bad_AutoAuth_Nosinks_Nocache_Notemplates(t *testing.T) {
 	if config == nil {
 		t.Fatal("config was nil")
 	}
-	err = config.ValidateConfig()
+	err = config.ValidateConfig(hclog.NewNullLogger())
 	if err == nil {
 		t.Fatal("ValidateConfig should return an error when auto_auth configured and there are no sinks, caches or templates")
 	}
@@ -784,7 +787,7 @@ func TestLoadConfigFile_Bad_AgentCache_AutoAuth_Method_wrapping(t *testing.T) {
 	if config == nil {
 		t.Fatal("config was nil")
 	}
-	err = config.ValidateConfig()
+	err = config.ValidateConfig(hclog.NewNullLogger())
 	if err == nil {
 		t.Fatal("ValidateConfig should return an error when auth_auth.method.wrap_ttl nonzero and cache.use_auto_auth_token=true")
 	}
@@ -798,7 +801,7 @@ func TestLoadConfigFile_Bad_APIProxy_And_Cache_Same_Config(t *testing.T) {
 	if config == nil {
 		t.Fatal("config was nil")
 	}
-	err = config.ValidateConfig()
+	err = config.ValidateConfig(hclog.NewNullLogger())
 	if err == nil {
 		t.Fatal("ValidateConfig should return an error when cache and api_proxy try and configure the same value")
 	}
@@ -2366,7 +2369,7 @@ func TestLoadConfigFile_EnvTemplates_Simple(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := cfg.ValidateConfig(); err != nil {
+	if err := cfg.ValidateConfig(hclog.NewNullLogger()); err != nil {
 		t.Fatalf("validation error: %s", err)
 	}
 
@@ -2389,7 +2392,7 @@ func TestLoadConfigFile_EnvTemplates_Complex(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := cfg.ValidateConfig(); err != nil {
+	if err := cfg.ValidateConfig(hclog.NewNullLogger()); err != nil {
 		t.Fatalf("validation error: %s", err)
 	}
 
@@ -2422,7 +2425,7 @@ func TestLoadConfigFile_EnvTemplates_WithSource(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := cfg.ValidateConfig(); err != nil {
+	if err := cfg.ValidateConfig(hclog.NewNullLogger()); err != nil {
 		t.Fatalf("validation error: %s", err)
 	}
 }
@@ -2450,7 +2453,7 @@ func TestLoadConfigFile_EnvTemplates_ExecSimple(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := cfg.ValidateConfig(); err != nil {
+	if err := cfg.ValidateConfig(hclog.NewNullLogger()); err != nil {
 		t.Fatalf("validation error: %s", err)
 	}
 
@@ -2476,7 +2479,7 @@ func TestLoadConfigFile_EnvTemplates_ExecComplex(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := cfg.ValidateConfig(); err != nil {
+	if err := cfg.ValidateConfig(hclog.NewNullLogger()); err != nil {
 		t.Fatalf("validation error: %s", err)
 	}
 
@@ -2501,7 +2504,7 @@ func TestLoadConfigFile_Bad_EnvTemplates_MissingExec(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := config.ValidateConfig(); err == nil {
+	if err := config.ValidateConfig(hclog.NewNullLogger()); err == nil {
 		t.Fatal("expected an error from ValidateConfig: exec section is missing")
 	}
 }
@@ -2514,7 +2517,7 @@ func TestLoadConfigFile_Bad_EnvTemplates_WithProxy(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := config.ValidateConfig(); err == nil {
+	if err := config.ValidateConfig(hclog.NewNullLogger()); err == nil {
 		t.Fatal("expected an error from ValidateConfig: listener / api_proxy are not compatible with env_template")
 	}
 }
@@ -2527,7 +2530,7 @@ func TestLoadConfigFile_Bad_EnvTemplates_WithFileTemplates(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := config.ValidateConfig(); err == nil {
+	if err := config.ValidateConfig(hclog.NewNullLogger()); err == nil {
 		t.Fatal("expected an error from ValidateConfig: file template stanza is not compatible with env_template")
 	}
 }
@@ -2540,7 +2543,19 @@ func TestLoadConfigFile_Bad_EnvTemplates_DisalowedFields(t *testing.T) {
 		t.Fatalf("error loading config file: %s", err)
 	}
 
-	if err := config.ValidateConfig(); err == nil {
+	if err := config.ValidateConfig(hclog.NewNullLogger()); err == nil {
 		t.Fatal("expected an error from ValidateConfig: disallowed fields specified in env_template")
 	}
 }
+
+func parseHCLObjectListForPKITemplateRef(t *testing.T, src string) *ast.ObjectList {
+	t.Helper()
+
+	file, err := hcl.Parse(src)
+	require.NoError(t, err)
+
+	list, ok := file.Node.(*ast.ObjectList)
+	require.True(t, ok)
+
+	return list
+}
diff --git a/command/agent/config/pki_external_config_ce.go b/command/agent/config/pki_external_config_ce.go
new file mode 100644
index 0000000000..43145e84d9
--- /dev/null
+++ b/command/agent/config/pki_external_config_ce.go
@@ -0,0 +1,24 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package config
+
+import (
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/hcl/hcl/ast"
+)
+
+// PKIExternalCA is a CE stub; pki_external_ca is an enterprise-only feature.
+type PKIExternalCA struct{}
+
+// validatePKIExternalCAConfig is a no-op in CE builds.
+func (c *Config) validatePKIExternalCAConfig(_ hclog.Logger) error {
+	return nil
+}
+
+// parsePKIExternalCA is a no-op in CE builds.
+func parsePKIExternalCA(_ *Config, _ *ast.ObjectList) error {
+	return nil
+}
diff --git a/command/agent/jwt_end_to_end_test.go b/command/agent/jwt_end_to_end_test.go
index 6589ebbe48..4fa9439405 100644
--- a/command/agent/jwt_end_to_end_test.go
+++ b/command/agent/jwt_end_to_end_test.go
@@ -62,10 +62,7 @@ func testJWTEndToEnd(t *testing.T, ahWrapping, useSymlink, removeJWTAfterReading
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
@@ -273,7 +270,9 @@ func testJWTEndToEnd(t *testing.T, ahWrapping, useSymlink, removeJWTAfterReading
 	}
 
 	checkToken := func() string {
-		timeout := time.Now().Add(5 * time.Second)
+		// CI can be slower to materialize and write the token after JWT ingestion;
+		// this timeout is intentionally higher to reduce timing-only flakes.
+		timeout := time.Now().Add(12 * time.Second)
 		for {
 			if time.Now().After(timeout) {
 				t.Fatal("did not find a written token after timeout")
diff --git a/command/agent/oci_end_to_end_test.go b/command/agent/oci_end_to_end_test.go
index 82e12e7cb1..ee02125011 100644
--- a/command/agent/oci_end_to_end_test.go
+++ b/command/agent/oci_end_to_end_test.go
@@ -66,10 +66,7 @@ func TestOCIEndToEnd(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
diff --git a/command/agent/pkiexternalca/server.go b/command/agent/pkiexternalca/server.go
new file mode 100644
index 0000000000..828b98027a
--- /dev/null
+++ b/command/agent/pkiexternalca/server.go
@@ -0,0 +1,19 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package pkiexternalca
+
+import (
+	"io"
+
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/agent/config"
+)
+
+// ServerConfig holds configuration for the PKI External CA server.
+type ServerConfig struct {
+	Logger      hclog.Logger
+	AgentConfig *config.Config
+	LogLevel    hclog.Level
+	LogWriter   io.Writer
+}
diff --git a/command/agent/pkiexternalca/server_ce.go b/command/agent/pkiexternalca/server_ce.go
new file mode 100644
index 0000000000..4a9e426c9c
--- /dev/null
+++ b/command/agent/pkiexternalca/server_ce.go
@@ -0,0 +1,52 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package pkiexternalca
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/vault/api"
+	"go.uber.org/atomic"
+)
+
+// Server is a CE stub; PKI external CA is an enterprise-only feature.
+type Server struct {
+	DoneCh  chan struct{}
+	stopped *atomic.Bool
+}
+
+// NewServer returns a stub server for CE builds.
+func NewServer(cfg *ServerConfig) (*Server, error) {
+	if cfg == nil {
+		return nil, fmt.Errorf("server config cannot be nil")
+	}
+	return &Server{
+		DoneCh:  make(chan struct{}),
+		stopped: atomic.NewBool(false),
+	}, nil
+}
+
+// Run waits for context cancellation; PKI external CA is never active in CE builds.
+func (s *Server) Run(ctx context.Context, _ chan string, _ *api.Client) error {
+	<-ctx.Done()
+	return nil
+}
+
+// Stop closes DoneCh idempotently.
+func (s *Server) Stop() {
+	if s.stopped.CAS(false, true) {
+		close(s.DoneCh)
+	}
+}
+
+// CertIssuedCh returns nil in CE builds.
+func (s *Server) CertIssuedCh() <-chan struct{} { return nil }
+
+// TemplatePEMByName returns an error in CE builds.
+func (s *Server) TemplatePEMByName(_ string) (any, error) {
+	return nil, fmt.Errorf("pki_external_ca is not supported in this build")
+}
diff --git a/command/agent/template/template.go b/command/agent/template/template.go
index f31891c5f6..36ba582451 100644
--- a/command/agent/template/template.go
+++ b/command/agent/template/template.go
@@ -16,6 +16,7 @@ import (
 	"math"
 	"strings"
 	sync "sync/atomic"
+	"text/template"
 	"time"
 
 	ctconfig "github.com/hashicorp/consul-template/config"
@@ -38,6 +39,8 @@ type ServerConfig struct {
 	Logger hclog.Logger
 	// Client        *api.Client
 	AgentConfig *config.Config
+	// PKIExternalCAServer provides access to named external CA material for templates.
+	PKIExternalCAServer PKIExternalCAProvider
 
 	ExitAfterAuth bool
 	Namespace     string
@@ -52,6 +55,12 @@ type ServerConfig struct {
 	LogWriter io.Writer
 }
 
+// PKIExternalCAProvider returns template-ready data for named external CA entries.
+type PKIExternalCAProvider interface {
+	TemplatePEMByName(name string) (any, error)
+	CertIssuedCh() <-chan struct{}
+}
+
 // Server manages the Consul Template Runner which renders templates
 type Server struct {
 	// config holds the ServerConfig used to create it. It's passed along in other
@@ -113,6 +122,15 @@ func (ts *Server) Run(ctx context.Context, incoming chan string, templates []*ct
 		return nil
 	}
 
+	ts.applyPKIExternalCAFuncs(templates)
+
+	// certIssuedCh fires whenever a PKI external CA issues or renews a cert,
+	// signalling that templates should be re-rendered.
+	var certIssuedCh <-chan struct{}
+	if ts.config.PKIExternalCAServer != nil {
+		certIssuedCh = ts.config.PKIExternalCAServer.CertIssuedCh()
+	}
+
 	// construct a consul template vault config based the agents vault
 	// configuration
 	var runnerConfig *ctconfig.Config
@@ -192,6 +210,22 @@ func (ts *Server) Run(ctx context.Context, incoming chan string, templates []*ct
 				go ts.runner.Start()
 			}
 
+		case <-certIssuedCh:
+			// A PKI external CA issued or renewed a certificate; restart the runner
+			// so templates that use pkiCertExternalCa pick up the new material.
+			if !ts.runnerStarted.Load() {
+				continue
+			}
+			ts.logger.Info("template server restarting runner: PKI external CA certificate updated")
+			ts.runner.Stop()
+			var runnerCertErr error
+			ts.runner, runnerCertErr = manager.NewRunner(runnerConfig, false)
+			if runnerCertErr != nil {
+				ts.logger.Error("template server failed to restart runner after cert issuance", "error", runnerCertErr)
+				continue
+			}
+			go ts.runner.Start()
+
 		case err := <-ts.runner.ErrCh:
 			ts.logger.Error("template server error", "error", err.Error())
 			ts.runner.StopImmediately()
@@ -268,6 +302,48 @@ func (ts *Server) Run(ctx context.Context, incoming chan string, templates []*ct
 	}
 }
 
+// applyPKIExternalCAFuncs injects the pkiCertExternalCa template function into
+// each template's ExtFuncMap. The CA name must always be passed explicitly as an
+// argument: {{ pkiCertExternalCa "ca-name" }}.
+func (ts *Server) applyPKIExternalCAFuncs(templates []*ctconfig.TemplateConfig) {
+	if ts.config == nil || ts.config.PKIExternalCAServer == nil {
+		return
+	}
+
+	for _, tmpl := range templates {
+		if tmpl.ExtFuncMap == nil {
+			tmpl.ExtFuncMap = make(template.FuncMap)
+		}
+		tmpl.ExtFuncMap["pkiCertExternalCa"] = pkiCertExternalCaFunc(ts.config.PKIExternalCAServer)
+	}
+}
+
+func pkiCertExternalCaFunc(server PKIExternalCAProvider) func(...string) (interface{}, error) {
+	return func(args ...string) (interface{}, error) {
+		if server == nil {
+			return nil, fmt.Errorf("pki external ca server is not configured")
+		}
+		if len(args) != 1 {
+			return nil, fmt.Errorf("pkiCertExternalCa requires exactly one argument: the pki_external_ca name")
+		}
+
+		name := strings.TrimSpace(args[0])
+		if name == "" {
+			return nil, fmt.Errorf("pkiCertExternalCa requires a non-empty pki_external_ca name")
+		}
+
+		pem, err := server.TemplatePEMByName(name)
+		if err != nil {
+			return nil, err
+		}
+		if pem == nil {
+			// Certificate not yet available; return nil so {{ with }} skips the block.
+			return nil, nil
+		}
+		return pem, nil
+	}
+}
+
 func (ts *Server) Stop() {
 	if ts.stopped.CAS(false, true) {
 		close(ts.DoneCh)
diff --git a/command/agent/token_file_end_to_end_test.go b/command/agent/token_file_end_to_end_test.go
index 424dd3a3ba..7c32e82187 100644
--- a/command/agent/token_file_end_to_end_test.go
+++ b/command/agent/token_file_end_to_end_test.go
@@ -26,9 +26,6 @@ func TestTokenFileEndToEnd(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 
 	vault.TestWaitActive(t, cores[0].Core)
diff --git a/command/agent_test.go b/command/agent_test.go
index ad4185e5d3..544ebe38d3 100644
--- a/command/agent_test.go
+++ b/command/agent_test.go
@@ -119,10 +119,7 @@ func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
@@ -308,9 +305,7 @@ func TestAgent_RequireRequestHeader(t *testing.T) {
 		&vault.TestClusterOptions{
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
+
 	serverClient := cluster.Cores[0].Client
 
 	// Enable the approle auth method
@@ -620,10 +615,7 @@ func TestAgent_Template_UserAgent(t *testing.T) {
 					return &h
 				}),
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Unset the environment variable so that agent picks up the right test
@@ -790,10 +782,7 @@ func TestAgent_Template_Basic(t *testing.T) {
 		&vault.TestClusterOptions{
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Unset the environment variable so that agent picks up the right test
@@ -933,7 +922,13 @@ auto_auth {
 				// the temp dir before Agent has had time to render and will
 				// likely fail the test
 				tick := time.Tick(1 * time.Second)
-				timeout := time.After(10 * time.Second)
+				timeoutDuration := 10 * time.Second
+				// exit_after_auth can terminate close to template completion under CI load;
+				// allow a wider wait window to reduce timing flake without changing behavior.
+				if tc.exitAfterAuth {
+					timeoutDuration = 20 * time.Second
+				}
+				timeout := time.After(timeoutDuration)
 				var err error
 				for {
 					select {
@@ -1091,10 +1086,7 @@ func TestAgent_Template_VaultClientFromEnv(t *testing.T) {
 		&vault.TestClusterOptions{
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	roleIDPath, secretIDPath := setupAppRoleAndKVMounts(t, serverClient)
@@ -1268,10 +1260,7 @@ func TestAgent_Template_ExitCounter(t *testing.T) {
 		&vault.TestClusterOptions{
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Unset the environment variable so that agent picks up the right test
@@ -1566,10 +1555,7 @@ func TestAgent_Template_Retry(t *testing.T) {
 					return &h
 				}),
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Unset the environment variable so that agent picks up the right test
@@ -1846,8 +1832,6 @@ func TestAgent_AutoAuth_UserAgent(t *testing.T) {
 				return &h
 			}),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -1962,8 +1946,6 @@ func TestAgent_APIProxyWithoutCache_UserAgent(t *testing.T) {
 				return &h
 			}),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -2048,8 +2030,6 @@ func TestAgent_APIProxyWithCache_UserAgent(t *testing.T) {
 				return &h
 			}),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -2123,8 +2103,6 @@ func TestAgent_Cache_DynamicSecret(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -2245,10 +2223,7 @@ func TestAgent_ApiProxy_Retry(t *testing.T) {
 				return &h
 			}),
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Unset the environment variable so that agent picks up the right test
@@ -2391,10 +2366,7 @@ func TestAgent_TemplateConfig_ExitOnRetryFailure(t *testing.T) {
 			NumCores:    1,
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Unset the environment variable so that agent picks up the right test
@@ -2684,9 +2656,7 @@ func TestAgent_Metrics(t *testing.T) {
 		&vault.TestClusterOptions{
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
+
 	serverClient := cluster.Cores[0].Client
 
 	// Create a config file
@@ -3158,8 +3128,6 @@ func TestAgent_NonTLSListener_SIGHUP(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -3232,8 +3200,6 @@ func TestAgent_TokenRenewal(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -3473,10 +3439,7 @@ func TestAgent_DeleteAfterVersion_Rendering(t *testing.T) {
 			NumCores:    1,
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Set up KVv2
diff --git a/command/agentproxyshared/auth/auth.go b/command/agentproxyshared/auth/auth.go
index 533c8950b3..cbfe4047af 100644
--- a/command/agentproxyshared/auth/auth.go
+++ b/command/agentproxyshared/auth/auth.go
@@ -50,10 +50,21 @@ type AuthConfig struct {
 
 // AuthHandler is responsible for keeping a token alive and renewed and passing
 // new tokens to the sink server
+//
+// Each subsystem that needs a Vault token gets its own dedicated channel so that
+// a slow or idle consumer cannot starve another. The enable flags gate delivery:
+// a channel is only written to when the corresponding subsystem is configured,
+// preventing unnecessary blocking sends to unused channels.
 type AuthHandler struct {
-	OutputCh                     chan string
-	TemplateTokenCh              chan string
-	ExecTokenCh                  chan string
+	// OutputCh delivers every new token to sink writers (e.g. file sinks).
+	OutputCh chan string
+	// TemplateTokenCh delivers tokens to the consul-template rendering server.
+	TemplateTokenCh chan string
+	// ExecTokenCh delivers tokens to the exec/env-template server.
+	ExecTokenCh chan string
+	// PKIExternalCATokenCh delivers tokens to the PKI external CA server.
+	// Kept separate from TemplateTokenCh so that only one consumer receives each token.
+	PKIExternalCATokenCh         chan string
 	AuthInProgress               *atomic.Bool
 	InvalidToken                 chan error
 	token                        string
@@ -66,9 +77,12 @@ type AuthHandler struct {
 	maxBackoff                   time.Duration
 	minBackoff                   time.Duration
 	enableReauthOnNewCredentials bool
-	enableTemplateTokenCh        bool
-	enableExecTokenCh            bool
-	exitOnError                  bool
+	// enable* flags mirror whether the corresponding subsystem is configured.
+	// Only true channels receive token sends, preventing stalls on un-configured subsystems.
+	enableTemplateTokenCh      bool
+	enableExecTokenCh          bool
+	enablePKIExternalCATokenCh bool
+	exitOnError                bool
 }
 
 type AuthHandlerConfig struct {
@@ -87,6 +101,7 @@ type AuthHandlerConfig struct {
 	EnableReauthOnNewCredentials bool
 	EnableTemplateTokenCh        bool
 	EnableExecTokenCh            bool
+	EnablePKIExternalCATokenCh   bool
 	ExitOnError                  bool
 }
 
@@ -97,6 +112,7 @@ func NewAuthHandler(conf *AuthHandlerConfig) *AuthHandler {
 		OutputCh:                     make(chan string, 1),
 		TemplateTokenCh:              make(chan string, 1),
 		ExecTokenCh:                  make(chan string, 1),
+		PKIExternalCATokenCh:         make(chan string, 1),
 		InvalidToken:                 make(chan error, 1),
 		AuthInProgress:               &atomic.Bool{},
 		token:                        conf.Token,
@@ -109,6 +125,7 @@ func NewAuthHandler(conf *AuthHandlerConfig) *AuthHandler {
 		enableReauthOnNewCredentials: conf.EnableReauthOnNewCredentials,
 		enableTemplateTokenCh:        conf.EnableTemplateTokenCh,
 		enableExecTokenCh:            conf.EnableExecTokenCh,
+		enablePKIExternalCATokenCh:   conf.EnablePKIExternalCATokenCh,
 		exitOnError:                  conf.ExitOnError,
 		userAgent:                    conf.UserAgent,
 		metricsSignifier:             conf.MetricsSignifier,
@@ -168,9 +185,13 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 
 	defer func() {
 		am.Shutdown()
+		// Closing the token channels signals downstream consumers (template server,
+		// exec server, PKI server) that no further tokens will arrive and they should
+		// stop waiting.
 		close(ah.OutputCh)
 		close(ah.TemplateTokenCh)
 		close(ah.ExecTokenCh)
+		close(ah.PKIExternalCATokenCh)
 		ah.logger.Info("auth handler stopped")
 		// Set unauthenticated when shutting down
 		metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
@@ -422,6 +443,9 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if ah.enableExecTokenCh {
 				ah.ExecTokenCh <- string(wrappedResp)
 			}
+			if ah.enablePKIExternalCATokenCh {
+				ah.PKIExternalCATokenCh <- string(wrappedResp)
+			}
 
 			am.CredSuccess()
 			backoffCfg.backoff.Reset()
@@ -485,6 +509,9 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if ah.enableExecTokenCh {
 					ah.ExecTokenCh <- token
 				}
+				if ah.enablePKIExternalCATokenCh {
+					ah.PKIExternalCATokenCh <- token
+				}
 
 				tokenType := secret.Data["type"].(string)
 				if tokenType == "batch" {
@@ -523,6 +550,9 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if ah.enableExecTokenCh {
 					ah.ExecTokenCh <- secret.Auth.ClientToken
 				}
+				if ah.enablePKIExternalCATokenCh {
+					ah.PKIExternalCATokenCh <- secret.Auth.ClientToken
+				}
 			}
 
 			am.CredSuccess()
diff --git a/command/agentproxyshared/auth/auth_test.go b/command/agentproxyshared/auth/auth_test.go
index 0c08d2c511..3b7349171e 100644
--- a/command/agentproxyshared/auth/auth_test.go
+++ b/command/agentproxyshared/auth/auth_test.go
@@ -73,10 +73,7 @@ func TestAuthHandler(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
diff --git a/command/agentproxyshared/cache/api_proxy_test.go b/command/agentproxyshared/cache/api_proxy_test.go
index 1145075183..c7206e0399 100644
--- a/command/agentproxyshared/cache/api_proxy_test.go
+++ b/command/agentproxyshared/cache/api_proxy_test.go
@@ -201,11 +201,7 @@ func setupClusterAndAgentCommon(ctx context.Context, t *testing.T, coreConfig *v
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
-
 	activeClient := cores[0].Client
 	standbyClient := cores[1].Client
 
@@ -322,8 +318,6 @@ func setupClusterAndAgentCommon(ctx context.Context, t *testing.T, coreConfig *v
 	cleanup := func() {
 		// We wait for a tiny bit for things such as agent renewal to exit properly
 		time.Sleep(50 * time.Millisecond)
-
-		cluster.Cleanup()
 		os.Setenv(api.EnvVaultAddress, origEnvVaultAddress)
 		os.Setenv(api.EnvVaultCACert, origEnvVaultCACert)
 		listener.Close()
diff --git a/command/agentproxyshared/cache/cache_test.go b/command/agentproxyshared/cache/cache_test.go
index 25318a923e..d37c30a40d 100644
--- a/command/agentproxyshared/cache/cache_test.go
+++ b/command/agentproxyshared/cache/cache_test.go
@@ -62,8 +62,6 @@ func TestCache_AutoAuthTokenStripping(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
@@ -151,12 +149,7 @@ func TestCache_AutoAuthClientTokenProxyStripping(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
-	client := cores[0].Client
+	client := cluster.Cores[0].Client
 
 	cacheLogger := logging.NewVaultLogger(hclog.Trace).Named("cache")
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
diff --git a/command/agentproxyshared/cache/handler.go b/command/agentproxyshared/cache/handler.go
index 0e9f1576e8..282e1b60d6 100644
--- a/command/agentproxyshared/cache/handler.go
+++ b/command/agentproxyshared/cache/handler.go
@@ -7,6 +7,7 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -71,7 +72,7 @@ func ProxyHandler(ctx context.Context, logger hclog.Logger, proxier Proxier, inm
 				metrics.IncrCounter([]string{"agent", "proxy", "client_error"}, 1)
 				// Re-trigger auto auth if the token is the same as the auto auth token
 				if resp.Response.StatusCode == 403 && strings.Contains(responseErrMessage.Error(), logical.ErrInvalidToken.Error()) &&
-					autoAuthToken == token && !authInProgress.Load() {
+					subtle.ConstantTimeCompare([]byte(autoAuthToken), []byte(token)) == 1 && !authInProgress.Load() {
 					// Drain the error channel first
 					logger.Info("proxy received an invalid token error")
 					select {
diff --git a/command/approle_concurrency_integ_test.go b/command/approle_concurrency_integ_test.go
index cd993f26ff..a658b19868 100644
--- a/command/approle_concurrency_integ_test.go
+++ b/command/approle_concurrency_integ_test.go
@@ -27,14 +27,7 @@ func TestAppRole_Integ_ConcurrentLogins(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
-
-	vault.TestWaitActive(t, cores[0].Core)
-
 	client := cores[0].Client
 
 	err = client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
diff --git a/command/base_predict_test.go b/command/base_predict_test.go
index 8da9e3e1ca..27795ddfb5 100644
--- a/command/base_predict_test.go
+++ b/command/base_predict_test.go
@@ -383,6 +383,7 @@ func TestPredict_Plugins(t *testing.T) {
 				"openldap",
 				"pcf", // Deprecated.
 				"pki",
+				"pki-external-ca",
 				"postgresql-database-plugin",
 				"rabbitmq",
 				"radius",
@@ -414,51 +415,13 @@ func TestPredict_Plugins(t *testing.T) {
 
 				act := p.plugins()
 
-				if !strutil.StrListContains(act, "keymgmt") {
-					for i, v := range tc.exp {
-						if v == "keymgmt" {
-							tc.exp = append(tc.exp[:i], tc.exp[i+1:]...)
-							break
-						}
-					}
-				}
-				if !strutil.StrListContains(act, "kmip") {
-					for i, v := range tc.exp {
-						if v == "kmip" {
-							tc.exp = append(tc.exp[:i], tc.exp[i+1:]...)
-							break
-						}
-					}
-				}
-				if !strutil.StrListContains(act, "transform") {
-					for i, v := range tc.exp {
-						if v == "transform" {
-							tc.exp = append(tc.exp[:i], tc.exp[i+1:]...)
-							break
-						}
-					}
-				}
-				if !strutil.StrListContains(act, "saml") {
-					for i, v := range tc.exp {
-						if v == "saml" {
-							tc.exp = append(tc.exp[:i], tc.exp[i+1:]...)
-							break
-						}
-					}
-				}
-				if !strutil.StrListContains(act, "scep") {
-					for i, v := range tc.exp {
-						if v == "scep" {
-							tc.exp = append(tc.exp[:i], tc.exp[i+1:]...)
-							break
-						}
-					}
-				}
-				if !strutil.StrListContains(act, "spiffe") {
-					for i, v := range tc.exp {
-						if v == "spiffe" {
-							tc.exp = append(tc.exp[:i], tc.exp[i+1:]...)
-							break
+				for _, pluginName := range []string{"keymgmt", "kmip", "transform", "saml", "scep", "spiffe", "pki-external-ca"} {
+					if !strutil.StrListContains(act, pluginName) {
+						for i, v := range tc.exp {
+							if v == pluginName {
+								tc.exp = append(tc.exp[:i], tc.exp[i+1:]...)
+								break
+							}
 						}
 					}
 				}
@@ -492,7 +455,7 @@ func TestPredict_Policies(t *testing.T) {
 		{
 			"good_path",
 			client,
-			[]string{"default", "root"},
+			[]string{"default", "default-ceiling", "root"},
 		},
 	}
 
diff --git a/command/command_test.go b/command/command_test.go
index 7a4be03fda..b4e4af2ba8 100644
--- a/command/command_test.go
+++ b/command/command_test.go
@@ -209,7 +209,6 @@ func testVaultServerCoreConfigWithOpts(tb testing.TB, coreConfig *vault.CoreConf
 	tb.Helper()
 
 	cluster := vault.NewTestCluster(tb, coreConfig, opts)
-	cluster.Start()
 
 	// Make it easy to get access to the active
 	core := cluster.Cores[0].Core
@@ -226,7 +225,7 @@ func testVaultServerCoreConfigWithOpts(tb testing.TB, coreConfig *vault.CoreConf
 		keys = cluster.BarrierKeys
 	}
 
-	return client, encodeKeys(keys), cluster.Cleanup
+	return client, encodeKeys(keys), func() {}
 }
 
 // Convert the unseal keys to base64 encoded, since these are how the user
diff --git a/command/command_testonly/operator_usage_testonly_oss_test.go b/command/command_testonly/operator_usage_testonly_oss_test.go
index 44919f619a..ce3dd86aa9 100644
--- a/command/command_testonly/operator_usage_testonly_oss_test.go
+++ b/command/command_testonly/operator_usage_testonly_oss_test.go
@@ -43,10 +43,6 @@ func TestOperatorUsageCommandRun(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		NumCores:    1,
 	})
-	defer cluster.Cleanup()
-	core := cluster.Cores[0].Core
-	vault.TestWaitActive(t, core)
-
 	client := cluster.Cores[0].Client
 	_, err := client.Logical().Write("sys/internal/counters/config", map[string]interface{}{"enabled": "enable"})
 	require.NoError(t, err)
diff --git a/command/policy_delete.go b/command/policy_delete.go
index d3e241adc1..b7cb70c3ec 100644
--- a/command/policy_delete.go
+++ b/command/policy_delete.go
@@ -35,8 +35,8 @@ Usage: vault policy delete [options] NAME
 
       $ vault policy delete my-policy
 
-  Note that it is not possible to delete the "default" or "root" policies.
-  These are built-in policies.
+  Note that it is not possible to delete the "default", "default-ceiling",
+  or "root" policies. These are built-in policies.
 
 ` + c.Flags().Help()
 
diff --git a/command/policy_delete_test.go b/command/policy_delete_test.go
index 06068110b2..076e22a3ae 100644
--- a/command/policy_delete_test.go
+++ b/command/policy_delete_test.go
@@ -105,7 +105,7 @@ func TestPolicyDeleteCommand_Run(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		list := []string{"default", "root"}
+		list := []string{"default", "default-ceiling", "root"}
 		if !reflect.DeepEqual(policies, list) {
 			t.Errorf("expected %q to be %q", policies, list)
 		}
diff --git a/command/policy_list_test.go b/command/policy_list_test.go
index aec04c1b10..8a39cd7de6 100644
--- a/command/policy_list_test.go
+++ b/command/policy_list_test.go
@@ -80,7 +80,7 @@ func TestPolicyListCommand_Run(t *testing.T) {
 			t.Errorf("expected %d to be %d", code, exp)
 		}
 
-		expected := "default\nroot"
+		expected := "default\ndefault-ceiling\nroot"
 		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 		if !strings.Contains(combined, expected) {
 			t.Errorf("expected %q to contain %q", combined, expected)
diff --git a/command/policy_write_test.go b/command/policy_write_test.go
index 4a67f229a3..76b8997517 100644
--- a/command/policy_write_test.go
+++ b/command/policy_write_test.go
@@ -131,7 +131,7 @@ func TestPolicyWriteCommand_Run(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		list := []string{"default", "my-policy", "root"}
+		list := []string{"default", "default-ceiling", "my-policy", "root"}
 		if !reflect.DeepEqual(policies, list) {
 			t.Errorf("expected %q to be %q", policies, list)
 		}
@@ -172,7 +172,7 @@ func TestPolicyWriteCommand_Run(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		list := []string{"default", "my-policy", "root"}
+		list := []string{"default", "default-ceiling", "my-policy", "root"}
 		if !reflect.DeepEqual(policies, list) {
 			t.Errorf("expected %q to be %q", policies, list)
 		}
diff --git a/command/proxy_test.go b/command/proxy_test.go
index 3de79bbfef..1469396f84 100644
--- a/command/proxy_test.go
+++ b/command/proxy_test.go
@@ -74,10 +74,7 @@ func testProxyExitAfterAuth(t *testing.T, viaFlag bool) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 
 	// Setup Vault
@@ -237,8 +234,6 @@ func TestProxy_NoTriggerAutoAuth_BadPolicy(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		Logger:      vaultLogger,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -550,8 +545,6 @@ func TestProxy_ReTriggerAutoAuth_ForceAutoAuthToken(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		Logger:      vaultLogger,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -709,8 +702,6 @@ func TestProxy_ReTriggerAutoAuth_ProxyIsAutoAuthToken(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		Logger:      vaultLogger,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -899,8 +890,6 @@ func TestProxy_ReTriggerAutoAuth_RevokedToken(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		Logger:      vaultLogger,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -1093,8 +1082,6 @@ func TestProxy_AutoAuth_UserAgent(t *testing.T) {
 				return &h
 			}),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -1240,8 +1227,6 @@ func TestProxy_APIProxyWithoutCache_UserAgent(t *testing.T) {
 				return &h
 			}),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -1326,8 +1311,6 @@ func TestProxy_APIProxyWithCache_UserAgent(t *testing.T) {
 				return &h
 			}),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -1403,8 +1386,6 @@ func TestProxy_Cache_DynamicSecret(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -1509,8 +1490,6 @@ func TestProxy_NoAutoAuthTokenIfNotConfigured(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	serverClient := cluster.Cores[0].Client
 
@@ -1636,10 +1615,7 @@ func TestProxy_ApiProxy_Retry(t *testing.T) {
 				return &h
 			}),
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	serverClient := cluster.Cores[0].Client
 
 	// Unset the environment variable so that proxy picks up the right test
@@ -1772,9 +1748,7 @@ func TestProxy_Metrics(t *testing.T) {
 		&vault.TestClusterOptions{
 			HandlerFunc: vaulthttp.Handler,
 		})
-	cluster.Start()
-	defer cluster.Cleanup()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
+
 	serverClient := cluster.Cores[0].Client
 
 	// Create a config file
diff --git a/command/server.go b/command/server.go
index 3a6445ad82..fe3281768e 100644
--- a/command/server.go
+++ b/command/server.go
@@ -128,6 +128,7 @@ type ServerCommand struct {
 	flagDevNoStoreToken    bool
 	flagDevPluginDir       string
 	flagDevPluginInit      bool
+	flagDevPluginPGPKey    string
 	flagDevHA              bool
 	flagDevLatency         int
 	flagDevLatencyJitter   int
@@ -317,6 +318,13 @@ func (c *ServerCommand) Flags() *FlagSets {
 		Hidden:  true,
 	})
 
+	f.StringVar(&StringVar{
+		Name:    "dev-plugin-pgp-key",
+		Target:  &c.flagDevPluginPGPKey,
+		Default: "",
+		Hidden:  true,
+	})
+
 	f.BoolVar(&BoolVar{
 		Name:    "dev-ha",
 		Target:  &c.flagDevHA,
@@ -552,7 +560,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 		return 1
 	}
 
-	hasPartialPaths, err := hasPartiallyWrappedPaths(ctx, backend)
+	hasPartialPaths, err := vault.HasPartiallyWrappedPaths(ctx, backend)
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Cannot determine if there are partially seal wrapped entries in storage: %v", err))
 		return 1
@@ -691,6 +699,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 			ReadTimeout:       30 * time.Second,
 			IdleTimeout:       5 * time.Minute,
 			ErrorLog:          c.logger.StandardLogger(nil),
+			MaxHeaderBytes:    vaulthttp.TokenHeaderMaxBytes(ln.Config),
 		}
 
 		go server.Serve(ln.Listener)
@@ -1516,7 +1525,8 @@ func (c *ServerCommand) Run(args []string) int {
 	core.SetClusterHandler(vaulthttp.Handler.Handler(&vault.HandlerProperties{
 		Core: core,
 		ListenerConfig: &configutil.Listener{
-			DisableJSONLimitParsing: true,
+			DisableJSONLimitParsing:       true,
+			DisableTokenHeaderSizeParsing: true,
 		},
 	}))
 
@@ -1925,7 +1935,7 @@ func (c *ServerCommand) configureSeals(ctx context.Context, config *server.Confi
 		return nil, nil, fmt.Errorf("Error getting seal generation info: %v", err)
 	}
 
-	hasPartialPaths, err := hasPartiallyWrappedPaths(ctx, backend)
+	hasPartialPaths, err := vault.HasPartiallyWrappedPaths(ctx, backend)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot determine if there are partially seal wrapped entries in storage: %v", err)
 	}
@@ -2348,6 +2358,9 @@ func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]rel
 	// Set Introspection Endpoint to enabled with new value in the config after reload
 	core.ReloadIntrospectionEndpointEnabled()
 
+	// Reload unauthenticated endpoints override configuration
+	core.ReloadEnableUnauthenticatedAccess()
+
 	// Send a message that we reloaded. This prevents "guessing" sleep times
 	// in tests.
 	select {
@@ -2739,25 +2752,16 @@ func (c *ServerCommand) computeSealGenerationInfo(existingSealGenInfo *vaultseal
 		Enabled:    multisealEnabled,
 	}
 
-	if multisealEnabled || (existingSealGenInfo != nil && existingSealGenInfo.Enabled) {
-		err := newSealGenInfo.Validate(existingSealGenInfo, hasPartiallyWrappedPaths)
-		if err != nil {
-			return nil, err
-		}
+	// Validate multi seal concerns of the seal configuration. Note that at this
+	// point Vault is starting up, not initializing (as in "vault operator init").
+	err := vaultseal.ValidateMultiSealGenerationInfo(false, newSealGenInfo, existingSealGenInfo, hasPartiallyWrappedPaths)
+	if err != nil {
+		return nil, err
 	}
 
 	return newSealGenInfo, nil
 }
 
-func hasPartiallyWrappedPaths(ctx context.Context, backend physical.Backend) (bool, error) {
-	paths, err := vault.GetPartiallySealWrappedPaths(ctx, backend)
-	if err != nil {
-		return false, err
-	}
-
-	return len(paths) > 0, nil
-}
-
 func initHaBackend(c *ServerCommand, config *server.Config, coreConfig *vault.CoreConfig, backend physical.Backend) (bool, error) {
 	// Initialize the separate HA storage backend, if it exists
 	var ok bool
@@ -3000,6 +3004,7 @@ func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.
 		AdministrativeNamespacePath:    config.AdministrativeNamespacePath,
 		ObservationSystemConfig:        config.Observations,
 		ReportingScanDirectory:         config.ReportingScanDirectory,
+		EnableUnauthenticatedAccess:    config.EnableUnauthenticatedAccess,
 	}
 
 	if c.flagDev {
@@ -3012,6 +3017,9 @@ func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.
 		if c.flagDevPluginDir != "" {
 			coreConfig.PluginDirectory = c.flagDevPluginDir
 		}
+		if c.flagDevPluginPGPKey != "" {
+			coreConfig.DevPluginPGPKey = c.flagDevPluginPGPKey
+		}
 		if c.flagDevLatency > 0 {
 			injectLatency := time.Duration(c.flagDevLatency) * time.Millisecond
 			if _, txnOK := backend.(physical.Transactional); txnOK {
@@ -3061,6 +3069,16 @@ func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.
 
 			for _, name := range list {
 				path := filepath.Join(f.Name(), name)
+
+				// Skip directories (e.g., enterprise plugin packages)
+				fileInfo, err := os.Stat(path)
+				if err != nil {
+					return fmt.Errorf("Error reading plugin file info %s: %s", name, err)
+				}
+				if fileInfo.IsDir() {
+					continue
+				}
+
 				if err := c.addPlugin(path, init.RootToken, core); err != nil {
 					if !errwrap.Contains(err, plugincatalog.ErrPluginBadType.Error()) {
 						return fmt.Errorf("Error enabling plugin %s: %s", name, err)
@@ -3194,6 +3212,7 @@ func startHttpServers(c *ServerCommand, core *vault.Core, config *server.Config,
 			ReadTimeout:       30 * time.Second,
 			IdleTimeout:       5 * time.Minute,
 			ErrorLog:          c.logger.StandardLogger(nil),
+			MaxHeaderBytes:    vaulthttp.TokenHeaderMaxBytes(ln.Config),
 		}
 
 		// override server defaults with config values for read/write/idle timeouts if configured
diff --git a/command/server/config.go b/command/server/config.go
index f960f404ca..9888da47c5 100644
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -56,6 +56,8 @@ type Config struct {
 
 	Experiments []string `hcl:"experiments"`
 
+	EnableUnauthenticatedAccess []string `hcl:"enable_unauthenticated_access"`
+
 	CacheSize                int         `hcl:"cache_size"`
 	DisableCache             bool        `hcl:"-"`
 	DisableCacheRaw          interface{} `hcl:"disable_cache"`
@@ -520,6 +522,11 @@ func (c *Config) Merge(c2 *Config) *Config {
 
 	result.Experiments = mergeExperiments(c.Experiments, c2.Experiments)
 
+	result.EnableUnauthenticatedAccess = c.EnableUnauthenticatedAccess
+	if len(c2.EnableUnauthenticatedAccess) > 0 {
+		result.EnableUnauthenticatedAccess = c2.EnableUnauthenticatedAccess
+	}
+
 	return result
 }
 
@@ -1415,6 +1422,8 @@ func (c *Config) Sanitized() map[string]interface{} {
 		"log_requests_level": c.LogRequestsLevel,
 		"experiments":        c.Experiments,
 
+		"enable_unauthenticated_access": c.EnableUnauthenticatedAccess,
+
 		"detect_deadlocks": c.DetectDeadlocks,
 
 		"imprecise_lease_role_tracking": c.ImpreciseLeaseRoleTracking,
diff --git a/command/server/config_test_helpers.go b/command/server/config_test_helpers.go
index 3974232bd9..ede2e1cfa7 100644
--- a/command/server/config_test_helpers.go
+++ b/command/server/config_test_helpers.go
@@ -330,11 +330,13 @@ func testLoadConfigFile_json2(t *testing.T, entropy *configutil.Entropy) {
 
 func testParseEntropy(t *testing.T, oss bool) {
 	tests := []struct {
+		name       string
 		inConfig   string
 		outErr     error
 		outEntropy configutil.Entropy
 	}{
 		{
+			name: "good",
 			inConfig: `entropy "seal" {
 				mode = "augmentation"
 				}`,
@@ -342,18 +344,21 @@ func testParseEntropy(t *testing.T, oss bool) {
 			outEntropy: configutil.Entropy{Mode: configutil.EntropyAugmentation},
 		},
 		{
+			name: "bad mode",
 			inConfig: `entropy "seal" {
 				mode = "a_mode_that_is_not_supported"
 				}`,
 			outErr: fmt.Errorf("the specified entropy mode %q is not supported", "a_mode_that_is_not_supported"),
 		},
 		{
+			name: "bad device",
 			inConfig: `entropy "device_that_is_not_supported" {
 				mode = "augmentation"
 				}`,
 			outErr: fmt.Errorf("only the %q type of external entropy is supported", "seal"),
 		},
 		{
+			name: "duplicate section",
 			inConfig: `entropy "seal" {
 				mode = "augmentation"
 				}
@@ -362,6 +367,15 @@ func testParseEntropy(t *testing.T, oss bool) {
 				}`,
 			outErr: fmt.Errorf("only one %q block is permitted", "entropy"),
 		},
+		{
+			name: "json",
+			inConfig: `{
+              "entropy": {
+                 "seal": {"mode": "augmentation"}
+              }`,
+			outErr:     nil,
+			outEntropy: configutil.Entropy{Mode: configutil.EntropyAugmentation},
+		},
 	}
 
 	config := Config{
@@ -369,25 +383,27 @@ func testParseEntropy(t *testing.T, oss bool) {
 	}
 
 	for _, test := range tests {
-		obj, _ := hcl.Parse(strings.TrimSpace(test.inConfig))
-		list, _ := obj.Node.(*ast.ObjectList)
-		objList := list.Filter("entropy")
-		err := configutil.ParseEntropy(config.SharedConfig, objList, "entropy")
-		// validate the error, both should be nil or have the same Error()
-		switch {
-		case oss:
-			if config.Entropy != nil {
-				t.Fatalf("parsing Entropy should not be possible in oss but got a non-nil config.Entropy: %#v", config.Entropy)
-			}
-		case err != nil && test.outErr != nil:
-			if err.Error() != test.outErr.Error() {
+		t.Run(test.name, func(t *testing.T) {
+			obj, _ := hcl.Parse(strings.TrimSpace(test.inConfig))
+			list, _ := obj.Node.(*ast.ObjectList)
+			objList := list.Filter("entropy")
+			err := configutil.ParseEntropy(config.SharedConfig, objList, "entropy")
+			// validate the error, both should be nil or have the same Error()
+			switch {
+			case oss:
+				if config.Entropy != nil {
+					t.Fatalf("parsing Entropy should not be possible in oss but got a non-nil config.Entropy: %#v", config.Entropy)
+				}
+			case err != nil && test.outErr != nil:
+				if err.Error() != test.outErr.Error() {
+					t.Fatalf("error mismatch: expected %#v got %#v", err, test.outErr)
+				}
+			case err != test.outErr:
 				t.Fatalf("error mismatch: expected %#v got %#v", err, test.outErr)
+			case err == nil && config.Entropy != nil && *config.Entropy != test.outEntropy:
+				t.Fatalf("entropy config mismatch: expected %#v got %#v", test.outEntropy, *config.Entropy)
 			}
-		case err != test.outErr:
-			t.Fatalf("error mismatch: expected %#v got %#v", err, test.outErr)
-		case err == nil && config.Entropy != nil && *config.Entropy != test.outEntropy:
-			t.Fatalf("entropy config mismatch: expected %#v got %#v", test.outEntropy, *config.Entropy)
-		}
+		})
 	}
 }
 
@@ -943,6 +959,7 @@ func testConfig_Sanitized(t *testing.T) {
 		"post_unseal_trace_directory":    "/tmp",
 		"remove_irrevocable_lease_after": (30 * 24 * time.Hour) / time.Second,
 		"allow_audit_log_prefixing":      false,
+		"enable_unauthenticated_access":  []string(nil),
 	}
 
 	addExpectedEntSanitizedConfig(expected, []string{"http"})
diff --git a/command/server/server_seal_transit_acc_test.go b/command/server/server_seal_transit_acc_test.go
index 31d78baea0..0e453750d7 100644
--- a/command/server/server_seal_transit_acc_test.go
+++ b/command/server/server_seal_transit_acc_test.go
@@ -135,6 +135,7 @@ func prepareTestContainer(t *testing.T) (func(), *DockerVaultConfig) {
 
 	runner, err := docker.NewServiceRunner(docker.RunOptions{
 		ContainerName: "vault",
+		Capabilities:  []string{"IPC_LOCK"},
 		ImageRepo:     "docker.mirror.hashicorp.services/hashicorp/vault",
 		ImageTag:      "latest",
 		Cmd: []string{
diff --git a/command/server_dev_plugin_test.go b/command/server_dev_plugin_test.go
new file mode 100644
index 0000000000..b34b915d77
--- /dev/null
+++ b/command/server_dev_plugin_test.go
@@ -0,0 +1,221 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !race && !hsm
+
+package command
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// testPGPPublicKey is a sample PGP public key for testing purposes
+const testPGPPublicKey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGB9+xkBEACabYZOWKmgZsHTdRDiyPJxhbuUiKX65GUWkyRMJKi/1dviVxOX
+PG6hBPtF48IFnVgxKpIb7G6NjBousAV+CuLlv5yqFKpOZEGC6sBV+Gx8Vu1CICpl
+Zm+HpQPcIzwBpN+Ar4l/exCG/f/MZq/oxGgH+TyRF3XcYDjG8dbJCpHO5nQ5Cy9h
+QIp3/Bh09kET6lk+4QlofNgHKVT2epV8iK1cXlbQe2tZtfCUtxk+pxvU0UHXp+AB
+0xc3/gIhjZp/dePmCOyQyGPJbp5bpO4UeAJ6frqhexmNlaw9Z897ltZmRLGq1p4a
+RnWL8FPkBz9SCSKXS8uNyV5oMNVn4G1obCkc106iWuKBTibffYQzq5TG8FYVJKrh
+RwWB6piacEB8hl20IIWSxIM3J9tT7CPSnk5RYYCTRHgA5OOrqZhC7JefudrP8n+M
+pxkDgNORDu7GCfAuisrf7dXYjLsxG4tu22DBJJC0c/IpRpXDnOuJN1Q5e/3VUKKW
+mypNumuQpP5lc1ZFG64TRzb1HR6oIdHfbrVQfdiQXpvdcFx+Fl57WuUraXRV6qfb
+4ZmKHX1JEwM/7tu21QE4F1dz0jroLSricZxfaCTHHWNfvGJoZ30/MZUrpSC0IfB3
+iQutxbZrwIlTBt+fGLtm3vDtwMFNWM+Rb1lrOxEQd2eijdxhvBOHtlIcswARAQAB
+tERIYXNoaUNvcnAgU2VjdXJpdHkgKGhhc2hpY29ycC5jb20vc2VjdXJpdHkpIDxz
+ZWN1cml0eUBoYXNoaWNvcnAuY29tPokCVAQTAQoAPhYhBMh0AR8KtAURDQIQVTQ2
+XZRy10aPBQJgffsZAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
+EDQ2XZRy10aPtpcP/0PhJKiHtC1zREpRTrjGizoyk4Sl2SXpBZYhkdrG++abo6zs
+buaAG7kgWWChVXBo5E20L7dbstFK7OjVs7vAg/OLgO9dPD8n2M19rpqSbbvKYWvp
+0NSgvFTT7lbyDhtPj0/bzpkZEhmvQaDWGBsbDdb2dBHGitCXhGMpdP0BuuPWEix+
+QnUMaPwU51q9GM2guL45Tgks9EKNnpDR6ZdCeWcqo1IDmklloidxT8aKL21UOb8t
+cD+Bg8iPaAr73bW7Jh8TdcV6s6DBFub+xPJEB/0bVPmq3ZHs5B4NItroZ3r+h3ke
+VDoSOSIZLl6JtVooOJ2la9ZuMqxchO3mrXLlXxVCo6cGcSuOmOdQSz4OhQE5zBxx
+LuzA5ASIjASSeNZaRnffLIHmht17BPslgNPtm6ufyOk02P5XXwa69UCjA3RYrA2P
+QNNC+OWZ8qQLnzGldqE4MnRNAxRxV6cFNzv14ooKf7+k686LdZrP/3fQu2p3k5rY
+0xQUXKh1uwMUMtGR867ZBYaxYvwqDrg9XB7xi3N6aNyNQ+r7zI2lt65lzwG1v9hg
+FG2AHrDlBkQi/t3wiTS3JOo/GCT8BjN0nJh0lGaRFtQv2cXOQGVRW8+V/9IpqEJ1
+qQreftdBFWxvH7VJq2mSOXUJyRsoUrjkUuIivaA9Ocdipk2CkP8bpuGz7ZF4
+=s1CX
+-----END PGP PUBLIC KEY BLOCK-----`
+
+// invalidPGPKey is not a valid PGP key format
+const invalidPGPKey = `This is not a valid PGP key`
+
+// testConfig is used to disable prometheus to avoid issues with the
+// global prometheus registry in tests
+const testConfig = `
+	storage "inmem" {}
+	listener "tcp" {
+		address = "127.0.0.1:0"
+		tls_disable = true
+	}
+	disable_mlock = true
+	telemetry {
+		prometheus_retention_time = "0s"
+		disable_hostname = true
+	}
+`
+
+// TestServer_DevPluginPGPKey_ValidKey tests that the server accepts a valid PGP key file
+func TestServer_DevPluginPGPKey_ValidKey(t *testing.T) {
+	// Create a valid PGP key file
+	keyPath := filepath.Join(t.TempDir(), "test-pgp-key.asc")
+	err := os.WriteFile(keyPath, []byte(testPGPPublicKey), 0o644)
+	require.NoError(t, err)
+
+	ui, cmd := testServerCommand(t)
+	args := []string{
+		"-dev",
+		"-dev-plugin-pgp-key=" + keyPath,
+		"-dev-listen-address=127.0.0.1:0",
+		"-test-server-config",
+	}
+
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+
+	// The server should start successfully with a valid key
+	require.Equal(t, 0, retCode, "expected server to start successfully, output: %s", output)
+}
+
+// TestServer_DevPluginPGPKey_InvalidPath tests that the server handles invalid file paths
+func TestServer_DevPluginPGPKey_InvalidPath(t *testing.T) {
+	ui, cmd := testServerCommand(t)
+
+	// Use an invalid path with null bytes (not allowed in file paths)
+	invalidPath := "/tmp/test\x00key.asc"
+
+	configPath := filepath.Join(t.TempDir(), "config.hcl")
+	err := os.WriteFile(configPath, []byte(testConfig), 0o644)
+	require.NoError(t, err)
+
+	args := []string{
+		"-dev",
+		"-config=" + configPath,
+		"-dev-plugin-pgp-key=" + invalidPath,
+		"-dev-listen-address=127.0.0.1:0",
+		"-test-server-config",
+	}
+
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+
+	// The server should fail to start with an invalid path
+	require.NotEqual(t, 0, retCode, "expected server to fail with invalid path")
+	require.Contains(t, output, "dev plugin PGP key", "expected error message about PGP key path, output: %s", output)
+}
+
+// TestServer_DevPluginPGPKey_NonExistentFile tests that the server handles non-existent key files
+func TestServer_DevPluginPGPKey_NonExistentFile(t *testing.T) {
+	tmpDir := t.TempDir()
+	// Use a path that doesn't exist
+	keyPath := filepath.Join(tmpDir, "non-existent-key.asc")
+
+	ui, cmd := testServerCommand(t)
+
+	configPath := filepath.Join(tmpDir, "config.hcl")
+	err := os.WriteFile(configPath, []byte(testConfig), 0o644)
+	require.NoError(t, err)
+
+	args := []string{
+		"-dev",
+		"-config=" + configPath,
+		"-dev-plugin-pgp-key=" + keyPath,
+		"-dev-listen-address=127.0.0.1:0",
+		"-test-server-config",
+	}
+
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+
+	// The server should fail to start with a non-existent key file
+	require.NotEqual(t, 0, retCode, "expected server to fail with non-existent key file")
+	require.Contains(t, output, "dev plugin PGP key", "expected error message about PGP key path, output: %s", output)
+}
+
+// TestServer_DevPluginPGPKey_EmptyFlag tests default behavior when flag is not set
+func TestServer_DevPluginPGPKey_EmptyFlag(t *testing.T) {
+	ui, cmd := testServerCommand(t)
+
+	configPath := filepath.Join(t.TempDir(), "config.hcl")
+	err := os.WriteFile(configPath, []byte(testConfig), 0o644)
+	require.NoError(t, err)
+
+	args := []string{
+		"-dev",
+		"-config=" + configPath,
+		"-dev-listen-address=127.0.0.1:0",
+		"-test-server-config",
+	}
+
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+
+	// The server should start successfully without the flag (uses default HashiCorp key)
+	require.Equal(t, 0, retCode, "expected server to start successfully without flag, output: %s", output)
+}
+
+// TestServer_DevPluginPGPKey_InvalidKeyContent tests handling of invalid PGP key content
+func TestServer_DevPluginPGPKey_InvalidKeyContent(t *testing.T) {
+	tmpDir := t.TempDir()
+	// Create a file with invalid PGP key content
+	keyPath := filepath.Join(tmpDir, "invalid-key.asc")
+	err := os.WriteFile(keyPath, []byte(invalidPGPKey), 0o644)
+	require.NoError(t, err)
+
+	ui, cmd := testServerCommand(t)
+
+	configPath := filepath.Join(tmpDir, "config.hcl")
+	err = os.WriteFile(configPath, []byte(testConfig), 0o644)
+	require.NoError(t, err)
+
+	args := []string{
+		"-dev",
+		"-config=" + configPath,
+		"-dev-plugin-pgp-key=" + keyPath,
+		"-dev-listen-address=127.0.0.1:0",
+		"-test-server-config",
+	}
+
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+
+	// The server should start (validation happens when actually using the key)
+	// but we verify the path was set correctly
+	require.Equal(t, 0, retCode, "expected server to start (key validation happens at use time), output: %s", output)
+}
+
+// TestServer_DevPluginPGPKey_EmptyFile tests handling of an empty key file
+func TestServer_DevPluginPGPKey_EmptyFile(t *testing.T) {
+	tmpDir := t.TempDir()
+	// Create an empty file
+	keyPath := filepath.Join(tmpDir, "empty-key.asc")
+	err := os.WriteFile(keyPath, []byte(""), 0o644)
+	require.NoError(t, err)
+
+	ui, cmd := testServerCommand(t)
+
+	configPath := filepath.Join(tmpDir, "config.hcl")
+	err = os.WriteFile(configPath, []byte(testConfig), 0o644)
+	require.NoError(t, err)
+
+	args := []string{
+		"-dev",
+		"-config=" + configPath,
+		"-dev-plugin-pgp-key=" + keyPath,
+		"-dev-listen-address=127.0.0.1:0",
+		"-test-server-config",
+	}
+
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+
+	// The server should start (validation happens when actually using the key)
+	require.Equal(t, 0, retCode, "expected server to start (key validation happens at use time), output: %s", output)
+}
diff --git a/command/server_test.go b/command/server_test.go
index 9c2f1eb42c..0800df57ec 100644
--- a/command/server_test.go
+++ b/command/server_test.go
@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 	"sync"
@@ -328,7 +329,17 @@ func TestServer(t *testing.T) {
 // TestServer_DevTLS verifies that a vault server starts up correctly with the -dev-tls flag
 func TestServer_DevTLS(t *testing.T) {
 	ui, cmd := testServerCommand(t)
-	args := []string{"-dev-tls", "-dev-listen-address=127.0.0.1:0", "-test-server-config"}
+
+	configPath := filepath.Join(t.TempDir(), "config.hcl")
+	err := os.WriteFile(configPath, []byte(testConfig), 0o644)
+	require.NoError(t, err)
+
+	args := []string{
+		"-dev-tls",
+		"-dev-listen-address=127.0.0.1:0",
+		"-test-server-config",
+		"-config=" + configPath,
+	}
 	retCode := cmd.Run(args)
 	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
 	require.Equal(t, 0, retCode, output)
diff --git a/command/status_test.go b/command/status_test.go
index 0d8a44729c..e4cb5a2add 100644
--- a/command/status_test.go
+++ b/command/status_test.go
@@ -33,7 +33,6 @@ func testStatusCommand(tb testing.TB) (*cli.MockUi, *StatusCommand) {
 func TestStatusCommand_RaftCluster(t *testing.T) {
 	t.Parallel()
 	cluster := testVaultRaftCluster(t)
-	defer cluster.Cleanup()
 
 	toRemove := cluster.Cores[1]
 	expectRemovedFromCluster := func(expectCode int, removed bool) {
diff --git a/enos/README.md b/enos/README.md
index 9b140b7a79..8e94c24101 100644
--- a/enos/README.md
+++ b/enos/README.md
@@ -217,7 +217,7 @@ Here are the steps to configure the GitHub Actions service user:
 - Full access to the CI AWS account is required.
 
 **Notes:**
-- For help with access to Terraform Cloud and the CI Account, contact the QT team on Slack (#team-quality)
+- For help with access to Terraform Cloud and the CI Account, contact the Vault Automation team on Slack (#team-vault-automation)
   for an invite. After receiving an invite to Terraform Cloud, a personal access token can be created
   by clicking `User Settings` --> `Tokens` --> `Create an API token`.
 - Access to the AWS account can be done via Doormat, at: https://doormat.hashicorp.services/.
@@ -228,7 +228,7 @@ Here are the steps to configure the GitHub Actions service user:
 1. **Create the Terraform Cloud Workspace** - The name of the workspace to be created depends on the
    repository for which it is being created, but the pattern is: `<repository>-ci-enos-service-user-iam`,
    e.g. `vault-ci-enos-service-user-iam`. It is important that the execution mode for the workspace be set
-   to `local`. For help on setting up the workspace, contact the QT team on Slack (#team-quality)
+   to `local`. For help on setting up the workspace, contact the Vault Automation team on Slack (#team-vault-automation)
 
 
 2. **Execute the Terraform module**
@@ -250,7 +250,7 @@ workspace must be created as follows:
 1. **Create the Terraform Cloud Workspace** - The name workspace to be created depends on the repository
    for which it is being created, but the pattern is: `<repository>-ci-bootstrap`, e.g.
    `vault-ci-bootstrap`. It is important that the execution mode for the workspace be set to
-   `local`. For help on setting up the workspace, contact the QT team on Slack (#team-quality).
+   `local`. For help on setting up the workspace, contact the Vault Automation team on Slack (#team-vault-automation).
 
 Once the workspace has been created, changes to the bootstrap module will automatically be applied via
 the GitHub PR workflow. Each time a PR is created for changes to files within that module the module
diff --git a/enos/enos-descriptions.hcl b/enos/enos-descriptions.hcl
index bc91d74c75..cf71dc765f 100644
--- a/enos/enos-descriptions.hcl
+++ b/enos/enos-descriptions.hcl
@@ -211,6 +211,12 @@ globals {
       the Vault version, edition, build date, and any special prerelease metadata.
     EOF
 
+    run_verify_blackbox_tests = <<-EOF
+      Run blackbox verification tests via the Vault API from the CI/GitHub runner. These tests
+      validate Vault functionality without requiring direct access to the Vault binary on the
+      target hosts.
+    EOF
+
     wait_for_cluster_to_have_leader = <<-EOF
       Wait for a leader election to occur before we proceed with any further quality verification.
     EOF
diff --git a/enos/enos-dynamic-config.hcl b/enos/enos-dynamic-config.hcl
index 6c82d2106f..300f48286a 100644
--- a/enos/enos-dynamic-config.hcl
+++ b/enos/enos-dynamic-config.hcl
@@ -1,7 +1,7 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2016, 2026
 # SPDX-License-Identifier: BUSL-1.1
 
-# Code generated by pipeline generate enos-dynamic-config DO NOT EDIT.
+# Code generated by 'pipeline generate template' DO NOT EDIT.
 
 # This file is overwritten in CI as it contains branch specific and sometimes ever-changing values.
 # It's checked in here so that enos samples and scenarios can be performed, just be aware that this
@@ -13,7 +13,7 @@ globals {
     distro_version_amzn     = ["2023"]
     distro_version_rhel     = ["8.10", "9.7", "10.1"]
     distro_version_sles     = ["15.7", "16.0"]
-    distro_version_ubuntu   = ["22.04", "24.04"]
-    upgrade_initial_version = ["1.19.0", "1.19.1", "1.19.2", "1.19.3", "1.19.4", "1.19.5", "1.19.6", "1.19.7", "1.19.8", "1.19.9", "1.19.10", "1.19.11", "1.19.12", "1.20.0", "1.20.1", "1.20.2", "1.20.3", "1.20.4", "1.20.5", "1.20.6", "1.21.0", "1.21.1"]
+    distro_version_ubuntu   = ["22.04", "24.04", "26.04"]
+    upgrade_initial_version = ["1.20.0", "1.20.1", "1.20.2", "1.20.3", "1.20.4", "1.20.5", "1.20.6", "1.20.7", "1.20.8", "1.20.9", "1.20.10", "1.21.0-rc1", "1.21.0", "1.21.1", "1.21.2", "1.21.3", "1.21.4", "1.21.5", "2.0.0-rc1", "2.0.0"]
   }
 }
diff --git a/enos/enos-dynamic-config.tmpl b/enos/enos-dynamic-config.tmpl
new file mode 100644
index 0000000000..33e4c62202
--- /dev/null
+++ b/enos/enos-dynamic-config.tmpl
@@ -0,0 +1,19 @@
+# Copyright IBM Corp. 2016, 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+# Code generated by 'pipeline generate template' DO NOT EDIT.
+
+# This file is overwritten in CI as it contains branch specific and sometimes ever-changing values.
+# It's checked in here so that enos samples and scenarios can be performed, just be aware that this
+# might change out from under you.
+
+globals {
+  sample_attributes = {
+    aws_region              = ["us-east-1", "us-west-2"]
+    distro_version_amzn     = ["2023"]
+    distro_version_rhel     = ["8.10", "9.7", "10.1"]
+    distro_version_sles     = ["15.7", "16.0"]
+    distro_version_ubuntu   = ["22.04", "24.04", "26.04"]
+    upgrade_initial_version = [{{- $versions := VersionsNMinusTransition "vault" .Edition .Version 3 "major" "1.21.5" "minor" }}{{- range $i, $v := $versions }}{{if $i}}, {{end}}"{{ $v }}"{{- end }}]
+  }
+}
diff --git a/enos/enos-globals.hcl b/enos/enos-globals.hcl
index 9940b15c16..753920bd96 100644
--- a/enos/enos-globals.hcl
+++ b/enos/enos-globals.hcl
@@ -43,6 +43,7 @@ globals {
     ubuntu = {
       "22.04" = ["netcat", "ldap-utils"]
       "24.04" = ["netcat-openbsd", "ldap-utils"]
+      "26.04" = ["netcat-openbsd", "ldap-utils"]
     }
   }
   distro_version = {
@@ -152,30 +153,61 @@ globals {
       protocol    = "tcp"
     }
   }
-  // Ports that we'll open up for ingress in the security group for all external integration target machines.
-  integration_host_ports = {
-    ldap : {
-      description = "LDAP"
-      port        = 389
-      protocol    = "tcp"
+  // Database configurations for Vault database secrets engine testing
+  database_configs = {
+    postgres : {
+      port        = 5432
+      version     = "16-alpine"
+      username    = "postgres"
+      password    = "secret"
+      database    = "postgres"
+      description = "PostgreSQL Server"
     },
-    ldaps : {
-      description = "LDAPS"
-      port        = 636
-      protocol    = "tcp"
+    mongodb : {
+      port        = 27017
+      version     = "7.0"
+      username    = "admin"
+      password    = "secret"
+      database    = "admin"
+      description = "MongoDB Server"
     },
     mysql : {
-      description = "MySQL Server"
       port        = 3306
-      protocol    = "tcp"
-    },
-    kmip : {
-      description = "KMIP Server"
-      port        = 5696
-      protocol    = "tcp"
-    },
+      version     = "8.0"
+      username    = "root"
+      password    = "secret"
+      database    = "mysql"
+      description = "MySQL Server"
+    }
   }
 
+  // Ports that we'll open up for ingress in the security group for all external integration target machines.
+  integration_host_ports = merge(
+    {
+      ldap : {
+        description = "LDAP"
+        port        = 389
+        protocol    = "tcp"
+      },
+      ldaps : {
+        description = "LDAPS"
+        port        = 636
+        protocol    = "tcp"
+      },
+      kmip : {
+        description = "KMIP Server"
+        port        = 5696
+        protocol    = "tcp"
+      }
+    },
+    // Add database ports dynamically from database_configs
+    { for db_name, db_config in global.database_configs : db_name => {
+      description = db_config.description
+      port        = db_config.port
+      protocol    = "tcp"
+    } }
+  )
+
   // Combine all ports into a single map
   ports = merge(
     global.vault_cluster_ports,
diff --git a/enos/enos-modules.hcl b/enos/enos-modules.hcl
index 443c78140e..9714126ab7 100644
--- a/enos/enos-modules.hcl
+++ b/enos/enos-modules.hcl
@@ -396,24 +396,12 @@ module "vault_verify_ui" {
   source = "./modules/vault_verify_ui"
 }
 
-module "vault_verify_undo_logs" {
-  source = "./modules/vault_verify_undo_logs"
-
-  vault_install_dir = var.vault_install_dir
-}
-
 module "vault_wait_for_cluster_unsealed" {
   source = "./modules/vault_wait_for_cluster_unsealed"
 
   vault_install_dir = var.vault_install_dir
 }
 
-module "vault_verify_version" {
-  source = "./modules/vault_verify_version"
-
-  vault_install_dir = var.vault_install_dir
-}
-
 module "vault_wait_for_leader" {
   source = "./modules/vault_wait_for_leader"
 
@@ -445,3 +433,14 @@ module "vault_verify_billing_start_date" {
   vault_instance_count    = var.vault_instance_count
   vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
 }
+
+module "vault_update_license_ibm" {
+  source = "./modules/vault_update_license_ibm"
+}
+
+module "vault_verify_ibm_license_update" {
+  source = "./modules/vault_verify_ibm_license_update"
+
+  vault_install_dir       = var.vault_install_dir
+  vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
+}
diff --git a/enos/enos-providers.hcl b/enos/enos-providers.hcl
index a9bddf33bb..1e6cab0d6f 100644
--- a/enos/enos-providers.hcl
+++ b/enos/enos-providers.hcl
@@ -30,3 +30,6 @@ provider "hcp" "default" {
 
 provider "docker" "default" {
 }
+
+provider "local" "default" {
+}
diff --git a/enos/enos-qualities.hcl b/enos/enos-qualities.hcl
index 3bd741e90f..28c0da2e82 100644
--- a/enos/enos-qualities.hcl
+++ b/enos/enos-qualities.hcl
@@ -671,3 +671,7 @@ quality "vault_version_release" {
 quality "vault_billing_start_date" {
   description = "Vault's billing start date has adjusted to the latest billing year"
 }
+
+quality "vault_license_update_ibm" {
+  description = "Vault updates the cluster license to an IBM PAO license and it is in effect"
+}
diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl
index 579eea9fad..9c6097cff6 100644
--- a/enos/enos-scenario-agent.hcl
+++ b/enos/enos-scenario-agent.hcl
@@ -178,11 +178,12 @@ scenario "agent" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -236,7 +237,7 @@ scenario "agent" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -483,10 +484,10 @@ scenario "agent" {
     }
   }
 
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
-    depends_on  = [step.verify_vault_unsealed]
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.verify_vault_unsealed, step.get_vault_cluster_ips]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
@@ -501,14 +502,16 @@ scenario "agent" {
     ]
 
     variables {
-      hosts                 = step.create_vault_cluster_targets.hosts
-      vault_addr            = step.create_vault_cluster.api_addr_localhost
+      leader_host           = step.get_vault_cluster_ips.leader_host
+      leader_public_ip      = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_vault_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_vault_cluster.root_token
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
     }
   }
 
@@ -517,7 +520,8 @@ scenario "agent" {
     module      = module.vault_verify_secrets_engines_create
     depends_on = [
       step.verify_vault_unsealed,
-      step.get_vault_cluster_ips
+      step.get_vault_cluster_ips,
+      step.set_up_external_integration_target,
     ]
 
     providers = {
@@ -556,6 +560,7 @@ scenario "agent" {
       vault_edition          = matrix.edition
       vault_install_dir      = global.vault_install_dir[matrix.artifact_type]
       vault_root_token       = step.create_vault_cluster.root_token
+      vault_audit_log_path   = step.create_vault_cluster.audit_device_file_path
     }
   }
 
diff --git a/enos/enos-scenario-autopilot.hcl b/enos/enos-scenario-autopilot.hcl
index 6c5586974b..7f98b06e9a 100644
--- a/enos/enos-scenario-autopilot.hcl
+++ b/enos/enos-scenario-autopilot.hcl
@@ -175,11 +175,12 @@ scenario "autopilot" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -236,7 +237,7 @@ scenario "autopilot" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -421,6 +422,7 @@ scenario "autopilot" {
       vault_edition          = matrix.edition
       vault_install_dir      = local.vault_install_dir
       vault_root_token       = step.create_vault_cluster.root_token
+      vault_audit_log_path   = step.create_vault_cluster.audit_device_file_path
     }
   }
 
@@ -843,14 +845,15 @@ scenario "autopilot" {
     }
   }
 
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
     depends_on = [
       step.create_vault_cluster_upgrade_targets,
       step.upgrade_vault_cluster_with_autopilot,
       step.verify_raft_auto_join_voter,
-      step.remove_old_nodes
+      step.remove_old_nodes,
+      step.get_updated_vault_cluster_ips
     ]
 
     providers = {
@@ -866,14 +869,16 @@ scenario "autopilot" {
     ]
 
     variables {
-      hosts                 = step.upgrade_vault_cluster_with_autopilot.hosts
-      vault_addr            = step.upgrade_vault_cluster_with_autopilot.api_addr_localhost
+      leader_host           = step.get_updated_vault_cluster_ips.leader_host
+      leader_public_ip      = step.get_updated_vault_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_vault_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = local.vault_install_dir
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_vault_cluster.root_token
+      vault_install_dir     = local.vault_install_dir
     }
   }
 
@@ -901,7 +906,7 @@ scenario "autopilot" {
 
   step "verify_undo_logs_enabled_on_primary" {
     skip_step   = semverconstraint(var.vault_product_version, "<1.13.0-0")
-    module      = module.vault_verify_undo_logs
+    module      = module.vault_run_blackbox_test
     description = <<-EOF
       Verifies that undo logs is correctly enabled on newly upgraded target hosts. For this it will
       query the metrics system backend for the vault.core.replication.write_undo_logs gauge.
@@ -921,18 +926,24 @@ scenario "autopilot" {
     }
 
     variables {
-      expected_state    = 1 # Enabled
-      hosts             = step.get_updated_vault_cluster_ips.leader_hosts
-      timeout           = 180 # Seconds
-      vault_addr        = step.upgrade_vault_cluster_with_autopilot.api_addr_localhost
-      vault_install_dir = local.vault_install_dir
-      vault_root_token  = step.create_vault_cluster.root_token
+      ip_version       = matrix.ip_version
+      leader_host      = step.get_updated_vault_cluster_ips.leader_host
+      leader_public_ip = step.get_updated_vault_cluster_ips.leader_public_ip
+      vault_root_token = step.create_vault_cluster.root_token
+      test_package     = "./vault/external_tests/blackbox/verify"
+      test_names       = ["TestVaultUndoLogsMetric"]
+      vault_edition    = matrix.edition
+      test_env_vars = {
+        EXPECTED_STATE  = "1"
+        TIMEOUT_SECONDS = "180"
+        RETRY_INTERVAL  = "5"
+      }
     }
   }
 
   step "verify_undo_logs_disabled_on_followers" {
     skip_step  = semverconstraint(var.vault_product_version, "<1.13.0-0")
-    module     = module.vault_verify_undo_logs
+    module     = module.vault_run_blackbox_test
     depends_on = [step.verify_undo_logs_enabled_on_primary]
 
     providers = {
@@ -940,12 +951,18 @@ scenario "autopilot" {
     }
 
     variables {
-      expected_state    = 0 # Disabled
-      hosts             = step.get_updated_vault_cluster_ips.follower_hosts
-      timeout           = 10 # Seconds
-      vault_addr        = step.upgrade_vault_cluster_with_autopilot.api_addr_localhost
-      vault_install_dir = local.vault_install_dir
-      vault_root_token  = step.create_vault_cluster.root_token
+      ip_version       = matrix.ip_version
+      leader_host      = step.get_updated_vault_cluster_ips.follower_hosts[0]
+      leader_public_ip = step.get_updated_vault_cluster_ips.follower_hosts[0].public_ip
+      vault_root_token = step.create_vault_cluster.root_token
+      test_package     = "./vault/external_tests/blackbox/verify"
+      test_names       = ["TestVaultUndoLogsMetric"]
+      vault_edition    = matrix.edition
+      test_env_vars = {
+        EXPECTED_STATE  = "0"
+        TIMEOUT_SECONDS = "60"
+        RETRY_INTERVAL  = "2"
+      }
     }
   }
 
diff --git a/enos/enos-scenario-dr-replication.hcl b/enos/enos-scenario-dr-replication.hcl
index 551a6996b5..d2325d9d6d 100644
--- a/enos/enos-scenario-dr-replication.hcl
+++ b/enos/enos-scenario-dr-replication.hcl
@@ -218,11 +218,12 @@ scenario "dr_replication" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -317,7 +318,7 @@ scenario "dr_replication" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -665,9 +666,12 @@ scenario "dr_replication" {
     }
   }
 
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
+  step "run_verify_blackbox_tests" {
+    // NOTE: This must run before we transition the cluster to a DR secondary.
+    // because afterwards the namespaces API won't be available and the bbsdk
+    // init will fail.
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
     depends_on  = [step.get_primary_cluster_ips]
 
     providers = {
@@ -683,14 +687,16 @@ scenario "dr_replication" {
     ]
 
     variables {
-      hosts                 = step.create_primary_cluster_targets.hosts
-      vault_addr            = step.create_primary_cluster.api_addr_localhost
+      leader_host           = step.get_primary_cluster_ips.leader_host
+      leader_public_ip      = step.get_primary_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_primary_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_primary_cluster.root_token
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
     }
   }
 
@@ -755,6 +761,7 @@ scenario "dr_replication" {
       vault_edition          = matrix.edition
       vault_install_dir      = global.vault_install_dir[matrix.artifact_type]
       vault_root_token       = step.create_primary_cluster.root_token
+      vault_audit_log_path   = step.create_primary_cluster.audit_device_file_path
     }
   }
 
@@ -780,6 +787,8 @@ scenario "dr_replication" {
     depends_on = [
       step.get_primary_cluster_ips,
       step.get_secondary_cluster_ips,
+      step.run_verify_blackbox_tests,
+      step.verify_ui,
       step.verify_secrets_engines_on_primary,
     ]
 
diff --git a/enos/enos-scenario-plugin.hcl b/enos/enos-scenario-plugin.hcl
new file mode 100644
index 0000000000..0a8e033c15
--- /dev/null
+++ b/enos/enos-scenario-plugin.hcl
@@ -0,0 +1,558 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+scenario "plugin" {
+  description = <<-EOF
+    The plugin scenario deploys a Vault cluster with external integration services and runs comprehensive
+    plugin blackbox tests. This scenario validates plugin functionality including:
+
+    - LDAP secrets engine: Static/dynamic roles, password policies, rotation, rollback scenarios
+    - Future plugins: Database, SSH, PKI, and other secrets engines
+
+    The scenario creates dedicated external services (LDAP, databases, etc.) using containers and
+    configures them with test data required for comprehensive plugin testing.
+
+    # How to run this scenario
+
+    For general instructions on running a scenario, refer to the Enos docs: https://eng-handbook.hashicorp.services/internal-tools/enos/running-a-scenario/
+    For troubleshooting tips and common errors, see https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/.
+
+    Variables required for all scenario variants:
+      - aws_ssh_private_key_path (more info about AWS SSH keypairs: https://eng-handbook.hashicorp.services/internal-tools/enos/getting-started/#set-your-aws-key-pair-name-and-private-key)
+      - aws_ssh_keypair_name
+      - vault_build_date*
+      - vault_product_version
+      - vault_revision*
+
+    * If you don't already know what build date and revision you should be using, see
+    https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
+
+    Variables required for some scenario variants:
+      - artifactory_token (if using `artifact_source:artifactory` in your filter)
+      - aws_region (if different from the default value in enos-variables.hcl)
+      - vault_artifact_path (the path to where you have a Vault artifact already downloaded,
+      if using `artifact_source:crt` in your filter)
+      - vault_license_path (if using an ENT edition of Vault)
+  EOF
+
+  matrix {
+    arch            = global.archs
+    artifact_source = global.artifact_sources
+    artifact_type   = global.artifact_types
+    backend         = global.backends
+    config_mode     = global.config_modes
+    consul_edition  = global.consul_editions
+    consul_version  = global.consul_versions
+    distro          = global.distros
+    edition         = global.editions
+    ip_version      = global.ip_versions
+    seal            = global.seals
+
+    // Our local builder always creates bundles
+    exclude {
+      artifact_source = ["local"]
+      artifact_type   = ["package"]
+    }
+
+    // PKCS#11 can only be used on ent.hsm and ent.hsm.fips1403.
+    exclude {
+      seal    = ["pkcs11"]
+      edition = [for e in matrix.edition : e if !strcontains(e, "hsm")]
+    }
+
+    // softhsm packages not available for sles (at the time of development)
+    exclude {
+      seal   = ["pkcs11"]
+      distro = ["sles"]
+    }
+
+    // Testing in IPV6 mode is currently implemented for integrated Raft storage only
+    exclude {
+      ip_version = ["6"]
+      backend    = ["consul"]
+    }
+
+    // plugin scenario cannot be run in CE
+    exclude {
+      edition = ["ce"]
+    }
+  }
+
+  terraform_cli = terraform_cli.default
+  terraform     = terraform.default
+  providers = [
+    provider.aws.default,
+    provider.enos.ec2_user,
+    provider.enos.ubuntu
+  ]
+
+  locals {
+    artifact_path = matrix.artifact_source != "artifactory" ? abspath(var.vault_artifact_path) : null
+    enos_provider = {
+      amzn   = provider.enos.ec2_user
+      rhel   = provider.enos.ec2_user
+      sles   = provider.enos.ec2_user
+      ubuntu = provider.enos.ubuntu
+    }
+    manage_service = matrix.artifact_type == "bundle"
+  }
+
+  step "build_vault" {
+    description = global.description.build_vault
+    module      = "build_${matrix.artifact_source}"
+
+    variables {
+      build_tags        = var.vault_local_build_tags != null ? var.vault_local_build_tags : global.build_tags[matrix.edition]
+      artifact_path     = local.artifact_path
+      goarch            = matrix.arch
+      goos              = "linux"
+      artifactory_host  = matrix.artifact_source == "artifactory" ? var.artifactory_host : null
+      artifactory_repo  = matrix.artifact_source == "artifactory" ? var.artifactory_repo : null
+      artifactory_token = matrix.artifact_source == "artifactory" ? var.artifactory_token : null
+      arch              = matrix.artifact_source == "artifactory" ? matrix.arch : null
+      product_version   = var.vault_product_version
+      artifact_type     = matrix.artifact_type
+      distro            = matrix.artifact_source == "artifactory" ? matrix.distro : null
+      edition           = matrix.artifact_source == "artifactory" ? matrix.edition : null
+      revision          = var.vault_revision
+    }
+  }
+
+  step "ec2_info" {
+    description = global.description.ec2_info
+    module      = module.ec2_info
+  }
+
+  step "create_vpc" {
+    description = global.description.create_vpc
+    module      = module.create_vpc
+
+    variables {
+      common_tags = global.tags
+      ip_version  = matrix.ip_version
+    }
+  }
+
+  step "read_backend_license" {
+    description = global.description.read_backend_license
+    module      = module.read_license
+    skip_step   = matrix.backend == "raft" || matrix.consul_edition == "ce"
+
+    variables {
+      file_name = global.backend_license_path
+    }
+  }
+
+  step "read_vault_license" {
+    description = global.description.read_vault_license
+    skip_step   = matrix.edition == "ce"
+    module      = module.read_license
+
+    variables {
+      file_name = global.vault_license_path
+    }
+  }
+
+  step "create_seal_key" {
+    description = global.description.create_seal_key
+    module      = "seal_${matrix.seal}"
+    depends_on  = [step.create_vpc]
+
+    providers = {
+      enos = provider.enos.ubuntu
+    }
+
+    variables {
+      cluster_id  = step.create_vpc.id
+      common_tags = global.tags
+    }
+  }
+
+  step "create_plugin_integration_target" {
+    description = "Create dedicated EC2 instance for external plugin services (LDAP, databases, etc.)"
+    module      = module.target_ec2_instances
+    depends_on  = [step.create_vpc]
+
+    providers = {
+      enos = provider.enos.ubuntu
+    }
+
+    variables {
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = "plugin-integration"
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
+    }
+  }
+
+  step "create_vault_cluster_targets" {
+    description = global.description.create_vault_cluster_targets
+    module      = module.target_ec2_instances
+    depends_on  = [step.create_vpc]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    variables {
+      ami_id          = step.ec2_info.ami_ids[matrix.arch][matrix.distro][global.distro_version[matrix.distro]]
+      cluster_tag_key = global.vault_tag_key
+      common_tags     = global.tags
+      seal_key_names  = step.create_seal_key.resource_names
+      vpc_id          = step.create_vpc.id
+    }
+  }
+
+  step "create_vault_cluster_backend_targets" {
+    description = global.description.create_vault_cluster_targets
+    module      = matrix.backend == "consul" ? module.target_ec2_instances : module.target_ec2_shim
+    depends_on  = [step.create_vpc]
+
+    providers = {
+      enos = provider.enos.ubuntu
+    }
+
+    variables {
+      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"][global.distro_version["ubuntu"]]
+      cluster_tag_key = global.backend_tag_key
+      common_tags     = global.tags
+      seal_key_names  = step.create_seal_key.resource_names
+      vpc_id          = step.create_vpc.id
+    }
+  }
+
+  step "set_up_plugin_services" {
+    description = "Set up external plugin services (LDAP server, databases, etc.) for plugin testing"
+    module      = module.set_up_external_integration_target
+    depends_on = [
+      step.create_vault_cluster_targets
+    ]
+
+    providers = {
+      enos = provider.enos.ubuntu
+    }
+
+    variables {
+      hosts            = step.create_plugin_integration_target.hosts
+      ip_version       = matrix.ip_version
+      packages         = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
+      ports            = global.integration_host_ports
+      database_configs = global.database_configs
+    }
+  }
+
+  step "create_backend_cluster" {
+    description = global.description.create_backend_cluster
+    module      = "backend_${matrix.backend}"
+    depends_on = [
+      step.create_vault_cluster_backend_targets
+    ]
+
+    providers = {
+      enos = provider.enos.ubuntu
+    }
+
+    verifies = [
+      // verified in modules
+      quality.consul_autojoin_aws,
+      quality.consul_config_file,
+      quality.consul_ha_leader_election,
+      quality.consul_service_start_server,
+      // verified in enos_consul_start resource
+      quality.consul_api_agent_host_read,
+      quality.consul_api_health_node_read,
+      quality.consul_api_operator_raft_config_read,
+      quality.consul_cli_validate,
+      quality.consul_health_state_passing_read_nodes_minimum,
+      quality.consul_operator_raft_configuration_read_voters_minimum,
+      quality.consul_service_systemd_notified,
+      quality.consul_service_systemd_unit,
+    ]
+
+    variables {
+      cluster_name    = step.create_vault_cluster_backend_targets.cluster_name
+      cluster_tag_key = global.backend_tag_key
+      hosts           = step.create_vault_cluster_backend_targets.hosts
+      license         = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
+      release = {
+        edition = matrix.consul_edition
+        version = matrix.consul_version
+      }
+    }
+  }
+
+  step "create_vault_cluster" {
+    description = global.description.create_vault_cluster
+    module      = module.vault_cluster
+    depends_on = [
+      step.create_backend_cluster,
+      step.build_vault,
+      step.create_vault_cluster_targets,
+      step.set_up_plugin_services
+    ]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      // verified in modules
+      quality.consul_service_start_client,
+      quality.vault_artifact_bundle,
+      quality.vault_artifact_deb,
+      quality.vault_artifact_rpm,
+      quality.vault_audit_log,
+      quality.vault_audit_socket,
+      quality.vault_audit_syslog,
+      quality.vault_autojoin_aws,
+      quality.vault_config_env_variables,
+      quality.vault_config_file,
+      quality.vault_config_log_level,
+      quality.vault_init,
+      quality.vault_license_required_ent,
+      quality.vault_listener_ipv4,
+      quality.vault_listener_ipv6,
+      quality.vault_service_start,
+      quality.vault_storage_backend_consul,
+      quality.vault_storage_backend_raft,
+      // verified in enos_vault_start resource
+      quality.vault_api_sys_config_read,
+      quality.vault_api_sys_ha_status_read,
+      quality.vault_api_sys_health_read,
+      quality.vault_api_sys_host_info_read,
+      quality.vault_api_sys_replication_status_read,
+      quality.vault_api_sys_seal_status_api_read_matches_sys_health,
+      quality.vault_api_sys_storage_raft_autopilot_configuration_read,
+      quality.vault_api_sys_storage_raft_autopilot_state_read,
+      quality.vault_api_sys_storage_raft_configuration_read,
+      quality.vault_cli_status_exit_code,
+      quality.vault_service_systemd_notified,
+      quality.vault_service_systemd_unit,
+    ]
+
+    variables {
+      artifactory_release     = matrix.artifact_source == "artifactory" ? step.build_vault.vault_artifactory_release : null
+      backend_cluster_name    = step.create_vault_cluster_backend_targets.cluster_name
+      backend_cluster_tag_key = global.backend_tag_key
+      cluster_name            = step.create_vault_cluster_targets.cluster_name
+      config_mode             = matrix.config_mode
+      consul_license          = (matrix.backend == "consul" && matrix.consul_edition == "ent") ? step.read_backend_license.license : null
+      consul_release = matrix.backend == "consul" ? {
+        edition = matrix.consul_edition
+        version = matrix.consul_version
+      } : null
+      enable_audit_devices = var.vault_enable_audit_devices
+      hosts                = step.create_vault_cluster_targets.hosts
+      install_dir          = global.vault_install_dir[matrix.artifact_type]
+      ip_version           = matrix.ip_version
+      license              = matrix.edition != "ce" ? step.read_vault_license.license : null
+      local_artifact_path  = local.artifact_path
+      manage_service       = local.manage_service
+      packages             = concat(global.packages, global.distro_packages[matrix.distro][global.distro_version[matrix.distro]])
+      seal_attributes      = step.create_seal_key.attributes
+      seal_type            = matrix.seal
+      storage_backend      = matrix.backend
+    }
+  }
+
+  step "get_local_metadata" {
+    description = global.description.get_local_metadata
+    skip_step   = matrix.artifact_source != "local"
+    module      = module.get_local_metadata
+  }
+
+  // Wait for our cluster to elect a leader
+  step "wait_for_leader" {
+    description = global.description.wait_for_cluster_to_have_leader
+    module      = module.vault_wait_for_leader
+    depends_on  = [step.create_vault_cluster]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_api_sys_leader_read,
+      quality.vault_unseal_ha_leader_election,
+    ]
+
+    variables {
+      timeout           = 120 // seconds
+      ip_version        = matrix.ip_version
+      hosts             = step.create_vault_cluster_targets.hosts
+      vault_addr        = step.create_vault_cluster.api_addr_localhost
+      vault_install_dir = global.vault_install_dir[matrix.artifact_type]
+      vault_root_token  = step.create_vault_cluster.root_token
+    }
+  }
+
+  step "get_vault_cluster_ips" {
+    description = global.description.get_vault_cluster_ip_addresses
+    module      = module.vault_get_cluster_ips
+    depends_on  = [step.wait_for_leader]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_api_sys_ha_status_read,
+      quality.vault_api_sys_leader_read,
+      quality.vault_cli_operator_members,
+    ]
+
+    variables {
+      hosts             = step.create_vault_cluster_targets.hosts
+      ip_version        = matrix.ip_version
+      vault_addr        = step.create_vault_cluster.api_addr_localhost
+      vault_install_dir = global.vault_install_dir[matrix.artifact_type]
+      vault_root_token  = step.create_vault_cluster.root_token
+    }
+  }
+
+  step "verify_vault_unsealed" {
+    description = global.description.verify_vault_unsealed
+    module      = module.vault_wait_for_cluster_unsealed
+    depends_on  = [step.wait_for_leader]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_seal_awskms,
+      quality.vault_seal_pkcs11,
+      quality.vault_seal_shamir,
+    ]
+
+    variables {
+      hosts             = step.create_vault_cluster_targets.hosts
+      vault_addr        = step.create_vault_cluster.api_addr_localhost
+      vault_install_dir = global.vault_install_dir[matrix.artifact_type]
+    }
+  }
+
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.verify_vault_unsealed, step.get_vault_cluster_ips]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_api_sys_version_history_keys,
+      quality.vault_api_sys_version_history_key_info,
+      quality.vault_version_build_date,
+      quality.vault_version_edition,
+      quality.vault_version_release,
+    ]
+
+    variables {
+      leader_host           = step.get_vault_cluster_ips.leader_host
+      leader_public_ip      = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_vault_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
+      vault_edition         = matrix.edition
+      vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
+      vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
+      vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
+
+    }
+  }
+
+  locals {
+    // Determine if filter contains test names (starts with "Test") or package names
+    is_test_name_filter = length(var.blackbox_test_filter) > 0 && length([for t in var.blackbox_test_filter : t if can(regex("^Test", t))]) > 0
+
+    // For plugins, if package filter is provided, convert to plugin paths, otherwise run default plugin tests
+    plugin_test_packages = length(var.blackbox_test_filter) > 0 && !local.is_test_name_filter ? [
+      for pkg in var.blackbox_test_filter : "./vault/external_tests/blackbox/plugins/${pkg}/..."
+    ] : ["./vault/external_tests/blackbox/plugins/..."]
+  }
+
+  // Run comprehensive plugin blackbox tests
+  step "run_plugin_blackbox_tests" {
+    description = local.is_test_name_filter ? "Run specific plugin tests: ${join(", ", var.blackbox_test_filter)}" : "Run plugin blackbox tests from: ${join(", ", length(var.blackbox_test_filter) > 0 && !local.is_test_name_filter ? var.blackbox_test_filter : ["plugins"])}"
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.get_vault_cluster_ips, step.set_up_plugin_services, step.run_verify_blackbox_tests]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_secrets_ldap_write_config,
+      quality.vault_secrets_kmip_write_config,
+      quality.vault_secrets_kv_read,
+      quality.vault_secrets_kv_write,
+      quality.vault_mount_auth,
+      quality.vault_mount_kv,
+    ]
+
+    variables {
+      leader_host            = step.get_vault_cluster_ips.leader_host
+      leader_public_ip       = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token       = step.create_vault_cluster.root_token
+      test_names             = local.is_test_name_filter ? var.blackbox_test_filter : null
+      test_package           = local.is_test_name_filter ? "./vault/external_tests/blackbox" : join(" ", local.plugin_test_packages)
+      integration_host_state = step.set_up_plugin_services.state
+      vault_edition          = matrix.edition
+    }
+  }
+
+  output "audit_device_file_path" {
+    description = "The file path for the file audit device, if enabled"
+    value       = step.create_vault_cluster.audit_device_file_path
+  }
+
+  output "plugin_services_state" {
+    description = "The external plugin services configuration and state"
+    value       = step.set_up_plugin_services.state
+  }
+
+  output "cluster_name" {
+    description = "The Vault cluster name"
+    value       = step.create_vault_cluster.cluster_name
+  }
+
+  output "hosts" {
+    description = "The Vault cluster target hosts"
+    value       = step.create_vault_cluster.hosts
+  }
+
+  output "private_ips" {
+    description = "The Vault cluster private IPs"
+    value       = step.create_vault_cluster.private_ips
+  }
+
+  output "public_ips" {
+    description = "The Vault cluster public IPs"
+    value       = step.create_vault_cluster.public_ips
+  }
+
+  output "root_token" {
+    description = "The Vault cluster root token"
+    value       = step.create_vault_cluster.root_token
+  }
+
+  output "unseal_keys_b64" {
+    description = "The Vault cluster unseal keys"
+    value       = step.create_vault_cluster.unseal_keys_b64
+  }
+
+  output "unseal_keys_hex" {
+    description = "The Vault cluster unseal keys hex"
+    value       = step.create_vault_cluster.unseal_keys_hex
+  }
+
+  output "plugin_test_results" {
+    description = "Results from plugin blackbox tests"
+    value       = step.run_plugin_blackbox_tests.test_results_summary
+  }
+}
diff --git a/enos/enos-scenario-pr-replication.hcl b/enos/enos-scenario-pr-replication.hcl
index b521a9462c..0dcc6d6478 100644
--- a/enos/enos-scenario-pr-replication.hcl
+++ b/enos/enos-scenario-pr-replication.hcl
@@ -218,11 +218,12 @@ scenario "pr_replication" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -339,7 +340,7 @@ scenario "pr_replication" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -687,9 +688,9 @@ scenario "pr_replication" {
     }
   }
 
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
     depends_on  = [step.get_primary_cluster_ips]
 
     providers = {
@@ -705,14 +706,16 @@ scenario "pr_replication" {
     ]
 
     variables {
-      hosts                 = step.create_primary_cluster_targets.hosts
-      vault_addr            = step.create_primary_cluster.api_addr_localhost
+      leader_host           = step.get_primary_cluster_ips.leader_host
+      leader_public_ip      = step.get_primary_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_primary_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_primary_cluster.root_token
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
     }
   }
 
@@ -777,6 +780,7 @@ scenario "pr_replication" {
       vault_edition          = matrix.edition
       vault_install_dir      = global.vault_install_dir[matrix.artifact_type]
       vault_root_token       = step.create_primary_cluster.root_token
+      vault_audit_log_path   = step.create_primary_cluster.audit_device_file_path
     }
   }
 
@@ -793,7 +797,7 @@ scenario "pr_replication" {
       step.get_secondary_cluster_ips,
       step.verify_secrets_engines_on_primary,
       // Wait base verification to complete...
-      step.verify_vault_version,
+      step.run_verify_blackbox_tests,
       step.verify_ui,
     ]
 
diff --git a/enos/enos-scenario-proxy.hcl b/enos/enos-scenario-proxy.hcl
index 8948949eb4..532ea337a9 100644
--- a/enos/enos-scenario-proxy.hcl
+++ b/enos/enos-scenario-proxy.hcl
@@ -185,11 +185,12 @@ scenario "proxy" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -243,7 +244,7 @@ scenario "proxy" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -459,10 +460,10 @@ scenario "proxy" {
     }
   }
 
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
-    depends_on  = [step.verify_vault_unsealed]
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.verify_vault_unsealed, step.get_vault_cluster_ips]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
@@ -477,14 +478,17 @@ scenario "proxy" {
     ]
 
     variables {
-      hosts                 = step.create_vault_cluster_targets.hosts
-      vault_addr            = step.create_vault_cluster.api_addr_localhost
+      leader_host           = step.get_vault_cluster_ips.leader_host
+      leader_public_ip      = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_vault_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_vault_cluster.root_token
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
+
     }
   }
 
@@ -532,6 +536,7 @@ scenario "proxy" {
       vault_edition          = matrix.edition
       vault_install_dir      = global.vault_install_dir[matrix.artifact_type]
       vault_root_token       = step.create_vault_cluster.root_token
+      vault_audit_log_path   = step.create_vault_cluster.audit_device_file_path
     }
   }
 
diff --git a/enos/enos-scenario-seal-ha.hcl b/enos/enos-scenario-seal-ha.hcl
index 37c27f6910..460c744bb0 100644
--- a/enos/enos-scenario-seal-ha.hcl
+++ b/enos/enos-scenario-seal-ha.hcl
@@ -217,11 +217,12 @@ scenario "seal_ha" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -275,7 +276,7 @@ scenario "seal_ha" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -472,7 +473,8 @@ scenario "seal_ha" {
     depends_on = [
       step.create_vault_cluster,
       step.get_vault_cluster_ips,
-      step.verify_vault_unsealed
+      step.verify_vault_unsealed,
+      step.set_up_external_integration_target,
     ]
 
     providers = {
@@ -511,6 +513,7 @@ scenario "seal_ha" {
       vault_edition          = matrix.edition
       vault_install_dir      = global.vault_install_dir[matrix.artifact_type]
       vault_root_token       = step.create_vault_cluster.root_token
+      vault_audit_log_path   = step.create_vault_cluster.audit_device_file_path
     }
   }
 
@@ -758,10 +761,10 @@ scenario "seal_ha" {
   }
 
   // Perform all of our standard verifications after we've enabled multiseal
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
-    depends_on  = [step.wait_for_seal_rewrap]
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.wait_for_seal_rewrap, step.get_vault_cluster_ips]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
@@ -776,14 +779,17 @@ scenario "seal_ha" {
     ]
 
     variables {
-      hosts                 = step.create_vault_cluster_targets.hosts
-      vault_addr            = step.create_vault_cluster.api_addr_localhost
+      leader_host           = step.get_vault_cluster_ips.leader_host
+      leader_public_ip      = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_vault_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_vault_cluster.root_token
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
+
     }
   }
 
@@ -861,34 +867,6 @@ scenario "seal_ha" {
     }
   }
 
-  step "verify_log_secrets" {
-    skip_step = !var.vault_enable_audit_devices || !var.verify_log_secrets
-
-    description = global.description.verify_log_secrets
-    module      = module.verify_log_secrets
-    depends_on = [
-      step.verify_secrets_engines_read,
-    ]
-
-    providers = {
-      enos = local.enos_provider[matrix.distro]
-    }
-
-    verifies = [
-      quality.vault_audit_log_secrets,
-      quality.vault_journal_secrets,
-      quality.vault_radar_index_create,
-      quality.vault_radar_scan_file,
-    ]
-
-    variables {
-      audit_log_file_path = step.create_vault_cluster.audit_device_file_path
-      leader_host         = step.get_updated_cluster_ips.leader_host
-      vault_addr          = step.create_vault_cluster.api_addr_localhost
-      vault_root_token    = step.create_vault_cluster.root_token
-    }
-  }
-
   step "verify_ui" {
     description = global.description.verify_ui
     module      = module.vault_verify_ui
@@ -936,7 +914,6 @@ scenario "seal_ha" {
     depends_on = [
       step.wait_for_seal_rewrap,
       step.verify_secrets_engines_read,
-      step.verify_log_secrets,
     ]
 
     providers = {
@@ -1139,6 +1116,34 @@ scenario "seal_ha" {
     }
   }
 
+  step "verify_log_secrets" {
+    skip_step = !var.vault_enable_audit_devices || !var.verify_log_secrets
+
+    description = global.description.verify_log_secrets
+    module      = module.verify_log_secrets
+    depends_on = [
+      step.verify_secrets_engines_read_after_migration
+    ]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_audit_log_secrets,
+      quality.vault_journal_secrets,
+      quality.vault_radar_index_create,
+      quality.vault_radar_scan_file,
+    ]
+
+    variables {
+      audit_log_file_path = step.create_vault_cluster.audit_device_file_path
+      leader_host         = step.get_updated_cluster_ips.leader_host
+      vault_addr          = step.create_vault_cluster.api_addr_localhost
+      vault_root_token    = step.create_vault_cluster.root_token
+    }
+  }
+
   output "audit_device_file_path" {
     description = "The file path for the file audit device, if enabled"
     value       = step.create_vault_cluster.audit_device_file_path
diff --git a/enos/enos-scenario-smoke-sdk.hcl b/enos/enos-scenario-smoke-sdk.hcl
index 9962956a47..25d7de073c 100644
--- a/enos/enos-scenario-smoke-sdk.hcl
+++ b/enos/enos-scenario-smoke-sdk.hcl
@@ -70,6 +70,11 @@ scenario "smoke_sdk" {
       ip_version = ["6"]
       backend    = ["consul"]
     }
+
+    // smoke_sdk scenario cannot be run in CE
+    exclude {
+      edition = ["ce"]
+    }
   }
 
   terraform_cli = terraform_cli.default
@@ -173,11 +178,12 @@ scenario "smoke_sdk" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -231,7 +237,7 @@ scenario "smoke_sdk" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -405,45 +411,41 @@ scenario "smoke_sdk" {
     }
   }
 
-  // Define smoke test suite
   locals {
-    smoke_tests = [
-      "TestStepdownAndLeaderElection",
-      "TestSecretsEngineCreate",
-      "TestUnsealedStatus",
-      "TestVaultVersion",
-      "TestSecretsEngineRead",
-      "TestReplicationStatus",
-      "TestUIAssets",
-      "TestSecretsEngineDelete"
-    ]
+    // Default test packages for smoke_sdk scenario
+    // TODO: "integration" has been removed from the default packages pending
+    // a restructure to handle tests that mutate the cluster via sys endpoints.
+    default_test_packages = ["core", "secrets", "replication", "raft"]
 
-    // Add backend-specific tests
-    smoke_tests_with_backend = concat(
-      local.smoke_tests,
-      matrix.backend == "raft" ? [
-        "TestRaftVoters",
-        "TestNodeRemovalAndRejoin"
-      ] : []
-    )
+    // Determine if filter contains test names (starts with "Test") or package names
+    is_test_name_filter = length(var.blackbox_test_filter) > 0 && length([for t in var.blackbox_test_filter : t if can(regex("^Test", t))]) > 0
+
+    // Convert package names to directory paths, or use defaults
+    test_packages = length(var.blackbox_test_filter) > 0 && !local.is_test_name_filter ? [
+      for pkg in var.blackbox_test_filter : "./vault/external_tests/blackbox/${pkg}/..."
+      ] : [
+      for pkg in local.default_test_packages : "./vault/external_tests/blackbox/${pkg}/..."
+    ]
   }
 
-  // Run all blackbox SDK smoke tests
+  // Run all blackbox SDK smoke tests using directory-based organization
   step "run_blackbox_tests" {
-    description = "Run blackbox SDK smoke tests: ${join(", ", local.smoke_tests_with_backend)}"
+    description = local.is_test_name_filter ? "Run specific blackbox tests: ${join(", ", var.blackbox_test_filter)}" : "Run blackbox SDK tests from packages: ${join(", ", length(var.blackbox_test_filter) > 0 ? var.blackbox_test_filter : local.default_test_packages)}"
     module      = module.vault_run_blackbox_test
-    depends_on  = [step.get_vault_cluster_ips]
+    depends_on  = [step.get_vault_cluster_ips, step.set_up_external_integration_target]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
     }
 
     variables {
-      leader_host      = step.get_vault_cluster_ips.leader_host
-      leader_public_ip = step.get_vault_cluster_ips.leader_public_ip
-      vault_root_token = step.create_vault_cluster.root_token
-      test_names       = local.smoke_tests_with_backend
-      test_package     = "./vault/external_tests/blackbox"
+      leader_host            = step.get_vault_cluster_ips.leader_host
+      leader_public_ip       = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token       = step.create_vault_cluster.root_token
+      test_names             = local.is_test_name_filter ? var.blackbox_test_filter : null
+      test_package           = local.is_test_name_filter ? "./vault/external_tests/blackbox" : join(" ", local.test_packages)
+      integration_host_state = step.set_up_external_integration_target.state
+      vault_edition          = matrix.edition
     }
   }
 
@@ -502,4 +504,9 @@ scenario "smoke_sdk" {
     description = "The Vault cluster unseal keys hex"
     value       = step.create_vault_cluster.unseal_keys_hex
   }
+
+  output "smoke_test_results" {
+    description = "Results from smoke blackbox tests"
+    value       = step.run_blackbox_tests.test_results_summary
+  }
 }
diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl
index 8963999901..d7b8d9c667 100644
--- a/enos/enos-scenario-smoke.hcl
+++ b/enos/enos-scenario-smoke.hcl
@@ -175,11 +175,12 @@ scenario "smoke" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -233,7 +234,7 @@ scenario "smoke" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -501,10 +502,10 @@ scenario "smoke" {
     }
   }
 
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
-    depends_on  = [step.verify_vault_unsealed]
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.verify_vault_unsealed, step.get_vault_cluster_ips]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
@@ -519,18 +520,20 @@ scenario "smoke" {
     ]
 
     variables {
-      hosts                 = step.create_vault_cluster_targets.hosts
-      vault_addr            = step.create_vault_cluster.api_addr_localhost
+      leader_host           = step.get_vault_cluster_ips.leader_host
+      leader_public_ip      = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_vault_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_vault_cluster.root_token
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
+      ip_version            = matrix.ip_version
     }
   }
 
-
   step "verify_raft_auto_join_voter" {
     description = global.description.verify_raft_cluster_all_nodes_are_voters
     skip_step   = matrix.backend != "raft"
@@ -597,7 +600,7 @@ scenario "smoke" {
     depends_on = [
       step.get_vault_cluster_ips,
       step.vault_remove_node_and_verify,
-      step.verify_vault_version
+      step.run_verify_blackbox_tests
     ]
 
     providers = {
@@ -636,13 +639,14 @@ scenario "smoke" {
       vault_edition          = matrix.edition
       vault_install_dir      = global.vault_install_dir[matrix.artifact_type]
       vault_root_token       = step.create_vault_cluster.root_token
+      vault_audit_log_path   = step.create_vault_cluster.audit_device_file_path
     }
   }
 
   step "verify_replication" {
     description = global.description.verify_replication_status
-    module      = module.vault_verify_replication
-    depends_on  = [step.vault_remove_node_and_verify]
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.vault_remove_node_and_verify, step.get_vault_cluster_ips]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
@@ -655,9 +659,14 @@ scenario "smoke" {
     ]
 
     variables {
-      hosts         = step.create_vault_cluster_targets.hosts
-      vault_addr    = step.create_vault_cluster.api_addr_localhost
-      vault_edition = matrix.edition
+      leader_host       = step.get_vault_cluster_ips.leader_host
+      leader_public_ip  = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token  = step.create_vault_cluster.root_token
+      test_package      = "./vault/external_tests/blackbox/verify"
+      test_names        = ["TestReplicationAvailability"]
+      vault_edition     = matrix.edition
+      vault_install_dir = global.vault_install_dir[matrix.artifact_type]
+      ip_version        = matrix.ip_version
     }
   }
 
diff --git a/enos/enos-scenario-upgrade.hcl b/enos/enos-scenario-upgrade.hcl
index a1a4c5aefd..e4e3795e1c 100644
--- a/enos/enos-scenario-upgrade.hcl
+++ b/enos/enos-scenario-upgrade.hcl
@@ -36,6 +36,8 @@ scenario "upgrade" {
       - vault_artifact_path (the path to where you have a Vault artifact already downloaded,
       if using `artifact_source:crt` in your filter)
       - vault_license_path (if using an ENT edition of Vault)
+      - vault_ibm_license_path (if wanting to test a license update, which requires an IBM PAO license file to be provided as a variable.
+      Note: to obtain a test IBM license, please see https://github.com/hashicorp/vault-enterprise/pull/12661#discussion_r2914617420)
       - vault_upgrade_initial_version (if the version you want to start with differs
       from the default value defined in enos-variables.hcl)
   EOF
@@ -52,6 +54,7 @@ scenario "upgrade" {
     edition         = global.editions
     ip_version      = global.ip_versions
     seal            = global.seals
+    license_update  = ["ibm", "none"]
 
     // Our local builder always creates bundles
     exclude {
@@ -101,7 +104,9 @@ scenario "upgrade" {
       sles   = provider.enos.ec2_user
       ubuntu = provider.enos.ubuntu
     }
-    manage_service = matrix.artifact_type == "bundle"
+    manage_service            = matrix.artifact_type == "bundle"
+    vault_ibm_license_path    = abspath(var.vault_ibm_license_path != null ? var.vault_ibm_license_path : joinpath(path.root, "./support/ibm-pao.lic"))
+    vault_ibm_license_edition = var.vault_ibm_license_edition != null ? var.vault_ibm_license_edition : "premium"
   }
 
   step "build_vault" {
@@ -187,11 +192,12 @@ scenario "upgrade" {
     }
 
     variables {
-      ami_id          = step.ec2_info.ami_ids["arm64"]["ubuntu"]["24.04"]
-      cluster_tag_key = global.vault_tag_key
-      common_tags     = global.tags
-      instance_count  = 1
-      vpc_id          = step.create_vpc.id
+      ami_id           = step.ec2_info.ami_ids["arm64"]["ubuntu"]["26.04"]
+      cluster_tag_key  = global.vault_tag_key
+      common_tags      = global.tags
+      instance_count   = 1
+      root_volume_size = 64
+      vpc_id           = step.create_vpc.id
     }
   }
 
@@ -245,7 +251,7 @@ scenario "upgrade" {
     variables {
       hosts      = step.create_external_integration_target.hosts
       ip_version = matrix.ip_version
-      packages   = concat(global.packages, global.distro_packages["ubuntu"]["24.04"], ["podman", "podman-docker"])
+      packages   = concat(global.packages, global.distro_packages["ubuntu"]["26.04"], ["podman", "podman-docker"])
       ports      = global.integration_host_ports
     }
   }
@@ -470,8 +476,38 @@ scenario "upgrade" {
       vault_addr             = step.create_vault_cluster.api_addr_localhost
       vault_edition          = matrix.edition
       // Use the install dir for our initial version, which always comes from a zip bundle
-      vault_install_dir = global.vault_install_dir["bundle"]
-      vault_root_token  = step.create_vault_cluster.root_token
+      vault_install_dir    = global.vault_install_dir["bundle"]
+      vault_root_token     = step.create_vault_cluster.root_token
+      vault_audit_log_path = step.create_vault_cluster.audit_device_file_path
+    }
+  }
+
+  step "update_license_ibm" {
+    description = <<-EOF
+      If the matrix is configured to test a license update and the Vault version supports it, perform a license update
+      from a HashiCorp Vault license to an IBM PAO license. This step only updates the license file on disk, the
+      new license won't be in effect until after the upgrade_vault step restarts the Vault service.
+    EOF
+    skip_step   = matrix.license_update == "none" || semverconstraint(var.vault_product_version, "<2.0.0-0") || matrix.edition == "ce"
+    module      = module.vault_update_license_ibm
+    depends_on = [
+      step.read_vault_license,
+      step.create_vault_cluster,
+      step.verify_secrets_engines_create,
+    ]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_license_update_ibm
+    ]
+
+    variables {
+      hosts                     = step.create_vault_cluster_targets.hosts
+      vault_ibm_license_path    = local.vault_ibm_license_path
+      vault_ibm_license_edition = local.vault_ibm_license_edition
     }
   }
 
@@ -485,7 +521,7 @@ scenario "upgrade" {
     module      = module.vault_upgrade
     depends_on = [
       step.create_vault_cluster,
-      step.verify_secrets_engines_create,
+      (matrix.license_update == "none" || semverconstraint(var.vault_product_version, "<2.0.0-0") || matrix.edition == "ce") ? step.verify_secrets_engines_create : step.update_license_ibm,
     ]
 
     providers = {
@@ -660,10 +696,10 @@ scenario "upgrade" {
     }
   }
 
-  step "verify_vault_version" {
-    description = global.description.verify_vault_version
-    module      = module.vault_verify_version
-    depends_on  = [step.verify_vault_unsealed]
+  step "run_verify_blackbox_tests" {
+    description = global.description.run_verify_blackbox_tests
+    module      = module.vault_run_blackbox_test
+    depends_on  = [step.verify_vault_unsealed, step.get_vault_cluster_ips]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
@@ -678,14 +714,17 @@ scenario "upgrade" {
     ]
 
     variables {
-      hosts                 = step.create_vault_cluster_targets.hosts
-      vault_addr            = step.create_vault_cluster.api_addr_localhost
+      leader_host           = step.get_vault_cluster_ips.leader_host
+      leader_public_ip      = step.get_vault_cluster_ips.leader_public_ip
+      vault_root_token      = step.create_vault_cluster.root_token
+      test_package          = "./vault/external_tests/blackbox/verify"
+      test_names            = ["TestVaultServerVersion"]
       vault_edition         = matrix.edition
-      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
       vault_product_version = matrix.artifact_source == "local" ? step.get_local_metadata.version : var.vault_product_version
       vault_revision        = matrix.artifact_source == "local" ? step.get_local_metadata.revision : var.vault_revision
       vault_build_date      = matrix.artifact_source == "local" ? step.get_local_metadata.build_date : var.vault_build_date
-      vault_root_token      = step.create_vault_cluster.root_token
+      vault_install_dir     = global.vault_install_dir[matrix.artifact_type]
+
     }
   }
 
@@ -722,6 +761,35 @@ scenario "upgrade" {
     }
   }
 
+  step "verify_ibm_license_update" {
+    description = <<-EOF
+      If the update_license_ibm step was executed, verify that the new IBM license is now being used.
+    EOF
+    skip_step   = matrix.license_update == "none" || semverconstraint(var.vault_product_version, "<2.0.0-0") || matrix.edition == "ce"
+    module      = module.vault_verify_ibm_license_update
+    depends_on = [
+      step.update_license_ibm,
+      step.upgrade_vault,
+      step.verify_secrets_engines_read,
+    ]
+
+    providers = {
+      enos = local.enos_provider[matrix.distro]
+    }
+
+    verifies = [
+      quality.vault_license_update_ibm,
+    ]
+
+    variables {
+      hosts                     = step.create_vault_cluster_targets.hosts
+      vault_addr                = step.create_vault_cluster.api_addr_localhost
+      vault_install_dir         = global.vault_install_dir[matrix.artifact_type]
+      vault_root_token          = step.create_vault_cluster.root_token
+      vault_ibm_license_edition = local.vault_ibm_license_edition
+    }
+  }
+
   step "verify_log_secrets" {
     // Only verify log secrets if the audit devices are turned on and we've enabled the check (as
     // it requires a radar license). Some older versions have known issues so we'll skip this step
@@ -731,7 +799,7 @@ scenario "upgrade" {
     description = global.description.verify_log_secrets
     module      = module.verify_log_secrets
     depends_on = [
-      step.verify_secrets_engines_read,
+      (matrix.license_update == "none" || semverconstraint(var.vault_product_version, "<2.0.0-0") || matrix.edition == "ce") ? step.verify_secrets_engines_read : step.verify_ibm_license_update,
     ]
 
     providers = {
@@ -746,10 +814,11 @@ scenario "upgrade" {
     ]
 
     variables {
-      audit_log_file_path = step.create_vault_cluster.audit_device_file_path
-      leader_host         = step.get_updated_vault_cluster_ips.leader_host
-      vault_addr          = step.create_vault_cluster.api_addr_localhost
-      vault_root_token    = step.create_vault_cluster.root_token
+      audit_log_file_path           = step.create_vault_cluster.audit_device_file_path
+      leader_host                   = step.get_updated_vault_cluster_ips.leader_host
+      vault_addr                    = step.create_vault_cluster.api_addr_localhost
+      vault_root_token              = step.create_vault_cluster.root_token
+      vault_ibm_license_customer_id = (matrix.license_update == "none" || semverconstraint(var.vault_product_version, "<2.0.0-0") || matrix.edition == "ce") ? "" : step.verify_ibm_license_update.customer_id
     }
   }
 
diff --git a/enos/enos-variables.hcl b/enos/enos-variables.hcl
index ba899a1f4f..3943309aaf 100644
--- a/enos/enos-variables.hcl
+++ b/enos/enos-variables.hcl
@@ -62,6 +62,12 @@ variable "backend_log_level" {
   default     = "trace"
 }
 
+variable "blackbox_test_filter" {
+  type        = list(string)
+  description = "Override list of specific blackbox test packages (e.g., ['core', 'secrets']) or test names (e.g., ['TestUnsealedStatus']). Empty list uses scenario defaults. Package names are converted to directory paths automatically."
+  default     = []
+}
+
 variable "distro_version_amzn" {
   description = "The version of Amazon Linux 2 to use"
   type        = string
@@ -83,7 +89,7 @@ variable "distro_version_sles" {
 variable "distro_version_ubuntu" {
   description = "The version of Ubuntu Linux to use"
   type        = string
-  default     = "24.04" // or "22.04"
+  default     = "26.04" // or "22.04" or "24.04"
 }
 
 variable "project_name" {
@@ -157,6 +163,18 @@ variable "vault_license_path" {
   default     = null
 }
 
+variable "vault_ibm_license_path" {
+  description = "The path to a valid IBM PAO license. This is only required when testing a license update during the upgrade scenario"
+  type        = string
+  default     = null
+}
+
+variable "vault_ibm_license_edition" {
+  description = "The edition to select when using an IBM PAO license. This should match the edition of a valid Vault entitlement in the license located at var.vault_ibm_license_path."
+  type        = string
+  default     = null
+}
+
 variable "vault_local_build_tags" {
   description = "The build tags to pass to the Go compiler for builder:local variants"
   type        = list(string)
@@ -202,17 +220,17 @@ variable "verify_aws_secrets_engine" {
 variable "verify_kmip_secrets_engine" {
   description = "If true we'll verify KMIP secrets engines behavior"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "verify_ldap_secrets_engine" {
   description = "If true we'll verify LDAP secrets engines behavior"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "verify_log_secrets" {
   description = "If true and var.vault_enable_audit_devices is true we'll verify that the audit log does not contain unencrypted secrets. Requires var.vault_radar_license_path to be set to a valid license file."
   type        = bool
-  default     = false
+  default     = false // Only because it requires a Vault Radar license
 }
diff --git a/enos/enos.vars.hcl b/enos/enos.vars.hcl
index b57d6c54db..f4704ea1f8 100644
--- a/enos/enos.vars.hcl
+++ b/enos/enos.vars.hcl
@@ -44,7 +44,7 @@
 // distro_version_sles = "16.0" // or "15.7"
 
 // distro_version_ubuntu is the version of ubuntu to use for "distro:ubuntu" variants
-// distro_version_ubuntu = "22.04" // or "24.04"
+// distro_version_ubuntu = "22.04" // or "26.04"
 
 // tags are a map of tags that will be applied to infrastructure resources that
 // support tagging.
@@ -113,3 +113,6 @@
 // vault_revision is the git sha of Vault artifact we are testing. Some validations will expect the vault
 // binary and cluster to report this revision.
 // vault_revision = "df733361af26f8bb29b63704168bbc5ab8d083de"
+
+// vault_radar_license_path is the path to a valid Vault Radar path.
+// vault_radar_license_path = "./support/vault-radar.hclic"
diff --git a/enos/k8s/enos-providers-k8s.hcl b/enos/k8s/enos-providers-k8s.hcl
index 48ea5d826d..613055d7af 100644
--- a/enos/k8s/enos-providers-k8s.hcl
+++ b/enos/k8s/enos-providers-k8s.hcl
@@ -4,7 +4,7 @@
 provider "enos" "default" {}
 
 provider "helm" "default" {
-  kubernetes {
+  kubernetes = {
     config_path = abspath(joinpath(path.root, "kubeconfig"))
   }
 }
diff --git a/enos/modules/artifact/metadata/main.tf b/enos/modules/artifact/metadata/main.tf
index 6c6d3a1acb..575649c198 100644
--- a/enos/modules/artifact/metadata/main.tf
+++ b/enos/modules/artifact/metadata/main.tf
@@ -157,6 +157,7 @@ locals {
     ubuntu = {
       "22.04" = local.release_path_deb,
       "24.04" = local.release_path_deb,
+      "26.04" = local.release_path_deb,
     }
   }
   release_paths = local.release_path_distro[var.distro]
diff --git a/enos/modules/build_local/scripts/build.sh b/enos/modules/build_local/scripts/build.sh
index ae69ce3980..48bf05022d 100755
--- a/enos/modules/build_local/scripts/build.sh
+++ b/enos/modules/build_local/scripts/build.sh
@@ -22,7 +22,9 @@ root_dir="$(git rev-parse --show-toplevel)"
 pushd "$root_dir" > /dev/null
 
 if [ -n "$BUILD_UI" ] && [ "$BUILD_UI" = "true" ]; then
-  make ci-build-ui
+  if ! output=$(make ci-build-ui 2>&1); then
+    echo "Failed to build the UI assets. Make sure you have the required node version (defined in ui/package.json) install and have set up pnpm (npm i -g pnpm): ${output}" 1>&2
+  fi
 fi
 
 make ci-build
diff --git a/enos/modules/cloud_docker_vault_cluster/main.tf b/enos/modules/cloud_docker_vault_cluster/main.tf
index 8248e2c773..0500612b11 100644
--- a/enos/modules/cloud_docker_vault_cluster/main.tf
+++ b/enos/modules/cloud_docker_vault_cluster/main.tf
@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2016, 2025
 # SPDX-License-Identifier: BUSL-1.1
 
 terraform {
@@ -152,6 +152,8 @@ locals {
       tls_disable = true
     }
 
+    administrative_namespace_path = "admin"
+
     storage "raft" {
       path = "/vault/data"
       node_id = "node%s"
diff --git a/enos/modules/database_container/main.tf b/enos/modules/database_container/main.tf
new file mode 100644
index 0000000000..68209c6048
--- /dev/null
+++ b/enos/modules/database_container/main.tf
@@ -0,0 +1,83 @@
+# Copyright IBM Corp. 2016, 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+  required_providers {
+    enos = {
+      source = "registry.terraform.io/hashicorp-forge/enos"
+    }
+  }
+}
+
+locals {
+  # Database-specific configurations
+  database_configs = {
+    postgres = {
+      image_template = "docker.io/postgres:${var.db_version}"
+      env_vars = {
+        POSTGRES_USER     = var.username
+        POSTGRES_PASSWORD = var.password
+        POSTGRES_DB       = var.database
+      }
+    }
+    mongodb = {
+      image_template = "docker.io/mongo:${var.db_version}"
+      env_vars = {
+        MONGO_INITDB_ROOT_USERNAME = var.username
+        MONGO_INITDB_ROOT_PASSWORD = var.password
+        MONGO_INITDB_DATABASE      = var.database
+      }
+      args = "--bind_ip_all"
+    }
+    mysql = {
+      image_template = "docker.io/mysql:${var.db_version}"
+      env_vars = {
+        MYSQL_ROOT_PASSWORD = var.password
+        MYSQL_USER          = var.username
+        MYSQL_PASSWORD      = var.password
+        MYSQL_DATABASE      = var.database
+      }
+    }
+  }
+
+  config       = local.database_configs[var.database_type]
+  image        = local.config.image_template
+  env_vars_map = local.config.env_vars
+  env_vars     = join(",", [for k, v in local.env_vars_map : "${k}=${v}"])
+  args         = try(local.config.args, "")
+}
+
+# Creating Database Server using generic container script
+resource "enos_remote_exec" "create_database" {
+  depends_on = [var.depends_on_modules]
+
+  scripts = [abspath("${path.module}/../../modules/set_up_external_integration_target/scripts/start-container.sh")]
+
+  environment = {
+    CONTAINER_IMAGE = local.image
+    CONTAINER_NAME  = "${var.database_type}-${var.instance_name}"
+    CONTAINER_PORTS = var.port
+    CONTAINER_ENVS  = local.env_vars
+    CONTAINER_ARGS  = local.args
+  }
+
+  transport = {
+    ssh = {
+      host = var.host.public_ip
+    }
+  }
+}
+
+# Outputs
+output "config" {
+  description = "Database configuration details"
+  value = {
+    type     = var.database_type
+    username = var.username
+    password = var.password
+    database = var.database
+    version  = var.db_version
+    port     = var.port
+    host     = var.host
+  }
+}
diff --git a/enos/modules/database_container/variables.tf b/enos/modules/database_container/variables.tf
new file mode 100644
index 0000000000..1729e9ed67
--- /dev/null
+++ b/enos/modules/database_container/variables.tf
@@ -0,0 +1,58 @@
+# Copyright IBM Corp. 2016, 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+variable "database_type" {
+  description = "Type of database to create (postgres, mongodb, mysql)"
+  type        = string
+  validation {
+    condition     = contains(["postgres", "mongodb", "mysql"], var.database_type)
+    error_message = "database_type must be one of: postgres, mongodb, mysql"
+  }
+}
+
+variable "db_version" {
+  description = "Database version to use"
+  type        = string
+}
+
+variable "username" {
+  description = "Database username"
+  type        = string
+}
+
+variable "password" {
+  description = "Database password"
+  type        = string
+  sensitive   = true
+}
+
+variable "database" {
+  description = "Database name"
+  type        = string
+}
+
+variable "port" {
+  description = "Database port"
+  type        = number
+}
+
+variable "host" {
+  description = "Host configuration with public_ip"
+  type = object({
+    public_ip  = string
+    private_ip = string
+    ipv6       = optional(string)
+  })
+}
+
+variable "instance_name" {
+  description = "Unique instance name for the container (defaults to 'default')"
+  type        = string
+  default     = "default"
+}
+
+variable "depends_on_modules" {
+  description = "List of modules this depends on"
+  type        = list(any)
+  default     = []
+}
diff --git a/enos/modules/docker_namespace_token/main.tf b/enos/modules/docker_namespace_token/main.tf
index 69ad34d8d9..5342428d1d 100644
--- a/enos/modules/docker_namespace_token/main.tf
+++ b/enos/modules/docker_namespace_token/main.tf
@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2016, 2025
 # SPDX-License-Identifier: BUSL-1.1
 
 variable "vault_root_token" {
diff --git a/enos/modules/docker_network/main.tf b/enos/modules/docker_network/main.tf
index bea258681d..81a3d1d1fe 100644
--- a/enos/modules/docker_network/main.tf
+++ b/enos/modules/docker_network/main.tf
@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2016, 2025
 # SPDX-License-Identifier: BUSL-1.1
 
 terraform {
diff --git a/enos/modules/ec2_info/main.tf b/enos/modules/ec2_info/main.tf
index f66425c142..7bdf913915 100644
--- a/enos/modules/ec2_info/main.tf
+++ b/enos/modules/ec2_info/main.tf
@@ -27,6 +27,7 @@ locals {
       "ubuntu" = {
         "22.04" = data.aws_ami.ubuntu_2204["arm64"].id
         "24.04" = data.aws_ami.ubuntu_2404["arm64"].id
+        "26.04" = data.aws_ami.ubuntu_2604["arm64"].id
       }
     }
     "amd64" = {
@@ -46,6 +47,7 @@ locals {
       "ubuntu" = {
         "22.04" = data.aws_ami.ubuntu_2204["x86_64"].id
         "24.04" = data.aws_ami.ubuntu_2404["x86_64"].id
+        "26.04" = data.aws_ami.ubuntu_2604["x86_64"].id
       }
     }
   }
@@ -229,6 +231,28 @@ data "aws_ami" "ubuntu_2404" {
   owners = [local.canonical_owner_id]
 }
 
+data "aws_ami" "ubuntu_2604" {
+  most_recent = true
+  for_each    = local.architectures
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd-gp3/ubuntu-resolute-26.04-*-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = [each.value]
+  }
+
+  owners = [local.canonical_owner_id]
+}
+
 data "aws_region" "current" {}
 
 data "aws_availability_zones" "available" {
@@ -245,7 +269,7 @@ output "ami_ids" {
 }
 
 output "current_region" {
-  value = data.aws_region.current
+  value = data.aws_region.current.name
 }
 
 output "availability_zones" {
diff --git a/enos/modules/k8s_deploy_vault/main.tf b/enos/modules/k8s_deploy_vault/main.tf
index 73aee7fa79..09f46a65c0 100644
--- a/enos/modules/k8s_deploy_vault/main.tf
+++ b/enos/modules/k8s_deploy_vault/main.tf
@@ -11,30 +11,40 @@ terraform {
 
     helm = {
       source  = "hashicorp/helm"
-      version = "2.6.0"
+      version = "3.1.1"
     }
   }
 }
 
 locals {
-  helm_chart_settings = {
-    "server.ha.enabled"             = "true"
-    "server.ha.replicas"            = var.vault_instance_count
-    "server.ha.raft.enabled"        = "true"
-    "server.affinity"               = ""
-    "server.image.repository"       = var.image_repository
-    "server.image.tag"              = var.image_tag
-    "server.image.pullPolicy"       = "Never" # Forces local image use
-    "server.resources.requests.cpu" = "50m"
-    "server.limits.memory"          = "200m"
-    "server.limits.cpu"             = "200m"
-    "server.ha.raft.config"         = file("${abspath(path.module)}/raft-config.hcl")
-    "server.dataStorage.size"       = "100m"
-    "server.logLevel"               = var.vault_log_level
+  chart_settings = {
+    "server.affinity"                                                       = ""
+    "server.dataStorage.size"                                               = "100m"
+    "server.ha.enabled"                                                     = "true"
+    "server.ha.raft.config"                                                 = file("${abspath(path.module)}/raft-config.hcl")
+    "server.ha.raft.enabled"                                                = "true"
+    "server.ha.replicas"                                                    = var.vault_instance_count
+    "server.image.pullPolicy"                                               = "Never" # Forces local image use
+    "server.image.repository"                                               = var.image_repository
+    "server.image.tag"                                                      = var.image_tag
+    "server.limits.cpu"                                                     = "200m"
+    "server.limits.memory"                                                  = "200m"
+    "server.logLevel"                                                       = var.vault_log_level
+    "server.resources.requests.cpu"                                         = "50m"
+    "server.statefulSet.securityContext.container.allowPrivilegeEscalation" = "false"
+    "server.statefulSet.securityContext.pod.runAsNonRoot"                   = "true"
+    "server.statefulSet.securityContext.pod.runAsGroup"                     = "1000"
+    "server.statefulSet.securityContext.pod.runAsUser"                      = "100"
+    "server.statefulSet.securityContext.pod.fsGroup"                        = "1000"
   }
-  all_helm_chart_settings = var.ent_license == null ? local.helm_chart_settings : merge(local.helm_chart_settings, {
+  all_chart_settings = var.ent_license == null ? local.chart_settings : merge(local.chart_settings, {
     "server.extraEnvironmentVars.VAULT_LICENSE" = var.ent_license
   })
+  chart_list_settings = {
+    "server.statefulSet.securityContext.container.capabilities.add" = [
+      "IPC_LOCK",
+    ],
+  }
 
   vault_address = "http://127.0.0.1:8200"
 
@@ -50,14 +60,8 @@ resource "helm_release" "vault" {
   repository = "https://helm.releases.hashicorp.com"
   chart      = "vault"
 
-  dynamic "set" {
-    for_each = local.all_helm_chart_settings
-
-    content {
-      name  = set.key
-      value = set.value
-    }
-  }
+  set      = [for k, v in local.all_chart_settings : { name : k, value : v }]
+  set_list = [for k, v in local.chart_list_settings : { name : k, value : v }]
 }
 
 data "enos_kubernetes_pods" "vault_pods" {
diff --git a/enos/modules/ldap_wait_for_search/main.tf b/enos/modules/ldap_wait_for_search/main.tf
new file mode 100644
index 0000000000..402143e022
--- /dev/null
+++ b/enos/modules/ldap_wait_for_search/main.tf
@@ -0,0 +1,89 @@
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+  required_providers {
+    enos = {
+      source = "registry.terraform.io/hashicorp-forge/enos"
+    }
+  }
+}
+
+variable "hosts" {
+  description = "The target machines to run the test query from"
+  type = map(object({
+    ipv6       = string
+    private_ip = string
+    public_ip  = string
+  }))
+}
+
+variable "ldap_base_dn" {
+  type        = string
+  description = "The LDAP base dn to search from"
+}
+
+variable "ldap_bind_dn" {
+  type        = string
+  description = "The LDAP bind dn"
+}
+
+variable "ldap_host" {
+  type = object({
+    ipv6       = string
+    private_ip = string
+    public_ip  = string
+  })
+  description = "The LDAP host"
+}
+
+variable "ldap_password" {
+  type        = string
+  description = "The LDAP password"
+}
+
+variable "ldap_port" {
+  type        = string
+  description = "The LDAP port"
+}
+
+variable "ldap_query" {
+  type        = string
+  description = "The LDAP query to use when testing the connection"
+  default     = null
+}
+
+variable "retry_interval" {
+  type        = number
+  description = "How many seconds to wait between each retry"
+  default     = 2
+}
+
+variable "timeout" {
+  type        = number
+  description = "The max number of seconds to wait before timing out"
+  default     = 60
+}
+
+# Wait for the search to succeed
+resource "enos_remote_exec" "wait_for_search" {
+  for_each = var.hosts
+
+  environment = {
+    LDAP_BASE_DN    = var.ldap_base_dn
+    LDAP_BIND_DN    = var.ldap_bind_dn
+    LDAP_HOST       = var.ldap_host.public_ip
+    LDAP_PASSWORD   = var.ldap_password
+    LDAP_PORT       = var.ldap_port
+    LDAP_QUERY      = var.ldap_query == null ? "" : var.ldap_query
+    RETRY_INTERVAL  = var.retry_interval
+    TIMEOUT_SECONDS = var.timeout
+  }
+  scripts = [abspath("${path.module}/scripts/wait-for-search.sh")]
+
+  transport = {
+    ssh = {
+      host = each.value.public_ip
+    }
+  }
+}
diff --git a/enos/modules/ldap_wait_for_search/scripts/wait-for-search.sh b/enos/modules/ldap_wait_for_search/scripts/wait-for-search.sh
new file mode 100755
index 0000000000..08a94938be
--- /dev/null
+++ b/enos/modules/ldap_wait_for_search/scripts/wait-for-search.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$LDAP_BASE_DN" ]] && fail "LDAP_BASE_DN env variable has not been set"
+[[ -z "$LDAP_BIND_DN" ]] && fail "LDAP_BIND_DN env variable has not been set"
+[[ -z "$LDAP_HOST" ]] && fail "LDAP_HOST env variable has not been set"
+[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
+[[ -z "$LDAP_PASSWORD" ]] && fail "LDAP_PASSWORD env variable has not been set"
+[[ -z "$RETRY_INTERVAL" ]] && fail "RETRY_INTERVAL env variable has not been set"
+[[ -z "$TIMEOUT_SECONDS" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
+
+# NOTE: An LDAP_QUERY is not technically required here as long as we have a base
+# DN and bind DN to search and bind to.
+
+search="ldap://${LDAP_HOST}:${LDAP_PORT} -b ${LDAP_BASE_DN} -D ${LDAP_BIND_DN} -w ${LDAP_PASSWORD} -s base ${LDAP_QUERY}"
+safe_search="ldap://${LDAP_HOST}:${LDAP_PORT} -b ${LDAP_BASE_DN} -D ${LDAP_BIND_DN} -s base ${LDAP_QUERY}"
+echo "Running test search: ${safe_search}"
+
+begin_time=$(date +%s)
+end_time=$((begin_time + TIMEOUT_SECONDS))
+test_search_out=""
+test_search_res=""
+declare -i tries=0
+while [ "$(date +%s)" -lt "$end_time" ]; do
+  tries+=1
+  if test_search_out=$(eval "ldapsearch -x -H ${search}" 2>&1); then
+    test_search_res=0
+    break
+  fi
+
+  test_search_res=$?
+  echo "Test search failed!, search: ${safe_search}, attempt: ${tries}, exit code: ${test_search_res}, error: ${test_search_out}, retrying..."
+  sleep "$RETRY_INTERVAL"
+done
+
+if [ "$test_search_res" -ne 0 ]; then
+  echo "Timed out waiting for search!, search: ${safe_search}, attempt: ${tries}, exit code: ${test_search_res}, error: ${test_search_out}" 2>&1
+  # Exit with the ldapsearch exit code so we bubble that up to error diagnostic
+  exit "$test_search_res"
+fi
diff --git a/enos/modules/set_up_external_integration_target/main.tf b/enos/modules/set_up_external_integration_target/main.tf
index c24c230de7..9ef1377833 100755
--- a/enos/modules/set_up_external_integration_target/main.tf
+++ b/enos/modules/set_up_external_integration_target/main.tf
@@ -11,8 +11,10 @@ terraform {
 
 locals {
   test_server_address = var.ip_version == "6" ? var.hosts[0].ipv6 : var.hosts[0].public_ip
+  ldap_base_dn        = join(",", formatlist("dc=%s", split(".", var.ldap_domain)))
   ldap_server = {
-    domain      = "enos.com"
+    domain      = var.ldap_domain
+    base_dn     = local.ldap_base_dn
     org         = "hashicorp"
     admin_pw    = "password1"
     version     = var.ldap_version
@@ -27,14 +29,24 @@ locals {
     port = var.ports.mysql.port
     host = var.hosts[0]
   }
+  # Database configurations are now pulled from var.database_configs
+  database_servers = {
+    for db_name, db_config in var.database_configs : db_name => merge(db_config, {
+      host = var.hosts[0]
+    })
+  }
 }
 
 # Outputs
 output "state" {
-  value = {
-    ldap = local.ldap_server
-    kmip = local.kmip_client
-  }
+  value = merge(
+    {
+      ldap = local.ldap_server
+      kmip = local.kmip_client
+    },
+    # Add database servers dynamically
+    { for db_name, db_server in local.database_servers : db_name => db_server }
+  )
 }
 
 # We run install_packages before we install Vault because for some combinations of
@@ -66,6 +78,39 @@ resource "enos_remote_exec" "setup_openldap" {
   }
 }
 
+// Wait for the base DN to be available before we populate it
+module "wait_for_ldap_base_dn" {
+  depends_on = [enos_remote_exec.setup_openldap]
+  source     = "../ldap_wait_for_search"
+
+  hosts         = var.hosts
+  ldap_base_dn  = local.ldap_base_dn
+  ldap_bind_dn  = "cn=admin,${local.ldap_base_dn}"
+  ldap_host     = local.ldap_server.host
+  ldap_password = local.ldap_server.admin_pw
+  ldap_port     = local.ldap_server.port
+}
+
+# Populate LDAP server with required users and organizational units
+resource "enos_remote_exec" "populate_ldap" {
+  depends_on = [module.wait_for_ldap_base_dn]
+
+  scripts = [abspath("${path.module}/scripts/populate-ldap.sh")]
+
+  environment = {
+    LDAP_SERVER   = local.ldap_server.host.private_ip
+    LDAP_PORT     = local.ldap_server.port
+    LDAP_ADMIN_PW = local.ldap_server.admin_pw
+    LDAP_BASE_DN  = local.ldap_server.base_dn
+  }
+
+  transport = {
+    ssh = {
+      host = local.ldap_server.host.public_ip
+    }
+  }
+}
+
 # Creating KMIP Server using generic container script
 resource "enos_remote_exec" "create_kmip" {
   depends_on = [module.install_packages]
@@ -90,3 +135,19 @@ resource "enos_remote_exec" "create_kmip" {
     }
   }
 }
+
+# Creating Database Servers using generic database_container module
+module "database_servers" {
+  for_each = var.database_configs
+  source   = "../database_container"
+
+  database_type      = each.key
+  db_version         = each.value.version
+  username           = each.value.username
+  password           = each.value.password
+  database           = each.value.database
+  port               = each.value.port
+  host               = var.hosts[0]
+  instance_name      = "default"
+  depends_on_modules = [module.install_packages]
+}
diff --git a/enos/modules/set_up_external_integration_target/scripts/populate-ldap.sh b/enos/modules/set_up_external_integration_target/scripts/populate-ldap.sh
new file mode 100644
index 0000000000..677a5674c5
--- /dev/null
+++ b/enos/modules/set_up_external_integration_target/scripts/populate-ldap.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$LDAP_SERVER" ]] && fail "LDAP_SERVER env variable has not been set"
+[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
+[[ -z "$LDAP_ADMIN_PW" ]] && fail "LDAP_ADMIN_PW env variable has not been set"
+[[ -z "$LDAP_BASE_DN" ]] && fail "LDAP_BASE_DN env variable has not been set"
+
+echo "OpenLDAP: Checking for OpenLDAP Server Connection: ${LDAP_SERVER}:${LDAP_PORT}"
+echo "OpenLDAP: Using base DN: ${LDAP_BASE_DN}"
+echo "OpenLDAP: Testing connection with admin credentials"
+
+echo "OpenLDAP: Creating organizational units"
+# Creating Users and Groups Org Units LDIF file
+OU_LDIF="ou.ldif"
+cat << EOF > "${OU_LDIF}"
+dn: ou=users,${LDAP_BASE_DN}
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,${LDAP_BASE_DN}
+objectClass: organizationalUnit
+ou: groups
+EOF
+
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,${LDAP_BASE_DN}" -w "${LDAP_ADMIN_PW}" -f "${OU_LDIF}" || echo "OUs may already exist"
+
+echo "OpenLDAP: Creating test users"
+USER_LDIF="users.ldif"
+cat << EOF > "${USER_LDIF}"
+# User: enos
+dn: uid=enos,ou=users,${LDAP_BASE_DN}
+objectClass: inetOrgPerson
+sn: enos
+cn: enos user
+uid: enos
+userPassword: ${LDAP_ADMIN_PW}
+
+# Static-role test user (for LDAP verification tests)
+dn: uid=vault-static-user,ou=users,${LDAP_BASE_DN}
+objectClass: inetOrgPerson
+sn: vault-static-user
+cn: Vault Static User
+uid: vault-static-user
+userPassword: ${LDAP_ADMIN_PW}
+
+# Service accounts for library tests
+dn: uid=svc-account-1,ou=users,${LDAP_BASE_DN}
+objectClass: inetOrgPerson
+sn: svc-account-1
+cn: Service Account 1
+uid: svc-account-1
+userPassword: ${LDAP_ADMIN_PW}
+
+dn: uid=svc-account-2,ou=users,${LDAP_BASE_DN}
+objectClass: inetOrgPerson
+sn: svc-account-2
+cn: Service Account 2
+uid: svc-account-2
+userPassword: ${LDAP_ADMIN_PW}
+
+dn: uid=svc-delete,ou=users,${LDAP_BASE_DN}
+objectClass: inetOrgPerson
+sn: svc-delete
+cn: Service Account Delete
+uid: svc-delete
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,${LDAP_BASE_DN}" -w "${LDAP_ADMIN_PW}" -f "${USER_LDIF}" || echo "Users may already exist"
+
+echo "LDAP population completed successfully."
diff --git a/enos/modules/set_up_external_integration_target/variables.tf b/enos/modules/set_up_external_integration_target/variables.tf
index 1a46fe2f4c..ea04c2835e 100644
--- a/enos/modules/set_up_external_integration_target/variables.tf
+++ b/enos/modules/set_up_external_integration_target/variables.tf
@@ -16,12 +16,10 @@ variable "ip_version" {
   default     = "4"
 }
 
-variable "ports" {
-  description = "Port configuration for services"
-  type = map(object({
-    port        = string
-    description = string
-  }))
+variable "ldap_domain" {
+  type        = string
+  description = "The name of the domain"
+  default     = "enos.com"
 }
 
 variable "ldap_version" {
@@ -35,3 +33,25 @@ variable "packages" {
   description = "A list of packages to install via the target host package manager"
   default     = []
 }
+
+variable "ports" {
+  description = "Port configuration for services"
+  type = map(object({
+    port        = string
+    description = string
+  }))
+}
+
+
+variable "database_configs" {
+  description = "Database configurations for setting up database servers"
+  type = map(object({
+    port        = number
+    version     = string
+    username    = string
+    password    = string
+    database    = string
+    description = string
+  }))
+  default = {}
+}
diff --git a/enos/modules/softhsm_install/main.tf b/enos/modules/softhsm_install/main.tf
index 80278d1ac0..76be102c22 100644
--- a/enos/modules/softhsm_install/main.tf
+++ b/enos/modules/softhsm_install/main.tf
@@ -51,6 +51,7 @@ locals {
     ubuntu = {
       "22.04" = ["softhsm", "opensc"]
       "24.04" = ["softhsm2", "opensc"]
+      "26.04" = ["softhsm2", "opensc"]
     }
     } : {
     amzn = {
@@ -64,6 +65,7 @@ locals {
     ubuntu = {
       "22.04" = ["softhsm"]
       "24.04" = ["softhsm2"]
+      "26.04" = ["softhsm2"]
     }
   }
 }
diff --git a/enos/modules/vault_run_blackbox_test/main.tf b/enos/modules/vault_run_blackbox_test/main.tf
index 05dc3ed757..089123d950 100644
--- a/enos/modules/vault_run_blackbox_test/main.tf
+++ b/enos/modules/vault_run_blackbox_test/main.tf
@@ -10,14 +10,18 @@ terraform {
 }
 
 # Generate matrix.json for gotestsum from the test list
+locals {
+  test_names = var.test_names != null ? var.test_names : []
+}
+
 resource "local_file" "test_matrix" {
   filename = "/tmp/vault_test_matrix_${random_string.test_id.result}.json"
   content = jsonencode({
-    include = length(var.test_names) > 0 ? [
-      for test in var.test_names : {
+    include = [
+      for test in local.test_names : {
         test = test
       }
-    ] : []
+    ]
   })
 }
 
@@ -28,16 +32,71 @@ resource "random_string" "test_id" {
 }
 
 resource "enos_local_exec" "run_blackbox_test" {
-  scripts = [abspath("${path.module}/scripts/run-test.sh")]
-  environment = merge({
-    VAULT_TOKEN        = var.vault_root_token
-    VAULT_ADDR         = var.vault_addr != null ? var.vault_addr : "http://${var.leader_public_ip}:8200"
-    VAULT_TEST_PACKAGE = var.test_package
-    VAULT_TEST_MATRIX  = length(var.test_names) > 0 ? local_file.test_matrix.filename : ""
-    }, var.vault_namespace != null ? {
-    VAULT_NAMESPACE = var.vault_namespace
-  } : {})
+  scripts    = [abspath("${path.module}/scripts/run-test.sh")]
   depends_on = [local_file.test_matrix]
+
+  environment = merge(
+    {
+      VAULT_TOKEN        = var.vault_root_token
+      VAULT_ADDR         = var.vault_addr != null ? var.vault_addr : (contains(split("", var.leader_public_ip), ":") ? "http://[${var.leader_public_ip}]:8200" : "http://${var.leader_public_ip}:8200")
+      VAULT_TEST_PACKAGE = var.test_package
+      VAULT_TEST_MATRIX  = length(local.test_names) > 0 ? local_file.test_matrix.filename : ""
+      VAULT_EDITION      = var.vault_edition
+      # PATH and Go-related environment variables are inherited from the calling process
+    },
+    var.vault_namespace != null ? { VAULT_NAMESPACE = var.vault_namespace } : {},
+    var.vault_product_version != null ? { VAULT_VERSION = var.vault_product_version } : {},
+    var.vault_revision != null ? { VAULT_REVISION = var.vault_revision } : {},
+    var.vault_build_date != null ? { VAULT_BUILD_DATE = var.vault_build_date } : {},
+    var.vault_install_dir != null ? { VAULT_INSTALL_DIR = var.vault_install_dir } : {},
+    local.ldap_environment,
+    local.postgres_environment,
+    local.mongodb_environment,
+    var.test_env_vars
+  )
+}
+
+# Local variables for LDAP environment setup
+locals {
+  # Extract LDAP configuration safely, defaulting to empty map if not available
+  ldap_config = try(var.integration_host_state.ldap, {})
+
+  # Convert domain (e.g., "enos.com") to DN format (e.g., "dc=enos,dc=com")
+  domain_dn = try(local.ldap_config.domain, "") != "" ? join(",", [for part in split(".", local.ldap_config.domain) : "dc=${part}"]) : ""
+
+  # Set up LDAP environment variables when LDAP integration is available
+  ldap_environment = try(local.ldap_config.domain, "") != "" ? {
+    LDAP_URL_PRIVATE = "ldap://${local.ldap_config.host.private_ip}:${local.ldap_config.port}"
+    LDAP_URL_PUBLIC  = "ldap://${local.ldap_config.host.public_ip}:${local.ldap_config.port}"
+    LDAP_BIND_DN     = "cn=admin,${local.domain_dn}"
+    LDAP_BIND_PASS   = local.ldap_config.admin_pw
+    LDAP_USERNAME    = "enos"
+  } : {}
+
+  # Extract PostgreSQL configuration safely, defaulting to empty map if not available
+  postgres_config = try(var.integration_host_state.postgres, {})
+
+  # Set up PostgreSQL environment variables when PostgreSQL integration is available
+  postgres_environment = try(local.postgres_config.host.private_ip, "") != "" ? {
+    PG_URL            = "postgres://${local.postgres_config.username}:${local.postgres_config.password}@${local.postgres_config.host.private_ip}:${local.postgres_config.port}/${local.postgres_config.database}?sslmode=disable"
+    POSTGRES_USER     = local.postgres_config.username
+    POSTGRES_PASSWORD = local.postgres_config.password
+    POSTGRES_DB       = local.postgres_config.database
+    PGHOST            = local.postgres_config.host.private_ip
+    PGPORT            = local.postgres_config.port
+    PGUSER            = local.postgres_config.username
+    PGPASSWORD        = local.postgres_config.password
+    PGDATABASE        = local.postgres_config.database
+  } : {}
+
+  # Extract MongoDB configuration safely, defaulting to empty map if not available
+  mongodb_config = try(var.integration_host_state.mongodb, {})
+
+  # Set up MongoDB environment variables when MongoDB integration is available
+  mongodb_environment = try(local.mongodb_config.host.public_ip, "") != "" ? {
+    MONGO_URL         = "mongodb://${local.mongodb_config.username}:${local.mongodb_config.password}@${local.mongodb_config.host.public_ip}:${local.mongodb_config.port}/${local.mongodb_config.database}?directConnection=true"
+    MONGO_URL_PRIVATE = "mongodb://${local.mongodb_config.username}:${local.mongodb_config.password}@${local.mongodb_config.host.private_ip}:${local.mongodb_config.port}/${local.mongodb_config.database}?directConnection=true"
+  } : {}
 }
 
 # Extract information from the script output
diff --git a/enos/modules/vault_run_blackbox_test/outputs.tf b/enos/modules/vault_run_blackbox_test/outputs.tf
index 870103e9ab..7ce0860487 100644
--- a/enos/modules/vault_run_blackbox_test/outputs.tf
+++ b/enos/modules/vault_run_blackbox_test/outputs.tf
@@ -6,7 +6,6 @@ output "test_result" {
   value       = enos_local_exec.run_blackbox_test.stdout
 }
 
-
 output "test_results_summary" {
   description = "Summary of test results for dashboards"
   value = {
@@ -15,7 +14,7 @@ output "test_results_summary" {
     exit_code    = local.test_exit_code
     timestamp    = timestamp()
     json_file    = local.json_file_path
-    test_filter  = length(var.test_names) > 0 ? join(", ", var.test_names) : "all tests"
+    test_filter  = length(local.test_names) > 0 ? join(", ", local.test_names) : "all tests"
     test_package = var.test_package
   }
 }
diff --git a/enos/modules/vault_run_blackbox_test/plugin.tf b/enos/modules/vault_run_blackbox_test/plugin.tf
new file mode 100644
index 0000000000..a12c3e4496
--- /dev/null
+++ b/enos/modules/vault_run_blackbox_test/plugin.tf
@@ -0,0 +1,24 @@
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+# Plugin blackbox test configuration
+
+variable "plugin_config" {
+  type = object({
+    enabled = bool
+    type    = string
+  })
+  description = "Plugin configuration for blackbox tests. Set enabled=true and specify plugin type to enable plugin tests."
+  default = {
+    enabled = false
+    type    = ""
+  }
+}
+
+
+# Local variables for plugin environment setup
+locals {
+  plugin_environment = var.plugin_config.enabled ? {
+    PLUGIN_TYPE = var.plugin_config.type
+  } : {}
+}
diff --git a/enos/modules/vault_run_blackbox_test/scripts/run-test.sh b/enos/modules/vault_run_blackbox_test/scripts/run-test.sh
index aa5d157e55..a2f0675d58 100755
--- a/enos/modules/vault_run_blackbox_test/scripts/run-test.sh
+++ b/enos/modules/vault_run_blackbox_test/scripts/run-test.sh
@@ -13,18 +13,35 @@ fail() {
 [[ -z "${VAULT_TOKEN}" ]] && fail "VAULT_TOKEN env variable has not been set"
 [[ -z "${VAULT_ADDR}" ]] && fail "VAULT_ADDR env variable has not been set"
 [[ -z "${VAULT_TEST_PACKAGE}" ]] && fail "VAULT_TEST_PACKAGE env variable has not been set"
+[[ -z "${VAULT_EDITION}" ]] && fail "VAULT_EDITION env variable has not been set"
 
 # Check required dependencies
 echo "Checking required dependencies..."
 
 # Check if Go is installed
 if ! command -v go &> /dev/null; then
-    fail "Go is not installed or not in PATH. Please install Go to run tests."
+    echo "ERROR: Go is not installed or not found in PATH."
+    echo ""
+    echo "To resolve this issue:"
+    echo "  • On a developer machine: Install Go from https://golang.org/dl/"
+    echo "  • In CI: Ensure the setup-go action is configured properly"
+    echo "  • If Go is installed elsewhere, add it to your PATH environment variable"
+    echo ""
+    fail "Go is required to run blackbox tests."
 fi
 
+echo "Go version: $(go version)"
+
 # Check if gotestsum is installed (required)
 if ! command -v gotestsum &> /dev/null; then
-    fail "gotestsum is not installed or not in PATH. Please install gotestsum: go install gotest.tools/gotestsum@latest"
+    echo "ERROR: gotestsum is not installed or not found in PATH."
+    echo ""
+    echo "To resolve this issue:"
+    echo "  • Run 'make tools' to install required development tools"
+    echo "  • Ensure GOPATH/bin is in your PATH environment variable"
+    echo "  • Or manually install: go install gotest.tools/gotestsum@v1.13.0"
+    echo ""
+    fail "gotestsum is required to run blackbox tests."
 fi
 
 # Check if jq is available (needed for parsing test matrix)
@@ -60,18 +77,40 @@ echo "Running tests..."
 echo "Vault environment variables:"
 env | grep VAULT | sed 's/VAULT_TOKEN=.*/VAULT_TOKEN=***REDACTED***/'
 
+# For HTTP Vault addresses, inherited TLS CA settings can point to stale temp files.
+# TODO: Investigate why TLS CA env vars persist for HTTP Vault connections and remove this workaround after fixing root cause.
+if [[ "${VAULT_ADDR}" == http://* ]]; then
+    unset VAULT_CACERT VAULT_CAPATH
+fi
+
+case $VAULT_EDITION in
+    ent | ent.hsm | ent.hsm.fips1402 | ent.hsm.fips1403 | ent.fips1403 | ent.fips1402)
+        tags="-tags=ent,enterprise"
+        ;;
+    ce)
+        tags=""
+        ;;
+    *)
+        fail "unknown VAULT_EDITION: $VAULT_EDITION"
+        ;;
+esac
+
 # Build gotestsum command based on whether we have specific tests
+# Convert VAULT_TEST_PACKAGE to array to handle multiple package paths properly
+VAULT_TEST_PACKAGE=$(printf "%s" "$VAULT_TEST_PACKAGE")
+IFS=' ' read -r -a packages <<< "$VAULT_TEST_PACKAGE"
+
 set -x # Show commands being executed
 set +e # Temporarily disable exit on error
 if [ -n "$VAULT_TEST_MATRIX" ] && [ -f "$VAULT_TEST_MATRIX" ]; then
     echo "Using test matrix from: $VAULT_TEST_MATRIX"
     # Extract test names from matrix and create regex pattern
-    test_pattern=$(jq -r '.include[].test' "$VAULT_TEST_MATRIX" | paste -sd '|' -)
+    test_pattern=$(jq -r '[.include[].test] | join("|")' "$VAULT_TEST_MATRIX")
     echo "Running specific tests: $test_pattern"
-    gotestsum --junitfile="$junit_output" --format=standard-verbose --jsonfile="$json_output" -- -count=1 -run="$test_pattern" "$VAULT_TEST_PACKAGE"
+    gotestsum --junitfile="$junit_output" --format=standard-verbose --jsonfile="$json_output" -- -count=1 "${tags}" -run="$test_pattern" "${packages[@]}"
 else
     echo "Running all tests in package"
-    gotestsum --junitfile="$junit_output" --format=standard-verbose --jsonfile="$json_output" -- -count=1 "$VAULT_TEST_PACKAGE"
+    gotestsum --junitfile="$junit_output" --format=standard-verbose --jsonfile="$json_output" -- -count=1 "${tags}" "${packages[@]}"
 fi
 test_exit_code=$?
 set -e # Re-enable exit on error
diff --git a/enos/modules/vault_run_blackbox_test/variables.tf b/enos/modules/vault_run_blackbox_test/variables.tf
index 499b44473b..dc2867a7e2 100644
--- a/enos/modules/vault_run_blackbox_test/variables.tf
+++ b/enos/modules/vault_run_blackbox_test/variables.tf
@@ -14,6 +14,17 @@ variable "leader_public_ip" {
   description = "The public IP of the Vault leader"
 }
 
+variable "ip_version" {
+  type        = number
+  description = "The IP version used for the Vault TCP listener"
+  default     = 4
+
+  validation {
+    condition     = contains([4, 6], var.ip_version)
+    error_message = "The ip_version must be either 4 or 6"
+  }
+}
+
 variable "vault_root_token" {
   type        = string
   description = "The vault root token"
@@ -41,3 +52,45 @@ variable "vault_namespace" {
   description = "The Vault namespace to operate in (for HCP environments). Optional."
   default     = null
 }
+
+variable "integration_host_state" {
+  type        = any
+  description = "The state from the external integration setup"
+  default     = null
+}
+
+variable "vault_edition" {
+  type        = string
+  description = "The Vault edition (ce, ent, ent.hsm, ent.fips1402, ent.hsm.fips1402)"
+  default     = "ent"
+}
+
+variable "vault_product_version" {
+  type        = string
+  description = "The Vault product version (e.g., 1.15.0)"
+  default     = null
+}
+
+variable "vault_revision" {
+  type        = string
+  description = "The Vault git revision/commit SHA"
+  default     = null
+}
+
+variable "vault_build_date" {
+  type        = string
+  description = "The Vault build date"
+  default     = null
+}
+
+variable "vault_install_dir" {
+  type        = string
+  description = "The directory where Vault is installed"
+  default     = null
+}
+
+variable "test_env_vars" {
+  type        = map(string)
+  description = "Additional environment variables to pass to the test"
+  default     = {}
+}
diff --git a/enos/modules/vault_verify_replication/main.tf b/enos/modules/vault_update_license_ibm/main.tf
similarity index 51%
rename from enos/modules/vault_verify_replication/main.tf
rename to enos/modules/vault_update_license_ibm/main.tf
index 034d242a1b..f13ef39672 100644
--- a/enos/modules/vault_verify_replication/main.tf
+++ b/enos/modules/vault_update_license_ibm/main.tf
@@ -1,7 +1,6 @@
 # Copyright IBM Corp. 2016, 2025
 # SPDX-License-Identifier: BUSL-1.1
 
-
 terraform {
   required_providers {
     enos = {
@@ -12,33 +11,31 @@ terraform {
 
 variable "hosts" {
   type = map(object({
-    ipv6       = string
     private_ip = string
     public_ip  = string
   }))
   description = "The vault cluster instances that were created"
 }
 
-variable "vault_addr" {
+variable "vault_ibm_license_path" {
   type        = string
-  description = "The local vault API listen address"
+  description = "The path to the IBM PAO license file on the target machine"
 }
 
-variable "vault_edition" {
+variable "vault_ibm_license_edition" {
   type        = string
-  description = "The vault product edition"
-  default     = null
+  description = "The edition corresponding to the Vault entitlement to select in the IBM PAO license"
 }
 
-resource "enos_remote_exec" "smoke-verify-replication" {
+resource "enos_remote_exec" "vault_update_license_ibm" {
   for_each = var.hosts
 
   environment = {
-    VAULT_ADDR    = var.vault_addr
-    VAULT_EDITION = var.vault_edition
+    VAULT_IBM_LICENSE         = file(var.vault_ibm_license_path)
+    VAULT_IBM_LICENSE_EDITION = var.vault_ibm_license_edition
   }
 
-  scripts = [abspath("${path.module}/scripts/smoke-verify-replication.sh")]
+  scripts = [abspath("${path.module}/scripts/update-license.sh")]
 
   transport = {
     ssh = {
diff --git a/enos/modules/vault_update_license_ibm/scripts/update-license.sh b/enos/modules/vault_update_license_ibm/scripts/update-license.sh
new file mode 100755
index 0000000000..27413f2989
--- /dev/null
+++ b/enos/modules/vault_update_license_ibm/scripts/update-license.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$VAULT_IBM_LICENSE" ]] && fail "VAULT_IBM_LICENSE env variable has not been set"
+[[ -z "$VAULT_IBM_LICENSE_EDITION" ]] && fail "VAULT_IBM_LICENSE_EDITION env variable has not been set"
+
+# Validate that $VAULT_IBM_LICENSE_EDITION is a valid edition option among "standard", "plus", and "premium"
+case "${VAULT_IBM_LICENSE_EDITION}" in
+  standard | plus | premium) ;;
+  *)
+    fail "IBM license edition '${VAULT_IBM_LICENSE_EDITION}' is not a valid edition. Valid editions are 'standard', 'plus', or 'premium'. Check your IBM license entitlements for the correct edition."
+    ;;
+esac
+
+# Update the license file with the new license and add the license entitlement to the vault configuration
+# Do this as a superuser because the files are owned by vault
+echo "$VAULT_IBM_LICENSE" | sudo tee /etc/vault.d/vault.lic > /dev/null
+echo "license_entitlement {
+  edition = \"$VAULT_IBM_LICENSE_EDITION\"
+}" | sudo tee -a /etc/vault.d/vault.hcl > /dev/null
+
+echo "License updated successfully"
diff --git a/enos/modules/vault_verify_ibm_license_update/main.tf b/enos/modules/vault_verify_ibm_license_update/main.tf
new file mode 100644
index 0000000000..ed93260974
--- /dev/null
+++ b/enos/modules/vault_verify_ibm_license_update/main.tf
@@ -0,0 +1,89 @@
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+terraform {
+  required_providers {
+    enos = {
+      source = "registry.terraform.io/hashicorp-forge/enos"
+    }
+  }
+}
+
+variable "vault_addr" {
+  type        = string
+  description = "The local vault API listen address"
+}
+
+variable "vault_cluster_addr_port" {
+  description = "The Raft cluster address port"
+  type        = string
+  default     = "8201"
+}
+
+variable "vault_install_dir" {
+  type        = string
+  description = "The directory where the Vault binary will be installed"
+}
+
+variable "hosts" {
+  type = map(object({
+    ipv6       = string
+    private_ip = string
+    public_ip  = string
+  }))
+  description = "The vault cluster instances that were created"
+}
+
+variable "vault_root_token" {
+  type        = string
+  description = "The vault root token"
+}
+
+variable "vault_ibm_license_edition" {
+  type        = string
+  description = "The expected Vault edition in use in the IBM PAO license."
+}
+
+resource "enos_remote_exec" "vault_verify_ibm_license_update" {
+  for_each = var.hosts
+
+  environment = {
+    VAULT_ADDR                = var.vault_addr
+    VAULT_CLUSTER_ADDR        = "${each.value.private_ip}:${var.vault_cluster_addr_port}"
+    VAULT_TOKEN               = var.vault_root_token
+    VAULT_INSTALL_DIR         = var.vault_install_dir
+    VAULT_IBM_LICENSE_EDITION = var.vault_ibm_license_edition
+  }
+
+  scripts = [abspath("${path.module}/scripts/license-get.sh")]
+
+  transport = {
+    ssh = {
+      host = each.value.public_ip
+    }
+  }
+}
+
+resource "enos_remote_exec" "vault_get_ibm_license_customer_id" {
+  depends_on = [enos_remote_exec.vault_verify_ibm_license_update]
+  for_each   = var.hosts
+
+  environment = {
+    VAULT_ADDR         = var.vault_addr
+    VAULT_CLUSTER_ADDR = "${each.value.private_ip}:${var.vault_cluster_addr_port}"
+    VAULT_TOKEN        = var.vault_root_token
+    VAULT_INSTALL_DIR  = var.vault_install_dir
+  }
+
+  scripts = [abspath("${path.module}/scripts/license-inspect.sh")]
+
+  transport = {
+    ssh = {
+      host = each.value.public_ip
+    }
+  }
+}
+
+output "customer_id" {
+  value = enos_remote_exec.vault_get_ibm_license_customer_id[0].stdout
+}
diff --git a/enos/modules/vault_verify_ibm_license_update/scripts/license-get.sh b/enos/modules/vault_verify_ibm_license_update/scripts/license-get.sh
new file mode 100755
index 0000000000..da91e5a3ee
--- /dev/null
+++ b/enos/modules/vault_verify_ibm_license_update/scripts/license-get.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+retry() {
+  local retries=$1
+  shift
+  local count=0
+
+  until "$@"; do
+    exit=$?
+    count=$((count + 1))
+    if [ "$count" -lt "$retries" ]; then
+      sleep 30
+    else
+      return "$exit"
+    fi
+  done
+
+  return 0
+}
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_IBM_LICENSE_EDITION" ]] && fail "VAULT_IBM_LICENSE_EDITION env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+license_get() {
+  issuer=$($binpath license get -format=json | jq -r '.data.autoloaded.issuer')
+  edition=$($binpath license get -format=json | jq -r '.data.autoloaded.edition')
+
+  if [ "$issuer" == "pao.ibm.com" ] && [ "$edition" == "$VAULT_IBM_LICENSE_EDITION" ]; then
+    echo "License updated; using an IBM license with $VAULT_IBM_LICENSE_EDITION entitlement"
+    return 0
+  else
+    fail "Expected an IBM PAO license with $VAULT_IBM_LICENSE_EDITION entitlement, got issuer: $issuer and edition: $edition"
+  fi
+}
+
+retry 10 license_get
diff --git a/enos/modules/vault_verify_ibm_license_update/scripts/license-inspect.sh b/enos/modules/vault_verify_ibm_license_update/scripts/license-inspect.sh
new file mode 100755
index 0000000000..289cd06560
--- /dev/null
+++ b/enos/modules/vault_verify_ibm_license_update/scripts/license-inspect.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+customer_id=$(sudo "$binpath" license inspect /etc/vault.d/vault.lic | grep "Customer ID" | awk -F: '{print $2}' | xargs)
+[[ -z "$customer_id" ]] && fail "Customer ID is empty in license inspect output"
+
+# Send customer ID to stdout so it can be extracted as output of this step
+echo "$customer_id"
diff --git a/enos/modules/vault_verify_replication/scripts/smoke-verify-replication.sh b/enos/modules/vault_verify_replication/scripts/smoke-verify-replication.sh
deleted file mode 100644
index 7c5ed1e838..0000000000
--- a/enos/modules/vault_verify_replication/scripts/smoke-verify-replication.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-# Copyright IBM Corp. 2016, 2025
-# SPDX-License-Identifier: BUSL-1.1
-
-set -e
-
-function fail() {
-  echo "$1" 1>&2
-  exit 1
-}
-
-[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
-[[ -z "$VAULT_EDITION" ]] && fail "VAULT_EDITION env variable has not been set"
-
-# Replication status endpoint should have data.mode disabled for CE release
-status=$(curl "${VAULT_ADDR}/v1/sys/replication/status")
-if [ "$VAULT_EDITION" == "ce" ]; then
-  if [ "$(jq -r '.data.mode' <<< "$status")" != "disabled" ]; then
-    fail "replication data mode is not disabled for CE release!"
-  fi
-else
-  if [ "$(jq -r '.data.dr' <<< "$status")" == "" ]; then
-    fail "DR replication should be available for an ENT release!"
-  fi
-  if [ "$(jq -r '.data.performance' <<< "$status")" == "" ]; then
-    fail "Performance replication should be available for an ENT release!"
-  fi
-fi
diff --git a/enos/modules/vault_verify_undo_logs/main.tf b/enos/modules/vault_verify_undo_logs/main.tf
deleted file mode 100644
index d2e917918d..0000000000
--- a/enos/modules/vault_verify_undo_logs/main.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright IBM Corp. 2016, 2025
-# SPDX-License-Identifier: BUSL-1.1
-
-terraform {
-  required_providers {
-    enos = {
-      source = "registry.terraform.io/hashicorp-forge/enos"
-    }
-  }
-}
-
-variable "expected_state" {
-  type        = number
-  description = "The expected state to have in vault.core.replication.write_undo_logs telemetry. Must be either 1 for enabled or 0 for disabled."
-
-  validation {
-    condition     = contains([0, 1], var.expected_state)
-    error_message = "The expected_state must be either 0 or 1"
-  }
-}
-
-variable "hosts" {
-  type = map(object({
-    ipv6       = string
-    private_ip = string
-    public_ip  = string
-  }))
-  description = "The vault cluster target hosts to check"
-}
-
-variable "retry_interval" {
-  type        = number
-  description = "How many seconds to wait between each retry"
-  default     = 2
-}
-
-variable "timeout" {
-  type        = number
-  description = "The max number of seconds to wait before timing out"
-  default     = 60
-}
-
-variable "vault_addr" {
-  type        = string
-  description = "The local vault API listen address"
-}
-
-variable "vault_install_dir" {
-  type        = string
-  description = "The directory where the Vault binary will be installed"
-}
-
-variable "vault_root_token" {
-  type        = string
-  description = "The vault root token"
-}
-
-resource "enos_remote_exec" "smoke-verify-undo-logs" {
-  for_each = var.hosts
-
-  environment = {
-    EXPECTED_STATE    = var.expected_state
-    RETRY_INTERVAL    = var.retry_interval
-    TIMEOUT_SECONDS   = var.timeout
-    VAULT_ADDR        = var.vault_addr
-    VAULT_INSTALL_DIR = var.vault_install_dir
-    VAULT_TOKEN       = var.vault_root_token
-  }
-
-  scripts = [abspath("${path.module}/scripts/smoke-verify-undo-logs.sh")]
-
-  transport = {
-    ssh = {
-      host = each.value.public_ip
-    }
-  }
-}
diff --git a/enos/modules/vault_verify_undo_logs/scripts/smoke-verify-undo-logs.sh b/enos/modules/vault_verify_undo_logs/scripts/smoke-verify-undo-logs.sh
deleted file mode 100644
index 7af19f6b72..0000000000
--- a/enos/modules/vault_verify_undo_logs/scripts/smoke-verify-undo-logs.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-# Copyright IBM Corp. 2016, 2025
-# SPDX-License-Identifier: BUSL-1.1
-
-function fail() {
-  echo "$1" 1>&2
-  exit 1
-}
-
-[[ -z "$EXPECTED_STATE" ]] && fail "EXPECTED_STAE env variable has not been set"
-[[ -z "$RETRY_INTERVAL" ]] && fail "RETRY_INTERVAL env variable has not been set"
-[[ -z "$TIMEOUT_SECONDS" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
-[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
-[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
-[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
-
-binpath=${VAULT_INSTALL_DIR}/vault
-test -x "$binpath" || fail "unable to locate vault binary at $binpath"
-
-begin_time=$(date +%s)
-end_time=$((begin_time + TIMEOUT_SECONDS))
-while [ "$(date +%s)" -lt "$end_time" ]; do
-  state=$($binpath read sys/metrics -format=json | jq -r '.data.Gauges[] | select(.Name == "vault.core.replication.write_undo_logs")')
-  target_undo_logs_status="$(jq -r '.Value' <<< "$state")"
-
-  if [ "$target_undo_logs_status" == "$EXPECTED_STATE" ]; then
-    echo "vault.core.replication.write_undo_logs has expected Value: \"${EXPECTED_STATE}\""
-    exit 0
-  fi
-
-  echo "Waiting for vault.core.replication.write_undo_logs to have Value: \"${EXPECTED_STATE}\""
-  sleep "$RETRY_INTERVAL"
-done
-
-fail "Timed out waiting for vault.core.replication.write_undo_logs to have Value: \"${EXPECTED_STATE}\""
diff --git a/enos/modules/vault_verify_version/main.tf b/enos/modules/vault_verify_version/main.tf
deleted file mode 100644
index 4114945a9f..0000000000
--- a/enos/modules/vault_verify_version/main.tf
+++ /dev/null
@@ -1,100 +0,0 @@
-# Copyright IBM Corp. 2016, 2025
-# SPDX-License-Identifier: BUSL-1.1
-
-terraform {
-  required_providers {
-    enos = {
-      source = "registry.terraform.io/hashicorp-forge/enos"
-    }
-  }
-}
-
-variable "hosts" {
-  type = map(object({
-    ipv6       = string
-    private_ip = string
-    public_ip  = string
-  }))
-  description = "The Vault cluster instances that were created"
-}
-
-variable "vault_addr" {
-  type        = string
-  description = "The local vault API listen address"
-}
-
-variable "vault_build_date" {
-  type        = string
-  description = "The Vault artifact build date"
-  default     = null
-}
-
-variable "vault_edition" {
-  type        = string
-  description = "The Vault product edition"
-  default     = null
-}
-
-variable "vault_install_dir" {
-  type        = string
-  description = "The directory where the Vault binary will be installed"
-}
-
-variable "vault_product_version" {
-  type        = string
-  description = "The Vault product version"
-  default     = null
-}
-
-variable "vault_revision" {
-  type        = string
-  description = "The Vault product revision"
-  default     = null
-}
-
-variable "vault_root_token" {
-  type        = string
-  description = "The Vault root token"
-  default     = null
-}
-
-resource "enos_remote_exec" "verify_cli_version" {
-  for_each = var.hosts
-
-  environment = {
-    VAULT_ADDR        = var.vault_addr,
-    VAULT_BUILD_DATE  = var.vault_build_date,
-    VAULT_EDITION     = var.vault_edition,
-    VAULT_INSTALL_DIR = var.vault_install_dir,
-    VAULT_REVISION    = var.vault_revision,
-    VAULT_TOKEN       = var.vault_root_token,
-    VAULT_VERSION     = var.vault_product_version,
-  }
-
-  scripts = [abspath("${path.module}/scripts/verify-cli-version.sh")]
-
-  transport = {
-    ssh = {
-      host = each.value.public_ip
-    }
-  }
-}
-
-resource "enos_remote_exec" "verify_cluster_version" {
-  for_each = var.hosts
-
-  environment = {
-    VAULT_ADDR       = var.vault_addr,
-    VAULT_BUILD_DATE = var.vault_build_date,
-    VAULT_TOKEN      = var.vault_root_token,
-    VAULT_VERSION    = var.vault_product_version,
-  }
-
-  scripts = [abspath("${path.module}/scripts/verify-cluster-version.sh")]
-
-  transport = {
-    ssh = {
-      host = each.value.public_ip
-    }
-  }
-}
diff --git a/enos/modules/vault_verify_version/scripts/verify-cli-version.sh b/enos/modules/vault_verify_version/scripts/verify-cli-version.sh
deleted file mode 100644
index 3834b3bbf7..0000000000
--- a/enos/modules/vault_verify_version/scripts/verify-cli-version.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-# Copyright IBM Corp. 2016, 2025
-# SPDX-License-Identifier: BUSL-1.1
-
-# Verify the Vault "version" includes the correct base version, build date,
-# revision SHA, and edition metadata.
-set -e
-
-fail() {
-  echo "$1" 1>&2
-  exit 1
-}
-
-[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
-[[ -z "$VAULT_BUILD_DATE" ]] && fail "VAULT_BUILD_DATE env variable has not been set"
-[[ -z "$VAULT_EDITION" ]] && fail "VAULT_EDITION env variable has not been set"
-[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
-[[ -z "$VAULT_REVISION" ]] && fail "VAULT_REVISION env variable has not been set"
-[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
-[[ -z "$VAULT_VERSION" ]] && fail "VAULT_VERSION env variable has not been set"
-
-binpath=${VAULT_INSTALL_DIR}/vault
-edition=${VAULT_EDITION}
-version=${VAULT_VERSION}
-sha=${VAULT_REVISION}
-build_date=${VAULT_BUILD_DATE}
-
-test -x "$binpath" || fail "unable to locate vault binary at $binpath"
-version_expected="Vault v$version ($sha), built $build_date"
-
-case "$edition" in
-  *ce) ;;
-  *ent) ;;
-  *ent.hsm) version_expected="$version_expected (cgo)" ;;
-  *ent.fips1403) version_expected="$version_expected (cgo)" ;;
-  *ent.hsm.fips1403) version_expected="$version_expected (cgo)" ;;
-  *) fail "Unknown Vault edition: ($edition)" ;;
-esac
-
-version_expected_nosha=$(echo "$version_expected" | awk '!($3="")' | sed 's/  / /' | sed -e 's/[[:space:]]*$//')
-version_output=$("$binpath" version)
-
-if [[ "$version_output" == "$version_expected_nosha" ]] || [[ "$version_output" == "$version_expected" ]]; then
-  echo "Version verification succeeded!"
-else
-  msg="$(printf "\nThe Vault cluster did not match the expected version, expected:\n%s\nor\n%s\ngot:\n%s" "$version_expected" "$version_expected_nosha" "$version_output")"
-  if type diff &> /dev/null; then
-    # Diff exits non-zero if we have a diff, which we want, so we'll guard against failing early.
-    if ! version_diff=$(diff  <(echo "$version_expected")  <(echo "$version_output") -u -L expected -L got); then
-      msg="$(printf "\nThe Vault cluster did not match the expected version:\n%s" "$version_diff")"
-    fi
-  fi
-
-  fail "$msg"
-fi
diff --git a/enos/modules/vault_verify_version/scripts/verify-cluster-version.sh b/enos/modules/vault_verify_version/scripts/verify-cluster-version.sh
deleted file mode 100644
index 1f131c263a..0000000000
--- a/enos/modules/vault_verify_version/scripts/verify-cluster-version.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-# Copyright IBM Corp. 2016, 2025
-# SPDX-License-Identifier: BUSL-1.1
-
-# Verify the Vault "version" includes the correct base version, build date,
-# revision SHA, and edition metadata.
-set -e
-
-fail() {
-  echo "$1" 1>&2
-  exit 1
-}
-
-[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
-[[ -z "$VAULT_BUILD_DATE" ]] && fail "VAULT_BUILD_DATE env variable has not been set"
-[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
-[[ -z "$VAULT_VERSION" ]] && fail "VAULT_VERSION env variable has not been set"
-
-# The sys/version-history endpoint only includes major.minor.patch, any other semver fields need to
-# be stripped out.
-if ! version=$(cut -d + -f1 <<< "$VAULT_VERSION" | cut -d - -f1); then
-  fail "failed to parse the expected version: $version"
-fi
-
-if ! vh=$(curl -s -X LIST -H "X-Vault-Token: $VAULT_TOKEN" http://127.0.0.1:8200/v1/sys/version-history | jq -eMc '.data'); then
-  fail "failed to Vault cluster version history: $vh"
-fi
-
-if ! out=$(jq -eMc --arg version "$version" '.keys | contains([$version])' <<< "$vh"); then
-  fail "cluster version history does not include our expected version: expected: $version, versions: $(jq -eMc '.keys' <<< "$vh"): output: $out"
-fi
-
-if ! out=$(jq -eMc --arg version "$version" --arg bd "$VAULT_BUILD_DATE" '.key_info[$version].build_date == $bd' <<< "$vh"); then
-  fail "cluster version history build date is not the expected date: expected: true, expected date: $VAULT_BUILD_DATE, key_info: $(jq -eMc '.key_info' <<< "$vh"), output: $out"
-fi
-
-printf "Cluster version information is valid!: %s\n" "$vh"
diff --git a/enos/modules/verify_log_secrets/main.tf b/enos/modules/verify_log_secrets/main.tf
index 8455afff5f..5087ac9b00 100644
--- a/enos/modules/verify_log_secrets/main.tf
+++ b/enos/modules/verify_log_secrets/main.tf
@@ -55,6 +55,12 @@ variable "vault_unit_name" {
   default     = "vault"
 }
 
+variable "vault_ibm_license_customer_id" {
+  type        = string
+  description = "The customer ID associated with the IBM license, if one is being used. This gets flagged by Radar in the logs, so we need to explicitly ignore it. The customer ID can be decoded from your license using the vault CLI: VAULT_LICENSE_PATH=<path>pao.lic vault license inspect"
+  default     = ""
+}
+
 resource "enos_bundle_install" "radar" {
   destination = var.radar_install_dir
 
@@ -78,12 +84,13 @@ resource "enos_remote_exec" "scan_logs_for_secrets" {
   ]
 
   environment = {
-    AUDIT_LOG_FILE_PATH     = var.audit_log_file_path
-    VAULT_ADDR              = var.vault_addr
-    VAULT_RADAR_INSTALL_DIR = var.radar_install_dir
-    VAULT_RADAR_LICENSE     = file(var.radar_license_path)
-    VAULT_TOKEN             = var.vault_root_token
-    VAULT_UNIT_NAME         = var.vault_unit_name
+    AUDIT_LOG_FILE_PATH           = var.audit_log_file_path
+    VAULT_ADDR                    = var.vault_addr
+    VAULT_RADAR_INSTALL_DIR       = var.radar_install_dir
+    VAULT_RADAR_LICENSE           = file(var.radar_license_path)
+    VAULT_TOKEN                   = var.vault_root_token
+    VAULT_UNIT_NAME               = var.vault_unit_name
+    VAULT_IBM_LICENSE_CUSTOMER_ID = var.vault_ibm_license_customer_id
   }
 
   scripts = [abspath("${path.module}/scripts/scan_logs_for_secrets.sh")]
diff --git a/enos/modules/verify_log_secrets/scripts/scan_logs_for_secrets.sh b/enos/modules/verify_log_secrets/scripts/scan_logs_for_secrets.sh
index ec82ac8de5..dce2b30862 100644
--- a/enos/modules/verify_log_secrets/scripts/scan_logs_for_secrets.sh
+++ b/enos/modules/verify_log_secrets/scripts/scan_logs_for_secrets.sh
@@ -55,6 +55,13 @@ cat >> "$HOME/.hashicorp/vault-radar/ignore.yaml" << EOF
   - "hmac-sha256:*"
 EOF
 
+# If we have an IBM license customer ID, add it to the ignore rules since it is expected to be present in the audit log and we don't want to fail on it.
+if [[ "$VAULT_IBM_LICENSE_CUSTOMER_ID" != "" ]]; then
+  cat >> "$HOME/.hashicorp/vault-radar/ignore.yaml" << EOF
+  - "$VAULT_IBM_LICENSE_CUSTOMER_ID"
+EOF
+fi
+
 # Scan the audit log for known secrets via the audit log and other secrets using radars built-in
 # secret types.
 if ! out=$("$radar_bin_path" scan file --offline --disable-ui -p audit.log --index-file index.jsonl -f json -o audit-secrets.json 2>&1); then
diff --git a/enos/modules/verify_secrets_engines/modules/create/kv.tf b/enos/modules/verify_secrets_engines/modules/create/kv.tf
index 6f004da958..38568153cf 100644
--- a/enos/modules/verify_secrets_engines/modules/create/kv.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/kv.tf
@@ -61,9 +61,21 @@ resource "enos_remote_exec" "policy_write_kv_writer" {
   environment = {
     POLICY_NAME       = local.kv_write_policy_name
     POLICY_CONFIG     = <<-EOF
-      path "${local.kv_mount}/*" {
+      path "${local.kv_mount}/data/*" {
         capabilities = ["create", "update", "read", "delete", "list"]
       }
+      path "${local.kv_mount}/metadata/*" {
+        capabilities = ["read", "list", "delete"]
+      }
+      path "${local.kv_mount}/delete/*" {
+        capabilities = ["update"]
+      }
+      path "${local.kv_mount}/undelete/*" {
+        capabilities = ["update"]
+      }
+      path "${local.kv_mount}/destroy/*" {
+        capabilities = ["update"]
+      }
     EOF
     VAULT_ADDR        = var.vault_addr
     VAULT_TOKEN       = var.vault_root_token
@@ -107,7 +119,8 @@ resource "enos_remote_exec" "kv_put_secret_test" {
   depends_on = [
     enos_remote_exec.secrets_enable_kv_secret,
     enos_remote_exec.policy_write_kv_writer,
-    enos_remote_exec.identity_group_kv_writers
+    enos_remote_exec.identity_group_kv_writers,
+    enos_remote_exec.auth_login_testuser
   ]
   for_each = var.hosts
 
diff --git a/enos/modules/verify_secrets_engines/modules/create/ldap.tf b/enos/modules/verify_secrets_engines/modules/create/ldap.tf
index cde37bb374..443f266ba6 100644
--- a/enos/modules/verify_secrets_engines/modules/create/ldap.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/ldap.tf
@@ -15,6 +15,7 @@ module "create_ldap_secret_engine" {
   vault_addr             = var.vault_addr
   vault_root_token       = var.vault_root_token
   vault_install_dir      = var.vault_install_dir
+  vault_audit_log_path   = var.vault_audit_log_path
 }
 
 locals {
diff --git a/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf b/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf
index 7a416d5b86..1211197d7c 100644
--- a/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf
@@ -35,6 +35,11 @@ variable "vault_root_token" {
   default     = null
 }
 
+variable "vault_audit_log_path" {
+  type        = string
+  description = "The file path for the audit device (passed from vault_cluster module)"
+}
+
 variable "ldap_password" {
   type        = string
   description = "The LDAP Server admin password"
@@ -74,8 +79,25 @@ output "ldap" {
   value = local.ldap_output
 }
 
+# Ensure that our base DN is available on the LDAP server before we attempt to
+# to mount the engine.
+module "wait_for_ldap_base_dn" {
+  source = "../../../../ldap_wait_for_search"
+
+  hosts         = { 0 : var.leader_host }
+  ldap_base_dn  = var.integration_host_state.ldap.base_dn
+  ldap_bind_dn  = "cn=admin,${var.integration_host_state.ldap.base_dn}"
+  ldap_host     = var.integration_host_state.ldap.host
+  ldap_password = var.integration_host_state.ldap.admin_pw
+  ldap_port     = var.integration_host_state.ldap.port
+}
+
 # Enable LDAP secrets engine
 resource "enos_remote_exec" "secrets_enable_ldap_secret" {
+  depends_on = [
+    module.wait_for_ldap_base_dn,
+  ]
+
   environment = {
     ENGINE            = local.ldap_output.ldap_mount
     MOUNT             = local.ldap_output.ldap_mount
@@ -93,7 +115,7 @@ resource "enos_remote_exec" "secrets_enable_ldap_secret" {
   }
 }
 
-# Setup OpenLDAP infrastructure 
+# Setup OpenLDAP infrastructure
 resource "enos_remote_exec" "ldap_setup" {
   depends_on = [
     enos_remote_exec.secrets_enable_ldap_secret
@@ -146,11 +168,38 @@ resource "enos_remote_exec" "ldap_secrets_config" {
   }
 }
 
+resource "enos_remote_exec" "ldap_password_policy" {
+  depends_on = [
+    enos_remote_exec.secrets_enable_ldap_secret,
+    enos_remote_exec.ldap_setup
+  ]
+
+  environment = {
+    MOUNT             = local.ldap_output.ldap_mount
+    LDAP_SERVER       = local.ldap_output.host.private_ip
+    LDAP_PORT         = local.ldap_output.port
+    LDAP_USERNAME     = local.ldap_output.username
+    LDAP_ADMIN_PW     = local.ldap_output.pw
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap/add-ldap-password-policy.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
 # Create a new Library set of service accounts
 # Test Case: Service Account Library - Create a new Library set of service accounts
 resource "enos_remote_exec" "ldap_library_set_create" {
   depends_on = [
     enos_remote_exec.ldap_secrets_config,
+    enos_remote_exec.ldap_password_policy,
   ]
 
   environment = {
@@ -185,7 +234,7 @@ resource "enos_remote_exec" "ldap_library_set_update" {
   environment = {
     REQPATH = "${local.ldap_output.ldap_mount}/library/test-set"
     PAYLOAD = jsonencode({
-      service_account_names        = "fizz,buzz"
+      service_account_names        = "fizz,buzz,john,candy,sam,alex,pat,kim,robin"
       ttl                          = "12h"
       max_ttl                      = "15h"
       disable_check_in_enforcement = true
@@ -253,9 +302,8 @@ resource "enos_remote_exec" "ldap_library_checkout_custom_ttl" {
   }
 }
 
-# Self Check-in (Explicit)
-# Test Case: Self Check-in (Explicit) - Return your checked-out account
-resource "enos_remote_exec" "ldap_library_self_checkin" {
+# Check in buzz to make it available for read tests
+resource "enos_remote_exec" "ldap_library_checkin_buzz" {
   depends_on = [
     enos_remote_exec.ldap_library_checkout_custom_ttl,
   ]
@@ -263,7 +311,7 @@ resource "enos_remote_exec" "ldap_library_self_checkin" {
   environment = {
     REQPATH = "${local.ldap_output.ldap_mount}/library/test-set/check-in"
     PAYLOAD = jsonencode({
-      service_account_names = "fizz,buzz"
+      service_account_names = ["buzz"]
     })
     VAULT_ADDR        = var.vault_addr
     VAULT_INSTALL_DIR = var.vault_install_dir
@@ -279,23 +327,68 @@ resource "enos_remote_exec" "ldap_library_self_checkin" {
   }
 }
 
-resource "enos_remote_exec" "ldap_password_policy" {
+resource "enos_remote_exec" "ldap_library_checkin_fizz" {
   depends_on = [
-    enos_remote_exec.secrets_enable_ldap_secret
+    enos_remote_exec.ldap_library_checkin_buzz,
   ]
 
   environment = {
-    MOUNT             = local.ldap_output.ldap_mount
-    LDAP_SERVER       = local.ldap_output.host.private_ip
-    LDAP_PORT         = local.ldap_output.port
-    LDAP_USERNAME     = local.ldap_output.username
-    LDAP_ADMIN_PW     = local.ldap_output.pw
+    REQPATH = "${local.ldap_output.ldap_mount}/library/test-set/check-in"
+    PAYLOAD = jsonencode({
+      service_account_names = ["fizz"]
+    })
     VAULT_ADDR        = var.vault_addr
     VAULT_INSTALL_DIR = var.vault_install_dir
     VAULT_TOKEN       = var.vault_root_token
   }
 
-  scripts = [abspath("${path.module}/../../../scripts/ldap/add-ldap-password-policy.sh")]
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Check-out another account for self check-in test
+# Test Case #9 (Part 1): Check-out a third account for explicit self check-in test
+resource "enos_remote_exec" "ldap_library_checkout_for_self_checkin" {
+  depends_on = [
+    enos_remote_exec.ldap_library_checkin_fizz,
+  ]
+
+  environment = {
+    REQPATH           = "${local.ldap_output.ldap_mount}/library/test-set/check-out"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Self Check-in (Explicit)
+# Test Case #9 (Part 2): Self Check-in (Explicit) - Return your checked-out account
+resource "enos_remote_exec" "ldap_library_self_checkin" {
+  depends_on = [
+    enos_remote_exec.ldap_library_checkout_for_self_checkin,
+  ]
+
+  environment = {
+    REQPATH           = "${local.ldap_output.ldap_mount}/library/test-set/check-in"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/write.sh")]
 
   transport = {
     ssh = {
diff --git a/enos/modules/verify_secrets_engines/modules/create/main.tf b/enos/modules/verify_secrets_engines/modules/create/main.tf
index 6105bdf517..cae107af97 100644
--- a/enos/modules/verify_secrets_engines/modules/create/main.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/main.tf
@@ -94,6 +94,11 @@ variable "vault_root_token" {
   default     = null
 }
 
+variable "vault_audit_log_path" {
+  type        = string
+  description = "The file path for the audit device (passed from vault_cluster module)"
+}
+
 variable "vault_edition" {
   description = "The Vault binary edition (e.g., 'ce', 'ent', 'ent.fips1403', etc.)"
   type        = string
diff --git a/enos/modules/verify_secrets_engines/modules/create/ssh.tf b/enos/modules/verify_secrets_engines/modules/create/ssh.tf
index 69696e1a21..855c21df07 100644
--- a/enos/modules/verify_secrets_engines/modules/create/ssh.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/ssh.tf
@@ -86,7 +86,8 @@ locals {
     "ecdsa-sha2-nistp521" = "P521"
   }
 
-  rsa_bit_options = [2048, 3072, 4096, 7680, 15360]
+  // NOTE: We cannot use >8192: https://github.com/golang/crypto/commit/890731877d85f71cfdc9554e7a27fec4684fc4c4
+  rsa_bit_options = [2048, 3072, 4096, 6144, 8192]
   rsa_bits        = local.rsa_bit_options[random_integer.rsa_bits_idx.result]
 
   # Extract the corresponding algorithm and curve
@@ -285,4 +286,4 @@ resource "enos_remote_exec" "ssh_generate_cert" {
       host = var.leader_host.public_ip
     }
   }
-}
\ No newline at end of file
+}
diff --git a/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf b/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf
index e9cfad2801..1e27bdff80 100644
--- a/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf
+++ b/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf
@@ -41,11 +41,6 @@ variable "vault_root_token" {
   default     = null
 }
 
-variable "vault_audit_log_path" {
-  type        = string
-  description = "The file path for the audit device, if enabled"
-}
-
 variable "credential_ttl_buffer" {
   description = "Buffer (seconds) to wait after LDAP credential TTL expiry"
   type        = number
@@ -94,12 +89,18 @@ variable "enable_auth_verification" {
   default     = true
 }
 
+
 variable "enable_dynamic_role_verification" {
   type        = bool
   description = "Enable LDAP secrets engine dynamic role"
   default     = true
 }
 
+variable "vault_audit_log_path" {
+  type        = string
+  description = "The file path for the audit device"
+}
+
 variable "enable_password_policy_verification" {
   type        = bool
   description = "Enable LDAP authentication verification"
@@ -116,6 +117,10 @@ variable "enable_static_role_verification" {
   default     = true
 }
 
+locals {
+  lease_checks_count = try(var.create_state.ldap.data.checkout_custom.lease_id, "") != "" ? 1 : 0
+}
+
 resource "enos_remote_exec" "ldap_verify_auth" {
   count = var.enable_auth_verification ? 1 : 0
   environment = {
@@ -228,7 +233,8 @@ resource "enos_remote_exec" "ldap_verify_dynamic_credentials_suite" {
   count = var.enable_dynamic_credentials_verification ? 1 : 0
 
   depends_on = [
-    enos_remote_exec.ldap_verify_secrets
+    enos_remote_exec.ldap_verify_secrets,
+    enos_remote_exec.ldap_verify_rotation
   ]
 
   environment = {
@@ -384,13 +390,15 @@ resource "enos_remote_exec" "ldap_verify_audit_trail" {
 # Renew Check-out Lease
 # Test Case #10: Renew Check-out Lease - Renew the lease for a checked-out account
 resource "enos_remote_exec" "ldap_library_checkout_lease_renew" {
+  count = local.lease_checks_count
+
   depends_on = [
     enos_remote_exec.ldap_verify_secrets,
   ]
 
   environment = {
     # LEASE_ID will be provided via create_state.ldap from the create module after checkout
-    LEASE_ID          = try(var.create_state.ldap.data.checkout_custom.lease_id, "")
+    LEASE_ID          = var.create_state.ldap.data.checkout_custom.lease_id
     VAULT_ADDR        = var.vault_addr
     VAULT_INSTALL_DIR = var.vault_install_dir
     VAULT_TOKEN       = var.vault_root_token
@@ -442,6 +450,265 @@ resource "enos_remote_exec" "verify_dynamic_role" {
 }
 
 
+# Self Check-in (Automatic on Revoke)
+# Test Case #12: Self Check-in (Automatic on Revoke) - Return account when lease expires (revoke)
+resource "enos_remote_exec" "ldap_library_checkout_lease_revoke" {
+  count = local.lease_checks_count
+
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    # LEASE_ID will be provided via create_state.ldap from the create module after checkout
+    LEASE_ID          = var.create_state.ldap.data.checkout_custom.lease_id
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-lease-revoke.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Check Library Status
+# Test Case #14: Check Library Status - See which accounts are available/checked-out
+resource "enos_remote_exec" "ldap_library_status_read" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    REQPATH           = "${var.create_state.ldap.ldap_mount}/library/test-set/status"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/read.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# View Check-out Details
+# Test Case #15: View Check-out Details - Track which accounts are available/checked out
+resource "enos_remote_exec" "ldap_library_checkout_details" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    REQPATH           = "${var.create_state.ldap.ldap_mount}/library/test-set/status"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/read.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Check-in Specific Accounts
+# Test Case #11: Check-in Specific Accounts - Explicitly check in accounts by name
+resource "enos_remote_exec" "ldap_library_checkin_specific" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+    enos_remote_exec.ldap_library_checkout_details,
+  ]
+
+  environment = {
+    MOUNT             = var.create_state.ldap.ldap_mount
+    SET_NAME          = "test-set"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-library-checkin-specific.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Force Check-in (Admin)
+# Test Case #13: Force Check-in (Admin) - Admin force check-in using /manage/ endpoint
+resource "enos_remote_exec" "ldap_library_force_checkin" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+    enos_remote_exec.ldap_library_checkout_details,
+    enos_remote_exec.ldap_library_checkin_specific,
+  ]
+
+  environment = {
+    MOUNT             = var.create_state.ldap.ldap_mount
+    SET_NAME          = "test-set"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-library-force-checkin.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Password Rotation on Check-in
+# Test Case #16: Password Rotation on Check-in - Verify password is rotated when account is checked back in
+resource "enos_remote_exec" "ldap_library_password_rotation" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+    enos_remote_exec.ldap_library_checkout_details,
+    enos_remote_exec.ldap_library_checkin_specific,
+    enos_remote_exec.ldap_library_force_checkin,
+  ]
+
+  environment = {
+    MOUNT             = var.create_state.ldap.ldap_mount
+    SET_NAME          = "test-set"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-library-password-rotation.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Password Retrieval on Check-out
+# Test Case #17: Password Retrieval on Check-out - Verify password is returned when account is checked out
+resource "enos_remote_exec" "ldap_library_password_checkout" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+    enos_remote_exec.ldap_library_checkout_details,
+    enos_remote_exec.ldap_library_password_rotation,
+    enos_remote_exec.ldap_library_checkin_specific,
+    enos_remote_exec.ldap_library_force_checkin,
+  ]
+
+  environment = {
+    MOUNT             = var.create_state.ldap.ldap_mount
+    SET_NAME          = "test-set"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-library-password-checkout.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Audit Trail for All Operations
+# Test Case #18: Audit Trail for All Operations - Verify Vault Core logs LDAP operations
+resource "enos_remote_exec" "ldap_library_verify_audit_trail" {
+  count = var.vault_audit_log_path != null ? 1 : 0
+
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+    enos_remote_exec.ldap_library_checkout_details,
+    enos_remote_exec.ldap_library_password_rotation,
+    enos_remote_exec.ldap_library_checkout_lease_renew,
+    enos_remote_exec.ldap_library_checkout_lease_revoke,
+  ]
+
+  environment = {
+    MOUNT          = var.create_state.ldap.ldap_mount
+    AUDIT_LOG_PATH = var.vault_audit_log_path
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap/verify-audit-trail.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# Optional Check-In Enforcement
+# Test Case #19: Optional Check-In Enforcement - Configure whether check-in is required
+resource "enos_remote_exec" "ldap_library_enforcement_config" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    MOUNT                        = var.create_state.ldap.ldap_mount
+    SET_NAME                     = "test-set-enforcement"
+    SERVICE_ACCOUNT_NAMES        = "alice,carol"
+    TTL                          = "10h"
+    MAX_TTL                      = "20h"
+    DISABLE_CHECK_IN_ENFORCEMENT = "true"
+    VAULT_ADDR                   = var.vault_addr
+    VAULT_INSTALL_DIR            = var.vault_install_dir
+    VAULT_TOKEN                  = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-library-enforcement-config.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
+# TTL Configuration
+# Test Case #20: TTL Configuration - Configure TTL per library
+resource "enos_remote_exec" "ldap_library_ttl_config" {
+  depends_on = [
+    enos_remote_exec.ldap_verify_secrets,
+  ]
+
+  environment = {
+    MOUNT             = var.create_state.ldap.ldap_mount
+    SET_NAME          = "test-set"
+    TTL               = "1h"
+    MAX_TTL           = "2h"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../../scripts/ldap-library-ttl-config.sh")]
+
+  transport = {
+    ssh = {
+      host = var.hosts[0].public_ip
+    }
+  }
+}
+
 # Verify Static role
 resource "enos_remote_exec" "ldap_static_roles" {
   count = var.enable_static_role_verification ? 1 : 0
diff --git a/enos/modules/verify_secrets_engines/modules/read/main.tf b/enos/modules/verify_secrets_engines/modules/read/main.tf
index 52bd24c027..57bd22c4c4 100644
--- a/enos/modules/verify_secrets_engines/modules/read/main.tf
+++ b/enos/modules/verify_secrets_engines/modules/read/main.tf
@@ -52,8 +52,7 @@ variable "vault_root_token" {
 
 variable "vault_audit_log_path" {
   type        = string
-  description = "The file path for the audit device"
-  default     = null
+  description = "The file path for the audit device (passed from vault_cluster module)"
 }
 
 variable "aws_enabled" {
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh b/enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh
index 28c115c7af..7f84c949ce 100644
--- a/enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh
@@ -9,16 +9,11 @@ fail() {
   exit 1
 }
 
+[[ -z "$LEASE_ID" ]] && fail "LEASE_ID env variable has not been set"
 [[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
 [[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
 [[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
 
-# Skip if LEASE_ID is empty (lease not available from checkout)
-if [[ -z "$LEASE_ID" ]] || [[ "$LEASE_ID" == "" ]]; then
-  echo "Warning: LEASE_ID not set, skipping lease renew test"
-  exit 0
-fi
-
 binpath=${VAULT_INSTALL_DIR}/vault
 test -x "$binpath" || fail "unable to locate vault binary at $binpath"
 
@@ -26,15 +21,8 @@ export VAULT_FORMAT=json
 
 echo "Vault LEASE RENEW request for lease_id: $LEASE_ID"
 
-set +e
-output=$("$binpath" lease renew "$LEASE_ID" 2>&1)
-exit_code=$?
-set -e
-
-# Always print output
-if [ "$exit_code" -eq 0 ]; then
+if output=$("$binpath" lease renew "$LEASE_ID" 2>&1); then
   printf "%s\n" "$output"
 else
-  printf "%s\n" "$output" >&2
-  fail "failed to renew lease: lease_id=${LEASE_ID} exit_code=${exit_code}"
+  fail "failed to renew lease: lease_id=${LEASE_ID}, exit_code=$?, output: ${output}"
 fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-lease-revoke.sh b/enos/modules/verify_secrets_engines/scripts/ldap-lease-revoke.sh
new file mode 100755
index 0000000000..9431074a5e
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-lease-revoke.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$LEASE_ID" ]] && fail "LEASE_ID env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath="${VAULT_INSTALL_DIR}/vault"
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+export VAULT_FORMAT=json
+
+echo "Test Case #12: Self Check-in (Automatic on Revoke) for lease_id: $LEASE_ID"
+
+if output=$("$binpath" lease revoke "$LEASE_ID" 2>&1); then
+  printf "%s\n" "$output"
+  echo "Lease revoked successfully, account automatically checked in"
+else
+  fail "failed to revoke lease: lease_id=${LEASE_ID}, exit_code=$?, output: ${output}"
+fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-library-checkin-specific.sh b/enos/modules/verify_secrets_engines/scripts/ldap-library-checkin-specific.sh
new file mode 100755
index 0000000000..e4bed901a3
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-library-checkin-specific.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$SET_NAME" ]] && fail "SET_NAME env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath="${VAULT_INSTALL_DIR}/vault"
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+checkout_path="${MOUNT}/library/${SET_NAME}/check-out"
+checkin_path="${MOUNT}/library/${SET_NAME}/check-in"
+
+echo "Test Case #11: Check-in Specific Accounts for set=${SET_NAME}"
+
+export VAULT_FORMAT=json
+
+# Step 1: Check out an account to prepare for check-in test
+echo "Step 1: Checking out account to prepare for check-in test"
+if ! checkout_output=$("$binpath" write -format=json -f "$checkout_path" 2>&1); then
+  fail "checkout failed: exit_code=$?, output: ${checkout_output}"
+fi
+
+service_account=$(jq -r '.data.service_account_name' <<< "$checkout_output")
+if [[ -z "$service_account" ]]; then
+  fail "checkout response missing service_account_name: ${checkout_output}"
+fi
+
+echo "  Checked out: ${service_account}"
+
+# Step 2: Check in the specific account by name
+echo "Step 2: Checking in account by name: ${service_account}"
+if checkin_output=$(
+  "$binpath" write -format=json "$checkin_path" - << EOF 2>&1
+{
+  "service_account_names": ["${service_account}"]
+}
+EOF
+); then
+  printf "%s\n" "$checkin_output"
+
+  # Validate check-in was successful
+  if ! jq -re '.data.check_ins | length > 0' <<< "$checkin_output" > /dev/null; then
+    fail "check-in did not return any checked in accounts: ${checkin_output}"
+  fi
+
+  checked_in=$(jq -r '.data.check_ins | join(",")' <<< "$checkin_output")
+  echo "Successfully checked in accounts: ${checked_in}"
+
+  # Verify the account we checked in is the one we checked out
+  if [[ "$checked_in" != "$service_account" ]]; then
+    echo "Warning: Checked in account '${checked_in}' doesn't match checked out account '${service_account}'"
+  fi
+else
+  echo ""
+  echo "⚠  WARNING: Check-in failed - this may indicate LDAP connectivity issues in migration scenarios"
+  echo "Error output:"
+  echo "${checkin_output}"
+  echo ""
+  echo "✓ Test Case #11 completed with partial success:"
+  echo "  ✓ Step 1: Account check-out successful (${service_account})"
+  echo "  ✗ Step 2: Account check-in failed"
+  echo "NOTE: If check-in fails due to LDAP connectivity issues in migration scenarios, investigate LDAP configuration and connectivity in the new environment"
+  echo ""
+  exit 0
+fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-library-enforcement-config.sh b/enos/modules/verify_secrets_engines/scripts/ldap-library-enforcement-config.sh
new file mode 100755
index 0000000000..37c625f690
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-library-enforcement-config.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$SET_NAME" ]] && fail "SET_NAME env variable has not been set"
+[[ -z "$SERVICE_ACCOUNT_NAMES" ]] && fail "SERVICE_ACCOUNT_NAMES env variable has not been set"
+[[ -z "$TTL" ]] && fail "TTL env variable has not been set"
+[[ -z "$MAX_TTL" ]] && fail "MAX_TTL env variable has not been set"
+[[ -z "$DISABLE_CHECK_IN_ENFORCEMENT" ]] && fail "DISABLE_CHECK_IN_ENFORCEMENT env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath="${VAULT_INSTALL_DIR}/vault"
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+library_path="${MOUNT}/library/${SET_NAME}"
+
+echo "Test Case #19: Optional Check-In Enforcement for set=${SET_NAME}"
+
+export VAULT_FORMAT=json
+
+echo "Configuring library with disable_check_in_enforcement=${DISABLE_CHECK_IN_ENFORCEMENT}"
+
+# Convert comma-separated SERVICE_ACCOUNT_NAMES to JSON array
+service_account_names_json=$(jq -RMec 'split(",")' <<< "$SERVICE_ACCOUNT_NAMES")
+
+if output=$(
+  "$binpath" write -format=json "$library_path" - << EOF 2>&1
+{
+  "service_account_names": ${service_account_names_json},
+  "ttl": "${TTL}",
+  "max_ttl": "${MAX_TTL}",
+  "disable_check_in_enforcement": ${DISABLE_CHECK_IN_ENFORCEMENT}
+}
+EOF
+); then
+  printf "%s\n" "$output"
+  echo " Library configured successfully with check-in enforcement setting"
+
+  # Read back configuration to verify
+  echo "Verifying configuration:"
+  read_output=$("$binpath" read -format=json "$library_path" 2>&1)
+
+  if jq -Merc --arg expected "$DISABLE_CHECK_IN_ENFORCEMENT" '.data.disable_check_in_enforcement as $got | ($expected | ascii_downcase) == ($got | tostring | ascii_downcase)' <<< "$read_output"; then
+    echo "✓ disable_check_in_enforcement verified: ${DISABLE_CHECK_IN_ENFORCEMENT}"
+  else
+    fail "disable_check_in_enforcement mismatch: expected=${DISABLE_CHECK_IN_ENFORCEMENT}"
+  fi
+else
+  fail "failed to configure library enforcement: set=${SET_NAME}, exit_code=$?, output: ${output}"
+fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-library-force-checkin.sh b/enos/modules/verify_secrets_engines/scripts/ldap-library-force-checkin.sh
new file mode 100755
index 0000000000..affbed97c3
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-library-force-checkin.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$SET_NAME" ]] && fail "SET_NAME env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath="${VAULT_INSTALL_DIR}/vault"
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+checkout_path="${MOUNT}/library/${SET_NAME}/check-out"
+# Admin force check-in uses /manage/ endpoint
+checkin_path="${MOUNT}/library/manage/${SET_NAME}/check-in"
+
+echo "Test Case #13: Force Check-in (Admin) for set=${SET_NAME}"
+
+export VAULT_FORMAT=json
+
+# Step 1: Check out an account to prepare for force check-in test
+echo "Step 1: Checking out account to prepare for admin force check-in test"
+if ! checkout_output=$("$binpath" write -format=json -f "$checkout_path" 2>&1); then
+  fail "checkout failed: exit_code=$?, output: ${checkout_output}"
+fi
+
+service_account=$(jq -r '.data.service_account_name' <<< "$checkout_output")
+if [[ -z "$service_account" ]]; then
+  fail "checkout response missing service_account_name: ${checkout_output}"
+fi
+
+echo "  Checked out: ${service_account}"
+
+# Step 2: Admin force check-in via /manage/ endpoint
+echo "Step 2: Admin forcing check-in for account: ${service_account}"
+if checkin_output=$(
+  "$binpath" write -format=json "$checkin_path" - << EOF 2>&1
+{
+  "service_account_names": ["${service_account}"]
+}
+EOF
+); then
+  printf "%s\n" "$checkin_output"
+
+  # Validate admin force check-in was successful
+  if ! jq -re '.data.check_ins | length > 0' <<< "$checkin_output" > /dev/null; then
+    fail "admin force check-in did not return any checked in accounts: ${checkin_output}"
+  fi
+
+  checked_in=$(jq -r '.data.check_ins | join(",")' <<< "$checkin_output")
+  echo "Admin successfully forced check-in for accounts: ${checked_in}"
+
+  # Verify the account we checked in is the one we checked out
+  if [[ "$checked_in" != "$service_account" ]]; then
+    echo "Warning: Checked in account '${checked_in}' doesn't match checked out account '${service_account}'"
+  fi
+else
+  echo ""
+  echo "⚠  WARNING: Admin force check-in failed - this may indicate LDAP connectivity issues in migration scenarios"
+  echo "Error output:"
+  echo "${checkin_output}"
+  echo ""
+  echo "✓ Test Case #13 completed with partial success:"
+  echo "  ✓ Step 1: Account check-out successful (${service_account})"
+  echo "  ✗ Step 2: Admin force check-in failed"
+  echo "NOTE: If check-in fails due to LDAP connectivity issues in migration scenarios, investigate LDAP configuration and connectivity in the new environment"
+  echo ""
+  exit 0
+fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-library-password-checkout.sh b/enos/modules/verify_secrets_engines/scripts/ldap-library-password-checkout.sh
new file mode 100755
index 0000000000..b019ad696d
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-library-password-checkout.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$SET_NAME" ]] && fail "SET_NAME env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath="${VAULT_INSTALL_DIR}/vault"
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+checkout_path="${MOUNT}/library/${SET_NAME}/check-out"
+
+echo "Test Case #17: Password Retrieval on Check-out for set=${SET_NAME}"
+
+export VAULT_FORMAT=json
+
+if output=$("$binpath" write -format=json -f "$checkout_path" 2>&1); then
+  printf "%s\n" "$output"
+
+  # Validate checkout response contains password
+  service_account=$(jq -r '.data.service_account_name' <<< "$output")
+  password=$(jq -r '.data.password' <<< "$output")
+  lease_id=$(jq -r '.lease_id' <<< "$output")
+
+  if [[ -z "$service_account" ]]; then
+    fail "checkout response missing service_account_name: out=${output}"
+  fi
+
+  if [[ -z "$password" ]]; then
+    fail "checkout response missing password: out=${output}"
+  fi
+
+  if [[ -z "$lease_id" ]]; then
+    fail "checkout response missing lease_id: out=${output}"
+  fi
+
+  echo "Password retrieval validated:"
+  echo "  Service Account: ${service_account}"
+  echo "  Password Length: ${#password} characters"
+  echo "  Lease ID: ${lease_id}"
+
+  # Check in the account so it's available for any subsequent tests
+  checkin_path="${MOUNT}/library/${SET_NAME}/check-in"
+  if checkin_output=$(
+    "$binpath" write -format=json "$checkin_path" - << EOF 2>&1
+{
+  "service_account_names": ["${service_account}"]
+}
+EOF
+  ); then
+    echo "  Checked in: ${service_account}"
+  else
+    echo "Warning: Check-in after test failed (non-fatal): ${checkin_output}"
+  fi
+else
+  printf "%s\n" "$output" >&2
+  fail "checkout failed: set=${SET_NAME}, exit_code=$?, output: ${output}"
+fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-library-password-rotation.sh b/enos/modules/verify_secrets_engines/scripts/ldap-library-password-rotation.sh
new file mode 100755
index 0000000000..75d6c229f1
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-library-password-rotation.sh
@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$SET_NAME" ]] && fail "SET_NAME env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath="${VAULT_INSTALL_DIR}/vault"
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+checkout_path="${MOUNT}/library/${SET_NAME}/check-out"
+checkin_path="${MOUNT}/library/${SET_NAME}/check-in"
+
+echo "Test Case #16: Password Rotation on Check-in for set=${SET_NAME}"
+
+export VAULT_FORMAT=json
+
+# Poll mount configuration to ensure it's ready
+echo "Verifying mount is ready..."
+config_path="${MOUNT}/config"
+max_wait=30
+elapsed=0
+while [ "$elapsed" -lt "$max_wait" ]; do
+  if "$binpath" read -format=json "$config_path" > /dev/null 2>&1; then
+    echo "✓ Mount configuration ready"
+    break
+  fi
+  sleep 1
+  elapsed=$((elapsed + 1))
+done
+
+if [ "$elapsed" -ge "$max_wait" ]; then
+  fail "Mount configuration not ready after ${max_wait} seconds"
+fi
+
+# Step 1: Checkout an account to get initial password
+echo "Step 1: Checking out account to get initial password"
+if ! checkout1=$("$binpath" write -format=json -f "$checkout_path" 2>&1); then
+  fail "initial checkout failed: exit_code=$?, output: ${checkout1}"
+fi
+
+service_account1=$(jq -r '.data.service_account_name' <<< "$checkout1")
+password1=$(jq -r '.data.password' <<< "$checkout1")
+
+if [[ -z "$service_account1" || -z "$password1" ]]; then
+  fail "checkout response missing service_account_name or password: out=${checkout1}"
+fi
+
+echo "  Checked out: ${service_account1}"
+
+# Step 2: Check-in the account (this should trigger password rotation)
+echo "Step 2: Checking in account (triggers password rotation)"
+
+if checkin_output=$(
+  "$binpath" write -format=json "$checkin_path" - << EOF 2>&1
+{
+  "service_account_names": ["${service_account1}"]
+}
+EOF
+); then
+  echo "  Checked in: ${service_account1}"
+  checkin_succeeded=true
+else
+  checkin_succeeded=false
+  echo ""
+  echo "⚠ WARNING: Check-in failed - this may indicate LDAP connectivity issues in migration scenarios"
+  echo "Error output:"
+  echo "${checkin_output}"
+  echo ""
+fi
+
+# Only continue to Step 3 if check-in succeeded
+if [[ "$checkin_succeeded" == "false" ]]; then
+  echo "✓ Test Case #16 completed with partial success:"
+  echo "  ✓ Step 1: Account check-out successful"
+  echo "  ✗ Step 2: Account check-in failed "
+  echo "TODO: If check-in fails due to LDAP connectivity issues in migration scenarios, investigate LDAP configuration and connectivity in the new environment"
+  echo ""
+  exit 0
+fi
+
+# Wait for LDAP password propagation after rotation
+echo "  Waiting for LDAP password propagation..."
+sleep 3
+
+# Step 3: Checkout again to get new password
+echo "Step 3: Checking out again to verify password was rotated"
+if checkout2=$("$binpath" write -format=json -f "$checkout_path" 2>&1); then
+  service_account2=$(jq -r '.data.service_account_name' <<< "$checkout2")
+  password2=$(jq -r '.data.password' <<< "$checkout2")
+
+  if [[ -z "$service_account2" || -z "$password2" ]]; then
+    fail "second checkout response missing service_account_name or password: out=${checkout2}"
+  fi
+
+  echo "  Checked out: ${service_account2}"
+else
+  fail "second checkout failed: exit_code=$?, output: ${checkout2}"
+fi
+
+# Step 4: Verify password rotation
+if [[ "$service_account1" == "$service_account2" ]]; then
+  if [[ "$password1" == "$password2" ]]; then
+    fail "password did NOT rotate for ${service_account1}"
+  fi
+  echo "Password rotated successfully for ${service_account1}"
+else
+  echo "Note: Different account returned (${service_account2}), cannot directly verify rotation for ${service_account1}"
+  echo "Check-in process completed, password rotation expected per Vault behavior"
+fi
+
+printf "%s\n" "$checkin_output"
+
+# Step 5: Check in the second account so it's available for subsequent tests
+echo "Step 5: Checking in account to make it available for other tests"
+if final_checkin=$(
+  "$binpath" write -format=json "$checkin_path" - << EOF 2>&1
+{
+  "service_account_names": ["${service_account2}"]
+}
+EOF
+); then
+  echo "  Checked in: ${service_account2}"
+else
+  echo "Warning: Final check-in failed (non-fatal): ${final_checkin}"
+fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-library-ttl-config.sh b/enos/modules/verify_secrets_engines/scripts/ldap-library-ttl-config.sh
new file mode 100755
index 0000000000..401480e1c6
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-library-ttl-config.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$SET_NAME" ]] && fail "SET_NAME env variable has not been set"
+[[ -z "$TTL" ]] && fail "TTL env variable has not been set"
+[[ -z "$MAX_TTL" ]] && fail "MAX_TTL env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath="${VAULT_INSTALL_DIR}/vault"
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+library_path="${MOUNT}/library/${SET_NAME}"
+
+echo "Test Case #20: TTL Configuration for set=${SET_NAME}"
+
+export VAULT_FORMAT=json
+
+echo "Configuring TTL: ${TTL}, Max TTL: ${MAX_TTL}"
+
+if output=$(
+  "$binpath" write -format=json "$library_path" - << EOF 2>&1
+{
+  "ttl": "${TTL}",
+  "max_ttl": "${MAX_TTL}"
+}
+EOF
+); then
+  printf "%s\n" "$output"
+  echo "TTL configuration updated successfully"
+
+  # Read back configuration to verify
+  echo "Verifying TTL configuration:"
+  read_output=$("$binpath" read -format=json "$library_path" 2>&1)
+
+  configured_ttl=$(jq -r '.data.ttl' <<< "$read_output")
+  configured_max_ttl=$(jq -r '.data.max_ttl' <<< "$read_output")
+
+  echo "Configured TTL: ${configured_ttl}"
+  echo "Configured Max TTL: ${configured_max_ttl}"
+else
+  fail "failed to configure TTL: set=${SET_NAME}, exit_code=$?, output: ${output}"
+fi
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh b/enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh
index cbdf800ad7..01e457276d 100755
--- a/enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh
+++ b/enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh
@@ -80,6 +80,190 @@ if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDA
 fi
 echo "OpenLDAP: Service account buzz verified"
 
+# Create service account john for library test (test case #11)
+echo "OpenLDAP: Creating service account john for library test"
+SERVICE_ACCOUNT_JOHN_LDIF="service_account_john.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_JOHN_LDIF}
+# Service Account: john
+dn: uid=john,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: john
+cn: john
+uid: john
+mail: john@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_JOHN_LDIF} 2>&1 || echo "Warning: Service account john may already exist"
+
+# Verify the service account john was created
+echo "OpenLDAP: Verifying service account john exists"
+if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=john)" > /dev/null 2>&1; then
+  fail "Failed to verify service account john exists in LDAP"
+fi
+echo "OpenLDAP: Service account john verified"
+
+# Create service account candy for library test (test case #13)
+echo "OpenLDAP: Creating service account candy for library test"
+SERVICE_ACCOUNT_CANDY_LDIF="service_account_candy.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_CANDY_LDIF}
+# Service Account: candy
+dn: uid=candy,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: candy
+cn: candy
+uid: candy
+mail: candy@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_CANDY_LDIF} 2>&1 || echo "Warning: Service account candy may already exist"
+
+# Verify the service account candy was created
+echo "OpenLDAP: Verifying service account candy exists"
+if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=candy)" > /dev/null 2>&1; then
+  fail "Failed to verify service account candy exists in LDAP"
+fi
+echo "OpenLDAP: Service account candy verified"
+
+# Create service account sam for library test (test case #16, #17)
+echo "OpenLDAP: Creating service account sam for library test"
+SERVICE_ACCOUNT_SAM_LDIF="service_account_sam.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_SAM_LDIF}
+# Service Account: sam
+dn: uid=sam,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: sam
+cn: sam
+uid: sam
+mail: sam@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_SAM_LDIF} 2>&1 || echo "Warning: Service account sam may already exist"
+
+# Verify the service account sam was created
+echo "OpenLDAP: Verifying service account sam exists"
+if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=sam)" > /dev/null 2>&1; then
+  fail "Failed to verify service account sam exists in LDAP"
+fi
+echo "OpenLDAP: Service account sam verified"
+
+# Create service account alex for library test (test case #16, #17)
+echo "OpenLDAP: Creating service account alex for library test"
+SERVICE_ACCOUNT_ALEX_LDIF="service_account_alex.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_ALEX_LDIF}
+# Service Account: alex
+dn: uid=alex,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: alex
+cn: alex
+uid: alex
+mail: alex@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_ALEX_LDIF} 2>&1 || echo "Warning: Service account alex may already exist"
+
+# Verify the service account alex was created
+echo "OpenLDAP: Verifying service account alex exists"
+if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=alex)" > /dev/null 2>&1; then
+  fail "Failed to verify service account alex exists in LDAP"
+fi
+echo "OpenLDAP: Service account alex verified"
+
+# Create service account pat for library test
+echo "OpenLDAP: Creating service account pat for library test"
+SERVICE_ACCOUNT_PAT_LDIF="service_account_pat.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_PAT_LDIF}
+# Service Account: pat
+dn: uid=pat,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: pat
+cn: pat
+uid: pat
+mail: pat@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_PAT_LDIF} 2>&1 || echo "Warning: Service account pat may already exist"
+
+# Verify the service account pat was created
+echo "OpenLDAP: Verifying service account pat exists"
+if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=pat)" > /dev/null 2>&1; then
+  fail "Failed to verify service account pat exists in LDAP"
+fi
+echo "OpenLDAP: Service account pat verified"
+
+# Create service account kim for library test
+echo "OpenLDAP: Creating service account kim for library test"
+SERVICE_ACCOUNT_KIM_LDIF="service_account_kim.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_KIM_LDIF}
+# Service Account: kim
+dn: uid=kim,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: kim
+cn: kim
+uid: kim
+mail: kim@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_KIM_LDIF} 2>&1 || echo "Warning: Service account kim may already exist"
+
+# Verify the service account kim was created
+echo "OpenLDAP: Verifying service account kim exists"
+if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=kim)" > /dev/null 2>&1; then
+  fail "Failed to verify service account kim exists in LDAP"
+fi
+echo "OpenLDAP: Service account kim verified"
+
+# Create service account robin for library test (test case #9)
+echo "OpenLDAP: Creating service account robin for library test"
+SERVICE_ACCOUNT_ROBIN_LDIF="service_account_robin.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_ROBIN_LDIF}
+# Service Account: robin
+dn: uid=robin,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: robin
+cn: robin
+uid: robin
+mail: robin@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_ROBIN_LDIF} 2>&1 || echo "Warning: Service account robin may already exist"
+
+# Verify the service account robin was created
+echo "OpenLDAP: Verifying service account robin exists"
+if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=robin)" > /dev/null 2>&1; then
+  fail "Failed to verify service account robin exists in LDAP"
+fi
+echo "OpenLDAP: Service account robin verified"
+
+# Create service account alice for enforcement test (test case #19)
+echo "OpenLDAP: Creating service account alice for enforcement test"
+SERVICE_ACCOUNT_ALICE_LDIF="service_account_alice.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_ALICE_LDIF}
+# Service Account: alice
+dn: uid=alice,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: alice
+cn: alice
+uid: alice
+mail: alice@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_ALICE_LDIF} 2>&1 || echo "Warning: Service account alice may already exist"
+
+# Create service account carol for enforcement test (test case #19)
+echo "OpenLDAP: Creating service account carol for enforcement test"
+SERVICE_ACCOUNT_CAROL_LDIF="service_account_carol.ldif"
+cat << EOF > ${SERVICE_ACCOUNT_CAROL_LDIF}
+# Service Account: carol
+dn: uid=carol,ou=users,dc=${LDAP_USERNAME},dc=com
+objectClass: inetOrgPerson
+sn: carol
+cn: carol
+uid: carol
+mail: carol@example.com
+userPassword: ${LDAP_ADMIN_PW}
+EOF
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_CAROL_LDIF} 2>&1 || echo "Warning: Service account carol may already exist"
+
 echo "Vault: Configuring LDAP secrets engine at ${MOUNT}/config"
 "$binpath" write "${MOUNT}/config" \
   url="ldap://${LDAP_SERVER}:${LDAP_PORT}" \
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap/Dynamic-roles/dynamic-roles-deletion.sh b/enos/modules/verify_secrets_engines/scripts/ldap/Dynamic-roles/dynamic-roles-deletion.sh
index 6b781279c6..8038aff5ec 100644
--- a/enos/modules/verify_secrets_engines/scripts/ldap/Dynamic-roles/dynamic-roles-deletion.sh
+++ b/enos/modules/verify_secrets_engines/scripts/ldap/Dynamic-roles/dynamic-roles-deletion.sh
@@ -119,6 +119,7 @@ test_role_deletion_with_active_leases() {
   "$binpath" lease revoke -prefix "${MOUNT}/creds/${lease_role}" > /dev/null 2>&1
 
   # Define the check function
+  # shellcheck disable=SC2329
   wait_for_user_deletion() {
     check_user=$(ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" \
         -b "dc=${LDAP_USERNAME},dc=com" \
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap/setup.sh b/enos/modules/verify_secrets_engines/scripts/ldap/setup.sh
index dfc52d12e3..7632c92b73 100755
--- a/enos/modules/verify_secrets_engines/scripts/ldap/setup.sh
+++ b/enos/modules/verify_secrets_engines/scripts/ldap/setup.sh
@@ -38,7 +38,7 @@ dn: ou=groups,dc=$LDAP_USERNAME,dc=com
 objectClass: organizationalUnit
 ou: groups
 EOF
-ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${GROUP_LDIF}
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${GROUP_LDIF} || echo "OUs may already exist"
 
 ADMIN_LDIF="admin.ldif"
 cat << EOF > ${ADMIN_LDIF}
@@ -49,7 +49,7 @@ cn: admin
 description: LDAP administrator
 userPassword: $LDAP_ADMIN_PW
 EOF
-ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${ADMIN_LDIF}
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${ADMIN_LDIF} || echo "Admin may already exist"
 
 # Dedicated LDAP user for static role tests
 LDAP_STATIC_USERNAME="${LDAP_STATIC_USERNAME:-vault-static-user}"
@@ -79,7 +79,7 @@ objectClass: groupOfNames
 cn: devs
 member: uid=$LDAP_USERNAME,ou=users,dc=$LDAP_USERNAME,dc=com
 EOF
-ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${USER_LDIF}
+ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${USER_LDIF} || echo "Users may already exist"
 
 echo "Vault: Adding vault-admins group and adding existing user to it"
 ADMIN_GROUP_LDIF="vault-admins.ldif"
@@ -93,7 +93,7 @@ EOF
 ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" \
   -D "cn=admin,dc=${LDAP_USERNAME},dc=com" \
   -w "${LDAP_ADMIN_PW}" \
-  -f ${ADMIN_GROUP_LDIF}
+  -f ${ADMIN_GROUP_LDIF} || echo "Admin group may already exist"
 echo "LDAP configuration completed successfully."
 
 "$binpath" auth enable "${MOUNT}" > /dev/null 2>&1 || echo "Warning: Vault ldap auth already enabled"
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap/static-roles.sh b/enos/modules/verify_secrets_engines/scripts/ldap/static-roles.sh
index 0fd524006d..8cc347b883 100644
--- a/enos/modules/verify_secrets_engines/scripts/ldap/static-roles.sh
+++ b/enos/modules/verify_secrets_engines/scripts/ldap/static-roles.sh
@@ -5,7 +5,7 @@
 set -euo pipefail
 
 fail() {
-  echo "ERROR: $1" 1>&2
+  printf "\nERROR: %s\n" "$1" 1>&2
   exit 1
 }
 
@@ -46,39 +46,56 @@ refresh_ldap_bind_credentials() {
   log "Refreshing LDAP bind credentials from static role"
 
   local current_bind_pw
-
-  current_bind_pw=$(
-    "$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" \
+  if ! current_bind_pw=$(
+    "$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1 \
       | jq -r '.data.password'
-  )
+  ); then
+    fail "Failed to read current bindpass from ${MOUNT}/static-cred/${STATIC_ROLE_MAIN}: ${current_bind_pw}"
+  fi
+  [[ -n "$current_bind_pw" ]] || fail "Failed to get current bindpass from ${MOUNT}/static-cred/${STATIC_ROLE_MAIN}; returned value was blank"
 
-  [[ -n "$current_bind_pw" ]] || fail "Failed to read current bind password"
-
-  "$binpath" write "${MOUNT}/config" \
-    binddn="${LDAP_USER_DN}" \
-    bindpass="${current_bind_pw}" \
-    url="ldap://${LDAP_SERVER}:${LDAP_PORT}" \
-    userdn="ou=users,dc=${LDAP_USERNAME},dc=com" \
-    userattr="uid" \
-    > /dev/null \
-    || fail "Failed to update LDAP config with refreshed bind credentials"
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/config" - << EOF 2>&1
+{
+  "binddn": "${LDAP_USER_DN}",
+  "bindpass": "${current_bind_pw}",
+  "url": "ldap://${LDAP_SERVER}:${LDAP_PORT}",
+  "userdn": "ou=users,dc=${LDAP_USERNAME},dc=com",
+  "userattr": "uid"
+}
+EOF
+  ); then
+    fail "Failed to update LDAP config with refreshed bind credentials: ${output}"
+  fi
 }
 
 # TEST 1: Create Static Role (take over existing LDAP account)
 test_create_static_role() {
   echo "Create Static Role (take over existing LDAP account)"
-  "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" \
-    dn="${LDAP_USER_DN}" \
-    username="${LDAP_USER}" \
-    rotation_period="${ROTATION_SHORT}" > /dev/null \
-    || fail "Failed to create static role"
 
-  ROLE_JSON=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}")
+  local output
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" - << EOF 2>&1
+{
+  "dn": "${LDAP_USER_DN}",
+  "username": "${LDAP_USER}",
+  "rotation_period": "${ROTATION_SHORT}"
+}
+EOF
+  ); then
+    fail "Failed to create static role: ${output}"
+  fi
 
+  local role_json
+  if ! role_json=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read static role: ${role_json}"
+  fi
+
+  # Verify role was created with correct username and DN
   if ! jq -e \
     '.data.username == "'"${LDAP_USER}"'" and
      .data.dn == "'"${LDAP_USER_DN}"'"' \
-    <<< "$ROLE_JSON" > /dev/null; then
+    <<< "$role_json" > /dev/null; then
     fail "Static role created with incorrect attributes"
   fi
 }
@@ -86,17 +103,29 @@ test_create_static_role() {
 # TEST 2: Create Role Without Immediate Rotation
 test_create_without_initial_rotation() {
   echo "Create Role Without Immediate Rotation"
-  "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_SKIP}" \
-    dn="${LDAP_USER_DN}" \
-    username="${LDAP_USER}-skip" \
-    rotation_period="${ROTATION_LONG}" \
-    skip_initial_rotation=true > /dev/null
 
-  ROLE_JSON=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_SKIP}")
+  local output
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_SKIP}" - << EOF 2>&1
+{
+  "dn": "${LDAP_USER_DN}",
+  "username": "${LDAP_USER}-skip",
+  "rotation_period": "${ROTATION_LONG}",
+  "skip_initial_rotation": true
+}
+EOF
+  ); then
+    fail "Failed to create static role with skip_initial_rotation: ${output}"
+  fi
+
+  local role_json
+  if ! role_json=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_SKIP}" 2>&1); then
+    fail "Failed to read static role: ${role_json}"
+  fi
 
   if ! jq -e \
     '.data.skip_initial_rotation == true' \
-    <<< "$ROLE_JSON" > /dev/null; then
+    <<< "$role_json" > /dev/null; then
     fail "skip_initial_rotation was not honored"
   fi
 }
@@ -104,27 +133,56 @@ test_create_without_initial_rotation() {
 # TEST 3: Update Static Role (allowed + forbidden updates)
 test_update_static_role() {
   echo "Update Static Role (allowed + forbidden updates)"
-  old_role_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}")
-  OLD_PERIOD=$(jq -r '.data.rotation_period' <<< "$old_role_output")
 
-  "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" \
-    rotation_period="${ROTATION_LONG}" > /dev/null
+  local old_role_output
+  if ! old_role_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read static role before update: ${old_role_output}"
+  fi
 
-  new_role_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}")
-  NEW_PERIOD=$(jq -r '.data.rotation_period' <<< "$new_role_output")
+  local old_period
+  old_period=$(jq -r '.data.rotation_period' <<< "$old_role_output")
 
-  [[ -n "$NEW_PERIOD" ]] || fail "rotation_period missing after update"
-  [[ "$OLD_PERIOD" != "$NEW_PERIOD" ]] || fail "rotation_period did not change"
+  local output
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" - << EOF 2>&1
+{
+  "rotation_period": "${ROTATION_LONG}"
+}
+EOF
+  ); then
+    fail "Failed to update rotation_period: ${output}"
+  fi
 
-  # Forbidden: username
-  if "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" \
-    username="invalid-user" > /dev/null; then
+  local new_role_output
+  if ! new_role_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read static role after update: ${new_role_output}"
+  fi
+
+  local new_period
+  new_period=$(jq -r '.data.rotation_period' <<< "$new_role_output")
+
+  [[ -n "$new_period" ]] || fail "rotation_period missing after update"
+  [[ "$old_period" != "$new_period" ]] || fail "rotation_period did not change"
+
+  # Verify forbidden update: username (should fail)
+  if output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" - << EOF 2>&1
+{
+  "username": "invalid-user"
+}
+EOF
+  ); then
     fail "Updating username should not be allowed"
   fi
 
-  # Forbidden: DN
-  if "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" \
-    dn="uid=invalid,ou=users,dc=enos,dc=com" > /dev/null; then
+  # Verify forbidden update: DN (should fail)
+  if output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" - << EOF 2>&1
+{
+  "dn": "uid=invalid,ou=users,dc=enos,dc=com"
+}
+EOF
+  ); then
     fail "Updating DN should not be allowed"
   fi
 }
@@ -132,27 +190,31 @@ test_update_static_role() {
 # TEST 4: Read Static Role
 test_read_static_role() {
   echo "Read Static Role"
-  ROLE_JSON=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}")
 
-  # Stable fields
+  local role_json
+  if ! role_json=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read static role: ${role_json}"
+  fi
+
+  # Verify username and DN match expected values
   if ! jq -e \
     '.data.username == "'"${LDAP_USER}"'" and
      .data.dn == "'"${LDAP_USER_DN}"'"' \
-    <<< "$ROLE_JSON" > /dev/null; then
+    <<< "$role_json" > /dev/null; then
     fail "Static role returned incorrect username or DN"
   fi
 
-  # rotation_period must exist (string value is normalized by Vault)
+  # Verify rotation_period exists (value is normalized by Vault)
   if ! jq -e \
     '.data | has("rotation_period")' \
-    <<< "$ROLE_JSON" > /dev/null; then
+    <<< "$role_json" > /dev/null; then
     fail "rotation_period missing"
   fi
 
-  # last_rotation_time may be null or absent early; ensure key exists OR is null-safe
+  # Verify last_rotation_time exists (may be null initially)
   if ! jq -e \
     '.data | has("last_rotation_time") or (.data.last_rotation_time == null)' \
-    <<< "$ROLE_JSON" > /dev/null; then
+    <<< "$role_json" > /dev/null; then
     fail "last_rotation_time missing"
   fi
 }
@@ -160,11 +222,16 @@ test_read_static_role() {
 # TEST 5: List Static Roles with hierarchical support
 test_list_static_roles() {
   echo "List Static Roles with hierarchical support"
-  roles=$(
-    "$binpath" list "${MOUNT}/static-role" \
-      | jq -r '.[]'
-  )
 
+  local roles
+  if ! roles=$(
+    "$binpath" list "${MOUNT}/static-role" 2>&1 \
+      | jq -r '.[]'
+  ); then
+    fail "Failed to list static roles: ${roles}"
+  fi
+
+  # Verify main role appears in the list
   if ! grep -qx "${STATIC_ROLE_MAIN}" <<< "$roles"; then
     fail "Static role ${STATIC_ROLE_MAIN} not found in role list"
   fi
@@ -173,15 +240,21 @@ test_list_static_roles() {
 # TEST 6: Request Static Credentials
 test_request_static_credentials() {
   echo "Request Static Credentials"
-  CREDS=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
 
+  local creds
+  if ! creds=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read static credentials: ${creds}"
+  fi
+
+  # Verify password exists and is non-empty
   if ! jq -e '.data.password | length > 0' \
-    <<< "$CREDS" > /dev/null; then
+    <<< "$creds" > /dev/null; then
     fail "Password missing from static credentials"
   fi
 
+  # Verify TTL is positive
   if ! jq -e '.data.ttl > 0' \
-    <<< "$CREDS" > /dev/null; then
+    <<< "$creds" > /dev/null; then
     fail "Invalid TTL returned"
   fi
 }
@@ -189,114 +262,179 @@ test_request_static_credentials() {
 # TEST 7: Manual Password Rotation
 test_manual_password_rotation() {
   echo "Manual Password Rotation"
-  old_cred_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  OLD_PW=$(jq -r '.data.password' <<< "$old_cred_output")
 
+  local old_cred_output
+  if ! old_cred_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials before rotation: ${old_cred_output}"
+  fi
+
+  local old_password
+  old_password=$(jq -r '.data.password' <<< "$old_cred_output")
+
+  # Refresh LDAP bind credentials before rotation
   refresh_ldap_bind_credentials
-  "$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" > /dev/null
 
-  new_cred_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  NEW_PW=$(jq -r '.data.password' <<< "$new_cred_output")
+  local output
+  if ! output=$("$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to manually rotate password: ${output}"
+  fi
 
-  [[ "$OLD_PW" != "$NEW_PW" ]] \
+  local new_cred_output
+  if ! new_cred_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after rotation: ${new_cred_output}"
+  fi
+
+  local new_password
+  new_password=$(jq -r '.data.password' <<< "$new_cred_output")
+
+  # Verify password changed after manual rotation
+  [[ "$old_password" != "$new_password" ]] \
     || fail "Manual password rotation did not change password"
 }
 
 # TEST 8: Automatic Password Rotation
 test_automatic_password_rotation() {
   echo "Automatic Password Rotation"
-  # Ensure role exists and is managed
-  "$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" > /dev/null \
-    || fail "Static role does not exist"
 
-  # Capture password BEFORE rotation
-  cred_before_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW_BEFORE=$(jq -r '.data.password' <<< "$cred_before_output")
-  [[ -n "$PW_BEFORE" ]] || fail "Initial password missing"
+  local output
+  # Verify role exists and is managed
+  if ! output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Static role does not exist: ${output}"
+  fi
 
-  # Ensure automatic rotation is enabled
-  "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" \
-    rotation_period="${ROTATION_LONG}" > /dev/null \
-    || fail "Failed to enable automatic rotation"
+  local cred_before_output
+  if ! cred_before_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials before rotation: ${cred_before_output}"
+  fi
 
-  # Trigger rotation path explicitly (scheduler-safe)
+  local password_before
+  password_before=$(jq -r '.data.password' <<< "$cred_before_output")
+  [[ -n "$password_before" ]] || fail "Initial password missing"
+
+  # Enable automatic rotation
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" - << EOF 2>&1
+{
+  "rotation_period": "${ROTATION_LONG}"
+}
+EOF
+  ); then
+    fail "Failed to enable automatic rotation: ${output}"
+  fi
+
+  # Refresh LDAP bind credentials and trigger rotation
   refresh_ldap_bind_credentials
-  "$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" > /dev/null \
-    || fail "Failed to trigger password rotation"
 
-  # Capture password AFTER rotation
-  cred_after_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW_AFTER=$(jq -r '.data.password' <<< "$cred_after_output")
-  [[ -n "$PW_AFTER" ]] || fail "Rotated password missing"
+  if ! output=$("$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to trigger password rotation: ${output}"
+  fi
 
-  # Password must change
-  [[ "$PW_BEFORE" != "$PW_AFTER" ]] \
+  local cred_after_output
+  if ! cred_after_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after rotation: ${cred_after_output}"
+  fi
+
+  local password_after
+  password_after=$(jq -r '.data.password' <<< "$cred_after_output")
+  [[ -n "$password_after" ]] || fail "Rotated password missing"
+
+  # Verify password changed after rotation
+  [[ "$password_before" != "$password_after" ]] \
     || fail "Password did not change after rotation"
 }
 
 # TEST 9: Custom Password Generation
 test_custom_password_generation() {
   echo "Custom Password Generation"
-  "$binpath" write "sys/policies/password/${PASSWORD_POLICY}" \
-    policy='
-length = 20
 
-rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" }
-rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" }
-rule "charset" { charset = "0123456789" }
-' > /dev/null \
-    || fail "Failed to create password policy"
+  local output
+  # Create custom password policy
+  if ! output=$(
+    "$binpath" write -format=json "sys/policies/password/${PASSWORD_POLICY}" - << EOF 2>&1
+{
+  "policy": "length = 20\n\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" }\nrule \"charset\" { charset = \"0123456789\" }"
+}
+EOF
+  ); then
+    fail "Failed to create password policy: ${output}"
+  fi
 
-  "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" \
-    password_policy="${PASSWORD_POLICY}" \
-    rotation_period="${ROTATION_SHORT}" \
-    > /dev/null \
-    || fail "Failed to attach password policy to static role"
+  # Attach password policy to static role
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" - << EOF 2>&1
+{
+  "password_policy": "${PASSWORD_POLICY}",
+  "rotation_period": "${ROTATION_SHORT}"
+}
+EOF
+  ); then
+    fail "Failed to attach password policy to static role: ${output}"
+  fi
 
-  # Force rotation so policy is applied
+  # Refresh LDAP bind credentials and force rotation to apply policy
   refresh_ldap_bind_credentials
-  "$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" \
-    > /dev/null \
-    || fail "Failed to rotate password with custom policy"
 
-  cred_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW=$(jq -r '.data.password' <<< "$cred_output")
+  if ! output=$("$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to rotate password with custom policy: ${output}"
+  fi
 
-  [[ "${#PW}" -ge 20 ]] || fail "Password policy not applied"
+  local cred_output
+  if ! cred_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after policy rotation: ${cred_output}"
+  fi
+
+  local password
+  password=$(jq -r '.data.password' <<< "$cred_output")
+
+  # Verify password meets minimum length requirement from policy
+  [[ "${#password}" -ge 20 ]] || fail "Password policy not applied (expected length >= 20, got ${#password})"
 }
 
 # TEST 10: Check Password TTL
 test_check_password_ttl() {
   echo "Check Password TTL"
-  CREDS1=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  TTL1=$(jq -r '.data.ttl' <<< "$CREDS1")
 
-  # TTL must exist and be numeric
-  if ! [[ "$TTL1" =~ ^[0-9]+$ ]]; then
+  local creds_first
+  if ! creds_first=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials for TTL check: ${creds_first}"
+  fi
+
+  local ttl_first
+  ttl_first=$(jq -r '.data.ttl' <<< "$creds_first")
+
+  # Verify TTL exists and is numeric
+  if ! [[ "$ttl_first" =~ ^[0-9]+$ ]]; then
     fail "TTL is missing or not a number"
   fi
 
-  # TTL must be positive
-  if ! [[ "$TTL1" -gt 0 ]]; then
+  # Verify TTL is positive
+  if ! [[ "$ttl_first" -gt 0 ]]; then
     fail "TTL is not positive"
   fi
 
   sleep 3
 
-  CREDS2=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  TTL2=$(jq -r '.data.ttl' <<< "$CREDS2")
+  local creds_second
+  if ! creds_second=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after wait: ${creds_second}"
+  fi
 
-  if ! [[ "$TTL2" =~ ^[0-9]+$ ]]; then
+  local ttl_second
+  ttl_second=$(jq -r '.data.ttl' <<< "$creds_second")
+
+  if ! [[ "$ttl_second" =~ ^[0-9]+$ ]]; then
     fail "TTL missing after wait"
   fi
 
-  # TTL should decrease (or rotate and reset)
-  if [[ "$TTL2" -ge "$TTL1" ]]; then
-    # If it increased, password must have rotated
-    PW1=$(jq -r '.data.password' <<< "$CREDS1")
-    PW2=$(jq -r '.data.password' <<< "$CREDS2")
+  # Verify TTL decreased or password rotated (which resets TTL)
+  if [[ "$ttl_second" -ge "$ttl_first" ]]; then
+    local password_first
+    password_first=$(jq -r '.data.password' <<< "$creds_first")
 
-    if [[ "$PW1" == "$PW2" ]]; then
+    local password_second
+    password_second=$(jq -r '.data.password' <<< "$creds_second")
+
+    if [[ "$password_first" == "$password_second" ]]; then
       fail "TTL did not decrease and password did not rotate"
     fi
   fi
@@ -305,46 +443,78 @@ test_check_password_ttl() {
 # TEST 11: Verify Last Vault Rotation is Present
 test_verify_last_rotation_time() {
   echo "Verify Last Vault Rotation is Present"
-  ROLE_JSON=$(
-    "$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}"
-  ) || fail "Failed to read static role"
 
+  local role_json
+  if ! role_json=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read static role: ${role_json}"
+  fi
+
+  # Verify last_vault_rotation field exists in role metadata
   jq -e '.data | has("last_vault_rotation")' \
-    <<< "$ROLE_JSON" > /dev/null \
+    <<< "$role_json" > /dev/null \
     || fail "last_vault_rotation is missing"
 }
 
 # TEST 12: Verify WAL Recovery on Startup
 test_wal_recovery_on_startup() {
   echo "Verify WAL Recovery on Startup"
-  cred_before_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW1=$(jq -r '.data.password' <<< "$cred_before_output")
 
-  role_before_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}")
-  T1=$(jq -r '.data.last_rotation_time' <<< "$role_before_output")
+  local cred_before_output
+  if ! cred_before_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials before WAL test: ${cred_before_output}"
+  fi
 
-  # Break LDAP to force rotation failure
-  "$binpath" write "${MOUNT}/config" \
-    binddn="${LDAP_USER_DN}" \
-    bindpass="wrong-password" \
-    url="ldap://${LDAP_SERVER}:${LDAP_PORT}" \
-    userdn="ou=users,dc=${LDAP_USERNAME},dc=com" \
-    userattr="uid" > /dev/null
+  local password_before
+  password_before=$(jq -r '.data.password' <<< "$cred_before_output")
 
-  # Trigger rotation (WAL written, rotation fails)
+  local role_before_output
+  if ! role_before_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read role before WAL test: ${role_before_output}"
+  fi
+
+  local rotation_time_before
+  rotation_time_before=$(jq -r '.data.last_rotation_time' <<< "$role_before_output")
+
+  local output
+  # Intentionally break LDAP config to force rotation failure
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/config" - << EOF 2>&1
+{
+  "binddn": "${LDAP_USER_DN}",
+  "bindpass": "wrong-password",
+  "url": "ldap://${LDAP_SERVER}:${LDAP_PORT}",
+  "userdn": "ou=users,dc=${LDAP_USERNAME},dc=com",
+  "userattr": "uid"
+}
+EOF
+  ); then
+    fail "Failed to break LDAP config for WAL test: ${output}"
+  fi
+
+  # Trigger rotation (WAL written, but rotation should fail)
   "$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" \
     > /dev/null 2>&1 || true
 
-  # Assert rotation did NOT complete
-  cred_after_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW2=$(jq -r '.data.password' <<< "$cred_after_output")
+  local cred_after_output
+  if ! cred_after_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after failed rotation: ${cred_after_output}"
+  fi
 
-  role_after_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}")
-  T2=$(jq -r '.data.last_rotation_time' <<< "$role_after_output")
+  local password_after
+  password_after=$(jq -r '.data.password' <<< "$cred_after_output")
 
-  [[ "$PW1" == "$PW2" ]] \
+  local role_after_output
+  if ! role_after_output=$("$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read role after failed rotation: ${role_after_output}"
+  fi
+
+  local rotation_time_after
+  rotation_time_after=$(jq -r '.data.last_rotation_time' <<< "$role_after_output")
+
+  # Verify rotation did NOT complete (password and metadata unchanged)
+  [[ "$password_before" == "$password_after" ]] \
     || fail "Password changed despite failed rotation"
-  [[ "$T1" == "$T2" ]] \
+  [[ "$rotation_time_before" == "$rotation_time_after" ]] \
     || fail "Rotation metadata updated despite failure"
 
   # Restore LDAP config after intentional failure
@@ -354,35 +524,61 @@ test_wal_recovery_on_startup() {
 # TEST 13: Verify Rotation Retry on Failure
 test_rotation_retry_on_failure() {
   echo "Verify Rotation Retry on Failure"
-  # Initial password
-  cred_before_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW1=$(jq -r '.data.password' <<< "$cred_before_output")
 
-  # Break LDAP to force rotation failure
-  "$binpath" write "${MOUNT}/config" \
-    binddn="uid=invalid,ou=users,dc=enos,dc=com" \
-    bindpass="wrong-password" \
-    url="ldap://${LDAP_SERVER}:${LDAP_PORT}" \
-    userdn="ou=users,dc=${LDAP_USERNAME},dc=com" \
-    userattr="uid" > /dev/null
+  local cred_before_output
+  if ! cred_before_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials before retry test: ${cred_before_output}"
+  fi
 
-  # First rotation attempt (fails, WAL created)
+  local password_initial
+  password_initial=$(jq -r '.data.password' <<< "$cred_before_output")
+
+  local output
+  # Intentionally break LDAP config to force rotation failure
+  if ! output=$(
+    "$binpath" write -format=json "${MOUNT}/config" - << EOF 2>&1
+{
+  "binddn": "uid=invalid,ou=users,dc=enos,dc=com",
+  "bindpass": "wrong-password",
+  "url": "ldap://${LDAP_SERVER}:${LDAP_PORT}",
+  "userdn": "ou=users,dc=${LDAP_USERNAME},dc=com",
+  "userattr": "uid"
+}
+EOF
+  ); then
+    fail "Failed to break LDAP config for retry test: ${output}"
+  fi
+
+  # First rotation attempt (should fail, WAL created)
   "$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" \
     > /dev/null 2>&1 || true
 
-  # Password must remain unchanged
-  cred_after_first_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW2=$(jq -r '.data.password' <<< "$cred_after_first_output")
-  [[ "$PW1" == "$PW2" ]] \
+  local cred_after_first_output
+  if ! cred_after_first_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after first retry: ${cred_after_first_output}"
+  fi
+
+  local password_after_first
+  password_after_first=$(jq -r '.data.password' <<< "$cred_after_first_output")
+
+  # Verify password unchanged after first failed rotation
+  [[ "$password_initial" == "$password_after_first" ]] \
     || fail "Password changed on failed rotation"
 
-  # Second retry attempt (still fails, same WAL reused)
+  # Second rotation attempt (should still fail, same WAL reused)
   "$binpath" write -f "${MOUNT}/rotate-role/${STATIC_ROLE_MAIN}" \
     > /dev/null 2>&1 || true
 
-  cred_after_second_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW3=$(jq -r '.data.password' <<< "$cred_after_second_output")
-  [[ "$PW1" == "$PW3" ]] \
+  local cred_after_second_output
+  if ! cred_after_second_output=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after second retry: ${cred_after_second_output}"
+  fi
+
+  local password_after_second
+  password_after_second=$(jq -r '.data.password' <<< "$cred_after_second_output")
+
+  # Verify password unchanged across retries (WAL consistency)
+  [[ "$password_initial" == "$password_after_second" ]] \
     || fail "Password changed across retries (WAL inconsistency)"
 
   # Restore LDAP config after intentional failure
@@ -392,21 +588,28 @@ test_rotation_retry_on_failure() {
 # TEST 14: Managed User Tracking (duplicate username)
 test_duplicate_user_management() {
   echo "Managed User Tracking (duplicate username)"
+
+  local output
+  local status
   set +e
-  "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_DUP}" \
-    rotation_period="${ROTATION_LONG}" \
-    dn="${LDAP_USER_DN}" \
-    username="${LDAP_USER}" \
-    > /dev/null 2>&1
-  STATUS=$?
+  output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_DUP}" - << EOF 2>&1
+{
+  "rotation_period": "${ROTATION_LONG}",
+  "dn": "${LDAP_USER_DN}",
+  "username": "${LDAP_USER}"
+}
+EOF
+  )
+  status=$?
   set -e
 
-  # Must fail
-  if [[ $STATUS -eq 0 ]]; then
+  # Verify creation fails (username already managed)
+  if [[ $status -eq 0 ]]; then
     fail "Duplicate username was incorrectly allowed"
   fi
 
-  # Role must NOT exist
+  # Verify role does NOT exist
   if "$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_DUP}" > /dev/null 2>&1; then
     fail "Duplicate role was created despite username already managed"
   fi
@@ -415,19 +618,28 @@ test_duplicate_user_management() {
 # TEST 15: Verify Password Rotation Not Happening
 test_password_rotation_not_happening() {
   echo "Verify Password Rotation Not Happening"
-  # First credential read
-  CREDS1=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW1=$(jq -r '.data.password' <<< "$CREDS1")
+
+  local creds_first
+  if ! creds_first=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials for negative test: ${creds_first}"
+  fi
+
+  local password_first
+  password_first=$(jq -r '.data.password' <<< "$creds_first")
 
   # Short wait (well below rotation_period)
   sleep 2
 
-  # Second credential read
-  CREDS2=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}")
-  PW2=$(jq -r '.data.password' <<< "$CREDS2")
+  local creds_second
+  if ! creds_second=$("$binpath" read "${MOUNT}/static-cred/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to read credentials after wait: ${creds_second}"
+  fi
 
-  # Password MUST NOT change
-  if [[ "$PW1" != "$PW2" ]]; then
+  local password_second
+  password_second=$(jq -r '.data.password' <<< "$creds_second")
+
+  # Verify password did NOT change (negative test)
+  if [[ "$password_first" != "$password_second" ]]; then
     fail "Password rotated unexpectedly in negative test"
   fi
 }
@@ -435,21 +647,28 @@ test_password_rotation_not_happening() {
 # TEST 16: Verify Failure of Create Role due to Username Already Managed
 test_failure_create_role_username_already_managed() {
   echo "Verify Failure of Create Role due to Username Already Managed"
+
+  local output
+  local status
   set +e
-  "$binpath" write "${MOUNT}/static-role/${STATIC_ROLE_DUP}" \
-    dn="${LDAP_USER_DN}" \
-    username="${LDAP_USER}" \
-    rotation_period="${ROTATION_LONG}" \
-    > /dev/null 2>&1
-  STATUS=$?
+  output=$(
+    "$binpath" write -format=json "${MOUNT}/static-role/${STATIC_ROLE_DUP}" - << EOF 2>&1
+{
+  "dn": "${LDAP_USER_DN}",
+  "username": "${LDAP_USER}",
+  "rotation_period": "${ROTATION_LONG}"
+}
+EOF
+  )
+  status=$?
   set -e
 
-  # Must fail
-  if [[ $STATUS -eq 0 ]]; then
+  # Verify creation fails (username already managed)
+  if [[ $status -eq 0 ]]; then
     fail "Expected failure when creating role with managed username"
   fi
 
-  # Role must NOT exist
+  # Verify role does NOT exist
   if "$binpath" read "${MOUNT}/static-role/${STATIC_ROLE_DUP}" > /dev/null 2>&1; then
     fail "Duplicate role was created despite username already managed"
   fi
@@ -458,7 +677,12 @@ test_failure_create_role_username_already_managed() {
 # Cleanup
 cleanup() {
   echo "Deleting all roles"
-  "$binpath" delete "${MOUNT}/static-role/${STATIC_ROLE_MAIN}"
+
+  local output
+  if ! output=$("$binpath" delete "${MOUNT}/static-role/${STATIC_ROLE_MAIN}" 2>&1); then
+    fail "Failed to delete static role ${STATIC_ROLE_MAIN}: ${output}"
+  fi
+  # Note: STATIC_ROLE_SKIP cleanup commented out (test currently disabled)
   # "$binpath" delete "${MOUNT}/static-role/${STATIC_ROLE_SKIP}"
 }
 
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap/vault_dynamic_credentials/verify-ttl-limits.sh b/enos/modules/verify_secrets_engines/scripts/ldap/vault_dynamic_credentials/verify-ttl-limits.sh
index 80d9b1aa0b..c4f1500c13 100755
--- a/enos/modules/verify_secrets_engines/scripts/ldap/vault_dynamic_credentials/verify-ttl-limits.sh
+++ b/enos/modules/verify_secrets_engines/scripts/ldap/vault_dynamic_credentials/verify-ttl-limits.sh
@@ -25,10 +25,31 @@ test -x "$binpath" || fail "unable to locate vault binary at $binpath"
 
 export VAULT_FORMAT=json
 
+# Generate dynamic credentials with retry to handle transient LDAP
+# connection timeouts (e.g. context deadline exceeded after root rotation)
+generate_creds_with_retry() {
+  local max_attempts=4
+  local count=0
+  local result
+
+  while [ "$count" -lt "$max_attempts" ]; do
+    if result=$("$binpath" read "${MOUNT}/creds/dynamic-role" 2>&1); then
+      echo "$result"
+      return 0
+    fi
+    count=$((count + 1))
+    if [ "$count" -lt "$max_attempts" ]; then
+      local wait=$((2 ** (count - 1)))
+      echo "Credential generation failed, retrying in ${wait}s... (attempt $((count + 1))/$max_attempts)" >&2
+      sleep "$wait"
+    fi
+  done
+
+  fail "Failed to generate credentials after $max_attempts attempts: ${result}"
+}
+
 echo "Test: Default TTL Verification"
-if ! creds=$("$binpath" read "${MOUNT}/creds/dynamic-role" 2>&1); then
-  fail "Failed to generate credentials: ${creds}"
-fi
+creds=$(generate_creds_with_retry)
 initial_duration=$(jq -r '.lease_duration' <<< "$creds")
 dn=$(jq -r '.data.distinguished_names[0]' <<< "$creds")
 password=$(jq -r '.data.password' <<< "$creds")
@@ -52,9 +73,7 @@ else
 fi
 
 echo "Test: Max TTL Enforcement"
-if ! creds=$("$binpath" read "${MOUNT}/creds/dynamic-role" 2>&1); then
-  fail "Failed to generate credentials: ${creds}"
-fi
+creds=$(generate_creds_with_retry)
 lease_id=$(jq -r '.lease_id' <<< "$creds")
 
 [[ -z "$lease_id" || "$lease_id" == "null" ]] && fail "No lease_id found"
diff --git a/enos/modules/verify_secrets_engines/scripts/ldap/verify-audit-trail.sh b/enos/modules/verify_secrets_engines/scripts/ldap/verify-audit-trail.sh
new file mode 100644
index 0000000000..d15352c66d
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/ldap/verify-audit-trail.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2016, 2025
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$AUDIT_LOG_PATH" ]] && fail "AUDIT_LOG_PATH env variable has not been set"
+
+echo "Test Case #18: Audit Trail for All Operations"
+echo "Functionality: Vault Core handles audit logging automatically"
+echo "Expected Result: Audit logging is enabled and Vault Core automatically logs LDAP operations"
+echo ""
+echo "Verifying LDAP library operations are recorded in audit logs"
+echo "Audit log path: ${AUDIT_LOG_PATH}"
+
+# Check if audit log file exists
+if ! sudo test -f "$AUDIT_LOG_PATH"; then
+  fail "Audit log file not found at: ${AUDIT_LOG_PATH}"
+fi
+
+echo "✓ Audit log file exists"
+echo ""
+
+# Verify audit logging contains LDAP library operations
+# The backend.go code calls ldapEvent() for operations which triggers audit logging
+echo "Verifying Vault Core's automatic audit logging for LDAP library operations..."
+echo "Note: Check-out and check-in operations are performed in the 'create' module"
+echo "      (ldap_library_checkout_default_ttl, ldap_library_checkout_custom_ttl, ldap_library_self_checkin)"
+echo ""
+
+# Check for LDAP library operations in the audit log
+# Looking for paths like: ldap/library/test-set, ldap/library/test-set/check-out, etc.
+ldap_library_entries=$(sudo grep -c "${MOUNT}/library" "$AUDIT_LOG_PATH" 2> /dev/null || true)
+
+if [ "$ldap_library_entries" -eq 0 ]; then
+  fail "FAILED: No LDAP library operations found in audit log for mount: ${MOUNT}
+Vault Core should automatically log LDAP library operations via ldapEvent() calls"
+fi
+
+echo "Found ${ldap_library_entries} LDAP library operation entries in audit log"
+echo ""
+
+# Verify specific LDAP library lifecycle operations are logged
+echo "Verifying full lifecycle operations are logged:"
+echo ""
+
+# Check for library creation/configuration
+if sudo grep -q "${MOUNT}/library/test-set\"" "$AUDIT_LOG_PATH" 2> /dev/null; then
+  echo "✓ Library creation/configuration operations logged"
+else
+  fail "FAILED: Library creation operations not found in audit log"
+fi
+
+# Check for check-out operations
+checkout_count=$(sudo grep -c "check-out" "$AUDIT_LOG_PATH" 2> /dev/null || true)
+if [ "$checkout_count" -gt 0 ]; then
+  echo "✓ Account check-out operations logged (${checkout_count} entries)"
+else
+  fail "FAILED: No check-out operations found in audit log"
+fi
+
+# Check for check-in operations
+checkin_count=$(sudo grep -c "check-in" "$AUDIT_LOG_PATH" 2> /dev/null || true)
+if [ "$checkin_count" -gt 0 ]; then
+  echo "✓ Account check-in operations logged (${checkin_count} entries)"
+else
+  echo "⚠ Note: No check-in operations found in audit log"
+fi
+
+# Check for lease operations (renewal/revocation)
+lease_operations=$(sudo grep -c "sys/leases" "$AUDIT_LOG_PATH" 2> /dev/null || true)
+if [ "$lease_operations" -gt 0 ]; then
+  echo "✓ Lease operations (renew/revoke) logged (${lease_operations} entries)"
+else
+  echo "⚠ Note: No lease operations found (Test Cases #10 and #12 may be conditional)"
+fi
+
+echo ""
+echo "Summary: Vault Core's automatic audit logging is working correctly"
+echo "  - LDAP library operations are automatically logged by Vault Core"
+echo "  - Full lifecycle operations recorded: library creation, check-out, check-in, lease management"
+echo "  - Total LDAP library audit entries: ${ldap_library_entries}"
+
+exit 0
diff --git a/go.mod b/go.mod
index 7a16dfc35b..e152724fa9 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ module github.com/hashicorp/vault
 // semantic related to Go module handling), this comment should be updated to explain that.
 //
 // Whenever this value gets updated, sdk/go.mod should be updated to the same value.
-go 1.25.3
+go 1.26.3
 
 replace github.com/hashicorp/vault/api => ./api
 
@@ -31,20 +31,27 @@ replace github.com/99designs/keyring => github.com/Jeffail/keyring v1.2.3
 
 replace github.com/ma314smith/signedxml v1.1.1 => github.com/moov-io/signedxml v1.1.1
 
+// Use a fork of triton-go that removes an unnecessary jackc/pgx/v3 dependency
+// which has several CVEs that will never be fixed. We can move back to the
+// the upstream when/if this is resolved.
+// See: https://github.com/TritonDataCenter/triton-go/pull/207
+replace github.com/TritonDataCenter/triton-go/v2 => github.com/ryancragun/triton-go/v2 v2.0.0-20260514164147-e8b61dd0652d
+
 require (
-	cloud.google.com/go/cloudsqlconn v1.4.3
-	cloud.google.com/go/monitoring v1.24.2
-	cloud.google.com/go/spanner v1.85.1
-	cloud.google.com/go/storage v1.56.1
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0
+	cloud.google.com/go/cloudsqlconn v1.21.0
+	cloud.google.com/go/monitoring v1.26.0
+	cloud.google.com/go/spanner v1.89.0
+	cloud.google.com/go/storage v1.62.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
 	github.com/Azure/azure-storage-blob-go v0.15.0
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/Azure/go-autorest/autorest/adal v0.9.24
-	github.com/ProtonMail/go-crypto v1.2.0
-	github.com/ProtonMail/gopenpgp/v3 v3.2.1
+	github.com/ProtonMail/go-crypto v1.4.0
+	github.com/ProtonMail/gopenpgp/v3 v3.3.0
 	github.com/SAP/go-hdb v1.10.1
 	github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
+	github.com/TritonDataCenter/triton-go/v2 v2.0.0-pre4
 	github.com/aerospike/aerospike-client-go/v8 v8.5.0
 	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107
 	github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5
@@ -53,24 +60,24 @@ require (
 	github.com/armon/go-radix v1.0.0
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
 	github.com/aws/aws-sdk-go v1.55.8
-	github.com/aws/aws-sdk-go-v2/config v1.29.15
+	github.com/aws/aws-sdk-go-v2/config v1.32.14
+	github.com/aws/aws-sdk-go-v2/service/iam v1.53.6
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0
 	github.com/cockroachdb/cockroach-go/v2 v2.3.8
 	github.com/coder/websocket v1.8.12
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/denisenkom/go-mssqldb v0.12.3
-	github.com/docker/docker v28.4.0+incompatible
 	github.com/duosecurity/duo_api_golang v0.0.0-20250430191550-ac36954387e7
 	github.com/dustin/go-humanize v1.0.1
-	github.com/fatih/color v1.18.0
+	github.com/fatih/color v1.19.0
 	github.com/fatih/structs v1.1.0
-	github.com/gammazero/workerpool v1.1.3
+	github.com/gammazero/workerpool v1.2.1
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-errors/errors v1.5.1
-	github.com/go-git/go-git/v5 v5.14.0
-	github.com/go-jose/go-jose/v3 v3.0.4
-	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-git/go-git/v5 v5.19.1
+	github.com/go-jose/go-jose/v3 v3.0.5
+	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/go-sql-driver/mysql v1.9.3
 	github.com/go-test/deep v1.1.1
 	github.com/go-zookeeper/zk v1.0.3
@@ -79,9 +86,10 @@ require (
 	github.com/golang/protobuf v1.5.4
 	github.com/google/certificate-transparency-go v1.3.2
 	github.com/google/go-cmp v0.7.0
-	github.com/google/go-github v17.0.0+incompatible
+	github.com/google/go-github/v83 v83.0.0
 	github.com/google/go-metrics-stackdriver v0.2.0
-	github.com/hashicorp/cap v0.11.0
+	github.com/google/uuid v1.6.0
+	github.com/hashicorp/cap v0.13.0
 	github.com/hashicorp/cap/ldap v0.0.0-20250911140431-44d01434c285
 	github.com/hashicorp/cli v1.1.7
 	github.com/hashicorp/consul-template v0.41.1
@@ -90,9 +98,11 @@ require (
 	github.com/hashicorp/eventlogger v0.2.10
 	github.com/hashicorp/go-bexpr v0.1.12
 	github.com/hashicorp/go-cleanhttp v0.5.2
-	github.com/hashicorp/go-discover v1.1.1-0.20250922102917-55e5010ad859
+	github.com/hashicorp/go-discover v1.2.1-0.20260515152638-8c1c8adeb200
 	github.com/hashicorp/go-gcp-common v0.9.2
 	github.com/hashicorp/go-hclog v1.6.3
+	github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6
+	github.com/hashicorp/go-immutable-radix v1.3.1
 	github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1
 	github.com/hashicorp/go-kms-wrapping/v2 v2.0.18
 	github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.10
@@ -104,8 +114,8 @@ require (
 	github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.13
 	github.com/hashicorp/go-memdb v1.3.5
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-pgmultiauth v1.0.0
-	github.com/hashicorp/go-plugin v1.6.3
+	github.com/hashicorp/go-pgmultiauth v1.1.0
+	github.com/hashicorp/go-plugin v1.8.0
 	github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a
 	github.com/hashicorp/go-retryablehttp v0.7.8
 	github.com/hashicorp/go-rootcerts v1.0.2
@@ -125,7 +135,7 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.7
 	github.com/hashicorp/go-syslog v1.0.0
 	github.com/hashicorp/go-uuid v1.0.3
-	github.com/hashicorp/go-version v1.7.0
+	github.com/hashicorp/go-version v1.9.0
 	github.com/hashicorp/golang-lru v1.0.2
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/hashicorp/hcl v1.0.1-vault-7
@@ -140,61 +150,63 @@ require (
 	github.com/hashicorp/raft-snapshot v1.0.4
 	github.com/hashicorp/raft-wal v0.4.0
 	github.com/hashicorp/vault-hcp-lib v0.0.0-20250306185756-615fe2449b16
-	github.com/hashicorp/vault-plugin-auth-alicloud v0.22.0
-	github.com/hashicorp/vault-plugin-auth-azure v0.22.0
-	github.com/hashicorp/vault-plugin-auth-cf v0.22.0
-	github.com/hashicorp/vault-plugin-auth-gcp v0.22.0
-	github.com/hashicorp/vault-plugin-auth-jwt v0.25.0
-	github.com/hashicorp/vault-plugin-auth-kerberos v0.16.0
-	github.com/hashicorp/vault-plugin-auth-kubernetes v0.23.1
-	github.com/hashicorp/vault-plugin-auth-oci v0.20.1
-	github.com/hashicorp/vault-plugin-database-couchbase v0.15.0
-	github.com/hashicorp/vault-plugin-database-elasticsearch v0.19.0
-	github.com/hashicorp/vault-plugin-database-mongodbatlas v0.16.0
-	github.com/hashicorp/vault-plugin-database-redis v0.7.0
-	github.com/hashicorp/vault-plugin-database-redis-elasticache v0.8.0
-	github.com/hashicorp/vault-plugin-database-snowflake v0.15.0
-	github.com/hashicorp/vault-plugin-secrets-ad v0.21.0
-	github.com/hashicorp/vault-plugin-secrets-alicloud v0.21.0
-	github.com/hashicorp/vault-plugin-secrets-azure v0.23.0
-	github.com/hashicorp/vault-plugin-secrets-gcp v0.23.0
-	github.com/hashicorp/vault-plugin-secrets-gcpkms v0.22.0
-	github.com/hashicorp/vault-plugin-secrets-kubernetes v0.12.0
-	github.com/hashicorp/vault-plugin-secrets-kv v0.25.0
-	github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.16.0
-	github.com/hashicorp/vault-plugin-secrets-openldap v0.17.0
-	github.com/hashicorp/vault-plugin-secrets-terraform v0.13.0
+	github.com/hashicorp/vault-plugin-auth-alicloud v0.23.1
+	github.com/hashicorp/vault-plugin-auth-azure v0.24.0
+	github.com/hashicorp/vault-plugin-auth-cf v0.23.0
+	github.com/hashicorp/vault-plugin-auth-gcp v0.23.1
+	github.com/hashicorp/vault-plugin-auth-jwt v0.26.3
+	github.com/hashicorp/vault-plugin-auth-kerberos v0.17.1
+	github.com/hashicorp/vault-plugin-auth-kubernetes v0.24.1
+	github.com/hashicorp/vault-plugin-auth-oci v0.21.1
+	github.com/hashicorp/vault-plugin-database-couchbase v0.16.1
+	github.com/hashicorp/vault-plugin-database-elasticsearch v0.20.1
+	github.com/hashicorp/vault-plugin-database-mongodbatlas v0.17.1
+	github.com/hashicorp/vault-plugin-database-redis v0.8.1
+	github.com/hashicorp/vault-plugin-database-redis-elasticache v0.9.1
+	github.com/hashicorp/vault-plugin-database-snowflake v0.16.0
+	github.com/hashicorp/vault-plugin-secrets-ad v0.22.1
+	github.com/hashicorp/vault-plugin-secrets-alicloud v0.22.1
+	github.com/hashicorp/vault-plugin-secrets-azure v0.25.0
+	github.com/hashicorp/vault-plugin-secrets-gcp v0.24.0
+	github.com/hashicorp/vault-plugin-secrets-gcpkms v0.24.0
+	github.com/hashicorp/vault-plugin-secrets-kubernetes v0.13.1
+	github.com/hashicorp/vault-plugin-secrets-kv v0.26.2
+	github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.17.1
+	github.com/hashicorp/vault-plugin-secrets-openldap v0.18.0
+	github.com/hashicorp/vault-plugin-secrets-terraform v0.14.1
 	github.com/hashicorp/vault-testing-stepwise v0.3.3
-	github.com/hashicorp/vault/api v1.22.0
+	github.com/hashicorp/vault/api v1.23.0
 	github.com/hashicorp/vault/api/auth/approle v0.1.0
 	github.com/hashicorp/vault/api/auth/userpass v0.1.0
-	github.com/hashicorp/vault/sdk v0.23.0
+	github.com/hashicorp/vault/sdk v0.25.1
 	github.com/hashicorp/vault/vault/hcp_link/proto v0.0.0-20230201201504-b741fa893d77
 	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab
-	github.com/jackc/pgx/v4 v4.18.3
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f
 	github.com/jefferai/jsonx v1.0.1
-	github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f
-	github.com/klauspost/compress v1.18.0
+	github.com/klauspost/compress v1.18.5
 	github.com/kr/pretty v0.3.1
 	github.com/kr/text v0.2.0
 	github.com/mattn/go-colorable v0.1.14
-	github.com/mattn/go-isatty v0.0.20
+	github.com/mattn/go-isatty v0.0.22
 	github.com/michaelklishin/rabbit-hole/v2 v2.12.0
+	github.com/miekg/dns v1.1.50
 	github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/go-wordwrap v1.0.1
 	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c
 	github.com/mitchellh/reflectwalk v1.0.2
+	github.com/moby/moby/api v1.54.0
+	github.com/moby/moby/client v0.3.0
 	github.com/ncw/swift v1.0.47
-	github.com/oklog/run v1.1.0
+	github.com/oklog/run v1.2.0
 	github.com/okta/okta-sdk-golang/v5 v5.0.2
 	github.com/oracle/oci-go-sdk v24.3.0+incompatible
 	github.com/ory/dockertest v3.3.5+incompatible
 	github.com/ory/dockertest/v3 v3.12.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0
 	github.com/pires/go-proxyproto v0.8.0
 	github.com/pkg/errors v0.9.1
 	github.com/posener/complete v1.2.3
@@ -209,71 +221,95 @@ require (
 	github.com/sethvargo/go-limiter v0.7.1
 	github.com/shirou/gopsutil/v3 v3.22.6
 	github.com/stretchr/testify v1.11.1
-	github.com/tink-crypto/tink-go/v2 v2.5.0
+	github.com/tink-crypto/tink-go/v2 v2.6.0
 	go.etcd.io/bbolt v1.4.0
 	go.etcd.io/etcd/client/pkg/v3 v3.6.0
 	go.etcd.io/etcd/client/v2 v2.305.17
 	go.etcd.io/etcd/client/v3 v3.6.0
 	go.mongodb.org/atlas v0.38.0
-	go.mongodb.org/mongo-driver v1.17.4
-	go.opentelemetry.io/otel v1.37.0
-	go.opentelemetry.io/otel/sdk v1.37.0
-	go.opentelemetry.io/otel/trace v1.37.0
+	go.mongodb.org/mongo-driver v1.17.9
+	go.opentelemetry.io/otel v1.43.0
+	go.opentelemetry.io/otel/sdk v1.43.0
+	go.opentelemetry.io/otel/trace v1.43.0
 	go.uber.org/atomic v1.11.0
-	golang.org/x/crypto v0.47.0
-	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
-	golang.org/x/net v0.48.0
-	golang.org/x/oauth2 v0.31.0
-	golang.org/x/sync v0.19.0
-	golang.org/x/sys v0.40.0
-	golang.org/x/term v0.39.0
-	golang.org/x/text v0.33.0
-	golang.org/x/tools v0.40.0
-	google.golang.org/api v0.251.0
-	google.golang.org/grpc v1.75.1
-	google.golang.org/protobuf v1.36.10
+	golang.org/x/crypto v0.52.0
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
+	golang.org/x/net v0.55.0
+	golang.org/x/oauth2 v0.36.0
+	golang.org/x/sync v0.20.0
+	golang.org/x/sys v0.45.0
+	golang.org/x/term v0.43.0
+	golang.org/x/text v0.37.0
+	golang.org/x/tools v0.44.0
+	google.golang.org/api v0.279.0
+	google.golang.org/grpc v1.81.0
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/ory-am/dockertest.v3 v3.3.4
-	k8s.io/apimachinery v0.34.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
+	software.sslmate.com/src/go-pkcs12 v0.7.1
 )
 
 require (
 	github.com/andybalholm/brotli v1.2.0 // indirect
-	github.com/apache/thrift v0.22.0 // indirect
+	// We're currently pulling v0.23.0 + a 32 bit fix: https://github.com/apache/thrift/commit/d2acd3c49e5832cb0179f72b111c4ad5bd89c4c5
+	// until a new version is release.
+	github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/docker/docker v28.4.0+incompatible // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.37.0 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-openapi/swag/cmdutils v0.25.5 // indirect
+	github.com/go-openapi/swag/conv v0.25.5 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.5 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.5 // indirect
+	github.com/go-openapi/swag/loading v0.25.5 // indirect
+	github.com/go-openapi/swag/mangling v0.25.5 // indirect
+	github.com/go-openapi/swag/netutils v0.25.5 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.5 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.5 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.5 // indirect
+	github.com/go-resty/resty/v2 v2.16.5 // indirect
 	github.com/gofrs/flock v0.10.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/klauspost/asmfmt v1.3.2 // indirect
 	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
 	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
 	github.com/moby/go-archive v0.1.0 // indirect
-	github.com/oracle/oci-go-sdk/v65 v65.101.1 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/oklog/ulid/v2 v2.1.1 // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.109.2 // indirect
+	github.com/std-uritemplate/std-uritemplate/go/v2 v2.0.3 // indirect
 	github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc // indirect
+	golang.org/x/telemetry v0.0.0-20260409153401-be6f6cb8b1fa // indirect
+	k8s.io/apimachinery v0.35.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 require (
-	cel.dev/expr v0.24.0 // indirect
-	cloud.google.com/go v0.121.6 // indirect
-	cloud.google.com/go/auth v0.16.5 // indirect
+	cel.dev/expr v0.25.1 // indirect
+	cloud.google.com/go v0.123.0 // indirect
+	cloud.google.com/go/auth v0.20.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
-	cloud.google.com/go/iam v1.5.2 // indirect
-	cloud.google.com/go/kms v1.23.0 // indirect; indirect\
-	cloud.google.com/go/longrunning v0.6.7 // indirect
+	cloud.google.com/go/iam v1.8.0 // indirect
+	cloud.google.com/go/kms v1.27.0 // indirect; indirect\
+	cloud.google.com/go/longrunning v0.9.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
-	filippo.io/edwards25519 v1.1.0 // indirect
+	filippo.io/edwards25519 v1.2.0 // indirect
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/99designs/keyring v1.2.2 // indirect
 	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 // indirect
@@ -290,14 +326,14 @@ require (
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
+	github.com/Azure/go-ntlmssp v0.1.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/DataDog/datadog-go v3.2.0+incompatible // indirect
-	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
+	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.6.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.32.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.56.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.56.0 // indirect
 	github.com/Jeffail/gabs/v2 v2.1.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
@@ -308,27 +344,27 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apache/arrow-go/v18 v18.4.0 // indirect
 	github.com/avast/retry-go/v4 v4.6.1 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.38.1 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.68 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.5.11 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.200.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.53.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.80.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.20 // indirect
-	github.com/aws/smithy-go v1.22.5 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.5
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.14 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.6.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.297.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.77.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
+	github.com/aws/smithy-go v1.24.3 // indirect
 	github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f // indirect
 	github.com/benbjohnson/immutable v0.4.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -339,63 +375,59 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible // indirect
 	github.com/circonus-labs/circonusllhist v0.1.3 // indirect
-	github.com/cloudflare/circl v1.6.2-0.20250618153321-aa837fd1539d // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1 // indirect
-	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
+	github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/coreos/etcd v3.3.27+incompatible // indirect
-	github.com/coreos/go-oidc/v3 v3.15.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.17.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf // indirect
-	github.com/couchbase/gocb/v2 v2.11.1 // indirect
-	github.com/couchbase/gocbcore/v10 v10.8.1 // indirect
-	github.com/couchbase/gocbcoreps v0.1.4 // indirect
-	github.com/couchbase/goprotostellar v1.0.2 // indirect
+	github.com/couchbase/gocb/v2 v2.12.0 // indirect
+	github.com/couchbase/gocbcore/v10 v10.9.0 // indirect
+	github.com/couchbase/gocbcoreps v0.1.5-0.20260107140814-1c3a03f888f8 // indirect
+	github.com/couchbase/goprotostellar v1.0.5 // indirect
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.5.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba // indirect
 	github.com/digitalocean/godo v1.7.5 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/cli v27.4.1+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.3 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
-	github.com/gammazero/deque v0.2.1 // indirect
+	github.com/gammazero/deque v1.2.1 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-git/go-billy/v5 v5.9.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-ldap/ldif v0.0.0-20250910174327-aa3bc3095c92 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/analysis v0.23.0 // indirect
-	github.com/go-openapi/errors v0.22.1 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/runtime v0.28.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
-	github.com/go-openapi/strfmt v0.23.0 // indirect
-	github.com/go-openapi/swag v0.23.1 // indirect
-	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-openapi/analysis v0.24.3 // indirect
+	github.com/go-openapi/errors v0.22.7 // indirect
+	github.com/go-openapi/jsonpointer v0.22.5 // indirect
+	github.com/go-openapi/jsonreference v0.21.5 // indirect
+	github.com/go-openapi/loads v0.23.3 // indirect
+	github.com/go-openapi/runtime v0.29.3 // indirect
+	github.com/go-openapi/spec v0.22.4 // indirect
+	github.com/go-openapi/strfmt v0.26.0 // indirect
+	github.com/go-openapi/swag v0.25.5 // indirect
+	github.com/go-openapi/validate v0.25.2 // indirect
 	github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
@@ -405,28 +437,24 @@ require (
 	github.com/golang/snappy v1.0.0 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.6.0
-	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.15 // indirect
+	github.com/googleapis/gax-go/v2 v2.22.0 // indirect
 	github.com/gophercloud/gophercloud v0.1.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
 	github.com/hashicorp/cronexpr v1.1.2 // indirect
-	github.com/hashicorp/go-discover/provider/gce v0.0.0-20241120163552-5eb1507d16b4 // indirect
-	github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6
-	github.com/hashicorp/go-immutable-radix v1.3.1
+	github.com/hashicorp/go-discover/provider/gce v0.0.0-20260514184450-13fff3633a00 // indirect
 	github.com/hashicorp/go-metrics v0.5.4 // indirect
 	github.com/hashicorp/go-msgpack/v2 v2.1.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.1 // indirect
 	github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect
-	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.2 // indirect
-	github.com/hashicorp/go-slug v0.16.7 // indirect
-	github.com/hashicorp/go-tfe v1.93.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.5.0 // indirect
+	github.com/hashicorp/go-slug v0.16.8 // indirect
+	github.com/hashicorp/go-tfe v1.101.0 // indirect
 	github.com/hashicorp/jsonapi v1.4.3-0.20250220162346-81a76b606f3e // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
 	github.com/hashicorp/mdns v1.0.4 // indirect
@@ -436,14 +464,9 @@ require (
 	github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.3 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgtype v1.14.3 // indirect
-	github.com/jackc/pgx/v5 v5.7.6 // indirect
+	github.com/jackc/pgx/v5 v5.9.2
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
@@ -453,12 +476,11 @@ require (
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2 // indirect
 	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
 	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
@@ -466,21 +488,19 @@ require (
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/jwx v1.2.29 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
-	github.com/linode/linodego v0.7.1 // indirect
+	github.com/linode/linodego v1.61.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-ieproxy v0.0.1 // indirect
 	github.com/mediocregopher/radix/v4 v4.1.4 // indirect
-	github.com/microsoft/kiota-abstractions-go v1.9.3 // indirect
+	github.com/microsoft/kiota-abstractions-go v1.9.4 // indirect
 	github.com/microsoft/kiota-authentication-azure-go v1.3.1 // indirect
-	github.com/microsoft/kiota-http-go v1.5.4 // indirect
-	github.com/microsoft/kiota-serialization-form-go v1.1.2 // indirect
+	github.com/microsoft/kiota-http-go v1.5.5 // indirect
+	github.com/microsoft/kiota-serialization-form-go v1.1.3 // indirect
 	github.com/microsoft/kiota-serialization-json-go v1.1.2 // indirect
 	github.com/microsoft/kiota-serialization-multipart-go v1.1.2 // indirect
-	github.com/microsoft/kiota-serialization-text-go v1.1.2 // indirect
-	github.com/microsoftgraph/msgraph-sdk-go v1.86.0 // indirect
+	github.com/microsoft/kiota-serialization-text-go v1.1.3 // indirect
+	github.com/microsoftgraph/msgraph-sdk-go v1.97.0 // indirect
 	github.com/microsoftgraph/msgraph-sdk-go-core v1.4.0 // indirect
-	github.com/miekg/dns v1.1.50 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/hashstructure v1.1.0 // indirect
 	github.com/mitchellh/pointerstructure v1.2.1 // indirect
@@ -489,7 +509,7 @@ require (
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/mongodb-forks/digest v1.1.0 // indirect
@@ -498,7 +518,6 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/natefinch/atomic v1.0.1 // indirect
 	github.com/nicolai86/scaleway-sdk v1.10.2-0.20180628010248-798f60e20bb2 // indirect
-	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runc v1.2.8 // indirect
@@ -508,12 +527,12 @@ require (
 	github.com/petermattis/goid v0.0.0-20250721140440-ea1c0173183e // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
@@ -523,15 +542,15 @@ require (
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
-	github.com/snowflakedb/gosnowflake v1.17.0 // indirect
+	github.com/snowflakedb/gosnowflake v1.19.0 // indirect
 	github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
 	github.com/sony/gobreaker v0.5.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
-	github.com/std-uritemplate/std-uritemplate/go/v2 v2.0.3 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.480 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.480 // indirect
 	github.com/tilinna/clock v1.1.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
@@ -552,33 +571,32 @@ require (
 	github.com/zeebo/xxh3 v1.0.2 // indirect
 	go.etcd.io/etcd/api/v3 v3.6.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.37.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.43.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/time v0.13.0
+	go.uber.org/zap v1.27.1 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/time v0.15.0
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/genproto v0.0.0-20251002232023-7c0ddcbb5797 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250922171735-9219d122eba9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect; indirect\
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto v0.0.0-20260406210006-6f92a3bedf2d // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 // indirect; indirect\
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect
-	gopkg.in/resty.v1 v1.12.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.34.1 // indirect
-	k8s.io/client-go v0.34.1 // indirect
+	k8s.io/api v0.35.3 // indirect
+	k8s.io/client-go v0.35.3 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 11755e497d..db90533d50 100644
--- a/go.sum
+++ b/go.sum
@@ -1,633 +1,39 @@
-cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
-cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
+cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
+cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.39.0/go.mod h1:rVLT6fkc8chs9sfPtFc1SBH6em7n+ZoXaG+87tDISts=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
-cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY=
-cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
-cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
-cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
-cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
-cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U=
-cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
-cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
-cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
-cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA=
-cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM=
-cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
-cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
-cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c=
-cloud.google.com/go v0.121.6/go.mod h1:coChdst4Ea5vUpiALcYKXEpR1S9ZgXbhEzzMcMR66vI=
-cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4=
-cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw=
-cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E=
-cloud.google.com/go/accesscontextmanager v1.3.0/go.mod h1:TgCBehyr5gNMz7ZaH9xubp+CE8dkrszb4oK9CWyvD4o=
-cloud.google.com/go/accesscontextmanager v1.4.0/go.mod h1:/Kjh7BBu/Gh83sv+K60vN9QE5NJcd80sU33vIe2IFPE=
-cloud.google.com/go/accesscontextmanager v1.6.0/go.mod h1:8XCvZWfYw3K/ji0iVnp+6pu7huxoQTLmxAbVjbloTtM=
-cloud.google.com/go/accesscontextmanager v1.7.0/go.mod h1:CEGLewx8dwa33aDAZQujl7Dx+uYhS0eay198wB/VumQ=
-cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw=
-cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY=
-cloud.google.com/go/aiplatform v1.27.0/go.mod h1:Bvxqtl40l0WImSb04d0hXFU7gDOiq9jQmorivIiWcKg=
-cloud.google.com/go/aiplatform v1.35.0/go.mod h1:7MFT/vCaOyZT/4IIFfxH4ErVg/4ku6lKv3w0+tFTgXQ=
-cloud.google.com/go/aiplatform v1.36.1/go.mod h1:WTm12vJRPARNvJ+v6P52RDHCNe4AhvjcIZ/9/RRHy/k=
-cloud.google.com/go/aiplatform v1.37.0/go.mod h1:IU2Cv29Lv9oCn/9LkFiiuKfwrRTq+QQMbW+hPCxJGZw=
-cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI=
-cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4=
-cloud.google.com/go/analytics v0.17.0/go.mod h1:WXFa3WSym4IZ+JiKmavYdJwGG/CvpqiqczmL59bTD9M=
-cloud.google.com/go/analytics v0.18.0/go.mod h1:ZkeHGQlcIPkw0R/GW+boWHhCOR43xz9RN/jn7WcqfIE=
-cloud.google.com/go/analytics v0.19.0/go.mod h1:k8liqf5/HCnOUkbawNtrWWc+UAzyDlW89doe8TtoDsE=
-cloud.google.com/go/apigateway v1.3.0/go.mod h1:89Z8Bhpmxu6AmUxuVRg/ECRGReEdiP3vQtk4Z1J9rJk=
-cloud.google.com/go/apigateway v1.4.0/go.mod h1:pHVY9MKGaH9PQ3pJ4YLzoj6U5FUDeDFBllIz7WmzJoc=
-cloud.google.com/go/apigateway v1.5.0/go.mod h1:GpnZR3Q4rR7LVu5951qfXPJCHquZt02jf7xQx7kpqN8=
-cloud.google.com/go/apigeeconnect v1.3.0/go.mod h1:G/AwXFAKo0gIXkPTVfZDd2qA1TxBXJ3MgMRBQkIi9jc=
-cloud.google.com/go/apigeeconnect v1.4.0/go.mod h1:kV4NwOKqjvt2JYR0AoIWo2QGfoRtn/pkS3QlHp0Ni04=
-cloud.google.com/go/apigeeconnect v1.5.0/go.mod h1:KFaCqvBRU6idyhSNyn3vlHXc8VMDJdRmwDF6JyFRqZ8=
-cloud.google.com/go/apigeeregistry v0.4.0/go.mod h1:EUG4PGcsZvxOXAdyEghIdXwAEi/4MEaoqLMLDMIwKXY=
-cloud.google.com/go/apigeeregistry v0.5.0/go.mod h1:YR5+s0BVNZfVOUkMa5pAR2xGd0A473vA5M7j247o1wM=
-cloud.google.com/go/apigeeregistry v0.6.0/go.mod h1:BFNzW7yQVLZ3yj0TKcwzb8n25CFBri51GVGOEUcgQsc=
-cloud.google.com/go/apikeys v0.4.0/go.mod h1:XATS/yqZbaBK0HOssf+ALHp8jAlNHUgyfprvNcBIszU=
-cloud.google.com/go/apikeys v0.5.0/go.mod h1:5aQfwY4D+ewMMWScd3hm2en3hCj+BROlyrt3ytS7KLI=
-cloud.google.com/go/apikeys v0.6.0/go.mod h1:kbpXu5upyiAlGkKrJgQl8A0rKNNJ7dQ377pdroRSSi8=
-cloud.google.com/go/appengine v1.4.0/go.mod h1:CS2NhuBuDXM9f+qscZ6V86m1MIIqPj3WC/UoEuR1Sno=
-cloud.google.com/go/appengine v1.5.0/go.mod h1:TfasSozdkFI0zeoxW3PTBLiNqRmzraodCWatWI9Dmak=
-cloud.google.com/go/appengine v1.6.0/go.mod h1:hg6i0J/BD2cKmDJbaFSYHFyZkgBEfQrDg/X0V5fJn84=
-cloud.google.com/go/appengine v1.7.0/go.mod h1:eZqpbHFCqRGa2aCdope7eC0SWLV1j0neb/QnMJVWx6A=
-cloud.google.com/go/appengine v1.7.1/go.mod h1:IHLToyb/3fKutRysUlFO0BPt5j7RiQ45nrzEJmKTo6E=
-cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4=
-cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0=
-cloud.google.com/go/area120 v0.7.0/go.mod h1:a3+8EUD1SX5RUcCs3MY5YasiO1z6yLiNLRiFrykbynY=
-cloud.google.com/go/area120 v0.7.1/go.mod h1:j84i4E1RboTWjKtZVWXPqvK5VHQFJRF2c1Nm69pWm9k=
-cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ=
-cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk=
-cloud.google.com/go/artifactregistry v1.8.0/go.mod h1:w3GQXkJX8hiKN0v+at4b0qotwijQbYUqF2GWkZzAhC0=
-cloud.google.com/go/artifactregistry v1.9.0/go.mod h1:2K2RqvA2CYvAeARHRkLDhMDJ3OXy26h3XW+3/Jh2uYc=
-cloud.google.com/go/artifactregistry v1.11.1/go.mod h1:lLYghw+Itq9SONbCa1YWBoWs1nOucMH0pwXN1rOBZFI=
-cloud.google.com/go/artifactregistry v1.11.2/go.mod h1:nLZns771ZGAwVLzTX/7Al6R9ehma4WUEhZGWV6CeQNQ=
-cloud.google.com/go/artifactregistry v1.12.0/go.mod h1:o6P3MIvtzTOnmvGagO9v/rOjjA0HmhJ+/6KAXrmYDCI=
-cloud.google.com/go/artifactregistry v1.13.0/go.mod h1:uy/LNfoOIivepGhooAUpL1i30Hgee3Cu0l4VTWHUC08=
-cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o=
-cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s=
-cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0=
-cloud.google.com/go/asset v1.9.0/go.mod h1:83MOE6jEJBMqFKadM9NLRcs80Gdw76qGuHn8m3h8oHQ=
-cloud.google.com/go/asset v1.10.0/go.mod h1:pLz7uokL80qKhzKr4xXGvBQXnzHn5evJAEAtZiIb0wY=
-cloud.google.com/go/asset v1.11.1/go.mod h1:fSwLhbRvC9p9CXQHJ3BgFeQNM4c9x10lqlrdEUYXlJo=
-cloud.google.com/go/asset v1.12.0/go.mod h1:h9/sFOa4eDIyKmH6QMpm4eUK3pDojWnUhTgJlk762Hg=
-cloud.google.com/go/asset v1.13.0/go.mod h1:WQAMyYek/b7NBpYq/K4KJWcRqzoalEsxz/t/dTk4THw=
-cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY=
-cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw=
-cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI=
-cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo=
-cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0=
-cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E=
-cloud.google.com/go/auth v0.16.5 h1:mFWNQ2FEVWAliEQWpAdH80omXFokmrnbDhUS9cBywsI=
-cloud.google.com/go/auth v0.16.5/go.mod h1:utzRfHMP+Vv0mpOkTRQoWD2q3BatTOoWbA7gCc2dUhQ=
+cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
+cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
+cloud.google.com/go/auth v0.20.0 h1:kXTssoVb4azsVDoUiF8KvxAqrsQcQtB53DcSgta74CA=
+cloud.google.com/go/auth v0.20.0/go.mod h1:942/yi/itH1SsmpyrbnTMDgGfdy2BUqIKyd0cyYLc5Q=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
-cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0=
-cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8=
-cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8=
-cloud.google.com/go/automl v1.8.0/go.mod h1:xWx7G/aPEe/NP+qzYXktoBSDfjO+vnKMGgsApGJJquM=
-cloud.google.com/go/automl v1.12.0/go.mod h1:tWDcHDp86aMIuHmyvjuKeeHEGq76lD7ZqfGLN6B0NuU=
-cloud.google.com/go/baremetalsolution v0.3.0/go.mod h1:XOrocE+pvK1xFfleEnShBlNAXf+j5blPPxrhjKgnIFc=
-cloud.google.com/go/baremetalsolution v0.4.0/go.mod h1:BymplhAadOO/eBa7KewQ0Ppg4A4Wplbn+PsFKRLo0uI=
-cloud.google.com/go/baremetalsolution v0.5.0/go.mod h1:dXGxEkmR9BMwxhzBhV0AioD0ULBmuLZI8CdwalUxuss=
-cloud.google.com/go/batch v0.3.0/go.mod h1:TR18ZoAekj1GuirsUsR1ZTKN3FC/4UDnScjT8NXImFE=
-cloud.google.com/go/batch v0.4.0/go.mod h1:WZkHnP43R/QCGQsZ+0JyG4i79ranE2u8xvjq/9+STPE=
-cloud.google.com/go/batch v0.7.0/go.mod h1:vLZN95s6teRUqRQ4s3RLDsH8PvboqBK+rn1oevL159g=
-cloud.google.com/go/beyondcorp v0.2.0/go.mod h1:TB7Bd+EEtcw9PCPQhCJtJGjk/7TC6ckmnSFS+xwTfm4=
-cloud.google.com/go/beyondcorp v0.3.0/go.mod h1:E5U5lcrcXMsCuoDNyGrpyTm/hn7ne941Jz2vmksAxW8=
-cloud.google.com/go/beyondcorp v0.4.0/go.mod h1:3ApA0mbhHx6YImmuubf5pyW8srKnCEPON32/5hj+RmM=
-cloud.google.com/go/beyondcorp v0.5.0/go.mod h1:uFqj9X+dSfrheVp7ssLTaRHd2EHqSL4QZmH4e8WXGGU=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA=
-cloud.google.com/go/bigquery v1.43.0/go.mod h1:ZMQcXHsl+xmU1z36G2jNGZmKp9zNY5BUua5wDgmNCfw=
-cloud.google.com/go/bigquery v1.44.0/go.mod h1:0Y33VqXTEsbamHJvJHdFmtqHvMIY28aK1+dFsvaChGc=
-cloud.google.com/go/bigquery v1.47.0/go.mod h1:sA9XOgy0A8vQK9+MWhEQTY6Tix87M/ZurWFIxmF9I/E=
-cloud.google.com/go/bigquery v1.48.0/go.mod h1:QAwSz+ipNgfL5jxiaK7weyOhzdoAy1zFm0Nf1fysJac=
-cloud.google.com/go/bigquery v1.49.0/go.mod h1:Sv8hMmTFFYBlt/ftw2uN6dFdQPzBlREY9yBh7Oy7/4Q=
-cloud.google.com/go/bigquery v1.50.0/go.mod h1:YrleYEh2pSEbgTBZYMJ5SuSr0ML3ypjRB1zgf7pvQLU=
-cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY=
-cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s=
-cloud.google.com/go/billing v1.6.0/go.mod h1:WoXzguj+BeHXPbKfNWkqVtDdzORazmCjraY+vrxcyvI=
-cloud.google.com/go/billing v1.7.0/go.mod h1:q457N3Hbj9lYwwRbnlD7vUpyjq6u5U1RAOArInEiD5Y=
-cloud.google.com/go/billing v1.12.0/go.mod h1:yKrZio/eu+okO/2McZEbch17O5CB5NpZhhXG6Z766ss=
-cloud.google.com/go/billing v1.13.0/go.mod h1:7kB2W9Xf98hP9Sr12KfECgfGclsH3CQR0R08tnRlRbc=
-cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM=
-cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI=
-cloud.google.com/go/binaryauthorization v1.3.0/go.mod h1:lRZbKgjDIIQvzYQS1p99A7/U1JqvqeZg0wiI5tp6tg0=
-cloud.google.com/go/binaryauthorization v1.4.0/go.mod h1:tsSPQrBd77VLplV70GUhBf/Zm3FsKmgSqgm4UmiDItk=
-cloud.google.com/go/binaryauthorization v1.5.0/go.mod h1:OSe4OU1nN/VswXKRBmciKpo9LulY41gch5c68htf3/Q=
-cloud.google.com/go/certificatemanager v1.3.0/go.mod h1:n6twGDvcUBFu9uBgt4eYvvf3sQ6My8jADcOVwHmzadg=
-cloud.google.com/go/certificatemanager v1.4.0/go.mod h1:vowpercVFyqs8ABSmrdV+GiFf2H/ch3KyudYQEMM590=
-cloud.google.com/go/certificatemanager v1.6.0/go.mod h1:3Hh64rCKjRAX8dXgRAyOcY5vQ/fE1sh8o+Mdd6KPgY8=
-cloud.google.com/go/channel v1.8.0/go.mod h1:W5SwCXDJsq/rg3tn3oG0LOxpAo6IMxNa09ngphpSlnk=
-cloud.google.com/go/channel v1.9.0/go.mod h1:jcu05W0my9Vx4mt3/rEHpfxc9eKi9XwsdDL8yBMbKUk=
-cloud.google.com/go/channel v1.11.0/go.mod h1:IdtI0uWGqhEeatSB62VOoJ8FSUhJ9/+iGkJVqp74CGE=
-cloud.google.com/go/channel v1.12.0/go.mod h1:VkxCGKASi4Cq7TbXxlaBezonAYpp1GCnKMY6tnMQnLU=
-cloud.google.com/go/cloudbuild v1.3.0/go.mod h1:WequR4ULxlqvMsjDEEEFnOG5ZSRSgWOywXYDb1vPE6U=
-cloud.google.com/go/cloudbuild v1.4.0/go.mod h1:5Qwa40LHiOXmz3386FrjrYM93rM/hdRr7b53sySrTqA=
-cloud.google.com/go/cloudbuild v1.6.0/go.mod h1:UIbc/w9QCbH12xX+ezUsgblrWv+Cv4Tw83GiSMHOn9M=
-cloud.google.com/go/cloudbuild v1.7.0/go.mod h1:zb5tWh2XI6lR9zQmsm1VRA+7OCuve5d8S+zJUul8KTg=
-cloud.google.com/go/cloudbuild v1.9.0/go.mod h1:qK1d7s4QlO0VwfYn5YuClDGg2hfmLZEb4wQGAbIgL1s=
-cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM=
-cloud.google.com/go/clouddms v1.4.0/go.mod h1:Eh7sUGCC+aKry14O1NRljhjyrr0NFC0G2cjwX0cByRk=
-cloud.google.com/go/clouddms v1.5.0/go.mod h1:QSxQnhikCLUw13iAbffF2CZxAER3xDGNHjsTAkQJcQA=
-cloud.google.com/go/cloudsqlconn v1.4.3 h1:/WYFbB1NtMtoMxCbqpzzTFPDkxxlLTPme390KEGaEPc=
-cloud.google.com/go/cloudsqlconn v1.4.3/go.mod h1:QL3tuStVOO70txb3rs4G8j5uMfo5ztZii8K3oGD3VYA=
-cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY=
-cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI=
-cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4=
-cloud.google.com/go/cloudtasks v1.8.0/go.mod h1:gQXUIwCSOI4yPVK7DgTVFiiP0ZW/eQkydWzwVMdHxrI=
-cloud.google.com/go/cloudtasks v1.9.0/go.mod h1:w+EyLsVkLWHcOaqNEyvcKAsWp9p29dL6uL9Nst1cI7Y=
-cloud.google.com/go/cloudtasks v1.10.0/go.mod h1:NDSoTLkZ3+vExFEWu2UJV1arUyzVDAiZtdWcsUyNwBs=
-cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
-cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
-cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
-cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
-cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
-cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
-cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
-cloud.google.com/go/compute v1.12.0/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
-cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
-cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE=
-cloud.google.com/go/compute v1.14.0/go.mod h1:YfLtxrj9sU4Yxv+sXzZkyPjEyPBZfXHUvjxega5vAdo=
-cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA=
-cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs=
-cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU=
-cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE=
-cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU=
-cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/cloudsqlconn v1.21.0 h1:tXXKrKLsUwG+cTxpO2kehC6l8l8urHoNtDXtCv3iOpY=
+cloud.google.com/go/cloudsqlconn v1.21.0/go.mod h1:p4ts4hqj4CtBCwETUSzq05HV4XTRPzTsi+Cd1RQ5WWg=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
-cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY=
-cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck=
-cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w=
-cloud.google.com/go/container v1.6.0/go.mod h1:Xazp7GjJSeUYo688S+6J5V+n/t+G5sKBTFkKNudGRxg=
-cloud.google.com/go/container v1.7.0/go.mod h1:Dp5AHtmothHGX3DwwIHPgq45Y8KmNsgN3amoYfxVkLo=
-cloud.google.com/go/container v1.13.1/go.mod h1:6wgbMPeQRw9rSnKBCAJXnds3Pzj03C4JHamr8asWKy4=
-cloud.google.com/go/container v1.14.0/go.mod h1:3AoJMPhHfLDxLvrlVWaK57IXzaPnLaZq63WX59aQBfM=
-cloud.google.com/go/container v1.15.0/go.mod h1:ft+9S0WGjAyjDggg5S06DXj+fHJICWg8L7isCQe9pQA=
-cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
-cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4=
-cloud.google.com/go/containeranalysis v0.7.0/go.mod h1:9aUL+/vZ55P2CXfuZjS4UjQ9AgXoSw8Ts6lemfmxBxI=
-cloud.google.com/go/containeranalysis v0.9.0/go.mod h1:orbOANbwk5Ejoom+s+DUCTTJ7IBdBQJDcSylAx/on9s=
-cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0=
-cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs=
-cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc=
-cloud.google.com/go/datacatalog v1.7.0/go.mod h1:9mEl4AuDYWw81UGc41HonIHH7/sn52H0/tc8f8ZbZIE=
-cloud.google.com/go/datacatalog v1.8.0/go.mod h1:KYuoVOv9BM8EYz/4eMFxrr4DUKhGIOXxZoKYF5wdISM=
-cloud.google.com/go/datacatalog v1.8.1/go.mod h1:RJ58z4rMp3gvETA465Vg+ag8BGgBdnRPEMMSTr5Uv+M=
-cloud.google.com/go/datacatalog v1.12.0/go.mod h1:CWae8rFkfp6LzLumKOnmVh4+Zle4A3NXLzVJ1d1mRm0=
-cloud.google.com/go/datacatalog v1.13.0/go.mod h1:E4Rj9a5ZtAxcQJlEBTLgMTphfP11/lNaAshpoBgemX8=
-cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM=
-cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ=
-cloud.google.com/go/dataflow v0.8.0/go.mod h1:Rcf5YgTKPtQyYz8bLYhFoIV/vP39eL7fWNcSOyFfLJE=
-cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo=
-cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE=
-cloud.google.com/go/dataform v0.5.0/go.mod h1:GFUYRe8IBa2hcomWplodVmUx/iTL0FrsauObOM3Ipr0=
-cloud.google.com/go/dataform v0.6.0/go.mod h1:QPflImQy33e29VuapFdf19oPbE4aYTJxr31OAPV+ulA=
-cloud.google.com/go/dataform v0.7.0/go.mod h1:7NulqnVozfHvWUBpMDfKMUESr+85aJsC/2O0o3jWPDE=
-cloud.google.com/go/datafusion v1.4.0/go.mod h1:1Zb6VN+W6ALo85cXnM1IKiPw+yQMKMhB9TsTSRDo/38=
-cloud.google.com/go/datafusion v1.5.0/go.mod h1:Kz+l1FGHB0J+4XF2fud96WMmRiq/wj8N9u007vyXZ2w=
-cloud.google.com/go/datafusion v1.6.0/go.mod h1:WBsMF8F1RhSXvVM8rCV3AeyWVxcC2xY6vith3iw3S+8=
-cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I=
-cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ=
-cloud.google.com/go/datalabeling v0.7.0/go.mod h1:WPQb1y08RJbmpM3ww0CSUAGweL0SxByuW2E+FU+wXcM=
-cloud.google.com/go/dataplex v1.3.0/go.mod h1:hQuRtDg+fCiFgC8j0zV222HvzFQdRd+SVX8gdmFcZzA=
-cloud.google.com/go/dataplex v1.4.0/go.mod h1:X51GfLXEMVJ6UN47ESVqvlsRplbLhcsAt0kZCCKsU0A=
-cloud.google.com/go/dataplex v1.5.2/go.mod h1:cVMgQHsmfRoI5KFYq4JtIBEUbYwc3c7tXmIDhRmNNVQ=
-cloud.google.com/go/dataplex v1.6.0/go.mod h1:bMsomC/aEJOSpHXdFKFGQ1b0TDPIeL28nJObeO1ppRs=
-cloud.google.com/go/dataproc v1.7.0/go.mod h1:CKAlMjII9H90RXaMpSxQ8EU6dQx6iAYNPcYPOkSbi8s=
-cloud.google.com/go/dataproc v1.8.0/go.mod h1:5OW+zNAH0pMpw14JVrPONsxMQYMBqJuzORhIBfBn9uI=
-cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4=
-cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo=
-cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA=
-cloud.google.com/go/dataqna v0.7.0/go.mod h1:Lx9OcIIeqCrw1a6KdO3/5KMP1wAmTc0slZWwP12Qq3c=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/datastore v1.10.0/go.mod h1:PC5UzAmDEkAmkfaknstTYbNpgE49HAgW2J1gcgUfmdM=
-cloud.google.com/go/datastore v1.11.0/go.mod h1:TvGxBIHCS50u8jzG+AW/ppf87v1of8nwzFNgEZU1D3c=
-cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo=
-cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ=
-cloud.google.com/go/datastream v1.4.0/go.mod h1:h9dpzScPhDTs5noEMQVWP8Wx8AFBRyS0s8KWPx/9r0g=
-cloud.google.com/go/datastream v1.5.0/go.mod h1:6TZMMNPwjUqZHBKPQ1wwXpb0d5VDVPl2/XoS5yi88q4=
-cloud.google.com/go/datastream v1.6.0/go.mod h1:6LQSuswqLa7S4rPAOZFVjHIG3wJIjZcZrw8JDEDJuIs=
-cloud.google.com/go/datastream v1.7.0/go.mod h1:uxVRMm2elUSPuh65IbZpzJNMbuzkcvu5CjMqVIUHrww=
-cloud.google.com/go/deploy v1.4.0/go.mod h1:5Xghikd4VrmMLNaF6FiRFDlHb59VM59YoDQnOUdsH/c=
-cloud.google.com/go/deploy v1.5.0/go.mod h1:ffgdD0B89tToyW/U/D2eL0jN2+IEV/3EMuXHA0l4r+s=
-cloud.google.com/go/deploy v1.6.0/go.mod h1:f9PTHehG/DjCom3QH0cntOVRm93uGBDt2vKzAPwpXQI=
-cloud.google.com/go/deploy v1.8.0/go.mod h1:z3myEJnA/2wnB4sgjqdMfgxCA0EqC3RBTNcVPs93mtQ=
-cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4=
-cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0=
-cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8=
-cloud.google.com/go/dialogflow v1.18.0/go.mod h1:trO7Zu5YdyEuR+BhSNOqJezyFQ3aUzz0njv7sMx/iek=
-cloud.google.com/go/dialogflow v1.19.0/go.mod h1:JVmlG1TwykZDtxtTXujec4tQ+D8SBFMoosgy+6Gn0s0=
-cloud.google.com/go/dialogflow v1.29.0/go.mod h1:b+2bzMe+k1s9V+F2jbJwpHPzrnIyHihAdRFMtn2WXuM=
-cloud.google.com/go/dialogflow v1.31.0/go.mod h1:cuoUccuL1Z+HADhyIA7dci3N5zUssgpBJmCzI6fNRB4=
-cloud.google.com/go/dialogflow v1.32.0/go.mod h1:jG9TRJl8CKrDhMEcvfcfFkkpp8ZhgPz3sBGmAUYJ2qE=
-cloud.google.com/go/dlp v1.6.0/go.mod h1:9eyB2xIhpU0sVwUixfBubDoRwP+GjeUoxxeueZmqvmM=
-cloud.google.com/go/dlp v1.7.0/go.mod h1:68ak9vCiMBjbasxeVD17hVPxDEck+ExiHavX8kiHG+Q=
-cloud.google.com/go/dlp v1.9.0/go.mod h1:qdgmqgTyReTz5/YNSSuueR8pl7hO0o9bQ39ZhtgkWp4=
-cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU=
-cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU=
-cloud.google.com/go/documentai v1.9.0/go.mod h1:FS5485S8R00U10GhgBC0aNGrJxBP8ZVpEeJ7PQDZd6k=
-cloud.google.com/go/documentai v1.10.0/go.mod h1:vod47hKQIPeCfN2QS/jULIvQTugbmdc0ZvxxfQY1bg4=
-cloud.google.com/go/documentai v1.16.0/go.mod h1:o0o0DLTEZ+YnJZ+J4wNfTxmDVyrkzFvttBXXtYRMHkM=
-cloud.google.com/go/documentai v1.18.0/go.mod h1:F6CK6iUH8J81FehpskRmhLq/3VlwQvb7TvwOceQ2tbs=
-cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y=
-cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg=
-cloud.google.com/go/domains v0.8.0/go.mod h1:M9i3MMDzGFXsydri9/vW+EWz9sWb4I6WyHqdlAk0idE=
-cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk=
-cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w=
-cloud.google.com/go/edgecontainer v0.3.0/go.mod h1:FLDpP4nykgwwIfcLt6zInhprzw0lEi2P1fjO6Ie0qbc=
-cloud.google.com/go/edgecontainer v1.0.0/go.mod h1:cttArqZpBB2q58W/upSG++ooo6EsblxDIolxa3jSjbY=
-cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU=
-cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFqbQan7HV75p8sA+mdGI=
-cloud.google.com/go/essentialcontacts v1.4.0/go.mod h1:8tRldvHYsmnBCHdFpvU+GL75oWiBKl80BiqlFh9tp+8=
-cloud.google.com/go/essentialcontacts v1.5.0/go.mod h1:ay29Z4zODTuwliK7SnX8E86aUF2CTzdNtvv42niCX0M=
-cloud.google.com/go/eventarc v1.7.0/go.mod h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc=
-cloud.google.com/go/eventarc v1.8.0/go.mod h1:imbzxkyAU4ubfsaKYdQg04WS1NvncblHEup4kvF+4gw=
-cloud.google.com/go/eventarc v1.10.0/go.mod h1:u3R35tmZ9HvswGRBnF48IlYgYeBcPUCjkr4BTdem2Kw=
-cloud.google.com/go/eventarc v1.11.0/go.mod h1:PyUjsUKPWoRBCHeOxZd/lbOOjahV41icXyUY5kSTvVY=
-cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w=
-cloud.google.com/go/filestore v1.4.0/go.mod h1:PaG5oDfo9r224f8OYXURtAsY+Fbyq/bLYoINEK8XQAI=
-cloud.google.com/go/filestore v1.5.0/go.mod h1:FqBXDWBp4YLHqRnVGveOkHDf8svj9r5+mUDLupOWEDs=
-cloud.google.com/go/filestore v1.6.0/go.mod h1:di5unNuss/qfZTw2U9nhFqo8/ZDSc466dre85Kydllg=
-cloud.google.com/go/firestore v1.9.0/go.mod h1:HMkjKHNTtRyZNiMzu7YAsLr9K3X2udY2AMwDaMEQiiE=
-cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk=
-cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg=
-cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY=
-cloud.google.com/go/functions v1.9.0/go.mod h1:Y+Dz8yGguzO3PpIjhLTbnqV1CWmgQ5UwtlpzoyquQ08=
-cloud.google.com/go/functions v1.10.0/go.mod h1:0D3hEOe3DbEvCXtYOZHQZmD+SzYsi1YbI7dGvHfldXw=
-cloud.google.com/go/functions v1.12.0/go.mod h1:AXWGrF3e2C/5ehvwYo/GH6O5s09tOPksiKhz+hH8WkA=
-cloud.google.com/go/functions v1.13.0/go.mod h1:EU4O007sQm6Ef/PwRsI8N2umygGqPBS/IZQKBQBcJ3c=
-cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM=
-cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA=
-cloud.google.com/go/gaming v1.7.0/go.mod h1:LrB8U7MHdGgFG851iHAfqUdLcKBdQ55hzXy9xBJz0+w=
-cloud.google.com/go/gaming v1.8.0/go.mod h1:xAqjS8b7jAVW0KFYeRUxngo9My3f33kFmua++Pi+ggM=
-cloud.google.com/go/gaming v1.9.0/go.mod h1:Fc7kEmCObylSWLO334NcO+O9QMDyz+TKC4v1D7X+Bc0=
-cloud.google.com/go/gkebackup v0.2.0/go.mod h1:XKvv/4LfG829/B8B7xRkk8zRrOEbKtEam6yNfuQNH60=
-cloud.google.com/go/gkebackup v0.3.0/go.mod h1:n/E671i1aOQvUxT541aTkCwExO/bTer2HDlj4TsBRAo=
-cloud.google.com/go/gkebackup v0.4.0/go.mod h1:byAyBGUwYGEEww7xsbnUTBHIYcOPy/PgUWUtOeRm9Vg=
-cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o=
-cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A=
-cloud.google.com/go/gkeconnect v0.7.0/go.mod h1:SNfmVqPkaEi3bF/B3CNZOAYPYdg7sU+obZ+QTky2Myw=
-cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0=
-cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0=
-cloud.google.com/go/gkehub v0.11.0/go.mod h1:JOWHlmN+GHyIbuWQPl47/C2RFhnFKH38jH9Ascu3n0E=
-cloud.google.com/go/gkehub v0.12.0/go.mod h1:djiIwwzTTBrF5NaXCGv3mf7klpEMcST17VBTVVDcuaw=
-cloud.google.com/go/gkemulticloud v0.3.0/go.mod h1:7orzy7O0S+5kq95e4Hpn7RysVA7dPs8W/GgfUtsPbrA=
-cloud.google.com/go/gkemulticloud v0.4.0/go.mod h1:E9gxVBnseLWCk24ch+P9+B2CoDFJZTyIgLKSalC7tuI=
-cloud.google.com/go/gkemulticloud v0.5.0/go.mod h1:W0JDkiyi3Tqh0TJr//y19wyb1yf8llHVto2Htf2Ja3Y=
-cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
-cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2rg9bN8SXOa0bgM=
-cloud.google.com/go/gsuiteaddons v1.4.0/go.mod h1:rZK5I8hht7u7HxFQcFei0+AtfS9uSushomRlg+3ua1o=
-cloud.google.com/go/gsuiteaddons v1.5.0/go.mod h1:TFCClYLd64Eaa12sFVmUyG62tk4mdIsI7pAnSXRkcFo=
-cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c=
-cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
-cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc=
-cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc=
-cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg=
-cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE=
-cloud.google.com/go/iam v0.11.0/go.mod h1:9PiLDanza5D+oWFZiH1uG+RnRCfEGKoyl6yo4cgWZGY=
-cloud.google.com/go/iam v0.12.0/go.mod h1:knyHGviacl11zrtZUoDuYpDgLjvr28sLQaG0YB2GYAY=
-cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
-cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
-cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
-cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc=
-cloud.google.com/go/iap v1.5.0/go.mod h1:UH/CGgKd4KyohZL5Pt0jSKE4m3FR51qg6FKQ/z/Ix9A=
-cloud.google.com/go/iap v1.6.0/go.mod h1:NSuvI9C/j7UdjGjIde7t7HBz+QTwBcapPE07+sSRcLk=
-cloud.google.com/go/iap v1.7.0/go.mod h1:beqQx56T9O1G1yNPph+spKpNibDlYIiIixiqsQXxLIo=
-cloud.google.com/go/iap v1.7.1/go.mod h1:WapEwPc7ZxGt2jFGB/C/bm+hP0Y6NXzOYGjpPnmMS74=
-cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM=
-cloud.google.com/go/ids v1.2.0/go.mod h1:5WXvp4n25S0rA/mQWAg1YEEBBq6/s+7ml1RDCW1IrcY=
-cloud.google.com/go/ids v1.3.0/go.mod h1:JBdTYwANikFKaDP6LtW5JAi4gubs57SVNQjemdt6xV4=
-cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs=
-cloud.google.com/go/iot v1.4.0/go.mod h1:dIDxPOn0UvNDUMD8Ger7FIaTuvMkj+aGk94RPP0iV+g=
-cloud.google.com/go/iot v1.5.0/go.mod h1:mpz5259PDl3XJthEmh9+ap0affn/MqNSP4My77Qql9o=
-cloud.google.com/go/iot v1.6.0/go.mod h1:IqdAsmE2cTYYNO1Fvjfzo9po179rAtJeVGUvkLN3rLE=
-cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA=
-cloud.google.com/go/kms v1.5.0/go.mod h1:QJS2YY0eJGBg3mnDfuaCyLauWwBJiHRboYxJ++1xJNg=
-cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0=
-cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4jMAg=
-cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w=
-cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24=
-cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI=
-cloud.google.com/go/kms v1.23.0 h1:WaqAZsUptyHwOo9II8rFC1Kd2I+yvNsNP2IJ14H2sUw=
-cloud.google.com/go/kms v1.23.0/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g=
-cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
-cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
-cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE=
-cloud.google.com/go/language v1.8.0/go.mod h1:qYPVHf7SPoNNiCL2Dr0FfEFNil1qi3pQEyygwpgVKB8=
-cloud.google.com/go/language v1.9.0/go.mod h1:Ns15WooPM5Ad/5no/0n81yUetis74g3zrbeJBE+ptUY=
-cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8=
-cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08=
-cloud.google.com/go/lifesciences v0.8.0/go.mod h1:lFxiEOMqII6XggGbOnKiyZ7IBwoIqA84ClvoezaA/bo=
-cloud.google.com/go/logging v1.6.1/go.mod h1:5ZO0mHHbvm8gEmeEUHrmDlTDSu5imF6MUP9OfilNXBw=
-cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
-cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc=
-cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA=
-cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE=
-cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc=
-cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo=
-cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE=
-cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY=
-cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE=
-cloud.google.com/go/managedidentities v1.4.0/go.mod h1:NWSBYbEMgqmbZsLIyKvxrYbtqOsxY1ZrGM+9RgDqInM=
-cloud.google.com/go/managedidentities v1.5.0/go.mod h1:+dWcZ0JlUmpuxpIDfyP5pP5y0bLdRwOS4Lp7gMni/LA=
-cloud.google.com/go/maps v0.1.0/go.mod h1:BQM97WGyfw9FWEmQMpZ5T6cpovXXSd1cGmFma94eubI=
-cloud.google.com/go/maps v0.6.0/go.mod h1:o6DAMMfb+aINHz/p/jbcY+mYeXBoZoxTfdSQ8VAJaCw=
-cloud.google.com/go/maps v0.7.0/go.mod h1:3GnvVl3cqeSvgMcpRlQidXsPYuDGQ8naBis7MVzpXsY=
-cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4=
-cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w=
-cloud.google.com/go/mediatranslation v0.7.0/go.mod h1:LCnB/gZr90ONOIQLgSXagp8XUW1ODs2UmUMvcgMfI2I=
-cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE=
-cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM=
-cloud.google.com/go/memcache v1.6.0/go.mod h1:XS5xB0eQZdHtTuTF9Hf8eJkKtR3pVRCcvJwtm68T3rA=
-cloud.google.com/go/memcache v1.7.0/go.mod h1:ywMKfjWhNtkQTxrWxCkCFkoPjLHPW6A7WOTVI8xy3LY=
-cloud.google.com/go/memcache v1.9.0/go.mod h1:8oEyzXCu+zo9RzlEaEjHl4KkgjlNDaXbCQeQWlzNFJM=
-cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY=
-cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s=
-cloud.google.com/go/metastore v1.7.0/go.mod h1:s45D0B4IlsINu87/AsWiEVYbLaIMeUSoxlKKDqBGFS8=
-cloud.google.com/go/metastore v1.8.0/go.mod h1:zHiMc4ZUpBiM7twCIFQmJ9JMEkDSyZS9U12uf7wHqSI=
-cloud.google.com/go/metastore v1.10.0/go.mod h1:fPEnH3g4JJAk+gMRnrAnoqyv2lpUCqJPWOodSaf45Eo=
-cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhIsnmlA53dvEk=
-cloud.google.com/go/monitoring v1.8.0/go.mod h1:E7PtoMJ1kQXWxPjB6mv2fhC5/15jInuulFdYYtlcvT4=
-cloud.google.com/go/monitoring v1.12.0/go.mod h1:yx8Jj2fZNEkL/GYZyTLS4ZtZEZN8WtDEiEqG4kLK50w=
-cloud.google.com/go/monitoring v1.13.0/go.mod h1:k2yMBAB1H9JT/QETjNkgdCGD9bPF712XiLTVr+cBrpw=
-cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM=
-cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U=
-cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA=
-cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o=
-cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM=
-cloud.google.com/go/networkconnectivity v1.7.0/go.mod h1:RMuSbkdbPwNMQjB5HBWD5MpTBnNm39iAVpC3TmsExt8=
-cloud.google.com/go/networkconnectivity v1.10.0/go.mod h1:UP4O4sWXJG13AqrTdQCD9TnLGEbtNRqjuaaA7bNjF5E=
-cloud.google.com/go/networkconnectivity v1.11.0/go.mod h1:iWmDD4QF16VCDLXUqvyspJjIEtBR/4zq5hwnY2X3scM=
-cloud.google.com/go/networkmanagement v1.4.0/go.mod h1:Q9mdLLRn60AsOrPc8rs8iNV6OHXaGcDdsIQe1ohekq8=
-cloud.google.com/go/networkmanagement v1.5.0/go.mod h1:ZnOeZ/evzUdUsnvRt792H0uYEnHQEMaz+REhhzJRcf4=
-cloud.google.com/go/networkmanagement v1.6.0/go.mod h1:5pKPqyXjB/sgtvB5xqOemumoQNB7y95Q7S+4rjSOPYY=
-cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ=
-cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU=
-cloud.google.com/go/networksecurity v0.7.0/go.mod h1:mAnzoxx/8TBSyXEeESMy9OOYwo1v+gZ5eMRnsT5bC8k=
-cloud.google.com/go/networksecurity v0.8.0/go.mod h1:B78DkqsxFG5zRSVuwYFRZ9Xz8IcQ5iECsNrPn74hKHU=
-cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY=
-cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34=
-cloud.google.com/go/notebooks v1.4.0/go.mod h1:4QPMngcwmgb6uw7Po99B2xv5ufVoIQ7nOGDyL4P8AgA=
-cloud.google.com/go/notebooks v1.5.0/go.mod h1:q8mwhnP9aR8Hpfnrc5iN5IBhrXUy8S2vuYs+kBJ/gu0=
-cloud.google.com/go/notebooks v1.7.0/go.mod h1:PVlaDGfJgj1fl1S3dUwhFMXFgfYGhYQt2164xOMONmE=
-cloud.google.com/go/notebooks v1.8.0/go.mod h1:Lq6dYKOYOWUCTvw5t2q1gp1lAp0zxAxRycayS0iJcqQ=
-cloud.google.com/go/optimization v1.1.0/go.mod h1:5po+wfvX5AQlPznyVEZjGJTMr4+CAkJf2XSTQOOl9l4=
-cloud.google.com/go/optimization v1.2.0/go.mod h1:Lr7SOHdRDENsh+WXVmQhQTrzdu9ybg0NecjHidBq6xs=
-cloud.google.com/go/optimization v1.3.1/go.mod h1:IvUSefKiwd1a5p0RgHDbWCIbDFgKuEdB+fPPuP0IDLI=
-cloud.google.com/go/orchestration v1.3.0/go.mod h1:Sj5tq/JpWiB//X/q3Ngwdl5K7B7Y0KZ7bfv0wL6fqVA=
-cloud.google.com/go/orchestration v1.4.0/go.mod h1:6W5NLFWs2TlniBphAViZEVhrXRSMgUGDfW7vrWKvsBk=
-cloud.google.com/go/orchestration v1.6.0/go.mod h1:M62Bevp7pkxStDfFfTuCOaXgaaqRAga1yKyoMtEoWPQ=
-cloud.google.com/go/orgpolicy v1.4.0/go.mod h1:xrSLIV4RePWmP9P3tBl8S93lTmlAxjm06NSm2UTmKvE=
-cloud.google.com/go/orgpolicy v1.5.0/go.mod h1:hZEc5q3wzwXJaKrsx5+Ewg0u1LxJ51nNFlext7Tanwc=
-cloud.google.com/go/orgpolicy v1.10.0/go.mod h1:w1fo8b7rRqlXlIJbVhOMPrwVljyuW5mqssvBtU18ONc=
-cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs=
-cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg=
-cloud.google.com/go/osconfig v1.9.0/go.mod h1:Yx+IeIZJ3bdWmzbQU4fxNl8xsZ4amB+dygAwFPlvnNo=
-cloud.google.com/go/osconfig v1.10.0/go.mod h1:uMhCzqC5I8zfD9zDEAfvgVhDS8oIjySWh+l4WK6GnWw=
-cloud.google.com/go/osconfig v1.11.0/go.mod h1:aDICxrur2ogRd9zY5ytBLV89KEgT2MKB2L/n6x1ooPw=
-cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E=
-cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU=
-cloud.google.com/go/oslogin v1.6.0/go.mod h1:zOJ1O3+dTU8WPlGEkFSh7qeHPPSoxrcMbbK1Nm2iX70=
-cloud.google.com/go/oslogin v1.7.0/go.mod h1:e04SN0xO1UNJ1M5GP0vzVBFicIe4O53FOfcixIqTyXo=
-cloud.google.com/go/oslogin v1.9.0/go.mod h1:HNavntnH8nzrn8JCTT5fj18FuJLFJc4NaZJtBnQtKFs=
-cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0=
-cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA=
-cloud.google.com/go/phishingprotection v0.7.0/go.mod h1:8qJI4QKHoda/sb/7/YmMQ2omRLSLYSu9bU0EKCNI+Lk=
-cloud.google.com/go/policytroubleshooter v1.3.0/go.mod h1:qy0+VwANja+kKrjlQuOzmlvscn4RNsAc0e15GGqfMxg=
-cloud.google.com/go/policytroubleshooter v1.4.0/go.mod h1:DZT4BcRw3QoO8ota9xw/LKtPa8lKeCByYeKTIf/vxdE=
-cloud.google.com/go/policytroubleshooter v1.5.0/go.mod h1:Rz1WfV+1oIpPdN2VvvuboLVRsB1Hclg3CKQ53j9l8vw=
-cloud.google.com/go/policytroubleshooter v1.6.0/go.mod h1:zYqaPTsmfvpjm5ULxAyD/lINQxJ0DDsnWOP/GZ7xzBc=
-cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0=
-cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI=
-cloud.google.com/go/privatecatalog v0.7.0/go.mod h1:2s5ssIFO69F5csTXcwBP7NPFTZvps26xGzvQ2PQaBYg=
-cloud.google.com/go/privatecatalog v0.8.0/go.mod h1:nQ6pfaegeDAq/Q5lrfCQzQLhubPiZhSaNhIgfJlnIXs=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/pubsub v1.26.0/go.mod h1:QgBH3U/jdJy/ftjPhTkyXNj543Tin1pRYcdcPRnFIRI=
-cloud.google.com/go/pubsub v1.27.1/go.mod h1:hQN39ymbV9geqBnfQq6Xf63yNhUAhv9CZhzp5O6qsW0=
-cloud.google.com/go/pubsub v1.28.0/go.mod h1:vuXFpwaVoIPQMGXqRyUQigu/AX1S3IWugR9xznmcXX8=
-cloud.google.com/go/pubsub v1.30.0/go.mod h1:qWi1OPS0B+b5L+Sg6Gmc9zD1Y+HaM0MdUr7LsupY1P4=
-cloud.google.com/go/pubsublite v1.5.0/go.mod h1:xapqNQ1CuLfGi23Yda/9l4bBCKz/wC3KIJ5gKcxveZg=
-cloud.google.com/go/pubsublite v1.6.0/go.mod h1:1eFCS0U11xlOuMFV/0iBqw3zP12kddMeCbj/F3FSj9k=
-cloud.google.com/go/pubsublite v1.7.0/go.mod h1:8hVMwRXfDfvGm3fahVbtDbiLePT3gpoiJYJY+vxWxVM=
-cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4=
-cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o=
-cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk=
-cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo=
-cloud.google.com/go/recaptchaenterprise/v2 v2.4.0/go.mod h1:Am3LHfOuBstrLrNCBrlI5sbwx9LBg3te2N6hGvHn2mE=
-cloud.google.com/go/recaptchaenterprise/v2 v2.5.0/go.mod h1:O8LzcHXN3rz0j+LBC91jrwI3R+1ZSZEWrfL7XHgNo9U=
-cloud.google.com/go/recaptchaenterprise/v2 v2.6.0/go.mod h1:RPauz9jeLtB3JVzg6nCbe12qNoaa8pXc4d/YukAmcnA=
-cloud.google.com/go/recaptchaenterprise/v2 v2.7.0/go.mod h1:19wVj/fs5RtYtynAPJdDTb69oW0vNHYDBTbB4NvMD9c=
-cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg=
-cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4=
-cloud.google.com/go/recommendationengine v0.7.0/go.mod h1:1reUcE3GIu6MeBz/h5xZJqNLuuVjNg1lmWMPyjatzac=
-cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg=
-cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c=
-cloud.google.com/go/recommender v1.7.0/go.mod h1:XLHs/W+T8olwlGOgfQenXBTbIseGclClff6lhFVe9Bs=
-cloud.google.com/go/recommender v1.8.0/go.mod h1:PkjXrTT05BFKwxaUxQmtIlrtj0kph108r02ZZQ5FE70=
-cloud.google.com/go/recommender v1.9.0/go.mod h1:PnSsnZY7q+VL1uax2JWkt/UegHssxjUVVCrX52CuEmQ=
-cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y=
-cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A=
-cloud.google.com/go/redis v1.9.0/go.mod h1:HMYQuajvb2D0LvMgZmLDZW8V5aOC/WxstZHiy4g8OiA=
-cloud.google.com/go/redis v1.10.0/go.mod h1:ThJf3mMBQtW18JzGgh41/Wld6vnDDc/F/F35UolRZPM=
-cloud.google.com/go/redis v1.11.0/go.mod h1:/X6eicana+BWcUda5PpwZC48o37SiFVTFSs0fWAJ7uQ=
-cloud.google.com/go/resourcemanager v1.3.0/go.mod h1:bAtrTjZQFJkiWTPDb1WBjzvc6/kifjj4QBYuKCCoqKA=
-cloud.google.com/go/resourcemanager v1.4.0/go.mod h1:MwxuzkumyTX7/a3n37gmsT3py7LIXwrShilPh3P1tR0=
-cloud.google.com/go/resourcemanager v1.5.0/go.mod h1:eQoXNAiAvCf5PXxWxXjhKQoTMaUSNrEfg+6qdf/wots=
-cloud.google.com/go/resourcemanager v1.6.0/go.mod h1:YcpXGRs8fDzcUl1Xw8uOVmI8JEadvhRIkoXXUNVYcVo=
-cloud.google.com/go/resourcemanager v1.7.0/go.mod h1:HlD3m6+bwhzj9XCouqmeiGuni95NTrExfhoSrkC/3EI=
-cloud.google.com/go/resourcesettings v1.3.0/go.mod h1:lzew8VfESA5DQ8gdlHwMrqZs1S9V87v3oCnKCWoOuQU=
-cloud.google.com/go/resourcesettings v1.4.0/go.mod h1:ldiH9IJpcrlC3VSuCGvjR5of/ezRrOxFtpJoJo5SmXg=
-cloud.google.com/go/resourcesettings v1.5.0/go.mod h1:+xJF7QSG6undsQDfsCJyqWXyBwUoJLhetkRMDRnIoXA=
-cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4=
-cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY=
-cloud.google.com/go/retail v1.10.0/go.mod h1:2gDk9HsL4HMS4oZwz6daui2/jmKvqShXKQuB2RZ+cCc=
-cloud.google.com/go/retail v1.11.0/go.mod h1:MBLk1NaWPmh6iVFSz9MeKG/Psyd7TAgm6y/9L2B4x9Y=
-cloud.google.com/go/retail v1.12.0/go.mod h1:UMkelN/0Z8XvKymXFbD4EhFJlYKRx1FGhQkVPU5kF14=
-cloud.google.com/go/run v0.2.0/go.mod h1:CNtKsTA1sDcnqqIFR3Pb5Tq0usWxJJvsWOCPldRU3Do=
-cloud.google.com/go/run v0.3.0/go.mod h1:TuyY1+taHxTjrD0ZFk2iAR+xyOXEA0ztb7U3UNA0zBo=
-cloud.google.com/go/run v0.8.0/go.mod h1:VniEnuBwqjigv0A7ONfQUaEItaiCRVujlMqerPPiktM=
-cloud.google.com/go/run v0.9.0/go.mod h1:Wwu+/vvg8Y+JUApMwEDfVfhetv30hCG4ZwDR/IXl2Qg=
-cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s=
-cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI=
-cloud.google.com/go/scheduler v1.6.0/go.mod h1:SgeKVM7MIwPn3BqtcBntpLyrIJftQISRrYB5ZtT+KOk=
-cloud.google.com/go/scheduler v1.7.0/go.mod h1:jyCiBqWW956uBjjPMMuX09n3x37mtyPJegEWKxRsn44=
-cloud.google.com/go/scheduler v1.8.0/go.mod h1:TCET+Y5Gp1YgHT8py4nlg2Sew8nUHMqcpousDgXJVQc=
-cloud.google.com/go/scheduler v1.9.0/go.mod h1:yexg5t+KSmqu+njTIh3b7oYPheFtBWGcbVUYF1GGMIc=
-cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA=
-cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4=
-cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8AL6X1MA01dW8ht4=
-cloud.google.com/go/secretmanager v1.10.0/go.mod h1:MfnrdvKMPNra9aZtQFvBcvRU54hbPD8/HayQdlUgJpU=
-cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4=
-cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0=
-cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU=
-cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q=
-cloud.google.com/go/security v1.10.0/go.mod h1:QtOMZByJVlibUT2h9afNDWRZ1G96gVywH8T5GUSb9IA=
-cloud.google.com/go/security v1.12.0/go.mod h1:rV6EhrpbNHrrxqlvW0BWAIawFWq3X90SduMJdFwtLB8=
-cloud.google.com/go/security v1.13.0/go.mod h1:Q1Nvxl1PAgmeW0y3HTt54JYIvUdtcpYKVfIB8AOMZ+0=
-cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU=
-cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc=
-cloud.google.com/go/securitycenter v1.15.0/go.mod h1:PeKJ0t8MoFmmXLXWm41JidyzI3PJjd8sXWaVqg43WWk=
-cloud.google.com/go/securitycenter v1.16.0/go.mod h1:Q9GMaLQFUD+5ZTabrbujNWLtSLZIZF7SAR0wWECrjdk=
-cloud.google.com/go/securitycenter v1.18.1/go.mod h1:0/25gAzCM/9OL9vVx4ChPeM/+DlfGQJDwBy/UC8AKK0=
-cloud.google.com/go/securitycenter v1.19.0/go.mod h1:LVLmSg8ZkkyaNy4u7HCIshAngSQ8EcIRREP3xBnyfag=
-cloud.google.com/go/servicecontrol v1.4.0/go.mod h1:o0hUSJ1TXJAmi/7fLJAedOovnujSEvjKCAFNXPQ1RaU=
-cloud.google.com/go/servicecontrol v1.5.0/go.mod h1:qM0CnXHhyqKVuiZnGKrIurvVImCs8gmqWsDoqe9sU1s=
-cloud.google.com/go/servicecontrol v1.10.0/go.mod h1:pQvyvSRh7YzUF2efw7H87V92mxU8FnFDawMClGCNuAA=
-cloud.google.com/go/servicecontrol v1.11.0/go.mod h1:kFmTzYzTUIuZs0ycVqRHNaNhgR+UMUpw9n02l/pY+mc=
-cloud.google.com/go/servicecontrol v1.11.1/go.mod h1:aSnNNlwEFBY+PWGQ2DoM0JJ/QUXqV5/ZD9DOLB7SnUk=
-cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs=
-cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg=
-cloud.google.com/go/servicedirectory v1.6.0/go.mod h1:pUlbnWsLH9c13yGkxCmfumWEPjsRs1RlmJ4pqiNjVL4=
-cloud.google.com/go/servicedirectory v1.7.0/go.mod h1:5p/U5oyvgYGYejufvxhgwjL8UVXjkuw7q5XcG10wx1U=
-cloud.google.com/go/servicedirectory v1.8.0/go.mod h1:srXodfhY1GFIPvltunswqXpVxFPpZjf8nkKQT7XcXaY=
-cloud.google.com/go/servicedirectory v1.9.0/go.mod h1:29je5JjiygNYlmsGz8k6o+OZ8vd4f//bQLtvzkPPT/s=
-cloud.google.com/go/servicemanagement v1.4.0/go.mod h1:d8t8MDbezI7Z2R1O/wu8oTggo3BI2GKYbdG4y/SJTco=
-cloud.google.com/go/servicemanagement v1.5.0/go.mod h1:XGaCRe57kfqu4+lRxaFEAuqmjzF0r+gWHjWqKqBvKFo=
-cloud.google.com/go/servicemanagement v1.6.0/go.mod h1:aWns7EeeCOtGEX4OvZUWCCJONRZeFKiptqKf1D0l/Jc=
-cloud.google.com/go/servicemanagement v1.8.0/go.mod h1:MSS2TDlIEQD/fzsSGfCdJItQveu9NXnUniTrq/L8LK4=
-cloud.google.com/go/serviceusage v1.3.0/go.mod h1:Hya1cozXM4SeSKTAgGXgj97GlqUvF5JaoXacR1JTP/E=
-cloud.google.com/go/serviceusage v1.4.0/go.mod h1:SB4yxXSaYVuUBYUml6qklyONXNLt83U0Rb+CXyhjEeU=
-cloud.google.com/go/serviceusage v1.5.0/go.mod h1:w8U1JvqUqwJNPEOTQjrMHkw3IaIFLoLsPLvsE3xueec=
-cloud.google.com/go/serviceusage v1.6.0/go.mod h1:R5wwQcbOWsyuOfbP9tGdAnCAc6B9DRwPG1xtWMDeuPA=
-cloud.google.com/go/shell v1.3.0/go.mod h1:VZ9HmRjZBsjLGXusm7K5Q5lzzByZmJHf1d0IWHEN5X4=
-cloud.google.com/go/shell v1.4.0/go.mod h1:HDxPzZf3GkDdhExzD/gs8Grqk+dmYcEjGShZgYa9URw=
-cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+qE2f9A=
-cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos=
-cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk=
-cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M=
-cloud.google.com/go/spanner v1.85.1 h1:cJx1ZD//C2QIfFQl8hSTn4twL8amAXtnayyflRIjj40=
-cloud.google.com/go/spanner v1.85.1/go.mod h1:bbwCXbM+zljwSPLZ44wZOdzcdmy89hbUGmM/r9sD0ws=
-cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM=
-cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ=
-cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0=
-cloud.google.com/go/speech v1.9.0/go.mod h1:xQ0jTcmnRFFM2RfX/U+rk6FQNUF6DQlydUSyoooSpco=
-cloud.google.com/go/speech v1.14.1/go.mod h1:gEosVRPJ9waG7zqqnsHpYTOoAS4KouMRLDFMekpJ0J0=
-cloud.google.com/go/speech v1.15.0/go.mod h1:y6oH7GhqCaZANH7+Oe0BhgIogsNInLlz542tg3VqeYI=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
-cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
-cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
-cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
-cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
-cloud.google.com/go/storage v1.56.1 h1:n6gy+yLnHn0hTwBFzNn8zJ1kqWfR91wzdM8hjRF4wP0=
-cloud.google.com/go/storage v1.56.1/go.mod h1:C9xuCZgFl3buo2HZU/1FncgvvOgTAs/rnh4gF4lMg0s=
-cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w=
-cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I=
-cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4=
-cloud.google.com/go/storagetransfer v1.8.0/go.mod h1:JpegsHHU1eXg7lMHkvf+KE5XDJ7EQu0GwNJbbVGanEw=
-cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw=
-cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g=
-cloud.google.com/go/talent v1.3.0/go.mod h1:CmcxwJ/PKfRgd1pBjQgU6W3YBwiewmUzQYH5HHmSCmM=
-cloud.google.com/go/talent v1.4.0/go.mod h1:ezFtAgVuRf8jRsvyE6EwmbTK5LKciD4KVnHuDEFmOOA=
-cloud.google.com/go/talent v1.5.0/go.mod h1:G+ODMj9bsasAEJkQSzO2uHQWXHHXUomArjWQQYkqK6c=
-cloud.google.com/go/texttospeech v1.4.0/go.mod h1:FX8HQHA6sEpJ7rCMSfXuzBcysDAuWusNNNvN9FELDd8=
-cloud.google.com/go/texttospeech v1.5.0/go.mod h1:oKPLhR4n4ZdQqWKURdwxMy0uiTS1xU161C8W57Wkea4=
-cloud.google.com/go/texttospeech v1.6.0/go.mod h1:YmwmFT8pj1aBblQOI3TfKmwibnsfvhIBzPXcW4EBovc=
-cloud.google.com/go/tpu v1.3.0/go.mod h1:aJIManG0o20tfDQlRIej44FcwGGl/cD0oiRyMKG19IQ=
-cloud.google.com/go/tpu v1.4.0/go.mod h1:mjZaX8p0VBgllCzF6wcU2ovUXN9TONFLd7iz227X2Xg=
-cloud.google.com/go/tpu v1.5.0/go.mod h1:8zVo1rYDFuW2l4yZVY0R0fb/v44xLh3llq7RuV61fPM=
-cloud.google.com/go/trace v1.3.0/go.mod h1:FFUE83d9Ca57C+K8rDl/Ih8LwOzWIV1krKgxg6N0G28=
-cloud.google.com/go/trace v1.4.0/go.mod h1:UG0v8UBqzusp+z63o7FK74SdFE+AXpCLdFb1rshXG+Y=
-cloud.google.com/go/trace v1.8.0/go.mod h1:zH7vcsbAhklH8hWFig58HvxcxyQbaIqMarMg9hn5ECA=
-cloud.google.com/go/trace v1.9.0/go.mod h1:lOQqpE5IaWY0Ixg7/r2SjixMuc6lfTFeO4QGM4dQWOk=
-cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
-cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
-cloud.google.com/go/translate v1.3.0/go.mod h1:gzMUwRjvOqj5i69y/LYLd8RrNQk+hOmIXTi9+nb3Djs=
-cloud.google.com/go/translate v1.4.0/go.mod h1:06Dn/ppvLD6WvA5Rhdp029IX2Mi3Mn7fpMRLPvXT5Wg=
-cloud.google.com/go/translate v1.5.0/go.mod h1:29YDSYveqqpA1CQFD7NQuP49xymq17RXNaUDdc0mNu0=
-cloud.google.com/go/translate v1.6.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
-cloud.google.com/go/translate v1.7.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
-cloud.google.com/go/video v1.8.0/go.mod h1:sTzKFc0bUSByE8Yoh8X0mn8bMymItVGPfTuUBUyRgxk=
-cloud.google.com/go/video v1.9.0/go.mod h1:0RhNKFRF5v92f8dQt0yhaHrEuH95m068JYOvLZYnJSw=
-cloud.google.com/go/video v1.12.0/go.mod h1:MLQew95eTuaNDEGriQdcYn0dTwf9oWiA4uYebxM5kdg=
-cloud.google.com/go/video v1.13.0/go.mod h1:ulzkYlYgCp15N2AokzKjy7MQ9ejuynOJdf1tR5lGthk=
-cloud.google.com/go/video v1.14.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
-cloud.google.com/go/video v1.15.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
-cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU=
-cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4=
-cloud.google.com/go/videointelligence v1.8.0/go.mod h1:dIcCn4gVDdS7yte/w+koiXn5dWVplOZkE+xwG9FgK+M=
-cloud.google.com/go/videointelligence v1.9.0/go.mod h1:29lVRMPDYHikk3v8EdPSaL8Ku+eMzDljjuvRs105XoU=
-cloud.google.com/go/videointelligence v1.10.0/go.mod h1:LHZngX1liVtUhZvi2uNS0VQuOzNi2TkY1OakiuoUOjU=
-cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0=
-cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo=
-cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo=
-cloud.google.com/go/vision/v2 v2.4.0/go.mod h1:VtI579ll9RpVTrdKdkMzckdnwMyX2JILb+MhPqRbPsY=
-cloud.google.com/go/vision/v2 v2.5.0/go.mod h1:MmaezXOOE+IWa+cS7OhRRLK2cNv1ZL98zhqFFZaaH2E=
-cloud.google.com/go/vision/v2 v2.6.0/go.mod h1:158Hes0MvOS9Z/bDMSFpjwsUrZ5fPrdwuyyvKSGAGMY=
-cloud.google.com/go/vision/v2 v2.7.0/go.mod h1:H89VysHy21avemp6xcf9b9JvZHVehWbET0uT/bcuY/0=
-cloud.google.com/go/vmmigration v1.2.0/go.mod h1:IRf0o7myyWFSmVR1ItrBSFLFD/rJkfDCUTO4vLlJvsE=
-cloud.google.com/go/vmmigration v1.3.0/go.mod h1:oGJ6ZgGPQOFdjHuocGcLqX4lc98YQ7Ygq8YQwHh9A7g=
-cloud.google.com/go/vmmigration v1.5.0/go.mod h1:E4YQ8q7/4W9gobHjQg4JJSgXXSgY21nA5r8swQV+Xxc=
-cloud.google.com/go/vmmigration v1.6.0/go.mod h1:bopQ/g4z+8qXzichC7GW1w2MjbErL54rk3/C843CjfY=
-cloud.google.com/go/vmwareengine v0.1.0/go.mod h1:RsdNEf/8UDvKllXhMz5J40XxDrNJNN4sagiox+OI208=
-cloud.google.com/go/vmwareengine v0.2.2/go.mod h1:sKdctNJxb3KLZkE/6Oui94iw/xs9PRNC2wnNLXsHvH8=
-cloud.google.com/go/vmwareengine v0.3.0/go.mod h1:wvoyMvNWdIzxMYSpH/R7y2h5h3WFkx6d+1TIsP39WGY=
-cloud.google.com/go/vpcaccess v1.4.0/go.mod h1:aQHVbTWDYUR1EbTApSVvMq1EnT57ppDmQzZ3imqIk4w=
-cloud.google.com/go/vpcaccess v1.5.0/go.mod h1:drmg4HLk9NkZpGfCmZ3Tz0Bwnm2+DKqViEpeEpOq0m8=
-cloud.google.com/go/vpcaccess v1.6.0/go.mod h1:wX2ILaNhe7TlVa4vC5xce1bCnqE3AeH27RV31lnmZes=
-cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE=
-cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg=
-cloud.google.com/go/webrisk v1.6.0/go.mod h1:65sW9V9rOosnc9ZY7A7jsy1zoHS5W9IAXv6dGqhMQMc=
-cloud.google.com/go/webrisk v1.7.0/go.mod h1:mVMHgEYH0r337nmt1JyLthzMr6YxwN1aAIEc2fTcq7A=
-cloud.google.com/go/webrisk v1.8.0/go.mod h1:oJPDuamzHXgUc+b8SiHRcVInZQuybnvEW72PqTc7sSg=
-cloud.google.com/go/websecurityscanner v1.3.0/go.mod h1:uImdKm2wyeXQevQJXeh8Uun/Ym1VqworNDlBXQevGMo=
-cloud.google.com/go/websecurityscanner v1.4.0/go.mod h1:ebit/Fp0a+FWu5j4JOmJEV8S8CzdTkAS77oDsiSqYWQ=
-cloud.google.com/go/websecurityscanner v1.5.0/go.mod h1:Y6xdCPy81yi0SQnDY1xdNTNpfY1oAgXUlcfN3B3eSng=
-cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0=
-cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M=
-cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
-cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
-cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
+cloud.google.com/go/iam v1.8.0 h1:e5QOdN1zQ3MTWYtXIf2buX+jxqvo2sKqBCOLrteLd1M=
+cloud.google.com/go/iam v1.8.0/go.mod h1:IkWUaEeLK91WQqTKa/fi5xdHJbL49kv2j/vlAZQSJ+k=
+cloud.google.com/go/kms v1.27.0 h1:iYYgoD0HJIqz35A+He1G0dS5qTQzQsDXFsyXwzkUCXM=
+cloud.google.com/go/kms v1.27.0/go.mod h1:KPxrdf61iYEOZ86uPwR86muBpSik2y4Ion6e83fVl1Q=
+cloud.google.com/go/logging v1.14.0 h1:xpPpY8cVT6n9DgIRgrWyE+YEsGlO/994pWnbc7o5Eh4=
+cloud.google.com/go/logging v1.14.0/go.mod h1:jmI+Try/fZeOTOAer3wVYOuPf9WX9PyzhlSDoBAi4HM=
+cloud.google.com/go/longrunning v0.9.0 h1:0EzbDEGsAvOZNbqXopgniY0w0a1phvu5IdUFq8grmqY=
+cloud.google.com/go/longrunning v0.9.0/go.mod h1:pkTz846W7bF4o2SzdWJ40Hu0Re+UoNT6Q5t+igIcb8E=
+cloud.google.com/go/monitoring v1.26.0 h1:858kWP5akszJFeiWBSmQJIfS8vsCqkX9hjc7HPsv/tk=
+cloud.google.com/go/monitoring v1.26.0/go.mod h1:72NOVjJXHY/HBfoLT0+qlCZBT059+9VXLeAnL2PeeVM=
+cloud.google.com/go/spanner v1.89.0 h1:r3h5Z5RA8JRPf3HCvA6ujNhREIMhPY+MrDL9mkY8jS0=
+cloud.google.com/go/spanner v1.89.0/go.mod h1:okNuxnp1wdPaVoM5M28Al2irKZLkHhZ2Z+DW6/ZJWGw=
+cloud.google.com/go/storage v1.62.0 h1:w2pQJhpUqVerMON45vatE2FpCYsNTf7OHjkn6ux5mMU=
+cloud.google.com/go/storage v1.62.0/go.mod h1:T5hz3qzcpnxZ5LdKc7y8Tw7lh4v9zeeVyrD/cLJAzZU=
+cloud.google.com/go/trace v1.12.0 h1:XvWHYfr9q88cX4pZyou6qCcSagnuASyUq2ej1dB6NzQ=
+cloud.google.com/go/trace v1.12.0/go.mod h1:TOYfyeoyCGsSH0ifXD6Aius24uQI9xV3RyvOdljFIyg=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
-git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
+filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
+filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
 github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs=
 github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4/go.mod h1:hN7oaIRCjzsZ2dE+yG5k+rsdt3qcwykqK6HVGcKwsw4=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
@@ -637,16 +43,16 @@ github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 h1:5YTBM8QDVIBN3sxBil89WfdAAqDZbyJTgh688DSxX5w=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1 h1:jHb/wfvRikGdxMXYV3QG/SzUOPYN9KEUUuC0Yd0/vC0=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1/go.mod h1:pzBXCYn05zvYIrwLgtK8Ap8QcjRg+0i76tMQdWN6wOk=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 h1:wL5IEG5zb7BVv1Kv0Xm92orq+5hB5Nipn3B5tn4Rqfk=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
 github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 h1:fhqpLE3UEXi9lPaBRpQ6XuRW0nU7hgg4zlmZZa+a9q4=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0/go.mod h1:7dCRMLwisfRH3dBupKeNCioWYUZ4SS09Z14H+7i8ZoY=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw=
@@ -705,12 +111,12 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw=
+github.com/Azure/go-ntlmssp v0.1.1/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
@@ -718,28 +124,26 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3 h1:2afWGsMzkIcN8Qm4mgPJKZWyroE5QBszMiDMYEBrnfw=
-github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.3/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 h1:UQUsRi8WTzhZntp5313l+CHIAT95ojUI2lpP/ExlZa4=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0/go.mod h1:Cz6ft6Dkn3Et6l2v2a9/RpN7epQ1GtDlO6lj8bEcOvw=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0/go.mod h1:ZPpqegjbE99EPKsu3iUWV22A04wzGPcAY/ziSIQEEgs=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0 h1:4LP6hvB4I5ouTbGgWtixJhgED6xdf67twf9PoY96Tbg=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0/go.mod h1:jUZ5LYlw40WMd07qxcQJD5M40aUxrfwqQX1g7zxYnrQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 h1:Ron4zCA/yk6U7WOBXhTJcDpsUBG9npumK6xw2auFltQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0/go.mod h1:cSgYe11MCNYunTnRXrKiR/tHc0eoKjICUuWpNZoVCOo=
+github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.6.0 h1:BzsL0qE7LvtTEtXG7Dt5NS1EP0CQwI21HZfj9aGghhw=
+github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.6.0/go.mod h1:I7kE2kM3qCr9QPT4cU4cCFYkEpVyVr16YOGUHzy+nR0=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.32.0 h1:rIkQfkCOVKc1OiRCNcSDD8ml5RJlZbH/Xsq7lbpynwc=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.32.0/go.mod h1:RD2SsorTmYhF6HkTmDw7KmPYQk8OBYwTkuasChwv7R4=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.56.0 h1:O2sXMyJh8b7devAGdE+163xtRurt0RVpB6DIzX5vGfg=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.56.0/go.mod h1:hEpiGU18xf70qb3jbTcIggWAiEfX/cOIVc2OTe4OegA=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.56.0 h1:ZIT85vKP7LBS84XJ0WdJ3dPOX3iz4j3c0+lpajGQMyo=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.56.0/go.mod h1:rqP9UEhOXv9WhQ7Gjz+G5y/pf8+BJZW5/Ts0AhE0PwE=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.56.0 h1:0YP0+/ixwu+Uqeu/FGiBZNQ19huiUxxiPXIc9WsLKuQ=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.56.0/go.mod h1:6ZZMQhZKDvUvkJw2rc+oDP90tMMzuU/J+5HG1ZmPOmE=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/Jeffail/gabs/v2 v2.1.0 h1:6dV9GGOjoQgzWTQEltZPXlJdFloxvIq7DwqgxMCbq30=
 github.com/Jeffail/gabs/v2 v2.1.0/go.mod h1:xCn81vdHKxFUuWWAaD5jCTQDNPBMh5pPs9IJ+NcziBI=
 github.com/Jeffail/keyring v1.2.3 h1:WRmYdGPmHoJqX66KjGXQBALp6mUN00tD0ds5C4pqEsQ=
 github.com/Jeffail/keyring v1.2.3/go.mod h1:xIg4RDmDwDuUFoU4IzDIT3b+HV24JUYlzo6ILZUH3Sc=
-github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
@@ -750,10 +154,10 @@ github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
-github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
-github.com/ProtonMail/gopenpgp/v3 v3.2.1 h1:ohRlKL5YwyIkN5kk7uBvijiMsyA57mK0yBEJg9xButU=
-github.com/ProtonMail/gopenpgp/v3 v3.2.1/go.mod h1:x7RduTo/0n/2PjTFRoEHApaxye/8PFbhoCquwfYBUGM=
+github.com/ProtonMail/go-crypto v1.4.0 h1:Zq/pbM3F5DFgJiMouxEdSVY44MVoQNEKp5d5QxIQceQ=
+github.com/ProtonMail/go-crypto v1.4.0/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo=
+github.com/ProtonMail/gopenpgp/v3 v3.3.0 h1:N6rHCH5PWwB6zSRMgRj1EbAMQHUAAHxH3Oo4KibsPwY=
+github.com/ProtonMail/gopenpgp/v3 v3.3.0/go.mod h1:J+iNPt0/5EO9wRt7Eit9dRUlzyu3hiGX3zId6iuaKOk=
 github.com/SAP/go-hdb v1.10.1 h1:c9dGT5xHZNDwPL3NQcRpnNISn3MchwYaGoMZpCAllUs=
 github.com/SAP/go-hdb v1.10.1/go.mod h1:vxYDca44L2eRudZv5JAI6T+IygOfxb7vOCFh/Kj0pug=
 github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a h1:KFHLI4QGttB0i7M3qOkAo8Zn/GSsxwwCnInFqBaYtkM=
@@ -764,10 +168,7 @@ github.com/aerospike/aerospike-client-go/v8 v8.5.0 h1:5jRv6v9M9PgGXOxm1+XzqVM8dN
 github.com/aerospike/aerospike-client-go/v8 v8.5.0/go.mod h1:F3qwGJUMWOtqZha7O2VglfIDatH3Rj8wYhmI7bkHOfU=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm/4RlzPXRlREEwqTHAN3T56Bv2ITsFT3gY=
-github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
-github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -779,19 +180,14 @@ github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 h1:qagvUyrgOnBIlVRQWOyCZGVKUIYb
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.107/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5 h1:nWDRPCyCltiTsANwC/n3QZH7Vww33Npq9MKqlwRzI/c=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
-github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/apache/arrow-go/v18 v18.4.0 h1:/RvkGqH517iY8bZKc4FD5/kkdwXJGjxf28JIXbJ/oB0=
 github.com/apache/arrow-go/v18 v18.4.0/go.mod h1:Aawvwhj8x2jURIzD9Moy72cF0FyJXOpkYpdmGRHcw14=
-github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0=
-github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI=
-github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
-github.com/apache/thrift v0.22.0 h1:r7mTJdj51TMDe6RtcmNdQxgn9XcyfGDOzegMDRg47uc=
-github.com/apache/thrift v0.22.0/go.mod h1:1e7J/O1Ae6ZQMTYdy9xa3w9k+XHWPfRvdPyJeynQ+/g=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58 h1:rDLE+tSW60VzRD7v5I+DU22Mjhmm+mfLc5Xl5dHkx6w=
+github.com/apache/thrift v0.23.1-0.20260429145742-d2acd3c49e58/go.mod h1:zPt6WxgvTOM6hF92y8C+MkEM5LMxZuk4JcQOiU4Esvs=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2 h1:VoHKYIXEQU5LWoambPBOvYxyLqZYHuj+rj5DVnMUc3k=
@@ -815,53 +211,56 @@ github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBea
 github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.55.8 h1:JRmEUbU52aJQZ2AjX4q4Wu7t4uZjOu71uyNmaWlUkJQ=
 github.com/aws/aws-sdk-go v1.55.8/go.mod h1:ZkViS9AqA6otK+JBBNH2++sx1sgxrPKcSzPPvQkUtXk=
-github.com/aws/aws-sdk-go-v2 v1.38.1 h1:j7sc33amE74Rz0M/PoCpsZQ6OunLqys/m5antM0J+Z8=
-github.com/aws/aws-sdk-go-v2 v1.38.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14=
-github.com/aws/aws-sdk-go-v2/config v1.29.15 h1:I5XjesVMpDZXZEZonVfjI12VNMrYa38LtLnw4NtY5Ss=
-github.com/aws/aws-sdk-go-v2/config v1.29.15/go.mod h1:tNIp4JIPonlsgaO5hxO372a6gjhN63aSWl2GVl5QoBQ=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.68 h1:cFb9yjI02/sWHBSYXAtkamjzCuRymvmeFmt0TC0MbYY=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.68/go.mod h1:H6E+jBzyqUu8u0vGaU6POkK3P0NylYEeRZ6ynBpMqIk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
-github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.5.11 h1:qDk85oQdhwP4NR1RpkN+t40aN46/K96hF9J1vDRrkKM=
-github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.5.11/go.mod h1:f3MkXuZsT+wY24nLIP+gFUuIVQkpVopxbpUD/GUZK0Q=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 h1:7Zwtt/lP3KNRkeZre7soMELMGNoBrutx8nobg1jKWmo=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15/go.mod h1:436h2adoHb57yd+8W+gYPrrA9U/R/SuAuOO42Ushzhw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 h1:ZNTqv4nIdE/DiBfUUfXcLZ/Spcuz+RjeziUtNJackkM=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34/go.mod h1:zf7Vcd1ViW7cPqYWEHLHJkS50X0JS2IKz9Cgaj6ugrs=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.200.0 h1:3hH6o7Z2WeE1twvz44Aitn6Qz8DZN3Dh5IB4Eh2xq7s=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.200.0/go.mod h1:I76S7jN0nfsYTBtuTgTsJtK2Q8yJVDgrLr5eLN64wMA=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.53.8 h1:v1OectQdV/L+KSFSiqK00fXGN8FbaljRfNFysmWB8D0=
-github.com/aws/aws-sdk-go-v2/service/ecs v1.53.8/go.mod h1:F0DbgxpvuSvtYun5poG67EHLvci4SgzsMVO6SsPUqKk=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.2 h1:BCG7DCXEXpNCcpwCxg1oi9pkJWH2+eZzTn9MY56MbVw=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.2/go.mod h1:iu6FSzgt+M2/x3Dk8zhycdIcHjEFb36IS8HVUVFoMg0=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91LiqT1nbvzDukyqAlCv89ZmwaHw/ZFlFZg=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.80.1 h1:xYEAf/6QHiTZDccKnPMbsMwlau13GsDsTgdue3wmHGw=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.80.1/go.mod h1:qbn305Je/IofWBJ4bJz/Q7pDEtnnoInw/dGt71v6rHE=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.20 h1:oIaQ1e17CSKaWmUTu62MtraRWVIosn/iONMuZt0gbqc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.20/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
-github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
-github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY=
+github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
+github.com/aws/aws-sdk-go-v2/config v1.32.14 h1:opVIRo/ZbbI8OIqSOKmpFaY7IwfFUOCCXBsUpJOwDdI=
+github.com/aws/aws-sdk-go-v2/config v1.32.14/go.mod h1:U4/V0uKxh0Tl5sxmCBZ3AecYny4UNlVmObYjKuuaiOo=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.14 h1:n+UcGWAIZHkXzYt87uMFBv/l8THYELoX6gVcUvgl6fI=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.14/go.mod h1:cJKuyWB59Mqi0jM3nFYQRmnHVQIcgoxjEMAbLkpr62w=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 h1:NUS3K4BTDArQqNu2ih7yeDLaS3bmHD0YndtA6UP884g=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21/go.mod h1:YWNWJQNjKigKY1RHVJCuupeWDrrHjRqHm0N9rdrWzYI=
+github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.6.21 h1:HFn8sVT87KWnGs2Q2gO/brPZc2bR0RXD++cYKRmABzk=
+github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.6.21/go.mod h1:BGZ/K6gLGJt8K36j6gcsD7WVxmWt0MGBYtr57iLweio=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.13 h1:uMC4oL6G3MNhodo358QEqSDjrgvzV3TUQ58nyQSGq2E=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.22.13/go.mod h1:Cer86AE2686DvVUe57LPve3jUBmbujuaonSX8pNzGgw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 h1:rWyie/PxDRIdhNf4DzRk0lvjVOqFJuNnO8WwaIRVxzQ=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22/go.mod h1:zd/JsJ4P7oGfUhXn1VyLqaRZwPmZwg44Jf2dS84Dm3Y=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.297.0 h1:A+7NViqbMUCoTQFWjbSXdbzE4K5Ziu2zWJtZzAusm+A=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.297.0/go.mod h1:R+2BNtUfTfhPY0RH18oL02q116bakeBWjanrbnVBqkM=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.77.0 h1:g3RYQmK6uRU5kOuwDthemuiiTbmwyGd8Wzf+k7cYWtk=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.77.0/go.mod h1:QkWmubOYmjj3cHn7A4CoUU7BKJhVeo39Gp6NH7IyhZw=
+github.com/aws/aws-sdk-go-v2/service/iam v1.53.6 h1:GPQvvxy8+FDnD9xKYzGKJMjIm5xkVM5pd3bFgRldNSo=
+github.com/aws/aws-sdk-go-v2/service/iam v1.53.6/go.mod h1:RJNVc52A0K41fCDJOnsCLeWJf8mwa0q30fM3CfE9U18=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 h1:JRaIgADQS/U6uXDqlPiefP32yXTda7Kqfx+LgspooZM=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13/go.mod h1:CEuVn5WqOMilYl+tbccq8+N2ieCy0gVn3OtRb0vBNNM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3xgIJMSC8S6hEVq+38DcvUlgFY0FM6mSI5oto=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWURB8avufQq9gFsheUgjVD9536obIknfM=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0 h1:hlSuz394kV0vhv9drL5lhuEFbEOEP1VyQpy15qWh1Pk=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 h1:lFd1+ZSEYJZYvv9d6kXzhkZu07si3f+GQ1AaYwa2LUM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.15/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 h1:dzztQ1YmfPrxdrOiuZRMF6fuOwWlWpD2StNLTceKpys=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 h1:p8ogvvLugcR/zLBXTXrTkj0RYBUdErbMnAFFp12Lm/U=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJinbHrDfSJ2GZl4Q//OSSNAVw=
+github.com/aws/smithy-go v1.24.3 h1:XgOAaUgx+HhVBoP4v8n6HCQoTRDhoMghKqw4LNHsDNg=
+github.com/aws/smithy-go v1.24.3/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f h1:ZNv7On9kyUzm7fvRZumSyy/IUiSC7AzL0I1jKKtwooA=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/immutable v0.4.0 h1:CTqXbEerYso8YzVPxmWxh2gnoRQbbB9X1quUC8+vGZA=
 github.com/benbjohnson/immutable v0.4.0/go.mod h1:iAr8OjJGLnLmVUr9MZ/rz4PWUy6Ouc2JLYuMArmvAJM=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -877,7 +276,6 @@ github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4Yn
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
 github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
-github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -888,44 +286,24 @@ github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QH
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0 h1:CWU8piLyqoi9qXEUwzOh5KFKGgmSU5ZhktJyYcq6ryQ=
 github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0/go.mod h1:5d8DqS60xkj9k3aXfL3+mXBH0DPYO0FQjcKosxl+b/Q=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible h1:C29Ae4G5GtYyYMm1aztcyj/J5ckgJm2zwdDajFbx1NY=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3 h1:TJH+oke8D16535+jHExHj4nQvzlZrj7ug5D7I/orNUA=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.6.2-0.20250618153321-aa837fd1539d h1:IiIprFGH6SqstblP0Y9NIo3eaUJGkI/YDOFVSL64Uq4=
-github.com/cloudflare/circl v1.6.2-0.20250618153321-aa837fd1539d/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1 h1:ef0OsiQjSQggHrLFAMDRiu6DfkVSElA5jfG1/Nkyu6c=
 github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1/go.mod h1:sgaEj3tRn0hwe7GPdEUwxrdOqjBzyjyvyOCGf1OQyZY=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
-github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
-github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
-github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
+github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 h1:aBangftG7EVZoUb69Os8IaYg++6uMOdKK83QtkkvJik=
+github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2/go.mod h1:qwXFYgsP6T7XnJtbKlf1HP8AjxZZyzxMmc+Lq5GjlU4=
 github.com/cockroachdb/cockroach-go/v2 v2.3.8 h1:53yoUo4+EtrC1NrAEgnnad4AS3ntNvGup1PAXZ7UmpE=
 github.com/cockroachdb/cockroach-go/v2 v2.3.8/go.mod h1:9uH5jK4yQ3ZQUT9IXe4I2fHzMIF5+JC/oOdzTRgJYJk=
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q=
@@ -947,13 +325,12 @@ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
 github.com/coreos/etcd v3.3.27+incompatible h1:QIudLb9KeBsE5zyYxd1mjzRSkzLg9Wf9QlRwFgd6oTA=
 github.com/coreos/etcd v3.3.27+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc/v3 v3.15.0 h1:R6Oz8Z4bqWR7VFQ+sPSvZPQv4x8M+sJkDO5ojgwlyAg=
-github.com/coreos/go-oidc/v3 v3.15.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
@@ -961,14 +338,14 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf h1:GOPo6vn/vTN+3IwZBvXX0y5doJfSC7My0cdzelyOCsQ=
 github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/couchbase/gocb/v2 v2.11.1 h1:xWDco7Qk/XSvGUjbUWRaXi0V35nsMijJnm4vHXN/rqY=
-github.com/couchbase/gocb/v2 v2.11.1/go.mod h1:aSh1Cmd1sPRpYyiBD5iWPehPWaTVF/oYhrtOAITWb/4=
-github.com/couchbase/gocbcore/v10 v10.8.1 h1:i4SnH0DH9APGC4GS2vS2m+3u08V7oJwviamOXdgAZOQ=
-github.com/couchbase/gocbcore/v10 v10.8.1/go.mod h1:OWKfU9R5Nm5V3QZBtfdZl5qCfgxtxTqOgXiNr4pn9/c=
-github.com/couchbase/gocbcoreps v0.1.4 h1:/iZVHMpuEw3lyNz9mIahMQffJOurl/opXyOGads/JbI=
-github.com/couchbase/gocbcoreps v0.1.4/go.mod h1:hBFpDNPnRno6HH5cRXExhqXYRmTsFJlFHQx7vztcXPk=
-github.com/couchbase/goprotostellar v1.0.2 h1:yoPbAL9sCtcyZ5e/DcU5PRMOEFaJrF9awXYu3VPfGls=
-github.com/couchbase/goprotostellar v1.0.2/go.mod h1:5/yqVnZlW2/NSbAWu1hPJCFBEwjxgpe0PFFOlRixnp4=
+github.com/couchbase/gocb/v2 v2.12.0 h1:IIIhOLJJHXHJ5Y876tgmhG9osmOaDPuepycJyJKj/14=
+github.com/couchbase/gocb/v2 v2.12.0/go.mod h1:MVrScUfHQI+/wIg5BJZd2LefgW+0sn9FfK2x89mW10Y=
+github.com/couchbase/gocbcore/v10 v10.9.0 h1:+O1ZF9/BZN2wE8qrPUwatR4BsXcffdIOZ8Lj/0tY3s4=
+github.com/couchbase/gocbcore/v10 v10.9.0/go.mod h1:OWKfU9R5Nm5V3QZBtfdZl5qCfgxtxTqOgXiNr4pn9/c=
+github.com/couchbase/gocbcoreps v0.1.5-0.20260107140814-1c3a03f888f8 h1:WwGhY3TYn2INQo88yzEhUMYFlgjRInA1dgfEa3UhAxw=
+github.com/couchbase/gocbcoreps v0.1.5-0.20260107140814-1c3a03f888f8/go.mod h1:AUR8DPPmvM+uMkb+Q01Y0mMXINdEY/jUL/qE+kPJ67s=
+github.com/couchbase/goprotostellar v1.0.5 h1:pmR4H87zbYymIdTR1owyUZsfQ7NupkfCuNLW4FIPBhE=
+github.com/couchbase/goprotostellar v1.0.5/go.mod h1:X58ot5FRqlBTBkwG/oI4klunpu4MApjGktheqeRWQw0=
 github.com/couchbaselabs/gocaves/client v0.0.0-20250107114554-f96479220ae8 h1:MQfvw4BiLTuyR69FuA5Kex+tXUeLkH+/ucJfVL1/hkM=
 github.com/couchbaselabs/gocaves/client v0.0.0-20250107114554-f96479220ae8/go.mod h1:AVekAZwIY2stsJOMWLAS/0uA/+qdp7pjO8EHnl61QkY=
 github.com/couchbaselabs/gocbconnstr/v2 v2.0.0 h1:HU9DlAYYWR69jQnLN6cpg0fh0hxW/8d5hnglCXXjW78=
@@ -976,12 +353,11 @@ github.com/couchbaselabs/gocbconnstr/v2 v2.0.0/go.mod h1:o7T431UOfFVHDNvMBUmUxpH
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
-github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
 github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -1003,17 +379,15 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI=
 github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker v28.4.0+incompatible h1:KVC7bz5zJY/4AZe/78BIvCnPsLaC9T/zh72xnlrTTOk=
 github.com/docker/docker v28.4.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/duosecurity/duo_api_golang v0.0.0-20250430191550-ac36954387e7 h1:2QX96efe1AvKmqAdqeAn3efxI3lr+EULVbzRxZ/rKGQ=
 github.com/duosecurity/duo_api_golang v0.0.0-20250430191550-ac36954387e7/go.mod h1:hJ6IPTuCAvWv+i9ubnPZB3VpVRuj/+SAblWFcI0mjEU=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -1021,8 +395,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/dvsekhvalnov/jose2go v1.7.0 h1:bnQc8+GMnidJZA8zc6lLEAb4xNrIqHwO+9TzqvtQZPo=
 github.com/dvsekhvalnov/jose2go v1.7.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
-github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
-github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.8.4 h1:CF7LEKg5FFOsASUj0+QwaXf8Ht6TlFxg09+S9wz0omw=
+github.com/ebitengine/purego v0.8.4/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
@@ -1032,39 +406,27 @@ github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FM
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
-github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
-github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q=
-github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
-github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
-github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
-github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
+github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
+github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0 h1:u3riX6BoYRfF4Dr7dwSOroNfdSbEPe9Yyl09/B6wBrQ=
+github.com/envoyproxy/go-control-plane/envoy v1.37.0/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
-github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
-github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
-github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
-github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
+github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
+github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
+github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
@@ -1077,10 +439,10 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gabriel-vasile/mimetype v1.4.7 h1:SKFKl7kD0RiPdbht0s7hFtjl489WcQ1VyPW8ZzUMYCA=
 github.com/gabriel-vasile/mimetype v1.4.7/go.mod h1:GDlAgAyIRT27BhFl53XNAFtfjzOkLaF35JdEG0P7LtU=
-github.com/gammazero/deque v0.2.1 h1:qSdsbG6pgp6nL7A0+K/B7s12mcCY/5l5SIUpMOl+dC0=
-github.com/gammazero/deque v0.2.1/go.mod h1:LFroj8x4cMYCukHJDbxFCkT+r9AndaJnFMuZDV34tuU=
-github.com/gammazero/workerpool v1.1.3 h1:WixN4xzukFoN0XSeXF6puqEqFTl2mECI9S6W44HWy9Q=
-github.com/gammazero/workerpool v1.1.3/go.mod h1:wPjyBLDbyKnUn2XwwyD3EEwo9dHutia9/fwNmSHWACc=
+github.com/gammazero/deque v1.2.1 h1:9fnQVFCCZ9/NOc7ccTNqzoKd1tCWOqeI05/lPqFPMGQ=
+github.com/gammazero/deque v1.2.1/go.mod h1:5nSFkzVm+afG9+gy0VIowlqVAW4N8zNcMne+CMQVD2g=
+github.com/gammazero/workerpool v1.2.1 h1:MEDvUJsNYGuCvl1RwIXNKu2YtQtHqCSF9XWF04N7lqs=
+github.com/gammazero/workerpool v1.2.1/go.mod h1:E32GVRUanF4d6QtRmdss3AScgaDkIyrvPtgRQUWgmx4=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
@@ -1090,33 +452,24 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
-github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
-github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
-github.com/go-fonts/liberation v0.2.0/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
-github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmnUIzUY=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
-github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60=
-github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k=
+github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
+github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
-github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ=
+github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
-github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
-github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
-github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
+github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-ldap/ldif v0.0.0-20250910174327-aa3bc3095c92 h1:Eu8/ko8bvygFvum/PWUg5JrGQuWYNahEph8r3SErkSM=
 github.com/go-ldap/ldif v0.0.0-20250910174327-aa3bc3095c92/go.mod h1:F640vUoSS6Qg4nmesnVfHeZSJ0ArdMJ9eb0xB7wcitU=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@@ -1131,30 +484,58 @@ github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iauee
 github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
-github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
-github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU=
-github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
-github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
-github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
-github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs=
-github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ=
-github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc=
-github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
-github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
-github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=
-github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
-github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
-github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
-github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
-github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
+github.com/go-openapi/analysis v0.24.3 h1:a1hrvMr8X0Xt69KP5uVTu5jH62DscmDifrLzNglAayk=
+github.com/go-openapi/analysis v0.24.3/go.mod h1:Nc+dWJ/FxZbhSow5Yh3ozg5CLJioB+XXT6MdLvJUsUw=
+github.com/go-openapi/errors v0.22.7 h1:JLFBGC0Apwdzw3484MmBqspjPbwa2SHvpDm0u5aGhUA=
+github.com/go-openapi/errors v0.22.7/go.mod h1://QW6SD9OsWtH6gHllUCddOXDL0tk0ZGNYHwsw4sW3w=
+github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA=
+github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0=
+github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE=
+github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
+github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
+github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
+github.com/go-openapi/runtime v0.29.3 h1:h5twGaEqxtQg40ePiYm9vFFH1q06Czd7Ot6ufdK0w/Y=
+github.com/go-openapi/runtime v0.29.3/go.mod h1:8A1W0/L5eyNJvKciqZtvIVQvYO66NlB7INMSZ9bw/oI=
+github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
+github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
+github.com/go-openapi/strfmt v0.26.0 h1:SDdQLyOEqu8W96rO1FRG1fuCtVyzmukky0zcD6gMGLU=
+github.com/go-openapi/strfmt v0.26.0/go.mod h1:Zslk5VZPOISLwmWTMBIS7oiVFem1o1EI6zULY8Uer7Y=
+github.com/go-openapi/swag v0.25.5 h1:pNkwbUEeGwMtcgxDr+2GBPAk4kT+kJ+AaB+TMKAg+TU=
+github.com/go-openapi/swag v0.25.5/go.mod h1:B3RT6l8q7X803JRxa2e59tHOiZlX1t8viplOcs9CwTA=
+github.com/go-openapi/swag/cmdutils v0.25.5 h1:yh5hHrpgsw4NwM9KAEtaDTXILYzdXh/I8Whhx9hKj7c=
+github.com/go-openapi/swag/cmdutils v0.25.5/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0=
+github.com/go-openapi/swag/conv v0.25.5 h1:wAXBYEXJjoKwE5+vc9YHhpQOFj2JYBMF2DUi+tGu97g=
+github.com/go-openapi/swag/conv v0.25.5/go.mod h1:CuJ1eWvh1c4ORKx7unQnFGyvBbNlRKbnRyAvDvzWA4k=
+github.com/go-openapi/swag/fileutils v0.25.5 h1:B6JTdOcs2c0dBIs9HnkyTW+5gC+8NIhVBUwERkFhMWk=
+github.com/go-openapi/swag/fileutils v0.25.5/go.mod h1:V3cT9UdMQIaH4WiTrUc9EPtVA4txS0TOmRURmhGF4kc=
+github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo=
+github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU=
+github.com/go-openapi/swag/jsonutils v0.25.5 h1:XUZF8awQr75MXeC+/iaw5usY/iM7nXPDwdG3Jbl9vYo=
+github.com/go-openapi/swag/jsonutils v0.25.5/go.mod h1:48FXUaz8YsDAA9s5AnaUvAmry1UcLcNVWUjY42XkrN4=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5 h1:SX6sE4FrGb4sEnnxbFL/25yZBb5Hcg1inLeErd86Y1U=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5/go.mod h1:/2KvOTrKWjVA5Xli3DZWdMCZDzz3uV/T7bXwrKWPquo=
+github.com/go-openapi/swag/loading v0.25.5 h1:odQ/umlIZ1ZVRteI6ckSrvP6e2w9UTF5qgNdemJHjuU=
+github.com/go-openapi/swag/loading v0.25.5/go.mod h1:I8A8RaaQ4DApxhPSWLNYWh9NvmX2YKMoB9nwvv6oW6g=
+github.com/go-openapi/swag/mangling v0.25.5 h1:hyrnvbQRS7vKePQPHHDso+k6CGn5ZBs5232UqWZmJZw=
+github.com/go-openapi/swag/mangling v0.25.5/go.mod h1:6hadXM/o312N/h98RwByLg088U61TPGiltQn71Iw0NY=
+github.com/go-openapi/swag/netutils v0.25.5 h1:LZq2Xc2QI8+7838elRAaPCeqJnHODfSyOa7ZGfxDKlU=
+github.com/go-openapi/swag/netutils v0.25.5/go.mod h1:lHbtmj4m57APG/8H7ZcMMSWzNqIQcu0RFiXrPUara14=
+github.com/go-openapi/swag/stringutils v0.25.5 h1:NVkoDOA8YBgtAR/zvCx5rhJKtZF3IzXcDdwOsYzrB6M=
+github.com/go-openapi/swag/stringutils v0.25.5/go.mod h1:PKK8EZdu4QJq8iezt17HM8RXnLAzY7gW0O1KKarrZII=
+github.com/go-openapi/swag/typeutils v0.25.5 h1:EFJ+PCga2HfHGdo8s8VJXEVbeXRCYwzzr9u4rJk7L7E=
+github.com/go-openapi/swag/typeutils v0.25.5/go.mod h1:itmFmScAYE1bSD8C4rS0W+0InZUBrB2xSPbWt6DLGuc=
+github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
+github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.1 h1:NZOrZmIb6PTv5LTFxr5/mKV/FjbUzGE7E6gLz7vFoOQ=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.1/go.mod h1:r7dwsujEHawapMsxA69i+XMGZrQ5tRauhLAjV/sxg3Q=
+github.com/go-openapi/testify/v2 v2.4.1 h1:zB34HDKj4tHwyUQHrUkpV0Q0iXQ6dUCOQtIqn8hE6Iw=
+github.com/go-openapi/testify/v2 v2.4.1/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
+github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
+github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
 github.com/go-ozzo/ozzo-validation v3.6.0+incompatible h1:msy24VGS42fKO9K1vLz82/GeYW1cILu7Nuuj1N3BBkE=
 github.com/go-ozzo/ozzo-validation v3.6.0+incompatible/go.mod h1:gsEKFIVnabGBt6mXmxK0MoFy+cZoTJY6mu5Ll3LVLBU=
-github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
-github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
+github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
+github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
@@ -1166,11 +547,10 @@ github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZ
 github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
+github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-zookeeper/zk v1.0.3 h1:7M2kwOsc//9VeeFiPtf+uSJlVpU66x9Ba5+8XK7/TDg=
 github.com/go-zookeeper/zk v1.0.3/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw=
-github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
@@ -1179,9 +559,6 @@ github.com/gocql/gocql v1.0.0/go.mod h1:3gM2c4D3AnkISwBxGnMMsS8Oy4y2lhbPRsH4xnJr
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.10.0 h1:SHMXenfaB03KbroETaCMtbBg3Yn29v4w1r+tgy4ff4k=
 github.com/gofrs/flock v0.10.0/go.mod h1:FirDy1Ing0mI2+kB6wk+vyyAH+e6xiE+EYA0jnzV9jc=
-github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -1201,31 +578,17 @@ github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei
 github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
-github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/mock v1.7.0-rc.1 h1:YojYx61/OLFsiv6Rw1Z96LpldJIy31o+UHmwAUMJ6/U=
 github.com/golang/mock v1.7.0-rc.1/go.mod h1:s42URUywIqd+OcERslBJvOjepvNymP31m3q8d/GkuRs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@@ -1235,13 +598,10 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
 github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -1250,7 +610,6 @@ github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/certificate-transparency-go v1.3.2 h1:9ahSNZF2o7SYMaKaXhAumVEzXB2QaayzII9C8rv7v+A=
 github.com/google/certificate-transparency-go v1.3.2/go.mod h1:H5FpMUaGa5Ab2+KCYsxg6sELw3Flkl7pGZzWdBoYLXs=
-github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
 github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
@@ -1259,85 +618,45 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
-github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
+github.com/google/go-github/v83 v83.0.0 h1:Ydy4gAfqxrnFUwXAuKl/OMhhGa0KtMtnJ3EozIIuHT0=
+github.com/google/go-github/v83 v83.0.0/go.mod h1:gbqarhK37mpSu8Xy7sz21ITtznvzouyHSAajSaYCHe8=
 github.com/google/go-metrics-stackdriver v0.2.0 h1:rbs2sxHAPn2OtUj9JdR/Gij1YKGl0BTVD0augB+HEjE=
 github.com/google/go-metrics-stackdriver v0.2.0/go.mod h1:KLcPyp3dWJAFD+yHisGlJSZktIsTjb50eB72U2YZ9K0=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
+github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
-github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=
 github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
-github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
-github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/enterprise-certificate-proxy v0.3.15 h1:xolVQTEXusUcAA5UgtyRLjelpFFHWlPQ4XfWGc7MBas=
+github.com/googleapis/enterprise-certificate-proxy v0.3.15/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
-github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
-github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
-github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
-github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
-github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
-github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
-github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
-github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
-github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
-github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
-github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
+github.com/googleapis/gax-go/v2 v2.22.0 h1:PjIWBpgGIVKGoCXuiCoP64altEJCj3/Ei+kSU5vlZD4=
+github.com/googleapis/gax-go/v2 v2.22.0/go.mod h1:irWBbALSr0Sk3qlqb9SyJ1h68WjgeFuiOzI4Rqw5+aY=
 github.com/gophercloud/gophercloud v0.1.0 h1:P/nh25+rzXouhytV2pUHBb65fnds26Ghl8/391+sT5o=
 github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
@@ -1352,19 +671,14 @@ github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w7
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible h1:AQwinXlbQR2HvPjQZOmDhRqsv5mZf+Jb1RnSLxcqZcI=
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
-github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
-github.com/hashicorp/cap v0.11.0 h1:tnMNgIWEdbmyx0fulrlLPNHowsprg34xFWflOEB3t1s=
-github.com/hashicorp/cap v0.11.0/go.mod h1:HKbv27kfps+wONFNyNTHpAQmU/DCjjDuB5HF6mFsqPQ=
+github.com/hashicorp/cap v0.13.0 h1:bzLS1er9am6hOiw//TEjmwZ3t975iFfRfvXY6VRLKEw=
+github.com/hashicorp/cap v0.13.0/go.mod h1:Kbu5owAOJzQ/HH4Ba/76wsIXN2tRiJgToJKBO2MAEFE=
 github.com/hashicorp/cap/ldap v0.0.0-20250911140431-44d01434c285 h1:vwg2CDaWTJJkr+5ivc2KUYx877gPAUEgq5QIPA/bKjw=
 github.com/hashicorp/cap/ldap v0.0.0-20250911140431-44d01434c285/go.mod h1:La1zaRmx2oqz79W9SpwQAPMfDUdBxZeoN2IaAQ8D4ow=
 github.com/hashicorp/cli v1.1.7 h1:/fZJ+hNdwfTSfsxMBa9WWMlfjUZbX8/LnUxgAd7lCVU=
@@ -1389,10 +703,10 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-discover v1.1.1-0.20250922102917-55e5010ad859 h1:CYvtQfS6WBZdva446zuZEpHxDfI3GTenOM4SCmGWUR8=
-github.com/hashicorp/go-discover v1.1.1-0.20250922102917-55e5010ad859/go.mod h1:NsxyJAVM+f1GYWjoAg1dtKU7I39rOWtUjFSm2Xmuvn4=
-github.com/hashicorp/go-discover/provider/gce v0.0.0-20241120163552-5eb1507d16b4 h1:ywaDsVo7n5ko12YD8uXjuQ8G2mQhC2mxAc4Kj3WW3GE=
-github.com/hashicorp/go-discover/provider/gce v0.0.0-20241120163552-5eb1507d16b4/go.mod h1:yxikfLXA8Y5JA3FcFTR720PfqVEFd0dZY9FBpmcsO54=
+github.com/hashicorp/go-discover v1.2.1-0.20260515152638-8c1c8adeb200 h1:NJSqJ+kvdZK/IupHVES/CSJkleZncphq7UpQPforF1Y=
+github.com/hashicorp/go-discover v1.2.1-0.20260515152638-8c1c8adeb200/go.mod h1:xUv/z0sbIbAiPBVEJqM+ARPEnwFud+DOTFBYXZvVuwc=
+github.com/hashicorp/go-discover/provider/gce v0.0.0-20260514184450-13fff3633a00 h1:hPzSKWVUHWRqu0nxrxxEWYmDD60Wr0nXk96Zh9I0sv0=
+github.com/hashicorp/go-discover/provider/gce v0.0.0-20260514184450-13fff3633a00/go.mod h1:XrIh8VjbyTDXhTpC+1DemSX/ox1BN8uwfPxc7yOPQMs=
 github.com/hashicorp/go-gatedio v0.5.0 h1:Jm1X5yP4yCqqWj5L1TgW7iZwCVPGtVc+mro5r/XX7Tg=
 github.com/hashicorp/go-gatedio v0.5.0/go.mod h1:Lr3t8L6IyxD3DAeaUxGcgl2JnRUpWMCsmBl4Omu/2t4=
 github.com/hashicorp/go-gcp-common v0.9.2 h1:hUZ46EdGwlbP+Ttrif6hlcfvtQGzJiS6FUbb649yAOQ=
@@ -1439,10 +753,10 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh
 github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-pgmultiauth v1.0.0 h1:dJzw5y45y04Z3ThX/0DaNTrOrrt6Fe+jiuJzJ9r2M0g=
-github.com/hashicorp/go-pgmultiauth v1.0.0/go.mod h1:+wRFKBbDws/LM7hcxuclEUGDzzUgescGbdYo4EceYjc=
-github.com/hashicorp/go-plugin v1.6.3 h1:xgHB+ZUSYeuJi96WtxEjzi23uh7YQpznjGh0U0UUrwg=
-github.com/hashicorp/go-plugin v1.6.3/go.mod h1:MRobyh+Wc/nYy1V4KAXUiYfzxoYhs7V1mlH1Z7iY2h0=
+github.com/hashicorp/go-pgmultiauth v1.1.0 h1:zvMpJZZyLt3W8BNe8Qtf754/JOGNvFqg+DKufAQvIN4=
+github.com/hashicorp/go-pgmultiauth v1.1.0/go.mod h1:pLSHafzYwDUJdpmfqwQyurgaKppy2FFFqrEl37gn/hs=
+github.com/hashicorp/go-plugin v1.8.0 h1:ie8S6RRY8RvB2usYZv+AAZ/wBvx2AU5p5QeP5j/FORs=
+github.com/hashicorp/go-plugin v1.8.0/go.mod h1:BExt6KEaIYx804z8k4gRzRLEvxKVb+kn0NMcihqOqb8=
 github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a h1:FmnBDwGwlTgugDGbVxwV8UavqSMACbGrUpfc98yFLR4=
 github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a/go.mod h1:xbXnmKqX9/+RhPkJ4zrEx4738HacP72aaUPlT2RZ4sU=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
@@ -1474,8 +788,8 @@ github.com/hashicorp/go-secure-stdlib/password v0.1.4 h1:h8gOB6qDRlOMvoMHOqtf4oT
 github.com/hashicorp/go-secure-stdlib/password v0.1.4/go.mod h1:DeLx56RZZdmwX8Q94fVQUetkXv6zVBfDtGAPJDh69AU=
 github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0 h1:U6y5MXGiDVOOtkWJ6o/tu1TxABnI0yKTQWJr7z6BpNk=
 github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0/go.mod h1:ecDb3o+8D4xtP0nTCufJaAVawHavy5M2eZ64Nq/8/LM=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.2 h1:gCNiM4T5xEc4IpT8vM50CIO+AtElr5kO9l2Rxbq+Sz8=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.2/go.mod h1:6ZM4ZdwClyAsiU2uDBmRHCvq0If/03BMbF9U+U7G5pA=
+github.com/hashicorp/go-secure-stdlib/plugincontainer v0.5.0 h1:nrkLBU6Src8qVLeFqkMufM8flnBezZ81Hobd+imG2YY=
+github.com/hashicorp/go-secure-stdlib/plugincontainer v0.5.0/go.mod h1:z/BT/VDf/nhSUSEZasALTTVBMYt76HfOe9Vuxj2krlI=
 github.com/hashicorp/go-secure-stdlib/regexp v1.0.0 h1:08mz6j5MsCG9sf8tvC8Lhboe/ZMiNg41IPSh6unK5T4=
 github.com/hashicorp/go-secure-stdlib/regexp v1.0.0/go.mod h1:n/Gj3sYIEEOYds8uKS55bFf7XiYvWN4e+d+UOA7r/YU=
 github.com/hashicorp/go-secure-stdlib/reloadutil v0.1.1 h1:SMGUnbpAcat8rIKHkBPjfv81yC46a8eCNZ2hsR2l1EI=
@@ -1484,24 +798,23 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
 github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.3 h1:xbrxd0U9XQW8qL1BAz2XrAjAF/P2vcqUTAues9c24B8=
 github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.3/go.mod h1:LWq2Sy8UoKKuK4lFuCNWSjJj57MhNNf2zzBWMtkAIX4=
-github.com/hashicorp/go-slug v0.16.7 h1:sBW8y1sX+JKOZKu9a+DQZuWDVaX+U9KFnk6+VDQvKcw=
-github.com/hashicorp/go-slug v0.16.7/go.mod h1:X5fm++dL59cDOX8j48CqHr4KARTQau7isGh0ZVxJB5I=
+github.com/hashicorp/go-slug v0.16.8 h1:f4/sDZqRsxx006HrE6e9BE5xO9lWXydKhVoH6Kb0v1M=
+github.com/hashicorp/go-slug v0.16.8/go.mod h1:hB4mUcVHl4RPu0205s0fwmB9i31MxQgeafGkko3FD+Y=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-sockaddr v1.0.7 h1:G+pTkSO01HpR5qCxg7lxfsFEZaG+C0VssTy/9dbT+Fw=
 github.com/hashicorp/go-sockaddr v1.0.7/go.mod h1:FZQbEYa1pxkQ7WLpyXJ6cbjpT8q0YgQaK/JakXqGyWw=
 github.com/hashicorp/go-syslog v1.0.0 h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
-github.com/hashicorp/go-tfe v1.93.0 h1:hJubwn1xNCo1iBO66iQkjyC+skR61cK1AQUj4O9vvuI=
-github.com/hashicorp/go-tfe v1.93.0/go.mod h1:QwqgCD5seztgp76CP7F0POJPflQNSqjIvBpVohg9X50=
+github.com/hashicorp/go-tfe v1.101.0 h1:Nq9CTfxiFyXqWSnfh2tC81ZU2pGcW6QUMKU43RmibrU=
+github.com/hashicorp/go-tfe v1.101.0/go.mod h1:JIqznMwZd8flUhPif5d2sprKcFkD4sWJSIQ6E8iAuIA=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
-github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.9.0 h1:CeOIz6k+LoN3qX9Z0tyQrPtiB1DFYRPfCIBtaXPSCnA=
+github.com/hashicorp/go-version v1.9.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
 github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
@@ -1549,54 +862,54 @@ github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY
 github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4=
 github.com/hashicorp/vault-hcp-lib v0.0.0-20250306185756-615fe2449b16 h1:OYPMX3Td3XTL0Xk5N3Se1KLde630diD1X+v3wgJXDhQ=
 github.com/hashicorp/vault-hcp-lib v0.0.0-20250306185756-615fe2449b16/go.mod h1:v4RnW8isIioLAc11prbTczNCq9TiEWE5MwizMsgY5mE=
-github.com/hashicorp/vault-plugin-auth-alicloud v0.22.0 h1:lukm7hwIDQfDyG6IyvBu2tcT6j2bRuyyo22sWqH4w50=
-github.com/hashicorp/vault-plugin-auth-alicloud v0.22.0/go.mod h1:QCuzE/JFqigUf4DyyWyYKq6bvf2dmRKUW340CTy+HZ0=
-github.com/hashicorp/vault-plugin-auth-azure v0.22.0 h1:xvRYu2Xirn6gl/GvhPei7DJgJDDTEvsxxEHkBxuj/Iw=
-github.com/hashicorp/vault-plugin-auth-azure v0.22.0/go.mod h1:G/wFIXYlPQDXusYD54tlZIb3CDk2cy9OB9hUXyWkqf4=
-github.com/hashicorp/vault-plugin-auth-cf v0.22.0 h1:DTK733vsB2lBVwSLxra3/IuhlGdkQVW11T/q0qdXyis=
-github.com/hashicorp/vault-plugin-auth-cf v0.22.0/go.mod h1:qToMQoW7dX1egtJwEHd21I/7pgzg+DBEwRAytd+Pgtc=
-github.com/hashicorp/vault-plugin-auth-gcp v0.22.0 h1:c5LEJmHNV6VzbKTM9nn05uGLhu0VRnIsacCshj0AJ8M=
-github.com/hashicorp/vault-plugin-auth-gcp v0.22.0/go.mod h1:6WhVeAZUu+67H4tkXsnFoUU3+UaBFLlE6ffUHDkVM0o=
-github.com/hashicorp/vault-plugin-auth-jwt v0.25.0 h1:YdrZ+fGutoaaF/Hiw3+xtmcRalmqGH8sXRKIrkr5dsk=
-github.com/hashicorp/vault-plugin-auth-jwt v0.25.0/go.mod h1:HhfLJxvpYt10mrZoBTa+ToioN9HGOZbWYSR1UHqTMrs=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.16.0 h1:bZpmQS26TorpeensFerDPM7z+NgZjrRj9IbdGRdjaLM=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.16.0/go.mod h1:O6b92icQx0LGuknyVEVP/XgYjoYDNiTR9cJ1pEUuwjw=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.23.1 h1:9SW3Qu08RR9Tyn2K0wU4rcjQtYf1ykgPcyFgWs/TqTY=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.23.1/go.mod h1:Uzb/uPdIKqXmq3xo4NNT2+5HgXlxNfuDKwU2EqzwD8s=
-github.com/hashicorp/vault-plugin-auth-oci v0.20.1 h1:EZ987+/S95JJoh+D8DNvHb3kBFMsBmmEop+MFWUWhZw=
-github.com/hashicorp/vault-plugin-auth-oci v0.20.1/go.mod h1:+xx8inhi7pg39SP0JlxSgaXWxNMWmB4iNbjFfMac3bs=
-github.com/hashicorp/vault-plugin-database-couchbase v0.15.0 h1:6gLCOwwErqMgo9pJvsrOkg4tL7HmE95r3JVc14hSFSY=
-github.com/hashicorp/vault-plugin-database-couchbase v0.15.0/go.mod h1:KpGJp2QKCpMFhzMTdovoZFtx56Q7yQ8oO4fg+UuMGrI=
-github.com/hashicorp/vault-plugin-database-elasticsearch v0.19.0 h1:8vbxtLgvTEyve6mJt6aLuaje7NW3aEkJMjf20QFB0gs=
-github.com/hashicorp/vault-plugin-database-elasticsearch v0.19.0/go.mod h1:K0W2sRQPX2T0Rv4eRba5d048nDF1/XcjaI/IJ5EHD3I=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.16.0 h1:/eF3lUTELNWU6NoHDLDdv0waibHHG281q7+RbwujGNU=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.16.0/go.mod h1:er08o2cVwPpYbcOwlWDX7IdXzPs3gcgCiuujJ8jy6po=
-github.com/hashicorp/vault-plugin-database-redis v0.7.0 h1:bX7TjGaGehMEWdimbjoIfsXTSQK/uMSsUwwjjvatcDQ=
-github.com/hashicorp/vault-plugin-database-redis v0.7.0/go.mod h1:Hus6qqbgqFxIAJQexX7t/NefW80b0nMXt9BmMQgSnvo=
-github.com/hashicorp/vault-plugin-database-redis-elasticache v0.8.0 h1:WJArG0q8XOmnCqKXON/5i/8d0lOI/bsBSc0vSejpIOo=
-github.com/hashicorp/vault-plugin-database-redis-elasticache v0.8.0/go.mod h1:3NEQYiGDheoN2g73xAWzgHuzsIle+RnIr7qPO6hF+co=
-github.com/hashicorp/vault-plugin-database-snowflake v0.15.0 h1:j1A0JaZvY1aQyxjPQTsW7KA8oS1wCtAe8/m/n1lOCBE=
-github.com/hashicorp/vault-plugin-database-snowflake v0.15.0/go.mod h1:Y1QSlXgGj5j7cYYG6I/h7P4kJPkW1pT9AoTuEH4Il4Y=
-github.com/hashicorp/vault-plugin-secrets-ad v0.21.0 h1:hQ3NmPvlfqjUJOFVPsmLKtVjJLgTGC6svkL2CGoo8zs=
-github.com/hashicorp/vault-plugin-secrets-ad v0.21.0/go.mod h1:+DVIGigIqw63QjP3/3tHQnB8EYzc1YfhKsTr+WJGZns=
-github.com/hashicorp/vault-plugin-secrets-alicloud v0.21.0 h1:ywGi5dHIFAqpuC8NiDxSfKIP0WkomRIZXgG40+eY3Hg=
-github.com/hashicorp/vault-plugin-secrets-alicloud v0.21.0/go.mod h1:4g79uHg6DPsa4k6B6iEUK5vYDIAnkOlJJI5kZK1BAcE=
-github.com/hashicorp/vault-plugin-secrets-azure v0.23.0 h1:oetvEJqXP+2jGM9CfT/LjpJyuViNKdjPKFbDIkRdaPo=
-github.com/hashicorp/vault-plugin-secrets-azure v0.23.0/go.mod h1:QkmR0rnexjc330oUzoiuXFsA6OnxmI56h4jnDb1PKbY=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.23.0 h1:hqZlxS4Ya0DBt+FutW6z6tSEdnwHFusY49x7TLKVrAw=
-github.com/hashicorp/vault-plugin-secrets-gcp v0.23.0/go.mod h1:OmRHszxWAV9MTwFeQKDQmrpRw9q+RMp1vohCuhkkr1k=
-github.com/hashicorp/vault-plugin-secrets-gcpkms v0.22.0 h1:z4loMjsAyTKiT4mYMmPNyVxQpetj9vD6dGEtTRxOV5A=
-github.com/hashicorp/vault-plugin-secrets-gcpkms v0.22.0/go.mod h1:pPaA7AchrBQ2i62x33vPRTux7wKZiKSfU6jayuv9hLI=
-github.com/hashicorp/vault-plugin-secrets-kubernetes v0.12.0 h1:xYuLtQHKvaZtmr6JXPqC4tH9n7zXoOWnpXrHcVTLqbo=
-github.com/hashicorp/vault-plugin-secrets-kubernetes v0.12.0/go.mod h1:k8eNkBBNHJwWKVo+WP/iM5xrlvPt65oPNPGwbgQQf14=
-github.com/hashicorp/vault-plugin-secrets-kv v0.25.0 h1:5Xx8Hub0nAoFLIHZ4d9tMpPG+MACHXLzed5i7hViKTk=
-github.com/hashicorp/vault-plugin-secrets-kv v0.25.0/go.mod h1:Xy3wQwAJxhVZweR2DXBrEgk1erkWKNrhYcuD4Gy4ACo=
-github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.16.0 h1:5/nin7vaRD0GyTCcXtX5cKa5JBuCAAs4e9zbmNbvTPY=
-github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.16.0/go.mod h1:1qO/1BrVkvKSuQm8cOtwLKN27TE0uu5PXxYRrTnpf2s=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.17.0 h1:GpgYcuBL66zzFLkf143Q3zFr//BF/4jX/EXXy9wDUOM=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.17.0/go.mod h1:UPWSw0hYY37sC4MeeoG9G8jN88DYi3L4MeJjRauhaBI=
-github.com/hashicorp/vault-plugin-secrets-terraform v0.13.0 h1:Rhahoi3L1dnZjNqlbUh1f59DMdmfdhsfBvaaX1vjejY=
-github.com/hashicorp/vault-plugin-secrets-terraform v0.13.0/go.mod h1:N1fdq0KpTbK/S4Yc4I04JqJ64+mkya4SZ+ychIYd3E4=
+github.com/hashicorp/vault-plugin-auth-alicloud v0.23.1 h1:Nz3vSccCqsU36zgJ3+zGU/KKgCgnrypWoAmT403D89A=
+github.com/hashicorp/vault-plugin-auth-alicloud v0.23.1/go.mod h1:s6MCWphgQ0dRyHoVRkGdqOdeLQtWq1pbsz9vpoAl/O0=
+github.com/hashicorp/vault-plugin-auth-azure v0.24.0 h1:RSzUR9g3HjaIVxJhwnSxGtcEFCeGgemuRSNMpM3q6hc=
+github.com/hashicorp/vault-plugin-auth-azure v0.24.0/go.mod h1:myKdKk/DooAtMT7sKady3NNqod/y6OoYfGL5+E83AqA=
+github.com/hashicorp/vault-plugin-auth-cf v0.23.0 h1:9xXHg2qcHmYAcQ+gN3stRBHTbbPu+MXfFCE3FDpze3U=
+github.com/hashicorp/vault-plugin-auth-cf v0.23.0/go.mod h1:CmyxJai6vSQo/3ipQYtyWzaDQvXwTm1LboU3wHcxwHY=
+github.com/hashicorp/vault-plugin-auth-gcp v0.23.1 h1:E13iJgR6bGAULjrAhstuQH2PxVTZdrWivT75J7RY5Tw=
+github.com/hashicorp/vault-plugin-auth-gcp v0.23.1/go.mod h1:7eXqptuyLNtPLdvwia0Bc139bMGlCgYJZqyhKmR4RWE=
+github.com/hashicorp/vault-plugin-auth-jwt v0.26.3 h1:MsdvAE/rqyUx4gsf31/ebga3wJ+kozosVqaI4Bbugkg=
+github.com/hashicorp/vault-plugin-auth-jwt v0.26.3/go.mod h1:lcmkcwQC9vWOO8BdLBK2/NZsKcXX+JtwsJU7jWhqRDA=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.17.1 h1:eOlMi+w5VTdvMmyP18GPnckybjwFYLna0eXBLWsb+BQ=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.17.1/go.mod h1:FET3h3/cvfy+H0PbQdMVgDZnBlgSFVhJbovrRRU+9Ic=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.24.1 h1:EBSaP3mKs0wffpJgmPWI+dU++8CLrC3uexdvmCON7/Y=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.24.1/go.mod h1:to9rJ8c0g0qC1++j55TrWjopLhuB0MKgt1PSRbdwhxg=
+github.com/hashicorp/vault-plugin-auth-oci v0.21.1 h1:PLMLH0VV3Wan2XS4l9KJOSlrabhpEihZS2HSuv4rFaY=
+github.com/hashicorp/vault-plugin-auth-oci v0.21.1/go.mod h1:EzPAiRkV/FeKL+cTZr3jK5AKKNVhyOVa3JT+RzCZy3k=
+github.com/hashicorp/vault-plugin-database-couchbase v0.16.1 h1:z5j7s7F1toEmvjABVP9TWDiFu+hrTt5fP830UmbFk+0=
+github.com/hashicorp/vault-plugin-database-couchbase v0.16.1/go.mod h1:JTHqEwHxRg33zxlVTQc2DltGv16YxfdMpNXNSkcUin8=
+github.com/hashicorp/vault-plugin-database-elasticsearch v0.20.1 h1:3zd0ePevbasBizY1hFXUS260/SiDyPVMnTI2QjaO/5g=
+github.com/hashicorp/vault-plugin-database-elasticsearch v0.20.1/go.mod h1:EhxEtPv54rn6EERQtq1BfTj46kHCtJUw2HhLqHjFa+8=
+github.com/hashicorp/vault-plugin-database-mongodbatlas v0.17.1 h1:/T4WDPgXDiSjZXMW+mtASfOjbhOrfAbzUJofiBBAjBk=
+github.com/hashicorp/vault-plugin-database-mongodbatlas v0.17.1/go.mod h1:mwGPgmf8+K/b3ckAl9gBYHUNfOxFZcpgW5hzzLyhkFo=
+github.com/hashicorp/vault-plugin-database-redis v0.8.1 h1:Twa0pqxNIrr0vydC8ihfy6HRSoKYbs6PRYkYq0hRR54=
+github.com/hashicorp/vault-plugin-database-redis v0.8.1/go.mod h1:ca3FvMm2hW2CKYKYppi/L0E8HxJx5sO8d3URv2tW2To=
+github.com/hashicorp/vault-plugin-database-redis-elasticache v0.9.1 h1:NlqDIIllehnOxJxluuLCeNX1oBL4xngr5hlmrd7UOC8=
+github.com/hashicorp/vault-plugin-database-redis-elasticache v0.9.1/go.mod h1:cTumDkl1k+M83I0KsGhRVNg/fGzevqQbFYGUzXG48fI=
+github.com/hashicorp/vault-plugin-database-snowflake v0.16.0 h1:gBUs6aFEsb1bnSf3Z7AtBdhA1BM4nHGT49fBANlv0F4=
+github.com/hashicorp/vault-plugin-database-snowflake v0.16.0/go.mod h1:eDg8zleyoTyrEzdqXq6xN+WGjAQISSyuyrOQRyHA31c=
+github.com/hashicorp/vault-plugin-secrets-ad v0.22.1 h1:Wqp6I0gSOI3kf3TK3JJeylDC0NNjrZoE+hJC6iVthvk=
+github.com/hashicorp/vault-plugin-secrets-ad v0.22.1/go.mod h1:xERfc+dNwlLEefQDcjhhhHPTJLs9komReccRKMsDoAs=
+github.com/hashicorp/vault-plugin-secrets-alicloud v0.22.1 h1:6JvSoeYU+tRSnc0eGNz+1ttFK8gfIqw/sXHme4h6CRY=
+github.com/hashicorp/vault-plugin-secrets-alicloud v0.22.1/go.mod h1:2tiBfbs4TXU1mHg7oJUThSac4mzRdnBOmt6ZBmfkV8o=
+github.com/hashicorp/vault-plugin-secrets-azure v0.25.0 h1:IYIGfFiw3ICLfVlF+YlPztthbc5pMaT3SwVr27VjERw=
+github.com/hashicorp/vault-plugin-secrets-azure v0.25.0/go.mod h1:S4E5R3RVpGWnzR0bDGDwpV0HlyNsMAIcuYuNlgWv2zo=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.24.0 h1:cQ94yUwvDRt7+pUHUfvSjE/ORgKF31hO2p+6AwIHjX8=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.24.0/go.mod h1:ZqfNKh3d0O/brwj3z7K1NjqNx0Is60G7zlBedijXrfI=
+github.com/hashicorp/vault-plugin-secrets-gcpkms v0.24.0 h1:kh3ULsvsqYLmJxRO2EW55Hbh0QCdnDkNTtGZoDhl07w=
+github.com/hashicorp/vault-plugin-secrets-gcpkms v0.24.0/go.mod h1:RK7XvCOc4haR0YXkUi8Rm+O2zBpBWAL4MefK4BkZz0E=
+github.com/hashicorp/vault-plugin-secrets-kubernetes v0.13.1 h1:ug+5nibS3AulD3ElaQeD42N0VJsTUwTRVPgJSj0ovvM=
+github.com/hashicorp/vault-plugin-secrets-kubernetes v0.13.1/go.mod h1:t34JjbPLaLrhvwb7iKmvW9y72o7ZhxGfN0Q3yClsV8Y=
+github.com/hashicorp/vault-plugin-secrets-kv v0.26.2 h1:5ruO7aTfQqOKIuC+G6hXQbBKXZ6sPGDA3s2oCtyGtdU=
+github.com/hashicorp/vault-plugin-secrets-kv v0.26.2/go.mod h1:VRZ9QtAibng01WsVj95vpF0oiEDuDTpBp2PSjxYyARI=
+github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.17.1 h1:WezfLs6aH9MOWLux1XJ/8Z2kJncVQWRHJ1hKfXIjRKg=
+github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.17.1/go.mod h1:3mLTbgTz8GShAf81IFT0WdKAUjJoIMg/qmucHJfHiD8=
+github.com/hashicorp/vault-plugin-secrets-openldap v0.18.0 h1:m2OlgzCKFlBP+/dpRMRsyu9gfwsWCWjJNRpU6UNgIE4=
+github.com/hashicorp/vault-plugin-secrets-openldap v0.18.0/go.mod h1:HO9g8SO9blk3ayPBaHA0dIo4YgpASSkY7fy2DEY57bI=
+github.com/hashicorp/vault-plugin-secrets-terraform v0.14.1 h1:okWkXeDbTElc1tA2TzPsNV5yEa1fcttXZFMIKn2fVQk=
+github.com/hashicorp/vault-plugin-secrets-terraform v0.14.1/go.mod h1:FjgfSW1exgLCnc2ALi6CKwux2NMuqiAzKf/hMPm6WWU=
 github.com/hashicorp/vault-testing-stepwise v0.3.3 h1:/PQhXpJln7UQf3NJmG61ucAxsvttd+a0kb5NKW01iIA=
 github.com/hashicorp/vault-testing-stepwise v0.3.3/go.mod h1:QzyV6ePJn+zQNouFkrAvR26gJlnZl/mBqhWrgfmwvJA=
 github.com/hashicorp/vault/vault/hcp_link/proto v0.0.0-20230201201504-b741fa893d77 h1:Y/+BtwxmRak3Us9jrByARvYW6uNeqZlEpMylIdXVIjY=
@@ -1608,72 +921,20 @@ github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab h1:HqW4xhhynfjrtEiiSGcQUd6vrK23iMam1FO8rI7mwig=
 github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
-github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
-github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
-github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80sQsxDoMokWK1W5TQtxBFNpzWTD84ibQ=
-github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA=
-github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE=
-github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s=
-github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
-github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
-github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
-github.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w=
-github.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM=
-github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
-github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
-github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
-github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag=
-github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
-github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
-github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
-github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
-github.com/jackc/pgtype v1.14.3 h1:h6W9cPuHsRWQFTWUZMAKMgG5jSwQI0Zurzdvlx3Plus=
-github.com/jackc/pgtype v1.14.3/go.mod h1:aKeozOde08iifGosdJpz9MBZonJOUJxqNpPBcMJTlVA=
-github.com/jackc/pgx v3.3.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
-github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
-github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
-github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
-github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
-github.com/jackc/pgx/v4 v4.18.2/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
-github.com/jackc/pgx/v4 v4.18.3 h1:dE2/TrEsGX3RBprb3qryqSV9Y60iZN1C6i8IrmW9/BA=
-github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
-github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
-github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
-github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
-github.com/jarcoal/httpmock v1.2.0 h1:gSvTxxFR/MEMfsGrvRbdfpRUMBStovlSRLw0Ep1bwwc=
-github.com/jarcoal/httpmock v1.2.0/go.mod h1:oCoTsnAz4+UoOUIf5lJOWV2QQIW5UoeUI6aM2YnWAZk=
+github.com/jarcoal/httpmock v1.4.1 h1:0Ju+VCFuARfFlhVXFc2HxlcQkfB+Xq12/EotHko+x2A=
+github.com/jarcoal/httpmock v1.4.1/go.mod h1:ftW1xULwo+j0R0JJkJIIi7UKigZUXCLLanykgjwBXL0=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@@ -1705,14 +966,10 @@ github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 h1:hgVxRoDDPtQE68PT4LFvNlPz2nBKd3OMlGKIQ69OmR4=
 github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531/go.mod h1:fqTUQpVYBvhCNIsMXGl2GE9q6z94DIP6NtFKXCSTVbg=
 github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d h1:J8tJzRyiddAFF65YVgxli+TyWBi0f79Sld6rJP6CBcY=
 github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d/go.mod h1:b+Q3v8Yrg5o15d71PSUraUzYb+jWl6wQMSBXSGS/hv0=
-github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f h1:ENpDacvnr8faw5ugQmEF1QYk+f/Y9lXFvuYmRxykago=
-github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f/go.mod h1:KDSfL7qe5ZfQqvlDMkVjCztbmcpp/c8M77vhQP8ZPvk=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -1721,14 +978,11 @@ github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
-github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
@@ -1740,16 +994,12 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/asmfmt v1.3.2 h1:4Ri7ox3EwapiOjCki+hw14RyKk201CN4rzyCJRFLpK4=
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.11 h1:0OwqZRYI2rFrjS4kvkDnqJkKHdHaRnCm68/DY4OxRzU=
-github.com/klauspost/cpuid/v2 v2.2.11/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -1757,7 +1007,6 @@ github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NB
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
@@ -1776,29 +1025,18 @@ github.com/lestrrat-go/jwx v1.2.29/go.mod h1:hU8k2l6WF0ncx20uQdOmik/Gjg6E3/wIRtX
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
-github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/linode/linodego v0.7.1 h1:4WZmMpSA2NRwlPZcc0+4Gyn7rr99Evk9bnr0B3gXRKE=
-github.com/linode/linodego v0.7.1/go.mod h1:ga11n3ivecUrPCHN0rANxKmfWBJVkOXfLMZinAbj2sY=
+github.com/linode/linodego v1.61.0 h1:9g20NWl+/SbhDFj6X5EOZXtM2hBm1Mx8I9h8+F3l1LM=
+github.com/linode/linodego v1.61.0/go.mod h1:64o30geLNwR0NeYh5HM/WrVCBXcSqkKnRK3x9xoRuJI=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
-github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
-github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11 h1:YFh+sjyJTMQSYjKwM4dFKhJPJC/wfo98tPUc17HdoYw=
 github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@@ -1808,40 +1046,36 @@ github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stg
 github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqfI=
 github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mediocregopher/radix/v4 v4.1.4 h1:Uze6DEbEAvL+VHXUEu/EDBTkUk5CLct5h3nVSGpc6Ts=
 github.com/mediocregopher/radix/v4 v4.1.4/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE=
 github.com/michaelklishin/rabbit-hole/v2 v2.12.0 h1:946p6jOYFcVJdtBBX8MwXvuBkpPjwm1Nm2Qg8oX+uFk=
 github.com/michaelklishin/rabbit-hole/v2 v2.12.0/go.mod h1:AN/3zyz7d++OHf+4WUo/LR0+Q5nlPHMaXasIsG/mPY0=
-github.com/microsoft/go-mssqldb v1.5.0 h1:CgENxkwtOBNj3Jg6T1X209y2blCfTTcwuOlznd2k9fk=
-github.com/microsoft/go-mssqldb v1.5.0/go.mod h1:lmWsjHD8XX/Txr0f8ZqgbEZSC+BZjmEQy/Ms+rLrvho=
-github.com/microsoft/kiota-abstractions-go v1.9.3 h1:cqhbqro+VynJ7kObmo7850h3WN2SbvoyhypPn8uJ1SE=
-github.com/microsoft/kiota-abstractions-go v1.9.3/go.mod h1:f06pl3qSyvUHEfVNkiRpXPkafx7khZqQEb71hN/pmuU=
+github.com/microsoft/go-mssqldb v1.9.8 h1:d4IFMvF/o+HdpXUqbBfzHvn/NlFA75YGcfHUUvDFJEM=
+github.com/microsoft/go-mssqldb v1.9.8/go.mod h1:eGSRSGAW4hKMy5YcAenhCDjIRm2rhqIdmmwgciMzLus=
+github.com/microsoft/kiota-abstractions-go v1.9.4 h1:VI3UVzSCQHHhRswe3jyaAQHUQWIFhUMp0z5mtZbTbcs=
+github.com/microsoft/kiota-abstractions-go v1.9.4/go.mod h1:f06pl3qSyvUHEfVNkiRpXPkafx7khZqQEb71hN/pmuU=
 github.com/microsoft/kiota-authentication-azure-go v1.3.1 h1:AGta92S6IL1E6ZMDb8YYB7NVNTIFUakbtLKUdY5RTuw=
 github.com/microsoft/kiota-authentication-azure-go v1.3.1/go.mod h1:26zylt2/KfKwEWZSnwHaMxaArpbyN/CuzkbotdYXF0g=
-github.com/microsoft/kiota-http-go v1.5.4 h1:wSUmL1J+bTQlAWHjbRkSwr+SPAkMVYeYxxB85Zw0KFs=
-github.com/microsoft/kiota-http-go v1.5.4/go.mod h1:L+5Ri+SzwELnUcNA0cpbFKp/pBbvypLh3Cd1PR6sjx0=
-github.com/microsoft/kiota-serialization-form-go v1.1.2 h1:SD6MATqNw+Dc5beILlsb/D87C36HKC/Zw7l+N9+HY2A=
-github.com/microsoft/kiota-serialization-form-go v1.1.2/go.mod h1:m4tY2JT42jAZmgbqFwPy3zGDF+NPJACuyzmjNXeuHio=
+github.com/microsoft/kiota-http-go v1.5.5 h1:K+jC3lq0kejeUETmh/C7TSIV+vdLuw1LT7NPPoNCxAE=
+github.com/microsoft/kiota-http-go v1.5.5/go.mod h1:L+5Ri+SzwELnUcNA0cpbFKp/pBbvypLh3Cd1PR6sjx0=
+github.com/microsoft/kiota-serialization-form-go v1.1.3 h1:eUY8eHXPFe4ma8cAdx0ya3g4NPlZgbPT+GlFC3xcgGY=
+github.com/microsoft/kiota-serialization-form-go v1.1.3/go.mod h1:RMO99zyik+NvZjdVcIeyu6ikyfuKhQtzq2RK0fWJJio=
 github.com/microsoft/kiota-serialization-json-go v1.1.2 h1:eJrPWeQ665nbjO0gsHWJ0Bw6V/ZHHU1OfFPaYfRG39k=
 github.com/microsoft/kiota-serialization-json-go v1.1.2/go.mod h1:deaGt7fjZarywyp7TOTiRsjfYiyWxwJJPQZytXwYQn8=
 github.com/microsoft/kiota-serialization-multipart-go v1.1.2 h1:1pUyA1QgIeKslQwbk7/ox1TehjlCUUT3r1f8cNlkvn4=
 github.com/microsoft/kiota-serialization-multipart-go v1.1.2/go.mod h1:j2K7ZyYErloDu7Kuuk993DsvfoP7LPWvAo7rfDpdPio=
-github.com/microsoft/kiota-serialization-text-go v1.1.2 h1:7OfKFlzdjpPygca/+OtqafkEqCWR7+94efUFGC28cLw=
-github.com/microsoft/kiota-serialization-text-go v1.1.2/go.mod h1:QNTcswkBPFY3QVBFmzfk00UMNViKQtV0AQKCrRw5ibM=
-github.com/microsoftgraph/msgraph-sdk-go v1.86.0 h1:kZSIJuRoP9BUD8xsWL6sk82ThsGhZvDonO8waKH5emU=
-github.com/microsoftgraph/msgraph-sdk-go v1.86.0/go.mod h1:h2fx0PGMpIfVX8u5nWTVXmTKTYzIR/uOwZQnX4ixwcM=
+github.com/microsoft/kiota-serialization-text-go v1.1.3 h1:8z7Cebn0YAAr++xswVgfdxZjnAZ4GOB9O7XP4+r5r/M=
+github.com/microsoft/kiota-serialization-text-go v1.1.3/go.mod h1:NDSvz4A3QalGMjNboKKQI9wR+8k+ih8UuagNmzIRgTQ=
+github.com/microsoftgraph/msgraph-sdk-go v1.97.0 h1:CWS3muHuVlX8nerNWtllzPpO4dWTl111kO4/pQkJfjU=
+github.com/microsoftgraph/msgraph-sdk-go v1.97.0/go.mod h1:3vZD5qsulctIsk1wb1Cf6tzi01k++3qaNqF+yGZwkVw=
 github.com/microsoftgraph/msgraph-sdk-go-core v1.4.0 h1:0SrIoFl7TQnMRrsi5TFaeNe0q8KO5lRzRp4GSCCL2So=
 github.com/microsoftgraph/msgraph-sdk-go-core v1.4.0/go.mod h1:A1iXs+vjsRjzANxF6UeKv2ACExG7fqTwHHbwh1FL+EE=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
@@ -1883,6 +1117,10 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
 github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
+github.com/moby/moby/api v1.54.0 h1:7kbUgyiKcoBhm0UrWbdrMs7RX8dnwzURKVbZGy2GnL0=
+github.com/moby/moby/api v1.54.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
+github.com/moby/moby/client v0.3.0 h1:UUGL5okry+Aomj3WhGt9Aigl3ZOxZGqR7XPo+RLPlKs=
+github.com/moby/moby/client v0.3.0/go.mod h1:HJgFbJRvogDQjbM8fqc1MCEm4mIAGMLjXbgwoZp6jCQ=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
@@ -1893,8 +1131,8 @@ github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
 github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -1926,10 +1164,11 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLA
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
-github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
-github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
+github.com/oklog/run v1.2.0 h1:O8x3yXwah4A73hJdlrwo/2X6J62gE5qTMusH0dvz60E=
+github.com/oklog/run v1.2.0/go.mod h1:mgDbKRSwPhJfesJ4PntqFUbKQRZ50NgmZTSPlFA0YFk=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
+github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
 github.com/okta/okta-sdk-golang/v5 v5.0.2 h1:eecvycE/XDX56IWTsOVhqfj5txCgqryTXzKy7wKEq78=
 github.com/okta/okta-sdk-golang/v5 v5.0.2/go.mod h1:T/vmECtJX33YPZSVD+sorebd8LLhe38Bi/VrFTjgVX0=
 github.com/olekukonko/tablewriter v0.0.0-20180130162743-b8a9be070da4/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
@@ -1951,15 +1190,14 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runc v1.2.8 h1:RnEICeDReapbZ5lZEgHvj7E9Q3Eex9toYmaGBsbvU5Q=
 github.com/opencontainers/runc v1.2.8/go.mod h1:cC0YkmZcuvr+rtBZ6T7NBoVbMGNAdLa/21vIElJDOzI=
-github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
 github.com/oracle/oci-go-sdk v24.3.0+incompatible h1:x4mcfb4agelf1O4/1/auGlZ1lr97jXRSSN5MxTgG/zU=
 github.com/oracle/oci-go-sdk v24.3.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
 github.com/oracle/oci-go-sdk/v60 v60.0.0 h1:EJAWjEi4SY5Raha6iUzq4LTQ0uM5YFw/wat/L1ehIEM=
 github.com/oracle/oci-go-sdk/v60 v60.0.0/go.mod h1:krz+2gkSzlSL/L4PvP0Z9pZpag9HYLNtsMd1PmxlA2w=
-github.com/oracle/oci-go-sdk/v65 v65.101.1 h1:ZsrZxvffhaB/RqEPmp5zoCS5KCQU1yY8m9B4KXc1404=
-github.com/oracle/oci-go-sdk/v65 v65.101.1/go.mod h1:oB8jFGVc/7/zJ+DbleE8MzGHjhs2ioCz5stRTdZdIcY=
+github.com/oracle/oci-go-sdk/v65 v65.109.2 h1:epzga51qucVjF+8ci2oYYq+mi3cE0DACGmC139WecMM=
+github.com/oracle/oci-go-sdk/v65 v65.109.2/go.mod h1:8ZzvzuEG/cFLFZhxg/Mg1w19KqyXBKO3c17QIc5PkGs=
 github.com/ory/dockertest v3.3.5+incompatible h1:iLLK6SQwIhcbrG783Dghaaa3WPzGc+4Emza6EbVUUGA=
 github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
 github.com/ory/dockertest/v3 v3.12.0 h1:3oV9d0sDzlSQfHtIaB5k6ghUCVMVLpAY8hwrqoCyRCw=
@@ -1973,22 +1211,21 @@ github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0Mw
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
+github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0 h1:2nosf3P75OZv2/ZO/9Px5ZgZ5gbKrzA3joN1QMfOGMQ=
+github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0/go.mod h1:lAVhWwbNaveeJmxrxuSTxMgKpF6DjnuVpn6T8WiBwYQ=
+github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
 github.com/petermattis/goid v0.0.0-20250721140440-ea1c0173183e h1:D0bJD+4O3G4izvrQUmzCL80zazlN7EwJ0PPDhpJWC/I=
 github.com/petermattis/goid v0.0.0-20250721140440-ea1c0173183e/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
-github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
-github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
-github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
 github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
 github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
 github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
-github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
-github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
@@ -1997,8 +1234,6 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -2024,9 +1259,8 @@ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
@@ -2048,25 +1282,19 @@ github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoG
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rboyer/safeio v0.2.3 h1:gUybicx1kp8nuM4vO0GA5xTBX58/OBd8MQuErBfDxP8=
 github.com/rboyer/safeio v0.2.3/go.mod h1:d7RMmt7utQBJZ4B7f0H/cU/EdZibQAU1Y8NWepK2dS8=
-github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03 h1:Wdi9nwnhFNAlseAOekn6B5G/+GMtks9UKbvRU/CMM/o=
 github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03/go.mod h1:gRAiPF5C5Nd0eyyRdqIu9qTiFSoZzpTq727b5B8fkkU=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.4.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
-github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
-github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
-github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
-github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
+github.com/ryancragun/triton-go/v2 v2.0.0-20260514164147-e8b61dd0652d h1:81yc/fWETAUZ8c3KHPiQQtTAb22AuK7u5BkwEf5Y4+M=
+github.com/ryancragun/triton-go/v2 v2.0.0-20260514164147-e8b61dd0652d/go.mod h1:DGKtQE/Bn4/NN7bFxBtDaAvpLugG7IPj5t6dSxGwOLk=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/columnize v2.1.2+incompatible h1:C89EOx/XBWwIXl8wm8OPJBd7kPF25UfsK2X7Ph/zCAk=
 github.com/ryanuber/columnize v2.1.2+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
@@ -2088,16 +1316,13 @@ github.com/sethvargo/go-limiter v0.7.1 h1:wWNhTj0pxjyJ7wuJHpRJpYwJn+bUnjYfw2a85e
 github.com/sethvargo/go-limiter v0.7.1/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU=
 github.com/shirou/gopsutil/v3 v3.22.6 h1:FnHOFOh+cYAM0C30P+zysPISzlknLC5Z1G4EAElznfQ=
 github.com/shirou/gopsutil/v3 v3.22.6/go.mod h1:EdIubSnZhbAvBS1yJ7Xi+AShB/hxwLHOMz4MCYz7yMs=
-github.com/shirou/gopsutil/v4 v4.25.1 h1:QSWkTc+fu9LTAWfkZwZ6j8MSUk4A2LV7rbH0ZqmLjXs=
-github.com/shirou/gopsutil/v4 v4.25.1/go.mod h1:RoUCUpndaJFtT+2zsZzzmhvbfGoDCJ7nFXKJf8GqJbI=
+github.com/shirou/gopsutil/v4 v4.25.5 h1:rtd9piuSMGeU8g1RMXjZs9y9luK5BwtnG7dZaQUJAsc=
+github.com/shirou/gopsutil/v4 v4.25.5/go.mod h1:PfybzyydfZcN+JMMjkF6Zb8Mq1A/VcogFFg7hj50W9c=
 github.com/shoenig/test v1.7.0 h1:eWcHtTXa6QLnBvm0jgEabMRN/uJ4DMV3M8xUGgRkZmk=
 github.com/shoenig/test v1.7.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI=
-github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
-github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
@@ -2111,8 +1336,8 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykE
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/snowflakedb/gosnowflake v1.17.0 h1:be50vC0buiOitvneyRHiqNkvPMcunGD3EcTnL2zYATg=
-github.com/snowflakedb/gosnowflake v1.17.0/go.mod h1:TaHvQGh9MA2lopZZMm1AvvENDfwcnKtuskIr1e6Fpic=
+github.com/snowflakedb/gosnowflake v1.19.0 h1:Oy/w5/hXiSJV09kgG9zpFZFjNRNvF5Cet7r6vzd87OQ=
+github.com/snowflakedb/gosnowflake v1.19.0/go.mod h1:7D4+cLepOWrerVsH+tevW3zdMJ5/WrEN7ZceAC6xBv0=
 github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d h1:bVQRCxQvfjNUeRqaY/uT0tFuvuFY0ulgnczuR684Xic=
 github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d/go.mod h1:Cw4GTlQccdRGSEf6KiMju767x0NEHE0YIVPJSaXjlsw=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
@@ -2122,17 +1347,14 @@ github.com/sony/gobreaker v0.5.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJ
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
-github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
-github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
 github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
@@ -2143,7 +1365,6 @@ github.com/streadway/amqp v1.0.0 h1:kuuDrUJFZL1QYL9hUNuCxNObNzB0bV/ZG5jV3RWAQgo=
 github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -2160,22 +1381,23 @@ github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 h1:8fDzz4GuVg4skjY2B0nMN7h6uN61EDVkuLyI2+qGHhI=
-github.com/tencentcloud/tencentcloud-sdk-go v1.0.162/go.mod h1:asUz5BPXxgoPGaRgZaVm1iGcUAuHyYUo1nXqKa83cvI=
-github.com/testcontainers/testcontainers-go v0.37.0 h1:L2Qc0vkTw2EHWQ08djon0D2uw7Z/PtHS/QzZZ5Ra/hg=
-github.com/testcontainers/testcontainers-go v0.37.0/go.mod h1:QPzbxZhQ6Bclip9igjLFj6z0hs01bU8lrl2dHQmgFGM=
-github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0 h1:hsVwFkS6s+79MbKEO+W7A1wNIw1fmkMtF4fg83m6kbc=
-github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0/go.mod h1:Qj/eGbRbO/rEYdcRLmN+bEojzatP/+NS1y8ojl2PQsc=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.480 h1:Dwnfdrk3KXpYRH9Kwrk9sHpZSOmrE7P9LBoNsYUJKR4=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.480/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.480 h1:YEDZmv2ABU8QvwXEVTOQgVEQzDOByhz73vdjL6sERkE=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.480/go.mod h1:zaBIuDDs+rC74X8Aog+LSu91GFtHYRYDC196RGTm2jk=
+github.com/testcontainers/testcontainers-go v0.38.0 h1:d7uEapLcv2P8AvH8ahLqDMMxda2W9gQN1nRbHS28HBw=
+github.com/testcontainers/testcontainers-go v0.38.0/go.mod h1:C52c9MoHpWO+C4aqmgSU+hxlR5jlEayWtgYrb8Pzz1w=
+github.com/testcontainers/testcontainers-go/modules/postgres v0.38.0 h1:KFdx9A0yF94K70T6ibSuvgkQQeX1xKlZVF3hEagXEtY=
+github.com/testcontainers/testcontainers-go/modules/postgres v0.38.0/go.mod h1:T/QRECND6N6tAKMxF1Za+G2tpwnGEHcODzHRsgIpw9M=
 github.com/tilinna/clock v1.0.2/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao=
 github.com/tilinna/clock v1.1.0 h1:6IQQQCo6KoBxVudv6gwtY8o4eDfhHo8ojA5dP0MfhSs=
 github.com/tilinna/clock v1.1.0/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao=
-github.com/tink-crypto/tink-go/v2 v2.5.0 h1:B8KLF6AofxdBIE4UJIaFbmoj5/1ehEtt7/MmzfI4Zpw=
-github.com/tink-crypto/tink-go/v2 v2.5.0/go.mod h1:2WbBA6pfNsAfBwDCggboaHeB2X29wkU8XHtGwh2YIk8=
+github.com/tink-crypto/tink-go/v2 v2.6.0 h1:+KHNBHhWH33Vn+igZWcsgdEPUxKwBMEe0QC60t388v4=
+github.com/tink-crypto/tink-go/v2 v2.6.0/go.mod h1:2WbBA6pfNsAfBwDCggboaHeB2X29wkU8XHtGwh2YIk8=
 github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
 github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
@@ -2219,12 +1441,9 @@ github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZ
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
 github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
@@ -2239,7 +1458,6 @@ github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
 go.etcd.io/bbolt v1.4.0/go.mod h1:AsD+OCi/qPN1giOX1aiLAha3o1U8rAz65bvN4j0sRuk=
@@ -2253,94 +1471,65 @@ go.etcd.io/etcd/client/v3 v3.6.0 h1:/yjKzD+HW5v/3DVj9tpwFxzNbu8hjcKID183ug9duWk=
 go.etcd.io/etcd/client/v3 v3.6.0/go.mod h1:Jzk/Knqe06pkOZPHXsQ0+vNDvMQrgIqJ0W8DwPdMJMg=
 go.mongodb.org/atlas v0.38.0 h1:zfwymq20GqivGwxPZfypfUDry+WwMGVui97z1d8V4bU=
 go.mongodb.org/atlas v0.38.0/go.mod h1:DJYtM+vsEpPEMSkQzJnFHrT0sP7ev6cseZc/GGjJYG8=
-go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
-go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
+go.mongodb.org/mongo-driver v1.17.9 h1:IexDdCuuNJ3BHrELgBlyaH9p60JXAvdzWR128q+U5tU=
+go.mongodb.org/mongo-driver v1.17.9/go.mod h1:LlOhpH5NUEfhxcAwG0UEkMqwYcc4JU18gtCdGudk/tQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/detectors/gcp v1.37.0 h1:B+WbN9RPsvobe6q4vP6KgM8/9plR/HNjgGBrfcOlweA=
-go.opentelemetry.io/contrib/detectors/gcp v1.37.0/go.mod h1:K5zQ3TT7p2ru9Qkzk0bKtCql0RGkPj9pRjpXgZJZ+rU=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0 h1:rbRJ8BBoVMsQShESYZ0FkvcITu8X8QNwJogcLUmDNNw=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0/go.mod h1:ru6KHrNtNHxM4nD/vd6QrLVWgKhxPYgblq4VAtNawTQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/detectors/gcp v1.43.0 h1:62yY3dT7/ShwOxzA0RsKRgshBmfElKI4d/Myu2OxDFU=
+go.opentelemetry.io/contrib/detectors/gcp v1.43.0/go.mod h1:RyaZMFY7yi1kAs45S6mbFGz8O8rqB0dTY14uzvG4LCs=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 h1:0Qx7VGBacMm9ZENQ7TnNObTYI4ShC+lHI16seduaxZo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0/go.mod h1:Sje3i3MjSPKTSPvVWCaL8ugBzJwik3u4smCjUeuupqg=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
-go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
-go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
-go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
-go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.42.0 h1:lSZHgNHfbmQTPfuTmWVkEu8J8qXaQwuV30pjCcAUvP8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.42.0/go.mod h1:so9ounLcuoRDu033MW/E0AD4hhUjVqswrMF5FoZlBcw=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
+go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
-go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
-go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
+go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
@@ -2348,71 +1537,33 @@ golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191002040644-a1355ae1e2c3/go.mod h1:NOZ3BPKG0ec/BKJQgnvsSFpcKLM5xXVWnvZS97DWHgE=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20190910094157-69e4b8554b2a/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200119044424-58c23975cae1/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200618115811-c13761719519/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20201208152932-35266b937fa6/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20210216034530-4410531fe030/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20210607152325-775e3b0c77b9/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20210628002857-a66eb6448b8d/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20211028202545-6944b10bf410/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.0.0-20220302094943-723b81ca9867/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -2423,123 +1574,52 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
-golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
-golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
-golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
-golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
-golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
-golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2551,106 +1631,50 @@ golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190515120540-06a5c4944438/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210304124612-50617c2ba197/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211031064116-611d5d643895/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2658,54 +1682,38 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc h1:bH6xUXay0AIFMElXG2rQ4uiE+7ncwtiOdPfYK1NK2XA=
-golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc/go.mod h1:hKdjCMrbv9skySur+Nek8Hd0uJ0GuxJIoIX2payrIdQ=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/telemetry v0.0.0-20260409153401-be6f6cb8b1fa h1:efT73AJZfAAUV7SOip6pWGkwJDzIGiKBZGVzHYa+ve4=
+golang.org/x/telemetry v0.0.0-20260409153401-be6f6cb8b1fa/go.mod h1:kHjTxDEnAu6/Nl9lDkzjWpR+bmKfxeiRuSDlsMb70gE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
-golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI=
-golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -2713,350 +1721,57 @@ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190927191325-030b2cf1153e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
-golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY=
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
 gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
-gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0=
-gonum.org/v1/gonum v0.11.0/go.mod h1:fSG4YDCxxUZQJ7rKsQrj0gMOg00Il0Z96/qMA4bVQhA=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
 gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc=
-gonum.org/v1/plot v0.9.0/go.mod h1:3Pcqqmp6RHvJI72kgb8fThyUnav364FOsdDo2aGW5lY=
-gonum.org/v1/plot v0.10.1/go.mod h1:VZW5OlhkL1mysU9vaqNHnsy86inf6Ot+jB3r+BczCEo=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
-google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
-google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
-google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
-google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
-google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
-google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
-google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
-google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
-google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
-google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
-google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
-google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
-google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
-google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
-google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
-google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g=
-google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI=
-google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
-google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08=
-google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70=
-google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo=
-google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0=
-google.golang.org/api v0.106.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.107.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
-google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0=
-google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
-google.golang.org/api v0.251.0 h1:6lea5nHRT8RUmpy9kkC2PJYnhnDAB13LqrLSVQlMIE8=
-google.golang.org/api v0.251.0/go.mod h1:Rwy0lPf/TD7+T2VhYcffCHhyyInyuxGjICxdfLqT7KI=
+google.golang.org/api v0.279.0 h1:hsx2M2OaRcaKtVYK6vXEUnQvdjnend7ZYES+lYaot74=
+google.golang.org/api v0.279.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
-google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k=
-google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
-google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
-google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
-google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
-google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
-google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE=
-google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc=
-google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
-google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
-google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw=
-google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
-google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
-google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U=
-google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
-google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
-google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
-google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
-google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
-google.golang.org/genproto v0.0.0-20221109142239-94d6d90a7d66/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221117204609-8f9c96812029/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221201204527-e3fa12d562f3/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
-google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE=
-google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230112194545-e10362b5ecf9/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230113154510-dbe35b8444a5/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230123190316-2c411cf9d197/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230127162408-596548ed4efa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230216225411-c8e22ba71e44/go.mod h1:8B0gmkoRebU8ukX6HP+4wrVQUY1+6PkQ44BSyIlflHA=
-google.golang.org/genproto v0.0.0-20230222225845-10f96fb3dbec/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
-google.golang.org/genproto v0.0.0-20230223222841-637eb2293923/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
-google.golang.org/genproto v0.0.0-20230303212802-e74f57abe488/go.mod h1:TvhZT5f700eVlTNwND1xoEZQeWTB2RY/65kplwl/bFA=
-google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
-google.golang.org/genproto v0.0.0-20230320184635-7606e756e683/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
-google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
-google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
-google.golang.org/genproto v0.0.0-20251002232023-7c0ddcbb5797 h1:06qNPeHxbfl+OJluwQ2zOiTP6di3mvADTHnMYQuOKDQ=
-google.golang.org/genproto v0.0.0-20251002232023-7c0ddcbb5797/go.mod h1:OqVwZqqGV3h7k+YCVWXoTtwC2cs55RnDEUVMMadhxrc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250922171735-9219d122eba9 h1:jm6v6kMRpTYKxBRrDkYAitNJegUeO1Mf3Kt80obv0gg=
-google.golang.org/genproto/googleapis/api v0.0.0-20250922171735-9219d122eba9/go.mod h1:LmwNphe5Afor5V3R5BppOULHOnt2mCIf+NxMd4XiygE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 h1:i8QOKZfYg6AbGVZzUAY3LrNWCKF8O6zFisU9Wl9RER4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ=
+google.golang.org/genproto v0.0.0-20260406210006-6f92a3bedf2d h1:N1Ec54vZnIPd7MnxRiYLW+oY4fDR4BOS/LrssdD9+ek=
+google.golang.org/genproto v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:c2hJ1grtnH0xUiEKGDGkjGNTJ1Hy2LrblyKOHF0sqRM=
+google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d h1:/aDRtSZJjyLQzm75d+a1wOJaqyKBMvIAfeQmoa3ORiI=
+google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:etfGUgejTiadZAUaEP14NP97xi1RGeawqkjDARA/UOs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 h1:seT2EwLWM78plQ7wcDfuWBc/4FAEAXDDiaSol4ku4qo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
-google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
-google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
-google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
-google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
-google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
-google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
-google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
-google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
+google.golang.org/grpc v1.81.0 h1:W3G9N3KQf3BU+YuCtGKJk0CmxQNbAISICD/9AORxLIw=
+google.golang.org/grpc v1.81.0/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -3065,17 +1780,12 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -3085,10 +1795,9 @@ gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
@@ -3097,7 +1806,6 @@ gopkg.in/jcmturner/goidentity.v3 v3.0.0 h1:1duIyWiTaYvVx3YX2CYtpJbUFd7/UuPYCfgXt
 gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4=
 gopkg.in/ory-am/dockertest.v3 v3.3.4 h1:oen8RiwxVNxtQ1pRoV4e4jqh6UjNsOuIZ1NXns6jdcw=
 gopkg.in/ory-am/dockertest.v3 v3.3.4/go.mod h1:s9mmoLkaGeAh97qygnNj4xWkiN7e1SKekYC6CovU+ek=
-gopkg.in/resty.v1 v1.12.0 h1:CuXP0Pjfw9rOuY6EP+UvtNvt5DSqHpIxILZKT/quCZI=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
@@ -3106,7 +1814,6 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -3124,69 +1831,31 @@ gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
-k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
-k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
-k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
-k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
-k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
-k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
+k8s.io/api v0.35.3 h1:pA2fiBc6+N9PDf7SAiluKGEBuScsTzd2uYBkA5RzNWQ=
+k8s.io/api v0.35.3/go.mod h1:9Y9tkBcFwKNq2sxwZTQh1Njh9qHl81D0As56tu42GA4=
+k8s.io/apimachinery v0.35.3 h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8=
+k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.3 h1:s1lZbpN4uI6IxeTM2cpdtrwHcSOBML1ODNTCCfsP1pg=
+k8s.io/client-go v0.35.3/go.mod h1:RzoXkc0mzpWIDvBrRnD+VlfXP+lRzqQjCmKtiwZ8Q9c=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 layeh.com/radius v0.0.0-20231213012653-1006025d24f8 h1:orYXpi6BJZdvgytfHH4ybOe4wHnLbbS71Cmd8mWdZjs=
 layeh.com/radius v0.0.0-20231213012653-1006025d24f8/go.mod h1:QRf+8aRqXc019kHkpcs/CTgyWXFzf+bxlsyuo2nAl1o=
-lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
-lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
-modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/cc/v3 v3.36.2/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/cc/v3 v3.36.3/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
-modernc.org/ccgo/v3 v3.0.0-20220428102840-41399a37e894/go.mod h1:eI31LL8EwEBKPpNpA4bU1/i+sKOwOrQy8D87zWUcRZc=
-modernc.org/ccgo/v3 v3.0.0-20220430103911-bc99d88307be/go.mod h1:bwdAnOoaIt8Ax9YdWGjxWsdkPcZyRPHqrOvJxaKAKGw=
-modernc.org/ccgo/v3 v3.16.4/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
-modernc.org/ccgo/v3 v3.16.6/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
-modernc.org/ccgo/v3 v3.16.8/go.mod h1:zNjwkizS+fIFDrDjIAgBSCLkWbJuHF+ar3QRn+Z9aws=
-modernc.org/ccgo/v3 v3.16.9/go.mod h1:zNMzC9A9xeNUepy6KuZBbugn3c0Mc9TeiJO4lgvkJDo=
-modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
-modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
-modernc.org/libc v0.0.0-20220428101251-2d5f3daf273b/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
-modernc.org/libc v1.16.0/go.mod h1:N4LD6DBE9cf+Dzf9buBlzVJndKr/iJHG97vGLHYnb5A=
-modernc.org/libc v1.16.1/go.mod h1:JjJE0eu4yeK7tab2n4S1w8tlWd9MxXLRzheaRnAKymU=
-modernc.org/libc v1.16.17/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU=
-modernc.org/libc v1.16.19/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
-modernc.org/libc v1.17.0/go.mod h1:XsgLldpP4aWlPlsjqKRdHPqCxCjISdHfM/yeWC5GyW0=
-modernc.org/libc v1.17.1/go.mod h1:FZ23b+8LjxZs7XtFMbSzL/EhPxNbfZbErxEHc7cbD9s=
-modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/memory v1.1.1/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
-modernc.org/memory v1.2.0/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
-modernc.org/memory v1.2.1/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sqlite v1.18.1/go.mod h1:6ho+Gow7oX5V+OiOQ6Tr4xeqbx13UZ6t+Fw9IRUG4d4=
-modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw=
-modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
-modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw=
-modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
+software.sslmate.com/src/go-pkcs12 v0.7.1 h1:bxkUPRsvTPNRBZa4M/aSX4PyMOEbq3V8I6hbkG4F4Q8=
+software.sslmate.com/src/go-pkcs12 v0.7.1/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
diff --git a/helper/builtinplugins/builtinplugins_test.go b/helper/builtinplugins/builtinplugins_test.go
index 500663014b..e55bb8005c 100644
--- a/helper/builtinplugins/builtinplugins_test.go
+++ b/helper/builtinplugins/builtinplugins_test.go
@@ -50,9 +50,6 @@ func TestBuiltinPluginsWork(t *testing.T) {
 		},
 	)
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 	client := cores[0].Client
diff --git a/helper/builtinplugins/registry_test.go b/helper/builtinplugins/registry_test.go
index 6e135f53ac..62d3832209 100644
--- a/helper/builtinplugins/registry_test.go
+++ b/helper/builtinplugins/registry_test.go
@@ -110,7 +110,7 @@ func Test_RegistryKeyCounts(t *testing.T) {
 			name:       "number of secrets plugins",
 			pluginType: consts.PluginTypeSecrets,
 			want:       19,
-			entWant:    4,
+			entWant:    5,
 		},
 	}
 	for _, tt := range tests {
@@ -257,10 +257,10 @@ func Test_RegistryMatchesGenOpenapi(t *testing.T) {
 
 		var (
 			credentialBackends   []string
-			credentialBackendsRe = regexp.MustCompile(leading + `vault auth enable (?:-.+ )*(?:"([a-zA-Z]+)"|([a-zA-Z]+))$`)
+			credentialBackendsRe = regexp.MustCompile(leading + `vault auth enable (?:-.+ )*(?:"([a-zA-Z-]+)"|([a-zA-Z-]+))$`)
 
 			secretsBackends   []string
-			secretsBackendsRe = regexp.MustCompile(leading + `vault secrets enable (?:-.+ )*(?:"([a-zA-Z]+)"|([a-zA-Z]+))$`)
+			secretsBackendsRe = regexp.MustCompile(leading + `vault secrets enable (?:-.+ )*(?:"([a-zA-Z-]+)"|([a-zA-Z-]+))$`)
 		)
 
 		scanner := bufio.NewScanner(f)
diff --git a/helper/identity/identity.go b/helper/identity/identity.go
index 8c04401536..7344f6f4e3 100644
--- a/helper/identity/identity.go
+++ b/helper/identity/identity.go
@@ -192,3 +192,36 @@ func ToSDKGroups(groups []*Group) []*logical.Group {
 	}
 	return ret
 }
+
+func (g *Group) SCIMClientID() string {
+	return g.ScimClientID
+}
+
+// SCIMFields are fields that can only be modified via SCIM, if the resource
+// is SCIM-owned. `scim_client_id` cannot ever be modified, so it is not
+// included in this list.
+func (g *Group) SCIMFields() []string {
+	return []string{"name", "member_entity_ids"}
+}
+
+func (e *Entity) SCIMClientID() string {
+	return e.ScimClientID
+}
+
+// SCIMFields are fields that can only be modified via SCIM, if the resource
+// is SCIM-owned. `scim_client_id` cannot ever be modified, so it is not
+// included in this list.
+func (e *Entity) SCIMFields() []string {
+	return []string{"name", "disabled", "metadata", "external_id"}
+}
+
+func (a *Alias) SCIMClientID() string {
+	return a.ScimClientID
+}
+
+// SCIMFields are fields that can only be modified via SCIM, if the resource
+// is SCIM-owned. `scim_client_id` cannot ever be modified, so it is not
+// included in this list.
+func (a *Alias) SCIMFields() []string {
+	return []string{"name", "mount_accessor", "canonical_id"}
+}
diff --git a/helper/identity/types.pb.go b/helper/identity/types.pb.go
index 98da732158..75ace54a67 100644
--- a/helper/identity/types.pb.go
+++ b/helper/identity/types.pb.go
@@ -540,7 +540,13 @@ type Alias struct {
 	// ensuring that authoritative lifecycle operations (like updates and deletes by
 	// an IGA) can only be performed by the client that owns the resource.
 	// @inject_tag: sentinel:"-"
-	ScimClientID  string `protobuf:"bytes,15,opt,name=scim_client_id,json=scimClientId,proto3" json:"scim_client_id,omitempty" sentinel:"-"`
+	ScimClientID string `protobuf:"bytes,15,opt,name=scim_client_id,json=scimClientId,proto3" json:"scim_client_id,omitempty" sentinel:"-"`
+	// external_id is the unique external identifier for an entity managed via
+	// an external IDP. This field does not always map 1:1 to a claim external_id.
+	// This mapping is done via configuration.
+	ExternalID string `protobuf:"bytes,16,opt,name=external_id,json=externalId,proto3" json:"external_id,omitempty"`
+	// issuer is the issuer claim for this alias
+	Issuer        string `protobuf:"bytes,17,opt,name=issuer,proto3" json:"issuer,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -680,38 +686,54 @@ func (x *Alias) GetScimClientID() string {
 	return ""
 }
 
+func (x *Alias) GetExternalID() string {
+	if x != nil {
+		return x.ExternalID
+	}
+	return ""
+}
+
+func (x *Alias) GetIssuer() string {
+	if x != nil {
+		return x.Issuer
+	}
+	return ""
+}
+
 // ScimClient defines the stored configuration for a single SCIM client.
-// This configuration links a client's identity within Vault to its specific
-// role and capabilities within the SCIM server.
+// This configuration links a client's identity within Vault to its
+// capabilities within the SCIM server.
 type ScimClient struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// ClientID is a unique identifier for this specific SCIM
 	// client configuration.
 	// @inject_tag: sentinel:"-"
 	ClientID string `protobuf:"bytes,1,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty" sentinel:"-"`
-	// ClientRole defines the client's function and authoritative power.
-	// It must be either "IGA" (authoritative) or "IDP" (standard).
-	// @inject_tag: sentinel:"-"
-	ClientRole string `protobuf:"bytes,2,opt,name=client_role,json=clientRole,proto3" json:"client_role,omitempty" sentinel:"-"`
 	// AccessGrantPrincipal is the Vault Entity ID that represents the SCIM
 	// client application itself. This is the principal that will be granted the
 	// necessary permissions to perform SCIM operations.
 	// @inject_tag: sentinel:"-"
-	AccessGrantPrincipal string `protobuf:"bytes,3,opt,name=access_grant_principal,json=accessGrantPrincipal,proto3" json:"access_grant_principal,omitempty" sentinel:"-"`
+	AccessGrantPrincipal string `protobuf:"bytes,2,opt,name=access_grant_principal,json=accessGrantPrincipal,proto3" json:"access_grant_principal,omitempty" sentinel:"-"`
 	// AliasMountAccessor is an optional field that specifies the mount accessor
-	// of an auth method where login aliases should be created for provisioned users.
-	// This is typically used for clients with the 'IDP' role.
+	// of an auth method where login aliases should be created for provisioned
+	// users. When set, the SCIM client will create both a Vault entity and an
+	// alias on the specified auth mount for each provisioned user. When empty,
+	// only entities are created.
 	// @inject_tag: sentinel:"-"
-	AliasMountAccessor string `protobuf:"bytes,4,opt,name=alias_mount_accessor,json=aliasMountAccessor,proto3" json:"alias_mount_accessor,omitempty" sentinel:"-"`
-	// ClientName is an user defined identifier for this specific SCIM
+	AliasMountAccessor string `protobuf:"bytes,3,opt,name=alias_mount_accessor,json=aliasMountAccessor,proto3" json:"alias_mount_accessor,omitempty" sentinel:"-"`
+	// ClientName is a user-defined identifier for this specific SCIM
 	// client configuration. (e.g., 'Okta-Prod', 'SailPoint-Dev').
 	// @inject_tag: sentinel:"-"
-	ClientName string `protobuf:"bytes,5,opt,name=client_name,json=clientName,proto3" json:"client_name,omitempty" sentinel:"-"`
+	ClientName string `protobuf:"bytes,4,opt,name=client_name,json=clientName,proto3" json:"client_name,omitempty" sentinel:"-"`
 	// NamespaceID is the identifier of the namespace to which this entity
 	// belongs to. Do not return this value over the API when reading the
 	// entity.
 	// @inject_tag: sentinel:"-"
-	NamespaceID   string `protobuf:"bytes,6,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty" sentinel:"-"`
+	NamespaceID string `protobuf:"bytes,5,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty" sentinel:"-"`
+	// Deleting indicates that the SCIM client is in the process of being deleted.
+	// This allows cascading cleanup to be eventually handled even if there are failures during the deletion process.
+	// @inject_tag: sentinel:"-"
+	Deleting      bool `protobuf:"varint,6,opt,name=deleting,proto3" json:"deleting,omitempty" sentinel:"-"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -753,13 +775,6 @@ func (x *ScimClient) GetClientID() string {
 	return ""
 }
 
-func (x *ScimClient) GetClientRole() string {
-	if x != nil {
-		return x.ClientRole
-	}
-	return ""
-}
-
 func (x *ScimClient) GetAccessGrantPrincipal() string {
 	if x != nil {
 		return x.AccessGrantPrincipal
@@ -788,6 +803,13 @@ func (x *ScimClient) GetNamespaceID() string {
 	return ""
 }
 
+func (x *ScimClient) GetDeleting() bool {
+	if x != nil {
+		return x.Deleting
+	}
+	return false
+}
+
 // Deprecated. Retained for backwards compatibility.
 type EntityStorageEntry struct {
 	state           protoimpl.MessageState `protogen:"open.v1"`
@@ -1119,7 +1141,7 @@ var file_helper_identity_types_proto_rawDesc = string([]byte{
 	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x21, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
 	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0b, 0x2e, 0x6d, 0x66, 0x61, 0x2e, 0x53, 0x65,
 	0x63, 0x72, 0x65, 0x74, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22,
-	0x87, 0x06, 0x0a, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18,
+	0xc0, 0x06, 0x0a, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18,
 	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x61, 0x6e,
 	0x6f, 0x6e, 0x69, 0x63, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
 	0x0b, 0x63, 0x61, 0x6e, 0x6f, 0x6e, 0x69, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a,
@@ -1159,106 +1181,110 @@ var file_helper_identity_types_proto_rawDesc = string([]byte{
 	0x01, 0x28, 0x09, 0x52, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x42, 0x75, 0x63, 0x6b, 0x65, 0x74,
 	0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x63, 0x69, 0x6d, 0x5f, 0x63, 0x6c, 0x69, 0x65,
 	0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x63, 0x69,
-	0x6d, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74,
-	0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
-	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x41, 0x0a, 0x13, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d,
-	0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
-	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
-	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xf6, 0x01, 0x0a, 0x0a, 0x53, 0x63,
-	0x69, 0x6d, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65,
-	0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x6c, 0x69,
-	0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f,
-	0x72, 0x6f, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6c, 0x69, 0x65,
-	0x6e, 0x74, 0x52, 0x6f, 0x6c, 0x65, 0x12, 0x34, 0x0a, 0x16, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73,
-	0x5f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x5f, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x47, 0x72,
-	0x61, 0x6e, 0x74, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x30, 0x0a, 0x14,
-	0x61, 0x6c, 0x69, 0x61, 0x73, 0x5f, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65,
-	0x73, 0x73, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x61, 0x6c, 0x69, 0x61,
-	0x73, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x12, 0x1f,
-	0x0a, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12,
-	0x21, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18,
-	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65,
-	0x49, 0x64, 0x22, 0x88, 0x05, 0x0a, 0x12, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x74, 0x6f,
-	0x72, 0x61, 0x67, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x37, 0x0a, 0x08, 0x70, 0x65, 0x72,
-	0x73, 0x6f, 0x6e, 0x61, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x69, 0x64,
-	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x50, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x49, 0x6e,
-	0x64, 0x65, 0x78, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e,
-	0x61, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02,
-	0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61,
-	0x74, 0x61, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74,
-	0x69, 0x74, 0x79, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67,
-	0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45,
-	0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3f,
-	0x0a, 0x0d, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18,
-	0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,
-	0x70, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x69, 0x6d, 0x65, 0x12,
-	0x44, 0x0a, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x74,
-	0x69, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6d, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x78, 0x74,
+	0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a,
+	0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73,
+	0x73, 0x75, 0x65, 0x72, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75,
+	0x65, 0x72, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e,
+	0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a,
+	0x41, 0x0a, 0x13, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
+	0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
+	0x38, 0x01, 0x22, 0xf1, 0x01, 0x0a, 0x0a, 0x53, 0x63, 0x69, 0x6d, 0x43, 0x6c, 0x69, 0x65, 0x6e,
+	0x74, 0x12, 0x1b, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x34,
+	0x0a, 0x16, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x5f, 0x70,
+	0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14,
+	0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x50, 0x72, 0x69, 0x6e, 0x63,
+	0x69, 0x70, 0x61, 0x6c, 0x12, 0x30, 0x0a, 0x14, 0x61, 0x6c, 0x69, 0x61, 0x73, 0x5f, 0x6d, 0x6f,
+	0x75, 0x6e, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x12, 0x61, 0x6c, 0x69, 0x61, 0x73, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x41, 0x63,
+	0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6c, 0x69,
+	0x65, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73,
+	0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6e,
+	0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x65,
+	0x6c, 0x65, 0x74, 0x69, 0x6e, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x64, 0x65,
+	0x6c, 0x65, 0x74, 0x69, 0x6e, 0x67, 0x22, 0x88, 0x05, 0x0a, 0x12, 0x45, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x37, 0x0a,
+	0x08, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x1b, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x50, 0x65, 0x72, 0x73, 0x6f,
+	0x6e, 0x61, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x70, 0x65,
+	0x72, 0x73, 0x6f, 0x6e, 0x61, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65,
+	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x74,
+	0x6f, 0x72, 0x61, 0x67, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64,
+	0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61,
+	0x74, 0x61, 0x12, 0x3f, 0x0a, 0x0d, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74,
+	0x69, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
 	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65,
-	0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0e, 0x6c, 0x61, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74,
-	0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x6d, 0x65, 0x72, 0x67, 0x65, 0x64, 0x5f,
-	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09,
-	0x52, 0x0f, 0x6d, 0x65, 0x72, 0x67, 0x65, 0x64, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64,
-	0x73, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x18, 0x08, 0x20,
-	0x03, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x26, 0x0a,
-	0x0f, 0x62, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x68, 0x61, 0x73, 0x68,
-	0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x4b, 0x65,
-	0x79, 0x48, 0x61, 0x73, 0x68, 0x12, 0x4d, 0x0a, 0x0b, 0x6d, 0x66, 0x61, 0x5f, 0x73, 0x65, 0x63,
-	0x72, 0x65, 0x74, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x64, 0x65,
-	0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x74, 0x6f, 0x72,
-	0x61, 0x67, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x66, 0x61, 0x53, 0x65, 0x63, 0x72,
-	0x65, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x6d, 0x66, 0x61, 0x53, 0x65, 0x63,
-	0x72, 0x65, 0x74, 0x73, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
-	0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
-	0x01, 0x1a, 0x4a, 0x0a, 0x0f, 0x4d, 0x66, 0x61, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45,
-	0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x21, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0b, 0x2e, 0x6d, 0x66, 0x61, 0x2e, 0x53, 0x65, 0x63, 0x72,
-	0x65, 0x74, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xf9, 0x03,
-	0x0a, 0x11, 0x50, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x45, 0x6e,
-	0x74, 0x72, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x02, 0x69, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64,
-	0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x25, 0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f,
-	0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x41, 0x63,
-	0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f,
-	0x70, 0x61, 0x74, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e,
-	0x74, 0x50, 0x61, 0x74, 0x68, 0x12, 0x45, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
-	0x61, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69,
-	0x74, 0x79, 0x2e, 0x50, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x45,
-	0x6e, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74,
-	0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x12, 0x0a, 0x04,
-	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65,
-	0x12, 0x3f, 0x0a, 0x0d, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x69, 0x6d,
-	0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74,
-	0x61, 0x6d, 0x70, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x69, 0x6d,
-	0x65, 0x12, 0x44, 0x0a, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65,
-	0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54,
+	0x69, 0x6d, 0x65, 0x12, 0x44, 0x0a, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x70, 0x64, 0x61,
+	0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0e, 0x6c, 0x61, 0x73, 0x74, 0x55,
+	0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x6d, 0x65, 0x72,
+	0x67, 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x07,
+	0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x6d, 0x65, 0x72, 0x67, 0x65, 0x64, 0x45, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x49, 0x64, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65,
+	0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65,
+	0x73, 0x12, 0x26, 0x0a, 0x0f, 0x62, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f,
+	0x68, 0x61, 0x73, 0x68, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x75, 0x63, 0x6b,
+	0x65, 0x74, 0x4b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x12, 0x4d, 0x0a, 0x0b, 0x6d, 0x66, 0x61,
+	0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c,
+	0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79,
+	0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x66, 0x61,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x6d, 0x66,
+	0x61, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61,
+	0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x4a, 0x0a, 0x0f, 0x4d, 0x66, 0x61, 0x53, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x21, 0x0a, 0x05, 0x76, 0x61,
+	0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0b, 0x2e, 0x6d, 0x66, 0x61, 0x2e,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
+	0x01, 0x22, 0xf9, 0x03, 0x0a, 0x11, 0x50, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x49, 0x6e, 0x64,
+	0x65, 0x78, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x65, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x65, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x74, 0x79,
+	0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x54,
+	0x79, 0x70, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x61, 0x63, 0x63,
+	0x65, 0x73, 0x73, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75,
+	0x6e, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x6f,
+	0x75, 0x6e, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
+	0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x50, 0x61, 0x74, 0x68, 0x12, 0x45, 0x0a, 0x08, 0x6d, 0x65, 0x74,
+	0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x50, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x49, 0x6e,
+	0x64, 0x65, 0x78, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
+	0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
+	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x3f, 0x0a, 0x0d, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
 	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
-	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0e, 0x6c, 0x61, 0x73, 0x74, 0x55, 0x70, 0x64,
-	0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x33, 0x0a, 0x16, 0x6d, 0x65, 0x72, 0x67, 0x65,
-	0x64, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64,
-	0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x6d, 0x65, 0x72, 0x67, 0x65, 0x64, 0x46,
-	0x72, 0x6f, 0x6d, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x73, 0x1a, 0x3b, 0x0a, 0x0d,
-	0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
-	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
-	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2c, 0x5a, 0x2a, 0x67, 0x69, 0x74,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
-	0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x68, 0x65, 0x6c, 0x70, 0x65, 0x72, 0x2f, 0x69,
-	0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x44, 0x0a, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x70,
+	0x64, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
+	0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0e, 0x6c, 0x61, 0x73,
+	0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x33, 0x0a, 0x16, 0x6d,
+	0x65, 0x72, 0x67, 0x65, 0x64, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x65, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x6d, 0x65, 0x72,
+	0x67, 0x65, 0x64, 0x46, 0x72, 0x6f, 0x6d, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x73,
+	0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2c, 0x5a,
+	0x2a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68,
+	0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x68, 0x65, 0x6c, 0x70,
+	0x65, 0x72, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
 })
 
 var (
diff --git a/helper/identity/types.proto b/helper/identity/types.proto
index 96e505483c..194f42c3f9 100644
--- a/helper/identity/types.proto
+++ b/helper/identity/types.proto
@@ -262,44 +262,54 @@ message Alias {
   // an IGA) can only be performed by the client that owns the resource.
   // @inject_tag: sentinel:"-"
   string scim_client_id = 15;
+
+  // external_id is the unique external identifier for an entity managed via
+  // an external IdP. This field does not always map 1:1 to a claim external_id.
+  // This mapping is done via configuration.
+  string external_id = 16;
+
+  // issuer is the issuer claim for this alias
+  string issuer = 17;
 }
 
 // ScimClient defines the stored configuration for a single SCIM client.
-// This configuration links a client's identity within Vault to its specific
-// role and capabilities within the SCIM server.
+// This configuration links a client's identity within Vault to its
+// capabilities within the SCIM server.
 message ScimClient {
   // ClientId is a unique identifier for this specific SCIM
   // client configuration.
   // @inject_tag: sentinel:"-"
   string client_id = 1;
 
-  // ClientRole defines the client's function and authoritative power.
-  // It must be either "IGA" (authoritative) or "IdP" (standard).
-  // @inject_tag: sentinel:"-"
-  string client_role = 2;
-
   // AccessGrantPrincipal is the Vault Entity ID that represents the SCIM
   // client application itself. This is the principal that will be granted the
   // necessary permissions to perform SCIM operations.
   // @inject_tag: sentinel:"-"
-  string access_grant_principal = 3;
+  string access_grant_principal = 2;
 
   // AliasMountAccessor is an optional field that specifies the mount accessor
-  // of an auth method where login aliases should be created for provisioned users.
-  // This is typically used for clients with the 'IdP' role.
+  // of an auth method where login aliases should be created for provisioned
+  // users. When set, the SCIM client will create both a Vault entity and an
+  // alias on the specified auth mount for each provisioned user. When empty,
+  // only entities are created.
   // @inject_tag: sentinel:"-"
-  string alias_mount_accessor = 4;
+  string alias_mount_accessor = 3;
 
-  // ClientName is an user defined identifier for this specific SCIM
+  // ClientName is a user-defined identifier for this specific SCIM
   // client configuration. (e.g., 'Okta-Prod', 'SailPoint-Dev').
   // @inject_tag: sentinel:"-"
-  string client_name = 5;
+  string client_name = 4;
 
   // NamespaceID is the identifier of the namespace to which this entity
   // belongs to. Do not return this value over the API when reading the
   // entity.
   // @inject_tag: sentinel:"-"
-  string namespace_id = 6;
+  string namespace_id = 5;
+
+  // Deleting indicates that the SCIM client is in the process of being deleted.
+  // This allows cascading cleanup to be eventually handled even if there are failures during the deletion process.
+  // @inject_tag: sentinel:"-"
+  bool deleting = 6;
 }
 
 // Deprecated. Retained for backwards compatibility.
diff --git a/helper/pkcs7/decrypt.go b/helper/pkcs7/decrypt.go
index eae0bb810d..e3277fba81 100644
--- a/helper/pkcs7/decrypt.go
+++ b/helper/pkcs7/decrypt.go
@@ -31,6 +31,8 @@ func (p7 *PKCS7) Decrypt(cert *x509.Certificate, pkey crypto.PrivateKey) ([]byte
 	if recipient.EncryptedKey == nil {
 		return nil, errors.New("pkcs7: no enveloped recipient for provided certificate")
 	}
+
+	// Try first with direct rsa.PrivateKeys, we support OAEP with it
 	switch pkey := pkey.(type) {
 	case *rsa.PrivateKey:
 		var contentKey []byte
@@ -53,6 +55,28 @@ func (p7 *PKCS7) Decrypt(cert *x509.Certificate, pkey crypto.PrivateKey) ([]byte
 		}
 		return data.EncryptedContentInfo.decrypt(contentKey)
 	}
+
+	// Next try to use crypto.Decrypter interface (support for managed keys)
+	if decrypter, ok := pkey.(crypto.Decrypter); ok {
+		var contentKey []byte
+		var err error
+
+		if _, ok := decrypter.Public().(*rsa.PublicKey); !ok {
+			return nil, fmt.Errorf("decrypter public key is not an RSA key: %w", ErrUnsupportedAlgorithm)
+		}
+
+		switch {
+		case recipient.KeyEncryptionAlgorithm.Algorithm.Equal(OIDEncryptionAlgorithmRSAOAEP):
+			return nil, fmt.Errorf("RSA OAEP decryption algorithm is not supported for decrypter interfaces")
+		default:
+			contentKey, err = decrypter.Decrypt(rand.Reader, recipient.EncryptedKey, nil)
+			if err != nil {
+				return nil, fmt.Errorf("failed PKCS1v15 decryption of content key using decrypter interface: %w", err)
+			}
+		}
+		return data.EncryptedContentInfo.decrypt(contentKey)
+	}
+
 	return nil, ErrUnsupportedAlgorithm
 }
 
diff --git a/helper/pkcs7/pkcs7.go b/helper/pkcs7/pkcs7.go
index b8a0500488..0429650c0a 100644
--- a/helper/pkcs7/pkcs7.go
+++ b/helper/pkcs7/pkcs7.go
@@ -122,8 +122,7 @@ func getDigestOIDForSignatureAlgorithm(digestAlg x509.SignatureAlgorithm) (asn1.
 // getOIDForEncryptionAlgorithm takes the private key type of the signer and
 // the OID of a digest algorithm to return the appropriate signerInfo.DigestEncryptionAlgorithm
 func getOIDForEncryptionAlgorithm(pkey crypto.PrivateKey, OIDDigestAlg asn1.ObjectIdentifier) (asn1.ObjectIdentifier, error) {
-	switch pkey.(type) {
-	case *rsa.PrivateKey:
+	rsaAlgos := func() (asn1.ObjectIdentifier, error) {
 		switch {
 		default:
 			return OIDEncryptionAlgorithmRSA, nil
@@ -138,7 +137,8 @@ func getOIDForEncryptionAlgorithm(pkey crypto.PrivateKey, OIDDigestAlg asn1.Obje
 		case OIDDigestAlg.Equal(OIDDigestAlgorithmSHA512):
 			return OIDEncryptionAlgorithmRSASHA512, nil
 		}
-	case *ecdsa.PrivateKey:
+	}
+	ecdsaAlgos := func() (asn1.ObjectIdentifier, error) {
 		switch {
 		case OIDDigestAlg.Equal(OIDDigestAlgorithmSHA1):
 			return OIDDigestAlgorithmECDSASHA1, nil
@@ -148,10 +148,32 @@ func getOIDForEncryptionAlgorithm(pkey crypto.PrivateKey, OIDDigestAlg asn1.Obje
 			return OIDDigestAlgorithmECDSASHA384, nil
 		case OIDDigestAlg.Equal(OIDDigestAlgorithmSHA512):
 			return OIDDigestAlgorithmECDSASHA512, nil
+		default:
+			return nil, fmt.Errorf("pkcs7: unsupported ECDSA digest algorithm: %s", OIDDigestAlg.String())
 		}
+	}
+	switch pkey.(type) {
+	case *rsa.PrivateKey:
+		return rsaAlgos()
+	case *ecdsa.PrivateKey:
+		return ecdsaAlgos()
 	case *dsa.PrivateKey:
 		return OIDDigestAlgorithmDSA, nil
 	}
+
+	// Support managed keys
+	if decrypter, ok := pkey.(crypto.Decrypter); ok {
+		if _, ok := decrypter.Public().(*rsa.PublicKey); ok {
+			return rsaAlgos()
+		}
+		if _, ok := decrypter.Public().(*ecdsa.PublicKey); ok {
+			return ecdsaAlgos()
+		}
+		if _, ok := decrypter.Public().(*dsa.PublicKey); ok {
+			return OIDDigestAlgorithmDSA, nil
+		}
+	}
+
 	return nil, fmt.Errorf("pkcs7: cannot convert encryption algorithm to oid, unknown private key type %T", pkey)
 }
 
diff --git a/helper/pluginconsts/plugin_consts.go b/helper/pluginconsts/plugin_consts.go
index 285a51ce39..9190b1a10d 100644
--- a/helper/pluginconsts/plugin_consts.go
+++ b/helper/pluginconsts/plugin_consts.go
@@ -42,6 +42,7 @@ const (
 	SecretEngineNomad         = "nomad"
 	SecretEngineOpenLDAP      = "openldap"
 	SecretEngineLDAP          = "ldap"
+	SecretEnginePkiExternalCa = "pki-external-ca"
 	SecretEnginePostgresql    = "postgresql"
 	SecretEngineRabbitMQ      = "rabbitmq"
 	SecretEngineSpiffe        = "spiffe"
@@ -64,6 +65,7 @@ const (
 	// SecretEngineDatabase is the entry type for all databases, i.e. this is the combined
 	// database type for every database.
 	SecretEngineDatabase = "database"
+	SecretEngineOS       = "vault-plugin-secrets-os"
 )
 
 // These DB consts match the type returned from database plugin's Type() method.
diff --git a/helper/testhelpers/consul/cluster_storage.go b/helper/testhelpers/consul/cluster_storage.go
index ed3c1b4f75..52c7dec036 100644
--- a/helper/testhelpers/consul/cluster_storage.go
+++ b/helper/testhelpers/consul/cluster_storage.go
@@ -6,6 +6,7 @@ package consul
 import (
 	"context"
 	"fmt"
+	"sync/atomic"
 
 	"github.com/hashicorp/vault/sdk/helper/testcluster"
 )
@@ -16,9 +17,10 @@ type ClusterStorage struct {
 	// your test. Leave empty for latest OSS (defined in consulhelper.go).
 	ConsulVersion    string
 	ConsulEnterprise bool
-
-	cleanup func()
-	config  *Config
+	ConsulConfig     string
+	cleanup          func()
+	config           *Config
+	started          atomic.Bool
 }
 
 var _ testcluster.ClusterStorage = &ClusterStorage{}
@@ -28,16 +30,20 @@ func NewClusterStorage() *ClusterStorage {
 }
 
 func (s *ClusterStorage) Start(ctx context.Context, opts *testcluster.ClusterOptions) error {
+	if s.started.Load() {
+		return nil
+	}
 	prefix := ""
 	if opts != nil && opts.ClusterName != "" {
 		prefix = fmt.Sprintf("%s-", opts.ClusterName)
 	}
-	cleanup, config, err := RunContainer(ctx, prefix, s.ConsulVersion, s.ConsulEnterprise, true)
+	cleanup, config, err := RunContainerConfig(ctx, prefix, s.ConsulVersion, s.ConsulEnterprise, true, s.ConsulConfig)
 	if err != nil {
 		return err
 	}
 	s.cleanup = cleanup
 	s.config = config
+	s.started.Store(true)
 
 	return nil
 }
diff --git a/helper/testhelpers/consul/consulhelper.go b/helper/testhelpers/consul/consulhelper.go
index eaa0ff9d4c..b0a2b2603e 100644
--- a/helper/testhelpers/consul/consulhelper.go
+++ b/helper/testhelpers/consul/consulhelper.go
@@ -61,6 +61,13 @@ func PrepareTestContainer(t *testing.T, version string, isEnterprise bool, doBoo
 // is used by `PrepareTestContainer` which is used typically in tests that rely
 // on Consul but run tested code within the test process.
 func RunContainer(ctx context.Context, namePrefix, version string, isEnterprise bool, doBootstrapSetup bool) (func(), *Config, error) {
+	return RunContainerConfig(ctx, namePrefix, version, isEnterprise, doBootstrapSetup, "")
+}
+
+// RunContainerConfig starts Consul with an optional additional config string.
+// The addlConfig variable should be hcl and will be added to the default
+// Consul configuration
+func RunContainerConfig(ctx context.Context, namePrefix, version string, isEnterprise bool, doBootstrapSetup bool, addlConfig string) (func(), *Config, error) {
 	if retAddress := os.Getenv("CONSUL_HTTP_ADDR"); retAddress != "" {
 		shp, err := docker.NewServiceHostPortParse(retAddress)
 		if err != nil {
@@ -105,12 +112,16 @@ func RunContainer(ctx context.Context, namePrefix, version string, isEnterprise
 		repo = dockerRepo
 	}
 
+	cmd := []string{"agent", "-dev", "-client", "0.0.0.0", "-hcl", config}
+	if addlConfig != "" {
+		cmd = append(cmd, "-hcl", addlConfig)
+	}
 	dockerOpts := docker.RunOptions{
 		ContainerName: name,
 		ImageRepo:     repo,
 		ImageTag:      version,
 		Env:           envVars,
-		Cmd:           []string{"agent", "-dev", "-client", "0.0.0.0", "-hcl", config},
+		Cmd:           cmd,
 		Ports:         []string{"8500/tcp"},
 		AuthUsername:  os.Getenv("CONSUL_DOCKER_USERNAME"),
 		AuthPassword:  os.Getenv("CONSUL_DOCKER_PASSWORD"),
diff --git a/helper/testhelpers/ldap/ldaphelper.go b/helper/testhelpers/ldap/ldaphelper.go
index 4de3e40db0..2b022ac170 100644
--- a/helper/testhelpers/ldap/ldaphelper.go
+++ b/helper/testhelpers/ldap/ldaphelper.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"runtime"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -17,6 +18,24 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/ldaputil"
 )
 
+// safeBuffer is a thread-safe bytes.Buffer wrapper
+type safeBuffer struct {
+	buf bytes.Buffer
+	mu  sync.Mutex
+}
+
+func (s *safeBuffer) Write(p []byte) (n int, err error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.buf.Write(p)
+}
+
+func (s *safeBuffer) String() string {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.buf.String()
+}
+
 // DefaultVersion is the default version of the container to pull.
 // NOTE: This is currently pinned to a sha instead of "master", see: https://github.com/rroemhild/docker-test-openldap/issues/62
 const DefaultVersion = "sha256:f4d9c5ba97f9662e9aea082b4aa89233994ca6e232abc1952d5d90da7e16b0eb"
@@ -28,7 +47,7 @@ func PrepareTestContainer(t *testing.T, version string) (cleanup func(), cfg *ld
 		t.Skip("Skipping, as this image is not supported on ARM architectures")
 	}
 
-	logsWriter := bytes.NewBuffer([]byte{})
+	logsWriter := &safeBuffer{}
 
 	runner, err := docker.NewServiceRunner(docker.RunOptions{
 		ImageRepo:     "ghcr.io/rroemhild/docker-test-openldap",
diff --git a/helper/testhelpers/minimal/minimal.go b/helper/testhelpers/minimal/minimal.go
index 5903db136c..b1327f51cf 100644
--- a/helper/testhelpers/minimal/minimal.go
+++ b/helper/testhelpers/minimal/minimal.go
@@ -20,10 +20,10 @@ import (
 )
 
 // NewTestSoloCluster is a simpler version of NewTestCluster that only creates
-// single-node clusters.  It is intentionally minimalist, if you need something
-// from vault.TestClusterOptions, use NewTestCluster instead.  It should work fine
-// with a nil config argument.  There is no need to call Start or Cleanup or
-// TestWaitActive on the resulting cluster.
+// single-node clusters. It is intentionally minimalist, if you need something
+// from vault.TestClusterOptions, use NewTestCluster instead. It should work fine
+// with a nil config argument. There is no need to call Cleanup or TestWaitActive
+// on the resulting cluster.
 func NewTestSoloCluster(t testing.TB, config *vault.CoreConfig) *vault.TestCluster {
 	logger := corehelpers.NewTestLogger(t)
 
@@ -71,11 +71,15 @@ func NewTestSoloCluster(t testing.TB, config *vault.CoreConfig) *vault.TestClust
 		mycfg.BuiltinRegistry = builtinplugins.Registry
 	}
 
+	// Apply the entConfig values to mycfg too.
+	if config != nil {
+		vault.TestApplyEntBaseConfig(mycfg, config)
+	}
+
 	cluster := vault.NewTestCluster(t, mycfg, &vault.TestClusterOptions{
 		NumCores:    1,
 		HandlerFunc: http.Handler,
 		Logger:      logger,
 	})
-	t.Cleanup(cluster.Cleanup)
 	return cluster
 }
diff --git a/helper/testhelpers/seal/sealhelper.go b/helper/testhelpers/seal/sealhelper.go
index 5c5b7e48c5..5df55a7425 100644
--- a/helper/testhelpers/seal/sealhelper.go
+++ b/helper/testhelpers/seal/sealhelper.go
@@ -4,8 +4,10 @@
 package sealhelper
 
 import (
+	"fmt"
 	"path"
 	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/vault/api"
@@ -14,9 +16,12 @@ import (
 	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
 	"github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
 	"github.com/hashicorp/vault/vault/seal"
+	"github.com/stretchr/testify/require"
 )
 
 type TransitSealServer struct {
@@ -36,7 +41,6 @@ func NewTransitSealServer(t testing.TB, idx int) *TransitSealServer {
 	}
 	teststorage.InmemBackendSetup(conf, opts)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
 
 	if err := cluster.Cores[0].Client.Sys().Mount("transit", &api.MountInput{
 		Type: "transit",
@@ -79,3 +83,62 @@ func (tss *TransitSealServer) MakeSeal(t testing.TB, key string) (vault.Seal, er
 	}
 	return vault.NewAutoSeal(access), nil
 }
+
+type TransitDockerSealServer struct {
+	cluster *docker.DockerCluster
+	t       *testing.T
+}
+
+func NewTransitDockerSealServer(t *testing.T) *TransitDockerSealServer {
+	opts := docker.DefaultOptions(t)
+	opts.NumCores = 1
+	opts.ImageRepo, opts.ImageTag = "hashicorp/vault", "latest"
+	opts.VaultNodeConfig.StorageOptions = map[string]string{
+		"performance_multiplier": "1",
+	}
+	opts.DisableTLS = true // simplify, this way we don't have to deal with ca
+	opts.ClusterName = strings.ReplaceAll(t.Name()+"-transit", "/", "-")
+	return &TransitDockerSealServer{t: t, cluster: docker.NewTestDockerCluster(t, opts)}
+}
+
+func (tc *TransitDockerSealServer) APIClient() *api.Client {
+	return tc.cluster.Nodes()[0].APIClient()
+}
+
+func (tc *TransitDockerSealServer) SealWithPriorityAndDisabled(name string, idx int, disabled bool, priority int) testcluster.VaultNodeSealConfig {
+	seal := tc.Seal(name, idx)
+	seal.Config["disabled"] = strconv.FormatBool(disabled)
+	seal.Config["priority"] = strconv.Itoa(priority)
+	return seal
+}
+
+// Seal creates a seal using the given mount name and an idx that identifies a key.
+// The mount and key will be created.
+func (tc *TransitDockerSealServer) Seal(name string, idx int) testcluster.VaultNodeSealConfig {
+	client := tc.cluster.Nodes()[0].APIClient()
+	if m, _ := client.Sys().GetMount(name); m == nil {
+		require.NoError(tc.t, client.Sys().Mount(name, &api.MountInput{
+			Type: "transit",
+		}))
+	}
+
+	keyName := fmt.Sprintf("transit-seal-%d", idx+1)
+
+	_, err := client.Logical().Write(path.Join(name, "keys", keyName), nil)
+	require.NoError(tc.t, err)
+
+	return testcluster.VaultNodeSealConfig{
+		Type: "transit",
+		Config: map[string]string{
+			// For another docker container to talk to this cluster they
+			// must use the real api address, not the remapped localhost
+			// address test code uses.
+			"address":    tc.cluster.Nodes()[0].(*docker.DockerClusterNode).RealAPIAddr,
+			"token":      tc.cluster.GetRootToken(),
+			"mount_path": name,
+			"key_name":   keyName,
+			"name":       strings.ReplaceAll(name, " ", "_") + "-" + keyName,
+			"priority":   "1",
+		},
+	}
+}
diff --git a/helper/testhelpers/testimages/hsm.go b/helper/testhelpers/testimages/hsm.go
new file mode 100644
index 0000000000..1a4d41af4b
--- /dev/null
+++ b/helper/testhelpers/testimages/hsm.go
@@ -0,0 +1,252 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+package testimages
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/helper/constants"
+	dockhelper "github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/stretchr/testify/require"
+)
+
+// GetImageRepoAndTag returns an image repo and tag that can be used to start a vault
+// node via docker.  Env vars are used as inputs: either VAULT_BINARY and VAULT_IMAGE
+// if hsm is false, or VAULT_HSM_BINARY and VAULT_HSM_IMAGE if hsm is true.
+//
+// If a matching image var is set, we split that on ":" and return the two pieces
+// as the repo and tag.  If instead a matching binary var is set, we create an image
+// using a vault-enterprise docker image as a starting point, then add softhsm
+// (when hsm is true) and the specified binary to it.  If neither the image or binary var
+// are set, we fail the test.
+//
+// For devs on their workstations, they can either create an image or a binary and
+// set the env vars appropriately.  Creating an hsm linux binary is more challenging and
+// time-consuming than creating a regular binary, so we don't want to impose that
+// on people running tests that don't require one.
+//
+// See also tools/testimagemaker for a way to build an image for this purpose
+// from the CLI.
+func GetImageRepoAndTag(t *testing.T, hsm bool) (string, string) {
+	t.Helper()
+	repo, tag, output, err := CreateOrReturnDockerImage(hsm)
+	if err != nil && output != nil {
+		t.Logf("docker image create output: %s", output)
+	}
+
+	require.NoError(t, err)
+
+	// t.Logf("used bin=%s (%q) and img=%s (%q) to create %s:%s", bin, os.Getenv(bin), img, os.Getenv(img), repo, tag)
+	t.Cleanup(func() {
+		// When image build fails, it doesn't always return an error, but typically the error
+		// is visible in the output
+		if t.Failed() && output != nil {
+			t.Logf("docker image create output: %s", output)
+		}
+	})
+
+	return repo, tag
+}
+
+// CreateOrReturnDockerImage looks at the vaultBinary and vaultImage params.
+// If vaultImage is populated, it is split by ":" and the two pieces are returned
+// as the repo and tag.  If vault_binary is populated, an image is created based on
+// the latest hsm image.
+// (TODO: currently hardcoded as "docker.io/hashicorp/vault-enterprise:2.0.1-ent.hsm")
+// This is done by installing SoftHSM and the vaultBinary on top of that image.
+// If neither is populated an error is returned.
+func CreateOrReturnDockerImage(hsm bool) (repo string, tag string, output []byte, err error) {
+	binVar, imgVar := "VAULT_BINARY", "VAULT_IMAGE"
+	if hsm {
+		binVar, imgVar = "VAULT_HSM_BINARY", "VAULT_HSM_IMAGE"
+	}
+	bin, img := os.Getenv(binVar), os.Getenv(imgVar)
+	switch {
+	case bin == "" && img == "":
+		return "", "", nil, fmt.Errorf("no docker image or binary provided")
+	case img != "":
+		// Ignore the binary if an image is specified
+		pieces := strings.Split(img, ":")
+		if len(pieces) != 2 {
+			return "", "", nil, fmt.Errorf("bad input image format %q", img)
+		}
+		return pieces[0], pieces[1], nil, nil
+	default:
+		base := "hashicorp/vault"
+		if constants.IsEnterprise {
+			base += "-enterprise"
+		}
+		repo := base + "-ci"
+		tag := "latest"
+		source := "docker.io/" + base + ":latest"
+		if hsm {
+			source = "docker.io/hashicorp/vault-enterprise:2.0.1-ent.hsm"
+			tag = "latest-hsm"
+		}
+		target := fmt.Sprintf("%s:%s", repo, tag)
+		var output []byte
+		var err error
+		if hsm {
+			output, err = CreateHSMDockerImage(source, target, bin)
+		} else {
+			output, err = CreateNonHSMDockerImage(source, target, bin)
+		}
+		return repo, tag, output, err
+	}
+}
+
+func createBuildContextWithBinary(vaultBinary string) (dockhelper.BuildContext, error) {
+	f, err := os.Open(vaultBinary)
+	if err != nil {
+		return nil, fmt.Errorf("error opening vault binary file: %w", err)
+	}
+	data, err := io.ReadAll(f)
+	if err != nil {
+		return nil, fmt.Errorf("error reading vault binary file: %w", err)
+	}
+
+	bCtx := dockhelper.NewBuildContext()
+	bCtx["vault"] = &dockhelper.FileContents{
+		Data: data,
+		Mode: 0o755,
+	}
+
+	return bCtx, nil
+}
+
+// createDockerImage creates an image named toImage from the given context and Dockerfile.
+func createDockerImage(toImage, containerFile string, bCtx dockhelper.BuildContext) ([]byte, error) {
+	client, err := dockhelper.NewDockerAPI()
+	if err != nil {
+		return nil, err
+	}
+
+	output, err := dockhelper.BuildImage(context.Background(), client, containerFile, bCtx,
+		dockhelper.BuildRemove(true),
+		dockhelper.BuildForceRemove(true),
+		dockhelper.BuildPullParent(true),
+		dockhelper.BuildTags([]string{toImage}))
+	if err != nil {
+		return nil, fmt.Errorf("error building docker image: %w (output: %s)", err, output)
+	}
+
+	return output, nil
+}
+
+func CreateNonHSMDockerImage(fromImage, toImage, vaultBinary string) ([]byte, error) {
+	bCtx := dockhelper.NewBuildContext()
+	var err error
+	bCtx, err = createBuildContextWithBinary(vaultBinary)
+	if err != nil {
+		return nil, err
+	}
+
+	containerFile := fmt.Sprintf(`
+FROM %s
+USER root
+
+COPY vault /bin/vault
+
+USER vault
+CMD ["server", "-dev"]
+`, fromImage)
+	return createDockerImage(toImage, containerFile, bCtx)
+}
+
+// CreateHSMDockerImage creates a new vault-enterprise hsm docker image from an existing
+// hsm image.  The new image includes softhsm, and optionally a new vault binary.
+func CreateHSMDockerImage(fromImage, toImage, vaultBinary string) ([]byte, error) {
+	bCtx := dockhelper.NewBuildContext()
+	if vaultBinary != "" {
+		var err error
+		bCtx, err = createBuildContextWithBinary(vaultBinary)
+		if err != nil {
+			return nil, err
+		}
+	}
+	bCtx["setup-softhsm.sh"] = &dockhelper.FileContents{
+		Data: []byte(`#!/bin/bash
+
+mkdir -p /vault/file/softhsm/tokens
+
+# only create a new slot if there isn't an existing one
+if [ ! -e /vault/file/hsm-slot ]; then
+	softhsm2-util --init-token --slot 0 --so-pin=12345 --pin=12345 --label "vault" | grep -oE '[0-9]+$' > /vault/file/hsm-slot
+fi
+
+exec docker-entrypoint.sh "$@"
+`),
+		Mode: 0o755,
+	}
+
+	bCtx["centos-stream.repo"] = &dockhelper.FileContents{
+		Data: []byte(`
+[centos-10-baseos]
+name=CentOS Stream 10 - BaseOS
+baseurl=https://mirror.stream.centos.org/10-stream/BaseOS/$basearch/os/
+gpgcheck=0
+enabled=1
+
+[centos-10-appstream]
+name=CentOS Stream 10 - AppStream
+baseurl=https://mirror.stream.centos.org/10-stream/AppStream/$basearch/os/
+gpgcheck=0
+enabled=1
+`),
+		Mode: 0o644,
+	}
+
+	containerFile := fmt.Sprintf(`FROM %s AS builder
+USER root
+
+COPY centos-stream.repo /etc/yum.repos.d
+
+RUN microdnf install -y tar gzip wget make gcc gcc-c++ openssl-devel sudo microdnf automake autoconf libtool pkg-config
+
+RUN pwd
+
+RUN wget https://github.com/softhsm/SoftHSMv2/archive/refs/tags/2.7.0.tar.gz
+RUN echo "be14a5820ec457eac5154462ffae51ba5d8a643f6760514d4b4b83a77be91573 2.7.0.tar.gz" | sha256sum -c
+RUN tar -xzf 2.7.0.tar.gz
+
+# disable GOST cryptography as it requires extra plugins
+RUN cd SoftHSMv2-2.7.0 && sh autogen.sh && ./configure --disable-gost && make
+
+FROM %s
+
+USER root
+
+COPY --from=builder /SoftHSMv2-2.7.0/src/lib/.libs/libsofthsm2.so /usr/lib64/libsofthsm2.so
+COPY --from=builder /SoftHSMv2-2.7.0/src/bin/util/softhsm2-util /usr/bin/softhsm2-util
+COPY --from=builder /SoftHSMv2-2.7.0/src/lib/common/softhsm2.conf /etc/softhsm2.conf
+RUN mkdir /usr/local/lib/softhsm && ln /usr/lib64/libsofthsm2.so /usr/local/lib/softhsm/libsofthsm2.so
+
+# Put the tokens under /vault/file since that's the data volume, and if we want
+# to start a cluster using a pre-existing volume (i.e. resuming from a previous
+# cluster) we need the tokens in order to unseal/unsealwrap.
+RUN sed -i 's|directories.tokendir = .*|directories.tokendir = /vault/file/softhsm/tokens|g' /etc/softhsm2.conf
+
+RUN sed -i 's/log.level = ERROR/log.level = DEBUG/' /etc/softhsm2.conf
+
+COPY setup-softhsm.sh /usr/local/bin/setup-softhsm.sh
+
+COPY vault /bin/vault
+
+USER vault
+CMD ["server", "-dev"]
+ENTRYPOINT ["setup-softhsm.sh"]
+`, fromImage, fromImage)
+	return createDockerImage(toImage, containerFile, bCtx)
+}
+
+const (
+	PKCS11Library    = "/usr/lib64/libsofthsm2.so"
+	PKCS11Pin        = "12345"
+	PKCS11TokenLabel = "vault"
+)
diff --git a/http/auth_token_test.go b/http/auth_token_test.go
index 32f5aa5e17..f5b3898597 100644
--- a/http/auth_token_test.go
+++ b/http/auth_token_test.go
@@ -63,7 +63,7 @@ func TestAuthTokenCreate(t *testing.T) {
 		t.Fatal(err)
 	}
 	if secret.Auth.LeaseDuration != 3600 {
-		t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
+		t.Errorf("expected 1h, got %d", secret.Auth.LeaseDuration)
 	}
 
 	renewCreateRequest := &api.TokenCreateRequest{
@@ -76,7 +76,7 @@ func TestAuthTokenCreate(t *testing.T) {
 		t.Fatal(err)
 	}
 	if secret.Auth.LeaseDuration != 3600 {
-		t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
+		t.Errorf("expected 1h, got %d", secret.Auth.LeaseDuration)
 	}
 	if secret.Auth.Renewable {
 		t.Errorf("expected non-renewable token")
@@ -88,7 +88,7 @@ func TestAuthTokenCreate(t *testing.T) {
 		t.Fatal(err)
 	}
 	if secret.Auth.LeaseDuration != 3600 {
-		t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
+		t.Errorf("expected 1h, got %d", secret.Auth.LeaseDuration)
 	}
 	if !secret.Auth.Renewable {
 		t.Errorf("expected renewable token")
@@ -113,7 +113,7 @@ func TestAuthTokenCreate(t *testing.T) {
 		t.Fatal(err)
 	}
 	if secret.Auth.LeaseDuration != 3600 {
-		t.Errorf("expected 3600 seconds, got %q", secret.Auth.LeaseDuration)
+		t.Errorf("expected 3600 seconds, got %d", secret.Auth.LeaseDuration)
 	}
 }
 
@@ -253,9 +253,6 @@ func TestToken_InvalidTokenError(t *testing.T) {
 		HandlerFunc: Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 	vault.TestWaitActive(t, cores[0].Core)
 
diff --git a/http/custom_header_test.go b/http/custom_header_test.go
index d0f90387e1..ca295a8910 100644
--- a/http/custom_header_test.go
+++ b/http/custom_header_test.go
@@ -4,6 +4,7 @@
 package http
 
 import (
+	"net/http"
 	"testing"
 
 	"github.com/hashicorp/vault/vault"
@@ -83,8 +84,8 @@ func TestCustomResponseHeaders(t *testing.T) {
 	testResponseStatus(t, resp, 200)
 	testResponseHeader(t, resp, customHeader200)
 
-	resp = testHttpGet(t, token, addr+"/v1/sys/generate-root/update")
-	testResponseStatus(t, resp, 400)
+	resp = testHttpGet(t, token, addr+"/v1/sys/rekey/verify")
+	testResponseStatus(t, resp, http.StatusBadRequest)
 	testResponseHeader(t, resp, defaultCustomHeaders)
 	testResponseHeader(t, resp, customHeader4xx)
 	testResponseHeader(t, resp, customHeader400)
diff --git a/http/forwarded_for_test.go b/http/forwarded_for_test.go
index e463b15699..0fc5eb7086 100644
--- a/http/forwarded_for_test.go
+++ b/http/forwarded_for_test.go
@@ -54,8 +54,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -97,8 +95,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -133,8 +129,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -167,8 +161,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -201,8 +193,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -238,8 +228,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -276,8 +264,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -313,8 +299,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -352,8 +336,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -393,8 +375,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -431,8 +411,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
@@ -459,8 +437,6 @@ func TestHandler_XForwardedFor(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 			HandlerFunc: HandlerFunc(testHandler),
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		client := cluster.Cores[0].Client
 
 		req := client.NewRequest("GET", "/")
diff --git a/http/forwarding_bench_test.go b/http/forwarding_bench_test.go
index 1849791188..8392c6185d 100644
--- a/http/forwarding_bench_test.go
+++ b/http/forwarding_bench_test.go
@@ -35,8 +35,6 @@ func BenchmarkHTTP_Forwarding_Stress(b *testing.B) {
 		HandlerFunc: Handler,
 		Logger:      logging.NewVaultLoggerWithWriter(ioutil.Discard, log.Error),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
 	// make it easy to get access to the active
diff --git a/http/forwarding_test.go b/http/forwarding_test.go
index 1e54a6b5c9..a8e9bb15ea 100644
--- a/http/forwarding_test.go
+++ b/http/forwarding_test.go
@@ -39,14 +39,8 @@ func TestHTTP_Fallback_Bad_Address(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
-	// make it easy to get access to the active
-	core := cores[0].Core
-	vault.TestWaitActive(t, core)
-
 	addrs := []string{
 		fmt.Sprintf("https://127.0.0.1:%d", cores[1].Listeners[0].Address.Port),
 		fmt.Sprintf("https://127.0.0.1:%d", cores[2].Listeners[0].Address.Port),
@@ -87,14 +81,8 @@ func TestHTTP_Fallback_Disabled(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
-	// make it easy to get access to the active
-	core := cores[0].Core
-	vault.TestWaitActive(t, core)
-
 	addrs := []string{
 		fmt.Sprintf("https://127.0.0.1:%d", cores[1].Listeners[0].Address.Port),
 		fmt.Sprintf("https://127.0.0.1:%d", cores[2].Listeners[0].Address.Port),
@@ -144,13 +132,8 @@ func testHTTP_Forwarding_Stress_Common(t *testing.T, parallel bool, num uint32)
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
-
-	// make it easy to get access to the active
 	core := cores[0].Core
-	vault.TestWaitActive(t, core)
 
 	wg := sync.WaitGroup{}
 
@@ -452,14 +435,8 @@ func TestHTTP_Forwarding_ClientTLS(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
-	// make it easy to get access to the active
-	core := cores[0].Core
-	vault.TestWaitActive(t, core)
-
 	transport := cleanhttp.DefaultTransport()
 	transport.TLSClientConfig = cores[0].TLSConfig()
 	if err := http2.ConfigureTransport(transport); err != nil {
@@ -565,12 +542,8 @@ func TestHTTP_Forwarding_HelpOperation(t *testing.T) {
 	cluster := vault.NewTestCluster(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
-	vault.TestWaitActive(t, cores[0].Core)
-
 	testHelp := func(client *api.Client) {
 		help, err := client.Help("auth/token")
 		if err != nil {
@@ -589,12 +562,8 @@ func TestHTTP_Forwarding_LocalOnly(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
-	vault.TestWaitActive(t, cores[0].Core)
-
 	testLocalOnly := func(client *api.Client) {
 		_, err := client.Logical().Read("sys/config/state/sanitized")
 		if err == nil {
diff --git a/http/handler.go b/http/handler.go
index 00d0d13876..d7c70033b5 100644
--- a/http/handler.go
+++ b/http/handler.go
@@ -6,6 +6,7 @@ package http
 import (
 	"bytes"
 	"context"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -21,8 +22,10 @@ import (
 	"net/textproto"
 	"net/url"
 	"os"
+	"path"
 	"regexp"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/hashicorp/errwrap"
@@ -94,6 +97,12 @@ const (
 	// to pass the snapshot ID
 	VaultSnapshotRecoverHeader = "X-Vault-Recover-Snapshot-Id"
 
+	// DefaultMaxTokenHeaderSize is the default maximum size in bytes for an
+	// authentication token passed in the X-Vault-Token and Authorization: Bearer
+	// headers. This is to prevent a denial of service attack via unbounded
+	// header values. Can be overridden per listener.
+	DefaultMaxTokenHeaderSize = 8 * 1024 // 8 KB
+
 	// CustomMaxJSONDepth specifies the maximum nesting depth of a JSON object.
 	// This limit is designed to prevent stack exhaustion attacks from deeply
 	// nested JSON payloads, which could otherwise lead to a denial-of-service
@@ -181,6 +190,25 @@ var (
 	oidcProtectedPathRegex = regexp.MustCompile(`^identity/oidc/provider/\w(([\w-.]+)?\w)?/userinfo$`)
 )
 
+// TokenHeaderMaxBytes returns the http.Server.MaxHeaderBytes value for the
+// given listener configuration. A negative CustomMaxTokenHeaderSize disables
+// the limit; zero falls back to DefaultMaxTokenHeaderSize.
+func TokenHeaderMaxBytes(lnConfig *configutil.Listener) int {
+	if lnConfig == nil {
+		return DefaultMaxTokenHeaderSize
+	}
+	switch {
+	case lnConfig.CustomMaxTokenHeaderSize < 0:
+		// Limit explicitly disabled; leave http.Server.MaxHeaderBytes unset so
+		// the stdlib default (1 MB) applies.
+		return 0
+	case lnConfig.CustomMaxTokenHeaderSize > 0:
+		return int(lnConfig.CustomMaxTokenHeaderSize)
+	default:
+		return DefaultMaxTokenHeaderSize
+	}
+}
+
 func init() {
 	alwaysRedirectPaths.AddPaths([]string{
 		"sys/storage/raft/snapshot",
@@ -208,9 +236,52 @@ func (h HandlerFunc) Handler(props *vault.HandlerProperties) http.Handler {
 
 var _ vault.HandlerHandler = HandlerFunc(func(props *vault.HandlerProperties) http.Handler { return nil })
 
+type handlerSettings struct {
+	unauthRekey            bool
+	unauthGenerateRoot     bool
+	unauthDROperationToken bool
+}
+
+func getHandlerSettings(core *vault.Core) handlerSettings {
+	return handlerSettings{
+		unauthRekey:            core.GetEnableUnauthRekey(),
+		unauthGenerateRoot:     core.GetEnableUnauthGenerateRoot(),
+		unauthDROperationToken: core.GetEnableUnauthDROperationToken(),
+	}
+}
+
 // handler returns an http.Handler for the API. This can be used on
 // its own to mount the Vault API within another web server.
 func handler(props *vault.HandlerProperties) http.Handler {
+	var l sync.RWMutex
+	settings := getHandlerSettings(props.Core)
+	hws := handlerWithSettings(props, settings)
+
+	return http.HandlerFunc(func(writer http.ResponseWriter, req *http.Request) {
+		newSettings := getHandlerSettings(props.Core)
+
+		l.RLock()
+		changed := settings != newSettings
+		// Create a local copy so that we don't have to hold the lock while
+		// running the handler
+		myhws := hws
+		l.RUnlock()
+
+		if changed {
+			l.Lock()
+			if settings != newSettings {
+				settings = newSettings
+				hws = handlerWithSettings(props, settings)
+				myhws = hws
+			}
+			l.Unlock()
+		}
+
+		myhws.ServeHTTP(writer, req)
+	})
+}
+
+func handlerWithSettings(props *vault.HandlerProperties, settings handlerSettings) http.Handler {
 	core := props.Core
 
 	// Create the muxer to handle the actual endpoints
@@ -246,16 +317,27 @@ func handler(props *vault.HandlerProperties) http.Handler {
 			WithRedactClusterName(props.ListenerConfig.RedactClusterName),
 			WithRedactVersion(props.ListenerConfig.RedactVersion)))
 		mux.Handle("/v1/sys/monitor", handleLogicalNoForward(core, chrootNamespace))
-		mux.Handle("/v1/sys/generate-root/attempt", handleRequestForwarding(core,
-			handleAuditNonLogical(core, handleSysGenerateRootAttempt(core, vault.GenerateStandardRootTokenStrategy))))
-		mux.Handle("/v1/sys/generate-root/update", handleRequestForwarding(core,
-			handleAuditNonLogical(core, handleSysGenerateRootUpdate(core, vault.GenerateStandardRootTokenStrategy))))
-		mux.Handle("/v1/sys/rekey/init", handleRequestForwarding(core, handleSysRekeyInit(core, false)))
-		mux.Handle("/v1/sys/rekey/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, false)))
-		mux.Handle("/v1/sys/rekey/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, false)))
-		mux.Handle("/v1/sys/rekey-recovery-key/init", handleRequestForwarding(core, handleSysRekeyInit(core, true)))
-		mux.Handle("/v1/sys/rekey-recovery-key/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, true)))
-		mux.Handle("/v1/sys/rekey-recovery-key/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, true)))
+
+		// Register generate-root endpoints as unauthenticated handlers only if unauthGenerateRoot is true.
+		// When false, these endpoints will be handled by the sys backend as authenticated endpoints.
+		if settings.unauthGenerateRoot {
+			mux.Handle("/v1/sys/generate-root/attempt", handleRequestForwarding(core,
+				handleAuditNonLogical(core, handleSysGenerateRootAttempt(core, vault.GenerateStandardRootTokenStrategy))))
+			mux.Handle("/v1/sys/generate-root/update", handleRequestForwarding(core,
+				handleAuditNonLogical(core, handleSysGenerateRootUpdate(core, vault.GenerateStandardRootTokenStrategy))))
+		}
+
+		// Register rekey endpoints as unauthenticated handlers only if unauthRekey is true.
+		// When false (the default), these endpoints will be handled by the sys backend as authenticated endpoints.
+		if settings.unauthRekey {
+			mux.Handle("/v1/sys/rekey/init", handleRequestForwarding(core, handleSysRekeyInit(core, false)))
+			mux.Handle("/v1/sys/rekey/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, false)))
+			mux.Handle("/v1/sys/rekey/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, false)))
+			mux.Handle("/v1/sys/rekey-recovery-key/init", handleRequestForwarding(core, handleSysRekeyInit(core, true)))
+			mux.Handle("/v1/sys/rekey-recovery-key/update", handleRequestForwarding(core, handleSysRekeyUpdate(core, true)))
+			mux.Handle("/v1/sys/rekey-recovery-key/verify", handleRequestForwarding(core, handleSysRekeyVerify(core, true)))
+		}
+
 		mux.Handle("/v1/sys/storage/raft/bootstrap", handleSysRaftBootstrap(core))
 		mux.Handle("/v1/sys/storage/raft/join", handleSysRaftJoin(core))
 		mux.Handle("/v1/sys/internal/ui/feature-flags", handleSysInternalFeatureFlags(core))
@@ -302,7 +384,9 @@ func handler(props *vault.HandlerProperties) http.Handler {
 		} else {
 			mux.Handle("/v1/sys/in-flight-req", handleLogicalNoForward(core, chrootNamespace))
 		}
-		entAdditionalRoutes(mux, core)
+		if settings.unauthDROperationToken {
+			entDROperationRoutes(mux, core)
+		}
 	}
 
 	// Build up a chain of wrapping handlers.
@@ -313,6 +397,7 @@ func handler(props *vault.HandlerProperties) http.Handler {
 	wrappedHandler = rateLimitQuotaWrapping(wrappedHandler, core)
 	wrappedHandler = entWrapGenericHandler(core, wrappedHandler, props)
 	wrappedHandler = wrapMaxRequestSizeHandler(wrappedHandler, props)
+	wrappedHandler = wrapTokenHeaderSizeHandler(wrappedHandler, props)
 	wrappedHandler = priority.WrapRequestPriorityHandler(wrappedHandler)
 
 	// Add an extra wrapping handler if the DisablePrintableCheck listener
@@ -375,10 +460,7 @@ func (w *copyResponseWriter) WriteHeader(code int) {
 
 func handleAuditNonLogical(core *vault.Core, h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		origBody := new(bytes.Buffer)
-		reader := io.NopCloser(io.TeeReader(r.Body, origBody))
-		r.Body = reader
-		req, _, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), w, r)
+		req, origBody, status, err := buildLogicalRequestNoAuth(core.PerfStandby(), core.RouterAccess(), w, r)
 		if err != nil || status != 0 {
 			respondError(w, status, err)
 			return
@@ -427,6 +509,13 @@ func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerPr
 
 	var hf func(w http.ResponseWriter, r *http.Request)
 	hf = func(w http.ResponseWriter, r *http.Request) {
+		// Generate CSP nonce once for this request
+		cspNonce, err := generateCSPNonce()
+		if err != nil {
+			respondError(w, http.StatusInternalServerError, fmt.Errorf("failed to generate CSP nonce: %w", err))
+			return
+		}
+
 		// This block needs to be here so that upon sending SIGHUP, custom response
 		// headers are also reloaded into the handlers.
 		var customHeaders map[string][]*logical.CustomHeader
@@ -437,17 +526,19 @@ func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerPr
 				customHeaders = listenerCustomHeaders.StatusCodeHeaderMap
 			}
 		}
+
 		// saving start time for the in-flight requests
 		inFlightReqStartTime := time.Now()
 
-		nw := logical.NewStatusHeaderResponseWriter(w, customHeaders)
+		nw := logical.NewStatusHeaderResponseWriter(w, customHeaders, cspNonce)
 
 		// Set the Cache-Control header for all the responses returned
 		// by Vault
 		nw.Header().Set("Cache-Control", "no-store")
 
-		// Start with the request context
+		// Start with the request context and store the CSP nonce
 		ctx := r.Context()
+		ctx = context.WithValue(ctx, cspNonceContextKey{}, cspNonce)
 		var cancelFunc context.CancelFunc
 		// Add our timeout, but not for the monitor or events endpoints, as they are streaming
 		// Request URL path for sys/monitor looks like /v1/sys/monitor
@@ -476,7 +567,36 @@ func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerPr
 
 		// Extract the namespace from the header before we modify it
 		ns := r.Header.Get(consts.NamespaceHeaderName)
+
+		originalPath := r.URL.Path
+		// cleanPath is copied directly from net/http/server.go
+		// it returns the canonical path for p, eliminating . and .. elements.
+		cleanPath := func(p string) string {
+			if p == "" {
+				return "/"
+			}
+			if p[0] != '/' {
+				p = "/" + p
+			}
+			np := path.Clean(p)
+			// path.Clean removes trailing slash except for root;
+			// put the trailing slash back if necessary.
+			if p[len(p)-1] == '/' && np != "/" {
+				// Fast path for common case of p being the string we want:
+				if len(p) == len(np)+1 && strings.HasPrefix(p, np) {
+					np = p
+				} else {
+					np += "/"
+				}
+			}
+			return np
+		}
+		cleanedPath := cleanPath(originalPath)
 		switch {
+		case originalPath != cleanedPath:
+			http.Redirect(w, r, r.URL.Path, http.StatusTemporaryRedirect)
+			cancelFunc()
+			return
 		case strings.HasPrefix(r.URL.Path, "/v1/"):
 			// Setting the namespace in the header to be included in the error message
 			newR, status, err := adjustRequest(core, props.ListenerConfig, r)
@@ -735,6 +855,15 @@ func WrapForwardedForHandler(h http.Handler, l *configutil.Listener) http.Handle
 	})
 }
 
+// generateCSPNonce generates a cryptographically secure random nonce for CSP
+func generateCSPNonce() (string, error) {
+	nonceBytes := make([]byte, 16)
+	if _, err := rand.Read(nonceBytes); err != nil {
+		return "", fmt.Errorf("failed to generate CSP nonce: %w", err)
+	}
+	return base64.StdEncoding.EncodeToString(nonceBytes), nil
+}
+
 func handleUIHeaders(core *vault.Core, h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		header := w.Header()
@@ -745,8 +874,22 @@ func handleUIHeaders(core *vault.Core, h http.Handler) http.Handler {
 			return
 		}
 
+		// Retrieve CSP nonce from request context (generated in wrapGenericHandler)
+		nonce, ok := req.Context().Value(cspNonceContextKey{}).(string)
+		if !ok || nonce == "" {
+			// Fallback: generate a new nonce if not found in context
+			nonce, err = generateCSPNonce()
+			if err != nil {
+				respondError(w, http.StatusInternalServerError, err)
+				return
+			}
+		}
+
 		for k := range userHeaders {
 			v := userHeaders.Get(k)
+			if k == "Content-Security-Policy" {
+				v = logical.MergeNonceIntoCSP(v, nonce, "style-src")
+			}
 			header.Set(k, v)
 		}
 
@@ -754,16 +897,74 @@ func handleUIHeaders(core *vault.Core, h http.Handler) http.Handler {
 	})
 }
 
+// cspNonceContextKey is used to store the CSP nonce in the request context
+type cspNonceContextKey struct{}
+
 func handleUI(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		// The fileserver handler strips trailing slashes and does a redirect.
 		// We don't want the redirect to happen so we preemptively trim the slash
 		// here.
 		req.URL.Path = strings.TrimSuffix(req.URL.Path, "/")
+
+		// For relevant HTML requests, wrap the response writer to inject the nonce
+		hasExtension := strings.Contains(req.URL.Path, ".")
+		if !hasExtension {
+			nonce, ok := req.Context().Value(cspNonceContextKey{}).(string)
+			if ok && nonce != "" {
+				nrw := &nonceResponseWriter{
+					ResponseWriter: w,
+					nonce:          nonce,
+				}
+				h.ServeHTTP(nrw, req)
+				// Flush the buffered content after the handler completes
+				nrw.flush()
+				return
+			}
+		}
+
 		h.ServeHTTP(w, req)
 	})
 }
 
+// nonceResponseWriter wraps http.ResponseWriter to inject CSP nonce into HTML
+type nonceResponseWriter struct {
+	http.ResponseWriter
+	nonce       string
+	wroteHeader bool
+	buf         bytes.Buffer
+}
+
+func (nrw *nonceResponseWriter) Write(b []byte) (int, error) {
+	if !nrw.wroteHeader {
+		nrw.WriteHeader(http.StatusOK)
+	}
+
+	// Buffer the content
+	nrw.buf.Write(b)
+	return len(b), nil
+}
+
+func (nrw *nonceResponseWriter) WriteHeader(statusCode int) {
+	if nrw.wroteHeader {
+		return
+	}
+	nrw.wroteHeader = true
+	nrw.ResponseWriter.WriteHeader(statusCode)
+}
+
+func (nrw *nonceResponseWriter) flush() {
+	// Inject nonce into buffered content
+	htmlContent := nrw.buf.String()
+	if htmlContent != "" && nrw.nonce != "" {
+		nonceMetaTag := fmt.Sprintf(`<meta name="csp-nonce" content="%s">`, nrw.nonce)
+		htmlContent = strings.Replace(htmlContent, "<head>", "<head>\n    "+nonceMetaTag, 1)
+	}
+
+	// Write the modified content
+	nrw.ResponseWriter.Write([]byte(htmlContent))
+}
+
 func handleUIStub() http.Handler {
 	stubHTML := `
 	<!DOCTYPE html>
@@ -1456,6 +1657,23 @@ func respondErrorCommon(w http.ResponseWriter, req *logical.Request, resp *logic
 			respondErrorAndData(w, statusCode, data, newErr)
 			return true
 		}
+		if body := resp.Data[logical.HTTPRawBodyError]; body != nil {
+			if code := resp.Data[logical.HTTPStatusCode]; code != nil {
+				if i, ok := code.(int); ok {
+					// Defensively ignore non-int status codes
+					statusCode = i
+				}
+			}
+			switch v := body.(type) {
+			case string:
+				logical.RespondWithBody(w, statusCode, v)
+			case []byte:
+				logical.RespondWithBody(w, statusCode, string(v))
+			default:
+				respondError(w, http.StatusInternalServerError, fmt.Errorf("unable to decode body: %w", newErr))
+			}
+			return true
+		}
 	}
 	respondError(w, statusCode, newErr)
 	return true
diff --git a/http/handler_test.go b/http/handler_test.go
index e91fd40c83..fb48fd9543 100644
--- a/http/handler_test.go
+++ b/http/handler_test.go
@@ -491,6 +491,7 @@ func TestSysMounts_headerAuth(t *testing.T) {
 					"max_lease_ttl":               json.Number("0"),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []interface{}{"Authorization"},
+					"allowed_response_headers":    []interface{}{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -592,6 +593,7 @@ func TestSysMounts_headerAuth(t *testing.T) {
 				"max_lease_ttl":               json.Number("0"),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []interface{}{"Authorization"},
+				"allowed_response_headers":    []interface{}{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -895,14 +897,8 @@ func TestHandler_Parse_Form(t *testing.T) {
 	cluster := vault.NewTestCluster(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 
-	core := cores[0].Core
-	vault.TestWaitActive(t, core)
-
 	c := cleanhttp.DefaultClient()
 	c.Transport = &http.Transport{
 		TLSClientConfig: &tls.Config{
@@ -965,8 +961,6 @@ func TestHandler_MaxRequestSize(t *testing.T) {
 		HandlerFunc: Handler,
 		NumCores:    1,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	client := cluster.Cores[0].Client
 	_, err := client.KVv2("secret").Put(context.Background(), "foo", map[string]interface{}{
@@ -1201,8 +1195,6 @@ func TestHandler_JSONLimitQuotaWrappers(t *testing.T) {
 					},
 				},
 			})
-			cluster.Start()
-			defer cluster.Cleanup()
 
 			client := cluster.Cores[0].Client
 			client.SetToken(cluster.RootToken)
@@ -1251,9 +1243,6 @@ func TestAutoSnapshotLoadForwarded(t *testing.T) {
 		HandlerFunc: Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	client := cluster.Cores[1].Client
 	client.SetToken(cluster.RootToken)
 
diff --git a/http/http_test.go b/http/http_test.go
index 259b23571a..1fead416c6 100644
--- a/http/http_test.go
+++ b/http/http_test.go
@@ -20,11 +20,6 @@ import (
 )
 
 func testHttpGet(t *testing.T, token string, addr string) *http.Response {
-	loggedToken := token
-	if len(token) == 0 {
-		loggedToken = "<empty>"
-	}
-	t.Logf("Token is %s", loggedToken)
 	return testHttpData(t, "GET", token, addr, "", nil, false, 0, false)
 }
 
@@ -159,7 +154,22 @@ func testResponseHeader(t *testing.T, resp *http.Response, expectedHeaders map[s
 	t.Helper()
 	for k, v := range expectedHeaders {
 		hv := resp.Header.Get(k)
-		if v != hv {
+		// Special handling for Content-Security-Policy header which may have a nonce appended
+		if k == "Content-Security-Policy" {
+			// Check if the actual header starts with the expected value
+			// and optionally contains a nonce directive
+			if !strings.HasPrefix(hv, v) {
+				t.Fatalf("expected header value %v to start with %v, got %v", k, v, hv)
+			}
+			// Verify that if there's additional content, it's a valid nonce directive
+			if len(hv) > len(v) {
+				remainder := strings.TrimPrefix(hv, v)
+				// Should start with ; and contain style-src 'nonce-
+				if !strings.HasPrefix(remainder, ";style-src 'nonce-") {
+					t.Fatalf("expected CSP header %v=%v to have nonce appended, got %v=%v", k, v, k, hv)
+				}
+			}
+		} else if v != hv {
 			t.Fatalf("expected header value %v=%v, got %v=%v", k, v, k, hv)
 		}
 	}
diff --git a/http/logical.go b/http/logical.go
index 95a5fe4ee9..36e1618fe0 100644
--- a/http/logical.go
+++ b/http/logical.go
@@ -6,6 +6,7 @@ package http
 import (
 	"bufio"
 	"bytes"
+	"crypto/subtle"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -376,7 +377,9 @@ func handleLogicalRecovery(raw *vault.RawBackend, token *atomic.String) http.Han
 			return
 		}
 		reqToken := r.Header.Get(consts.AuthHeaderName)
-		if reqToken == "" || token.Load() == "" || reqToken != token.Load() {
+		expectedToken := token.Load()
+
+		if reqToken == "" || expectedToken == "" || subtle.ConstantTimeCompare([]byte(reqToken), []byte(expectedToken)) != 1 {
 			respondError(w, http.StatusForbidden, nil)
 			return
 		}
diff --git a/http/logical_test.go b/http/logical_test.go
index ad22616e69..6e5ca3de0d 100644
--- a/http/logical_test.go
+++ b/http/logical_test.go
@@ -708,15 +708,7 @@ func TestLogical_AuditPort(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
 	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	if err := c.Sys().Mount("kv/", &api.MountInput{
 		Type: "kv-v2",
@@ -812,15 +804,7 @@ func TestLogical_ErrRelativePath(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
 	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	err := c.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
 		Type: "userpass",
@@ -917,15 +901,7 @@ func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
 	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	// Enable the audit backend
 	tempDir := t.TempDir()
@@ -997,15 +973,7 @@ func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	cores := cluster.Cores
-
-	core := cores[0].Core
 	c := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	if err := c.Sys().Mount("kv/", &api.MountInput{
 		Type: "kv-v2",
diff --git a/http/plugin_test.go b/http/plugin_test.go
index 29a4e6b1a1..c1700b09cf 100644
--- a/http/plugin_test.go
+++ b/http/plugin_test.go
@@ -50,12 +50,10 @@ func getPluginClusterAndCore(t *testing.T, logger log.Logger) (*vault.TestCluste
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
 
 	cores := cluster.Cores
 	core := cores[0]
 
-	vault.TestWaitActive(t, core.Core)
 	vault.TestAddTestPlugin(t, core.Core, "mock-plugin", consts.PluginTypeSecrets, "", "TestPlugin_PluginMain",
 		[]string{fmt.Sprintf("%s=%s", pluginutil.PluginCACertPEMEnv, cluster.CACertPEMFile)})
 
@@ -101,8 +99,7 @@ func TestPlugin_MockList(t *testing.T) {
 	logger := log.New(&log.LoggerOptions{
 		Mutex: &sync.Mutex{},
 	})
-	cluster, core := getPluginClusterAndCore(t, logger)
-	defer cluster.Cleanup()
+	_, core := getPluginClusterAndCore(t, logger)
 
 	_, err := core.Client.Logical().Write("mock/kv/foo", map[string]interface{}{
 		"value": "baz",
@@ -139,8 +136,7 @@ func TestPlugin_MockRawResponse(t *testing.T) {
 	logger := log.New(&log.LoggerOptions{
 		Mutex: &sync.Mutex{},
 	})
-	cluster, core := getPluginClusterAndCore(t, logger)
-	defer cluster.Cleanup()
+	_, core := getPluginClusterAndCore(t, logger)
 
 	resp, err := core.Client.RawRequest(core.Client.NewRequest("GET", "/v1/mock/raw"))
 	if err != nil {
@@ -164,8 +160,7 @@ func TestPlugin_GetParams(t *testing.T) {
 	logger := log.New(&log.LoggerOptions{
 		Mutex: &sync.Mutex{},
 	})
-	cluster, core := getPluginClusterAndCore(t, logger)
-	defer cluster.Cleanup()
+	_, core := getPluginClusterAndCore(t, logger)
 
 	_, err := core.Client.Logical().Write("mock/kv/foo", map[string]interface{}{
 		"value": "baz",
diff --git a/http/sys_config_state_test.go b/http/sys_config_state_test.go
index a837911851..6921e626b8 100644
--- a/http/sys_config_state_test.go
+++ b/http/sys_config_state_test.go
@@ -183,6 +183,7 @@ func TestSysConfigState_Sanitized(t *testing.T) {
 				"post_unseal_trace_directory":    "",
 				"remove_irrevocable_lease_after": json.Number("0"),
 				"allow_audit_log_prefixing":      false,
+				"enable_unauthenticated_access":  nil,
 			}
 
 			if tc.expectedHAStorageOutput != nil {
diff --git a/http/sys_generate_root.go b/http/sys_generate_root.go
index 37bbdf0cd4..394e4086bf 100644
--- a/http/sys_generate_root.go
+++ b/http/sys_generate_root.go
@@ -4,14 +4,9 @@
 package http
 
 import (
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"fmt"
 	"io"
 	"net/http"
 
-	"github.com/hashicorp/go-secure-stdlib/base62"
 	"github.com/hashicorp/vault/vault"
 )
 
@@ -34,108 +29,36 @@ func handleSysGenerateRootAttemptGet(core *vault.Core, w http.ResponseWriter, r
 	ctx, cancel := core.GetContext()
 	defer cancel()
 
-	// Get the current seal configuration
-	barrierConfig, err := core.SealAccess().BarrierConfig(ctx)
+	status, code, err := vault.HandleSysGenerateRootAttemptGet(ctx, core, otp, true)
 	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
+		respondError(w, code, err)
 		return
 	}
-	if barrierConfig == nil {
-		respondError(w, http.StatusBadRequest, fmt.Errorf("server is not yet initialized"))
-		return
-	}
-
-	sealConfig := barrierConfig
-	if core.SealAccess().RecoveryKeySupported() {
-		sealConfig, err = core.SealAccess().RecoveryConfig(ctx)
-		if err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
-	}
-
-	// Get the generation configuration
-	generationConfig, err := core.GenerateRootConfiguration()
-	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
-		return
-	}
-
-	// Get the progress
-	progress, err := core.GenerateRootProgress()
-	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
-		return
-	}
-	var otpLength int
-	if core.DisableSSCTokens() {
-		otpLength = vault.TokenLength + vault.OldTokenPrefixLength
-	} else {
-		otpLength = vault.TokenLength + vault.TokenPrefixLength
-	}
-
-	// Format the status
-	status := &GenerateRootStatusResponse{
-		Started:   false,
-		Progress:  progress,
-		Required:  sealConfig.SecretThreshold,
-		Complete:  false,
-		OTPLength: otpLength,
-		OTP:       otp,
-	}
-	if generationConfig != nil {
-		status.Nonce = generationConfig.Nonce
-		status.Started = true
-		status.PGPFingerprint = generationConfig.PGPFingerprint
-	}
 
 	respondOk(w, status)
 }
 
 func handleSysGenerateRootAttemptPut(core *vault.Core, w http.ResponseWriter, r *http.Request, generateStrategy vault.GenerateRootStrategy) {
 	// Parse the request
-	var req GenerateRootInitRequest
+	var req vault.GenerateRootInitRequest
 	if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil && err != io.EOF {
 		respondError(w, http.StatusBadRequest, err)
 		return
 	}
 
-	var err error
-	var genned bool
-
-	switch {
-	case len(req.PGPKey) > 0, len(req.OTP) > 0:
-	default:
-		genned = true
-		if core.DisableSSCTokens() {
-			req.OTP, err = base62.Random(vault.TokenLength + vault.OldTokenPrefixLength)
-		} else {
-			req.OTP, err = base62.Random(vault.TokenLength + vault.TokenPrefixLength)
-		}
-		if err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
-		}
-	}
-
-	// Attemptialize the generation
-	if err := core.GenerateRootInit(req.OTP, req.PGPKey, generateStrategy); err != nil {
-		respondError(w, http.StatusBadRequest, err)
+	otp, code, err := vault.HandleSysGenerateRootAttemptPut(core, generateStrategy, &req, true)
+	if err != nil {
+		respondError(w, code, err)
 		return
 	}
 
-	if genned {
-		handleSysGenerateRootAttemptGet(core, w, r, req.OTP)
-		return
-	}
-
-	handleSysGenerateRootAttemptGet(core, w, r, "")
+	handleSysGenerateRootAttemptGet(core, w, r, otp)
 }
 
 func handleSysGenerateRootAttemptDelete(core *vault.Core, w http.ResponseWriter, r *http.Request) {
-	err := core.GenerateRootCancel()
+	code, err := vault.HandleSysGenerateRootAttemptDelete(core, true)
 	if err != nil {
-		respondError(w, http.StatusInternalServerError, err)
+		respondError(w, code, err)
 		return
 	}
 	respondOk(w, nil)
@@ -144,81 +67,21 @@ func handleSysGenerateRootAttemptDelete(core *vault.Core, w http.ResponseWriter,
 func handleSysGenerateRootUpdate(core *vault.Core, generateStrategy vault.GenerateRootStrategy) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Parse the request
-		var req GenerateRootUpdateRequest
+		var req vault.GenerateRootUpdateRequest
 		if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
 			respondError(w, http.StatusBadRequest, err)
 			return
 		}
-		if req.Key == "" {
-			respondError(
-				w, http.StatusBadRequest,
-				errors.New("'key' must be specified in request body as JSON"))
-			return
-		}
-
-		// Decode the key, which is base64 or hex encoded
-		min, max := core.BarrierKeyLength()
-		key, err := hex.DecodeString(req.Key)
-		// We check min and max here to ensure that a string that is base64
-		// encoded but also valid hex will not be valid and we instead base64
-		// decode it
-		if err != nil || len(key) < min || len(key) > max {
-			key, err = base64.StdEncoding.DecodeString(req.Key)
-			if err != nil {
-				respondError(
-					w, http.StatusBadRequest,
-					errors.New("'key' must be a valid hex or base64 string"))
-				return
-			}
-		}
 
 		ctx, cancel := core.GetContext()
 		defer cancel()
 
-		// Use the key to make progress on root generation
-		result, err := core.GenerateRootUpdate(ctx, key, req.Nonce, generateStrategy)
+		resp, code, err := vault.HandleSysGenerateRootUpdate(ctx, core, generateStrategy, &req, true)
 		if err != nil {
-			respondError(w, http.StatusBadRequest, err)
+			respondError(w, code, err)
 			return
 		}
 
-		resp := &GenerateRootStatusResponse{
-			Complete:       result.Progress == result.Required,
-			Nonce:          req.Nonce,
-			Progress:       result.Progress,
-			Required:       result.Required,
-			Started:        true,
-			EncodedToken:   result.EncodedToken,
-			PGPFingerprint: result.PGPFingerprint,
-		}
-
-		if generateStrategy == vault.GenerateStandardRootTokenStrategy {
-			resp.EncodedRootToken = result.EncodedToken
-		}
-
 		respondOk(w, resp)
 	})
 }
-
-type GenerateRootInitRequest struct {
-	OTP    string `json:"otp"`
-	PGPKey string `json:"pgp_key"`
-}
-
-type GenerateRootStatusResponse struct {
-	Nonce            string `json:"nonce"`
-	Started          bool   `json:"started"`
-	Progress         int    `json:"progress"`
-	Required         int    `json:"required"`
-	Complete         bool   `json:"complete"`
-	EncodedToken     string `json:"encoded_token"`
-	EncodedRootToken string `json:"encoded_root_token"`
-	PGPFingerprint   string `json:"pgp_fingerprint"`
-	OTP              string `json:"otp"`
-	OTPLength        int    `json:"otp_length"`
-}
-
-type GenerateRootUpdateRequest struct {
-	Nonce string
-	Key   string
-}
diff --git a/http/sys_generate_root_test.go b/http/sys_generate_root_test.go
index 6dce3b361e..6217a0702b 100644
--- a/http/sys_generate_root_test.go
+++ b/http/sys_generate_root_test.go
@@ -26,90 +26,201 @@ import (
 
 var tokenLength string = fmt.Sprintf("%d", vault.TokenLength+vault.TokenPrefixLength)
 
-func TestSysGenerateRootAttempt_Status(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	resp, err := http.Get(addr + "/v1/sys/generate-root/attempt")
-	if err != nil {
-		t.Fatalf("err: %s", err)
+// TestSysGenerateRoot_Status verifies the initial output of sys/generate-root/attempt,
+// prior to actually starting a root token generation.
+func TestSysGenerateRoot_Status(t *testing.T) {
+	testCases := []struct {
+		name                     string
+		enableUnauthGenerateRoot bool
+		useToken                 bool
+		expectError              bool
+	}{
+		{
+			name:                     "default-unauthenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 false,
+			expectError:              false,
+		},
+		{
+			name:                     "default-authenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 true,
+			expectError:              false,
+		},
+		{
+			name:                     "auth-required-without-token",
+			enableUnauthGenerateRoot: false,
+			useToken:                 false,
+			expectError:              true,
+		},
+		{
+			name:                     "auth-required-with-token",
+			enableUnauthGenerateRoot: false,
+			useToken:                 true,
+			expectError:              false,
+		},
 	}
 
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"started":            false,
-		"progress":           json.Number("0"),
-		"required":           json.Number("3"),
-		"complete":           false,
-		"encoded_token":      "",
-		"encoded_root_token": "",
-		"pgp_fingerprint":    "",
-		"nonce":              "",
-		"otp_length":         json.Number(tokenLength),
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	expected["otp"] = actual["otp"]
-	if diff := deep.Equal(actual, expected); diff != nil {
-		t.Fatal(diff)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			conf := &vault.CoreConfig{}
+			if tc.enableUnauthGenerateRoot {
+				conf.EnableUnauthenticatedAccess = []string{"generate-root"}
+			}
+			cluster := vault.NewTestCluster(t, conf, &vault.TestClusterOptions{
+				HandlerFunc: Handler,
+				NumCores:    1,
+			})
+			cl := cluster.Cores[0].Client
+
+			if tc.useToken {
+				cl.SetToken(cluster.RootToken)
+			} else {
+				cl.SetToken("")
+			}
+
+			resp, err := cl.Logical().Read("sys/generate-root/attempt")
+
+			if tc.expectError {
+				if err == nil {
+					t.Fatal("expected error but got none")
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("err: %s", err)
+			}
+
+			actual := resp.Data
+			expected := map[string]interface{}{
+				"started":            false,
+				"progress":           json.Number("0"),
+				"required":           json.Number("3"),
+				"complete":           false,
+				"nonce":              "",
+				"otp":                "",
+				"otp_length":         json.Number("28"),
+				"pgp_fingerprint":    "",
+				"encoded_token":      "",
+				"encoded_root_token": "",
+			}
+
+			if !reflect.DeepEqual(actual, expected) {
+				t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
+			}
+		})
 	}
 }
 
 func TestSysGenerateRootAttempt_Setup_OTP(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", nil)
-	testResponseStatus(t, resp, 200)
-
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"started":            true,
-		"progress":           json.Number("0"),
-		"required":           json.Number("3"),
-		"complete":           false,
-		"encoded_token":      "",
-		"encoded_root_token": "",
-		"pgp_fingerprint":    "",
-		"otp_length":         json.Number(tokenLength),
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	if actual["nonce"].(string) == "" {
-		t.Fatalf("nonce was empty")
-	}
-	expected["nonce"] = actual["nonce"]
-	expected["otp"] = actual["otp"]
-	if diff := deep.Equal(actual, expected); diff != nil {
-		t.Fatal(diff)
+	testCases := []struct {
+		name                     string
+		enableUnauthGenerateRoot bool
+		useToken                 bool
+		expectError              bool
+	}{
+		{
+			name:                     "unauthenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 false,
+			expectError:              false,
+		},
+		{
+			name:                     "authenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 true,
+			expectError:              false,
+		},
+		{
+			name:                     "auth-required",
+			enableUnauthGenerateRoot: false,
+			useToken:                 true,
+			expectError:              false,
+		},
+		{
+			name:                     "auth-required-no-token",
+			enableUnauthGenerateRoot: false,
+			useToken:                 false,
+			expectError:              true,
+		},
 	}
 
-	resp = testHttpGet(t, token, addr+"/v1/sys/generate-root/attempt")
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			conf := &vault.CoreConfig{}
+			if tc.enableUnauthGenerateRoot {
+				conf.EnableUnauthenticatedAccess = []string{"generate-root"}
+			}
+			cluster := vault.NewTestCluster(t, conf, &vault.TestClusterOptions{
+				DisableTLS:  true,
+				HandlerFunc: Handler,
+				NumCores:    1,
+			})
+			cl := cluster.Cores[0].Client
 
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"started":            true,
-		"progress":           json.Number("0"),
-		"required":           json.Number("3"),
-		"complete":           false,
-		"encoded_token":      "",
-		"encoded_root_token": "",
-		"pgp_fingerprint":    "",
-		"otp":                "",
-		"otp_length":         json.Number(tokenLength),
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	if actual["nonce"].(string) == "" {
-		t.Fatalf("nonce was empty")
-	}
-	expected["nonce"] = actual["nonce"]
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
+			reqToken := ""
+			if tc.useToken {
+				reqToken = cl.Token()
+			}
+			addr := cl.Address()
+
+			resp := testHttpPut(t, reqToken, addr+"/v1/sys/generate-root/attempt", nil)
+
+			if tc.expectError {
+				testResponseStatus(t, resp, http.StatusForbidden)
+				return
+			}
+			testResponseStatus(t, resp, http.StatusOK)
+
+			var actual map[string]interface{}
+			testResponseBody(t, resp, &actual)
+
+			expected := map[string]interface{}{
+				"started":            true,
+				"progress":           json.Number("0"),
+				"required":           json.Number("3"),
+				"complete":           false,
+				"encoded_token":      "",
+				"encoded_root_token": "",
+				"pgp_fingerprint":    "",
+				"otp_length":         json.Number(tokenLength),
+			}
+
+			if actual["nonce"].(string) == "" {
+				t.Fatalf("nonce was empty")
+			}
+			expected["nonce"] = actual["nonce"]
+			expected["otp"] = actual["otp"]
+
+			if diff := deep.Equal(actual, expected); diff != nil {
+				t.Fatal(diff)
+			}
+
+			resp = testHttpGet(t, reqToken, addr+"/v1/sys/generate-root/attempt")
+
+			actual = map[string]interface{}{}
+			expected = map[string]interface{}{
+				"started":            true,
+				"progress":           json.Number("0"),
+				"required":           json.Number("3"),
+				"complete":           false,
+				"encoded_token":      "",
+				"encoded_root_token": "",
+				"pgp_fingerprint":    "",
+				"otp":                "",
+				"otp_length":         json.Number(tokenLength),
+			}
+			testResponseStatus(t, resp, http.StatusOK)
+			testResponseBody(t, resp, &actual)
+			if actual["nonce"].(string) == "" {
+				t.Fatalf("nonce was empty")
+			}
+			expected["nonce"] = actual["nonce"]
+			if !reflect.DeepEqual(actual, expected) {
+				t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
+			}
+		})
 	}
 }
 
@@ -122,7 +233,7 @@ func TestSysGenerateRootAttempt_Setup_PGP(t *testing.T) {
 	resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
 		"pgp_key": pgpkeys.TestPubKey1,
 	})
-	testResponseStatus(t, resp, 200)
+	testResponseStatus(t, resp, http.StatusOK)
 
 	resp = testHttpGet(t, token, addr+"/v1/sys/generate-root/attempt")
 
@@ -138,7 +249,7 @@ func TestSysGenerateRootAttempt_Setup_PGP(t *testing.T) {
 		"otp":                "",
 		"otp_length":         json.Number(tokenLength),
 	}
-	testResponseStatus(t, resp, 200)
+	testResponseStatus(t, resp, http.StatusOK)
 	testResponseBody(t, resp, &actual)
 	if actual["nonce"].(string) == "" {
 		t.Fatalf("nonce was empty")
@@ -149,64 +260,6 @@ func TestSysGenerateRootAttempt_Setup_PGP(t *testing.T) {
 	}
 }
 
-func TestSysGenerateRootAttempt_Cancel(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", nil)
-
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"started":            true,
-		"progress":           json.Number("0"),
-		"required":           json.Number("3"),
-		"complete":           false,
-		"encoded_token":      "",
-		"encoded_root_token": "",
-		"pgp_fingerprint":    "",
-		"otp_length":         json.Number(tokenLength),
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	if actual["nonce"].(string) == "" {
-		t.Fatalf("nonce was empty")
-	}
-	expected["nonce"] = actual["nonce"]
-	expected["otp"] = actual["otp"]
-	if diff := deep.Equal(actual, expected); diff != nil {
-		t.Fatal(diff)
-	}
-
-	resp = testHttpDelete(t, token, addr+"/v1/sys/generate-root/attempt")
-	testResponseStatus(t, resp, 204)
-
-	resp, err := http.Get(addr + "/v1/sys/generate-root/attempt")
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"started":            false,
-		"progress":           json.Number("0"),
-		"required":           json.Number("3"),
-		"complete":           false,
-		"encoded_token":      "",
-		"encoded_root_token": "",
-		"pgp_fingerprint":    "",
-		"nonce":              "",
-		"otp":                "",
-		"otp_length":         json.Number(tokenLength),
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
-	}
-}
-
 func enableNoopAudit(t *testing.T, token string, core *vault.Core) {
 	t.Helper()
 	auditReq := &logical.Request{
@@ -270,7 +323,7 @@ func TestSysGenerateRoot_ReAttemptUpdate(t *testing.T) {
 	TestServerAuth(t, addr, token)
 
 	resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", nil)
-	testResponseStatus(t, resp, 200)
+	testResponseStatus(t, resp, http.StatusOK)
 
 	resp = testHttpDelete(t, token, addr+"/v1/sys/generate-root/attempt")
 	testResponseStatus(t, resp, 204)
@@ -279,199 +332,295 @@ func TestSysGenerateRoot_ReAttemptUpdate(t *testing.T) {
 		"pgp_key": pgpkeys.TestPubKey1,
 	})
 
-	testResponseStatus(t, resp, 200)
+	testResponseStatus(t, resp, http.StatusOK)
 }
 
 func TestSysGenerateRoot_Update_OTP(t *testing.T) {
-	var records *[][]byte
-	ln, addr, token, keys := testServerWithAudit(t, &records)
-	defer ln.Close()
+	testCases := []struct {
+		name                     string
+		enableUnauthGenerateRoot bool
+		useToken                 bool
+		expectError              bool
+	}{
+		{
+			name:                     "unauthenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 false,
+			expectError:              false,
+		},
+		{
+			name:                     "authenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 true,
+			expectError:              false,
+		},
+		{
+			name:                     "auth-required",
+			enableUnauthGenerateRoot: false,
+			useToken:                 true,
+			expectError:              false,
+		},
+		{
+			name:                     "auth-required-no-token",
+			enableUnauthGenerateRoot: false,
+			useToken:                 false,
+			expectError:              true,
+		},
+	}
 
-	resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{})
-	var rootGenerationStatus map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &rootGenerationStatus)
-	otp := rootGenerationStatus["otp"].(string)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			conf := &vault.CoreConfig{}
+			if tc.enableUnauthGenerateRoot {
+				conf.EnableUnauthenticatedAccess = []string{"generate-root"}
+			}
+			cluster := vault.NewTestCluster(t, conf, &vault.TestClusterOptions{
+				DisableTLS:  true,
+				HandlerFunc: Handler,
+				NumCores:    1,
+			})
+			cl := cluster.Cores[0].Client
+			reqToken := ""
+			if tc.useToken {
+				reqToken = cl.Token()
+			}
+			addr := cl.Address()
 
-	var actual map[string]interface{}
-	var expected map[string]interface{}
-	for i, key := range keys {
-		resp = testHttpPut(t, token, addr+"/v1/sys/generate-root/update", map[string]interface{}{
-			"nonce": rootGenerationStatus["nonce"].(string),
-			"key":   hex.EncodeToString(key),
+			resp := testHttpPut(t, reqToken, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{})
+			var rootGenerationStatus map[string]interface{}
+			if tc.expectError {
+				testResponseStatus(t, resp, http.StatusForbidden)
+				return
+			}
+			testResponseStatus(t, resp, http.StatusOK)
+			testResponseBody(t, resp, &rootGenerationStatus)
+			otp := rootGenerationStatus["otp"].(string)
+
+			var actual map[string]interface{}
+			var expected map[string]interface{}
+			for i, key := range cluster.BarrierKeys {
+				resp = testHttpPut(t, reqToken, addr+"/v1/sys/generate-root/update", map[string]interface{}{
+					"nonce": rootGenerationStatus["nonce"].(string),
+					"key":   hex.EncodeToString(key),
+				})
+
+				actual = map[string]interface{}{}
+				expected = map[string]interface{}{
+					"complete":        false,
+					"nonce":           rootGenerationStatus["nonce"].(string),
+					"progress":        json.Number(fmt.Sprintf("%d", i+1)),
+					"required":        json.Number(fmt.Sprintf("%d", len(cluster.BarrierKeys))),
+					"started":         true,
+					"pgp_fingerprint": "",
+					"otp":             "",
+					"otp_length":      json.Number("0"),
+				}
+				if i+1 == len(cluster.BarrierKeys) {
+					expected["complete"] = true
+				}
+				testResponseStatus(t, resp, http.StatusOK)
+				testResponseBody(t, resp, &actual)
+			}
+
+			if actual["encoded_token"] == nil || actual["encoded_token"] == "" {
+				t.Fatalf("no encoded token found in response")
+			}
+			if actual["encoded_root_token"] == nil || actual["encoded_root-token"] == "" {
+				t.Fatalf("no encoded root token found in response")
+			}
+			expected["encoded_token"] = actual["encoded_token"]
+			expected["encoded_root_token"] = actual["encoded_root_token"]
+			expected["encoded_token"] = actual["encoded_token"]
+
+			if !reflect.DeepEqual(actual, expected) {
+				t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
+			}
+
+			tokenBytes, err := base64.RawStdEncoding.DecodeString(expected["encoded_token"].(string))
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))
+			if err != nil {
+				t.Fatal(err)
+			}
+			newRootToken := string(tokenBytes)
+
+			actual = map[string]interface{}{}
+			expected = map[string]interface{}{
+				"id":               newRootToken,
+				"display_name":     "root",
+				"meta":             interface{}(nil),
+				"num_uses":         json.Number("0"),
+				"policies":         []interface{}{"root"},
+				"orphan":           true,
+				"creation_ttl":     json.Number("0"),
+				"ttl":              json.Number("0"),
+				"path":             "auth/token/root",
+				"explicit_max_ttl": json.Number("0"),
+				"expire_time":      nil,
+				"entity_id":        "",
+				"type":             "service",
+			}
+
+			resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")
+			testResponseStatus(t, resp, http.StatusOK)
+			testResponseBody(t, resp, &actual)
+
+			expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
+			expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
+
+			if !reflect.DeepEqual(actual["data"], expected) {
+				t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual["data"])
+			}
 		})
-
-		actual = map[string]interface{}{}
-		expected = map[string]interface{}{
-			"complete":        false,
-			"nonce":           rootGenerationStatus["nonce"].(string),
-			"progress":        json.Number(fmt.Sprintf("%d", i+1)),
-			"required":        json.Number(fmt.Sprintf("%d", len(keys))),
-			"started":         true,
-			"pgp_fingerprint": "",
-			"otp":             "",
-			"otp_length":      json.Number("0"),
-		}
-		if i+1 == len(keys) {
-			expected["complete"] = true
-		}
-		testResponseStatus(t, resp, 200)
-		testResponseBody(t, resp, &actual)
-	}
-
-	if actual["encoded_token"] == nil || actual["encoded_token"] == "" {
-		t.Fatalf("no encoded token found in response")
-	}
-	if actual["encoded_root_token"] == nil || actual["encoded_root-token"] == "" {
-		t.Fatalf("no encoded root token found in response")
-	}
-	expected["encoded_token"] = actual["encoded_token"]
-	expected["encoded_root_token"] = actual["encoded_root_token"]
-	expected["encoded_token"] = actual["encoded_token"]
-
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
-	}
-
-	tokenBytes, err := base64.RawStdEncoding.DecodeString(expected["encoded_token"].(string))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))
-	if err != nil {
-		t.Fatal(err)
-	}
-	newRootToken := string(tokenBytes)
-
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"id":               newRootToken,
-		"display_name":     "root",
-		"meta":             interface{}(nil),
-		"num_uses":         json.Number("0"),
-		"policies":         []interface{}{"root"},
-		"orphan":           true,
-		"creation_ttl":     json.Number("0"),
-		"ttl":              json.Number("0"),
-		"path":             "auth/token/root",
-		"explicit_max_ttl": json.Number("0"),
-		"expire_time":      nil,
-		"entity_id":        "",
-		"type":             "service",
-	}
-
-	resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-
-	expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
-	expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
-
-	if !reflect.DeepEqual(actual["data"], expected) {
-		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual["data"])
-	}
-
-	for _, r := range *records {
-		t.Log(string(r))
 	}
 }
 
 func TestSysGenerateRoot_Update_PGP(t *testing.T) {
-	core, keys, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
-		"pgp_key": pgpkeys.TestPubKey1,
-	})
-	testResponseStatus(t, resp, 200)
-
-	// We need to get the nonce first before we update
-	resp, err := http.Get(addr + "/v1/sys/generate-root/attempt")
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	testCases := []struct {
+		name                     string
+		enableUnauthGenerateRoot bool
+		useToken                 bool
+		expectError              bool
+	}{
+		{
+			name:                     "unauthenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 false,
+			expectError:              false,
+		},
+		{
+			name:                     "authenticated",
+			enableUnauthGenerateRoot: true,
+			useToken:                 true,
+			expectError:              false,
+		},
+		{
+			name:                     "auth-required",
+			enableUnauthGenerateRoot: false,
+			useToken:                 true,
+			expectError:              false,
+		},
+		{
+			name:                     "auth-required-no-token",
+			enableUnauthGenerateRoot: false,
+			useToken:                 false,
+			expectError:              true,
+		},
 	}
-	var rootGenerationStatus map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &rootGenerationStatus)
 
-	var actual map[string]interface{}
-	var expected map[string]interface{}
-	for i, key := range keys {
-		resp = testHttpPut(t, token, addr+"/v1/sys/generate-root/update", map[string]interface{}{
-			"nonce": rootGenerationStatus["nonce"].(string),
-			"key":   hex.EncodeToString(key),
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			conf := &vault.CoreConfig{}
+			if tc.enableUnauthGenerateRoot {
+				conf.EnableUnauthenticatedAccess = []string{"generate-root"}
+			}
+			cluster := vault.NewTestCluster(t, conf, &vault.TestClusterOptions{
+				DisableTLS:  true,
+				HandlerFunc: Handler,
+				NumCores:    1,
+			})
+			cl := cluster.Cores[0].Client
+			reqToken := ""
+			if tc.useToken {
+				reqToken = cl.Token()
+			}
+			addr := cl.Address()
+
+			resp := testHttpPut(t, reqToken, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
+				"pgp_key": pgpkeys.TestPubKey1,
+			})
+			if tc.expectError {
+				testResponseStatus(t, resp, http.StatusForbidden)
+				return
+			}
+			testResponseStatus(t, resp, http.StatusOK)
+
+			// We need to get the nonce first before we update
+			resp = testHttpGet(t, reqToken, addr+"/v1/sys/generate-root/attempt")
+			var rootGenerationStatus map[string]interface{}
+			testResponseStatus(t, resp, http.StatusOK)
+			testResponseBody(t, resp, &rootGenerationStatus)
+
+			var actual map[string]interface{}
+			var expected map[string]interface{}
+			for i, key := range cluster.BarrierKeys {
+				resp = testHttpPut(t, reqToken, addr+"/v1/sys/generate-root/update", map[string]interface{}{
+					"nonce": rootGenerationStatus["nonce"].(string),
+					"key":   hex.EncodeToString(key),
+				})
+
+				actual = map[string]interface{}{}
+				expected = map[string]interface{}{
+					"complete":        false,
+					"nonce":           rootGenerationStatus["nonce"].(string),
+					"progress":        json.Number(fmt.Sprintf("%d", i+1)),
+					"required":        json.Number(fmt.Sprintf("%d", len(cluster.BarrierKeys))),
+					"started":         true,
+					"pgp_fingerprint": "816938b8a29146fbe245dd29e7cbaf8e011db793",
+					"otp":             "",
+					"otp_length":      json.Number("0"),
+				}
+				if i+1 == len(cluster.BarrierKeys) {
+					expected["complete"] = true
+				}
+				testResponseStatus(t, resp, http.StatusOK)
+				testResponseBody(t, resp, &actual)
+			}
+
+			if actual["encoded_token"] == nil || actual["encoded_token"] == "" {
+				t.Fatalf("no encoded token found in response")
+			}
+			if actual["encoded_root_token"] == nil || actual["encoded_root-token"] == "" {
+				t.Fatalf("no encoded root token found in response")
+			}
+			expected["encoded_token"] = actual["encoded_token"]
+			expected["encoded_root_token"] = actual["encoded_root_token"]
+			expected["encoded_token"] = actual["encoded_token"]
+
+			if !reflect.DeepEqual(actual, expected) {
+				t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
+			}
+
+			decodedTokenBuf, err := pgpkeys.DecryptBytes(actual["encoded_token"].(string), pgpkeys.TestPrivKey1)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if decodedTokenBuf == nil {
+				t.Fatal("decoded root token buffer is nil")
+			}
+
+			newRootToken := decodedTokenBuf.String()
+
+			actual = map[string]interface{}{}
+			expected = map[string]interface{}{
+				"id":               newRootToken,
+				"display_name":     "root",
+				"meta":             interface{}(nil),
+				"num_uses":         json.Number("0"),
+				"policies":         []interface{}{"root"},
+				"orphan":           true,
+				"creation_ttl":     json.Number("0"),
+				"ttl":              json.Number("0"),
+				"path":             "auth/token/root",
+				"explicit_max_ttl": json.Number("0"),
+				"expire_time":      nil,
+				"entity_id":        "",
+				"type":             "service",
+			}
+
+			resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")
+			testResponseStatus(t, resp, http.StatusOK)
+			testResponseBody(t, resp, &actual)
+
+			expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
+			expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
+
+			if diff := deep.Equal(actual["data"], expected); diff != nil {
+				t.Fatal(diff)
+			}
 		})
-
-		actual = map[string]interface{}{}
-		expected = map[string]interface{}{
-			"complete":        false,
-			"nonce":           rootGenerationStatus["nonce"].(string),
-			"progress":        json.Number(fmt.Sprintf("%d", i+1)),
-			"required":        json.Number(fmt.Sprintf("%d", len(keys))),
-			"started":         true,
-			"pgp_fingerprint": "816938b8a29146fbe245dd29e7cbaf8e011db793",
-			"otp":             "",
-			"otp_length":      json.Number("0"),
-		}
-		if i+1 == len(keys) {
-			expected["complete"] = true
-		}
-		testResponseStatus(t, resp, 200)
-		testResponseBody(t, resp, &actual)
-	}
-
-	if actual["encoded_token"] == nil || actual["encoded_token"] == "" {
-		t.Fatalf("no encoded token found in response")
-	}
-	if actual["encoded_root_token"] == nil || actual["encoded_root-token"] == "" {
-		t.Fatalf("no encoded root token found in response")
-	}
-	expected["encoded_token"] = actual["encoded_token"]
-	expected["encoded_root_token"] = actual["encoded_root_token"]
-	expected["encoded_token"] = actual["encoded_token"]
-
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
-	}
-
-	decodedTokenBuf, err := pgpkeys.DecryptBytes(actual["encoded_token"].(string), pgpkeys.TestPrivKey1)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if decodedTokenBuf == nil {
-		t.Fatal("decoded root token buffer is nil")
-	}
-
-	newRootToken := decodedTokenBuf.String()
-
-	actual = map[string]interface{}{}
-	expected = map[string]interface{}{
-		"id":               newRootToken,
-		"display_name":     "root",
-		"meta":             interface{}(nil),
-		"num_uses":         json.Number("0"),
-		"policies":         []interface{}{"root"},
-		"orphan":           true,
-		"creation_ttl":     json.Number("0"),
-		"ttl":              json.Number("0"),
-		"path":             "auth/token/root",
-		"explicit_max_ttl": json.Number("0"),
-		"expire_time":      nil,
-		"entity_id":        "",
-		"type":             "service",
-	}
-
-	resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-
-	expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
-	expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
-
-	if diff := deep.Equal(actual["data"], expected); diff != nil {
-		t.Fatal(diff)
 	}
 }
diff --git a/http/sys_hostinfo_test.go b/http/sys_hostinfo_test.go
index 670f225413..fb79a1d95d 100644
--- a/http/sys_hostinfo_test.go
+++ b/http/sys_hostinfo_test.go
@@ -15,12 +15,8 @@ func TestSysHostInfo(t *testing.T) {
 	cluster := vault.NewTestCluster(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
-	vault.TestWaitActive(t, cores[0].Core)
-
 	// Query against the active node, should get host information back
 	secret, err := cores[0].Client.Logical().Read("sys/host-info")
 	if err != nil {
diff --git a/http/sys_init_test.go b/http/sys_init_test.go
index 72d9da4926..42c0d97567 100644
--- a/http/sys_init_test.go
+++ b/http/sys_init_test.go
@@ -168,8 +168,6 @@ func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {
 		Logger:      corehelpers.NewTestLogger(t).Named("transit-seal" + strconv.Itoa(0)),
 	}
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	cores := cluster.Cores
 	core := cores[0].Core
diff --git a/http/sys_monitor_test.go b/http/sys_monitor_test.go
index 91f39052b8..a079f020e3 100644
--- a/http/sys_monitor_test.go
+++ b/http/sys_monitor_test.go
@@ -20,7 +20,6 @@ func TestSysMonitorUnknownLogLevel(t *testing.T) {
 		HandlerFunc: Handler,
 		NumCores:    1,
 	})
-	defer cluster.Cleanup()
 
 	client := cluster.Cores[0].Client
 	request := client.NewRequest("GET", "/v1/sys/monitor")
@@ -46,7 +45,6 @@ func TestSysMonitorUnknownLogFormat(t *testing.T) {
 		HandlerFunc: Handler,
 		NumCores:    1,
 	})
-	defer cluster.Cleanup()
 
 	client := cluster.Cores[0].Client
 	request := client.NewRequest("GET", "/v1/sys/monitor")
@@ -72,7 +70,6 @@ func TestSysMonitorStreamingLogs(t *testing.T) {
 		HandlerFunc: Handler,
 		NumCores:    1,
 	})
-	defer cluster.Cleanup()
 
 	client := cluster.Cores[0].Client
 	stopCh := testhelpers.GenerateDebugLogs(t, client)
diff --git a/http/sys_mount_test.go b/http/sys_mount_test.go
index 8c15bb54ca..0d19fb2912 100644
--- a/http/sys_mount_test.go
+++ b/http/sys_mount_test.go
@@ -95,6 +95,7 @@ func TestSysMounts(t *testing.T) {
 					"max_lease_ttl":               json.Number("0"),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []interface{}{"Authorization"},
+					"allowed_response_headers":    []interface{}{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -179,6 +180,7 @@ func TestSysMounts(t *testing.T) {
 				"max_lease_ttl":               json.Number("0"),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []interface{}{"Authorization"},
+				"allowed_response_headers":    []interface{}{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -327,6 +329,7 @@ func TestSysMount(t *testing.T) {
 					"max_lease_ttl":               json.Number("0"),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []interface{}{"Authorization"},
+					"allowed_response_headers":    []interface{}{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -427,6 +430,7 @@ func TestSysMount(t *testing.T) {
 				"max_lease_ttl":               json.Number("0"),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []interface{}{"Authorization"},
+				"allowed_response_headers":    []interface{}{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -676,6 +680,7 @@ func TestSysRemount(t *testing.T) {
 					"max_lease_ttl":               json.Number("0"),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []interface{}{"Authorization"},
+					"allowed_response_headers":    []interface{}{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -776,6 +781,7 @@ func TestSysRemount(t *testing.T) {
 				"max_lease_ttl":               json.Number("0"),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []interface{}{"Authorization"},
+				"allowed_response_headers":    []interface{}{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -908,6 +914,7 @@ func TestSysUnmount(t *testing.T) {
 					"max_lease_ttl":               json.Number("0"),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []interface{}{"Authorization"},
+					"allowed_response_headers":    []interface{}{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -992,6 +999,7 @@ func TestSysUnmount(t *testing.T) {
 				"max_lease_ttl":               json.Number("0"),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []interface{}{"Authorization"},
+				"allowed_response_headers":    []interface{}{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -1233,6 +1241,7 @@ func TestSysTuneMount(t *testing.T) {
 					"max_lease_ttl":               json.Number("0"),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []interface{}{"Authorization"},
+					"allowed_response_headers":    []interface{}{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -1333,6 +1342,7 @@ func TestSysTuneMount(t *testing.T) {
 				"max_lease_ttl":               json.Number("0"),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []interface{}{"Authorization"},
+				"allowed_response_headers":    []interface{}{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -1507,6 +1517,7 @@ func TestSysTuneMount(t *testing.T) {
 					"max_lease_ttl":               json.Number("0"),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []interface{}{"Authorization"},
+					"allowed_response_headers":    []interface{}{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -1607,6 +1618,7 @@ func TestSysTuneMount(t *testing.T) {
 				"max_lease_ttl":               json.Number("0"),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []interface{}{"Authorization"},
+				"allowed_response_headers":    []interface{}{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
diff --git a/http/sys_policy_test.go b/http/sys_policy_test.go
index c6924bc1ff..91880bb6a8 100644
--- a/http/sys_policy_test.go
+++ b/http/sys_policy_test.go
@@ -29,11 +29,11 @@ func TestSysPolicies(t *testing.T) {
 		"auth":           nil,
 		"mount_type":     "system",
 		"data": map[string]interface{}{
-			"policies": []interface{}{"default", "root"},
-			"keys":     []interface{}{"default", "root"},
+			"policies": []interface{}{"default", "default-ceiling", "root"},
+			"keys":     []interface{}{"default", "default-ceiling", "root"},
 		},
-		"policies": []interface{}{"default", "root"},
-		"keys":     []interface{}{"default", "root"},
+		"policies": []interface{}{"default", "default-ceiling", "root"},
+		"keys":     []interface{}{"default", "default-ceiling", "root"},
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
@@ -98,11 +98,11 @@ func TestSysWritePolicy(t *testing.T) {
 		"auth":           nil,
 		"mount_type":     "system",
 		"data": map[string]interface{}{
-			"policies": []interface{}{"default", "foo", "root"},
-			"keys":     []interface{}{"default", "foo", "root"},
+			"policies": []interface{}{"default", "default-ceiling", "foo", "root"},
+			"keys":     []interface{}{"default", "default-ceiling", "foo", "root"},
 		},
-		"policies": []interface{}{"default", "foo", "root"},
-		"keys":     []interface{}{"default", "foo", "root"},
+		"policies": []interface{}{"default", "default-ceiling", "foo", "root"},
+		"keys":     []interface{}{"default", "default-ceiling", "foo", "root"},
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
@@ -134,6 +134,7 @@ func TestSysDeletePolicy(t *testing.T) {
 	// Also attempt to delete these since they should not be allowed (ignore
 	// responses, if they exist later that's sufficient)
 	resp = testHttpDelete(t, token, addr+"/v1/sys/policy/default")
+	resp = testHttpDelete(t, token, addr+"/v1/sys/policy/default-ceiling")
 	resp = testHttpDelete(t, token, addr+"/v1/sys/policy/response-wrapping")
 
 	resp = testHttpGet(t, token, addr+"/v1/sys/policy")
@@ -148,11 +149,11 @@ func TestSysDeletePolicy(t *testing.T) {
 		"auth":           nil,
 		"mount_type":     "system",
 		"data": map[string]interface{}{
-			"policies": []interface{}{"default", "root"},
-			"keys":     []interface{}{"default", "root"},
+			"policies": []interface{}{"default", "default-ceiling", "root"},
+			"keys":     []interface{}{"default", "default-ceiling", "root"},
 		},
-		"policies": []interface{}{"default", "root"},
-		"keys":     []interface{}{"default", "root"},
+		"policies": []interface{}{"default", "default-ceiling", "root"},
+		"keys":     []interface{}{"default", "default-ceiling", "root"},
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
diff --git a/http/sys_raft.go b/http/sys_raft.go
index b2055d674c..9b5b435934 100644
--- a/http/sys_raft.go
+++ b/http/sys_raft.go
@@ -23,6 +23,7 @@ func handleSysRaftBootstrap(core *vault.Core) http.Handler {
 		case "POST", "PUT":
 			if core.Sealed() {
 				respondError(w, http.StatusBadRequest, errors.New("node must be unsealed to bootstrap"))
+				return
 			}
 
 			if err := core.RaftBootstrap(context.Background(), false); err != nil {
@@ -87,7 +88,9 @@ func handleSysRaftJoinPost(core *vault.Core, w http.ResponseWriter, r *http.Requ
 		},
 	}
 
-	joined, err := core.JoinRaftCluster(context.Background(), leaderInfos, req.NonVoter)
+	ctx, cancel := core.GetContext()
+	defer cancel()
+	joined, err := core.JoinRaftCluster(ctx, leaderInfos, req.NonVoter)
 	if err != nil {
 		respondError(w, http.StatusInternalServerError, err)
 		return
diff --git a/http/sys_rekey.go b/http/sys_rekey.go
index a9d9618fa5..a9a526604e 100644
--- a/http/sys_rekey.go
+++ b/http/sys_rekey.go
@@ -5,14 +5,10 @@ package http
 
 import (
 	"context"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
 	"fmt"
 	"net/http"
 	"time"
 
-	"github.com/hashicorp/vault/helper/pgpkeys"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/vault"
 )
@@ -51,94 +47,25 @@ func handleSysRekeyInit(core *vault.Core, recovery bool) http.Handler {
 }
 
 func handleSysRekeyInitGet(ctx context.Context, core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
-	barrierConfig, barrierConfErr := core.SealAccess().BarrierConfig(ctx)
-	if barrierConfErr != nil {
-		respondError(w, http.StatusInternalServerError, barrierConfErr)
-		return
-	}
-	if barrierConfig == nil {
-		respondError(w, http.StatusBadRequest, fmt.Errorf("server is not yet initialized"))
-		return
-	}
-
-	// Get the rekey configuration
-	rekeyConf, err := core.RekeyConfig(recovery)
+	status, code, err := vault.HandleSysRekeyInitGet(ctx, core, recovery, true)
 	if err != nil {
-		respondError(w, err.Code(), err)
+		respondError(w, code, err)
 		return
 	}
 
-	sealThreshold, err := core.RekeyThreshold(ctx, recovery)
-	if err != nil {
-		respondError(w, err.Code(), err)
-		return
-	}
-
-	// Format the status
-	status := &RekeyStatusResponse{
-		Started:  false,
-		T:        0,
-		N:        0,
-		Required: sealThreshold,
-	}
-	if rekeyConf != nil {
-		// Get the progress
-		started, progress, err := core.RekeyProgress(recovery, false)
-		if err != nil {
-			respondError(w, err.Code(), err)
-			return
-		}
-
-		status.Nonce = rekeyConf.Nonce
-		status.Started = started
-		status.T = rekeyConf.SecretThreshold
-		status.N = rekeyConf.SecretShares
-		status.Progress = progress
-		status.VerificationRequired = rekeyConf.VerificationRequired
-		status.VerificationNonce = rekeyConf.VerificationNonce
-		if rekeyConf.PGPKeys != nil && len(rekeyConf.PGPKeys) != 0 {
-			pgpFingerprints, err := pgpkeys.GetFingerprints(rekeyConf.PGPKeys, nil)
-			if err != nil {
-				respondError(w, http.StatusInternalServerError, err)
-				return
-			}
-			status.PGPFingerprints = pgpFingerprints
-			status.Backup = rekeyConf.Backup
-		}
-	}
 	respondOk(w, status)
 }
 
 func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
 	// Parse the request
-	var req RekeyRequest
+	var req *vault.RekeyRequest
 	if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
 		respondError(w, http.StatusBadRequest, err)
 		return
 	}
-
-	if req.Backup && len(req.PGPKeys) == 0 {
-		respondError(w, http.StatusBadRequest, fmt.Errorf("cannot request a backup of the new keys without providing PGP keys for encryption"))
-		return
-	}
-
-	if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares {
-		respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
-		return
-	}
-
-	// Initialize the rekey
-	err := core.RekeyInit(&vault.SealConfig{
-		SecretShares:         req.SecretShares,
-		SecretThreshold:      req.SecretThreshold,
-		StoredShares:         req.StoredShares,
-		PGPKeys:              req.PGPKeys,
-		Backup:               req.Backup,
-		VerificationRequired: req.RequireVerification,
-		Created:              time.Now().UTC(),
-	}, recovery)
+	code, err := vault.HandleSysRekeyInitPut(core, recovery, req, true)
 	if err != nil {
-		respondError(w, err.Code(), err)
+		respondError(w, code, err)
 		return
 	}
 
@@ -146,13 +73,13 @@ func handleSysRekeyInitPut(ctx context.Context, core *vault.Core, recovery bool,
 }
 
 func handleSysRekeyInitDelete(ctx context.Context, core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
-	var req RekeyDeleteRequest
+	var req vault.RekeyDeleteRequest
 	if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
 		respondError(w, http.StatusBadRequest, err)
 		return
 	}
 
-	if err := core.RekeyCancel(recovery, req.Nonce, 10*time.Minute); err != nil {
+	if err := core.RekeyCancel(recovery, req.Nonce, 10*time.Minute, true); err != nil {
 		respondError(w, err.Code(), err)
 		return
 	}
@@ -168,67 +95,26 @@ func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {
 		}
 
 		// Parse the request
-		var req RekeyUpdateRequest
+		var req vault.RekeyUpdateRequest
 		if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
 			respondError(w, http.StatusBadRequest, err)
 			return
 		}
-		if req.Key == "" {
-			respondError(
-				w, http.StatusBadRequest,
-				errors.New("'key' must be specified in request body as JSON"))
-			return
-		}
-
-		// Decode the key, which is base64 or hex encoded
-		min, max := core.BarrierKeyLength()
-		key, err := hex.DecodeString(req.Key)
-		// We check min and max here to ensure that a string that is base64
-		// encoded but also valid hex will not be valid and we instead base64
-		// decode it
-		if err != nil || len(key) < min || len(key) > max {
-			key, err = base64.StdEncoding.DecodeString(req.Key)
-			if err != nil {
-				respondError(
-					w, http.StatusBadRequest,
-					errors.New("'key' must be a valid hex or base64 string"))
-				return
-			}
-		}
 
 		ctx, cancel := core.GetContext()
 		defer cancel()
 
-		// Use the key to make progress on rekey
-		result, rekeyErr := core.RekeyUpdate(ctx, key, req.Nonce, recovery)
-		if rekeyErr != nil {
-			respondError(w, rekeyErr.Code(), rekeyErr)
+		result, code, err := vault.HandleSysRekeyUpdatePut(ctx, core, recovery, &req, true)
+		if err != nil {
+			respondError(w, code, err)
+			return
+		}
+		if result != nil {
+			respondOk(w, result)
 			return
 		}
 
-		// Format the response
-		resp := &RekeyUpdateResponse{}
-		if result != nil {
-			resp.Complete = true
-			resp.Nonce = req.Nonce
-			resp.Backup = result.Backup
-			resp.PGPFingerprints = result.PGPFingerprints
-			resp.VerificationRequired = result.VerificationRequired
-			resp.VerificationNonce = result.VerificationNonce
-
-			// Encode the keys
-			keys := make([]string, 0, len(result.SecretShares))
-			keysB64 := make([]string, 0, len(result.SecretShares))
-			for _, k := range result.SecretShares {
-				keys = append(keys, hex.EncodeToString(k))
-				keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))
-			}
-			resp.Keys = keys
-			resp.KeysB64 = keysB64
-			respondOk(w, resp)
-		} else {
-			handleSysRekeyInitGet(ctx, core, recovery, w, r)
-		}
+		handleSysRekeyInitGet(r.Context(), core, recovery, w, r)
 	})
 }
 
@@ -266,47 +152,17 @@ func handleSysRekeyVerify(core *vault.Core, recovery bool) http.Handler {
 }
 
 func handleSysRekeyVerifyGet(ctx context.Context, core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
-	barrierConfig, barrierConfErr := core.SealAccess().BarrierConfig(ctx)
-	if barrierConfErr != nil {
-		respondError(w, http.StatusInternalServerError, barrierConfErr)
-		return
-	}
-	if barrierConfig == nil {
-		respondError(w, http.StatusBadRequest, fmt.Errorf("server is not yet initialized"))
-		return
-	}
-
-	// Get the rekey configuration
-	rekeyConf, err := core.RekeyConfig(recovery)
+	status, code, err := vault.HandleSysRekeyVerifyGet(ctx, core, recovery, true)
 	if err != nil {
-		respondError(w, err.Code(), err)
-		return
-	}
-	if rekeyConf == nil {
-		respondError(w, http.StatusBadRequest, errors.New("no rekey configuration found"))
+		respondError(w, code, err)
 		return
 	}
 
-	// Get the progress
-	started, progress, err := core.RekeyProgress(recovery, true)
-	if err != nil {
-		respondError(w, err.Code(), err)
-		return
-	}
-
-	// Format the status
-	status := &RekeyVerificationStatusResponse{
-		Started:  started,
-		Nonce:    rekeyConf.VerificationNonce,
-		T:        rekeyConf.SecretThreshold,
-		N:        rekeyConf.SecretShares,
-		Progress: progress,
-	}
 	respondOk(w, status)
 }
 
 func handleSysRekeyVerifyDelete(ctx context.Context, core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
-	if err := core.RekeyVerifyRestart(recovery); err != nil {
+	if err := core.RekeyVerifyRestart(recovery, true); err != nil {
 		respondError(w, err.Code(), err)
 		return
 	}
@@ -316,112 +172,25 @@ func handleSysRekeyVerifyDelete(ctx context.Context, core *vault.Core, recovery
 
 func handleSysRekeyVerifyPut(ctx context.Context, core *vault.Core, recovery bool, w http.ResponseWriter, r *http.Request) {
 	// Parse the request
-	var req RekeyVerificationUpdateRequest
+	var req vault.RekeyVerificationUpdateRequest
 	if _, err := parseJSONRequest(core.PerfStandby(), r, w, &req); err != nil {
 		respondError(w, http.StatusBadRequest, err)
 		return
 	}
-	if req.Key == "" {
-		respondError(
-			w, http.StatusBadRequest,
-			errors.New("'key' must be specified in request body as JSON"))
-		return
-	}
-
-	// Decode the key, which is base64 or hex encoded
-	min, max := core.BarrierKeyLength()
-	key, err := hex.DecodeString(req.Key)
-	// We check min and max here to ensure that a string that is base64
-	// encoded but also valid hex will not be valid and we instead base64
-	// decode it
-	if err != nil || len(key) < min || len(key) > max {
-		key, err = base64.StdEncoding.DecodeString(req.Key)
-		if err != nil {
-			respondError(
-				w, http.StatusBadRequest,
-				errors.New("'key' must be a valid hex or base64 string"))
-			return
-		}
-	}
 
 	ctx, cancel := core.GetContext()
 	defer cancel()
 
-	// Use the key to make progress on rekey
-	result, rekeyErr := core.RekeyVerify(ctx, key, req.Nonce, recovery)
-	if rekeyErr != nil {
-		respondError(w, rekeyErr.Code(), rekeyErr)
+	resp, code, err := vault.HandleSysRekeyVerifyPut(ctx, core, recovery, true, &req)
+	if err != nil {
+		respondError(w, code, err)
 		return
 	}
 
 	// Format the response
-	resp := &RekeyVerificationUpdateResponse{}
-	if result != nil {
-		resp.Complete = true
-		resp.Nonce = result.Nonce
+	if resp != nil {
 		respondOk(w, resp)
 	} else {
 		handleSysRekeyVerifyGet(ctx, core, recovery, w, r)
 	}
 }
-
-type RekeyRequest struct {
-	SecretShares        int      `json:"secret_shares"`
-	SecretThreshold     int      `json:"secret_threshold"`
-	StoredShares        int      `json:"stored_shares"`
-	PGPKeys             []string `json:"pgp_keys"`
-	Backup              bool     `json:"backup"`
-	RequireVerification bool     `json:"require_verification"`
-}
-
-type RekeyStatusResponse struct {
-	Nonce                string   `json:"nonce"`
-	Started              bool     `json:"started"`
-	T                    int      `json:"t"`
-	N                    int      `json:"n"`
-	Progress             int      `json:"progress"`
-	Required             int      `json:"required"`
-	PGPFingerprints      []string `json:"pgp_fingerprints"`
-	Backup               bool     `json:"backup"`
-	VerificationRequired bool     `json:"verification_required"`
-	VerificationNonce    string   `json:"verification_nonce,omitempty"`
-}
-
-type RekeyUpdateRequest struct {
-	Nonce string
-	Key   string
-}
-
-type RekeyUpdateResponse struct {
-	Nonce                string   `json:"nonce"`
-	Complete             bool     `json:"complete"`
-	Keys                 []string `json:"keys"`
-	KeysB64              []string `json:"keys_base64"`
-	PGPFingerprints      []string `json:"pgp_fingerprints"`
-	Backup               bool     `json:"backup"`
-	VerificationRequired bool     `json:"verification_required"`
-	VerificationNonce    string   `json:"verification_nonce,omitempty"`
-}
-
-type RekeyVerificationUpdateRequest struct {
-	Nonce string `json:"nonce"`
-	Key   string `json:"key"`
-}
-
-type RekeyVerificationStatusResponse struct {
-	Nonce    string `json:"nonce"`
-	Started  bool   `json:"started"`
-	T        int    `json:"t"`
-	N        int    `json:"n"`
-	Progress int    `json:"progress"`
-}
-
-type RekeyVerificationUpdateResponse struct {
-	Nonce    string `json:"nonce"`
-	Complete bool   `json:"complete"`
-}
-
-type RekeyDeleteRequest struct {
-	Nonce string `json:"nonce"`
-	Key   string `json:"key"`
-}
diff --git a/http/sys_rekey_test.go b/http/sys_rekey_test.go
index babe79c179..860e3300aa 100644
--- a/http/sys_rekey_test.go
+++ b/http/sys_rekey_test.go
@@ -7,23 +7,22 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"reflect"
 	"testing"
 
 	"github.com/go-test/deep"
-	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
 	"github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/require"
 )
 
 // Test to check if the API errors out when wrong number of PGP keys are
 // supplied for rekey
 func TestSysRekey_Init_pgpKeysEntriesForRekey(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-		HandlerFunc:             Handler,
-		RequestResponseCallback: schema.ResponseValidatingCallback(t),
+		HandlerFunc: Handler,
+		NumCores:    1,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cl := cluster.Cores[0].Client
 
 	_, err := cl.Logical().Write("sys/rekey/init", map[string]interface{}{
@@ -37,47 +36,93 @@ func TestSysRekey_Init_pgpKeysEntriesForRekey(t *testing.T) {
 }
 
 func TestSysRekey_Init_Status(t *testing.T) {
-	t.Run("status-barrier-default", func(t *testing.T) {
-		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-			HandlerFunc:             Handler,
-			RequestResponseCallback: schema.ResponseValidatingCallback(t),
-		})
-		cluster.Start()
-		defer cluster.Cleanup()
-		cl := cluster.Cores[0].Client
-
-		resp, err := cl.Logical().Read("sys/rekey/init")
-		if err != nil {
-			t.Fatalf("err: %s", err)
-		}
-
-		actual := resp.Data
-		expected := map[string]interface{}{
-			"started":               false,
-			"t":                     json.Number("0"),
-			"n":                     json.Number("0"),
-			"progress":              json.Number("0"),
-			"required":              json.Number("3"),
-			"pgp_fingerprints":      interface{}(nil),
-			"backup":                false,
-			"nonce":                 "",
-			"verification_required": false,
-		}
-
-		if !reflect.DeepEqual(actual, expected) {
-			t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
-		}
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		HandlerFunc: Handler,
+		NumCores:    1,
 	})
+	cl := cluster.Cores[0].Client
+
+	testCases := []struct {
+		name              string
+		enableUnauthRekey bool
+		useToken          bool
+		expectError       bool
+	}{
+		{
+			name:              "default-unauthenticated",
+			enableUnauthRekey: true,
+			useToken:          false,
+			expectError:       false,
+		},
+		{
+			name:              "default-authenticated",
+			enableUnauthRekey: true,
+			useToken:          true,
+			expectError:       false,
+		},
+		{
+			name:              "auth-required-without-token",
+			enableUnauthRekey: false,
+			useToken:          false,
+			expectError:       true,
+		},
+		{
+			name:              "auth-required-with-token",
+			enableUnauthRekey: false,
+			useToken:          true,
+			expectError:       false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cluster.Cores[0].Core.SetEnableUnauthRekey(tc.enableUnauthRekey)
+
+			if tc.useToken {
+				cl.SetToken(cluster.RootToken)
+			} else {
+				cl.SetToken("")
+			}
+
+			resp, err := cl.Logical().Read("sys/rekey/init")
+
+			if tc.expectError {
+				if err == nil {
+					t.Fatal("expected error but got none")
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("err: %s", err)
+			}
+
+			actual := resp.Data
+			expected := map[string]interface{}{
+				"started":               false,
+				"t":                     json.Number("0"),
+				"n":                     json.Number("0"),
+				"progress":              json.Number("0"),
+				"required":              json.Number("3"),
+				"pgp_fingerprints":      interface{}(nil),
+				"backup":                false,
+				"nonce":                 "",
+				"verification_required": false,
+			}
+
+			if !reflect.DeepEqual(actual, expected) {
+				t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
+			}
+		})
+	}
 }
 
 func TestSysRekey_Init_Setup(t *testing.T) {
 	t.Run("init-barrier-barrier-key", func(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-			HandlerFunc:             Handler,
-			RequestResponseCallback: schema.ResponseValidatingCallback(t),
+			HandlerFunc: Handler,
+			NumCores:    1,
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		cl := cluster.Cores[0].Client
 
 		// Start rekey
@@ -142,11 +187,9 @@ func TestSysRekey_Init_Setup(t *testing.T) {
 func TestSysRekey_Init_Cancel(t *testing.T) {
 	t.Run("cancel-barrier-barrier-key", func(t *testing.T) {
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
-			HandlerFunc:             Handler,
-			RequestResponseCallback: schema.ResponseValidatingCallback(t),
+			HandlerFunc: Handler,
+			NumCores:    1,
 		})
-		cluster.Start()
-		defer cluster.Cleanup()
 		cl := cluster.Cores[0].Client
 
 		initResp, err := cl.Logical().Write("sys/rekey/init", map[string]interface{}{
@@ -198,73 +241,146 @@ func TestSysRekey_badKey(t *testing.T) {
 }
 
 func TestSysRekey_Update(t *testing.T) {
-	t.Run("rekey-barrier-barrier-key", func(t *testing.T) {
-		core, keys, token := vault.TestCoreUnsealed(t)
-		ln, addr := TestServer(t, core)
-		defer ln.Close()
-		TestServerAuth(t, addr, token)
+	testCases := []struct {
+		name              string
+		enableUnauthRekey bool
+		useToken          bool
+		expectInitError   bool
+		expectUpdateError bool
+	}{
+		{
+			name:              "unauthenticated",
+			enableUnauthRekey: true,
+			useToken:          false,
+			expectInitError:   false,
+			expectUpdateError: false,
+		},
+		{
+			name:              "authenticated",
+			enableUnauthRekey: true,
+			useToken:          true,
+			expectInitError:   false,
+			expectUpdateError: false,
+		},
+		{
+			name:              "auth-required",
+			enableUnauthRekey: false,
+			useToken:          true,
+			expectInitError:   false,
+			expectUpdateError: false,
+		},
+		{
+			name:              "auth-required-no-token",
+			enableUnauthRekey: false,
+			useToken:          false,
+			expectInitError:   true,
+			expectUpdateError: true,
+		},
+	}
 
-		resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
-			"secret_shares":    5,
-			"secret_threshold": 3,
-		})
-		var rekeyStatus map[string]interface{}
-		testResponseStatus(t, resp, 200)
-		testResponseBody(t, resp, &rekeyStatus)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			conf := &vault.CoreConfig{}
+			if tc.enableUnauthRekey {
+				conf.EnableUnauthenticatedAccess = []string{"rekey"}
+			}
+			cluster := vault.NewTestCluster(t, conf, &vault.TestClusterOptions{
+				DisableTLS:  true,
+				HandlerFunc: Handler,
+				NumCores:    1,
+			})
+			cl := cluster.Cores[0].Client
 
-		var actual map[string]interface{}
-		var expected map[string]interface{}
+			reqToken := ""
+			if tc.useToken {
+				reqToken = cl.Token()
+			}
+			addr := cl.Address()
 
-		for i, key := range keys {
-			resp = testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{
-				"nonce": rekeyStatus["nonce"].(string),
-				"key":   hex.EncodeToString(key),
+			resp := testHttpPut(t, reqToken, addr+"/v1/sys/rekey/init", map[string]interface{}{
+				"secret_shares":    5,
+				"secret_threshold": 3,
 			})
 
-			actual = map[string]interface{}{}
-			expected = map[string]interface{}{
-				"started":               true,
-				"nonce":                 rekeyStatus["nonce"].(string),
-				"backup":                false,
-				"pgp_fingerprints":      interface{}(nil),
-				"required":              json.Number("3"),
-				"t":                     json.Number("3"),
-				"n":                     json.Number("5"),
-				"progress":              json.Number(fmt.Sprintf("%d", i+1)),
-				"verification_required": false,
+			if tc.expectInitError {
+				testResponseStatus(t, resp, http.StatusForbidden)
+				return
 			}
+
+			var rekeyStatus map[string]interface{}
 			testResponseStatus(t, resp, 200)
-			testResponseBody(t, resp, &actual)
+			testResponseBody(t, resp, &rekeyStatus)
 
-			if i+1 == len(keys) {
-				delete(expected, "started")
-				delete(expected, "required")
-				delete(expected, "t")
-				delete(expected, "n")
-				delete(expected, "progress")
-				expected["complete"] = true
-				expected["keys"] = actual["keys"]
-				expected["keys_base64"] = actual["keys_base64"]
+			var actual map[string]interface{}
+			var expected map[string]interface{}
+
+			if !tc.expectUpdateError {
+				// Test with a bad key to ensure that we format errors the same way
+				resp = testHttpPut(t, reqToken, addr+"/v1/sys/rekey/update", map[string]interface{}{
+					"nonce": rekeyStatus["nonce"].(string),
+					"key":   hex.EncodeToString([]byte("badkey")),
+				})
+				testResponseStatus(t, resp, http.StatusBadRequest)
+				testResponseBody(t, resp, &actual)
+				require.Equal(t, map[string]any{"errors": []any{"key is shorter than minimum 16 bytes"}}, actual)
 			}
 
-			if i+1 < len(keys) && (actual["nonce"] == nil || actual["nonce"].(string) == "") {
-				t.Fatalf("expected a nonce, i is %d, actual is %#v", i, actual)
+			for i, key := range cluster.BarrierKeys {
+				resp = testHttpPut(t, reqToken, addr+"/v1/sys/rekey/update", map[string]interface{}{
+					"nonce": rekeyStatus["nonce"].(string),
+					"key":   hex.EncodeToString(key),
+				})
+
+				if tc.expectUpdateError {
+					testResponseStatus(t, resp, http.StatusForbidden)
+					return
+				}
+
+				actual = map[string]interface{}{}
+				expected = map[string]interface{}{
+					"started":               true,
+					"nonce":                 rekeyStatus["nonce"].(string),
+					"backup":                false,
+					"pgp_fingerprints":      interface{}(nil),
+					"required":              json.Number("3"),
+					"t":                     json.Number("3"),
+					"n":                     json.Number("5"),
+					"progress":              json.Number(fmt.Sprintf("%d", i+1)),
+					"verification_required": false,
+				}
+				testResponseStatus(t, resp, 200)
+				testResponseBody(t, resp, &actual)
+
+				if i+1 == len(cluster.BarrierKeys) {
+					delete(expected, "started")
+					delete(expected, "required")
+					delete(expected, "t")
+					delete(expected, "n")
+					delete(expected, "progress")
+					expected["complete"] = true
+					expected["keys"] = actual["keys"]
+					expected["keys_base64"] = actual["keys_base64"]
+				}
+
+				if i+1 < len(cluster.BarrierKeys) && (actual["nonce"] == nil || actual["nonce"].(string) == "") {
+					t.Fatalf("expected a nonce, i is %d, actual is %#v", i, actual)
+				}
+
+				if !reflect.DeepEqual(actual, expected) {
+					t.Fatalf("\nexpected: \n%#v\nactual: \n%#v", expected, actual)
+				}
 			}
 
-			if !reflect.DeepEqual(actual, expected) {
-				t.Fatalf("\nexpected: \n%#v\nactual: \n%#v", expected, actual)
+			retKeys := actual["keys"].([]interface{})
+			if len(retKeys) != 5 {
+				t.Fatalf("bad: %#v", retKeys)
 			}
-		}
-
-		retKeys := actual["keys"].([]interface{})
-		if len(retKeys) != 5 {
-			t.Fatalf("bad: %#v", retKeys)
-		}
-		keysB64 := actual["keys_base64"].([]interface{})
-		if len(keysB64) != 5 {
-			t.Fatalf("bad: %#v", keysB64)
-		}
-	})
+			keysB64 := actual["keys_base64"].([]interface{})
+			if len(keysB64) != 5 {
+				t.Fatalf("bad: %#v", keysB64)
+			}
+		})
+	}
 }
 
 func TestSysRekey_ReInitUpdate(t *testing.T) {
diff --git a/http/sys_wrapping_test.go b/http/sys_wrapping_test.go
index 9d97741dbe..60d18ccefa 100644
--- a/http/sys_wrapping_test.go
+++ b/http/sys_wrapping_test.go
@@ -20,15 +20,7 @@ func TestHTTP_Wrapping(t *testing.T) {
 	cluster := vault.NewTestCluster(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
-
-	// make it easy to get access to the active
-	core := cores[0].Core
-	vault.TestWaitActive(t, core)
-
 	client := cores[0].Client
 	client.SetToken(cluster.RootToken)
 
diff --git a/http/testing.go b/http/testing.go
index 795582ee58..c29c35c79c 100644
--- a/http/testing.go
+++ b/http/testing.go
@@ -36,10 +36,16 @@ func TestServerWithListenerAndProperties(tb testing.TB, ln net.Listener, addr st
 	mux.Handle("/_test/auth", http.HandlerFunc(testHandleAuth))
 	mux.Handle("/", Handler.Handler(props))
 
+	var lnConfig *configutil.Listener
+	if props != nil {
+		lnConfig = props.ListenerConfig
+	}
+
 	server := &http.Server{
-		Addr:     ln.Addr().String(),
-		Handler:  mux,
-		ErrorLog: core.Logger().StandardLogger(nil),
+		Addr:           ln.Addr().String(),
+		Handler:        mux,
+		ErrorLog:       core.Logger().StandardLogger(nil),
+		MaxHeaderBytes: TokenHeaderMaxBytes(lnConfig),
 	}
 	go server.Serve(ln)
 }
diff --git a/http/token_header_size_test.go b/http/token_header_size_test.go
new file mode 100644
index 0000000000..6c15df5246
--- /dev/null
+++ b/http/token_header_size_test.go
@@ -0,0 +1,510 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package http
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	cleanhttp "github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/require"
+)
+
+// sendTokenHeaderRequest builds and dispatches an HTTP GET to addr, placing
+// token in the named header. For "Authorization", the value is wrapped as a
+// Bearer token per RFC 6750.
+func sendTokenHeaderRequest(t *testing.T, client *http.Client, addr, headerName, token string) (*http.Response, error) {
+	t.Helper()
+	req, err := http.NewRequest(http.MethodGet, addr+"/v1/auth/token/lookup-self", nil)
+	require.NoError(t, err)
+	if headerName == "Authorization" {
+		req.Header.Set("Authorization", "Bearer "+token)
+	} else {
+		req.Header.Set(headerName, token)
+	}
+	return client.Do(req)
+}
+
+// newTestClusterForTokenHeader creates a NewTestCluster with default settings
+// and returns the cluster, an HTTP client configured with TLS, and the address.
+func newTestClusterForTokenHeader(t *testing.T, opts *vault.TestClusterOptions) (*http.Client, string) {
+	t.Helper()
+	if opts == nil {
+		opts = &vault.TestClusterOptions{}
+	}
+	opts.HandlerFunc = Handler
+	cluster := vault.NewTestCluster(t, nil, opts)
+
+	core := cluster.Cores[0]
+	transport := cleanhttp.DefaultPooledTransport()
+	transport.TLSClientConfig = core.TLSConfig()
+	httpClient := &http.Client{Transport: transport, Timeout: 15 * time.Second}
+	return httpClient, core.Client.Address()
+}
+
+// TestTokenHeader_ExceedsDefaultLimit_IsRejected verifies that tokens larger than
+// DefaultMaxTokenHeaderSize are rejected with 431 before token validation occurs.
+func TestTokenHeader_ExceedsDefaultLimit_IsRejected(t *testing.T) {
+	t.Parallel()
+
+	client, addr := newTestClusterForTokenHeader(t, nil)
+
+	cases := []struct {
+		name       string
+		headerSize int
+		headerName string
+	}{
+		{
+			name:       "just-over-limit-x-vault-token",
+			headerSize: DefaultMaxTokenHeaderSize + 1,
+			headerName: consts.AuthHeaderName,
+		},
+		{
+			name:       "just-over-limit-authorization-bearer",
+			headerSize: DefaultMaxTokenHeaderSize + 1,
+			headerName: "Authorization",
+		},
+		{
+			name:       "100kb-x-vault-token",
+			headerSize: 100 * 1024,
+			headerName: consts.AuthHeaderName,
+		},
+		{
+			name:       "100kb-authorization-bearer",
+			headerSize: 100 * 1024,
+			headerName: "Authorization",
+		},
+		{
+			name:       "900kb-x-vault-token",
+			headerSize: 900 * 1024,
+			headerName: consts.AuthHeaderName,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			token := strings.Repeat("x", tc.headerSize)
+			resp, err := sendTokenHeaderRequest(t, client, addr, tc.headerName, token)
+			require.NoError(t, err)
+			defer resp.Body.Close()
+
+			require.Equal(t, http.StatusRequestHeaderFieldsTooLarge, resp.StatusCode,
+				"token of %d bytes must be rejected by Vault middleware (want 431, not 403)",
+				tc.headerSize)
+		})
+	}
+}
+
+// TestTokenHeader_WithinDefaultLimit_IsProcessed verifies that tokens at or
+// below DefaultMaxTokenHeaderSize reach token validation normally (403, not 400).
+func TestTokenHeader_WithinDefaultLimit_IsProcessed(t *testing.T) {
+	t.Parallel()
+
+	client, addr := newTestClusterForTokenHeader(t, nil)
+
+	cases := []struct {
+		name       string
+		headerSize int
+		headerName string
+	}{
+		{
+			name:       "512b-x-vault-token",
+			headerSize: 512,
+			headerName: consts.AuthHeaderName,
+		},
+		{
+			name:       "512b-authorization-bearer",
+			headerSize: 512,
+			headerName: "Authorization",
+		},
+		{
+			name:       "4kb-x-vault-token",
+			headerSize: 4 * 1024,
+			headerName: consts.AuthHeaderName,
+		},
+		{
+			name:       "at-limit-x-vault-token",
+			headerSize: DefaultMaxTokenHeaderSize,
+			headerName: consts.AuthHeaderName,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			token := strings.Repeat("x", tc.headerSize)
+			resp, err := sendTokenHeaderRequest(t, client, addr, tc.headerName, token)
+			require.NoError(t, err)
+			defer resp.Body.Close()
+
+			require.Equal(t, http.StatusForbidden, resp.StatusCode,
+				"token of %d bytes is within the limit and must reach validation", tc.headerSize)
+		})
+	}
+}
+
+// TestTokenHeader_ConfigurableLimit_Enforced verifies that an operator can
+// lower the token header size limit via the listener configuration, and that
+// Vault enforces the configured value rather than DefaultMaxTokenHeaderSize.
+func TestTokenHeader_ConfigurableLimit_Enforced(t *testing.T) {
+	t.Parallel()
+
+	const customLimit = 1024 // 1 KB — well below the default 8 KB
+	client, addr := newTestClusterForTokenHeader(t, &vault.TestClusterOptions{
+		DefaultHandlerProperties: vault.HandlerProperties{
+			ListenerConfig: &configutil.Listener{
+				CustomMaxTokenHeaderSize: customLimit,
+			},
+		},
+	})
+
+	oversized := strings.Repeat("x", customLimit+1)
+	resp, err := sendTokenHeaderRequest(t, client, addr, consts.AuthHeaderName, oversized)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusRequestHeaderFieldsTooLarge, resp.StatusCode,
+		"token exceeding custom limit of %d bytes must be rejected with 431", customLimit)
+
+	atLimit := strings.Repeat("x", customLimit)
+	resp2, err := sendTokenHeaderRequest(t, client, addr, consts.AuthHeaderName, atLimit)
+	require.NoError(t, err)
+	defer resp2.Body.Close()
+
+	require.Equal(t, http.StatusForbidden, resp2.StatusCode,
+		"token at the custom limit (%d bytes) must reach validation", customLimit)
+}
+
+// TestTokenHeader_MultipleAuthorizationHeaders_BypassPrevented verifies that an
+// oversized Bearer token is rejected even when a non-Bearer Authorization header
+// precedes it in the request.
+func TestTokenHeader_MultipleAuthorizationHeaders_BypassPrevented(t *testing.T) {
+	t.Parallel()
+
+	client, addr := newTestClusterForTokenHeader(t, nil)
+
+	oversizedBearer := strings.Repeat("x", DefaultMaxTokenHeaderSize+1)
+
+	req, err := http.NewRequest(http.MethodGet, addr+"/v1/auth/token/lookup-self", nil)
+	require.NoError(t, err)
+	req.Header.Add("Authorization", "Basic dXNlcjpwYXNz")
+	req.Header.Add("Authorization", "Bearer "+oversizedBearer)
+
+	resp, err := client.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusRequestHeaderFieldsTooLarge, resp.StatusCode,
+		"oversized Bearer token must be rejected even when a non-Bearer Authorization header precedes it")
+}
+
+// TestTokenHeader_DisabledLimit_AllowsOversizedToken verifies that setting
+// max_token_header_size = -1 in the listener config fully disables the check,
+// allowing tokens larger than DefaultMaxTokenHeaderSize to reach validation.
+func TestTokenHeader_DisabledLimit_AllowsOversizedToken(t *testing.T) {
+	t.Parallel()
+
+	client, addr := newTestClusterForTokenHeader(t, &vault.TestClusterOptions{
+		DefaultHandlerProperties: vault.HandlerProperties{
+			ListenerConfig: &configutil.Listener{
+				CustomMaxTokenHeaderSize: -1,
+			},
+		},
+	})
+
+	oversized := strings.Repeat("x", DefaultMaxTokenHeaderSize*2)
+	resp, err := sendTokenHeaderRequest(t, client, addr, consts.AuthHeaderName, oversized)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusForbidden, resp.StatusCode,
+		"with max_token_header_size = -1 the size guard must not fire; token must reach validation")
+}
+
+// TestTokenHeader_ErrorResponseFormat verifies that oversized-token rejections
+// return a valid Vault JSON error envelope with an "errors" array.
+func TestTokenHeader_ErrorResponseFormat(t *testing.T) {
+	t.Parallel()
+
+	client, addr := newTestClusterForTokenHeader(t, nil)
+
+	token := strings.Repeat("x", DefaultMaxTokenHeaderSize+1)
+	resp, err := sendTokenHeaderRequest(t, client, addr, consts.AuthHeaderName, token)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusRequestHeaderFieldsTooLarge, resp.StatusCode)
+	require.Equal(t, "application/json", resp.Header.Get("Content-Type"))
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+
+	var envelope struct {
+		Errors []string `json:"errors"`
+	}
+	require.NoError(t, json.Unmarshal(body, &envelope),
+		"response body must be valid JSON: %s", string(body))
+	require.NotEmpty(t, envelope.Errors,
+		"response must contain at least one error message")
+	require.Contains(t, envelope.Errors[0], "authentication token",
+		"error message must describe the token size violation")
+}
+
+// TestTokenHeader_NoAuthHeader_Unaffected verifies that requests with no
+// authentication header pass through wrapTokenHeaderSizeHandler unchanged.
+func TestTokenHeader_NoAuthHeader_Unaffected(t *testing.T) {
+	t.Parallel()
+
+	client, addr := newTestClusterForTokenHeader(t, nil)
+
+	req, err := http.NewRequest(http.MethodGet, addr+"/v1/auth/token/lookup-self", nil)
+	require.NoError(t, err)
+
+	resp, err := client.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusForbidden, resp.StatusCode,
+		"requests with no auth header must not be rejected by the size guard")
+}
+
+// BenchmarkTokenHeader_ProcessingCost measures the per-request overhead of
+// wrapTokenHeaderSizeHandler at increasing token sizes.
+func BenchmarkTokenHeader_ProcessingCost(b *testing.B) {
+	core, _, _ := vault.TestCoreUnsealed(b)
+	ln, addr := TestServer(b, core)
+	defer ln.Close()
+
+	sizes := []struct {
+		label string
+		bytes int
+	}{
+		{"1KB", 1 * 1024},
+		{"8KB", 8 * 1024},   // at default limit
+		{"64KB", 64 * 1024}, // above default limit — fast-rejected by wrapTokenHeaderSizeHandler
+		{"512KB", 512 * 1024},
+	}
+
+	client := cleanhttp.DefaultClient()
+	client.Timeout = 30 * time.Second
+
+	for _, sz := range sizes {
+		token := strings.Repeat("x", sz.bytes)
+		b.Run(fmt.Sprintf("size=%s", sz.label), func(b *testing.B) {
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				req, _ := http.NewRequest(http.MethodGet, addr+"/v1/auth/token/lookup-self", nil)
+				req.Header.Set(consts.AuthHeaderName, token)
+				resp, err := client.Do(req)
+				if err == nil {
+					io.Copy(io.Discard, resp.Body)
+					resp.Body.Close()
+				}
+			}
+		})
+	}
+}
+
+// TestTokenHeaderMaxBytes_NilConfig verifies that a nil listener config
+// returns DefaultMaxTokenHeaderSize.
+func TestTokenHeaderMaxBytes_NilConfig(t *testing.T) {
+	t.Parallel()
+	require.Equal(t, DefaultMaxTokenHeaderSize, TokenHeaderMaxBytes(nil))
+}
+
+// TestTokenHeaderMaxBytes_ZeroCustomSize verifies that a zero CustomMaxTokenHeaderSize
+// falls back to DefaultMaxTokenHeaderSize.
+func TestTokenHeaderMaxBytes_ZeroCustomSize(t *testing.T) {
+	t.Parallel()
+	lnConfig := &configutil.Listener{} // CustomMaxTokenHeaderSize == 0
+	require.Equal(t, DefaultMaxTokenHeaderSize, TokenHeaderMaxBytes(lnConfig))
+}
+
+// TestTokenHeaderMaxBytes_CustomSize verifies that a positive CustomMaxTokenHeaderSize
+// is returned verbatim.
+func TestTokenHeaderMaxBytes_CustomSize(t *testing.T) {
+	t.Parallel()
+	lnConfig := &configutil.Listener{CustomMaxTokenHeaderSize: 4096}
+	require.Equal(t, 4096, TokenHeaderMaxBytes(lnConfig))
+}
+
+// TestTokenHeaderMaxBytes_Disabled verifies that max_token_header_size = -1
+// returns 0, leaving http.Server.MaxHeaderBytes at the Go stdlib default.
+func TestTokenHeaderMaxBytes_Disabled(t *testing.T) {
+	t.Parallel()
+	lnConfig := &configutil.Listener{CustomMaxTokenHeaderSize: -1}
+	require.Equal(t, 0, TokenHeaderMaxBytes(lnConfig))
+}
+
+// TestTokenHeader_StdlibBackstop_NonAuthHeaderRejected verifies that setting
+// MaxHeaderBytes on http.Server rejects oversized non-authentication headers that
+// wrapTokenHeaderSizeHandler does not inspect.
+func TestTokenHeader_StdlibBackstop_NonAuthHeaderRejected(t *testing.T) {
+	t.Parallel()
+
+	core, _, _ := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	oversizedValue := strings.Repeat("x", DefaultMaxTokenHeaderSize*2)
+
+	req, err := http.NewRequest(http.MethodGet, addr+"/v1/sys/health", nil)
+	require.NoError(t, err)
+	req.Header.Set("X-Evil-Header", oversizedValue)
+
+	client := cleanhttp.DefaultClient()
+	client.Timeout = 15 * time.Second
+	resp, err := client.Do(req)
+	if err == nil {
+		defer resp.Body.Close()
+		require.NotEqual(t, http.StatusOK, resp.StatusCode,
+			"oversized non-auth header must not reach the application layer")
+	}
+}
+
+// TestTokenHeaderMaxBytes_ServerUsesCorrectDefault verifies that an http.Server
+// built with TokenHeaderMaxBytes(nil) enforces the limit on any header.
+func TestTokenHeaderMaxBytes_ServerUsesCorrectDefault(t *testing.T) {
+	t.Parallel()
+
+	reached := false
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		reached = true
+		w.WriteHeader(http.StatusOK)
+	})
+
+	srv := &http.Server{
+		Handler:        inner,
+		MaxHeaderBytes: TokenHeaderMaxBytes(nil),
+	}
+
+	// Start on a random port.
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	go func() {
+		if err := srv.Serve(ln); err != nil && err != http.ErrServerClosed {
+			t.Errorf("srv.Serve: %v", err)
+		}
+	}()
+	t.Cleanup(func() { srv.Close() })
+
+	addr := "http://" + ln.Addr().String()
+
+	t.Run("within_limit_reaches_handler", func(t *testing.T) {
+		reached = false
+		req, err := http.NewRequest(http.MethodGet, addr+"/", nil)
+		require.NoError(t, err)
+		req.Header.Set("X-Test", strings.Repeat("a", DefaultMaxTokenHeaderSize-200))
+		resp, err := cleanhttp.DefaultClient().Do(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+		require.Equal(t, http.StatusOK, resp.StatusCode)
+		require.True(t, reached, "handler should have been called for a within-limit request")
+	})
+
+	t.Run("exceeds_limit_rejected_by_stdlib", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, addr+"/", nil)
+		require.NoError(t, err)
+		// 2× to exceed the stdlib's effective limit (MaxHeaderBytes + 4096).
+		req.Header.Set("X-Evil", strings.Repeat("x", DefaultMaxTokenHeaderSize*2))
+		resp, err := cleanhttp.DefaultClient().Do(req)
+		if err == nil {
+			defer resp.Body.Close()
+			require.NotEqual(t, http.StatusOK, resp.StatusCode,
+				"stdlib must reject a request whose headers exceed MaxHeaderBytes")
+		}
+	})
+}
+
+// TestTokenHeader_ClusterListener_SkipsCheck verifies that the cluster listener
+// does not re-enforce the token header size limit on forwarded requests.
+// This prevents a regression where a user raising CustomMaxTokenHeaderSize above
+// the default would see forwarded requests rejected by the active node's cluster
+// listener, which only knows the default limit (same failure mode as the JSON
+// limits regression fixed by DisableJSONLimitParsing).
+func TestTokenHeader_ClusterListener_SkipsCheck(t *testing.T) {
+	// A token that exceeds the default limit but would be allowed by a custom
+	// API-listener limit of 16 KB. The cluster listener must pass it through
+	// without re-checking.
+	oversizedForDefault := strings.Repeat("a", DefaultMaxTokenHeaderSize+100)
+
+	// Cluster listener is configured identically to how server.go sets it up:
+	// DisableTokenHeaderSizeParsing = true, no CustomMaxTokenHeaderSize override.
+	clusterProps := &vault.HandlerProperties{
+		ListenerConfig: &configutil.Listener{
+			DisableTokenHeaderSizeParsing: true,
+		},
+	}
+
+	reached := false
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		reached = true
+		w.WriteHeader(http.StatusOK)
+	})
+
+	clusterHandler := wrapTokenHeaderSizeHandler(inner, clusterProps)
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	srv := &http.Server{Handler: clusterHandler}
+	go func() {
+		if err := srv.Serve(ln); err != nil && err != http.ErrServerClosed {
+			t.Errorf("srv.Serve: %v", err)
+		}
+	}()
+	t.Cleanup(func() { srv.Close() })
+
+	addr := "http://" + ln.Addr().String()
+
+	t.Run("oversized_token_passes_cluster_listener", func(t *testing.T) {
+		reached = false
+		req, err := http.NewRequest(http.MethodGet, addr+"/", nil)
+		require.NoError(t, err)
+		req.Header.Set(consts.AuthHeaderName, oversizedForDefault)
+		resp, err := cleanhttp.DefaultClient().Do(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+		require.Equal(t, http.StatusOK, resp.StatusCode,
+			"cluster listener must not re-enforce the token size limit on forwarded requests")
+		require.True(t, reached, "inner handler should be reached on the cluster listener")
+	})
+
+	t.Run("api_listener_still_enforces_default_limit", func(t *testing.T) {
+		// Confirm the same token is rejected by a normal API-listener handler
+		// (no DisableTokenHeaderSizeParsing), so we know the test token really does
+		// exceed the default limit.
+		apiProps := &vault.HandlerProperties{
+			ListenerConfig: &configutil.Listener{},
+		}
+		apiHandler := wrapTokenHeaderSizeHandler(inner, apiProps)
+
+		apiLn, err := net.Listen("tcp", "127.0.0.1:0")
+		require.NoError(t, err)
+		apiSrv := &http.Server{Handler: apiHandler}
+		go func() {
+			if err := apiSrv.Serve(apiLn); err != nil && err != http.ErrServerClosed {
+				t.Errorf("apiSrv.Serve: %v", err)
+			}
+		}()
+		t.Cleanup(func() { apiSrv.Close() })
+
+		req, err := http.NewRequest(http.MethodGet, "http://"+apiLn.Addr().String()+"/", nil)
+		require.NoError(t, err)
+		req.Header.Set(consts.AuthHeaderName, oversizedForDefault)
+		resp, err := cleanhttp.DefaultClient().Do(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+		require.Equal(t, http.StatusRequestHeaderFieldsTooLarge, resp.StatusCode,
+			"API listener must reject a token that exceeds the default size limit")
+	})
+}
diff --git a/http/unwrapping_raw_body_test.go b/http/unwrapping_raw_body_test.go
index e4b12c8894..50cce834c4 100644
--- a/http/unwrapping_raw_body_test.go
+++ b/http/unwrapping_raw_body_test.go
@@ -21,11 +21,6 @@ func TestUnwrapping_Raw_Body(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
-	vault.TestWaitActive(t, core)
 	client := cluster.Cores[0].Client
 
 	// Mount a k/v backend, version 2
diff --git a/http/util.go b/http/util.go
index b89255888a..18d550742e 100644
--- a/http/util.go
+++ b/http/util.go
@@ -15,6 +15,7 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/limits"
+	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
@@ -23,6 +24,8 @@ import (
 
 var nonVotersAllowed = false
 
+const maxTokenHeaderSizeDefault = 0
+
 // ctxKeyRoleBasedQuota is used to signal that role-based quota resolution
 // is needed for the request.
 type ctxKeyRoleBasedQuota struct{}
@@ -45,6 +48,58 @@ func resetBodyIfRead(r *http.Request, buf *bytes.Buffer) *http.Request {
 	return r
 }
 
+// wrapTokenHeaderSizeHandler rejects requests whose authentication token header
+// exceeds the configured size limit.
+func wrapTokenHeaderSizeHandler(handler http.Handler, props *vault.HandlerProperties) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var maxTokenHeaderSize int64
+		if props.ListenerConfig != nil {
+			// Skip the check on the cluster listener. Forwarded requests have
+			// already been validated at the API listener on the originating node,
+			// so re-checking here would cause a regression when a custom limit
+			// larger than the default is configured.
+			if props.ListenerConfig.DisableTokenHeaderSizeParsing {
+				handler.ServeHTTP(w, r)
+				return
+			}
+			maxTokenHeaderSize = props.ListenerConfig.CustomMaxTokenHeaderSize
+		}
+		if maxTokenHeaderSize == maxTokenHeaderSizeDefault {
+			maxTokenHeaderSize = DefaultMaxTokenHeaderSize
+		}
+
+		if maxTokenHeaderSize > 0 {
+			bearerPrefix := "Bearer "
+			tokenLen := int64(len(r.Header.Get(consts.AuthHeaderName)))
+			if tokenLen > maxTokenHeaderSize {
+				respondError(w, http.StatusRequestHeaderFieldsTooLarge,
+					fmt.Errorf("authentication token exceeds maximum allowed header size of %d bytes", maxTokenHeaderSize))
+				return
+			}
+
+			// Iterate all Authorization headers to mirror getTokenFromReq, which
+			// ranges over r.Header["Authorization"] to find the first Bearer value.
+			// Using r.Header.Get would only check the first header and could be
+			// bypassed by placing a non-Bearer Authorization header first.
+			for _, v := range r.Header["Authorization"] {
+				if !strings.HasPrefix(v, bearerPrefix) {
+					continue
+				}
+				bearerTokenLen := int64(len(strings.TrimSpace(v[len(bearerPrefix):])))
+				if bearerTokenLen > maxTokenHeaderSize {
+					respondError(w, http.StatusRequestHeaderFieldsTooLarge,
+						fmt.Errorf("authentication token exceeds maximum allowed header size of %d bytes", maxTokenHeaderSize))
+					return
+				}
+				// Only the first Bearer value is used by getTokenFromReq; stop after checking it.
+				break
+			}
+		}
+
+		handler.ServeHTTP(w, r)
+	})
+}
+
 // wrapMaxRequestSizeHandler limits the size of the request body to the
 // configured size
 func wrapMaxRequestSizeHandler(handler http.Handler, props *vault.HandlerProperties) http.Handler {
diff --git a/http/util_oss.go b/http/util_oss.go
index d275e1aef2..77232f5815 100644
--- a/http/util_oss.go
+++ b/http/util_oss.go
@@ -19,7 +19,7 @@ func entWrapGenericHandler(core *vault.Core, in http.Handler, props *vault.Handl
 	return wrapGenericHandler(core, in, props)
 }
 
-func entAdditionalRoutes(mux *http.ServeMux, core *vault.Core) {}
+func entDROperationRoutes(mux *http.ServeMux, core *vault.Core) {}
 
 func entAdjustResponse(core *vault.Core, w http.ResponseWriter, req *logical.Request) {
 }
diff --git a/internalshared/configutil/listener.go b/internalshared/configutil/listener.go
index d0413f8aed..6af9c61e78 100644
--- a/internalshared/configutil/listener.go
+++ b/internalshared/configutil/listener.go
@@ -19,6 +19,7 @@ import (
 	"github.com/hashicorp/go-sockaddr/template"
 	"github.com/hashicorp/hcl"
 	"github.com/hashicorp/hcl/hcl/ast"
+	"github.com/hashicorp/hcl/hcl/token"
 	"github.com/hashicorp/vault/helper/namespace"
 )
 
@@ -176,6 +177,15 @@ type Listener struct {
 	// CustomMaxJSONToken determines the maximum number of tokens in a JSON.
 	CustomMaxJSONTokenRaw interface{} `hcl:"max_json_token"`
 	CustomMaxJSONToken    int64       `hcl:"-"`
+
+	// DisableTokenHeaderSizeParsing disables the token header size check. This is only applicable
+	// to the listener config passed into the Cluster listener since forwarded requests have already
+	// been checked via the API listener on the originating node.
+	DisableTokenHeaderSizeParsing bool `hcl:"-"`
+
+	// CustomMaxTokenHeaderSize defines the maximum allowed size in bytes for an authentication token header.
+	CustomMaxTokenHeaderSizeRaw interface{} `hcl:"max_token_header_size"`
+	CustomMaxTokenHeaderSize    int64       `hcl:"-"`
 }
 
 // AgentAPI allows users to select which parts of the Agent API they want enabled.
@@ -194,6 +204,7 @@ func (l *Listener) GoString() string {
 
 func (l *Listener) Validate(path string) []ConfigError {
 	results := append(ValidateUnusedFields(l.UnusedKeys, path), ValidateUnusedFields(l.Telemetry.UnusedKeys, path)...)
+	results = append(results, l.validateForwardedForSettings(path)...)
 	return append(results, ValidateUnusedFields(l.Profiling.UnusedKeys, path)...)
 }
 
@@ -499,6 +510,13 @@ func (l *Listener) parseRequestSettings() error {
 		return err
 	}
 
+	if err := parseAndClearInt(&l.CustomMaxTokenHeaderSizeRaw, &l.CustomMaxTokenHeaderSize); err != nil {
+		return fmt.Errorf("error parsing max_token_header_size: %w", err)
+	}
+	// A negative value disables the check entirely, matching the max_request_size
+	// convention. Unlike the CustomMaxJSON* fields, negative is intentionally
+	// allowed here (not an error).
+
 	return nil
 }
 
@@ -647,6 +665,80 @@ func (l *Listener) parseForwardedForSettings() error {
 	return nil
 }
 
+func (l *Listener) validateForwardedForSettings(fileName string) []ConfigError {
+	configErrors := []ConfigError{}
+
+	if len(l.XForwardedForAuthorizedAddrs) == 0 {
+		if l.XForwardedForRejectNotAuthorizedRaw != nil {
+			configErrors = append(configErrors, ConfigError{
+				"x_forwarded_for_authorized_addrs is not set, so forwarding is not enabled but x_forwarded_for_reject_not_authorized was set",
+				token.Pos{
+					Filename: fileName,
+				},
+			})
+		}
+		if l.XForwardedForRejectNotPresentRaw != nil {
+			configErrors = append(configErrors, ConfigError{
+				"x_forwarded_for_authorized_addrs is not set, so forwarding is not enabled but x_forwarded_for_reject_not_present was set",
+				token.Pos{
+					Filename: fileName,
+				},
+			})
+		}
+		if l.XForwardedForHopSkipsRaw != nil {
+			configErrors = append(configErrors, ConfigError{
+				"x_forwarded_for_authorized_addrs is not set, so forwarding is not enabled but x_forwarded_for_hops_skips was set",
+				token.Pos{
+					Filename: fileName,
+				},
+			})
+		}
+		if l.XForwardedForClientCertHeader != "" {
+			configErrors = append(configErrors, ConfigError{
+				"x_forwarded_for_authorized_addrs is not set, so forwarding is not enabled but x_forwarded_for_client_cert_header was set",
+				token.Pos{
+					Filename: fileName,
+				},
+			})
+		}
+		if l.XForwardedForClientCertHeaderDecoders != "" {
+			configErrors = append(configErrors, ConfigError{
+				"x_forwarded_for_authorized_addrs is not set, so forwarding is not enabled but x_forwarded_for_client_cert_header_decoders was set",
+				token.Pos{
+					Filename: fileName,
+				},
+			})
+		}
+	}
+
+	if l.XForwardedForClientCertHeader == "" && l.XForwardedForClientCertHeaderDecoders != "" {
+		configErrors = append(configErrors, ConfigError{
+			"x_forwarded_for_client_cert_header_decoders was set, but not x_forwarded_for_client_cert_header was set to be decoded",
+			token.Pos{
+				Filename: fileName,
+			},
+		})
+	}
+	if l.XForwardedForClientCertHeader != "" && l.XForwardedForClientCertHeaderDecoders == "" {
+		configErrors = append(configErrors, ConfigError{
+			"x_forwarded_for_client_cert_header was set, but no x_forwarded_for_client_cert_header_decoders were set to decode that header",
+			token.Pos{
+				Filename: fileName,
+			},
+		})
+	}
+	if strings.Contains(l.XForwardedForClientCertHeaderDecoders, "DER") && !strings.HasSuffix(l.XForwardedForClientCertHeaderDecoders, "DER") {
+		configErrors = append(configErrors, ConfigError{
+			"x_forwarded_for_client_cert_header_decoders DER decoder actually decodes PEM into DER, and therefore can only function as the final decoder",
+			token.Pos{
+				Filename: fileName,
+			},
+		})
+	}
+
+	return configErrors
+}
+
 // parseTelemetrySettings attempts to parse the raw listener telemetry settings.
 // The state of the listener will be modified, raw data will be cleared upon
 // successful parsing.
diff --git a/internalshared/configutil/listener_test.go b/internalshared/configutil/listener_test.go
index 4620f164c6..730ed1dd17 100644
--- a/internalshared/configutil/listener_test.go
+++ b/internalshared/configutil/listener_test.go
@@ -232,6 +232,8 @@ func TestListener_parseRequestSettings(t *testing.T) {
 		expectedCustomMaxJSONArrayElementCount int64
 		rawCustomMaxJSONToken                  any
 		expectedCustomMaxJSONToken             int64
+		rawCustomMaxTokenHeaderSize            any
+		expectedCustomMaxTokenHeaderSize       int64
 		isErrorExpected                        bool
 		errorMessage                           string
 	}{
@@ -323,6 +325,23 @@ func TestListener_parseRequestSettings(t *testing.T) {
 			expectedCustomMaxJSONToken: 500000,
 			isErrorExpected:            false,
 		},
+		"max-token-header-size-bad": {
+			rawCustomMaxTokenHeaderSize: "badvalue",
+			isErrorExpected:             true,
+			errorMessage:                "error parsing max_token_header_size",
+		},
+		// -1 is valid: it disables the token header size limit entirely,
+		// following the same convention as max_request_size = -1.
+		"max-token-header-size-disable": {
+			rawCustomMaxTokenHeaderSize:      "-1",
+			expectedCustomMaxTokenHeaderSize: -1,
+			isErrorExpected:                  false,
+		},
+		"max-token-header-size-good": {
+			rawCustomMaxTokenHeaderSize:      "4096",
+			expectedCustomMaxTokenHeaderSize: 4096,
+			isErrorExpected:                  false,
+		},
 	}
 
 	for name, tc := range tests {
@@ -341,6 +360,7 @@ func TestListener_parseRequestSettings(t *testing.T) {
 				CustomMaxJSONObjectEntryCountRaw:  tc.rawCustomMaxJSONObjectEntryCount,
 				CustomMaxJSONArrayElementCountRaw: tc.rawCustomMaxJSONArrayElementCount,
 				CustomMaxJSONTokenRaw:             tc.rawCustomMaxJSONToken,
+				CustomMaxTokenHeaderSizeRaw:       tc.rawCustomMaxTokenHeaderSize,
 			}
 
 			err := l.parseRequestSettings()
@@ -357,6 +377,7 @@ func TestListener_parseRequestSettings(t *testing.T) {
 				require.Equal(t, tc.expectedCustomMaxJSONObjectEntryCount, l.CustomMaxJSONObjectEntryCount)
 				require.Equal(t, tc.expectedCustomMaxJSONArrayElementCount, l.CustomMaxJSONArrayElementCount)
 				require.Equal(t, tc.expectedCustomMaxJSONToken, l.CustomMaxJSONToken)
+				require.Equal(t, tc.expectedCustomMaxTokenHeaderSize, l.CustomMaxTokenHeaderSize)
 				require.Equal(t, tc.expectedRequireRequestHeader, l.RequireRequestHeader)
 				require.Equal(t, tc.expectedDisableRequestLimiter, l.DisableRequestLimiter)
 				require.Equal(t, tc.expectedDuration, l.MaxRequestDuration)
@@ -367,6 +388,7 @@ func TestListener_parseRequestSettings(t *testing.T) {
 				require.Nil(t, l.CustomMaxJSONObjectEntryCountRaw)
 				require.Nil(t, l.CustomMaxJSONArrayElementCountRaw)
 				require.Nil(t, l.CustomMaxJSONTokenRaw)
+				require.Nil(t, l.CustomMaxTokenHeaderSizeRaw)
 				require.Nil(t, l.MaxRequestDurationRaw)
 				require.Nil(t, l.RequireRequestHeaderRaw)
 				require.Nil(t, l.DisableRequestLimiterRaw)
diff --git a/main.go b/main.go
index 7ceceeeeb0..8e47ce2632 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,8 @@
 // Copyright IBM Corp. 2016, 2025
 // SPDX-License-Identifier: BUSL-1.1
 
+//go:debug cryptocustomrand=1
+
 package main // import "github.com/hashicorp/vault"
 
 import (
diff --git a/physical/aerospike/aerospike_test.go b/physical/aerospike/aerospike_test.go
index e8cc91532e..71ddcc2218 100644
--- a/physical/aerospike/aerospike_test.go
+++ b/physical/aerospike/aerospike_test.go
@@ -11,11 +11,11 @@ import (
 	"time"
 
 	aero "github.com/aerospike/aerospike-client-go/v8"
-	"github.com/docker/docker/api/types/container"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/physical"
+	"github.com/moby/moby/api/types/container"
 )
 
 func TestAerospikeBackend(t *testing.T) {
diff --git a/physical/cockroachdb/cockroachdb.go b/physical/cockroachdb/cockroachdb.go
index d4042b5e8e..1ed284043f 100644
--- a/physical/cockroachdb/cockroachdb.go
+++ b/physical/cockroachdb/cockroachdb.go
@@ -20,7 +20,7 @@ import (
 	"github.com/hashicorp/go-secure-stdlib/permitpool"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/sdk/physical"
-	_ "github.com/jackc/pgx/v4/stdlib"
+	_ "github.com/jackc/pgx/v5/stdlib"
 )
 
 // Verify CockroachDBBackend satisfies the correct interfaces
diff --git a/physical/consul/consul.go b/physical/consul/consul.go
index 25fb88c5c8..8cde037583 100644
--- a/physical/consul/consul.go
+++ b/physical/consul/consul.go
@@ -348,8 +348,8 @@ func (c *ConsulBackend) txnInternal(ctx context.Context, txns []*physical.TxnEnt
 
 	ok, resp, _, err := c.txn.Txn(ops, queryOpts)
 	if err != nil {
-		if strings.Contains(err.Error(), "is too large") {
-			return fmt.Errorf("%s: %w", physical.ErrValueTooLarge, err)
+		if strings.Contains(err.Error(), " too large") {
+			return errors.Join(physical.ErrValueSize, err)
 		}
 		return err
 	}
diff --git a/physical/manta/manta.go b/physical/manta/manta.go
index ba608214a3..402e3d2fbb 100644
--- a/physical/manta/manta.go
+++ b/physical/manta/manta.go
@@ -15,14 +15,14 @@ import (
 	"strings"
 	"time"
 
+	triton "github.com/TritonDataCenter/triton-go/v2"
+	"github.com/TritonDataCenter/triton-go/v2/authentication"
+	"github.com/TritonDataCenter/triton-go/v2/errors"
+	"github.com/TritonDataCenter/triton-go/v2/storage"
 	metrics "github.com/armon/go-metrics"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/permitpool"
 	"github.com/hashicorp/vault/sdk/physical"
-	triton "github.com/joyent/triton-go"
-	"github.com/joyent/triton-go/authentication"
-	"github.com/joyent/triton-go/errors"
-	"github.com/joyent/triton-go/storage"
 )
 
 const mantaDefaultRootStore = "/stor"
diff --git a/physical/manta/manta_test.go b/physical/manta/manta_test.go
index 0c797d32ae..3518f2e1af 100644
--- a/physical/manta/manta_test.go
+++ b/physical/manta/manta_test.go
@@ -12,14 +12,14 @@ import (
 	"testing"
 	"time"
 
+	triton "github.com/TritonDataCenter/triton-go/v2"
+	"github.com/TritonDataCenter/triton-go/v2/authentication"
+	tt "github.com/TritonDataCenter/triton-go/v2/errors"
+	"github.com/TritonDataCenter/triton-go/v2/storage"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/permitpool"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/physical"
-	triton "github.com/joyent/triton-go"
-	"github.com/joyent/triton-go/authentication"
-	tt "github.com/joyent/triton-go/errors"
-	"github.com/joyent/triton-go/storage"
 )
 
 func TestMantaBackend(t *testing.T) {
diff --git a/physical/postgresql/postgresql.go b/physical/postgresql/postgresql.go
index 64d45c10d3..7464a4d3c5 100644
--- a/physical/postgresql/postgresql.go
+++ b/physical/postgresql/postgresql.go
@@ -232,7 +232,7 @@ func getAuthConfig(ctx context.Context, url string, conf map[string]string, log
 
 		authOptions.AuthMethod = pgmultiauth.AWSAuth
 		authOptions.AWSDBRegion = conf["aws_db_region"]
-	case "azure_msi":
+	case "azure_msi", "azure":
 		authOptions.AuthMethod = pgmultiauth.AzureAuth
 		authOptions.AzureClientID = conf["azure_client_id"]
 	case "gcp_iam":
diff --git a/physical/postgresql/postgresql_test.go b/physical/postgresql/postgresql_test.go
index 7c2f45525c..74e0791108 100644
--- a/physical/postgresql/postgresql_test.go
+++ b/physical/postgresql/postgresql_test.go
@@ -15,7 +15,7 @@ import (
 	"github.com/hashicorp/vault/helper/testhelpers/postgresql"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/physical"
-	_ "github.com/jackc/pgx/v4/stdlib"
+	_ "github.com/jackc/pgx/v5/stdlib"
 )
 
 func TestPostgreSQLBackend(t *testing.T) {
diff --git a/physical/raft/fsm.go b/physical/raft/fsm.go
index 3e7bf052e5..ccf6381daf 100644
--- a/physical/raft/fsm.go
+++ b/physical/raft/fsm.go
@@ -781,7 +781,7 @@ func (f *FSM) ApplyBatch(logs []*raft.Log) []interface{} {
 							go f.restoreCb(context.Background())
 						}
 					default:
-						return fmt.Errorf("%q is not a supported transaction operation", op.OpType)
+						return fmt.Errorf("%d is not a supported transaction operation", op.OpType)
 					}
 					if err != nil {
 						return err
diff --git a/physical/raft/raft.go b/physical/raft/raft.go
index 2f6b946a6a..f122cefde4 100644
--- a/physical/raft/raft.go
+++ b/physical/raft/raft.go
@@ -1080,6 +1080,9 @@ func ApplyConfigSettings(logger log.Logger, parsedConf map[string]string, config
 		if err != nil {
 			return err
 		}
+		if multiplier <= 0 {
+			return fmt.Errorf("performance_multiplier must be greater than 0")
+		}
 	}
 	config.ElectionTimeout *= time.Duration(multiplier)
 	config.HeartbeatTimeout *= time.Duration(multiplier)
@@ -2013,7 +2016,7 @@ func (b *RaftBackend) validateCommandEntrySizes(command *LogData) (uint64, error
 		if op.OpType == putOp {
 			entrySize := b.entrySizeLimitForPath(op.Key)
 			if len(op.Value) > int(entrySize) {
-				return 0, fmt.Errorf("%s, max value size for key %s is %d, got %d", physical.ErrValueTooLarge, op.Key, entrySize, len(op.Value))
+				return 0, fmt.Errorf("%w, max value size for key %s is %d, got %d", physical.ErrValueSize, op.Key, entrySize, len(op.Value))
 			}
 			if entrySize > largestEntryLimit {
 				largestEntryLimit = entrySize
diff --git a/physical/raft/raft_test.go b/physical/raft/raft_test.go
index 490aa9358f..f4e1ba563a 100644
--- a/physical/raft/raft_test.go
+++ b/physical/raft/raft_test.go
@@ -950,6 +950,20 @@ func TestRaft_Backend_Performance(t *testing.T) {
 		if localConfig.LeaderLeaseTimeout != defaultConfig.LeaderLeaseTimeout {
 			t.Fatalf("bad config: %v", localConfig)
 		}
+
+		b.conf = map[string]string{
+			"path":                   dir,
+			"performance_multiplier": "0",
+		}
+
+		localConfig = raft.DefaultConfig()
+		err = ApplyConfigSettings(b.logger, b.conf, localConfig)
+		if err == nil {
+			t.Fatal("expected error for performance_multiplier=0")
+		}
+		if !strings.Contains(err.Error(), "performance_multiplier") {
+			t.Fatalf("expected error to mention performance_multiplier, got: %v", err)
+		}
 	})
 }
 
diff --git a/plugins/database/hana/hana.go b/plugins/database/hana/hana.go
index 96345dffa3..fcf71f8a65 100644
--- a/plugins/database/hana/hana.go
+++ b/plugins/database/hana/hana.go
@@ -344,25 +344,27 @@ func (h *HANA) revokeUserDefault(ctx context.Context, req dbplugin.DeleteUserReq
 	}
 	defer tx.Rollback()
 
+	quotedUsername := dbutil.QuoteIdentifier(req.Username)
+
 	// Disable server login for user
-	disableStmt, err := tx.PrepareContext(ctx, fmt.Sprintf("ALTER USER %s DEACTIVATE USER NOW", req.Username))
+	disableStmt, err := tx.PrepareContext(ctx, fmt.Sprintf("ALTER USER %s DEACTIVATE USER NOW", quotedUsername))
 	if err != nil {
-		return dbplugin.DeleteUserResponse{}, err
+		return dbplugin.DeleteUserResponse{}, fmt.Errorf("failed to prepare disable-user statement: %w", err)
 	}
 	defer disableStmt.Close()
 	if _, err := disableStmt.ExecContext(ctx); err != nil {
-		return dbplugin.DeleteUserResponse{}, err
+		return dbplugin.DeleteUserResponse{}, fmt.Errorf("failed to execute disable-user statement: %w", err)
 	}
 
 	// Invalidates current sessions and performs soft drop (drop if no dependencies)
 	// if hard drop is desired, custom revoke statements should be written for role
-	dropStmt, err := tx.PrepareContext(ctx, fmt.Sprintf("DROP USER %s RESTRICT", req.Username))
+	dropStmt, err := tx.PrepareContext(ctx, fmt.Sprintf("DROP USER %s RESTRICT", quotedUsername))
 	if err != nil {
-		return dbplugin.DeleteUserResponse{}, err
+		return dbplugin.DeleteUserResponse{}, fmt.Errorf("failed to prepare drop-user statement: %w", err)
 	}
 	defer dropStmt.Close()
 	if _, err := dropStmt.ExecContext(ctx); err != nil {
-		return dbplugin.DeleteUserResponse{}, err
+		return dbplugin.DeleteUserResponse{}, fmt.Errorf("failed to execute drop-user statement: %w", err)
 	}
 
 	// Commit transaction
diff --git a/plugins/database/hana/hana_test.go b/plugins/database/hana/hana_test.go
index abb7543865..94f024e970 100644
--- a/plugins/database/hana/hana_test.go
+++ b/plugins/database/hana/hana_test.go
@@ -256,6 +256,82 @@ func TestHANA_DeleteUser(t *testing.T) {
 	}
 }
 
+// TestHANA_DeleteUser_DefaultRevoke_QuotesIdentifier_PreventsInjection verifies
+// that the default revoke path quotes the username as an identifier and does not
+// execute injected SQL.
+func TestHANA_DeleteUser_DefaultRevoke_QuotesIdentifier_PreventsInjection(t *testing.T) {
+	if os.Getenv("HANA_URL") == "" || os.Getenv("VAULT_ACC") != "1" {
+		t.SkipNow()
+	}
+	connURL := os.Getenv("HANA_URL")
+
+	connectionDetails := map[string]interface{}{
+		"connection_url": connURL,
+	}
+
+	initReq := dbplugin.InitializeRequest{
+		Config:           connectionDetails,
+		VerifyConnection: true,
+	}
+
+	db := new()
+	dbtesting.AssertInitialize(t, db, initReq)
+	defer dbtesting.AssertClose(t, db)
+
+	cleanupUser := func(username string) {
+		_, _ = db.DeleteUser(context.Background(), dbplugin.DeleteUserRequest{
+			Username: username,
+			Statements: dbplugin.Statements{
+				Commands: []string{testHANADrop},
+			},
+		})
+	}
+
+	decoyPassword := "Decoy_ThirtyTwo_Chars_Password_1"
+	victimPassword := "Victim_ThirtyTwo_Chars_Password_2"
+
+	decoy := dbtesting.AssertNewUser(t, db, dbplugin.NewUserRequest{
+		UsernameConfig: dbplugin.UsernameMetadata{
+			DisplayName: "decoy",
+			RoleName:    "sqli",
+		},
+		Password: decoyPassword,
+		Statements: dbplugin.Statements{
+			Commands: []string{testHANARole},
+		},
+		Expiration: time.Now().Add(time.Hour),
+	})
+	t.Cleanup(func() { cleanupUser(decoy.Username) })
+
+	victim := dbtesting.AssertNewUser(t, db, dbplugin.NewUserRequest{
+		UsernameConfig: dbplugin.UsernameMetadata{
+			DisplayName: "victim",
+			RoleName:    "sqli",
+		},
+		Password: victimPassword,
+		Statements: dbplugin.Statements{
+			Commands: []string{testHANARole},
+		},
+		Expiration: time.Now().Add(time.Hour),
+	})
+	t.Cleanup(func() { cleanupUser(victim.Username) })
+
+	assertCredsExist(t, connURL, decoy.Username, decoyPassword)
+	assertCredsExist(t, connURL, victim.Username, victimPassword)
+
+	injectedUsername := fmt.Sprintf(`%s"; DROP USER "%s" CASCADE; --`, decoy.Username, victim.Username)
+
+	_, err := db.DeleteUser(context.Background(), dbplugin.DeleteUserRequest{
+		Username: injectedUsername,
+		Statements: dbplugin.Statements{
+			Commands: []string{},
+		},
+	})
+	require.Error(t, err)
+
+	assertCredsExist(t, connURL, victim.Username, victimPassword)
+}
+
 func testCredsExist(t testing.TB, connURL, username, password string) error {
 	// Log in with the new creds
 	parts := strings.Split(connURL, "@")
diff --git a/plugins/database/mssql/mssql.go b/plugins/database/mssql/mssql.go
index 497619db31..17709e2dd6 100644
--- a/plugins/database/mssql/mssql.go
+++ b/plugins/database/mssql/mssql.go
@@ -189,20 +189,19 @@ func (m *MSSQL) DeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest)
 
 	merr := &multierror.Error{}
 
-	// Execute each query
+	// Execute each command string as a single batch rather than splitting on
+	// semicolons. Splitting on ";" destroys the batch boundary, causing subsequent
+	// statements (e.g. DROP USER) to run in the wrong database context and fail.
 	for _, stmt := range req.Statements.Commands {
-		for _, query := range strutil.ParseArbitraryStringSlice(stmt, ";") {
-			query = strings.TrimSpace(query)
-			if len(query) == 0 {
-				continue
-			}
+		if strings.TrimSpace(stmt) == "" {
+			continue
+		}
 
-			m := map[string]string{
-				"name": req.Username,
-			}
-			if err := dbtxn.ExecuteDBQueryDirect(ctx, db, m, query); err != nil {
-				merr = multierror.Append(merr, err)
-			}
+		m := map[string]string{
+			"name": req.Username,
+		}
+		if err := dbtxn.ExecuteDBQueryDirect(ctx, db, m, stmt); err != nil {
+			merr = multierror.Append(merr, err)
 		}
 	}
 
@@ -272,12 +271,17 @@ func (m *MSSQL) revokeUserDefault(ctx context.Context, username string) error {
 		revokeStmts = append(revokeStmts, fmt.Sprintf("KILL %d;", sessionID))
 	}
 
-	// Query for database users using undocumented stored procedure for now since
-	// it is the easiest way to get this information;
-	// we need to drop the database users before we can drop the login and the role
-	// This isn't done in a transaction because even if we fail along the way,
-	// we want to remove as much access as possible
-	stmt, err := db.PrepareContext(ctx, "EXEC master.dbo.sp_msloginmappings @p1;")
+	// selectUserSQL identifies database-level users associated with a server login.
+	// We use a join on sys.server_principals and sys.database_principals instead
+	// of the undocumented sp_msloginmappings procedure. This allows revocation
+	// to function with 'VIEW ANY DEFINITION' instead of 'sysadmin' privileges,
+	// supporting "Least Privilege" security models.
+	//
+	// Note: This identifies users within the current database context. We must
+	// drop these database users before the server-level login can be removed.
+	// We execute this outside of a transaction to ensure we revoke as much
+	// access as possible, even if a single DROP statement fails.
+	stmt, err := db.PrepareContext(ctx, selectUserSQL)
 	if err != nil {
 		return err
 	}
@@ -443,3 +447,13 @@ ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'
 const alterUserContainedSQL = `
 ALTER USER [{{username}}] WITH PASSWORD = '{{password}}'
 `
+
+const selectUserSQL = ` SELECT
+    l.name AS LoginName,
+    DB_NAME() AS DBName,
+    u.name AS UserName,
+    'Member' AS UserOrAlias
+	FROM sys.server_principals l
+	JOIN sys.database_principals u ON l.sid = u.sid
+	WHERE l.name = @p1;
+`
diff --git a/plugins/database/mssql/mssql_test.go b/plugins/database/mssql/mssql_test.go
index e304bf6b45..87c2699a4a 100644
--- a/plugins/database/mssql/mssql_test.go
+++ b/plugins/database/mssql/mssql_test.go
@@ -405,6 +405,75 @@ func TestMSSQLDeleteUserContainedDB(t *testing.T) {
 	assertContainedDBCredsDoNotExist(t, connURL, dbUser)
 }
 
+// TestMSSQLDeleteUserWithBatch verifies that USE database context switches work correctly when statements are executed as a single batch.
+func TestMSSQLDeleteUserWithBatch(t *testing.T) {
+	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
+	defer cleanup()
+
+	dbUser := "vaultuser"
+	initPassword := "p4$sw0rd"
+
+	// Create a test database
+	setupDB, err := sql.Open("mssql", connURL)
+	if err != nil {
+		t.Fatalf("Failed to open connection for setup: %s", err)
+	}
+	defer setupDB.Close()
+
+	_, err = setupDB.ExecContext(context.Background(), "CREATE DATABASE testdb")
+	if err != nil {
+		t.Fatalf("Failed to create test database: %s", err)
+	}
+
+	// Create login in master and user in testdb
+	createSQL := `
+CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
+USE [testdb];
+CREATE USER [{{name}}] FOR LOGIN [{{name}}];`
+
+	err = createTestMSSQLUser(connURL, dbUser, initPassword, createSQL)
+	if err != nil {
+		t.Fatalf("Failed to create user: %s", err)
+	}
+
+	assertCredsExist(t, connURL, dbUser, initPassword)
+
+	initReq := dbplugin.InitializeRequest{
+		Config: map[string]interface{}{
+			"connection_url": connURL,
+		},
+		VerifyConnection: true,
+	}
+
+	db := new()
+	dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
+	defer dbtesting.AssertClose(t, db)
+
+	deleteReq := dbplugin.DeleteUserRequest{
+		Username: dbUser,
+		Statements: dbplugin.Statements{
+			Commands: []string{
+				`USE [testdb]; DROP USER [{{name}}]; USE [master]; DROP LOGIN [{{name}}];`,
+			},
+		},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+
+	deleteResp, err := db.DeleteUser(ctx, deleteReq)
+	if err != nil {
+		t.Fatalf("Failed to delete user with batch statement: %s", err)
+	}
+
+	expectedResp := dbplugin.DeleteUserResponse{}
+	if !reflect.DeepEqual(deleteResp, expectedResp) {
+		t.Fatalf("Fields missing from expected response: Actual: %#v", deleteResp)
+	}
+
+	assertCredsDoNotExist(t, connURL, dbUser, initPassword)
+}
+
 func TestMSSQLContainedDBSQLSanitization(t *testing.T) {
 	cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
 	defer cleanup()
diff --git a/plugins/database/postgresql/postgresql.go b/plugins/database/postgresql/postgresql.go
index 5153683ca4..d0b17db29f 100644
--- a/plugins/database/postgresql/postgresql.go
+++ b/plugins/database/postgresql/postgresql.go
@@ -23,7 +23,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/dbtxn"
 	"github.com/hashicorp/vault/sdk/helper/template"
 	"github.com/hashicorp/vault/sdk/logical"
-	_ "github.com/jackc/pgx/v4/stdlib"
+	_ "github.com/jackc/pgx/v5/stdlib"
 )
 
 const (
diff --git a/plugins/database/redshift/redshift.go b/plugins/database/redshift/redshift.go
index 8a95c3eb46..a1efb3bcab 100644
--- a/plugins/database/redshift/redshift.go
+++ b/plugins/database/redshift/redshift.go
@@ -17,7 +17,7 @@ import (
 	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
 	"github.com/hashicorp/vault/sdk/helper/dbtxn"
 	"github.com/hashicorp/vault/sdk/helper/template"
-	_ "github.com/jackc/pgx/v4/stdlib"
+	_ "github.com/jackc/pgx/v5/stdlib"
 )
 
 const (
@@ -353,6 +353,14 @@ func (r *RedShift) customDeleteUser(ctx context.Context, req dbplugin.DeleteUser
 	return dbplugin.DeleteUserResponse{}, tx.Commit()
 }
 
+func quoteLiteral(value string) string {
+	end := strings.IndexRune(value, 0)
+	if end > -1 {
+		value = value[:end]
+	}
+	return `'` + strings.ReplaceAll(value, `'`, `''`) + `'`
+}
+
 func (r *RedShift) defaultDeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest) (dbplugin.DeleteUserResponse, error) {
 	db, err := r.getConnection(ctx)
 	if err != nil {
@@ -448,7 +456,7 @@ SELECT COUNT(process) INTO qtyconns FROM stv_sessions WHERE user_name=dbusername
 END
 $$;`)
 
-		revocationStmts = append(revocationStmts, fmt.Sprintf(`call terminateloop('%s');`, username))
+		revocationStmts = append(revocationStmts, fmt.Sprintf(`call terminateloop(%s);`, quoteLiteral(username)))
 	}
 
 	// again, here, we do not stop on error, as we want to remove as
diff --git a/plugins/database/redshift/redshift_test.go b/plugins/database/redshift/redshift_test.go
index 630afe51df..6c0086109a 100644
--- a/plugins/database/redshift/redshift_test.go
+++ b/plugins/database/redshift/redshift_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/hashicorp/go-uuid"
 	dbplugin "github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	dbtesting "github.com/hashicorp/vault/sdk/database/dbplugin/v5/testing"
+	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
 	"github.com/hashicorp/vault/sdk/helper/dbtxn"
 	thutils "github.com/hashicorp/vault/sdk/helper/testhelpers/utils"
 	"github.com/stretchr/testify/require"
@@ -391,6 +392,72 @@ func TestRedshift_DeleteUser(t *testing.T) {
 	dbtesting.AssertClose(t, db)
 }
 
+// TestRedshift_DeleteUser_DefaultRevoke_QuotesLiteral_PreventsInjection verifies
+// that the default revoke path quotes the username as a SQL string literal and
+// does not execute injected SQL.
+func TestRedshift_DeleteUser_DefaultRevoke_QuotesLiteral_PreventsInjection(t *testing.T) {
+	if os.Getenv(vaultACC) != "1" {
+		t.SkipNow()
+	}
+
+	thutils.SkipUnlessEnvVarsSet(t, credNames)
+
+	connURL, url, _, _, err := redshiftEnv()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	connectionDetails := map[string]interface{}{
+		"connection_url": connURL,
+	}
+
+	db := newRedshift()
+	dbtesting.AssertInitialize(t, db, dbplugin.InitializeRequest{
+		Config:           connectionDetails,
+		VerifyConnection: true,
+	})
+	defer dbtesting.AssertClose(t, db)
+
+	victimPassword := "SuperSecretPa55word!"
+	victimResp := dbtesting.AssertNewUser(t, db, dbplugin.NewUserRequest{
+		UsernameConfig: dbplugin.UsernameMetadata{
+			DisplayName: "victim",
+			RoleName:    "test",
+		},
+		Statements: dbplugin.Statements{Commands: []string{testRedshiftRole}},
+		Password:   victimPassword,
+		Expiration: time.Now().Add(1 * time.Hour),
+	})
+	victimUsername := victimResp.Username
+	t.Cleanup(func() {
+		dropRedshiftUser(t, connURL, victimUsername)
+	})
+
+	if err := testCredsExist(t, url, victimUsername, victimPassword); err != nil {
+		t.Fatalf("Could not connect with victim credentials: %s", err)
+	}
+
+	maliciousUsername := fmt.Sprintf(`decoy'); DROP USER %s; --`, dbutil.QuoteIdentifier(victimUsername))
+	createQuotedRedshiftUser(t, connURL, maliciousUsername, victimPassword)
+	t.Cleanup(func() {
+		dropRedshiftUser(t, connURL, maliciousUsername)
+	})
+
+	require.True(t, redshiftUserExists(t, connURL, maliciousUsername), "malicious decoy user should exist before delete")
+
+	_, err = db.DeleteUser(context.Background(), dbplugin.DeleteUserRequest{
+		Username:   maliciousUsername,
+		Statements: dbplugin.Statements{Commands: []string{}},
+	})
+	require.NoError(t, err)
+
+	require.True(t, redshiftUserExists(t, connURL, victimUsername), "victim user should still exist after deleting the malicious decoy user")
+	require.False(t, redshiftUserExists(t, connURL, maliciousUsername), "malicious decoy user should be deleted")
+	if err := testCredsExist(t, url, victimUsername, victimPassword); err != nil {
+		t.Fatalf("Victim credentials should remain valid after decoy deletion: %s", err)
+	}
+}
+
 func testCredsExist(t testing.TB, url, username, password string) error {
 	t.Helper()
 
@@ -403,6 +470,54 @@ func testCredsExist(t testing.TB, url, username, password string) error {
 	return db.Ping()
 }
 
+func redshiftUserExists(t testing.TB, connURL, username string) bool {
+	t.Helper()
+
+	db, err := sql.Open("pgx", connURL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer db.Close()
+
+	var exists bool
+	err = db.QueryRowContext(context.Background(), "SELECT exists (SELECT usename FROM pg_user WHERE usename=$1);", username).Scan(&exists)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return exists
+}
+
+func createQuotedRedshiftUser(t testing.TB, connURL, username, password string) {
+	t.Helper()
+
+	db, err := sql.Open("pgx", connURL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer db.Close()
+
+	query := fmt.Sprintf("CREATE USER %s WITH PASSWORD %s;", dbutil.QuoteIdentifier(username), quoteLiteral(password))
+	if _, err := db.ExecContext(context.Background(), query); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func dropRedshiftUser(t testing.TB, connURL, username string) {
+	t.Helper()
+
+	db, err := sql.Open("pgx", connURL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer db.Close()
+
+	query := fmt.Sprintf("DROP USER IF EXISTS %s;", dbutil.QuoteIdentifier(username))
+	if _, err := db.ExecContext(context.Background(), query); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestRedshift_DefaultUsernameTemplate(t *testing.T) {
 	if os.Getenv(vaultACC) != "1" {
 		t.SkipNow()
@@ -506,6 +621,45 @@ func TestRedshift_CustomUsernameTemplate(t *testing.T) {
 	dbtesting.AssertClose(t, db)
 }
 
+// TestQuoteLiteral verifies SQL string-literal quoting behavior for Redshift revoke statements.
+// This is important to prevent SQL injection in the default revocation path, which
+// does not use parameterized queries and instead relies on proper quoting of the username.
+func TestQuoteLiteral(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "plain value",
+			input:    "alice",
+			expected: "'alice'",
+		},
+		{
+			name:     "single quote is escaped",
+			input:    "o'reilly",
+			expected: "'o''reilly'",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "''",
+		},
+		{
+			name:     "value is truncated at null byte",
+			input:    "abc\x00def",
+			expected: "'abc'",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := quoteLiteral(tc.input)
+			require.Equal(t, tc.expected, got)
+		})
+	}
+}
+
 const testRedshiftRole = `
 CREATE USER "{{name}}" WITH PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; 
 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}";
@@ -547,10 +701,10 @@ func createTestPGUser(t *testing.T, connURL string, username, password, query st
 	t.Helper()
 
 	db, err := sql.Open("pgx", connURL)
-	defer db.Close()
 	if err != nil {
 		t.Fatal(err)
 	}
+	defer db.Close()
 
 	// Start a transaction
 	ctx := context.Background()
diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
index 62ad403f25..a2ff6fd848 100644
--- a/scripts/docker/Dockerfile
+++ b/scripts/docker/Dockerfile
@@ -61,6 +61,9 @@ EXPOSE 8200
 COPY ./scripts/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 ENTRYPOINT ["docker-entrypoint.sh"]
 
+# Use the Vault user as the default user for starting this container.
+USER vault
+
 # By default you'll get a single-node development server that stores everything
 # in RAM and bootstraps itself. Don't use this configuration for production.
 CMD ["server", "-dev"]
diff --git a/scripts/gen_openapi.sh b/scripts/gen_openapi.sh
index fc91149009..8901db0be1 100755
--- a/scripts/gen_openapi.sh
+++ b/scripts/gen_openapi.sh
@@ -93,6 +93,7 @@ vault secrets enable "transit"
 if vault version | grep -q "+ent"; then
     vault secrets enable "keymgmt"
     vault secrets enable "kmip"
+    vault secrets enable "pki-external-ca"
     vault secrets enable "transform"
     vault secrets enable "spiffe"
     vault auth enable "saml"
diff --git a/sdk/database/dbplugin/databasemiddleware.go b/sdk/database/dbplugin/databasemiddleware.go
index 07b0b1a6a9..38e9d87271 100644
--- a/sdk/database/dbplugin/databasemiddleware.go
+++ b/sdk/database/dbplugin/databasemiddleware.go
@@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	log "github.com/hashicorp/go-hclog"
 	metrics "github.com/hashicorp/go-metrics/compat"
+	"github.com/jackc/pgx/v5/pgconn"
 	"google.golang.org/grpc/status"
 )
 
@@ -296,7 +297,7 @@ func (mw *DatabaseErrorSanitizerMiddleware) RotateRootCredentials(ctx context.Co
 
 func (mw *DatabaseErrorSanitizerMiddleware) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) error {
 	_, err := mw.Init(ctx, conf, verifyConnection)
-	return err
+	return mw.sanitize(err)
 }
 
 func (mw *DatabaseErrorSanitizerMiddleware) Init(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (saveConf map[string]interface{}, err error) {
@@ -313,9 +314,11 @@ func (mw *DatabaseErrorSanitizerMiddleware) sanitize(err error) error {
 	if err == nil {
 		return nil
 	}
-	if errwrap.ContainsType(err, new(url.Error)) {
+
+	if errwrap.ContainsType(err, new(url.Error)) || errwrap.ContainsType(err, new(pgconn.ParseConfigError)) {
 		return errors.New("unable to parse connection url")
 	}
+
 	if mw.secretsFn != nil {
 		for k, v := range mw.secretsFn() {
 			if k == "" {
diff --git a/sdk/database/dbplugin/v5/middleware.go b/sdk/database/dbplugin/v5/middleware.go
index 97ea0ef46d..8e0871d9a1 100644
--- a/sdk/database/dbplugin/v5/middleware.go
+++ b/sdk/database/dbplugin/v5/middleware.go
@@ -14,6 +14,7 @@ import (
 	log "github.com/hashicorp/go-hclog"
 	metrics "github.com/hashicorp/go-metrics/compat"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/jackc/pgx/v5/pgconn"
 	"google.golang.org/grpc/status"
 )
 
@@ -299,9 +300,11 @@ func (mw DatabaseErrorSanitizerMiddleware) sanitize(err error) error {
 	if err == nil {
 		return nil
 	}
-	if errwrap.ContainsType(err, new(url.Error)) {
+
+	if errwrap.ContainsType(err, new(url.Error)) || errwrap.ContainsType(err, new(pgconn.ParseConfigError)) {
 		return errors.New("unable to parse connection url")
 	}
+
 	if mw.secretsFn == nil {
 		return err
 	}
diff --git a/sdk/database/helper/connutil/cloudsql.go b/sdk/database/helper/connutil/cloudsql.go
index a5b2b2d506..5a8d8c9fd6 100644
--- a/sdk/database/helper/connutil/cloudsql.go
+++ b/sdk/database/helper/connutil/cloudsql.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 
 	"cloud.google.com/go/cloudsqlconn"
-	"cloud.google.com/go/cloudsqlconn/postgres/pgxv4"
+	"cloud.google.com/go/cloudsqlconn/postgres/pgxv5"
 )
 
 func (c *SQLConnectionProducer) getCloudSQLDriverType() (string, error) {
@@ -37,7 +37,7 @@ func (c *SQLConnectionProducer) registerDrivers(driverName string, credentials s
 	// using switch case for future extensibility
 	switch typ {
 	case cloudSQLPostgres:
-		return pgxv4.RegisterDriver(driverName, opts...)
+		return pgxv5.RegisterDriver(driverName, opts...)
 	}
 
 	return nil, fmt.Errorf("unrecognized cloudsql type encountered: %s", typ)
diff --git a/sdk/database/helper/connutil/postgres.go b/sdk/database/helper/connutil/postgres.go
index f8ad876c5a..519418ea55 100644
--- a/sdk/database/helper/connutil/postgres.go
+++ b/sdk/database/helper/connutil/postgres.go
@@ -41,9 +41,9 @@ import (
 	"strings"
 
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
-	"github.com/jackc/pgconn"
-	"github.com/jackc/pgx/v4"
-	"github.com/jackc/pgx/v4/stdlib"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgconn"
+	"github.com/jackc/pgx/v5/stdlib"
 )
 
 // openPostgres parses the connection string and opens a connection to the database.
diff --git a/sdk/database/helper/connutil/sql.go b/sdk/database/helper/connutil/sql.go
index 80ebc7d134..c8289ae3b9 100644
--- a/sdk/database/helper/connutil/sql.go
+++ b/sdk/database/helper/connutil/sql.go
@@ -23,8 +23,8 @@ import (
 	"github.com/hashicorp/vault/sdk/database/helper/cacheutil"
 	"github.com/hashicorp/vault/sdk/database/helper/dbutil"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
-	"github.com/jackc/pgx/v4"
-	"github.com/jackc/pgx/v4/stdlib"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/stdlib"
 	"github.com/mitchellh/mapstructure"
 )
 
diff --git a/sdk/go.mod b/sdk/go.mod
index 1868748990..935a579601 100644
--- a/sdk/go.mod
+++ b/sdk/go.mod
@@ -1,13 +1,12 @@
 module github.com/hashicorp/vault/sdk
 
-go 1.25.0
+go 1.25.7
 
 require (
-	cloud.google.com/go/cloudsqlconn v1.4.3
+	cloud.google.com/go/cloudsqlconn v1.21.0
 	github.com/armon/go-radix v1.0.0
 	github.com/cenkalti/backoff/v4 v4.3.0
-	github.com/docker/docker v28.3.3+incompatible
-	github.com/docker/go-connections v0.5.0
+	github.com/containerd/errdefs v1.0.0
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/fatih/structs v1.1.0
 	github.com/go-ldap/ldap/v3 v3.4.10
@@ -24,7 +23,7 @@ require (
 	github.com/hashicorp/go-kms-wrapping/v2 v2.0.18
 	github.com/hashicorp/go-metrics v0.5.4
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-plugin v1.6.1
+	github.com/hashicorp/go-plugin v1.8.0
 	github.com/hashicorp/go-retryablehttp v0.7.8
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.1
@@ -32,7 +31,7 @@ require (
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0
 	github.com/hashicorp/go-secure-stdlib/password v0.1.4
 	github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0
-	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.2
+	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.5.0
 	github.com/hashicorp/go-secure-stdlib/regexp v1.0.0
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
 	github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.3
@@ -42,73 +41,67 @@ require (
 	github.com/hashicorp/golang-lru v1.0.2
 	github.com/hashicorp/hcl v1.0.1-vault-7
 	github.com/hashicorp/vault/api v1.16.0
+	github.com/jackc/pgx/v5 v5.9.2
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/mapstructure v1.5.0
+	github.com/moby/go-archive v0.1.0
+	github.com/moby/moby/api v1.54.0
+	github.com/moby/moby/client v0.3.0
 	github.com/pierrec/lz4 v2.6.1+incompatible
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/ryanuber/go-glob v1.0.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/tink-crypto/tink-go/v2 v2.2.0
 	go.uber.org/atomic v1.11.0
-	golang.org/x/crypto v0.45.0
-	golang.org/x/net v0.47.0
-	golang.org/x/text v0.31.0
-	google.golang.org/grpc v1.70.0
-	google.golang.org/protobuf v1.36.5
+	golang.org/x/crypto v0.52.0
+	golang.org/x/net v0.55.0
+	golang.org/x/text v0.37.0
+	google.golang.org/grpc v1.81.0
+	google.golang.org/protobuf v1.36.11
 )
 
 require (
-	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/moby/go-archive v0.1.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
+	golang.org/x/sync v0.20.0 // indirect
 )
 
 require (
-	cloud.google.com/go/auth v0.14.1 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	cloud.google.com/go/auth v0.20.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/Azure/go-ntlmssp v0.1.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/armon/go-metrics v0.4.1 // indirect
+	github.com/armon/go-metrics v0.4.1
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/color v1.19.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/frankban/quicktest v1.14.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/gofrs/uuid v4.3.0+incompatible // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.15 // indirect
+	github.com/googleapis/gax-go/v2 v2.22.0 // indirect
 	github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.3
-	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgtype v1.14.3 // indirect
-	github.com/jackc/pgx/v4 v4.18.3
 	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
@@ -116,9 +109,9 @@ require (
 	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/oklog/run v1.1.0 // indirect
+	github.com/oklog/run v1.2.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/petermattis/goid v0.0.0-20250721140440-ea1c0173183e // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -126,23 +119,21 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/sasha-s/go-deadlock v0.3.5
-	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/oauth2 v0.28.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/time v0.10.0 // indirect
-	google.golang.org/api v0.221.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/time v0.15.0 // indirect
+	google.golang.org/api v0.279.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/sdk/go.sum b/sdk/go.sum
index 710bde08ea..61465fdaff 100644
--- a/sdk/go.sum
+++ b/sdk/go.sum
@@ -1,26 +1,22 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go/auth v0.14.1 h1:AwoJbzUdxA/whv1qj3TLKwh3XX5sikny2fc40wUl+h0=
-cloud.google.com/go/auth v0.14.1/go.mod h1:4JHUxlGXisL0AW8kXPtUF6ztuOksyfUQNFjfsOCXkPM=
-cloud.google.com/go/auth/oauth2adapt v0.2.7 h1:/Lc7xODdqcEw8IrZ9SvwnlLX6j9FHQM74z6cBk9Rw6M=
-cloud.google.com/go/auth/oauth2adapt v0.2.7/go.mod h1:NTbTTzfvPl1Y3V1nPpOgl2w6d/FjO7NNUQaWSox6ZMc=
-cloud.google.com/go/cloudsqlconn v1.4.3 h1:/WYFbB1NtMtoMxCbqpzzTFPDkxxlLTPme390KEGaEPc=
-cloud.google.com/go/cloudsqlconn v1.4.3/go.mod h1:QL3tuStVOO70txb3rs4G8j5uMfo5ztZii8K3oGD3VYA=
-cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
-cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+cloud.google.com/go/auth v0.20.0 h1:kXTssoVb4azsVDoUiF8KvxAqrsQcQtB53DcSgta74CA=
+cloud.google.com/go/auth v0.20.0/go.mod h1:942/yi/itH1SsmpyrbnTMDgGfdy2BUqIKyd0cyYLc5Q=
+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
+cloud.google.com/go/cloudsqlconn v1.21.0 h1:tXXKrKLsUwG+cTxpO2kehC6l8l8urHoNtDXtCv3iOpY=
+cloud.google.com/go/cloudsqlconn v1.21.0/go.mod h1:p4ts4hqj4CtBCwETUSzq05HV4XTRPzTsi+Cd1RQ5WWg=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
+filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw=
+github.com/Azure/go-ntlmssp v0.1.1/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
-github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -38,8 +34,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bufbuild/protocompile v0.10.0 h1:+jW/wnLMLxaCEG8AX9lD0bQ5v9h1RUiMKOBOT5ll9dM=
-github.com/bufbuild/protocompile v0.10.0/go.mod h1:G9qQIQo0xZ6Uyj6CMNz0saGmx2so+KONo8/KrELABiY=
+github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw=
+github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -52,17 +48,12 @@ github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6D
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
-github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -70,10 +61,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
-github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -83,8 +72,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
 github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
+github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -93,8 +82,8 @@ github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzP
 github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -104,21 +93,16 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
-github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
+github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
+github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
@@ -158,21 +142,17 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw=
-github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA=
-github.com/googleapis/gax-go/v2 v2.14.1 h1:hb0FFeiPaQskmvakKu5EbCbpntQn48jyHuvrkurSS/Q=
-github.com/googleapis/gax-go/v2 v2.14.1/go.mod h1:Hb/NubMaVM88SrNkvl8X/o8XWwDJEPqouaLeN2IUxoA=
+github.com/googleapis/enterprise-certificate-proxy v0.3.15 h1:xolVQTEXusUcAA5UgtyRLjelpFFHWlPQ4XfWGc7MBas=
+github.com/googleapis/enterprise-certificate-proxy v0.3.15/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
+github.com/googleapis/gax-go/v2 v2.22.0 h1:PjIWBpgGIVKGoCXuiCoP64altEJCj3/Ei+kSU5vlZD4=
+github.com/googleapis/gax-go/v2 v2.22.0/go.mod h1:irWBbALSr0Sk3qlqb9SyJ1h68WjgeFuiOzI4Rqw5+aY=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
 github.com/hashicorp/cap/ldap v0.0.0-20250911140431-44d01434c285 h1:vwg2CDaWTJJkr+5ivc2KUYx877gPAUEgq5QIPA/bKjw=
 github.com/hashicorp/cap/ldap v0.0.0-20250911140431-44d01434c285/go.mod h1:La1zaRmx2oqz79W9SpwQAPMfDUdBxZeoN2IaAQ8D4ow=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -196,8 +176,8 @@ github.com/hashicorp/go-metrics v0.5.4 h1:8mmPiIJkTPPEbAiV97IxdAGNdRdaWwVap1BU6e
 github.com/hashicorp/go-metrics v0.5.4/go.mod h1:CG5yz4NZ/AI/aQt9Ucm/vdBnbh7fvmv4lxZ350i+QQI=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-plugin v1.6.1 h1:P7MR2UP6gNKGPp+y7EZw2kOiq4IR9WiqLvp0XOsVdwI=
-github.com/hashicorp/go-plugin v1.6.1/go.mod h1:XPHFku2tFo3o3QKFgSYo+cghcUhw1NA1hZyMK0PWAw0=
+github.com/hashicorp/go-plugin v1.8.0 h1:ie8S6RRY8RvB2usYZv+AAZ/wBvx2AU5p5QeP5j/FORs=
+github.com/hashicorp/go-plugin v1.8.0/go.mod h1:BExt6KEaIYx804z8k4gRzRLEvxKVb+kn0NMcihqOqb8=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
 github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
@@ -215,8 +195,8 @@ github.com/hashicorp/go-secure-stdlib/password v0.1.4 h1:h8gOB6qDRlOMvoMHOqtf4oT
 github.com/hashicorp/go-secure-stdlib/password v0.1.4/go.mod h1:DeLx56RZZdmwX8Q94fVQUetkXv6zVBfDtGAPJDh69AU=
 github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0 h1:U6y5MXGiDVOOtkWJ6o/tu1TxABnI0yKTQWJr7z6BpNk=
 github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0/go.mod h1:ecDb3o+8D4xtP0nTCufJaAVawHavy5M2eZ64Nq/8/LM=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.2 h1:gCNiM4T5xEc4IpT8vM50CIO+AtElr5kO9l2Rxbq+Sz8=
-github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.2/go.mod h1:6ZM4ZdwClyAsiU2uDBmRHCvq0If/03BMbF9U+U7G5pA=
+github.com/hashicorp/go-secure-stdlib/plugincontainer v0.5.0 h1:nrkLBU6Src8qVLeFqkMufM8flnBezZ81Hobd+imG2YY=
+github.com/hashicorp/go-secure-stdlib/plugincontainer v0.5.0/go.mod h1:z/BT/VDf/nhSUSEZasALTTVBMYt76HfOe9Vuxj2krlI=
 github.com/hashicorp/go-secure-stdlib/regexp v1.0.0 h1:08mz6j5MsCG9sf8tvC8Lhboe/ZMiNg41IPSh6unK5T4=
 github.com/hashicorp/go-secure-stdlib/regexp v1.0.0/go.mod h1:n/Gj3sYIEEOYds8uKS55bFf7XiYvWN4e+d+UOA7r/YU=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
@@ -240,57 +220,14 @@ github.com/hashicorp/vault/api v1.16.0 h1:nbEYGJiAPGzT9U4oWgaaB0g+Rj8E59QuHKyA5L
 github.com/hashicorp/vault/api v1.16.0/go.mod h1:KhuUhzOD8lDSk29AtzNjgAu2kxRA9jL9NAbkFlqvkBA=
 github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
 github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
-github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
-github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
-github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA=
-github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE=
-github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s=
-github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
-github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
-github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
-github.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w=
-github.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM=
-github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
-github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
-github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
-github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag=
-github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
-github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
-github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
-github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
-github.com/jackc/pgtype v1.14.3 h1:h6W9cPuHsRWQFTWUZMAKMgG5jSwQI0Zurzdvlx3Plus=
-github.com/jackc/pgtype v1.14.3/go.mod h1:aKeozOde08iifGosdJpz9MBZonJOUJxqNpPBcMJTlVA=
-github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
-github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
-github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
-github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
-github.com/jackc/pgx/v4 v4.18.2/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
-github.com/jackc/pgx/v4 v4.18.3 h1:dE2/TrEsGX3RBprb3qryqSV9Y60iZN1C6i8IrmW9/BA=
-github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
-github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -304,8 +241,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jhump/protoreflect v1.16.0 h1:54fZg+49widqXYQ0b+usAFHbMkBGR4PpXrsHc8+TBDg=
-github.com/jhump/protoreflect v1.16.0/go.mod h1:oYPd7nPvcBw/5wlDfm/AVmU9zH9BgqGCI469pGxfj/8=
+github.com/jhump/protoreflect v1.17.0 h1:qOEr613fac2lOuTgWN4tPAtLL7fUSbuJL5X5XumQh94=
+github.com/jhump/protoreflect v1.17.0/go.mod h1:h9+vUUL38jiBzck8ck+6G/aeMX8Z4QUY/NiJPwPNi+8=
 github.com/jimlambrt/gldap v0.1.13 h1:jxmVQn0lfmFbM9jglueoau5LLF/IGRti0SKf0vB753M=
 github.com/jimlambrt/gldap v0.1.13/go.mod h1:nlC30c7xVphjImg6etk7vg7ZewHCCvl1dfAhO3ZJzPg=
 github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 h1:hgVxRoDDPtQE68PT4LFvNlPz2nBKd3OMlGKIQ69OmR4=
@@ -319,12 +256,9 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -332,37 +266,24 @@ github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NB
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/microsoft/go-mssqldb v1.5.0 h1:CgENxkwtOBNj3Jg6T1X209y2blCfTTcwuOlznd2k9fk=
-github.com/microsoft/go-mssqldb v1.5.0/go.mod h1:lmWsjHD8XX/Txr0f8ZqgbEZSC+BZjmEQy/Ms+rLrvho=
+github.com/microsoft/go-mssqldb v1.9.8 h1:d4IFMvF/o+HdpXUqbBfzHvn/NlFA75YGcfHUUvDFJEM=
+github.com/microsoft/go-mssqldb v1.9.8/go.mod h1:eGSRSGAW4hKMy5YcAenhCDjIRm2rhqIdmmwgciMzLus=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
-github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -371,34 +292,32 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
 github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
+github.com/moby/moby/api v1.54.0 h1:7kbUgyiKcoBhm0UrWbdrMs7RX8dnwzURKVbZGy2GnL0=
+github.com/moby/moby/api v1.54.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
+github.com/moby/moby/client v0.3.0 h1:UUGL5okry+Aomj3WhGt9Aigl3ZOxZGqR7XPo+RLPlKs=
+github.com/moby/moby/client v0.3.0/go.mod h1:HJgFbJRvogDQjbM8fqc1MCEm4mIAGMLjXbgwoZp6jCQ=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
-github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
 github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
 github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
 github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
 github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
-github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
+github.com/oklog/run v1.2.0 h1:O8x3yXwah4A73hJdlrwo/2X6J62gE5qTMusH0dvz60E=
+github.com/oklog/run v1.2.0/go.mod h1:mgDbKRSwPhJfesJ4PntqFUbKQRZ50NgmZTSPlFA0YFk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
@@ -441,31 +360,22 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
-github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
-github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
 github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
-github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -473,86 +383,52 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tink-crypto/tink-go/v2 v2.2.0 h1:L2Da0F2Udh2agtKztdr69mV/KpnY3/lGTkMgLTVIXlA=
 github.com/tink-crypto/tink-go/v2 v2.2.0/go.mod h1:JJ6PomeNPF3cJpfWC0lgyTES6zpJILkAX0cJNwlS3xU=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
-go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -567,11 +443,8 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -582,18 +455,17 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -601,18 +473,14 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -625,7 +493,6 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -633,17 +500,15 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -652,13 +517,11 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
@@ -666,53 +529,44 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
-golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.221.0 h1:qzaJfLhDsbMeFee8zBRdt/Nc+xmOuafD/dbdgGfutOU=
-google.golang.org/api v0.221.0/go.mod h1:7sOU2+TL4TxUTdbi0gWgAIg7tH5qBXxoyhtL+9x3biQ=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/api v0.279.0 h1:hsx2M2OaRcaKtVYK6vXEUnQvdjnend7ZYES+lYaot74=
+google.golang.org/api v0.279.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk=
-google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q=
-google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 h1:2duwAxN2+k0xLNpjnHTXoMUgnv6VPSp5fiqTuwSxjmI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6/go.mod h1:8BS3B93F/U1juMFq9+EDk+qOT5CO1R9IzXxG3PTqiRk=
+google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0=
+google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
+google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7 h1:41r6JMbpzBMen0R/4TZeeAmGXSJC7DftGINUodzTkPI=
+google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 h1:seT2EwLWM78plQ7wcDfuWBc/4FAEAXDDiaSol4ku4qo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
-google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
+google.golang.org/grpc v1.81.0 h1:W3G9N3KQf3BU+YuCtGKJk0CmxQNbAISICD/9AORxLIw=
+google.golang.org/grpc v1.81.0/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -723,8 +577,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -732,7 +586,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -745,4 +598,5 @@ gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
diff --git a/sdk/helper/automatedrotationutil/fields.go b/sdk/helper/automatedrotationutil/fields.go
index 04f292f814..7b291fc175 100644
--- a/sdk/helper/automatedrotationutil/fields.go
+++ b/sdk/helper/automatedrotationutil/fields.go
@@ -97,6 +97,8 @@ func (p *AutomatedRotationParams) ParseAutomatedRotationFields(d *framework.Fiel
 	return nil
 }
 
+// Use PopulateSetAutomatedRotationData instead, *unless* all these
+// fields are necessary to maintain backwards compatibility with the plugin's pre-existing response API.
 // PopulateAutomatedRotationData adds PluginIdentityTokenParams info into the given map.
 func (p *AutomatedRotationParams) PopulateAutomatedRotationData(m map[string]interface{}) {
 	m["rotation_schedule"] = p.RotationSchedule
@@ -106,6 +108,26 @@ func (p *AutomatedRotationParams) PopulateAutomatedRotationData(m map[string]int
 	m["rotation_policy"] = p.RotationPolicy
 }
 
+// PopulateSetAutomatedRotationData adds PluginIdentityTokenParams info into the given map, based
+// on which fields were set for rotation. Setting a rotation schedule will not return a rotation
+// period, and setting a rotation period will not return a rotation schedule or rotation window.
+func (p *AutomatedRotationParams) PopulateSetAutomatedRotationData(m map[string]interface{}) {
+	// Always set these even if they are zero values, to avoid confusion.
+	m["disable_automated_rotation"] = p.DisableAutomatedRotation
+	m["rotation_policy"] = p.RotationPolicy
+
+	// Set both of these if a schedule is set.
+	if p.RotationSchedule != "" {
+		m["rotation_schedule"] = p.RotationSchedule
+		m["rotation_window"] = p.RotationWindow.Seconds()
+	}
+
+	// Set this if a period is set.
+	if p.RotationPeriod != 0 {
+		m["rotation_period"] = p.RotationPeriod.Seconds()
+	}
+}
+
 // PopulateRotationInfo adds RotationInfoResponseParams info into the given map.
 func (p *RotationInfoResponseParams) PopulateRotationInfo(m map[string]interface{}) {
 	// Only set last_vault_rotation and next_vault_rotation if they are non-zero
@@ -228,3 +250,9 @@ func AddAutomatedRotationFieldsWithGroup(m map[string]*framework.FieldSchema, gr
 func AddAutomatedRotationFields(m map[string]*framework.FieldSchema) {
 	AddAutomatedRotationFieldsWithGroup(m, "default")
 }
+
+// Equals returns true if the automated rotation parameters match the other instance.
+// Useful for detecting configuration changes after parsing new field data.
+func (p *AutomatedRotationParams) Equals(other AutomatedRotationParams) bool {
+	return *p == other
+}
diff --git a/sdk/helper/automatedrotationutil/fields_test.go b/sdk/helper/automatedrotationutil/fields_test.go
index e5542983ce..335761792e 100644
--- a/sdk/helper/automatedrotationutil/fields_test.go
+++ b/sdk/helper/automatedrotationutil/fields_test.go
@@ -284,6 +284,87 @@ func TestPopulateAutomatedRotationData(t *testing.T) {
 	}
 }
 
+func TestPopulateSetAutomatedRotationData(t *testing.T) {
+	tests := []struct {
+		name        string
+		inputParams *AutomatedRotationParams
+		expected    map[string]interface{}
+		unexpected  map[string]interface{}
+	}{
+		{
+			name: "only schedule and window set",
+			expected: map[string]interface{}{
+				"rotation_schedule":          "*/15 * * * *",
+				"rotation_window":            time.Duration(60).Seconds(),
+				"rotation_policy":            "",
+				"disable_automated_rotation": false,
+			},
+			unexpected: map[string]interface{}{
+				"rotation_period": "",
+			},
+			inputParams: &AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+			},
+		},
+		{
+			name: "only schedule set",
+			expected: map[string]interface{}{
+				"rotation_schedule":          "*/15 * * * *",
+				"rotation_window":            time.Duration(0).Seconds(),
+				"rotation_policy":            "",
+				"disable_automated_rotation": false,
+			},
+			unexpected: map[string]interface{}{
+				"rotation_period": "",
+			},
+			inputParams: &AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+			},
+		},
+		{
+			name: "only period set",
+			expected: map[string]interface{}{
+				"rotation_period":            time.Duration(120).Seconds(),
+				"rotation_policy":            "",
+				"disable_automated_rotation": false,
+			},
+			unexpected: map[string]interface{}{
+				"rotation_schedule": "",
+				"rotation_window":   "",
+			},
+			inputParams: &AutomatedRotationParams{
+				RotationSchedule:         "",
+				RotationWindow:           0,
+				RotationPeriod:           120,
+				DisableAutomatedRotation: false,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := make(map[string]interface{})
+
+			tt.inputParams.PopulateSetAutomatedRotationData(m)
+
+			if !reflect.DeepEqual(m, tt.expected) {
+				t.Errorf("PopulateSetAutomatedRotationData() error comparing values; got %v, expected %v", m, tt.expected)
+			}
+
+			for k, v := range tt.unexpected {
+				if m[k] == v {
+					t.Errorf("PopulateSetAutomatedRotationData() unexpected value for key %s; got %v", k, m[k])
+				}
+			}
+		})
+	}
+}
+
 func TestShouldRegisterRotationJob(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -444,3 +525,222 @@ func TestAddAutomatedRotationFields(t *testing.T) {
 		})
 	}
 }
+
+func TestAutomatedRotationParams_Equals(t *testing.T) {
+	testcases := []struct {
+		name     string
+		p1       AutomatedRotationParams
+		p2       AutomatedRotationParams
+		expected bool
+	}{
+		{
+			name: "equal-all-fields",
+			p1: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			p2: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			expected: true,
+		},
+		{
+			name: "equal-zero-values",
+			p1: AutomatedRotationParams{
+				RotationSchedule:         "",
+				RotationWindow:           0,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "",
+			},
+			p2: AutomatedRotationParams{
+				RotationSchedule:         "",
+				RotationWindow:           0,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "",
+			},
+			expected: true,
+		},
+		{
+			name: "different-schedule",
+			p1: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			p2: AutomatedRotationParams{
+				RotationSchedule:         "*/30 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			expected: false,
+		},
+		{
+			name: "different-window",
+			p1: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			p2: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           120 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			expected: false,
+		},
+		{
+			name: "different-period",
+			p1: AutomatedRotationParams{
+				RotationSchedule:         "",
+				RotationWindow:           0,
+				RotationPeriod:           10 * time.Second,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			p2: AutomatedRotationParams{
+				RotationSchedule:         "",
+				RotationWindow:           0,
+				RotationPeriod:           20 * time.Second,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			expected: false,
+		},
+		{
+			name: "different-disable-flag",
+			p1: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			p2: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: true,
+				RotationPolicy:           "policy1",
+			},
+			expected: false,
+		},
+		{
+			name: "different-policy",
+			p1: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy1",
+			},
+			p2: AutomatedRotationParams{
+				RotationSchedule:         "*/15 * * * *",
+				RotationWindow:           60 * time.Second,
+				RotationPeriod:           0,
+				DisableAutomatedRotation: false,
+				RotationPolicy:           "policy2",
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.p1.Equals(tt.p2)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestAutomatedRotationParams_Equals_Embedded(t *testing.T) {
+	// Test with embedded struct
+	type ConfigWithRotationParams struct {
+		Name string
+		AutomatedRotationParams
+	}
+
+	testcases := []struct {
+		name     string
+		c1       ConfigWithRotationParams
+		c2       ConfigWithRotationParams
+		expected bool
+	}{
+		{
+			name: "embedded-equal",
+			c1: ConfigWithRotationParams{
+				Name: "config1",
+				AutomatedRotationParams: AutomatedRotationParams{
+					RotationSchedule:         "*/15 * * * *",
+					RotationWindow:           60 * time.Second,
+					RotationPeriod:           0,
+					DisableAutomatedRotation: false,
+					RotationPolicy:           "policy1",
+				},
+			},
+			c2: ConfigWithRotationParams{
+				Name: "config2", // Different name, but we only compare AutomatedRotationParams
+				AutomatedRotationParams: AutomatedRotationParams{
+					RotationSchedule:         "*/15 * * * *",
+					RotationWindow:           60 * time.Second,
+					RotationPeriod:           0,
+					DisableAutomatedRotation: false,
+					RotationPolicy:           "policy1",
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "embedded-different",
+			c1: ConfigWithRotationParams{
+				Name: "config1",
+				AutomatedRotationParams: AutomatedRotationParams{
+					RotationSchedule:         "*/15 * * * *",
+					RotationWindow:           60 * time.Second,
+					RotationPeriod:           0,
+					DisableAutomatedRotation: false,
+					RotationPolicy:           "policy1",
+				},
+			},
+			c2: ConfigWithRotationParams{
+				Name: "config1",
+				AutomatedRotationParams: AutomatedRotationParams{
+					RotationSchedule:         "*/30 * * * *",
+					RotationWindow:           60 * time.Second,
+					RotationPeriod:           0,
+					DisableAutomatedRotation: false,
+					RotationPolicy:           "policy1",
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test comparing the embedded fields directly
+			result := tt.c1.AutomatedRotationParams.Equals(tt.c2.AutomatedRotationParams)
+			assert.Equal(t, tt.expected, result)
+
+			// Test using method promotion
+			result2 := tt.c1.Equals(tt.c2.AutomatedRotationParams)
+			assert.Equal(t, tt.expected, result2)
+		})
+	}
+}
diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go
index 0e34dca079..efa1bdc3db 100644
--- a/sdk/helper/certutil/helpers.go
+++ b/sdk/helper/certutil/helpers.go
@@ -106,7 +106,7 @@ var KeyUsageOID = asn1.ObjectIdentifier([]int{2, 5, 29, 15})
 // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
 var ExtendedKeyUsageOID = asn1.ObjectIdentifier([]int{2, 5, 29, 37})
 
-// OID for Freshest (aka Delta) CRL from RFC 5280: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.15
+// OID for Freshest CRL (aka Delta CRL Distribution Point) from RFC 5280: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.15
 var FreshestCrlOid = asn1.ObjectIdentifier([]int{2, 5, 29, 46})
 
 // GetHexFormatted returns the byte buffer formatted in hex with
@@ -1359,7 +1359,9 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun
 		for _, ext := range data.CSR.Extensions {
 			switch {
 			case ext.Id.Equal(ExtensionBasicConstraintsOID):
-				if data.Params.UseCSRValues {
+				// For now only copy basic constraint extensions for non-ca use-cases,
+				// we don't properly handle max path length constraints otherwise
+				if data.Params.UseCSRValues && !data.Params.IsCA {
 					isCa, _, err := ParseBasicConstraintExtension(ext)
 					if err != nil {
 						return nil, errutil.UserError{Err: fmt.Sprintf("refusing to accept CSR with invalid Basic Constraints extension: %s", err.Error())}
@@ -2030,7 +2032,7 @@ func ParseCertificateToFields(certificate x509.Certificate) (map[string]interfac
 		"province":                  makeCommaSeparatedString(certificate.Subject.Province),
 		"street_address":            makeCommaSeparatedString(certificate.Subject.StreetAddress),
 		"postal_code":               makeCommaSeparatedString(certificate.Subject.PostalCode),
-		"serial_number":             certificate.Subject.SerialNumber,
+		"serial_number":             SerialFromCert(&certificate),
 		"ttl":                       (certificate.NotAfter.Sub(certificate.NotBefore)).String(),
 		"max_path_length":           certificate.MaxPathLen,
 		"permitted_dns_domains":     strings.Join(certificate.PermittedDNSDomains, ","),
@@ -2217,6 +2219,7 @@ type distributionPointName struct {
 	RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
 }
 
+// Delta CRL Distribution Point is the same thing as Freshest CRL
 func CreateDeltaCRLExtension(deltaUrls []string) (pkix.Extension, error) {
 	if deltaUrls == nil || len(deltaUrls) == 0 {
 		return pkix.Extension{}, fmt.Errorf("since no delta crl distribution points were provided, the extension returned is empty")
@@ -2301,3 +2304,11 @@ func AddDeltaCRLExtension(data *CreationBundle, certTemplate *x509.Certificate)
 	}
 	return nil
 }
+
+func SerialFromCert(cert *x509.Certificate) string {
+	return SerialFromBigInt(cert.SerialNumber)
+}
+
+func SerialFromBigInt(serial *big.Int) string {
+	return strings.TrimSpace(GetHexFormatted(serial.Bytes(), ":"))
+}
diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go
index 4514e70c59..262760feed 100644
--- a/sdk/helper/certutil/types.go
+++ b/sdk/helper/certutil/types.go
@@ -728,8 +728,8 @@ func (b *CAInfoBundle) GetCAChain() []*CertBlock {
 func (b *CAInfoBundle) GetFullChain() []*CertBlock {
 	var chain []*CertBlock
 
-	// Some bundles already include the root included in the chain,
-	// so don't include it twice.
+	// Add the current CA certificate to the chain only if it is not already the first certificate.
+	// This prevents duplicate root (self-signed) certificates in the CA chain.
 	if len(b.CAChain) == 0 || !bytes.Equal(b.CAChain[0].Bytes, b.CertificateBytes) {
 		chain = append(chain, &CertBlock{
 			Certificate: b.Certificate,
diff --git a/sdk/helper/consts/token_consts_ce.go b/sdk/helper/consts/token_consts_ce.go
new file mode 100644
index 0000000000..ff9902fe0c
--- /dev/null
+++ b/sdk/helper/consts/token_consts_ce.go
@@ -0,0 +1,10 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build !enterprise
+
+package consts
+
+func GetEnterpriseTokenPrefix() string {
+	return "unimplemented"
+}
diff --git a/sdk/helper/docker/ldap.go b/sdk/helper/docker/ldap.go
new file mode 100644
index 0000000000..600a12999b
--- /dev/null
+++ b/sdk/helper/docker/ldap.go
@@ -0,0 +1,119 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: MPL-2.0
+
+package docker
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"runtime"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/cap/ldap"
+	"github.com/hashicorp/vault/sdk/helper/ldaputil"
+)
+
+// safeBuffer is a thread-safe bytes.Buffer wrapper
+type safeBuffer struct {
+	buf bytes.Buffer
+	mu  sync.Mutex
+}
+
+func (s *safeBuffer) Write(p []byte) (n int, err error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.buf.Write(p)
+}
+
+func (s *safeBuffer) String() string {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.buf.String()
+}
+
+// DefaultLDAPVersion is the default version of the container to pull.
+// NOTE: This is currently pinned to a sha instead of "master", see: https://github.com/rroemhild/docker-test-openldap/issues/62
+const DefaultLDAPVersion = "sha256:f4d9c5ba97f9662e9aea082b4aa89233994ca6e232abc1952d5d90da7e16b0eb"
+
+func PrepareLDAPTestContainer(t *testing.T, version string) (cleanup func(), cfg *ldaputil.ConfigEntry) {
+	// note: this image isn't supported on arm64 architecture in CI.
+	// but if you're running on Apple Silicon, feel free to comment out the code below locally.
+	if strings.Contains(runtime.GOARCH, "arm") {
+		t.Skip("Skipping, as this image is not supported on ARM architectures")
+	}
+
+	logsWriter := &safeBuffer{}
+
+	runner, err := NewServiceRunner(RunOptions{
+		ImageRepo:     "ghcr.io/rroemhild/docker-test-openldap",
+		ImageTag:      version,
+		ContainerName: "ldap",
+		Ports:         []string{"10389/tcp"},
+		// Env:        []string{"LDAP_DEBUG_LEVEL=384"},
+		LogStderr: logsWriter,
+		LogStdout: logsWriter,
+	})
+	if err != nil {
+		t.Fatalf("could not start local LDAP docker container: %s", err)
+	}
+
+	cfg = new(ldaputil.ConfigEntry)
+	cfg.UserDN = "ou=people,dc=planetexpress,dc=com"
+	cfg.UserAttr = "cn"
+	cfg.UserFilter = "({{.UserAttr}}={{.Username}})"
+	cfg.BindDN = "cn=admin,dc=planetexpress,dc=com"
+	cfg.BindPassword = "GoodNewsEveryone"
+	cfg.GroupDN = "ou=people,dc=planetexpress,dc=com"
+	cfg.GroupAttr = "cn"
+	cfg.RequestTimeout = 60
+	cfg.MaximumPageSize = 1000
+
+	var started bool
+
+	ctx, _ := context.WithTimeout(t.Context(), 1*time.Minute)
+	for i := 0; i < 3; i++ {
+		svc, err := runner.StartService(ctx, func(ctx context.Context, host string, port int) (ServiceConfig, error) {
+			connURL := fmt.Sprintf("ldap://%s:%d", host, port)
+			cfg.Url = connURL
+
+			client, err := ldap.NewClient(ctx, ldaputil.ConvertConfig(cfg))
+			if err != nil {
+				return nil, err
+			}
+
+			defer client.Close(ctx)
+
+			_, err = client.Authenticate(ctx, "Philip J. Fry", "fry")
+			if err != nil {
+				return nil, err
+			}
+
+			return NewServiceURLParse(connURL)
+		})
+		if err != nil {
+			t.Logf("could not start local LDAP docker container: %s", err)
+			t.Log("Docker container logs: ")
+			t.Log(logsWriter.String())
+			continue
+		}
+
+		started = true
+		cleanup = func() {
+			if t.Failed() {
+				t.Log(logsWriter.String())
+			}
+			svc.Cleanup()
+		}
+		break
+	}
+
+	if !started {
+		t.FailNow()
+	}
+
+	return cleanup, cfg
+}
diff --git a/sdk/helper/docker/testhelpers.go b/sdk/helper/docker/testhelpers.go
index 60ee1fcd45..b5b73d4e44 100644
--- a/sdk/helper/docker/testhelpers.go
+++ b/sdk/helper/docker/testhelpers.go
@@ -10,6 +10,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/url"
@@ -20,18 +21,14 @@ import (
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/mount"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/strslice"
-	"github.com/docker/docker/client"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/stdcopy"
-	"github.com/docker/go-connections/nat"
+	"github.com/containerd/errdefs"
 	"github.com/hashicorp/go-uuid"
+	"github.com/moby/go-archive"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/api/types/mount"
+	"github.com/moby/moby/api/types/network"
+	"github.com/moby/moby/client"
 )
 
 const DockerAPIVersion = "1.44"
@@ -68,7 +65,7 @@ type RunOptions struct {
 }
 
 func NewDockerAPI() (*client.Client, error) {
-	return client.NewClientWithOpts(client.FromEnv, client.WithVersion(DockerAPIVersion))
+	return client.New(client.FromEnv, client.WithVersion(DockerAPIVersion))
 }
 
 func NewServiceRunner(opts RunOptions) (*Runner, error) {
@@ -81,16 +78,16 @@ func NewServiceRunner(opts RunOptions) (*Runner, error) {
 		opts.NetworkName = os.Getenv("TEST_DOCKER_NETWORK_NAME")
 	}
 	if opts.NetworkName != "" {
-		nets, err := dapi.NetworkList(context.TODO(), network.ListOptions{
-			Filters: filters.NewArgs(filters.Arg("name", opts.NetworkName)),
+		nets, err := dapi.NetworkList(context.TODO(), client.NetworkListOptions{
+			Filters: make(client.Filters).Add("name", opts.NetworkName),
 		})
 		if err != nil {
 			return nil, err
 		}
-		if len(nets) != 1 {
-			return nil, fmt.Errorf("expected exactly one docker network named %q, got %d", opts.NetworkName, len(nets))
+		if len(nets.Items) != 1 {
+			return nil, fmt.Errorf("expected exactly one docker network named %q, got %d", opts.NetworkName, len(nets.Items))
 		}
-		opts.NetworkID = nets[0].ID
+		opts.NetworkID = nets.Items[0].ID
 	}
 	if opts.NetworkID == "" {
 		opts.NetworkID = os.Getenv("TEST_DOCKER_NETWORK_ID")
@@ -209,18 +206,16 @@ var _ io.Writer = &LogConsumerWriter{}
 func (d *Runner) StartNewService(ctx context.Context, addSuffix, forceLocalAddr bool, connect ServiceAdapter) (*Service, string, error) {
 	if d.RunOptions.PreDelete {
 		name := d.RunOptions.ContainerName
-		matches, err := d.DockerAPI.ContainerList(ctx, container.ListOptions{
+		matches, err := d.DockerAPI.ContainerList(ctx, client.ContainerListOptions{
 			All: true,
 			// TODO use labels to ensure we don't delete anything we shouldn't
-			Filters: filters.NewArgs(
-				filters.Arg("name", name),
-			),
+			Filters: make(client.Filters).Add("name", name),
 		})
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to list containers named %q", name)
 		}
-		for _, cont := range matches {
-			err = d.DockerAPI.ContainerRemove(ctx, cont.ID, container.RemoveOptions{Force: true})
+		for _, cont := range matches.Items {
+			_, err = d.DockerAPI.ContainerRemove(ctx, cont.ID, client.ContainerRemoveOptions{Force: true})
 			if err != nil {
 				return nil, "", fmt.Errorf("failed to pre-delete container named %q", name)
 			}
@@ -258,8 +253,8 @@ func (d *Runner) StartNewService(ctx context.Context, addSuffix, forceLocalAddr
 
 	cleanup := func() {
 		for i := 0; i < 10; i++ {
-			err := d.DockerAPI.ContainerRemove(ctx, result.Container.ID, container.RemoveOptions{Force: true})
-			if err == nil || client.IsErrNotFound(err) {
+			_, err := d.DockerAPI.ContainerRemove(ctx, result.Container.ID, client.ContainerRemoveOptions{Force: true})
+			if err == nil || errdefs.IsNotFound(err) {
 				return
 			}
 			time.Sleep(1 * time.Second)
@@ -278,8 +273,8 @@ func (d *Runner) StartNewService(ctx context.Context, addSuffix, forceLocalAddr
 
 	var config ServiceConfig
 	err = backoff.Retry(func() error {
-		container, err := d.DockerAPI.ContainerInspect(ctx, result.Container.ID)
-		if err != nil || !container.State.Running {
+		inspectRes, err := d.DockerAPI.ContainerInspect(ctx, result.Container.ID, client.ContainerInspectOptions{})
+		if err != nil || !inspectRes.Container.State.Running {
 			return backoff.Permanent(fmt.Errorf("failed inspect or container %q not running: %w", result.Container.ID, err))
 		}
 
@@ -330,7 +325,7 @@ func (d *Runner) createLogConsumer(containerId string, wg *sync.WaitGroup) func(
 func (d *Runner) consumeLogs(containerId string, wg *sync.WaitGroup, logStdout, logStderr io.Writer) {
 	// We must run inside a goroutine because we're using Follow:true,
 	// and StdCopy will block until the log stream is closed.
-	stream, err := d.DockerAPI.ContainerLogs(context.Background(), containerId, container.LogsOptions{
+	stream, err := d.DockerAPI.ContainerLogs(context.Background(), containerId, client.ContainerLogsOptions{
 		ShowStdout: true,
 		ShowStderr: true,
 		Timestamps: !d.RunOptions.OmitLogTimestamps,
@@ -351,12 +346,12 @@ func (d *Runner) consumeLogs(containerId string, wg *sync.WaitGroup, logStdout,
 type Service struct {
 	Config      ServiceConfig
 	Cleanup     func()
-	Container   *types.ContainerJSON
+	Container   *container.InspectResponse
 	StartResult *StartResult
 }
 
 type StartResult struct {
-	Container *types.ContainerJSON
+	Container *container.InspectResponse
 	Addrs     []string
 	RealIP    string
 }
@@ -384,13 +379,17 @@ func (d *Runner) Start(ctx context.Context, addSuffix, forceLocalAddr bool) (*St
 		Cmd:      d.RunOptions.Cmd,
 	}
 	if len(d.RunOptions.Ports) > 0 {
-		cfg.ExposedPorts = make(map[nat.Port]struct{})
+		cfg.ExposedPorts = network.PortSet{}
 		for _, p := range d.RunOptions.Ports {
-			cfg.ExposedPorts[nat.Port(p)] = struct{}{}
+			port, err := network.ParsePort(p)
+			if err != nil {
+				return nil, err
+			}
+			cfg.ExposedPorts[port] = struct{}{}
 		}
 	}
 	if len(d.RunOptions.Entrypoint) > 0 {
-		cfg.Entrypoint = strslice.StrSlice(d.RunOptions.Entrypoint)
+		cfg.Entrypoint = d.RunOptions.Entrypoint
 	}
 
 	hostConfig := &container.HostConfig{
@@ -411,7 +410,7 @@ func (d *Runner) Start(ctx context.Context, addSuffix, forceLocalAddr bool) (*St
 	}
 
 	// best-effort pull
-	var opts image.CreateOptions
+	var opts client.ImagePullOptions
 	if d.RunOptions.AuthUsername != "" && d.RunOptions.AuthPassword != "" {
 		var buf bytes.Buffer
 		auth := map[string]string{
@@ -423,7 +422,7 @@ func (d *Runner) Start(ctx context.Context, addSuffix, forceLocalAddr bool) (*St
 		}
 		opts.RegistryAuth = base64.URLEncoding.EncodeToString(buf.Bytes())
 	}
-	resp, _ := d.DockerAPI.ImageCreate(ctx, cfg.Image, opts)
+	resp, _ := d.DockerAPI.ImagePull(ctx, cfg.Image, opts)
 	if resp != nil {
 		_, _ = io.ReadAll(resp)
 	}
@@ -437,40 +436,45 @@ func (d *Runner) Start(ctx context.Context, addSuffix, forceLocalAddr bool) (*St
 		})
 	}
 
-	c, err := d.DockerAPI.ContainerCreate(ctx, cfg, hostConfig, netConfig, nil, cfg.Hostname)
+	c, err := d.DockerAPI.ContainerCreate(ctx, client.ContainerCreateOptions{
+		Config:           cfg,
+		HostConfig:       hostConfig,
+		NetworkingConfig: netConfig,
+		Name:             cfg.Hostname,
+	})
 	if err != nil {
 		return nil, fmt.Errorf("container create failed: %v", err)
 	}
 
 	for from, to := range d.RunOptions.CopyFromTo {
-		if err := copyToContainer(ctx, d.DockerAPI, c.ID, from, to); err != nil {
-			_ = d.DockerAPI.ContainerRemove(ctx, c.ID, container.RemoveOptions{})
-			return nil, err
+		if err := CopyToContainer(ctx, d.DockerAPI, c.ID, from, to); err != nil {
+			_, err1 := d.DockerAPI.ContainerRemove(ctx, c.ID, client.ContainerRemoveOptions{})
+			return nil, errors.Join(err, err1)
 		}
 	}
 
-	err = d.DockerAPI.ContainerStart(ctx, c.ID, container.StartOptions{})
+	_, err = d.DockerAPI.ContainerStart(ctx, c.ID, client.ContainerStartOptions{})
 	if err != nil {
-		_ = d.DockerAPI.ContainerRemove(ctx, c.ID, container.RemoveOptions{})
-		return nil, fmt.Errorf("container start failed: %v", err)
+		_, err1 := d.DockerAPI.ContainerRemove(ctx, c.ID, client.ContainerRemoveOptions{})
+		return nil, fmt.Errorf("container start failed: %v", errors.Join(err, err1))
 	}
 
-	inspect, err := d.DockerAPI.ContainerInspect(ctx, c.ID)
+	inspect, err := d.DockerAPI.ContainerInspect(ctx, c.ID, client.ContainerInspectOptions{})
 	if err != nil {
-		_ = d.DockerAPI.ContainerRemove(ctx, c.ID, container.RemoveOptions{})
-		return nil, err
+		_, err1 := d.DockerAPI.ContainerRemove(ctx, c.ID, client.ContainerRemoveOptions{})
+		return nil, errors.Join(err, err1)
 	}
 
 	var addrs []string
-	for _, port := range d.RunOptions.Ports {
-		pieces := strings.Split(port, "/")
-		if len(pieces) < 2 {
-			return nil, fmt.Errorf("expected port of the form 1234/tcp, got: %s", port)
+	for _, portS := range d.RunOptions.Ports {
+		port, err := network.ParsePort(portS)
+		if err != nil {
+			return nil, err
 		}
 		if d.RunOptions.NetworkID != "" && !forceLocalAddr {
-			addrs = append(addrs, fmt.Sprintf("%s:%s", cfg.Hostname, pieces[0]))
+			addrs = append(addrs, fmt.Sprintf("%s:%d", cfg.Hostname, port.Num()))
 		} else {
-			mapped, ok := inspect.NetworkSettings.Ports[nat.Port(port)]
+			mapped, ok := inspect.Container.NetworkSettings.Ports[port]
 			if !ok || len(mapped) == 0 {
 				return nil, fmt.Errorf("no port mapping found for %s", port)
 			}
@@ -480,19 +484,19 @@ func (d *Runner) Start(ctx context.Context, addSuffix, forceLocalAddr bool) (*St
 
 	var realIP string
 	if d.RunOptions.NetworkID == "" {
-		if len(inspect.NetworkSettings.Networks) > 1 {
-			return nil, fmt.Errorf("Set d.RunOptions.NetworkName instead for container with multiple networks: %v", inspect.NetworkSettings.Networks)
+		if len(inspect.Container.NetworkSettings.Networks) > 1 {
+			return nil, fmt.Errorf("Set d.RunOptions.NetworkName instead for container with multiple networks: %v", inspect.Container.NetworkSettings.Networks)
 		}
-		for _, network := range inspect.NetworkSettings.Networks {
-			realIP = network.IPAddress
+		for _, ntwrk := range inspect.Container.NetworkSettings.Networks {
+			realIP = ntwrk.IPAddress.String()
 			break
 		}
 	} else {
-		realIP = inspect.NetworkSettings.Networks[d.RunOptions.NetworkName].IPAddress
+		realIP = inspect.Container.NetworkSettings.Networks[d.RunOptions.NetworkName].IPAddress.String()
 	}
 
 	return &StartResult{
-		Container: &inspect,
+		Container: &inspect.Container,
 		Addrs:     addrs,
 		RealIP:    realIP,
 	}, nil
@@ -500,28 +504,35 @@ func (d *Runner) Start(ctx context.Context, addSuffix, forceLocalAddr bool) (*St
 
 func (d *Runner) RefreshFiles(ctx context.Context, containerID string) error {
 	for from, to := range d.RunOptions.CopyFromTo {
-		if err := copyToContainer(ctx, d.DockerAPI, containerID, from, to); err != nil {
+		if err := CopyToContainer(ctx, d.DockerAPI, containerID, from, to); err != nil {
 			// TODO too drastic?
-			_ = d.DockerAPI.ContainerRemove(ctx, containerID, container.RemoveOptions{})
-			return err
+			_, err1 := d.DockerAPI.ContainerRemove(ctx, containerID, client.ContainerRemoveOptions{})
+			return errors.Join(err, err1)
 		}
 	}
-	return d.DockerAPI.ContainerKill(ctx, containerID, "SIGHUP")
+
+	_, err := d.DockerAPI.ContainerKill(ctx, containerID, client.ContainerKillOptions{
+		Signal: "SIGHUP",
+	})
+	return err
 }
 
 func (d *Runner) Stop(ctx context.Context, containerID string) error {
 	if d.RunOptions.NetworkID != "" {
-		if err := d.DockerAPI.NetworkDisconnect(ctx, d.RunOptions.NetworkID, containerID, true); err != nil {
+		if _, err := d.DockerAPI.NetworkDisconnect(ctx, d.RunOptions.NetworkID, client.NetworkDisconnectOptions{
+			Container: containerID,
+			Force:     true,
+		}); err != nil {
 			return fmt.Errorf("error disconnecting network (%v): %v", d.RunOptions.NetworkID, err)
 		}
 	}
 
 	// timeout in seconds
 	timeout := 5
-	options := container.StopOptions{
+	options := client.ContainerStopOptions{
 		Timeout: &timeout,
 	}
-	if err := d.DockerAPI.ContainerStop(ctx, containerID, options); err != nil {
+	if _, err := d.DockerAPI.ContainerStop(ctx, containerID, options); err != nil {
 		return fmt.Errorf("error stopping container: %v", err)
 	}
 
@@ -529,7 +540,7 @@ func (d *Runner) Stop(ctx context.Context, containerID string) error {
 }
 
 func (d *Runner) RestartContainerWithTimeout(ctx context.Context, containerID string, timeout int) error {
-	err := d.DockerAPI.ContainerRestart(ctx, containerID, container.StopOptions{Timeout: &timeout})
+	_, err := d.DockerAPI.ContainerRestart(ctx, containerID, client.ContainerRestartOptions{Timeout: &timeout})
 	if err != nil {
 		return fmt.Errorf("failed to restart container: %s", err)
 	}
@@ -544,7 +555,7 @@ func (d *Runner) RestartContainerWithTimeout(ctx context.Context, containerID st
 }
 
 func (d *Runner) Restart(ctx context.Context, containerID string) error {
-	if err := d.DockerAPI.ContainerStart(ctx, containerID, container.StartOptions{}); err != nil {
+	if _, err := d.DockerAPI.ContainerStart(ctx, containerID, client.ContainerStartOptions{}); err != nil {
 		return err
 	}
 
@@ -552,10 +563,14 @@ func (d *Runner) Restart(ctx context.Context, containerID string) error {
 		NetworkID: d.RunOptions.NetworkID,
 	}
 
-	return d.DockerAPI.NetworkConnect(ctx, d.RunOptions.NetworkID, containerID, ends)
+	_, err := d.DockerAPI.NetworkConnect(ctx, d.RunOptions.NetworkID, client.NetworkConnectOptions{
+		Container:      containerID,
+		EndpointConfig: ends,
+	})
+	return err
 }
 
-func copyToContainer(ctx context.Context, dapi *client.Client, containerID, from, to string) error {
+func CopyToContainer(ctx context.Context, dapi *client.Client, containerID, from, to string) error {
 	srcInfo, err := archive.CopyInfoSourcePath(from, false)
 	if err != nil {
 		return fmt.Errorf("error copying from source %q: %v", from, err)
@@ -574,7 +589,11 @@ func copyToContainer(ctx context.Context, dapi *client.Client, containerID, from
 		return fmt.Errorf("error preparing copy from %q -> %q: %v", from, to, err)
 	}
 	defer content.Close()
-	err = dapi.CopyToContainer(ctx, containerID, dstDir, content, container.CopyToContainerOptions{})
+	_, err = dapi.CopyToContainer(ctx, containerID, client.CopyToContainerOptions{
+		DestinationPath: dstDir,
+		Content:         content,
+		CopyUIDGID:      true,
+	})
 	if err != nil {
 		return fmt.Errorf("error copying from %q -> %q: %v", from, to, err)
 	}
@@ -583,14 +602,14 @@ func copyToContainer(ctx context.Context, dapi *client.Client, containerID, from
 }
 
 type RunCmdOpt interface {
-	Apply(cfg *container.ExecOptions) error
+	Apply(cfg *client.ExecCreateOptions) error
 }
 
 type RunCmdUser string
 
 var _ RunCmdOpt = (*RunCmdUser)(nil)
 
-func (u RunCmdUser) Apply(cfg *container.ExecOptions) error {
+func (u RunCmdUser) Apply(cfg *client.ExecCreateOptions) error {
 	cfg.User = string(u)
 	return nil
 }
@@ -600,7 +619,7 @@ func (d *Runner) RunCmdWithOutput(ctx context.Context, container string, cmd []s
 }
 
 func RunCmdWithOutput(api *client.Client, ctx context.Context, containerID string, cmd []string, opts ...RunCmdOpt) ([]byte, []byte, int, error) {
-	runCfg := container.ExecOptions{
+	runCfg := client.ExecCreateOptions{
 		AttachStdout: true,
 		AttachStderr: true,
 		Cmd:          cmd,
@@ -612,12 +631,12 @@ func RunCmdWithOutput(api *client.Client, ctx context.Context, containerID strin
 		}
 	}
 
-	ret, err := api.ContainerExecCreate(ctx, containerID, runCfg)
+	ret, err := api.ExecCreate(ctx, containerID, runCfg)
 	if err != nil {
 		return nil, nil, -1, fmt.Errorf("error creating execution environment: %v\ncfg: %v\n", err, runCfg)
 	}
 
-	resp, err := api.ContainerExecAttach(ctx, ret.ID, container.ExecAttachOptions{})
+	resp, err := api.ExecAttach(ctx, ret.ID, client.ExecAttachOptions{})
 	if err != nil {
 		return nil, nil, -1, fmt.Errorf("error attaching to command execution: %v\ncfg: %v\nret: %v\n", err, runCfg, ret)
 	}
@@ -633,7 +652,7 @@ func RunCmdWithOutput(api *client.Client, ctx context.Context, containerID strin
 	stderr := stderrB.Bytes()
 
 	// Fetch return code.
-	info, err := api.ContainerExecInspect(ctx, ret.ID)
+	info, err := api.ExecInspect(ctx, ret.ID, client.ExecInspectOptions{})
 	if err != nil {
 		return stdout, stderr, -1, fmt.Errorf("error reading command exit code: %v", err)
 	}
@@ -646,7 +665,7 @@ func (d *Runner) RunCmdInBackground(ctx context.Context, container string, cmd [
 }
 
 func RunCmdInBackground(api *client.Client, ctx context.Context, containerID string, cmd []string, opts ...RunCmdOpt) (string, error) {
-	runCfg := container.ExecOptions{
+	runCfg := client.ExecCreateOptions{
 		AttachStdout: true,
 		AttachStderr: true,
 		Cmd:          cmd,
@@ -658,12 +677,12 @@ func RunCmdInBackground(api *client.Client, ctx context.Context, containerID str
 		}
 	}
 
-	ret, err := api.ContainerExecCreate(ctx, containerID, runCfg)
+	ret, err := api.ExecCreate(ctx, containerID, runCfg)
 	if err != nil {
 		return "", fmt.Errorf("error creating execution environment: %w\ncfg: %v\n", err, runCfg)
 	}
 
-	err = api.ContainerExecStart(ctx, ret.ID, container.ExecStartOptions{})
+	_, err = api.ExecStart(ctx, ret.ID, client.ExecStartOptions{})
 	if err != nil {
 		return "", fmt.Errorf("error starting command execution: %w\ncfg: %v\nret: %v\n", err, runCfg, ret)
 	}
@@ -805,14 +824,14 @@ func (bCtx *BuildContext) ToTarball() (io.Reader, error) {
 }
 
 type BuildOpt interface {
-	Apply(cfg *types.ImageBuildOptions) error
+	Apply(cfg *client.ImageBuildOptions) error
 }
 
 type BuildRemove bool
 
 var _ BuildOpt = (*BuildRemove)(nil)
 
-func (u BuildRemove) Apply(cfg *types.ImageBuildOptions) error {
+func (u BuildRemove) Apply(cfg *client.ImageBuildOptions) error {
 	cfg.Remove = bool(u)
 	return nil
 }
@@ -821,7 +840,7 @@ type BuildForceRemove bool
 
 var _ BuildOpt = (*BuildForceRemove)(nil)
 
-func (u BuildForceRemove) Apply(cfg *types.ImageBuildOptions) error {
+func (u BuildForceRemove) Apply(cfg *client.ImageBuildOptions) error {
 	cfg.ForceRemove = bool(u)
 	return nil
 }
@@ -830,7 +849,7 @@ type BuildPullParent bool
 
 var _ BuildOpt = (*BuildPullParent)(nil)
 
-func (u BuildPullParent) Apply(cfg *types.ImageBuildOptions) error {
+func (u BuildPullParent) Apply(cfg *client.ImageBuildOptions) error {
 	cfg.PullParent = bool(u)
 	return nil
 }
@@ -839,7 +858,7 @@ type BuildArgs map[string]*string
 
 var _ BuildOpt = (*BuildArgs)(nil)
 
-func (u BuildArgs) Apply(cfg *types.ImageBuildOptions) error {
+func (u BuildArgs) Apply(cfg *client.ImageBuildOptions) error {
 	cfg.BuildArgs = u
 	return nil
 }
@@ -848,7 +867,7 @@ type BuildTags []string
 
 var _ BuildOpt = (*BuildTags)(nil)
 
-func (u BuildTags) Apply(cfg *types.ImageBuildOptions) error {
+func (u BuildTags) Apply(cfg *client.ImageBuildOptions) error {
 	cfg.Tags = u
 	return nil
 }
@@ -860,7 +879,7 @@ func (d *Runner) BuildImage(ctx context.Context, containerfile string, container
 }
 
 func BuildImage(ctx context.Context, api *client.Client, containerfile string, containerContext BuildContext, opts ...BuildOpt) ([]byte, error) {
-	var cfg types.ImageBuildOptions
+	var cfg client.ImageBuildOptions
 
 	// Build container context tarball, provisioning containerfile in.
 	containerContext[containerfilePath] = PathContentsFromBytes([]byte(containerfile))
@@ -891,51 +910,53 @@ func BuildImage(ctx context.Context, api *client.Client, containerfile string, c
 }
 
 func (d *Runner) CopyTo(containerID string, destination string, contents BuildContext) error {
-	// XXX: currently we use the default options but we might want to allow
-	// modifying cfg.CopyUIDGID in the future.
-	var cfg container.CopyToContainerOptions
-
 	// Convert our provided contents to a tarball to ship up.
 	tar, err := contents.ToTarball()
 	if err != nil {
 		return fmt.Errorf("failed to build contents into tarball: %v", err)
 	}
 
-	return d.DockerAPI.CopyToContainer(context.Background(), containerID, destination, tar, cfg)
+	_, err = d.DockerAPI.CopyToContainer(context.Background(), containerID, client.CopyToContainerOptions{
+		DestinationPath: destination,
+		Content:         tar,
+	})
+	return err
 }
 
 func (d *Runner) CopyFrom(container string, source string) (BuildContext, *container.PathStat, error) {
-	reader, stat, err := d.DockerAPI.CopyFromContainer(context.Background(), container, source)
+	res, err := d.DockerAPI.CopyFromContainer(context.Background(), container, client.CopyFromContainerOptions{
+		SourcePath: source,
+	})
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to read %v from container: %v", source, err)
 	}
 
-	result, err := BuildContextFromTarball(reader)
+	result, err := BuildContextFromTarball(res.Content)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to build archive from result: %v", err)
 	}
 
-	return result, &stat, nil
+	return result, &res.Stat, nil
 }
 
 func (d *Runner) GetNetworkAndAddresses(container string) (map[string]string, error) {
-	response, err := d.DockerAPI.ContainerInspect(context.Background(), container)
+	response, err := d.DockerAPI.ContainerInspect(context.Background(), container, client.ContainerInspectOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch container inspection data: %v", err)
 	}
 
-	if response.NetworkSettings == nil || len(response.NetworkSettings.Networks) == 0 {
+	if response.Container.NetworkSettings == nil || len(response.Container.NetworkSettings.Networks) == 0 {
 		return nil, fmt.Errorf("container (%v) had no associated network settings: %v", container, response)
 	}
 
 	ret := make(map[string]string)
-	ns := response.NetworkSettings.Networks
+	ns := response.Container.NetworkSettings.Networks
 	for network, data := range ns {
 		if data == nil {
 			continue
 		}
 
-		ret[network] = data.IPAddress
+		ret[network] = data.IPAddress.String()
 	}
 
 	if len(ret) == 0 {
diff --git a/sdk/helper/identitytpl/templating.go b/sdk/helper/identitytpl/templating.go
index 303a8649a5..ffbe572453 100644
--- a/sdk/helper/identitytpl/templating.go
+++ b/sdk/helper/identitytpl/templating.go
@@ -21,11 +21,15 @@ var (
 	ErrNoEntityAttachedToToken       = errors.New("string contains entity template directives but no entity was provided")
 	ErrNoGroupsAttachedToToken       = errors.New("string contains groups template directives but no groups were provided")
 	ErrTemplateValueNotFound         = errors.New("no value could be found for one of the template directives")
+	ErrTemplatedWildcard             = errors.New("globs and wildcards are not allowed in template result")
 )
 
 const (
 	ACLTemplating = iota // must be the first value for backwards compatibility
 	JSONTemplating
+
+	// QuotedTemplating is like ACLTemplating, but quotes are escaped (for example `a "` becomes `a \"`)
+	QuotedTemplating
 )
 
 type PopulateStringInput struct {
@@ -52,19 +56,25 @@ type templateHandlerFunc func(interface{}, ...string) (string, error)
 // aclTemplateHandler processes known parameter data types when operating
 // in ACL mode.
 func aclTemplateHandler(v interface{}, keys ...string) (string, error) {
+	return simpleTemplateHandler(v, keys, func(s string) string {
+		return s
+	})
+}
+
+func simpleTemplateHandler(v interface{}, keys []string, quoteFunc func(s string) string) (string, error) {
 	switch t := v.(type) {
 	case string:
 		if t == "" {
 			return "", ErrTemplateValueNotFound
 		}
-		return t, nil
+		return quoteFunc(t), nil
 	case []string:
 		return "", ErrTemplateValueNotFound
 	case map[string]string:
 		if len(keys) > 0 {
 			val, ok := t[keys[0]]
 			if ok {
-				return val, nil
+				return quoteFunc(val), nil
 			}
 		}
 		return "", ErrTemplateValueNotFound
@@ -73,6 +83,17 @@ func aclTemplateHandler(v interface{}, keys ...string) (string, error) {
 	return "", fmt.Errorf("unknown type: %T", v)
 }
 
+// quotedTemplateHandler uses strconv.Quote to quote values
+func quotedTemplateHandler(v interface{}, keys ...string) (string, error) {
+	return simpleTemplateHandler(v, keys, func(s string) string {
+		escaped := strconv.Quote(s)
+		if len(escaped) < 2 {
+			return escaped
+		}
+		return escaped[1 : len(escaped)-1]
+	})
+}
+
 // jsonTemplateHandler processes known parameter data types when operating
 // in JSON mode.
 func jsonTemplateHandler(v interface{}, keys ...string) (string, error) {
@@ -119,6 +140,8 @@ func PopulateString(p PopulateStringInput) (bool, string, error) {
 		p.templateHandler = aclTemplateHandler
 	case JSONTemplating:
 		p.templateHandler = jsonTemplateHandler
+	case QuotedTemplating:
+		p.templateHandler = quotedTemplateHandler
 	default:
 		return false, "", fmt.Errorf("unknown mode %q", p.Mode)
 	}
@@ -156,6 +179,10 @@ func PopulateString(p PopulateStringInput) (bool, string, error) {
 				if err != nil {
 					return false, "", err
 				}
+				// Reject wildcards in the template output
+				if strings.ContainsAny(tmplStr, "*+") {
+					return false, "", ErrTemplatedWildcard
+				}
 				b.WriteString(tmplStr)
 				b.WriteString(splitPiece[1])
 			}
@@ -230,7 +257,7 @@ func performTemplating(input string, p *PopulateStringInput) (string, error) {
 				}
 			}
 			if alias == nil {
-				if p.Mode == ACLTemplating {
+				if p.Mode == ACLTemplating || p.Mode == QuotedTemplating {
 					return "", errors.New("alias not found")
 				}
 
diff --git a/sdk/helper/identitytpl/templating_test.go b/sdk/helper/identitytpl/templating_test.go
index 269ec6444e..881a7d4e28 100644
--- a/sdk/helper/identitytpl/templating_test.go
+++ b/sdk/helper/identitytpl/templating_test.go
@@ -380,70 +380,202 @@ func TestPopulate_Basic(t *testing.T) {
 			aliasCustomMetadata: map[string]string{"foo": "abc", "bar": "123"},
 			output:              `{}`,
 		},
+		// QuotedTemplating tests
+		{
+			mode:       QuotedTemplating,
+			name:       "SPIFFE quote in the middle",
+			input:      "{{identity.entity.name}}",
+			entityName: `entity"name`,
+			output:     `entity\"name`,
+		},
+		{
+			mode:     QuotedTemplating,
+			name:     "SPIFFE quoted value",
+			input:    "{{identity.entity.metadata.color}}",
+			metadata: map[string]string{"color": `"green blue"`},
+			output:   `\"green blue\"`,
+		},
+		{
+			mode:          QuotedTemplating,
+			name:          "escaped alias accessor not found",
+			input:         "{{identity.entity.aliases.aws_123.custom_metadata.foo}}",
+			aliasAccessor: "not_gonna_match",
+			err:           errors.New("alias not found"),
+		},
+		{
+			mode:     QuotedTemplating,
+			name:     "escaped metadata object disallowed",
+			input:    "{{identity.entity.metadata}}",
+			metadata: map[string]string{"foo": "bar"},
+			err:      ErrTemplateValueNotFound,
+		},
+		// wildcard templating tests
+		{
+			name:       "wildcard_glob_entity_injection",
+			input:      "path {{identity.entity.name}} {",
+			entityName: "admin*",
+			err:        ErrTemplatedWildcard,
+		},
+		{
+			name:                "wildcard_glob_alias_injection",
+			input:               `path "data/{{identity.entity.aliases.foomount.custom_metadata.dept}}/*" {`,
+			aliasAccessor:       "foomount",
+			aliasCustomMetadata: map[string]string{"dept": "*"},
+			err:                 ErrTemplatedWildcard,
+		},
+		{
+			name:       "wildcard_glob_group_injection",
+			input:      `path "{{identity.groups.ids.groupID.name}}" {\n\tval = {{identity.entity.name}}\n}`,
+			entityName: "entityName",
+			groupName:  "groupName*",
+			err:        ErrTemplatedWildcard,
+		},
+		{
+			name:       "wildcard_glob_outside_of_template",
+			input:      `path "{{identity.entity.name}}*" {`,
+			entityName: "admin",
+			output:     `path "admin*" {`,
+		},
+		{
+			name:     "wildcard_segment_injection",
+			input:    `path "secret/data/teams/{{identity.entity.metadata.team}}/config" {`,
+			metadata: map[string]string{"team": "+"},
+			err:      ErrTemplatedWildcard,
+		},
+		{
+			name: "wildcard_full_example",
+			input: `path "secret/data/{{identity.entity.name}}/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path"secret/metadata/{{identity.entity.metadata.team}}/*" {
+    capabilities = ["read", "list"]
+}`,
+			entityName: "*",
+			metadata:   map[string]string{"team": "admin"},
+			err:        ErrTemplatedWildcard,
+		},
+
+		// json templating versions of the wildcard tests
+		{
+			mode:       JSONTemplating,
+			name:       "json_wildcard_glob_entity_injection",
+			input:      "{{identity.entity.name}}",
+			entityName: "admin*",
+			err:        ErrTemplatedWildcard,
+		},
+		{
+			mode:                JSONTemplating,
+			name:                "json_wildcard_glob_alias_injection",
+			input:               "data/{{identity.entity.aliases.foomount.custom_metadata.dept}}/*",
+			aliasAccessor:       "foomount",
+			aliasCustomMetadata: map[string]string{"dept": "*"},
+			err:                 ErrTemplatedWildcard,
+		},
+		{
+			mode:      JSONTemplating,
+			name:      "json_wildcard_glob_group_injection",
+			input:     "{{identity.groups.ids.groupID.name}}",
+			groupName: "groupName*",
+			err:       ErrTemplatedWildcard,
+		},
+		{
+			mode:       JSONTemplating,
+			name:       "json_wildcard_glob_outside_of_template",
+			input:      "secret/data/{{identity.entity.name}}/*",
+			entityName: "admin",
+			output:     `secret/data/"admin"/*`,
+		},
+		{
+			mode:     JSONTemplating,
+			name:     "json_wildcard_segment_injection",
+			input:    "secret/data/teams/{{identity.entity.metadata.team}}/config",
+			metadata: map[string]string{"team": "+"},
+			err:      ErrTemplatedWildcard,
+		},
+		{
+			mode: JSONTemplating,
+			name: "json_wildcard_full_example",
+			input: `{
+  "path": {
+    "secret/data/{{identity.entity.name}}/*": {
+      "capabilities": ["create", "read", "update", "delete", "list"]
+    },
+    "secret/metadata/{{identity.entity.metadata.team}}/*": {
+      "capabilities": ["read", "list"]
+    }
+  }
+}`,
+			entityName: "*",
+			metadata:   map[string]string{"team": "admin"},
+			err:        ErrTemplatedWildcard,
+		},
 	}
 
 	for _, test := range tests {
-		var entity *logical.Entity
-		if !test.nilEntity {
-			entity = &logical.Entity{
-				ID:       "entityID",
-				Name:     test.entityName,
-				Metadata: test.metadata,
+		t.Run(test.name, func(t *testing.T) {
+			var entity *logical.Entity
+			if !test.nilEntity {
+				entity = &logical.Entity{
+					ID:       "entityID",
+					Name:     test.entityName,
+					Metadata: test.metadata,
+				}
 			}
-		}
-		if test.aliasAccessor != "" {
-			entity.Aliases = []*logical.Alias{
-				{
-					MountAccessor:  test.aliasAccessor,
-					ID:             test.aliasID,
-					Name:           test.aliasName,
-					Metadata:       test.aliasMetadata,
-					CustomMetadata: test.aliasCustomMetadata,
-				},
+			if test.aliasAccessor != "" {
+				entity.Aliases = []*logical.Alias{
+					{
+						MountAccessor:  test.aliasAccessor,
+						ID:             test.aliasID,
+						Name:           test.aliasName,
+						Metadata:       test.aliasMetadata,
+						CustomMetadata: test.aliasCustomMetadata,
+					},
+				}
 			}
-		}
-		var groups []*logical.Group
-		if test.groupName != "" {
-			groups = append(groups, &logical.Group{
-				ID:          "groupID",
-				Name:        test.groupName,
-				Metadata:    test.groupMetadata,
-				NamespaceID: "root",
-			})
-		}
-
-		if test.groupMemberships != nil {
-			for i, groupName := range test.groupMemberships {
+			var groups []*logical.Group
+			if test.groupName != "" {
 				groups = append(groups, &logical.Group{
-					ID:   fmt.Sprintf("%s_%d", groupName, i),
-					Name: groupName,
+					ID:          "groupID",
+					Name:        test.groupName,
+					Metadata:    test.groupMetadata,
+					NamespaceID: "root",
 				})
 			}
-		}
 
-		subst, out, err := PopulateString(PopulateStringInput{
-			Mode:              test.mode,
-			ValidityCheckOnly: test.validityCheckOnly,
-			String:            test.input,
-			Entity:            entity,
-			Groups:            groups,
-			NamespaceID:       "root",
-			Now:               test.now,
+			if test.groupMemberships != nil {
+				for i, groupName := range test.groupMemberships {
+					groups = append(groups, &logical.Group{
+						ID:   fmt.Sprintf("%s_%d", groupName, i),
+						Name: groupName,
+					})
+				}
+			}
+
+			subst, out, err := PopulateString(PopulateStringInput{
+				Mode:              test.mode,
+				ValidityCheckOnly: test.validityCheckOnly,
+				String:            test.input,
+				Entity:            entity,
+				Groups:            groups,
+				NamespaceID:       "root",
+				Now:               test.now,
+			})
+			if err != nil {
+				if test.err == nil {
+					t.Fatalf("%s: expected success, got error: %v", test.name, err)
+				}
+				if err.Error() != test.err.Error() {
+					t.Fatalf("%s: got error: %v", test.name, err)
+				}
+			}
+			if out != test.output {
+				t.Fatalf("%s: bad output: %s, expected: %s", test.name, out, test.output)
+			}
+			if err == nil && !subst && out != test.input {
+				t.Fatalf("%s: bad subst flag", test.name)
+			}
 		})
-		if err != nil {
-			if test.err == nil {
-				t.Fatalf("%s: expected success, got error: %v", test.name, err)
-			}
-			if err.Error() != test.err.Error() {
-				t.Fatalf("%s: got error: %v", test.name, err)
-			}
-		}
-		if out != test.output {
-			t.Fatalf("%s: bad output: %s, expected: %s", test.name, out, test.output)
-		}
-		if err == nil && !subst && out != test.input {
-			t.Fatalf("%s: bad subst flag", test.name)
-		}
 	}
 }
 
diff --git a/sdk/helper/keysutil/lock_manager.go b/sdk/helper/keysutil/lock_manager.go
index eb9e421d21..42a7a3b3b5 100644
--- a/sdk/helper/keysutil/lock_manager.go
+++ b/sdk/helper/keysutil/lock_manager.go
@@ -74,6 +74,9 @@ type PolicyRequest struct {
 
 	// HybridConfig contains the key types and parameters for hybrid keys
 	HybridConfig HybridKeyConfig
+
+	// WriteLocked determines whether the returned policy will have an exclusive lock
+	WriteLocked bool
 }
 
 type HybridKeyConfig struct {
@@ -298,7 +301,7 @@ func (lm *LockManager) BackupPolicy(ctx context.Context, storage logical.Storage
 	return backup, nil
 }
 
-// When the function returns, if caching was disabled, the Policy's lock must
+// When the function returns, the Policy's lock must
 // be unlocked when the caller is done (and it should not be re-locked).
 func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io.Reader) (retP *Policy, retUpserted bool, retErr error) {
 	var p *Policy
@@ -315,6 +318,7 @@ func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io
 		if atomic.LoadUint32(&p.deleted) == 1 {
 			return nil, false, nil
 		}
+		p.Lock(req.WriteLocked)
 		return p, false, nil
 	}
 
@@ -328,10 +332,10 @@ func (lm *LockManager) GetPolicy(ctx context.Context, req PolicyRequest, rand io
 	// return from here with the lock still held.
 	cleanup := func() {
 		switch {
-		// If using the cache we always unlock, the caller locks the policy
-		// themselves
-		case lm.useCache:
+		// If using the cache we use the policy request to determine which lock type to use
+		case lm.useCache && retP != nil:
 			lock.Unlock()
+			retP.Lock(req.WriteLocked)
 
 		// If not using the cache, if we aren't returning a policy the caller
 		// doesn't have a lock, so we must unlock
diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go
index 174e841254..605e0efd7b 100644
--- a/sdk/helper/keysutil/policy.go
+++ b/sdk/helper/keysutil/policy.go
@@ -35,6 +35,7 @@ import (
 
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
@@ -1662,6 +1663,25 @@ func (p *Policy) verifyEd25519WithPublicKey(input []byte, sigBytes []byte, pub e
 	return true, nil
 }
 
+// When x509.ParsePKCS8PrivateKey fails it suggests alternative parser functions (e.g.,
+// "failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)"
+// Instead, return an error that clearly states private keys must be PKCS#8.
+func formatPKCS8ParsingError(key []byte, err error) error {
+	if err == nil {
+		return nil
+	}
+	const message = "error parsing asymmetric key: private key must be encoded as PKCS#8"
+	_, format, _ := certutil.ParseDERKey(key)
+	switch format {
+	case certutil.ECBlock:
+		return fmt.Errorf("%s; detected key format: EC PRIVATE KEY (SEC1)\n - original error: %w", message, err)
+	case certutil.PKCS1Block:
+		return fmt.Errorf("%s; detected key format: RSA PRIVATE KEY (PKCS#1)\n - original error: %w", message, err)
+	default:
+		return fmt.Errorf("%s: %w", message, err)
+	}
+}
+
 func (p *Policy) Import(ctx context.Context, storage logical.Storage, key []byte, randReader io.Reader) error {
 	return p.ImportPublicOrPrivate(ctx, storage, key, true, randReader)
 }
@@ -1720,7 +1740,7 @@ func (p *Policy) ImportPublicOrPrivate(ctx context.Context, storage logical.Stor
 					var edErr error
 					parsedKey, edErr = ParsePKCS8Ed25519PrivateKey(key)
 					if edErr != nil {
-						return fmt.Errorf("error parsing asymmetric key:\n - assuming contents are an ed25519 private key: %s\n - original error: %v", edErr, err)
+						return fmt.Errorf("error parsing asymmetric key:\n - assuming contents are an ed25519 private key: %s\n - original error: %w", edErr, err)
 					}
 
 					// Parsing as Ed25519-in-PKCS8-ECPrivateKey succeeded!
@@ -1733,7 +1753,7 @@ func (p *Policy) ImportPublicOrPrivate(ctx context.Context, storage logical.Stor
 
 					// Parsing as RSA-PSS in PKCS8 succeeded!
 				} else {
-					return fmt.Errorf("error parsing asymmetric key: %s", err)
+					return formatPKCS8ParsingError(key, err)
 				}
 			}
 		} else {
@@ -2408,7 +2428,7 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical
 			var edErr error
 			parsedPrivateKey, edErr = ParsePKCS8Ed25519PrivateKey(key)
 			if edErr != nil {
-				return fmt.Errorf("error parsing asymmetric key:\n - assuming contents are an ed25519 private key: %s\n - original error: %v", edErr, err)
+				return fmt.Errorf("error parsing asymmetric key:\n - assuming contents are an ed25519 private key: %s\n - original error: %w", edErr, err)
 			}
 
 			// Parsing as Ed25519-in-PKCS8-ECPrivateKey succeeded!
@@ -2421,7 +2441,7 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical
 
 			// Parsing as RSA-PSS in PKCS8 succeeded!
 		} else {
-			return fmt.Errorf("error parsing asymmetric key: %s", err)
+			return formatPKCS8ParsingError(key, err)
 		}
 	}
 
diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go
index e6f4ce065c..0c07f5c2be 100644
--- a/sdk/helper/keysutil/policy_test.go
+++ b/sdk/helper/keysutil/policy_test.go
@@ -210,9 +210,7 @@ func testKeyUpgradeCommon(t *testing.T, lm *LockManager) {
 	if !upserted {
 		t.Fatal("expected an upsert")
 	}
-	if !lm.useCache {
-		p.Unlock()
-	}
+	p.Unlock()
 
 	testBytes := make([]byte, len(p.Keys["1"].Key))
 	copy(testBytes, p.Keys["1"].Key)
@@ -259,9 +257,7 @@ func testArchivingUpgradeCommon(t *testing.T, lm *LockManager) {
 	if p == nil {
 		t.Fatal("nil policy")
 	}
-	if !lm.useCache {
-		p.Unlock()
-	}
+	p.Unlock()
 
 	// Store the initial key in the archive
 	keysArchive := []KeyEntry{{}, p.Keys["1"]}
@@ -316,9 +312,7 @@ func testArchivingUpgradeCommon(t *testing.T, lm *LockManager) {
 	if p == nil {
 		t.Fatal("nil policy")
 	}
-	if !lm.useCache {
-		p.Unlock()
-	}
+	p.Unlock()
 
 	checkKeys(t, ctx, p, storage, keysArchive, "upgrade", 10, 10, 10)
 
@@ -356,9 +350,7 @@ func testArchivingUpgradeCommon(t *testing.T, lm *LockManager) {
 	if p == nil {
 		t.Fatal("policy nil after bad delete")
 	}
-	if !lm.useCache {
-		p.Unlock()
-	}
+	p.Unlock()
 
 	// Now do it properly
 	p.DeletionAllowed = true
@@ -394,8 +386,8 @@ func testArchivingUpgradeCommon(t *testing.T, lm *LockManager) {
 func Test_Archiving(t *testing.T) {
 	lockManagerWithCache, _ := NewLockManager(true, 0)
 	lockManagerWithoutCache, _ := NewLockManager(false, 0)
-	testArchivingUpgradeCommon(t, lockManagerWithCache)
-	testArchivingUpgradeCommon(t, lockManagerWithoutCache)
+	testArchivingCommon(t, lockManagerWithCache)
+	testArchivingCommon(t, lockManagerWithoutCache)
 }
 
 func testArchivingCommon(t *testing.T, lm *LockManager) {
@@ -419,9 +411,7 @@ func testArchivingCommon(t *testing.T, lm *LockManager) {
 	if p == nil {
 		t.Fatal("nil policy")
 	}
-	if !lm.useCache {
-		p.Unlock()
-	}
+	p.Unlock()
 
 	// Store the initial key in the archive
 	keysArchive := []KeyEntry{{}, p.Keys["1"]}
@@ -573,6 +563,7 @@ func Test_StorageErrorSafety(t *testing.T) {
 	if p == nil {
 		t.Fatal("nil policy")
 	}
+	defer p.Unlock()
 
 	// Store the initial key in the archive
 	keysArchive := []KeyEntry{{}, p.Keys["1"]}
@@ -620,6 +611,7 @@ func Test_BadUpgrade(t *testing.T) {
 	if p == nil {
 		t.Fatal("nil policy")
 	}
+	defer p.Unlock()
 
 	orig, err := copystructure.Copy(p)
 	if err != nil {
@@ -685,6 +677,7 @@ func Test_BadArchive(t *testing.T) {
 	if p == nil {
 		t.Fatal("nil policy")
 	}
+	defer p.Unlock()
 
 	for i := 2; i <= 10; i++ {
 		err = p.Rotate(ctx, storage, rand.Reader)
@@ -753,11 +746,16 @@ func Test_Import(t *testing.T) {
 	if err != nil {
 		t.Fatalf("error generating test keys: %s", err)
 	}
+	nonPKCS8Keys, err := generateNonPKCS8FormatKeys()
+	if err != nil {
+		t.Fatalf("error generating non-PKCS#8 test keys: %s", err)
+	}
 
 	tests := map[string]struct {
 		policy      Policy
 		key         []byte
 		shouldError bool
+		wantErr     string
 	}{
 		"import AES key": {
 			policy: Policy{
@@ -799,17 +797,63 @@ func Test_Import(t *testing.T) {
 			key:         testKeys[KeyType_AES256_GCM96],
 			shouldError: true,
 		},
+		"import incorrect rsa key format": {
+			policy: Policy{
+				Name: "test-non-pkcs8-rsa-key",
+				Type: KeyType_RSA2048,
+			},
+			key:         nonPKCS8Keys[KeyType_RSA2048],
+			shouldError: true,
+			wantErr:     "error parsing asymmetric key: private key must be encoded as PKCS#8; detected key format: RSA PRIVATE KEY (PKCS#1)",
+		},
+		"import incorrect ecdsa key format": {
+			policy: Policy{
+				Name: "test-non-pkcs8-ecdsa-key",
+				Type: KeyType_ECDSA_P256,
+			},
+			key:         nonPKCS8Keys[KeyType_ECDSA_P256],
+			shouldError: true,
+			wantErr:     "error parsing asymmetric key: private key must be encoded as PKCS#8; detected key format: EC PRIVATE KEY (SEC1)",
+		},
 	}
 
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			if err := test.policy.Import(ctx, storage, test.key, rand.Reader); (err != nil) != test.shouldError {
+			err := test.policy.Import(ctx, storage, test.key, rand.Reader)
+			if (err != nil) != test.shouldError {
 				t.Fatalf("error importing key: %s", err)
 			}
+
+			if test.wantErr != "" && (err == nil || !strings.Contains(err.Error(), test.wantErr)) {
+				t.Fatalf("expected error containing: %q, got %q", test.wantErr, err)
+			}
 		})
 	}
 }
 
+func generateNonPKCS8FormatKeys() (map[KeyType][]byte, error) {
+	keyMap := make(map[KeyType][]byte)
+
+	rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	keyMap[KeyType_RSA2048] = x509.MarshalPKCS1PrivateKey(rsaKey)
+
+	ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	sec1DER, err := x509.MarshalECPrivateKey(ecdsaKey)
+	if err != nil {
+		return nil, err
+	}
+	keyMap[KeyType_ECDSA_P256] = sec1DER
+
+	return keyMap, nil
+}
+
 func generateTestKeys() (map[KeyType][]byte, error) {
 	keyMap := make(map[KeyType][]byte)
 
@@ -883,6 +927,7 @@ func BenchmarkSymmetric(b *testing.B) {
 		KeyType: KeyType_AES256_GCM96,
 		Name:    "test",
 	}, rand.Reader)
+	defer p.Unlock()
 	key, _ := p.GetKey(nil, 1, 32)
 	pt := make([]byte, 10)
 	ad := make([]byte, 10)
diff --git a/sdk/helper/ldaputil/config.go b/sdk/helper/ldaputil/config.go
index 0ed2eb3845..fcb0b90500 100644
--- a/sdk/helper/ldaputil/config.go
+++ b/sdk/helper/ldaputil/config.go
@@ -17,13 +17,30 @@ import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-secure-stdlib/tlsutil"
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 )
 
-var ldapDerefAliasMap = map[string]int{
-	"never":     ldap.NeverDerefAliases,
-	"finding":   ldap.DerefFindingBaseObj,
-	"searching": ldap.DerefInSearching,
-	"always":    ldap.DerefAlways,
+var (
+	ldapDerefAliasMap = map[string]int{
+		"never":     ldap.NeverDerefAliases,
+		"finding":   ldap.DerefFindingBaseObj,
+		"searching": ldap.DerefInSearching,
+		"always":    ldap.DerefAlways,
+	}
+
+	cannotDeriveUserBindDNError = errors.New("cannot derive UserBindDN")
+)
+
+const (
+	SchemaAD       = "ad"
+	SchemaOpenLDAP = "openldap"
+)
+
+// SupportedSchemas returns a slice of different LDAP schemas supported
+// by the plugin. This is used to change behavior when modifying
+// user passwords (for example, during root password rotation).
+func SupportedSchemas() []string {
+	return []string{SchemaOpenLDAP, SchemaAD}
 }
 
 // ConfigFields returns all the config fields that can potentially be used by the LDAP client.
@@ -287,6 +304,11 @@ Default: ({{.UserAttr}}={{.Username}})`,
 			Description: "If true, matching sAMAccountName attribute values will be allowed to login when upndomain is defined.",
 			Default:     false,
 		},
+		"schema": {
+			Type:        framework.TypeString,
+			Description: "LDAP schema type: 'ad' for Active Directory, 'openldap' for OpenLDAP. Determines root password rotation behavior.",
+			Default:     SchemaOpenLDAP,
+		},
 	}
 }
 
@@ -468,6 +490,10 @@ func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry
 	if _, ok := d.Raw["enable_samaccountname_login"]; ok || !hadExisting {
 		cfg.EnableSamaccountnameLogin = d.Get("enable_samaccountname_login").(bool)
 	}
+	if _, ok := d.Raw["schema"]; ok || !hadExisting {
+		rawSchema := d.Get("schema").(string)
+		cfg.Schema = NormalizedSchema(rawSchema)
+	}
 
 	return cfg, nil
 }
@@ -498,6 +524,7 @@ type ConfigEntry struct {
 	ConnectionTimeout        int    `json:"connection_timeout"` // deprecated: use RequestTimeout
 	DerefAliases             string `json:"dereference_aliases"`
 	MaximumPageSize          int    `json:"max_page_size"`
+	Schema                   string `json:"schema"`
 
 	// These json tags deviate from snake case because there was a past issue
 	// where the tag was being ignored, causing it to be jsonified as "CaseSensitiveNames", etc.
@@ -541,6 +568,7 @@ func (c *ConfigEntry) PasswordlessMap() map[string]interface{} {
 		"dereference_aliases":         c.DerefAliases,
 		"max_page_size":               c.MaximumPageSize,
 		"enable_samaccountname_login": c.EnableSamaccountnameLogin,
+		"schema":                      NormalizedSchema(c.Schema), // LDAP schema type for password operations
 	}
 	if c.CaseSensitiveNames != nil {
 		m["case_sensitive_names"] = *c.CaseSensitiveNames
@@ -563,14 +591,24 @@ func validateCertificate(pemBlock []byte) error {
 	return nil
 }
 
-func (c *ConfigEntry) Validate() error {
+// Validates self-managed configs without requiring changing the delicate preexisting validation logic.
+func (c *ConfigEntry) ValidateSelfManaged(schemas ...string) error {
+	err := c.Validate(schemas...)
+	if err != nil && errors.Is(err, cannotDeriveUserBindDNError) {
+		// Do not enforce UserBindDN for self-managed LDAP configurations.
+		return nil
+	}
+	return err
+}
+
+func (c *ConfigEntry) Validate(schemas ...string) error {
 	if len(c.Url) == 0 {
 		return errors.New("at least one url must be provided")
 	}
 	// Note: This logic is driven by the logic in GetUserBindDN.
 	// If updating this, please also update the logic there.
 	if !c.DiscoverDN && (c.BindDN == "" || c.BindPassword == "") && c.UPNDomain == "" && c.UserDN == "" {
-		return errors.New("cannot derive UserBindDN")
+		return cannotDeriveUserBindDNError
 	}
 	tlsMinVersion, ok := tlsutil.TLSLookup[c.TLSMinVersion]
 	if !ok {
@@ -593,6 +631,15 @@ func (c *ConfigEntry) Validate() error {
 			return errwrap.Wrapf("failed to parse client X509 key pair: {{err}}", err)
 		}
 	}
+	normalizedSchema := NormalizedSchema(c.Schema)
+	// use the default schema list if none provided
+	supportedSchemas := SupportedSchemas()
+	if len(schemas) > 0 {
+		supportedSchemas = schemas
+	}
+	if !strutil.StrListContains(supportedSchemas, normalizedSchema) {
+		return fmt.Errorf("unsupported schema type %q: must be one of %v", c.Schema, supportedSchemas)
+	}
 	return nil
 }
 
@@ -648,3 +695,11 @@ func min(a, b int) int {
 	}
 	return b
 }
+
+func NormalizedSchema(schema string) string {
+	normalizedSchema := strings.ToLower(strings.TrimSpace(schema))
+	if normalizedSchema == "" {
+		return SchemaOpenLDAP
+	}
+	return normalizedSchema
+}
diff --git a/sdk/helper/ldaputil/config_test.go b/sdk/helper/ldaputil/config_test.go
index 31bd42359e..8dd02a6e40 100644
--- a/sdk/helper/ldaputil/config_test.go
+++ b/sdk/helper/ldaputil/config_test.go
@@ -5,6 +5,7 @@ package ldaputil
 
 import (
 	"encoding/json"
+	"strings"
 	"testing"
 
 	"github.com/go-test/deep"
@@ -68,6 +69,325 @@ func TestConfig(t *testing.T) {
 			t.Errorf("expected false UseTokenGroups from JSON but got %t", configFromJSON.UseTokenGroups)
 		}
 	})
+
+	t.Run("default_schema_type", func(t *testing.T) {
+		if config.Schema != SchemaOpenLDAP {
+			t.Errorf("expected default Schema %s but got %s", SchemaOpenLDAP, config.Schema)
+		}
+	})
+}
+
+func TestNormalizedSchema(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "empty_string_defaults_to_openldap",
+			input:    "",
+			expected: SchemaOpenLDAP,
+		},
+		{
+			name:     "lowercase_ad",
+			input:    "ad",
+			expected: SchemaAD,
+		},
+		{
+			name:     "uppercase_AD",
+			input:    "AD",
+			expected: SchemaAD,
+		},
+		{
+			name:     "mixed_case_Ad",
+			input:    "Ad",
+			expected: SchemaAD,
+		},
+		{
+			name:     "lowercase_openldap",
+			input:    "openldap",
+			expected: SchemaOpenLDAP,
+		},
+		{
+			name:     "uppercase_OPENLDAP",
+			input:    "OPENLDAP",
+			expected: SchemaOpenLDAP,
+		},
+		{
+			name:     "mixed_case_OpenLDAP",
+			input:    "OpenLDAP",
+			expected: SchemaOpenLDAP,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := NormalizedSchema(tt.input)
+			if result != tt.expected {
+				t.Errorf("NormalizedSchema(%q) = %q, want %q", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestSchemaInConfigEntry(t *testing.T) {
+	t.Run("new_config_defaults_to_openldap", func(t *testing.T) {
+		s := &framework.FieldData{Schema: ConfigFields()}
+		config, err := NewConfigEntry(nil, s)
+		if err != nil {
+			t.Fatal("error getting default config")
+		}
+
+		if config.Schema != SchemaOpenLDAP {
+			t.Errorf("expected default Schema %s but got %s", SchemaOpenLDAP, config.Schema)
+		}
+	})
+
+	t.Run("schema_normalized_on_create", func(t *testing.T) {
+		schema := ConfigFields()
+		data := &framework.FieldData{
+			Raw: map[string]interface{}{
+				"schema": "AD",
+			},
+			Schema: schema,
+		}
+
+		config, err := NewConfigEntry(nil, data)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if config.Schema != SchemaAD {
+			t.Errorf("expected normalized Schema 'ad' but got %s", config.Schema)
+		}
+	})
+
+	t.Run("schema_in_passwordless_map", func(t *testing.T) {
+		config := &ConfigEntry{
+			Schema: SchemaAD,
+		}
+
+		m := config.PasswordlessMap()
+		schema, ok := m["schema"]
+		if !ok {
+			t.Error("schema not found in PasswordlessMap")
+		}
+
+		if schema != SchemaAD {
+			t.Errorf("expected schema %s in map but got %v", SchemaAD, schema)
+		}
+	})
+
+	t.Run("schema_update_existing_config", func(t *testing.T) {
+		existingConfig := &ConfigEntry{
+			Url:    "ldap://127.0.0.1",
+			Schema: SchemaOpenLDAP,
+		}
+
+		schema := ConfigFields()
+		data := &framework.FieldData{
+			Raw: map[string]interface{}{
+				"schema": "AD",
+			},
+			Schema: schema,
+		}
+
+		updatedConfig, err := NewConfigEntry(existingConfig, data)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if updatedConfig.Schema != SchemaAD {
+			t.Errorf("expected updated Schema 'ad' but got %s", updatedConfig.Schema)
+		}
+	})
+}
+
+func TestSupportedSchemas(t *testing.T) {
+	schemas := SupportedSchemas()
+
+	expectedSchemas := []string{SchemaOpenLDAP, SchemaAD}
+	if len(schemas) != len(expectedSchemas) {
+		t.Errorf("expected %d schemas but got %d", len(expectedSchemas), len(schemas))
+	}
+
+	for _, expected := range expectedSchemas {
+		found := false
+		for _, schema := range schemas {
+			if schema == expected {
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Errorf("expected schema %q not found in SupportedSchemas()", expected)
+		}
+	}
+}
+
+func TestSchemaValidation(t *testing.T) {
+	t.Run("valid_openldap_schema", func(t *testing.T) {
+		config := &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			UserDN:        "ou=users,dc=example,dc=com",
+			Schema:        SchemaOpenLDAP,
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		if err := config.Validate(); err != nil {
+			t.Errorf("expected no error for valid openldap schema, got: %v", err)
+		}
+	})
+
+	t.Run("valid_ad_schema", func(t *testing.T) {
+		config := &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			UserDN:        "ou=users,dc=example,dc=com",
+			Schema:        SchemaAD,
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		if err := config.Validate(); err != nil {
+			t.Errorf("expected no error for valid ad schema, got: %v", err)
+		}
+	})
+
+	t.Run("empty_schema_passes_validation", func(t *testing.T) {
+		config := &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			UserDN:        "ou=users,dc=example,dc=com",
+			Schema:        "",
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		if err := config.Validate(); err != nil {
+			t.Errorf("expected no error for empty schema (defaults to openldap), got: %v", err)
+		}
+	})
+
+	t.Run("generic_unsupported_schema_fails_validation", func(t *testing.T) {
+		config := &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			UserDN:        "ou=users,dc=example,dc=com",
+			Schema:        "unsupported_schema",
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		err := config.Validate()
+		if err == nil {
+			t.Error("expected error for unsupported schema, got nil")
+		}
+
+		if err != nil && !strings.Contains(err.Error(), "unsupported schema") {
+			t.Errorf("expected error message to contain 'unsupported schema', got: %v", err)
+		}
+	})
+
+	t.Run("freeipa_schema_fails_validation", func(t *testing.T) {
+		config := &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			UserDN:        "ou=users,dc=example,dc=com",
+			Schema:        "freeipa",
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		err := config.Validate()
+		if err == nil {
+			t.Error("expected error for unsupported schema 'freeipa', got nil")
+		}
+
+		if err != nil && !strings.Contains(err.Error(), "freeipa") {
+			t.Errorf("expected error message to include 'freeipa', got: %v", err)
+		}
+	})
+
+	t.Run("typo_in_schema_fails_validation", func(t *testing.T) {
+		// Test common typos like "adc" instead of "ad"
+		config := &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			UserDN:        "ou=users,dc=example,dc=com",
+			Schema:        "adc",
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		err := config.Validate()
+		if err == nil {
+			t.Error("expected error for typo schema 'adc', got nil")
+		}
+
+		// Verify error message is helpful
+		if err != nil && !strings.Contains(err.Error(), "unsupported schema") {
+			t.Errorf("expected error message to contain 'unsupported schema', got: %v", err)
+		}
+		if err != nil && !strings.Contains(err.Error(), "adc") {
+			t.Errorf("expected error message to include the unsupported value 'adc', got: %v", err)
+		}
+	})
+
+	t.Run("normalized_unsupported_schema_fails_validation", func(t *testing.T) {
+		// Test that even after normalization (lowercase), unsupported schemas fail
+		schema := ConfigFields()
+		data := &framework.FieldData{
+			Raw: map[string]interface{}{
+				"url":    "ldap://127.0.0.1",
+				"userdn": "ou=users,dc=example,dc=com",
+				"schema": "UNSUPPORTED_SCHEMAS",
+			},
+			Schema: schema,
+		}
+
+		config, err := NewConfigEntry(nil, data)
+		if err != nil {
+			t.Errorf("expected config entry to be created: %s", err)
+		}
+
+		// should fail schema validation even after normalization
+		err = config.Validate()
+		// Verify the error message is helpful
+		if err != nil {
+			if !strings.Contains(err.Error(), "unsupported schema") {
+				t.Errorf("expected error message to contain %q, got: %v", "unsupported schema", err)
+			}
+		}
+	})
+
+	t.Run("self_managed_schema_validation_does_not_require_userbinddn", func(t *testing.T) {
+		config := &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			Schema:        SchemaOpenLDAP,
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		// The original validation logic should receive an error for failing to derive UserBindDN.
+		if err := config.Validate(); err == nil {
+			t.Error("expected Validate() to return an error when UserBindDN cannot be derived, got nil")
+		}
+
+		// The self-managed validation should discard only the UserBindDN derivation error and pass successfully.
+		if err := config.ValidateSelfManaged(); err != nil {
+			t.Errorf("expected ValidateSelfManaged() to succeed without UserBindDN fields, got: %v", err)
+		}
+
+		config = &ConfigEntry{
+			Url:           "ldap://127.0.0.1",
+			UserDN:        "ou=users,dc=example,dc=com",
+			Schema:        "unsupported_schema",
+			TLSMinVersion: "tls12",
+			TLSMaxVersion: "tls12",
+		}
+
+		// The self-managed validation should still fail on other validation errors like unsupported schema, even if userdn is set.
+		if err := config.ValidateSelfManaged(); err == nil {
+			t.Error("expected ValidateSelfManaged() to return an error for unsupported schema, got nil")
+		}
+	})
 }
 
 func testConfig(t *testing.T) *ConfigEntry {
@@ -84,6 +404,7 @@ func testConfig(t *testing.T) *ConfigEntry {
 		ConnectionTimeout: 15,
 		ClientTLSCert:     "",
 		ClientTLSKey:      "",
+		Schema:            SchemaOpenLDAP,
 	}
 }
 
@@ -144,7 +465,8 @@ var jsonConfig = []byte(`{
 	"request_timeout": 30,
 	"connection_timeout": 15,
 	"ClientTLSCert":  "",
-	"ClientTLSKey":   ""
+	"ClientTLSKey":   "",
+	"schema": "openldap"
 }`)
 
 var jsonConfigDefault = []byte(`
@@ -179,6 +501,7 @@ var jsonConfigDefault = []byte(`
   "CaseSensitiveNames": false,
   "ClientTLSCert": "",
   "ClientTLSKey": "",
-  "enable_samaccountname_login": false
+  "enable_samaccountname_login": false,
+  "schema": "openldap"
 }
 `)
diff --git a/sdk/helper/locksutil/locks.go b/sdk/helper/locksutil/locks.go
index 378cd8f5f0..1897daf96c 100644
--- a/sdk/helper/locksutil/locks.go
+++ b/sdk/helper/locksutil/locks.go
@@ -54,10 +54,19 @@ func LockIndexForKey(key string) uint8 {
 	return uint8(cryptoutil.Blake2b256Hash(key)[0])
 }
 
+// LockForKey returns the striped lock entry for a key.
+// Different logical keys can hash to the same underlying lock, so callers must
+// not assume two keys imply two distinct RWMutexes. If a code path needs to
+// lock more than one key, prefer LocksForKeys to deduplicate aliased stripes and
+// avoid self-deadlocking by re-entering the same lock.
 func LockForKey(locks []*LockEntry, key string) *LockEntry {
 	return locks[LockIndexForKey(key)]
 }
 
+// LocksForKeys returns the unique striped lock entries for a set of keys in a
+// stable slice order. Use this when a code path needs more than one keyed lock:
+// it deduplicates keys that alias to the same stripe and supports consistent
+// acquisition ordering across callers.
 func LocksForKeys(locks []*LockEntry, keys []string) []*LockEntry {
 	lockIndexes := make(map[uint8]struct{}, len(keys))
 	for _, k := range keys {
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
index 71f75f168a..6b9e844be7 100644
--- a/sdk/helper/ocsp/client.go
+++ b/sdk/helper/ocsp/client.go
@@ -924,12 +924,28 @@ func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, s
 
 	sdkOcspStatus := internalStatusCodeToSDK(cacheValue.status)
 
-	return validateOCSP(conf, &ocsp.Response{
+	status, err := validateOCSP(conf, &ocsp.Response{
 		ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(),
 		ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(),
 		NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(),
 		Status:     sdkOcspStatus,
 	})
+	if err != nil {
+		return nil, err
+	}
+
+	// If this cached OCSP response is going to expire in the next 15 seconds treat this as a missed cache.  This
+	// prevents an error where the OCSP response is valid now, but is not valid after OCSP responses from other certs
+	// has returned.  OCSP timeouts are generally 5-15 seconds.
+	if curTime.Add(15 * time.Second).After(time.Unix(int64(cacheValue.nextUpdate), 0).UTC()) {
+		return &ocspStatus{
+			code: ocspCacheExpired,
+			err: fmt.Errorf("ocsp response expires within 15 seconds.  treating as expired to provide grade period. current: %v, nextUpdate time: %v",
+				time.Unix(int64(currentTime), 0).UTC(), time.Unix(int64(cacheValue.nextUpdate), 0).UTC()),
+		}, nil
+	}
+
+	return status, nil
 }
 
 func internalStatusCodeToSDK(internalStatusCode ocspStatusCode) int {
diff --git a/sdk/helper/ocsp/ocsp_test.go b/sdk/helper/ocsp/ocsp_test.go
index fcd868e2d6..50a6ec8fc7 100644
--- a/sdk/helper/ocsp/ocsp_test.go
+++ b/sdk/helper/ocsp/ocsp_test.go
@@ -208,6 +208,13 @@ func TestUnitCheckOCSPResponseCache(t *testing.T) {
 	if err == nil && isValidOCSPStatus(ost.code) {
 		t.Fatalf("should have failed.")
 	}
+
+	// buffer-time check
+	c.ocspResponseCache.Add(dummyKey, &ocspCachedResponse{time: float64(currentTime), nextUpdate: float64(currentTime)})
+	ost, err = c.checkOCSPResponseCache(&dummyKey, subject, issuer, conf)
+	if err == nil && isValidOCSPStatus(ost.code) {
+		t.Fatalf("should have failed.")
+	}
 }
 
 // TestUnitValidOCSPResponse validates various combinations of acceptable OCSP responses
diff --git a/sdk/helper/pluginidentityutil/fields.go b/sdk/helper/pluginidentityutil/fields.go
index 8347806b72..6cd0ee8f95 100644
--- a/sdk/helper/pluginidentityutil/fields.go
+++ b/sdk/helper/pluginidentityutil/fields.go
@@ -75,3 +75,9 @@ func AddPluginIdentityTokenFieldsWithGroup(m map[string]*framework.FieldSchema,
 func AddPluginIdentityTokenFields(m map[string]*framework.FieldSchema) {
 	AddPluginIdentityTokenFieldsWithGroup(m, "default")
 }
+
+// Equals returns true if the plugin identity token parameters match the other instance.
+// Useful for detecting configuration changes after parsing new field data.
+func (p *PluginIdentityTokenParams) Equals(other PluginIdentityTokenParams) bool {
+	return *p == other
+}
diff --git a/sdk/helper/pluginidentityutil/fields_test.go b/sdk/helper/pluginidentityutil/fields_test.go
index f726537ece..a63777d4a6 100644
--- a/sdk/helper/pluginidentityutil/fields_test.go
+++ b/sdk/helper/pluginidentityutil/fields_test.go
@@ -232,3 +232,144 @@ func TestAddPluginIdentityTokenFields(t *testing.T) {
 		})
 	}
 }
+
+func TestPluginIdentityTokenParams_Equals(t *testing.T) {
+	testcases := []struct {
+		name     string
+		p1       PluginIdentityTokenParams
+		p2       PluginIdentityTokenParams
+		expected bool
+	}{
+		{
+			name: "equal-all-fields",
+			p1: PluginIdentityTokenParams{
+				IdentityTokenTTL:      10 * time.Second,
+				IdentityTokenAudience: "test-aud",
+			},
+			p2: PluginIdentityTokenParams{
+				IdentityTokenTTL:      10 * time.Second,
+				IdentityTokenAudience: "test-aud",
+			},
+			expected: true,
+		},
+		{
+			name: "equal-zero-values",
+			p1: PluginIdentityTokenParams{
+				IdentityTokenTTL:      0,
+				IdentityTokenAudience: "",
+			},
+			p2: PluginIdentityTokenParams{
+				IdentityTokenTTL:      0,
+				IdentityTokenAudience: "",
+			},
+			expected: true,
+		},
+		{
+			name: "different-ttl",
+			p1: PluginIdentityTokenParams{
+				IdentityTokenTTL:      10 * time.Second,
+				IdentityTokenAudience: "test-aud",
+			},
+			p2: PluginIdentityTokenParams{
+				IdentityTokenTTL:      20 * time.Second,
+				IdentityTokenAudience: "test-aud",
+			},
+			expected: false,
+		},
+		{
+			name: "different-audience",
+			p1: PluginIdentityTokenParams{
+				IdentityTokenTTL:      10 * time.Second,
+				IdentityTokenAudience: "test-aud",
+			},
+			p2: PluginIdentityTokenParams{
+				IdentityTokenTTL:      10 * time.Second,
+				IdentityTokenAudience: "different-aud",
+			},
+			expected: false,
+		},
+		{
+			name: "different-both",
+			p1: PluginIdentityTokenParams{
+				IdentityTokenTTL:      10 * time.Second,
+				IdentityTokenAudience: "test-aud",
+			},
+			p2: PluginIdentityTokenParams{
+				IdentityTokenTTL:      20 * time.Second,
+				IdentityTokenAudience: "different-aud",
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.p1.Equals(tt.p2)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestPluginIdentityTokenParams_Equals_Embedded(t *testing.T) {
+	// Test with embedded struct
+	type ConfigWithIdentityParams struct {
+		Name string
+		PluginIdentityTokenParams
+	}
+
+	testcases := []struct {
+		name     string
+		c1       ConfigWithIdentityParams
+		c2       ConfigWithIdentityParams
+		expected bool
+	}{
+		{
+			name: "embedded-equal",
+			c1: ConfigWithIdentityParams{
+				Name: "config1",
+				PluginIdentityTokenParams: PluginIdentityTokenParams{
+					IdentityTokenTTL:      10 * time.Second,
+					IdentityTokenAudience: "test-aud",
+				},
+			},
+			c2: ConfigWithIdentityParams{
+				Name: "config2", // Different name, but we only compare PluginIdentityTokenParams
+				PluginIdentityTokenParams: PluginIdentityTokenParams{
+					IdentityTokenTTL:      10 * time.Second,
+					IdentityTokenAudience: "test-aud",
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "embedded-different",
+			c1: ConfigWithIdentityParams{
+				Name: "config1",
+				PluginIdentityTokenParams: PluginIdentityTokenParams{
+					IdentityTokenTTL:      10 * time.Second,
+					IdentityTokenAudience: "test-aud",
+				},
+			},
+			c2: ConfigWithIdentityParams{
+				Name: "config1",
+				PluginIdentityTokenParams: PluginIdentityTokenParams{
+					IdentityTokenTTL:      20 * time.Second,
+					IdentityTokenAudience: "test-aud",
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test comparing the embedded fields directly
+			result := tt.c1.PluginIdentityTokenParams.Equals(tt.c2.PluginIdentityTokenParams)
+			assert.Equal(t, tt.expected, result)
+
+			// Test using method promotion
+			result2 := tt.c1.Equals(tt.c2.PluginIdentityTokenParams)
+			assert.Equal(t, tt.expected, result2)
+		})
+	}
+}
diff --git a/sdk/helper/testcluster/blackbox/assertions.go b/sdk/helper/testcluster/blackbox/assertions.go
index 7d138fe276..cab4eb8e7f 100644
--- a/sdk/helper/testcluster/blackbox/assertions.go
+++ b/sdk/helper/testcluster/blackbox/assertions.go
@@ -74,6 +74,17 @@ func (ma *MapAssertion) HasKey(key string, expected any) *MapAssertion {
 	return ma
 }
 
+func (ma *MapAssertion) GetKey(key string) any {
+	ma.t.Helper()
+
+	val, ok := ma.data[key]
+	if !ok {
+		ma.t.Fatalf("[%s] missing expected key: %q", ma.path, key)
+	}
+
+	return val
+}
+
 func (ma *MapAssertion) HasKeyCustom(key string, f func(val any) bool) *MapAssertion {
 	ma.t.Helper()
 
diff --git a/sdk/helper/testcluster/blackbox/plugin_binary.go b/sdk/helper/testcluster/blackbox/plugin_binary.go
new file mode 100644
index 0000000000..14ab713bf0
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/plugin_binary.go
@@ -0,0 +1,199 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// PluginBinaryInfo contains information about a plugin binary
+type PluginBinaryInfo struct {
+	Name        string
+	Path        string
+	SHA256      string
+	Version     string
+	PluginType  string
+	Environment map[string]string
+}
+
+// BuildPluginBinary builds a plugin binary from source code
+func BuildPluginBinary(t *testing.T, sourcePath, outputPath string) error {
+	t.Helper()
+
+	// Ensure the output directory exists
+	outputDir := filepath.Dir(outputPath)
+	if err := os.MkdirAll(outputDir, 0o755); err != nil {
+		return fmt.Errorf("failed to create output directory %s: %w", outputDir, err)
+	}
+
+	// Build the plugin binary
+	cmd := exec.Command("go", "build", "-o", outputPath, sourcePath)
+	cmd.Env = append(os.Environ(), "CGO_ENABLED=0") // Ensure static binary
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to build plugin binary: %w\nOutput: %s", err, output)
+	}
+
+	t.Logf("Successfully built plugin binary: %s", outputPath)
+	return nil
+}
+
+// DeployPluginBinary deploys a plugin binary to the plugin directory
+func DeployPluginBinary(t *testing.T, binaryPath, pluginDir string) error {
+	t.Helper()
+
+	// Ensure the plugin directory exists
+	if err := os.MkdirAll(pluginDir, 0o755); err != nil {
+		return fmt.Errorf("failed to create plugin directory %s: %w", pluginDir, err)
+	}
+
+	// Copy the binary to the plugin directory
+	binaryName := filepath.Base(binaryPath)
+	targetPath := filepath.Join(pluginDir, binaryName)
+
+	sourceFile, err := os.Open(binaryPath)
+	if err != nil {
+		return fmt.Errorf("failed to open source binary %s: %w", binaryPath, err)
+	}
+	defer sourceFile.Close()
+
+	targetFile, err := os.Create(targetPath)
+	if err != nil {
+		return fmt.Errorf("failed to create target binary %s: %w", targetPath, err)
+	}
+	defer targetFile.Close()
+
+	if _, err := io.Copy(targetFile, sourceFile); err != nil {
+		return fmt.Errorf("failed to copy binary: %w", err)
+	}
+
+	// Make the binary executable
+	if err := os.Chmod(targetPath, 0o755); err != nil {
+		return fmt.Errorf("failed to make binary executable: %w", err)
+	}
+
+	t.Logf("Successfully deployed plugin binary to: %s", targetPath)
+	return nil
+}
+
+// ValidatePluginBinary validates a plugin binary
+func ValidatePluginBinary(t *testing.T, binaryPath string) error {
+	t.Helper()
+
+	// Check if the file exists
+	if _, err := os.Stat(binaryPath); err != nil {
+		return fmt.Errorf("plugin binary not found at %s: %w", binaryPath, err)
+	}
+
+	// Check if the file is executable
+	info, err := os.Stat(binaryPath)
+	if err != nil {
+		return fmt.Errorf("failed to get binary info: %w", err)
+	}
+
+	if info.Mode()&0o111 == 0 {
+		return fmt.Errorf("plugin binary %s is not executable", binaryPath)
+	}
+
+	// Try to run the binary with --help to see if it's a valid plugin
+	cmd := exec.Command(binaryPath, "--help")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Logf("Note: Plugin binary %s may not support --help flag: %v", binaryPath, err)
+	} else {
+		t.Logf("Plugin binary %s validation output: %s", binaryPath, string(output))
+	}
+
+	t.Logf("Plugin binary validation passed for: %s", binaryPath)
+	return nil
+}
+
+// GetPluginBinaryInfo extracts information about a plugin binary
+func GetPluginBinaryInfo(t *testing.T, binaryPath string) (*PluginBinaryInfo, error) {
+	t.Helper()
+
+	// Calculate SHA256
+	f, err := os.Open(binaryPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open binary for SHA256 calculation: %w", err)
+	}
+	defer f.Close()
+
+	hasher := sha256.New()
+	if _, err := io.Copy(hasher, f); err != nil {
+		return nil, fmt.Errorf("failed to calculate SHA256: %w", err)
+	}
+
+	sha256Sum := hex.EncodeToString(hasher.Sum(nil))
+	binaryName := filepath.Base(binaryPath)
+
+	info := &PluginBinaryInfo{
+		Name:        strings.TrimSuffix(binaryName, filepath.Ext(binaryName)),
+		Path:        binaryPath,
+		SHA256:      sha256Sum,
+		PluginType:  "unknown", // Will be determined by usage context
+		Environment: make(map[string]string),
+	}
+
+	return info, nil
+}
+
+// ComparePluginVersions compares two plugin sessions for differences
+func ComparePluginVersions(t *testing.T, v1, v2 *PluginSession) (*PluginDiff, error) {
+	t.Helper()
+
+	diff := &PluginDiff{
+		PluginName: v1.PluginName,
+		V1Info:     v1.GetPluginInfo(),
+		V2Info:     v2.GetPluginInfo(),
+		Changes:    make(map[string]interface{}),
+	}
+
+	// Compare binary paths (for external plugins)
+	if !v1.IsBuiltin && !v2.IsBuiltin {
+		if v1.BinaryPath != v2.BinaryPath {
+			diff.Changes["binary_path"] = map[string]string{
+				"old": v1.BinaryPath,
+				"new": v2.BinaryPath,
+			}
+		}
+	}
+
+	// Compare configuration
+	for key, v1Val := range v1.Config {
+		if v2Val, exists := v2.Config[key]; !exists {
+			diff.Changes["config_removed_"+key] = v1Val
+		} else if v1Val != v2Val {
+			diff.Changes["config_changed_"+key] = map[string]interface{}{
+				"old": v1Val,
+				"new": v2Val,
+			}
+		}
+	}
+
+	for key, v2Val := range v2.Config {
+		if _, exists := v1.Config[key]; !exists {
+			diff.Changes["config_added_"+key] = v2Val
+		}
+	}
+
+	return diff, nil
+}
+
+// PluginDiff represents differences between plugin versions
+type PluginDiff struct {
+	PluginName string
+	V1Info     map[string]interface{}
+	V2Info     map[string]interface{}
+	Changes    map[string]interface{}
+}
diff --git a/sdk/helper/testcluster/blackbox/plugin_config.go b/sdk/helper/testcluster/blackbox/plugin_config.go
new file mode 100644
index 0000000000..ea79acdf94
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/plugin_config.go
@@ -0,0 +1,174 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"fmt"
+	"testing"
+)
+
+// PluginConfig represents a plugin configuration with validation
+type PluginConfig struct {
+	Type        string                     `json:"type"`
+	Name        string                     `json:"name"`
+	Config      map[string]interface{}     `json:"config"`
+	Policies    []string                   `json:"policies,omitempty"`
+	Environment map[string]string          `json:"environment,omitempty"`
+	Required    []string                   `json:"required,omitempty"` // Required config fields
+	Optional    []string                   `json:"optional,omitempty"` // Optional config fields
+	Validators  map[string]ConfigValidator `json:"-"`                  // Field validators
+}
+
+// ConfigValidator validates a configuration field
+type ConfigValidator func(value interface{}) error
+
+// NewPluginConfig creates a new plugin configuration with validation
+func NewPluginConfig(pluginType, pluginName string) *PluginConfig {
+	return &PluginConfig{
+		Type:        pluginType,
+		Name:        pluginName,
+		Config:      make(map[string]interface{}),
+		Environment: make(map[string]string),
+		Validators:  make(map[string]ConfigValidator),
+	}
+}
+
+// SetRequired sets the required configuration fields
+func (pc *PluginConfig) SetRequired(fields ...string) *PluginConfig {
+	pc.Required = fields
+	return pc
+}
+
+// SetOptional sets the optional configuration fields
+func (pc *PluginConfig) SetOptional(fields ...string) *PluginConfig {
+	pc.Optional = fields
+	return pc
+}
+
+// AddValidator adds a validator for a specific field
+func (pc *PluginConfig) AddValidator(field string, validator ConfigValidator) *PluginConfig {
+	pc.Validators[field] = validator
+	return pc
+}
+
+// SetConfig sets a configuration value
+func (pc *PluginConfig) SetConfig(key string, value interface{}) *PluginConfig {
+	pc.Config[key] = value
+	return pc
+}
+
+// SetEnvironment sets an environment variable
+func (pc *PluginConfig) SetEnvironment(key, value string) *PluginConfig {
+	pc.Environment[key] = value
+	return pc
+}
+
+// ValidateConfig validates the plugin configuration
+func (pc *PluginConfig) ValidateConfig() error {
+	// Check required fields
+	for _, field := range pc.Required {
+		if _, exists := pc.Config[field]; !exists {
+			return fmt.Errorf("required configuration field '%s' is missing", field)
+		}
+	}
+
+	// Run field validators
+	for field, validator := range pc.Validators {
+		if value, exists := pc.Config[field]; exists {
+			if err := validator(value); err != nil {
+				return fmt.Errorf("validation failed for field '%s': %w", field, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// ============================================================================
+// Common Configuration Validators
+// ============================================================================
+
+// StringValidator validates that a value is a string
+func StringValidator(value interface{}) error {
+	if _, ok := value.(string); !ok {
+		return fmt.Errorf("expected string, got %T", value)
+	}
+	return nil
+}
+
+// IntValidator validates that a value is an integer
+func IntValidator(value interface{}) error {
+	switch value.(type) {
+	case int, int64, int32:
+		return nil
+	case float64:
+		// JSON numbers are often decoded as float64
+		return nil
+	default:
+		return fmt.Errorf("expected integer, got %T", value)
+	}
+}
+
+// BoolValidator validates that a value is a boolean
+func BoolValidator(value interface{}) error {
+	if _, ok := value.(bool); !ok {
+		return fmt.Errorf("expected boolean, got %T", value)
+	}
+	return nil
+}
+
+// NonEmptyStringValidator validates that a value is a non-empty string
+func NonEmptyStringValidator(value interface{}) error {
+	str, ok := value.(string)
+	if !ok {
+		return fmt.Errorf("expected string, got %T", value)
+	}
+	if str == "" {
+		return fmt.Errorf("string cannot be empty")
+	}
+	return nil
+}
+
+// ============================================================================
+// Configuration Management Functions
+// ============================================================================
+
+// LoadPluginConfig loads a plugin configuration from a file
+func LoadPluginConfig(t *testing.T, configPath string) (*PluginConfig, error) {
+	t.Helper()
+
+	// Framework teams can implement JSON/YAML/etc. loading here
+	return &PluginConfig{
+		Type:        "unknown",
+		Name:        "unknown",
+		Config:      make(map[string]interface{}),
+		Environment: make(map[string]string),
+		Validators:  make(map[string]ConfigValidator),
+	}, nil
+}
+
+// ApplyPluginConfig applies a plugin configuration to a session
+func ApplyPluginConfig(ps *PluginSession, config *PluginConfig) error {
+	// Validate the configuration
+	if err := config.ValidateConfig(); err != nil {
+		return fmt.Errorf("configuration validation failed: %w", err)
+	}
+
+	// Apply configuration
+	for key, value := range config.Config {
+		ps.Config[key] = value
+	}
+
+	// Apply environment variables
+	for key, value := range config.Environment {
+		ps.Environment[key] = value
+	}
+
+	// Apply the configuration to the plugin
+	if len(ps.Config) > 0 {
+		ps.MustConfigure(ps.Config)
+	}
+
+	return nil
+}
diff --git a/sdk/helper/testcluster/blackbox/plugin_registry.go b/sdk/helper/testcluster/blackbox/plugin_registry.go
new file mode 100644
index 0000000000..4b8886971f
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/plugin_registry.go
@@ -0,0 +1,136 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+// BuiltinPluginRegistry manages built-in plugin factories
+type BuiltinPluginRegistry struct {
+	AuthFactories     map[string]logical.Factory
+	SecretsFactories  map[string]logical.Factory
+	DatabaseFactories map[string]logical.Factory
+}
+
+// NewBuiltinPluginRegistry creates a new built-in plugin registry
+func NewBuiltinPluginRegistry() *BuiltinPluginRegistry {
+	return &BuiltinPluginRegistry{
+		AuthFactories:     make(map[string]logical.Factory),
+		SecretsFactories:  make(map[string]logical.Factory),
+		DatabaseFactories: make(map[string]logical.Factory),
+	}
+}
+
+// RegisterAuthPlugin registers a built-in auth plugin factory
+func (r *BuiltinPluginRegistry) RegisterAuthPlugin(name string, factory logical.Factory) {
+	r.AuthFactories[name] = factory
+}
+
+// RegisterSecretsPlugin registers a built-in secrets plugin factory
+func (r *BuiltinPluginRegistry) RegisterSecretsPlugin(name string, factory logical.Factory) {
+	r.SecretsFactories[name] = factory
+}
+
+// RegisterDatabasePlugin registers a built-in database plugin factory
+func (r *BuiltinPluginRegistry) RegisterDatabasePlugin(name string, factory logical.Factory) {
+	r.DatabaseFactories[name] = factory
+}
+
+// GetBuiltinPluginFactory retrieves a built-in plugin factory by type and name
+func (r *BuiltinPluginRegistry) GetBuiltinPluginFactory(pluginType, pluginName string) (logical.Factory, error) {
+	switch pluginType {
+	case "auth":
+		if factory, exists := r.AuthFactories[pluginName]; exists {
+			return factory, nil
+		}
+		return nil, fmt.Errorf("auth plugin %s not found in registry", pluginName)
+	case "secret":
+		if factory, exists := r.SecretsFactories[pluginName]; exists {
+			return factory, nil
+		}
+		return nil, fmt.Errorf("secrets plugin %s not found in registry", pluginName)
+	case "database":
+		if factory, exists := r.DatabaseFactories[pluginName]; exists {
+			return factory, nil
+		}
+		return nil, fmt.Errorf("database plugin %s not found in registry", pluginName)
+	default:
+		return nil, fmt.Errorf("unsupported plugin type: %s", pluginType)
+	}
+}
+
+// ListBuiltinPlugins lists all built-in plugins of a given type
+func (r *BuiltinPluginRegistry) ListBuiltinPlugins(pluginType string) []string {
+	var plugins []string
+
+	switch pluginType {
+	case "auth":
+		for name := range r.AuthFactories {
+			plugins = append(plugins, name)
+		}
+	case "secret":
+		for name := range r.SecretsFactories {
+			plugins = append(plugins, name)
+		}
+	case "database":
+		for name := range r.DatabaseFactories {
+			plugins = append(plugins, name)
+		}
+	}
+
+	return plugins
+}
+
+// GetAllBuiltinPlugins returns all registered built-in plugins
+func (r *BuiltinPluginRegistry) GetAllBuiltinPlugins() map[string][]string {
+	return map[string][]string{
+		"auth":     r.ListBuiltinPlugins("auth"),
+		"secret":   r.ListBuiltinPlugins("secret"),
+		"database": r.ListBuiltinPlugins("database"),
+	}
+}
+
+// DefaultBuiltinPluginRegistry returns a registry with common built-in plugins
+func DefaultBuiltinPluginRegistry() *BuiltinPluginRegistry {
+	registry := NewBuiltinPluginRegistry()
+
+	// Teams can register actual plugin factories here using the provided methods:
+	// registry.RegisterSecretsPlugin("kv", kvFactory)
+	// registry.RegisterSecretsPlugin("transit", transitFactory)
+	// registry.RegisterAuthPlugin("userpass", userpassFactory)
+	// registry.RegisterDatabasePlugin("postgres", postgresFactory)
+
+	return registry
+}
+
+// ============================================================================
+// Global Registry and Convenience Functions
+// ============================================================================
+
+// Global registry instance for convenience
+var DefaultRegistry = DefaultBuiltinPluginRegistry()
+
+// Convenience functions for global registry access
+func GetBuiltinPluginFactory(pluginType, pluginName string) (logical.Factory, error) {
+	return DefaultRegistry.GetBuiltinPluginFactory(pluginType, pluginName)
+}
+
+func ListBuiltinPlugins(pluginType string) []string {
+	return DefaultRegistry.ListBuiltinPlugins(pluginType)
+}
+
+func RegisterBuiltinAuthPlugin(name string, factory logical.Factory) {
+	DefaultRegistry.RegisterAuthPlugin(name, factory)
+}
+
+func RegisterBuiltinSecretsPlugin(name string, factory logical.Factory) {
+	DefaultRegistry.RegisterSecretsPlugin(name, factory)
+}
+
+func RegisterBuiltinDatabasePlugin(name string, factory logical.Factory) {
+	DefaultRegistry.RegisterDatabasePlugin(name, factory)
+}
diff --git a/sdk/helper/testcluster/blackbox/plugin_utils.go b/sdk/helper/testcluster/blackbox/plugin_utils.go
new file mode 100644
index 0000000000..0f8c5a32a6
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/plugin_utils.go
@@ -0,0 +1,143 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+// ExtendedPluginRegistration provides enhanced registration with metadata
+func (s *Session) ExtendedPluginRegistration(pluginName, binaryPath, pluginType string, metadata map[string]interface{}) error {
+	s.t.Helper()
+
+	// First, validate the binary
+	if err := ValidatePluginBinary(s.t, binaryPath); err != nil {
+		return fmt.Errorf("plugin binary validation failed: %w", err)
+	}
+
+	// Get binary info
+	binaryInfo, err := GetPluginBinaryInfo(s.t, binaryPath)
+	if err != nil {
+		return fmt.Errorf("failed to get plugin binary info: %w", err)
+	}
+
+	// Perform standard registration
+	s.MustRegisterPlugin(pluginName, binaryPath, pluginType)
+
+	// Store metadata (this would typically be stored in a database or file)
+	s.t.Logf("Plugin %s registered with SHA256: %s", pluginName, binaryInfo.SHA256)
+	if metadata != nil {
+		s.t.Logf("Plugin %s metadata: %+v", pluginName, metadata)
+	}
+
+	return nil
+}
+
+// BatchPluginRegistration registers multiple plugins at once
+func (s *Session) BatchPluginRegistration(plugins []PluginRegistrationRequest) error {
+	s.t.Helper()
+
+	for _, plugin := range plugins {
+		if err := s.ExtendedPluginRegistration(plugin.Name, plugin.BinaryPath, plugin.Type, plugin.Metadata); err != nil {
+			return fmt.Errorf("failed to register plugin %s: %w", plugin.Name, err)
+		}
+	}
+
+	s.t.Logf("Successfully registered %d plugins", len(plugins))
+	return nil
+}
+
+// PluginRegistrationRequest represents a plugin registration request
+type PluginRegistrationRequest struct {
+	Name       string
+	BinaryPath string
+	Type       string
+	Metadata   map[string]interface{}
+}
+
+// ============================================================================
+// Built-in Plugin Direct Access Utilities
+// ============================================================================
+
+// NewBuiltinPluginSessionFromRegistry creates a plugin session from the registry
+func (s *Session) NewBuiltinPluginSessionFromRegistry(pluginType, pluginName string) (*PluginSession, error) {
+	s.t.Helper()
+
+	factory, err := GetBuiltinPluginFactory(pluginType, pluginName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get built-in plugin factory: %w", err)
+	}
+
+	return s.NewBuiltinPluginSession(pluginType, pluginName, factory), nil
+}
+
+// ============================================================================
+// Setup Helper Functions for Built-in Plugins
+// ============================================================================
+
+// SetupBuiltinAuthPlugin creates and registers a built-in auth plugin
+func SetupBuiltinAuthPlugin(v *Session, pluginName string, factory logical.Factory) *PluginSession {
+	v.t.Helper()
+
+	ps := v.NewBuiltinPluginSession("auth", pluginName, factory)
+	ps.MustRegisterAndEnable()
+
+	return ps
+}
+
+// SetupBuiltinSecretsPlugin creates and registers a built-in secrets plugin
+func SetupBuiltinSecretsPlugin(v *Session, pluginName string, factory logical.Factory) *PluginSession {
+	v.t.Helper()
+
+	ps := v.NewBuiltinPluginSession("secret", pluginName, factory)
+	ps.MustRegisterAndEnable()
+
+	return ps
+}
+
+// SetupBuiltinDatabasePlugin creates and registers a built-in database plugin
+func SetupBuiltinDatabasePlugin(v *Session, pluginName string, factory logical.Factory) *PluginSession {
+	v.t.Helper()
+
+	ps := v.NewBuiltinPluginSession("database", pluginName, factory)
+	ps.MustRegisterAndEnable()
+
+	return ps
+}
+
+// ============================================================================
+// Setup Helper Functions for External Plugins
+// ============================================================================
+
+// SetupExternalAuthPlugin creates and registers an external auth plugin
+func SetupExternalAuthPlugin(v *Session, pluginName, binaryPath string) *PluginSession {
+	v.t.Helper()
+
+	ps := v.NewExternalPluginSession("auth", pluginName, binaryPath)
+	ps.MustRegisterAndEnable()
+
+	return ps
+}
+
+// SetupExternalSecretsPlugin creates and registers an external secrets plugin
+func SetupExternalSecretsPlugin(v *Session, pluginName, binaryPath string) *PluginSession {
+	v.t.Helper()
+
+	ps := v.NewExternalPluginSession("secret", pluginName, binaryPath)
+	ps.MustRegisterAndEnable()
+
+	return ps
+}
+
+// SetupExternalDatabasePlugin creates and registers an external database plugin
+func SetupExternalDatabasePlugin(v *Session, pluginName, binaryPath string) *PluginSession {
+	v.t.Helper()
+
+	ps := v.NewExternalPluginSession("database", pluginName, binaryPath)
+	ps.MustRegisterAndEnable()
+
+	return ps
+}
diff --git a/sdk/helper/testcluster/blackbox/session.go b/sdk/helper/testcluster/blackbox/session.go
index c827ab7631..f6e8829646 100644
--- a/sdk/helper/testcluster/blackbox/session.go
+++ b/sdk/helper/testcluster/blackbox/session.go
@@ -9,7 +9,10 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"slices"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/vault/api"
 	"github.com/stretchr/testify/require"
@@ -18,11 +21,24 @@ import (
 // Session holds the test context and Vault client
 type Session struct {
 	t         *testing.T
+	NoCleanup bool
 	Client    *api.Client
 	Namespace string
 }
 
-func New(t *testing.T) *Session {
+func (s *Session) T() *testing.T {
+	return s.t
+}
+
+type SessionOpts func(s *Session)
+
+func WithNoCleanup() SessionOpts {
+	return func(s *Session) {
+		s.NoCleanup = true
+	}
+}
+
+func New(t *testing.T, opts ...SessionOpts) *Session {
 	t.Helper()
 
 	addr := os.Getenv("VAULT_ADDR")
@@ -37,22 +53,69 @@ func New(t *testing.T) *Session {
 
 	config := api.DefaultConfig()
 	config.Address = addr
+	config.Timeout = 120 * time.Second // Increase timeout for LDAP operations that verify service accounts
 
 	privClient, err := api.NewClient(config)
 	require.NoError(t, err)
 	privClient.SetToken(token)
 
-	nsName := fmt.Sprintf("bbsdk-%s", randomString(8))
+	// Auto-detect protocol: if we get HTTP/HTTPS mismatch, retry with correct protocol
+	if strings.HasPrefix(addr, "http://") {
+		// Try HTTP first, but be ready to switch to HTTPS
+		testResp, testErr := privClient.Sys().Health()
+		if testErr != nil && (strings.Contains(testErr.Error(), "Client sent an HTTP request to an HTTPS server") ||
+			strings.Contains(testErr.Error(), "server gave HTTP response to HTTPS client")) {
+			// Server is using HTTPS, create completely fresh config
+			httpsAddr := strings.Replace(addr, "http://", "https://", 1)
+
+			httpsConfig := api.DefaultConfig()
+			httpsConfig.Address = httpsAddr
+			httpsConfig.Timeout = 120 * time.Second
+
+			// Disable TLS verification for test environments
+			tlsConfig := &api.TLSConfig{
+				Insecure: true,
+			}
+			if err := httpsConfig.ConfigureTLS(tlsConfig); err != nil {
+				require.NoError(t, err, "Failed to configure TLS")
+			}
+
+			privClient, err = api.NewClient(httpsConfig)
+			require.NoError(t, err)
+			privClient.SetToken(token)
+			t.Logf("Auto-detected HTTPS protocol, switched from %s to %s (TLS verification disabled)", addr, httpsAddr)
+		} else if testErr != nil && testResp == nil {
+			// Some other error, fail normally
+			require.NoError(t, testErr, "Failed to connect to Vault at %s", addr)
+		}
+	}
+
+	// Use timestamp to ensure uniqueness across test retries
+	nsName := fmt.Sprintf("bbsdk-%d-%s", time.Now().UnixNano(), randomString(8))
 	nsURLPath := fmt.Sprintf("sys/namespaces/%s", nsName)
 
+	// Try to create the namespace, but if it already exists (from a previous failed run),
+	// delete it first and retry
 	_, err = privClient.Logical().Write(nsURLPath, nil)
-	require.NoError(t, err)
-
-	t.Cleanup(func() {
-		_, err = privClient.Logical().Delete(nsURLPath)
-		require.NoError(t, err)
-		t.Logf("Cleaned up namespace %s", nsName)
-	})
+	if err != nil {
+		// Check if namespace already exists
+		if resp, readErr := privClient.Logical().Read(nsURLPath); readErr == nil && resp != nil {
+			t.Logf("RETRY DETECTED: Namespace %s already exists from previous failed test run, cleaning up and retrying", nsName)
+			_, delErr := privClient.Logical().Delete(nsURLPath)
+			if delErr != nil {
+				t.Fatalf("RETRY CLEANUP FAILED: Could not delete existing namespace %s: %v (original creation error: %v)", nsName, delErr, err)
+			}
+			// Retry creation after deletion
+			_, err = privClient.Logical().Write(nsURLPath, nil)
+			if err != nil {
+				t.Fatalf("RETRY FAILED: Could not create namespace %s after cleanup: %v", nsName, err)
+			}
+			t.Logf("RETRY SUCCESS: Namespace %s created after cleanup", nsName)
+		} else {
+			// This is the initial failure, not a retry
+			require.NoError(t, err, "INITIAL TEST FAILURE: Failed to create namespace %s. If you see this error followed by a retry with a different error, the cluster state was not properly reset.", nsName)
+		}
+	}
 
 	// session client should get the full namespace of parent + test
 	fullNSPath := nsName
@@ -72,6 +135,23 @@ func New(t *testing.T) *Session {
 		Namespace: nsName,
 	}
 
+	for opt := range slices.Values(opts) {
+		opt(session)
+	}
+
+	t.Cleanup(func() {
+		if session.NoCleanup {
+			t.Logf("WARN: NoCleanup has been set, not cleaning up namespace")
+			return
+		}
+		privClient.SetClientTimeout(time.Second)
+		session.Eventually(func() error {
+			_, err = privClient.Logical().Delete(nsURLPath)
+			return err
+		})
+		t.Logf("Cleaned up namespace %s", nsName)
+	})
+
 	// make sure the namespace has been created
 	session.Eventually(func() error {
 		// this runs inside the new namespace, so if it succeeds, we're good
diff --git a/sdk/helper/testcluster/blackbox/session_autopilot.go b/sdk/helper/testcluster/blackbox/session_autopilot.go
new file mode 100644
index 0000000000..16319f345c
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_autopilot.go
@@ -0,0 +1,58 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"errors"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/stretchr/testify/require"
+)
+
+func (s *Session) AssertAutopilotHealthy() {
+	s.t.Helper()
+
+	// query the autopilot state endpoint and verify that all nodes are healthy according to autopilot
+	healthy, err := s.autopilotStateHealthy()
+	require.NoError(s.t, err)
+	require.Truef(s.t, healthy, "expected autopilot state to be healthy")
+}
+
+func (s *Session) autopilotState() (*api.Secret, error) {
+	// query the autopilot state endpoint and verify that all nodes are healthy according to autopilot
+	var state *api.Secret
+	return state, s.Req(
+		func(c *api.Client) error {
+			var err error
+			state, err = c.Logical().Read("sys/storage/raft/autopilot/state")
+			return err
+		},
+		WithClientRootNamespace(),
+		WithClientTimeout(2*time.Second),
+	)
+}
+
+func (s *Session) autopilotStateHealthy() (bool, error) {
+	state, err := s.autopilotState()
+	if err != nil {
+		return false, err
+	}
+
+	if state == nil {
+		return false, errors.New("no raft data response")
+	}
+
+	health, ok := state.Data["healthy"]
+	if !ok {
+		return false, errors.New("raft data missing 'healthy' key")
+	}
+
+	healthy, ok := health.(bool)
+	if !ok {
+		return false, errors.New("raft data 'healthy' key is unknown type")
+	}
+
+	return healthy, nil
+}
diff --git a/sdk/helper/testcluster/blackbox/session_client.go b/sdk/helper/testcluster/blackbox/session_client.go
new file mode 100644
index 0000000000..d2d180be27
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_client.go
@@ -0,0 +1,67 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"os"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+)
+
+type ClientOpt func(*api.Client)
+
+func WithClientRootNamespace() ClientOpt {
+	return func(c *api.Client) {
+		c.ClearNamespace()
+	}
+}
+
+func WithClientParentNamespace() ClientOpt {
+	return func(c *api.Client) {
+		c.SetNamespace(getParentNamespace())
+	}
+}
+
+func WithClientTimeout(d time.Duration) ClientOpt {
+	return func(c *api.Client) {
+		c.SetClientTimeout(d)
+	}
+}
+
+func (s *Session) Req(fn func(*api.Client) error, opts ...ClientOpt) error {
+	s.t.Helper()
+
+	c, err := api.NewClient(s.Client.CloneConfig())
+	if err != nil {
+		return err
+	}
+
+	for _, opt := range opts {
+		opt(c)
+	}
+
+	return fn(c)
+}
+
+// GetParentNamespace returns the namespace from VAULT_NAMESPACE environment variable.
+// The blackbox test framework auto-creates a unique child namespace for each test
+// (e.g., "admin/bbsdk-xxxxx") for isolation. VAULT_NAMESPACE contains the base namespace
+// (e.g., "admin"), which is the parent of the test's namespace.
+// Example: VAULT_NAMESPACE="admin" → test runs in "admin/bbsdk-xxxxx" → returns "admin"
+// Note: This doesn't traverse the namespace hierarchy - it simply returns VAULT_NAMESPACE,
+// which happens to be the parent of the test namespace.
+func (s *Session) GetParentNamespace() string {
+	return getParentNamespace()
+}
+
+func getParentNamespace() string {
+	ns := os.Getenv("VAULT_NAMESPACE")
+	// If VAULT_NAMESPACE is not set, default to root namespace (empty string).
+	// This handles cases where tests run in non-namespaced environments.
+	if ns == "" {
+		return ""
+	}
+	return ns
+}
diff --git a/sdk/helper/testcluster/blackbox/session_cluster.go b/sdk/helper/testcluster/blackbox/session_cluster.go
new file mode 100644
index 0000000000..79b6e803ff
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_cluster.go
@@ -0,0 +1,89 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"fmt"
+	"time"
+)
+
+// AssertClusterHealthy verifies that the cluster is healthy, with fallback for managed environments
+// like HCP where raft APIs may not be accessible. This is the recommended method for general
+// cluster health checks in blackbox tests. Uses backoff helper for reasonable retry logic.
+//
+// Deprecated: Use s.EventuallyClusterHealthy() with an explicit timeout
+// retry times.
+func (s *Session) AssertClusterHealthy() {
+	s.t.Helper()
+
+	s.EventuallyClusterHealthyUnsealed(1 * time.Minute)
+}
+
+// EventuallyClusterHealthyUnsealed verifies that the cluster is healthy and
+// unsealed.
+func (s *Session) EventuallyClusterHealthyUnsealed(timeout time.Duration) {
+	s.t.Helper()
+
+	hasActiveNode := func() error {
+		// First, wait until we have an active HA node
+		_, err := s.haActiveNode()
+		return err
+	}
+
+	autopilotHealthyIfRaft := func() error {
+		// Now, make sure autopilot is healthy if we're using integrated storage
+		// and we have the necessary permissions.
+		if s.GetParentNamespace() != "" {
+			s.t.Log("Skipping autopilot health check because we've been configured with a parent namespace and autopilot needs root namespace access")
+			return nil
+		}
+
+		storage, err := s.getConfigStorageType()
+		if err != nil {
+			return err
+		}
+
+		if storage != "raft" {
+			return nil
+		}
+
+		healthy, err := s.autopilotStateHealthy()
+		if err != nil {
+			return err
+		}
+
+		if !healthy {
+			return fmt.Errorf("raft autopilot state is not healthy")
+		}
+
+		return nil
+	}
+
+	clusterUnsealed := func() error {
+		sealed, err := s.sealed()
+		if err != nil {
+			return err
+		}
+
+		if sealed {
+			return fmt.Errorf("cluster is sealed")
+		}
+
+		return nil
+	}
+
+	// Go through our checks and wait for each.
+	started := time.Now()
+	for _, check := range []func() error{
+		hasActiveNode,
+		autopilotHealthyIfRaft,
+		clusterUnsealed,
+	} {
+		if timeout < 0 {
+			s.t.Fatal("timed out waiting for cluster to be healthy")
+		}
+		s.EventuallyWithTimeout(check, timeout)
+		timeout -= time.Since(started)
+	}
+}
diff --git a/sdk/helper/testcluster/blackbox/session_config.go b/sdk/helper/testcluster/blackbox/session_config.go
new file mode 100644
index 0000000000..177b4a977b
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_config.go
@@ -0,0 +1,89 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/stretchr/testify/require"
+)
+
+func (s *Session) MustSanitizedConfig() *api.Secret {
+	s.t.Helper()
+
+	var config *api.Secret
+	err := s.Req(
+		func(c *api.Client) error {
+			var err error
+			config, err = c.Logical().Read("sys/config/state/sanitized")
+			return err
+		},
+		WithClientRootNamespace(),
+		WithClientTimeout(2*time.Second),
+	)
+
+	require.NoError(s.t, err)
+	require.NotNil(s.t, config)
+
+	return config
+}
+
+func (s *Session) MustGetConfigStorageType() string {
+	s.t.Helper()
+
+	sanitizedConfig := s.MustSanitizedConfig()
+	// Verify we have at least one server configured
+	storageType := s.AssertSecret(sanitizedConfig).
+		Data().
+		GetMap("storage").
+		GetKey("type")
+
+	storage, ok := storageType.(string)
+	if !ok {
+		s.t.Fatalf("cluster storage is unknown: %v", storageType)
+	}
+
+	if storage == "" {
+		s.t.Fatal("cluster storage is empty")
+	}
+
+	s.t.Logf("cluster is using storage type: %s", storage)
+
+	return storage
+}
+
+func (s *Session) getConfigStorageType() (string, error) {
+	s.t.Helper()
+
+	var storageTypeStr string
+	getStorageType := func(c *api.Client) error {
+		secret, err := c.Logical().Read("sys/seal-status")
+		if err != nil {
+			return err
+		}
+
+		if secret == nil || len(secret.Data) < 1 {
+			return fmt.Errorf("seal-status is empty")
+		}
+
+		storage, ok := secret.Data["storage_type"]
+		if !ok {
+			return fmt.Errorf("seal-status does not include storage_type")
+		}
+
+		storageTypeStr, ok = storage.(string)
+		if !ok {
+			return fmt.Errorf("malformed storage type")
+		}
+
+		return nil
+	}
+
+	return storageTypeStr, s.Req(
+		getStorageType,
+		WithClientTimeout(2*time.Second),
+	)
+}
diff --git a/sdk/helper/testcluster/blackbox/session_dynamic.go b/sdk/helper/testcluster/blackbox/session_dynamic.go
index d2af876ab2..75ad43b6c7 100644
--- a/sdk/helper/testcluster/blackbox/session_dynamic.go
+++ b/sdk/helper/testcluster/blackbox/session_dynamic.go
@@ -9,7 +9,7 @@ import (
 	"os"
 
 	"github.com/hashicorp/vault/api"
-	_ "github.com/jackc/pgx/v4/stdlib"
+	_ "github.com/jackc/pgx/v5/stdlib"
 	"github.com/stretchr/testify/require"
 )
 
diff --git a/sdk/helper/testcluster/blackbox/session_ha.go b/sdk/helper/testcluster/blackbox/session_ha.go
new file mode 100644
index 0000000000..906e81ab1e
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_ha.go
@@ -0,0 +1,85 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"errors"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+)
+
+// getClusterNodeCount returns the number of nodes in the cluster
+func (s *Session) getClusterNodeCount() (int, error) {
+	nodes, err := s.haNodes()
+	if err != nil {
+		return 0, err
+	}
+
+	return len(nodes), nil
+}
+
+// haNodes returns a slice of nodes from the ha-status endpoint.
+func (s *Session) haNodes() ([]map[string]any, error) {
+	res := []map[string]any{}
+
+	return res, s.Req(
+		func(c *api.Client) error {
+			status, err := c.Logical().Read("sys/ha-status")
+			if err != nil {
+				return err
+			}
+			if status == nil {
+				return errors.New("no ha-status returned")
+			}
+
+			nodesAny, ok := status.Data["nodes"]
+			if !ok {
+				return errors.New("no HA nodes found in ha-status")
+			}
+
+			nodes, ok := nodesAny.([]any)
+			if !ok {
+				return errors.New("invalid ha-status response body")
+			}
+
+			for _, node := range nodes {
+				nv, ok := node.(map[string]any)
+				if !ok {
+					return errors.New("malformed node in ha-status response body")
+				}
+				res = append(res, nv)
+			}
+
+			return nil
+		},
+		WithClientTimeout(2*time.Second),
+	)
+}
+
+// haActiveNode returns the active node from ha-status.
+func (s *Session) haActiveNode() (map[string]any, error) {
+	nodes, err := s.haNodes()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, node := range nodes {
+		active, ok := node["active_node"]
+		if !ok {
+			continue
+		}
+
+		activeVal, ok := active.(bool)
+		if !ok {
+			continue
+		}
+
+		if activeVal {
+			return node, nil
+		}
+	}
+
+	return nil, errors.New("no active node in ha-status")
+}
diff --git a/sdk/helper/testcluster/blackbox/session_logical.go b/sdk/helper/testcluster/blackbox/session_logical.go
index c3d8601b8e..b847f5bbc5 100644
--- a/sdk/helper/testcluster/blackbox/session_logical.go
+++ b/sdk/helper/testcluster/blackbox/session_logical.go
@@ -10,6 +10,12 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func (s *Session) Read(path string) (*api.Secret, error) {
+	s.t.Helper()
+
+	return s.Client.Logical().Read(path)
+}
+
 func (s *Session) MustWrite(path string, data map[string]any) *api.Secret {
 	s.t.Helper()
 
@@ -26,6 +32,14 @@ func (s *Session) MustRead(path string) *api.Secret {
 	return secret
 }
 
+func (s *Session) MustList(path string) *api.Secret {
+	s.t.Helper()
+
+	secret, err := s.Client.Logical().List(path)
+	require.NoError(s.t, err)
+	return secret
+}
+
 // MustReadRequired is a stricter version of MustRead that fails if a 404/nil is returned
 func (s *Session) MustReadRequired(path string) *api.Secret {
 	s.t.Helper()
@@ -51,3 +65,10 @@ func (s *Session) MustReadKV2(mountPath, secretPath string) *api.Secret {
 	fullPath := path.Join(mountPath, "data", secretPath)
 	return s.MustRead(fullPath)
 }
+
+func (s *Session) MustDelete(path string) {
+	s.t.Helper()
+
+	_, err := s.Client.Logical().Delete(path)
+	require.NoError(s.t, err)
+}
diff --git a/sdk/helper/testcluster/blackbox/session_metrics.go b/sdk/helper/testcluster/blackbox/session_metrics.go
new file mode 100644
index 0000000000..94d689164e
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_metrics.go
@@ -0,0 +1,100 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+)
+
+// MetricsResponse represents the response from sys/metrics endpoint
+type MetricsResponse struct {
+	Data struct {
+		Gauges []struct {
+			Name   string            `json:"Name"`
+			Value  float64           `json:"Value"`
+			Labels map[string]string `json:"Labels"`
+		} `json:"Gauges"`
+		Counters []struct {
+			Name   string            `json:"Name"`
+			Count  int               `json:"Count"`
+			Sum    float64           `json:"Sum"`
+			Labels map[string]string `json:"Labels"`
+		} `json:"Counters"`
+		Samples []struct {
+			Name   string            `json:"Name"`
+			Count  int               `json:"Count"`
+			Sum    float64           `json:"Sum"`
+			Labels map[string]string `json:"Labels"`
+		} `json:"Samples"`
+	} `json:"data"`
+}
+
+// AssertMetricGaugeValue verifies that a specific gauge metric has the expected value
+// This method includes retry logic with configurable timeout
+// Note: retryInterval parameter is ignored as the SDK uses a fixed 200ms interval
+func (s *Session) AssertMetricGaugeValue(gaugeName string, expectedValue float64, timeout time.Duration, retryInterval time.Duration) {
+	s.t.Helper()
+
+	s.EventuallyWithTimeout(func() error {
+		var secret *api.Secret
+		var err error
+
+		// sys/metrics is only available at root namespace, use Req() to avoid race conditions
+		err = s.Req(func(c *api.Client) error {
+			secret, err = c.Logical().Read("sys/metrics")
+			return err
+		}, WithClientRootNamespace())
+		if err != nil {
+			return fmt.Errorf("failed to read sys/metrics: %w", err)
+		}
+
+		if secret == nil || secret.Data == nil {
+			return fmt.Errorf("sys/metrics returned nil data")
+		}
+
+		// Marshal and unmarshal to get proper structure
+		dataBytes, err := json.Marshal(secret.Data)
+		if err != nil {
+			return fmt.Errorf("failed to marshal metrics data: %w", err)
+		}
+
+		var metricsData struct {
+			Gauges []struct {
+				Name   string            `json:"Name"`
+				Value  float64           `json:"Value"`
+				Labels map[string]string `json:"Labels"`
+			} `json:"Gauges"`
+		}
+
+		if err := json.Unmarshal(dataBytes, &metricsData); err != nil {
+			return fmt.Errorf("failed to unmarshal metrics data: %w", err)
+		}
+
+		// Find the gauge by name
+		var found bool
+		var actualValue float64
+		for _, gauge := range metricsData.Gauges {
+			if gauge.Name == gaugeName {
+				found = true
+				actualValue = gauge.Value
+				break
+			}
+		}
+
+		if !found {
+			return fmt.Errorf("gauge metric %q not found in sys/metrics response", gaugeName)
+		}
+
+		if actualValue != expectedValue {
+			return fmt.Errorf("gauge %q has value %.0f, expected %.0f", gaugeName, actualValue, expectedValue)
+		}
+
+		s.t.Logf("Gauge metric %q has expected value: %.0f", gaugeName, expectedValue)
+		return nil
+	}, timeout)
+}
diff --git a/sdk/helper/testcluster/blackbox/session_plugin.go b/sdk/helper/testcluster/blackbox/session_plugin.go
index 35aa2d7cb0..5da6bbf0be 100644
--- a/sdk/helper/testcluster/blackbox/session_plugin.go
+++ b/sdk/helper/testcluster/blackbox/session_plugin.go
@@ -6,11 +6,13 @@ package blackbox
 import (
 	"crypto/sha256"
 	"encoding/hex"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 
 	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/require"
 )
 
@@ -62,3 +64,623 @@ func (s *Session) AssertPluginConfigured(path string) {
 	configPath := filepath.Join(path, "config")
 	s.MustRead(configPath)
 }
+
+// PluginSession extends the base Session with plugin-specific functionality
+// supporting both built-in and external plugins
+type PluginSession struct {
+	*Session
+	PluginType  string                 // "auth", "secret", or "database"
+	PluginName  string                 // Name of the plugin
+	MountPath   string                 // Mount path for the plugin
+	IsBuiltin   bool                   // Distinguishes built-in vs external plugins
+	BinaryPath  string                 // Only for external plugins
+	Factory     logical.Factory        // Only for built-in plugins
+	Environment map[string]string      // Environment variables for external plugins
+	Config      map[string]interface{} // Plugin configuration
+}
+
+// PluginSessionOptions provides configuration for creating a PluginSession
+type PluginSessionOptions struct {
+	PluginType  string
+	PluginName  string
+	MountPath   string
+	Config      map[string]interface{}
+	Environment map[string]string
+}
+
+// NewBuiltinPluginSession creates a new plugin session for built-in plugins
+func (s *Session) NewBuiltinPluginSession(pluginType, pluginName string, factory logical.Factory) *PluginSession {
+	s.t.Helper()
+
+	mountPath := fmt.Sprintf("%s-builtin-%s", pluginName, randomString(6))
+
+	ps := &PluginSession{
+		Session:     s,
+		PluginType:  pluginType,
+		PluginName:  pluginName,
+		MountPath:   mountPath,
+		IsBuiltin:   true,
+		Factory:     factory,
+		Environment: make(map[string]string),
+		Config:      make(map[string]interface{}),
+	}
+
+	s.t.Cleanup(func() {
+		ps.cleanup()
+	})
+
+	return ps
+}
+
+// NewExternalPluginSession creates a new plugin session for external plugins
+func (s *Session) NewExternalPluginSession(pluginType, pluginName, binaryPath string) *PluginSession {
+	s.t.Helper()
+
+	mountPath := fmt.Sprintf("%s-external-%s", pluginName, randomString(6))
+
+	ps := &PluginSession{
+		Session:     s,
+		PluginType:  pluginType,
+		PluginName:  pluginName,
+		MountPath:   mountPath,
+		IsBuiltin:   false,
+		BinaryPath:  binaryPath,
+		Environment: make(map[string]string),
+		Config:      make(map[string]interface{}),
+	}
+
+	s.t.Cleanup(func() {
+		ps.cleanup()
+	})
+
+	return ps
+}
+
+// NewPluginSessionWithOptions creates a plugin session using the provided options
+func (s *Session) NewPluginSessionWithOptions(opts PluginSessionOptions, isBuiltin bool, factoryOrPath interface{}) *PluginSession {
+	s.t.Helper()
+
+	mountPath := opts.MountPath
+	if mountPath == "" {
+		prefix := "builtin"
+		if !isBuiltin {
+			prefix = "external"
+		}
+		mountPath = fmt.Sprintf("%s-%s-%s", opts.PluginName, prefix, randomString(6))
+	}
+
+	ps := &PluginSession{
+		Session:     s,
+		PluginType:  opts.PluginType,
+		PluginName:  opts.PluginName,
+		MountPath:   mountPath,
+		IsBuiltin:   isBuiltin,
+		Environment: opts.Environment,
+		Config:      opts.Config,
+	}
+
+	if ps.Environment == nil {
+		ps.Environment = make(map[string]string)
+	}
+	if ps.Config == nil {
+		ps.Config = make(map[string]interface{})
+	}
+
+	if isBuiltin {
+		if factory, ok := factoryOrPath.(logical.Factory); ok {
+			ps.Factory = factory
+		} else {
+			s.t.Fatalf("Expected logical.Factory for built-in plugin, got %T", factoryOrPath)
+		}
+	} else {
+		if binaryPath, ok := factoryOrPath.(string); ok {
+			ps.BinaryPath = binaryPath
+		} else {
+			s.t.Fatalf("Expected string binary path for external plugin, got %T", factoryOrPath)
+		}
+	}
+
+	s.t.Cleanup(func() {
+		ps.cleanup()
+	})
+
+	return ps
+}
+
+// MustRegisterAndEnable registers and enables the plugin based on its type
+func (ps *PluginSession) MustRegisterAndEnable() {
+	ps.t.Helper()
+
+	if ps.IsBuiltin {
+		ps.mustEnableBuiltinPlugin()
+	} else {
+		ps.mustRegisterAndEnableExternalPlugin()
+	}
+
+	// Apply any initial configuration
+	if len(ps.Config) > 0 {
+		ps.MustConfigure(ps.Config)
+	}
+}
+
+// mustEnableBuiltinPlugin enables a built-in plugin directly
+func (ps *PluginSession) mustEnableBuiltinPlugin() {
+	ps.t.Helper()
+
+	switch ps.PluginType {
+	case "auth":
+		ps.Session.MustEnableAuth(ps.MountPath, &api.EnableAuthOptions{Type: ps.PluginName})
+	case "secret":
+		ps.Session.MustEnableSecretsEngine(ps.MountPath, &api.MountInput{Type: ps.PluginName})
+	case "database":
+		// Database plugins are typically mounted under the database secrets engine
+		ps.Session.MustEnableSecretsEngine(ps.MountPath, &api.MountInput{Type: "database"})
+	default:
+		ps.t.Fatalf("Unsupported plugin type for built-in plugin: %s", ps.PluginType)
+	}
+}
+
+// mustRegisterAndEnableExternalPlugin registers and enables an external plugin
+func (ps *PluginSession) mustRegisterAndEnableExternalPlugin() {
+	ps.t.Helper()
+
+	// Register the external plugin
+	ps.Session.MustRegisterPlugin(ps.PluginName, ps.BinaryPath, ps.PluginType)
+
+	// Enable the plugin
+	ps.Session.MustEnablePlugin(ps.MountPath, ps.PluginName, ps.PluginType)
+}
+
+// MustConfigure applies configuration to the plugin
+func (ps *PluginSession) MustConfigure(config map[string]interface{}) {
+	ps.t.Helper()
+
+	configPath := ps.getConfigPath()
+	ps.Session.MustWrite(configPath, config)
+
+	// Store the configuration for reference
+	for k, v := range config {
+		ps.Config[k] = v
+	}
+}
+
+// MustTestPluginHealth performs basic health checks on the plugin
+func (ps *PluginSession) MustTestPluginHealth() {
+	ps.t.Helper()
+
+	switch ps.PluginType {
+	case "auth":
+		ps.mustTestAuthPluginHealth()
+	case "secret":
+		ps.mustTestSecretsPluginHealth()
+	case "database":
+		ps.mustTestDatabasePluginHealth()
+	default:
+		ps.t.Fatalf("Unsupported plugin type: %s", ps.PluginType)
+	}
+}
+
+// mustTestAuthPluginHealth tests basic auth plugin functionality
+func (ps *PluginSession) mustTestAuthPluginHealth() {
+	ps.t.Helper()
+
+	// Test that we can read the plugin configuration
+	configPath := ps.getConfigPath()
+	_, err := ps.Client.Logical().Read(configPath)
+	if err != nil {
+		ps.t.Logf("Note: Could not read auth plugin config at %s (this may be expected): %v", configPath, err)
+	}
+
+	// Test that the auth method is listed
+	auths, err := ps.Client.Sys().ListAuth()
+	require.NoError(ps.t, err)
+
+	expectedPath := ps.MountPath + "/"
+	if auths[expectedPath] == nil {
+		ps.t.Fatalf("Auth method %s not found in auth list", expectedPath)
+	}
+
+	ps.t.Logf("Auth plugin %s health check passed", ps.PluginName)
+}
+
+// mustTestSecretsPluginHealth tests basic secrets plugin functionality
+func (ps *PluginSession) mustTestSecretsPluginHealth() {
+	ps.t.Helper()
+
+	// Test that we can read the plugin configuration
+	configPath := ps.getConfigPath()
+	_, err := ps.Client.Logical().Read(configPath)
+	if err != nil {
+		ps.t.Logf("Note: Could not read secrets plugin config at %s (this may be expected): %v", configPath, err)
+	}
+
+	// Test that the secrets engine is listed
+	mounts, err := ps.Client.Sys().ListMounts()
+	require.NoError(ps.t, err)
+
+	expectedPath := ps.MountPath + "/"
+	if mounts[expectedPath] == nil {
+		ps.t.Fatalf("Secrets engine %s not found in mounts list", expectedPath)
+	}
+
+	ps.t.Logf("Secrets plugin %s health check passed", ps.PluginName)
+}
+
+// mustTestDatabasePluginHealth tests basic database plugin functionality
+func (ps *PluginSession) mustTestDatabasePluginHealth() {
+	ps.t.Helper()
+
+	// For database plugins, test that the database secrets engine is mounted
+	mounts, err := ps.Client.Sys().ListMounts()
+	require.NoError(ps.t, err)
+
+	expectedPath := ps.MountPath + "/"
+	mount := mounts[expectedPath]
+	if mount == nil {
+		ps.t.Fatalf("Database secrets engine %s not found in mounts list", expectedPath)
+	}
+
+	if mount.Type != "database" {
+		ps.t.Fatalf("Expected mount type 'database', got '%s'", mount.Type)
+	}
+
+	ps.t.Logf("Database plugin %s health check passed", ps.PluginName)
+}
+
+// MustTestPluginReload tests plugin reload functionality
+func (ps *PluginSession) MustTestPluginReload() {
+	ps.t.Helper()
+
+	if ps.IsBuiltin {
+		ps.t.Logf("Skipping reload test for built-in plugin %s (reload not applicable)", ps.PluginName)
+		return
+	}
+
+	// Test plugin reload for external plugins
+	reloadInput := &api.ReloadPluginInput{
+		Plugin: ps.PluginName,
+	}
+
+	reloadID, err := ps.Client.Sys().ReloadPlugin(reloadInput)
+	require.NoError(ps.t, err)
+	require.NotEmpty(ps.t, reloadID)
+
+	ps.t.Logf("Successfully reloaded external plugin %s (reload ID: %s)", ps.PluginName, reloadID)
+}
+
+// MustTestPluginUpgrade tests plugin upgrade functionality (external plugins only)
+func (ps *PluginSession) MustTestPluginUpgrade(newBinaryPath string) {
+	ps.t.Helper()
+
+	if ps.IsBuiltin {
+		ps.t.Skip("Plugin upgrades not applicable for built-in plugins")
+		return
+	}
+
+	// Store original binary path
+	originalBinaryPath := ps.BinaryPath
+
+	// Register the new plugin version
+	newPluginName := ps.PluginName + "-v2"
+	ps.Session.MustRegisterPlugin(newPluginName, newBinaryPath, ps.PluginType)
+
+	// Test that both versions are registered
+	ps.Session.AssertPluginRegistered(ps.PluginName)
+	ps.Session.AssertPluginRegistered(newPluginName)
+
+	// Cleanup: restore original state
+	ps.t.Cleanup(func() {
+		ps.BinaryPath = originalBinaryPath
+	})
+
+	ps.t.Logf("Successfully tested plugin upgrade from %s to %s", ps.PluginName, newPluginName)
+}
+
+// GetMountPath returns the mount path for this plugin session
+func (ps *PluginSession) GetMountPath() string {
+	return ps.MountPath
+}
+
+// GetPluginInfo returns basic information about the plugin
+func (ps *PluginSession) GetPluginInfo() map[string]interface{} {
+	return map[string]interface{}{
+		"plugin_type": ps.PluginType,
+		"plugin_name": ps.PluginName,
+		"mount_path":  ps.MountPath,
+		"is_builtin":  ps.IsBuiltin,
+		"binary_path": ps.BinaryPath,
+		"environment": ps.Environment,
+		"config":      ps.Config,
+	}
+}
+
+// UpdateConfig merges new configuration with existing config
+func (ps *PluginSession) UpdateConfig(newConfig map[string]interface{}) {
+	ps.t.Helper()
+
+	// Merge configurations
+	for k, v := range newConfig {
+		ps.Config[k] = v
+	}
+
+	// Apply the updated configuration
+	ps.MustConfigure(ps.Config)
+}
+
+// getConfigPath returns the configuration path for the plugin
+func (ps *PluginSession) getConfigPath() string {
+	switch ps.PluginType {
+	case "auth":
+		return filepath.Join("auth", ps.MountPath, "config")
+	case "secret":
+		return filepath.Join(ps.MountPath, "config")
+	case "database":
+		return filepath.Join(ps.MountPath, "config", ps.PluginName)
+	default:
+		return filepath.Join(ps.MountPath, "config")
+	}
+}
+
+// cleanup performs cleanup operations for the plugin session
+func (ps *PluginSession) cleanup() {
+	if ps.Session == nil || ps.Session.Client == nil {
+		return
+	}
+
+	ps.t.Logf("Cleaning up plugin session: %s (%s)", ps.PluginName, ps.MountPath)
+
+	// Disable the plugin mount
+	var err error
+	switch ps.PluginType {
+	case "auth":
+		err = ps.Client.Sys().DisableAuth(ps.MountPath)
+	case "secret", "database":
+		err = ps.Client.Sys().Unmount(ps.MountPath)
+	}
+
+	if err != nil {
+		ps.t.Logf("Warning: Failed to cleanup plugin mount %s: %v", ps.MountPath, err)
+	}
+
+	// For external plugins, optionally deregister (commented out to avoid affecting other tests)
+	// if !ps.IsBuiltin {
+	//     _, err := ps.Client.Logical().Delete(filepath.Join("sys/plugins/catalog", ps.PluginType, ps.PluginName))
+	//     if err != nil {
+	//         ps.t.Logf("Warning: Failed to deregister plugin %s: %v", ps.PluginName, err)
+	//     }
+	// }
+}
+
+// ============================================================================
+// Plugin Testing Utilities and Helpers
+// ============================================================================
+
+// TestEndpointExists checks if a plugin endpoint exists and is accessible
+func (ps *PluginSession) TestEndpointExists(path string) bool {
+	ps.t.Helper()
+
+	fullPath := ps.buildPath(path)
+	_, err := ps.Client.Logical().Read(fullPath)
+
+	// We consider the endpoint to exist if we get any response (including errors)
+	// that indicate the endpoint exists but may require different parameters/auth
+	return err == nil || !isNotFoundError(err)
+}
+
+// WriteAndValidate writes data to a plugin endpoint and returns the response
+func (ps *PluginSession) WriteAndValidate(path string, data map[string]interface{}) (*api.Secret, error) {
+	ps.t.Helper()
+
+	fullPath := ps.buildPath(path)
+	return ps.Client.Logical().Write(fullPath, data)
+}
+
+// ReadAndValidate reads from a plugin endpoint and returns the response
+func (ps *PluginSession) ReadAndValidate(path string) (*api.Secret, error) {
+	ps.t.Helper()
+
+	fullPath := ps.buildPath(path)
+	return ps.Client.Logical().Read(fullPath)
+}
+
+// DeleteAndValidate deletes from a plugin endpoint and returns the response
+func (ps *PluginSession) DeleteAndValidate(path string) (*api.Secret, error) {
+	ps.t.Helper()
+
+	fullPath := ps.buildPath(path)
+	return ps.Client.Logical().Delete(fullPath)
+}
+
+// ListAndValidate lists from a plugin endpoint and returns the response
+func (ps *PluginSession) ListAndValidate(path string) (*api.Secret, error) {
+	ps.t.Helper()
+
+	fullPath := ps.buildPath(path)
+	return ps.Client.Logical().List(fullPath)
+}
+
+// ExpectError expects an operation to fail and validates the error
+func (ps *PluginSession) ExpectError(operation func() (*api.Secret, error)) error {
+	ps.t.Helper()
+
+	_, err := operation()
+	if err == nil {
+		return fmt.Errorf("expected operation to fail, but it succeeded")
+	}
+	return nil // Error was expected
+}
+
+// ExpectSuccess expects an operation to succeed and returns the response
+func (ps *PluginSession) ExpectSuccess(operation func() (*api.Secret, error)) *api.Secret {
+	ps.t.Helper()
+
+	resp, err := operation()
+	require.NoError(ps.t, err, "Expected operation to succeed")
+	return resp
+}
+
+// ValidateResponse validates that a response has expected properties
+func (ps *PluginSession) ValidateResponse(resp *api.Secret, validations ...ResponseValidator) {
+	ps.t.Helper()
+
+	for _, validation := range validations {
+		if err := validation(resp); err != nil {
+			ps.t.Fatalf("Response validation failed: %v", err)
+		}
+	}
+}
+
+// ResponseValidator validates aspects of an API response
+type ResponseValidator func(*api.Secret) error
+
+// HasDataField validates that response has a specific data field
+func HasDataField(field string) ResponseValidator {
+	return func(resp *api.Secret) error {
+		if resp == nil || resp.Data == nil {
+			return fmt.Errorf("response or data is nil")
+		}
+		if _, exists := resp.Data[field]; !exists {
+			return fmt.Errorf("response missing expected field: %s", field)
+		}
+		return nil
+	}
+}
+
+// HasDataValue validates that response has a specific data field with expected value
+func HasDataValue(field string, expectedValue interface{}) ResponseValidator {
+	return func(resp *api.Secret) error {
+		if resp == nil || resp.Data == nil {
+			return fmt.Errorf("response or data is nil")
+		}
+		value, exists := resp.Data[field]
+		if !exists {
+			return fmt.Errorf("response missing expected field: %s", field)
+		}
+		if value != expectedValue {
+			return fmt.Errorf("field %s has value %v, expected %v", field, value, expectedValue)
+		}
+		return nil
+	}
+}
+
+// IsNotEmpty validates that response data is not empty
+func IsNotEmpty() ResponseValidator {
+	return func(resp *api.Secret) error {
+		if resp == nil || resp.Data == nil || len(resp.Data) == 0 {
+			return fmt.Errorf("response data is empty")
+		}
+		return nil
+	}
+}
+
+// HasAuth validates that response has authentication information
+func HasAuth() ResponseValidator {
+	return func(resp *api.Secret) error {
+		if resp == nil || resp.Auth == nil {
+			return fmt.Errorf("response has no authentication information")
+		}
+		return nil
+	}
+}
+
+// HasLease validates that response has lease information
+func HasLease() ResponseValidator {
+	return func(resp *api.Secret) error {
+		if resp == nil || resp.LeaseID == "" {
+			return fmt.Errorf("response has no lease information")
+		}
+		return nil
+	}
+}
+
+// TestSequence runs a sequence of operations and validates them
+func (ps *PluginSession) TestSequence(operations ...SequenceOperation) {
+	ps.t.Helper()
+
+	for i, op := range operations {
+		ps.t.Logf("Executing sequence operation %d: %s", i+1, op.Name)
+		if err := op.Execute(ps); err != nil {
+			ps.t.Fatalf("Sequence operation %d (%s) failed: %v", i+1, op.Name, err)
+		}
+	}
+}
+
+// SequenceOperation represents a single operation in a test sequence
+type SequenceOperation struct {
+	Name    string
+	Execute func(*PluginSession) error
+}
+
+// WriteOp creates a write operation for test sequences
+func WriteOp(name, path string, data map[string]interface{}, validators ...ResponseValidator) SequenceOperation {
+	return SequenceOperation{
+		Name: name,
+		Execute: func(ps *PluginSession) error {
+			resp, err := ps.WriteAndValidate(path, data)
+			if err != nil {
+				return err
+			}
+			ps.ValidateResponse(resp, validators...)
+			return nil
+		},
+	}
+}
+
+// ReadOp creates a read operation for test sequences
+func ReadOp(name, path string, validators ...ResponseValidator) SequenceOperation {
+	return SequenceOperation{
+		Name: name,
+		Execute: func(ps *PluginSession) error {
+			resp, err := ps.ReadAndValidate(path)
+			if err != nil {
+				return err
+			}
+			ps.ValidateResponse(resp, validators...)
+			return nil
+		},
+	}
+}
+
+// DeleteOp creates a delete operation for test sequences
+func DeleteOp(name, path string) SequenceOperation {
+	return SequenceOperation{
+		Name: name,
+		Execute: func(ps *PluginSession) error {
+			_, err := ps.DeleteAndValidate(path)
+			return err
+		},
+	}
+}
+
+// buildPath constructs the full path for a plugin endpoint
+func (ps *PluginSession) buildPath(path string) string {
+	if ps.PluginType == "auth" {
+		return filepath.Join("auth", ps.MountPath, path)
+	}
+	return filepath.Join(ps.MountPath, path)
+}
+
+// isNotFoundError checks if an error indicates the endpoint was not found
+func isNotFoundError(err error) bool {
+	if err == nil {
+		return false
+	}
+	// This is a simple check - in practice you might want more sophisticated error detection
+	return fmt.Sprintf("%v", err) == "404 Not Found" ||
+		fmt.Sprintf("%v", err) == "405 Method Not Allowed"
+}
+
+// TestExpectedError tests that a write operation fails as expected
+func (ps *PluginSession) TestExpectedError(path string, data map[string]interface{}) error {
+	ps.t.Helper()
+
+	fullPath := ps.buildPath(path)
+	_, err := ps.Client.Logical().Write(fullPath, data)
+
+	if err == nil {
+		return fmt.Errorf("expected write to %s to fail, but it succeeded", fullPath)
+	}
+
+	// Return nil to indicate the error was expected
+	return nil
+}
diff --git a/sdk/helper/testcluster/blackbox/session_raft.go b/sdk/helper/testcluster/blackbox/session_raft.go
index 32cc416125..d9eb0faf91 100644
--- a/sdk/helper/testcluster/blackbox/session_raft.go
+++ b/sdk/helper/testcluster/blackbox/session_raft.go
@@ -4,6 +4,7 @@
 package blackbox
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/hashicorp/vault/api"
@@ -31,20 +32,78 @@ func (s *Session) AssertRaftStable(numNodes int, allowNonVoters bool) {
 	}
 }
 
-func (s *Session) AssertRaftHealthy() {
+func (s *Session) raftConfig() (*api.Secret, error) {
+	// TODO
+	// query the autopilot state endpoint and verify that all nodes are healthy according to autopilot
+	var state *api.Secret
+	return state, s.Req(
+		func(c *api.Client) error {
+			var err error
+			state, err = c.Logical().Read("sys/storage/raft/autopilot/state")
+			return err
+		},
+		WithClientRootNamespace(),
+		WithClientTimeout(2*time.Second),
+	)
+}
+
+// EventuallyRaftClusterHealthy verifies that the raft cluster eventually becomes
+// healthy regardless of node count.
+func (s *Session) EventuallyRaftClusterHealthy(timeout time.Duration) {
 	s.t.Helper()
 
-	// query the autopilot state endpoint and verify that all nodes are healthy according to autopilot
+	s.EventuallyWithTimeout(
+		func() error {
+			healthy, err := s.autopilotStateHealthy()
+			if err != nil {
+				return err
+			}
+
+			if !healthy {
+				return fmt.Errorf("expected raft state to be healthy: got %t", healthy)
+			}
+
+			return nil
+		}, timeout,
+	)
+
+	// TODO: Perhaps move the server config and voter checks into the retry above.
+
+	// Get raft configuration to ensure we have at least one node
 	secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
-		return s.Client.Logical().Read("sys/storage/raft/autopilot/state")
+		return s.Client.Logical().Read("sys/storage/raft/configuration")
 	})
 
 	require.NoError(s.t, err)
 	require.NotNil(s.t, secret)
 
-	_ = s.AssertSecret(secret).
+	// Verify we have at least one server configured
+	servers := s.AssertSecret(secret).
 		Data().
-		HasKey("healthy", true)
+		GetMap("config").
+		GetSlice("servers")
+
+	// Ensure we have at least 1 server
+	if len(servers.data) < 1 {
+		s.t.Fatal("Expected at least 1 raft server, got 0")
+	}
+
+	// Verify that we have at least one voter in the cluster
+	hasVoter := false
+	for _, server := range servers.data {
+		if serverMap, ok := server.(map[string]any); ok {
+			if voter, exists := serverMap["voter"]; exists {
+				if voterBool, ok := voter.(bool); ok && voterBool {
+					hasVoter = true
+					break
+				}
+			}
+		}
+	}
+
+	if !hasVoter {
+		s.t.Fatal("Expected at least one voter in the raft cluster")
+	}
 }
 
 // AssertRaftClusterHealthy verifies that the raft cluster is healthy regardless of node count
@@ -54,7 +113,7 @@ func (s *Session) AssertRaftClusterHealthy() {
 	s.t.Helper()
 
 	// First verify autopilot reports the cluster as healthy
-	s.AssertRaftHealthy()
+	s.AssertAutopilotHealthy()
 
 	// Get raft configuration to ensure we have at least one node
 	secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
@@ -96,8 +155,10 @@ func (s *Session) AssertRaftClusterHealthy() {
 func (s *Session) MustRaftRemovePeer(nodeID string) {
 	s.t.Helper()
 
-	_, err := s.Client.Logical().Write("sys/storage/raft/remove-peer", map[string]any{
-		"server_id": nodeID,
+	_, err := s.WithRootNamespace(func() (*api.Secret, error) {
+		return s.Client.Logical().Write("sys/storage/raft/remove-peer", map[string]any{
+			"server_id": nodeID,
+		})
 	})
 	require.NoError(s.t, err)
 }
@@ -148,252 +209,55 @@ func (s *Session) MustStepDownLeader() {
 	require.NoError(s.t, err)
 }
 
-// GetClusterNodeCount returns the number of nodes in the raft cluster
-func (s *Session) GetClusterNodeCount() int {
+// MustGetClusterNodeCount returns the number of nodes in the cluster
+func (s *Session) MustGetClusterNodeCount() int {
 	s.t.Helper()
 
+	count, err := s.getClusterNodeCount()
+	require.NoError(s.t, err)
+
+	return count
+}
+
+// MustGetNonLeaderNode returns a non-leader node ID from the raft cluster
+func (s *Session) MustGetNonLeaderNode() string {
+	s.t.Helper()
+
+	// Get current leader
+	leader := s.MustGetCurrentLeader()
+
+	// Get raft configuration
 	secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
 		return s.Client.Logical().Read("sys/storage/raft/configuration")
 	})
-	if err != nil {
-		s.t.Logf("Failed to read raft configuration: %v", err)
-		return 0
-	}
-
-	if secret == nil {
-		s.t.Log("Raft configuration response was nil")
-		return 0
-	}
+	require.NoError(s.t, err)
+	require.NotNil(s.t, secret)
 
 	configData, ok := secret.Data["config"].(map[string]any)
-	if !ok {
-		s.t.Log("Could not parse raft config data")
-		return 0
-	}
+	require.True(s.t, ok, "Could not parse raft config data")
 
 	serversData, ok := configData["servers"].([]any)
-	if !ok {
-		s.t.Log("Could not parse raft servers data")
-		return 0
-	}
+	require.True(s.t, ok, "Could not parse raft servers data")
 
-	return len(serversData)
-}
-
-// WaitForNewLeader waits for a new leader to be elected that is different from initialLeader
-// and for the cluster to become healthy. For single-node clusters, it just waits for the
-// cluster to become healthy again after stepdown.
-func (s *Session) WaitForNewLeader(initialLeader string, timeoutSeconds int) {
-	s.t.Helper()
-
-	// Check cluster size to handle single-node case
-	nodeCount := s.GetClusterNodeCount()
-	if nodeCount <= 1 {
-		s.t.Logf("Single-node cluster detected, waiting for cluster to recover after stepdown...")
-
-		// For single-node clusters, just wait for the same leader to come back and be healthy
-		timeout := time.After(time.Duration(timeoutSeconds) * time.Second)
-		ticker := time.NewTicker(1 * time.Second)
-		defer ticker.Stop()
-
-		for {
-			select {
-			case <-timeout:
-				s.t.Fatalf("Timeout waiting for single-node cluster to recover after %d seconds", timeoutSeconds)
-			case <-ticker.C:
-				// Check if cluster is healthy again
-				secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
-					return s.Client.Logical().Read("sys/storage/raft/autopilot/state")
-				})
-				if err != nil {
-					s.t.Logf("Error reading autopilot state: %v, retrying...", err)
-					continue
-				}
-
-				if secret == nil {
-					s.t.Logf("No autopilot state returned, retrying...")
-					continue
-				}
-
-				healthy, ok := secret.Data["healthy"].(bool)
-				if !ok {
-					s.t.Logf("Autopilot healthy status not found, retrying...")
-					continue
-				}
-
-				if healthy {
-					s.t.Log("Single-node cluster has recovered and is healthy")
-					return
-				} else {
-					s.t.Logf("Single-node cluster not yet healthy, waiting...")
-				}
-			}
-		}
-	}
-
-	// Multi-node cluster logic - wait for actual leader change
-	timeout := time.After(time.Duration(timeoutSeconds) * time.Second)
-	ticker := time.NewTicker(1 * time.Second)
-	defer ticker.Stop()
-
-	newLeaderFound := false
-	var currentLeader string
-
-	for {
-		select {
-		case <-timeout:
-			if newLeaderFound {
-				s.t.Fatalf("Timeout waiting for cluster to become healthy after %d seconds (new leader: %s)", timeoutSeconds, currentLeader)
-			} else {
-				s.t.Fatalf("Timeout waiting for new leader election after %d seconds", timeoutSeconds)
-			}
-		case <-ticker.C:
-			// First, check if a new leader has been elected
-			if !newLeaderFound {
-				secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
-					return s.Client.Logical().Read("sys/leader")
-				})
-				if err != nil {
-					s.t.Logf("Error reading leader status: %v, retrying...", err)
-					continue
-				}
-
-				if secret == nil {
-					s.t.Logf("No leader data returned, retrying...")
-					continue
-				}
-
-				leaderAddress, ok := secret.Data["leader_address"].(string)
-				if !ok || leaderAddress == "" {
-					s.t.Logf("No leader address found, retrying...")
-					continue
-				}
-
-				if leaderAddress != initialLeader {
-					s.t.Logf("New leader elected: %s (was: %s)", leaderAddress, initialLeader)
-					currentLeader = leaderAddress
-					newLeaderFound = true
-				} else {
-					s.t.Logf("Still waiting for new leader, current: %s", leaderAddress)
-					continue
-				}
-			}
-
-			// Once we have a new leader, wait for cluster to be healthy
-			if newLeaderFound {
-				secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
-					return s.Client.Logical().Read("sys/storage/raft/autopilot/state")
-				})
-				if err != nil {
-					s.t.Logf("Error reading autopilot state: %v, retrying...", err)
-					continue
-				}
-
-				if secret == nil {
-					s.t.Logf("No autopilot state returned, retrying...")
-					continue
-				}
-
-				healthy, ok := secret.Data["healthy"].(bool)
-				if !ok {
-					s.t.Logf("Autopilot healthy status not found, retrying...")
-					continue
-				}
-
-				if healthy {
-					s.t.Logf("Cluster is now healthy with new leader: %s", currentLeader)
-					return
-				} else {
-					s.t.Logf("Cluster not yet healthy, waiting...")
-				}
-			}
-		}
-	}
-}
-
-// AssertClusterHealthy verifies that the cluster is healthy, with fallback for managed environments
-// like HCP where raft APIs may not be accessible. This is the recommended method for general
-// cluster health checks in blackbox tests. It includes retry logic for Docker environments
-// where the cluster may not be immediately ready.
-func (s *Session) AssertClusterHealthy() {
-	s.t.Helper()
-
-	// For Docker environments, wait for the cluster to be ready with retry logic
-	maxRetries := 30
-	retryDelay := 2 * time.Second
-
-	for attempt := 1; attempt <= maxRetries; attempt++ {
-		// Try raft-based health check first (works for self-managed clusters)
-		secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
-			return s.Client.Logical().Read("sys/storage/raft/autopilot/state")
-		})
-
-		if err == nil && secret != nil {
-			// Check if autopilot reports healthy
-			if healthy, ok := secret.Data["healthy"].(bool); ok && healthy {
-				// Raft API is available and healthy, use full raft health check
-				s.AssertRaftClusterHealthy()
-				return
-			} else if ok && !healthy {
-				// Raft API available but not healthy yet, retry if we have attempts left
-				if attempt < maxRetries {
-					s.t.Logf("Cluster not yet healthy (attempt %d/%d), waiting %v...", attempt, maxRetries, retryDelay)
-					time.Sleep(retryDelay)
-					continue
-				} else {
-					s.t.Fatalf("Cluster failed to become healthy after %d attempts", maxRetries)
-				}
-			}
-		}
-
-		// Raft API not accessible or no healthy status - check basic connectivity
-		sealStatus, err := s.WithRootNamespace(func() (*api.Secret, error) {
-			return s.Client.Logical().Read("sys/seal-status")
-		})
-		if err != nil {
-			if attempt < maxRetries {
-				s.t.Logf("Failed to read seal status (attempt %d/%d): %v, retrying in %v...", attempt, maxRetries, err, retryDelay)
-				time.Sleep(retryDelay)
-				continue
-			}
-			require.NoError(s.t, err, "Failed to read seal status - cluster may be unreachable")
-		}
-
-		if sealStatus == nil {
-			if attempt < maxRetries {
-				s.t.Logf("Seal status response was nil (attempt %d/%d), retrying in %v...", attempt, maxRetries, retryDelay)
-				time.Sleep(retryDelay)
-				continue
-			}
-			require.NotNil(s.t, sealStatus, "Seal status response was nil")
-		}
-
-		// Verify cluster is unsealed
-		sealed, ok := sealStatus.Data["sealed"].(bool)
+	// Find a non-leader node
+	for _, server := range serversData {
+		serverMap, ok := server.(map[string]any)
 		if !ok {
-			if attempt < maxRetries {
-				s.t.Logf("Could not determine seal status (attempt %d/%d), retrying in %v...", attempt, maxRetries, retryDelay)
-				time.Sleep(retryDelay)
-				continue
-			}
-			require.True(s.t, ok, "Could not determine seal status")
+			continue
 		}
 
-		if sealed {
-			if attempt < maxRetries {
-				s.t.Logf("Cluster is sealed (attempt %d/%d), retrying in %v...", attempt, maxRetries, retryDelay)
-				time.Sleep(retryDelay)
-				continue
-			}
-			require.False(s.t, sealed, "Cluster is sealed")
+		nodeID, ok := serverMap["node_id"].(string)
+		if !ok {
+			continue
 		}
 
-		// If we get here, cluster is unsealed and responsive
-		if secret != nil {
-			s.t.Log("Cluster health verified (self-managed environment)")
-		} else {
-			s.t.Log("Cluster health verified (managed environment - raft APIs not accessible)")
+		// Check if this is not the leader
+		address, ok := serverMap["address"].(string)
+		if ok && address != leader {
+			return nodeID
 		}
-		return
 	}
+
+	s.t.Fatal("Could not find a non-leader node in the cluster")
+	return ""
 }
diff --git a/sdk/helper/testcluster/blackbox/session_replication.go b/sdk/helper/testcluster/blackbox/session_replication.go
new file mode 100644
index 0000000000..f7ec38d3e2
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_replication.go
@@ -0,0 +1,63 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/stretchr/testify/require"
+)
+
+// GetDRReplicationMode gets the DR replication mode of the node
+func (s *Session) GetDRReplicationMode() (string, error) {
+	secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
+		return s.Client.Logical().Read("sys/replication/dr/status")
+	})
+	if err != nil {
+		return "", err
+	}
+
+	if secret == nil {
+		return "", fmt.Errorf("empty status response")
+	}
+
+	mode, ok := secret.Data["mode"]
+	if !ok {
+		return "", fmt.Errorf("no mode field in status response")
+	}
+
+	return mode.(string), nil
+}
+
+func (s *Session) AssertReplicationDisabled() {
+	s.assertReplicationStatus("ce", "disabled")
+}
+
+func (s *Session) AssertDRReplicationStatus(expectedMode string) {
+	s.assertReplicationStatus("dr", expectedMode)
+}
+
+func (s *Session) AssertPerformanceReplicationStatus(expectedMode string) {
+	s.assertReplicationStatus("performance", expectedMode)
+}
+
+func (s *Session) assertReplicationStatus(which, expectedMode string) {
+	s.t.Helper()
+
+	secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
+		return s.Client.Logical().Read("sys/replication/status")
+	})
+
+	require.NoError(s.t, err)
+	require.NotNil(s.t, secret)
+
+	data := s.AssertSecret(secret).Data()
+
+	if which == "ce" {
+		data.HasKey("mode", "disabled")
+	} else {
+		data.GetMap(which).HasKey("mode", expectedMode)
+	}
+}
diff --git a/sdk/helper/testcluster/blackbox/session_seal.go b/sdk/helper/testcluster/blackbox/session_seal.go
new file mode 100644
index 0000000000..be609b1146
--- /dev/null
+++ b/sdk/helper/testcluster/blackbox/session_seal.go
@@ -0,0 +1,27 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package blackbox
+
+import (
+	"errors"
+)
+
+func (s *Session) sealed() (bool, error) {
+	sealStatus, err := s.Client.Logical().Read("sys/seal-status")
+	if err != nil {
+		return true, err
+	}
+
+	if sealStatus == nil {
+		return true, errors.New("seal status response was nil")
+	}
+
+	// Verify cluster is unsealed
+	sealed, ok := sealStatus.Data["sealed"].(bool)
+	if !ok {
+		return true, errors.New("could not determine seal status")
+	}
+
+	return sealed, nil
+}
diff --git a/sdk/helper/testcluster/blackbox/session_status.go b/sdk/helper/testcluster/blackbox/session_status.go
index e158866653..4117205cf7 100644
--- a/sdk/helper/testcluster/blackbox/session_status.go
+++ b/sdk/helper/testcluster/blackbox/session_status.go
@@ -8,7 +8,6 @@ import (
 	"os/exec"
 	"strings"
 
-	"github.com/hashicorp/vault/api"
 	"github.com/stretchr/testify/require"
 )
 
@@ -42,6 +41,87 @@ func (s *Session) AssertUnsealedAny() {
 	s.t.Logf("Vault is unsealed (seal type: %s)", status.Type)
 }
 
+// AssertVersion verifies the Vault version via sys/version-history API
+func (s *Session) AssertVersion(version string) {
+	s.t.Helper()
+
+	// strip off any version metadata
+	b, _, _ := strings.Cut(version, "+")
+	expectedVersion, _, _ := strings.Cut(b, "-")
+
+	secret, err := s.Client.Logical().List("sys/version-history")
+	require.NoError(s.t, err)
+
+	keysRaw, ok := secret.Data["keys"].([]any)
+	if !ok {
+		s.t.Fatal("sys/version-history missing 'keys'")
+	}
+
+	found := false
+	for _, k := range keysRaw {
+		if kStr, ok := k.(string); ok && kStr == expectedVersion {
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		s.t.Fatalf("expected to find %s in version history but didn't", expectedVersion)
+	}
+}
+
+// AssertBuildDate verifies the Vault build date via sys/version-history API
+func (s *Session) AssertBuildDate(version, buildDate string) {
+	s.t.Helper()
+
+	// strip off any version metadata
+	b, _, _ := strings.Cut(version, "+")
+	expectedVersion, _, _ := strings.Cut(b, "-")
+
+	secret, err := s.Client.Logical().List("sys/version-history")
+	require.NoError(s.t, err)
+
+	keyInfoRaw, ok := secret.Data["key_info"].(map[string]any)
+	if !ok {
+		s.t.Fatal("sys/version-history missing 'key_info'")
+	}
+
+	versionInfo, ok := keyInfoRaw[expectedVersion].(map[string]any)
+	if !ok {
+		s.t.Fatalf("version %s not found in key_info", expectedVersion)
+	}
+
+	actualBuildDate, ok := versionInfo["build_date"].(string)
+	if !ok {
+		s.t.Fatal("build_date not found in version info")
+	}
+
+	if actualBuildDate != buildDate {
+		s.t.Fatalf("build date mismatch: expected %s, got %s", buildDate, actualBuildDate)
+	}
+}
+
+// AssertRevision verifies the Vault revision/SHA from CLI output
+func (s *Session) AssertRevision(revision string) {
+	s.t.Helper()
+
+	// make sure the binary exists first
+	_, err := exec.LookPath("vault")
+	require.NoError(s.t, err)
+
+	cmd := exec.Command("vault", "version")
+	out, err := cmd.CombinedOutput()
+	require.NoError(s.t, err)
+
+	output := string(out)
+
+	if !strings.Contains(output, fmt.Sprintf("'%s'", revision)) {
+		s.t.Fatalf("CLI revision mismatch. expected %s in output: %s", revision, output)
+	}
+}
+
+// AssertCLIVersion verifies the complete Vault CLI version output
+// Deprecated: Use AssertVersion, AssertBuildDate, and AssertRevision separately for more granular testing
 func (s *Session) AssertCLIVersion(version, sha, buildDate, edition string) {
 	s.t.Helper()
 
@@ -70,61 +150,10 @@ func (s *Session) AssertCLIVersion(version, sha, buildDate, edition string) {
 	}
 }
 
-func (s *Session) AssertServerVersion(version string) {
+// AssertServerVersion verifies the Vault server version and build date via sys/version-history API
+// Deprecated: Use AssertVersion and AssertBuildDate separately for more granular testing
+func (s *Session) AssertServerVersion(version, buildDate string) {
 	s.t.Helper()
-
-	// strip off any version metadata
-	b, _, _ := strings.Cut(version, "+")
-	expectedVersion, _, _ := strings.Cut(b, "-")
-
-	secret, err := s.Client.Logical().List("sys/version-history")
-	require.NoError(s.t, err)
-
-	keysRaw, ok := secret.Data["keys"].([]any)
-	if !ok {
-		s.t.Fatal("sys/version-history missing 'keys'")
-	}
-
-	found := false
-	for _, k := range keysRaw {
-		if kStr, ok := k.(string); ok && kStr == expectedVersion {
-			found = true
-			break
-		}
-	}
-
-	if !found {
-		s.t.Fatalf("expected to find %s in version history but didn't", expectedVersion)
-	}
-}
-
-func (s *Session) AssertReplicationDisabled() {
-	s.assertReplicationStatus("ce", "disabled")
-}
-
-func (s *Session) AssertDRReplicationStatus(expectedMode string) {
-	s.assertReplicationStatus("dr", expectedMode)
-}
-
-func (s *Session) AssertPerformanceReplicationStatus(expectedMode string) {
-	s.assertReplicationStatus("performance", expectedMode)
-}
-
-func (s *Session) assertReplicationStatus(which, expectedMode string) {
-	s.t.Helper()
-
-	secret, err := s.WithRootNamespace(func() (*api.Secret, error) {
-		return s.Client.Logical().Read("sys/replication/status")
-	})
-
-	require.NoError(s.t, err)
-	require.NotNil(s.t, secret)
-
-	data := s.AssertSecret(secret).Data()
-
-	if which == "ce" {
-		data.HasKey("mode", "disabled")
-	} else {
-		data.GetMap(which).HasKey("mode", expectedMode)
-	}
+	s.AssertVersion(version)
+	s.AssertBuildDate(version, buildDate)
 }
diff --git a/sdk/helper/testcluster/blackbox/session_util.go b/sdk/helper/testcluster/blackbox/session_util.go
index c079a52b3e..0fe65ddc0b 100644
--- a/sdk/helper/testcluster/blackbox/session_util.go
+++ b/sdk/helper/testcluster/blackbox/session_util.go
@@ -11,9 +11,15 @@ import (
 
 // Eventually retries the function 'fn' until it returns nil or timeout occurs.
 func (s *Session) Eventually(fn func() error) {
+	s.EventuallyWithTimeout(fn, 5*time.Second)
+}
+
+// EventuallyWithTimeout retries the function 'fn' until it returns nil or timeout occurs.
+// Use this for operations that may take longer than the default 5 seconds.
+func (s *Session) EventuallyWithTimeout(fn func() error, timeout time.Duration) {
 	s.t.Helper()
 
-	timeout := time.After(5 * time.Second)
+	timeoutChan := time.After(timeout)
 	ticker := time.NewTicker(200 * time.Millisecond)
 	defer ticker.Stop()
 
@@ -21,8 +27,8 @@ func (s *Session) Eventually(fn func() error) {
 
 	for {
 		select {
-		case <-timeout:
-			s.t.Fatalf("Eventually failed after 5s. Last error: %v", lastErr)
+		case <-timeoutChan:
+			s.t.Fatalf("Eventually failed after %v. Last error: %v", timeout, lastErr)
 		case <-ticker.C:
 			lastErr = fn()
 			if lastErr == nil {
@@ -41,3 +47,18 @@ func (s *Session) WithRootNamespace(fn func() (*api.Secret, error)) (*api.Secret
 
 	return fn()
 }
+
+// WithParentNamespace temporarily switches to the parent namespace (e.g., "admin" in HVD)
+// and executes the provided function, then restores the original namespace.
+func (s *Session) WithParentNamespace(fn func() (*api.Secret, error)) (*api.Secret, error) {
+	s.t.Helper()
+
+	oldNamespace := s.Client.Namespace()
+	defer s.Client.SetNamespace(oldNamespace)
+
+	// Get the parent namespace from environment (e.g., "admin" in HVD)
+	parentNS := s.GetParentNamespace()
+	s.Client.SetNamespace(parentNS)
+
+	return fn()
+}
diff --git a/sdk/helper/testcluster/docker/environment.go b/sdk/helper/testcluster/docker/environment.go
index 0c85c0a617..3d95109d3e 100644
--- a/sdk/helper/testcluster/docker/environment.go
+++ b/sdk/helper/testcluster/docker/environment.go
@@ -19,7 +19,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"maps"
 	"math/big"
 	mathrand "math/rand"
@@ -33,9 +32,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/volume"
-	docker "github.com/docker/docker/client"
 	"github.com/hashicorp/go-cleanhttp"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
@@ -45,6 +41,8 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/helper/testcluster"
 	"github.com/hashicorp/vault/sdk/helper/tlsutil"
+	"github.com/moby/moby/api/types/container"
+	docker "github.com/moby/moby/client"
 	"github.com/stretchr/testify/require"
 	uberAtomic "go.uber.org/atomic"
 	"golang.org/x/net/http2"
@@ -82,6 +80,7 @@ type DockerCluster struct {
 	storage      testcluster.ClusterStorage
 	disableMlock bool
 	disableTLS   bool
+	cleanupOnce  sync.Once
 }
 
 func (dc *DockerCluster) NamedLogger(s string) log.Logger {
@@ -119,6 +118,9 @@ func (dc *DockerCluster) GetRecoveryKeys() [][]byte {
 }
 
 func (dc *DockerCluster) GetBarrierOrRecoveryKeys() [][]byte {
+	if r := dc.GetRecoveryKeys(); len(r) > 0 {
+		return r
+	}
 	return dc.GetBarrierKeys()
 }
 
@@ -144,7 +146,9 @@ func (dc *DockerCluster) GetCACertPEMFile() string {
 }
 
 func (dc *DockerCluster) Cleanup() {
-	dc.cleanup()
+	dc.cleanupOnce.Do(func() {
+		dc.cleanup()
+	})
 }
 
 func (dc *DockerCluster) cleanup() error {
@@ -172,16 +176,23 @@ func (n *DockerClusterNode) Name() string {
 	return n.Cluster.ClusterName + "-" + n.NodeID
 }
 
-func (dc *DockerCluster) setupNode0(ctx context.Context) error {
+func (dc *DockerCluster) setupNode0(ctx context.Context, hasSealConfig bool) error {
 	client := dc.ClusterNodes[0].client
 
 	var resp *api.InitResponse
 	var err error
+	req := &api.InitRequest{
+		SecretShares:    3,
+		SecretThreshold: 3,
+	}
+	if hasSealConfig {
+		req = &api.InitRequest{
+			RecoveryShares:    3,
+			RecoveryThreshold: 3,
+		}
+	}
 	for ctx.Err() == nil {
-		resp, err = client.Sys().Init(&api.InitRequest{
-			SecretShares:    3,
-			SecretThreshold: 3,
-		})
+		resp, err = client.Sys().Init(req)
 		if err == nil && resp != nil {
 			break
 		}
@@ -214,7 +225,9 @@ func (dc *DockerCluster) setupNode0(ctx context.Context) error {
 	client.SetToken(dc.rootToken)
 	dc.ClusterNodes[0].client = client
 
-	err = testcluster.UnsealNode(ctx, dc, 0)
+	if !hasSealConfig {
+		err = testcluster.UnsealNode(ctx, dc, 0)
+	}
 	if err != nil {
 		return err
 	}
@@ -226,6 +239,9 @@ func (dc *DockerCluster) setupNode0(ctx context.Context) error {
 
 		return nil
 	})
+	if err != nil {
+		return err
+	}
 
 	status, err := client.Sys().SealStatusWithContext(ctx)
 	if err != nil {
@@ -407,12 +423,16 @@ func (n *DockerClusterNode) setupCert(ip string) error {
 }
 
 func NewTestDockerCluster(t *testing.T, opts *DockerClusterOptions) *DockerCluster {
+	t.Helper()
+
 	dc, err := NewTestDockerClusterWithErr(t, opts)
 	require.NoError(t, err)
 	return dc
 }
 
 func NewTestDockerClusterWithErr(t *testing.T, opts *DockerClusterOptions) (*DockerCluster, error) {
+	t.Helper()
+
 	if opts == nil {
 		opts = &DockerClusterOptions{DisableMlock: true}
 	}
@@ -420,7 +440,7 @@ func NewTestDockerClusterWithErr(t *testing.T, opts *DockerClusterOptions) (*Doc
 		opts.ClusterName = strings.ReplaceAll(t.Name(), "/", "-")
 	}
 	if opts.Logger == nil {
-		opts.Logger = logging.NewVaultLogger(log.Trace).Named(t.Name())
+		opts.Logger = logging.NewVaultLogger(log.Trace).Named(opts.ClusterName)
 	}
 	if opts.NetworkName == "" {
 		opts.NetworkName = os.Getenv("TEST_DOCKER_NETWORK_NAME")
@@ -432,6 +452,8 @@ func NewTestDockerClusterWithErr(t *testing.T, opts *DockerClusterOptions) (*Doc
 	dc, err := NewDockerCluster(ctx, opts)
 	if err == nil {
 		dc.Logger.Trace("cluster started", "helpful_env", fmt.Sprintf("VAULT_TOKEN=%s VAULT_CACERT=/vault/config/ca.pem", dc.GetRootToken()))
+		// Register cleanup with t.Cleanup so it's automatically called when the test ends
+		t.Cleanup(dc.Cleanup)
 	}
 	return dc, err
 }
@@ -461,6 +483,9 @@ func NewDockerCluster(ctx context.Context, opts *DockerClusterOptions) (*DockerC
 		storage:      opts.Storage,
 		disableMlock: opts.DisableMlock,
 		disableTLS:   opts.DisableTLS,
+		barrierKeys:  opts.BarrierKeys,
+		recoveryKeys: opts.RecoveryKeys,
+		rootToken:    opts.RootToken,
 	}
 
 	if err := dc.setupDockerCluster(ctx, opts); err != nil {
@@ -486,7 +511,7 @@ type DockerClusterNode struct {
 	tlsConfig            *tls.Config
 	WorkDir              string
 	Cluster              *DockerCluster
-	Container            *types.ContainerJSON
+	Container            *container.InspectResponse
 	DockerAPI            *docker.Client
 	runner               *dockhelper.Runner
 	Logger               log.Logger
@@ -616,7 +641,9 @@ func (n *DockerClusterNode) Cleanup() {
 
 // Stop kills the container of the node
 func (n *DockerClusterNode) Stop() {
+	n.Logger.Trace("stopping node")
 	n.cleanupContainer()
+	n.Logger.Trace("node stopped")
 }
 
 func (n *DockerClusterNode) cleanup() error {
@@ -649,17 +676,7 @@ func (n *DockerClusterNode) createTLSDisabledListenerConfig() map[string]interfa
 	}}
 }
 
-func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOptions) error {
-	if n.DataVolumeName == "" {
-		vol, err := n.DockerAPI.VolumeCreate(ctx, volume.CreateOptions{})
-		if err != nil {
-			return err
-		}
-		n.DataVolumeName = vol.Name
-		n.cleanupVolume = func() {
-			_ = n.DockerAPI.VolumeRemove(ctx, vol.Name, false)
-		}
-	}
+func (n *DockerClusterNode) writeConfig(opts *DockerClusterOptions) ([]string, error) {
 	vaultCfg := map[string]interface{}{}
 	var listenerConfig []map[string]interface{}
 
@@ -692,7 +709,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 				for _, suite := range config.TLSCipherSuites {
 					name, err := tlsutil.GetCipherName(suite)
 					if err != nil {
-						return fmt.Errorf("bad TLSCipherSuite %d on listener %d: %w", suite, i, err)
+						return nil, fmt.Errorf("bad TLSCipherSuite %d on listener %d: %w", suite, i, err)
 					}
 					suites = append(suites, name)
 				}
@@ -701,7 +718,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 			listenerConfig = append(listenerConfig, cfg)
 			portStr := fmt.Sprintf("%d/tcp", config.Port)
 			if strutil.StrListContains(ports, portStr) {
-				return fmt.Errorf("duplicate port %d specified", config.Port)
+				return nil, fmt.Errorf("duplicate port %d specified", config.Port)
 			}
 			ports = append(ports, portStr)
 		}
@@ -729,12 +746,45 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 		storageOpts = opts.Storage.Opts()
 	}
 
-	if opts != nil && opts.VaultNodeConfig != nil {
+	if opts.VaultNodeConfig != nil {
 		for k, v := range opts.VaultNodeConfig.StorageOptions {
 			if _, ok := storageOpts[k].(string); !ok {
 				storageOpts[k] = v
 			}
 		}
+		if len(opts.VaultNodeConfig.Seal) > 0 {
+			var seals []map[string]any
+			for _, seal := range opts.VaultNodeConfig.Seal {
+				seals = append(seals, map[string]any{
+					seal.Type: seal.Config,
+				})
+			}
+			vaultCfg["seal"] = seals
+		}
+		if len(opts.VaultNodeConfig.KMSLibrary) > 0 {
+			libs := []map[string][]map[string]any{}
+			for _, kmsl := range opts.VaultNodeConfig.KMSLibrary {
+				libs = append(libs, map[string][]map[string]any{
+					kmsl.Type: {
+						{
+							"name":    kmsl.Name,
+							"library": kmsl.Library,
+						},
+					},
+				})
+			}
+			vaultCfg["kms_library"] = libs
+		}
+		if opts.VaultNodeConfig.Entropy != nil {
+			vaultCfg["entropy"] = []map[string]map[string]any{
+				{
+					"seal": map[string]any{
+						"seal_name": opts.VaultNodeConfig.Entropy.SealName,
+						"mode":      "augmentation",
+					},
+				},
+			}
+		}
 	}
 	vaultCfg["storage"] = map[string]interface{}{
 		storageType: storageOpts,
@@ -753,43 +803,66 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 
 	vaultCfg["administrative_namespace_path"] = opts.AdministrativeNamespacePath
 
-	systemJSON, err := json.Marshal(vaultCfg)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(filepath.Join(n.WorkDir, "system.json"), systemJSON, 0o644)
-	if err != nil {
-		return err
-	}
-
 	if opts.VaultNodeConfig != nil {
 		localCfg := *opts.VaultNodeConfig
 		if opts.VaultNodeConfig.LicensePath != "" {
 			b, err := os.ReadFile(opts.VaultNodeConfig.LicensePath)
 			if err != nil || len(b) == 0 {
-				return fmt.Errorf("unable to read LicensePath at %q: %w", opts.VaultNodeConfig.LicensePath, err)
+				return nil, fmt.Errorf("unable to read LicensePath at %q: %w", opts.VaultNodeConfig.LicensePath, err)
 			}
 			localCfg.LicensePath = "/vault/config/license"
 			dest := filepath.Join(n.WorkDir, "license")
 			err = os.WriteFile(dest, b, 0o644)
 			if err != nil {
-				return fmt.Errorf("error writing license to %q: %w", dest, err)
+				return nil, fmt.Errorf("error writing license to %q: %w", dest, err)
 			}
+		}
+		localJSON, err := json.Marshal(localCfg)
+		if err != nil {
+			return nil, err
+		}
+		var conf map[string]interface{}
+		if err := json.Unmarshal(localJSON, &conf); err != nil {
+			return nil, err
+		}
+		for k, v := range conf {
+			vaultCfg[k] = v
+		}
+	}
 
-		}
-		userJSON, err := json.Marshal(localCfg)
+	configJSON, err := json.Marshal(vaultCfg)
+	if err != nil {
+		return nil, err
+	}
+	err = os.WriteFile(filepath.Join(n.WorkDir, "config.json"), configJSON, 0o644)
+	if err != nil {
+		return nil, err
+	}
+	n.Logger.Trace("node config", "config.json", string(configJSON))
+	return ports, nil
+}
+
+func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOptions) error {
+	if n.DataVolumeName == "" {
+		vol, err := n.DockerAPI.VolumeCreate(ctx, docker.VolumeCreateOptions{})
 		if err != nil {
 			return err
 		}
-		err = os.WriteFile(filepath.Join(n.WorkDir, "user.json"), userJSON, 0o644)
-		if err != nil {
-			return err
+		n.DataVolumeName = vol.Volume.Name
+		n.Logger.Trace("created volume", "name", n.DataVolumeName)
+		n.cleanupVolume = func() {
+			n.Logger.Trace("cleanup volume", "name", n.DataVolumeName)
+			_, _ = n.DockerAPI.VolumeRemove(ctx, vol.Volume.Name, docker.VolumeRemoveOptions{})
 		}
 	}
+	ports, err := n.writeConfig(opts)
+	if err != nil {
+		return err
+	}
 
 	if !opts.DisableTLS {
 		// Create a temporary cert so vault will start up
-		err = n.setupCert("127.0.0.1")
+		err := n.setupCert("127.0.0.1")
 		if err != nil {
 			return err
 		}
@@ -807,7 +880,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 	wg.Add(1)
 	var seenLogs uberAtomic.Bool
 	logConsumer := func(s string) {
-		if seenLogs.CAS(false, true) {
+		if seenLogs.CompareAndSwap(false, true) {
 			wg.Done()
 		}
 		n.Logger.Trace(s)
@@ -818,7 +891,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 	lastTS := ""
 	logStdout := &LogConsumerWriter{logConsumer}
 	logStderr := &LogConsumerWriter{func(s string) {
-		if seenLogs.CAS(false, true) {
+		if seenLogs.CompareAndSwap(false, true) {
 			wg.Done()
 		}
 		d := json.NewDecoder(strings.NewReader(s))
@@ -845,17 +918,13 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 
 	if opts.DisableTLS {
 		postStartFunc = func(containerID string, realIP string) error {
-			// If we signal Vault before it installs its sighup handler, it'll die.
-			wg.Wait()
-			n.Logger.Trace("running poststart", "containerID", containerID, "IP", realIP)
-			return n.runner.RefreshFiles(ctx, containerID)
+			return nil
 		}
 	}
 
 	envs := []string{
 		// For now we're using disable_mlock, because this is for testing
 		// anyway, and because it prevents us using external plugins.
-		"SKIP_SETCAP=true",
 		"VAULT_LOG_FORMAT=json",
 		"VAULT_LICENSE=" + opts.VaultLicense,
 		"VAULT_DISABLE_MLOCK=" + strconv.FormatBool(opts.DisableMlock),
@@ -880,7 +949,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 		PreDelete:         true,
 		DoNotAutoRemove:   true,
 		PostStart:         postStartFunc,
-		Capabilities:      []string{"NET_ADMIN"},
+		Capabilities:      []string{"NET_ADMIN", "IPC_LOCK", "SETFCAP"},
 		OmitLogTimestamps: true,
 		VolumeNameToMountPoint: map[string]string{
 			n.DataVolumeName: "/vault/file",
@@ -898,6 +967,11 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 			return err
 		}
 	}
+
+	protocol := "https"
+	if opts.DisableTLS {
+		protocol = "http"
+	}
 	svc, _, err := r.StartNewService(ctx, false, false, func(ctx context.Context, host string, port int) (dockhelper.ServiceConfig, error) {
 		config, err := n.apiConfig()
 		if err != nil {
@@ -924,7 +998,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 	netName := opts.NetworkName
 	if netName == "" {
 		if len(svc.Container.NetworkSettings.Networks) > 1 {
-			return fmt.Errorf("Set d.RunOptions.NetworkName instead for container with multiple networks: %v", svc.Container.NetworkSettings.Networks)
+			return fmt.Errorf("set d.RunOptions.NetworkName instead for container with multiple networks: %v", svc.Container.NetworkSettings.Networks)
 		}
 		for netName = range svc.Container.NetworkSettings.Networks {
 			// Networks above is a map; we just need to find the first and
@@ -933,7 +1007,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 		}
 	}
 	n.ContainerNetworkName = netName
-	n.ContainerIPAddress = svc.Container.NetworkSettings.Networks[netName].IPAddress
+	n.ContainerIPAddress = svc.Container.NetworkSettings.Networks[netName].IPAddress.String()
 	n.RealAPIAddr = protocol + "://" + n.ContainerIPAddress + ":8200"
 	n.cleanupContainer = svc.Cleanup
 
@@ -967,7 +1041,8 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 }
 
 func (n *DockerClusterNode) Pause(ctx context.Context) error {
-	return n.DockerAPI.ContainerPause(ctx, n.Container.ID)
+	_, err := n.DockerAPI.ContainerPause(ctx, n.Container.ID, docker.ContainerPauseOptions{})
+	return err
 }
 
 func (n *DockerClusterNode) Restart(ctx context.Context) error {
@@ -977,20 +1052,23 @@ func (n *DockerClusterNode) Restart(ctx context.Context) error {
 		return err
 	}
 
-	resp, err := n.DockerAPI.ContainerInspect(ctx, n.Container.ID)
+	resp, err := n.DockerAPI.ContainerInspect(ctx, n.Container.ID, docker.ContainerInspectOptions{})
 	if err != nil {
 		return fmt.Errorf("error inspecting container after restart: %s", err)
 	}
 
 	var port int
-	if len(resp.NetworkSettings.Ports) > 0 {
-		for key, binding := range resp.NetworkSettings.Ports {
+	if len(resp.Container.NetworkSettings.Ports) > 0 {
+		for key, binding := range resp.Container.NetworkSettings.Ports {
 			if len(binding) < 1 {
 				continue
 			}
 
-			if key == "8200/tcp" {
+			if key.String() == "8200/tcp" {
 				port, err = strconv.Atoi(binding[0].HostPort)
+				if err != nil {
+					return err
+				}
 			}
 		}
 	}
@@ -1016,6 +1094,27 @@ func (n *DockerClusterNode) Restart(ctx context.Context) error {
 	return nil
 }
 
+func (n *DockerClusterNode) Signal(ctx context.Context, signal string) error {
+	_, err := n.DockerAPI.ContainerKill(ctx, n.Container.ID, docker.ContainerKillOptions{
+		Signal: signal,
+	})
+	return err
+}
+
+func (n *DockerClusterNode) UpdateConfig(ctx context.Context, opts *DockerClusterOptions) error {
+	_, err := n.writeConfig(opts)
+	if err != nil {
+		return err
+	}
+
+	// Copy the updated config to the container
+	if err := dockhelper.CopyToContainer(ctx, n.DockerAPI, n.Container.ID, n.WorkDir, "/vault/config"); err != nil {
+		return fmt.Errorf("failed to copy config to container: %w", err)
+	}
+
+	return nil
+}
+
 func (n *DockerClusterNode) AddNetworkDelay(ctx context.Context, delay time.Duration, targetIP string) error {
 	ip := net.ParseIP(targetIP)
 	if ip == nil {
@@ -1041,7 +1140,7 @@ func (n *DockerClusterNode) AddNetworkDelay(ctx context.Context, delay time.Dura
 			// Its handle must be unique, so we base it on targetIP
 			fmt.Sprintf("tc filter add dev eth0 parent 1:0 protocol ip pref 55 handle ::%x u32 match ip dst %s flowid 2:1", lastOctet, targetIP),
 		}, "; "),
-	})
+	}, dockhelper.RunCmdUser("root"))
 	if err != nil {
 		return err
 	}
@@ -1064,7 +1163,7 @@ func (n *DockerClusterNode) PartitionFromCluster(ctx context.Context) error {
 	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
 		"/bin/sh",
 		"-xec", strings.Join([]string{
-			fmt.Sprintf("echo partitioning container from network"),
+			"echo partitioning container from network",
 			"apk add iproute2",
 			"apk add iptables",
 			// Get the gateway address for the bridge so we can allow host to
@@ -1080,7 +1179,7 @@ func (n *DockerClusterNode) PartitionFromCluster(ctx context.Context) error {
 			"iptables -I INPUT -i eth0 ! -s \"$GW\" -j DROP",
 			"iptables -I OUTPUT -o eth0 ! -d \"$GW\" -j DROP",
 		}, "; "),
-	})
+	}, dockhelper.RunCmdUser("root"))
 	if err != nil {
 		return err
 	}
@@ -1099,7 +1198,7 @@ func (n *DockerClusterNode) UnpartitionFromCluster(ctx context.Context) error {
 	stdout, stderr, exitCode, err := n.runner.RunCmdWithOutput(ctx, n.Container.ID, []string{
 		"/bin/sh",
 		"-xec", strings.Join([]string{
-			fmt.Sprintf("echo un-partitioning container from network"),
+			"echo un-partitioning container from network",
 			// Get the gateway address for the bridge so we can allow host to
 			// container traffic still.
 			"GW=$(ip r | grep default | grep eth0 | cut -f 3 -d' ')",
@@ -1108,7 +1207,7 @@ func (n *DockerClusterNode) UnpartitionFromCluster(ctx context.Context) error {
 			"iptables -D INPUT -i eth0 ! -s \"$GW\" -j DROP | true",
 			"iptables -D OUTPUT -o eth0 ! -d \"$GW\" -j DROP | true",
 		}, "; "),
-	})
+	}, dockhelper.RunCmdUser("root"))
 	if err != nil {
 		return err
 	}
@@ -1186,7 +1285,7 @@ func (dc *DockerCluster) setupDockerCluster(ctx context.Context, opts *DockerClu
 		}
 		dc.tmpDir = opts.TmpDir
 	} else {
-		tempDir, err := ioutil.TempDir("", "vault-test-cluster-")
+		tempDir, err := os.MkdirTemp("", "vault-test-cluster-")
 		if err != nil {
 			return err
 		}
@@ -1227,17 +1326,34 @@ func (dc *DockerCluster) setupDockerCluster(ctx context.Context, opts *DockerClu
 		if opts.SkipInit {
 			continue
 		}
+		hasSealConfig := opts.VaultNodeConfig != nil && len(opts.VaultNodeConfig.Seal) > 0
 		if i == 0 {
-			if err := dc.setupNode0(ctx); err != nil {
+			if err := dc.setupNode0(ctx, hasSealConfig); err != nil {
 				return err
 			}
 		} else {
-			if err := dc.joinNode(ctx, i, 0); err != nil {
+			if err := dc.joinNode(ctx, i, 0, hasSealConfig); err != nil {
 				return err
 			}
 		}
 	}
 
+	if opts.SkipInit && !opts.SkipUnsealWaitActiveNode {
+		if len(opts.VaultNodeConfig.Seal) == 0 {
+			if err := testcluster.UnsealAllNodes(ctx, dc); err != nil {
+				return err
+			}
+		}
+		if _, err := testcluster.WaitForActiveNode(ctx, dc); err != nil {
+			return err
+		}
+		status, err := dc.ClusterNodes[0].APIClient().Sys().SealStatusWithContext(ctx)
+		if err != nil {
+			return err
+		}
+		dc.ID = status.ClusterID
+	}
+
 	return nil
 }
 
@@ -1250,7 +1366,7 @@ func (dc *DockerCluster) AddNode(ctx context.Context, opts *DockerClusterOptions
 		return err
 	}
 
-	return dc.joinNode(ctx, len(dc.ClusterNodes)-1, leaderIdx)
+	return dc.joinNode(ctx, len(dc.ClusterNodes)-1, leaderIdx, len(opts.VaultNodeConfig.Seal) > 0)
 }
 
 const MaxContainerNameLen = 63
@@ -1340,7 +1456,7 @@ func copyDirContents(to string, from string) error {
 	return nil
 }
 
-func (dc *DockerCluster) joinNode(ctx context.Context, nodeIdx int, leaderIdx int) error {
+func (dc *DockerCluster) joinNode(ctx context.Context, nodeIdx int, leaderIdx int, autoseal bool) error {
 	if dc.storage != nil && dc.storage.Type() != "raft" {
 		// Storage is not raft so nothing to do but unseal.
 		return testcluster.UnsealNode(ctx, dc, nodeIdx)
@@ -1371,6 +1487,9 @@ func (dc *DockerCluster) joinNode(ctx context.Context, nodeIdx int, leaderIdx in
 		return fmt.Errorf("failed to join cluster: %w", err)
 	}
 
+	if autoseal {
+		return nil
+	}
 	return testcluster.UnsealNode(ctx, dc, nodeIdx)
 }
 
diff --git a/sdk/helper/testcluster/types.go b/sdk/helper/testcluster/types.go
index d61a55d2e0..23a5ed3f85 100644
--- a/sdk/helper/testcluster/types.go
+++ b/sdk/helper/testcluster/types.go
@@ -45,11 +45,7 @@ type VaultNodeConfig struct {
 	// 	 DisableMlock bool  `hcl:"disable_mlock"`
 
 	// Not configurable yet:
-	//   Listeners []*Listener `hcl:"-"`
-	//   Seals   []*KMS   `hcl:"-"`
-	//   Entropy *Entropy `hcl:"-"`
 	//   Telemetry *Telemetry `hcl:"telemetry"`
-	//   HCPLinkConf *HCPLinkConfig `hcl:"cloud"`
 	//   PidFile string `hcl:"pid_file"`
 	//   ServiceRegistrationType        string
 	//   ServiceRegistrationOptions    map[string]string
@@ -58,6 +54,9 @@ type VaultNodeConfig struct {
 	AdditionalListeners      []VaultNodeListenerConfig `json:"-"`
 	CustomListenerConfigOpts map[string]interface{}    `json:"-"`
 	AdditionalTCPPorts       []int                     `json:"-"`
+	Seal                     []VaultNodeSealConfig     `json:"-"`
+	KMSLibrary               []VaultNodeKMSLibrary     `json:"-"`
+	Entropy                  *VaultNodeEntropy         `json:"-"`
 
 	DefaultMaxRequestDuration      time.Duration `json:"default_max_request_duration"`
 	LogFormat                      string        `json:"log_format"`
@@ -83,6 +82,8 @@ type VaultNodeConfig struct {
 	EnableResponseHeaderRaftNodeID bool          `json:"enable_response_header_raft_node_id"`
 	LicensePath                    string        `json:"license_path"`
 	FeatureFlags                   []string      `json:"feature_flags,omitempty"`
+	EnableUnauthenticatedAccess    []string      `json:"enable_unauthenticated_access,omitempty"`
+	EnableMultiSeal                bool          `json:"enable_multiseal"`
 }
 
 type ClusterNode struct {
@@ -99,6 +100,10 @@ type ClusterOptions struct {
 	ClusterName                 string
 	KeepStandbysSealed          bool
 	SkipInit                    bool
+	SkipUnsealWaitActiveNode    bool
+	BarrierKeys                 [][]byte
+	RecoveryKeys                [][]byte
+	RootToken                   string
 	CACert                      []byte
 	NumCores                    int
 	TmpDir                      string
@@ -117,6 +122,21 @@ type VaultNodeListenerConfig struct {
 	TLSCipherSuites   []uint16
 }
 
+type VaultNodeSealConfig struct {
+	Type   string
+	Config map[string]string
+}
+
+type VaultNodeKMSLibrary struct {
+	Type    string
+	Name    string
+	Library string
+}
+
+type VaultNodeEntropy struct {
+	SealName string
+}
+
 type CA struct {
 	CACert        *x509.Certificate
 	CACertBytes   []byte
diff --git a/sdk/helper/testcluster/util.go b/sdk/helper/testcluster/util.go
index 83d3cb739c..27ef53ed2b 100644
--- a/sdk/helper/testcluster/util.go
+++ b/sdk/helper/testcluster/util.go
@@ -89,6 +89,27 @@ func UnsealNode(ctx context.Context, cluster VaultCluster, nodeIdx int) error {
 	return NodeHealthy(ctx, cluster, nodeIdx)
 }
 
+func UnsealNodeWithOptions(ctx context.Context, cluster VaultCluster, nodeIdx int, reset, migrate bool) error {
+	if nodeIdx >= len(cluster.Nodes()) {
+		return fmt.Errorf("invalid nodeIdx %d for cluster", nodeIdx)
+	}
+	node := cluster.Nodes()[nodeIdx]
+	client := node.APIClient()
+
+	for _, key := range cluster.GetBarrierOrRecoveryKeys() {
+		_, err := client.Sys().UnsealWithOptionsWithContext(ctx, &api.UnsealOpts{
+			Key:     hex.EncodeToString(key),
+			Reset:   reset,
+			Migrate: migrate,
+		})
+		if err != nil {
+			return err
+		}
+	}
+
+	return NodeHealthy(ctx, cluster, nodeIdx)
+}
+
 func UnsealAllNodes(ctx context.Context, cluster VaultCluster) error {
 	for i := range cluster.Nodes() {
 		if err := UnsealNode(ctx, cluster, i); err != nil {
diff --git a/sdk/helper/testhelpers/dnstest/server.go b/sdk/helper/testhelpers/dnstest/server.go
index 68472c3fe3..38e4509a64 100644
--- a/sdk/helper/testhelpers/dnstest/server.go
+++ b/sdk/helper/testhelpers/dnstest/server.go
@@ -14,10 +14,21 @@ import (
 
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/moby/moby/client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+type TestServerConfig struct {
+	DockerNetworkName string
+	Logger            hclog.Logger
+	Domains           []ServerDomain
+	TSigKeys          []TSigKey
+}
+type ServerDomain struct {
+	Domain      string
+	TSIGKeyName string
+}
 type TestServer struct {
 	t   *testing.T
 	ctx context.Context
@@ -27,11 +38,11 @@ type TestServer struct {
 	network string
 	startup *docker.Service
 
-	lock       sync.Mutex
-	serial     int
-	forwarders []string
-	domains    []string
-	records    map[string]map[string][]string // domain -> record -> value(s).
+	lock     sync.Mutex
+	serial   int
+	tsigKeys []TSigKey
+	domains  []ServerDomain
+	records  map[string]map[string][]string // domain -> record -> value(s).
 
 	cleanup func()
 }
@@ -41,21 +52,66 @@ func SetupResolver(t *testing.T, domain string) *TestServer {
 }
 
 func SetupResolverOnNetwork(t *testing.T, domain string, network string) *TestServer {
+	return SetupResolverOnNetworkWithLogger(t, domain, network, hclog.NewNullLogger())
+}
+
+func SetupResolverOnNetworkWithLogger(t *testing.T, domain string, network string, logger hclog.Logger) *TestServer {
+	config := TestServerConfig{
+		Logger:            logger,
+		DockerNetworkName: network,
+		Domains: []ServerDomain{
+			{Domain: domain},
+		},
+	}
+	return SetupResolverWithConfig(t, config)
+}
+
+func SetupResolverWithConfig(t *testing.T, config TestServerConfig) *TestServer {
 	var ts TestServer
 	ts.t = t
 	ts.ctx = context.Background()
-	ts.domains = []string{domain}
+	ts.tsigKeys = config.TSigKeys
+	ts.domains = config.Domains
 	ts.records = map[string]map[string][]string{}
-	ts.network = network
-	ts.log = hclog.L()
+	ts.network = config.DockerNetworkName
+	ts.log = config.Logger
 
-	ts.setupRunner(domain, network)
-	ts.startContainer(network)
+	validateReferencedTSIGKeysExist(t, config)
+
+	if len(ts.domains) == 0 {
+		t.Fatal("no domains configured")
+	}
+
+	ts.setupRunner(ts.domains[0].Domain, ts.network)
+	ts.startContainer(ts.network)
 	ts.PushConfig()
 
 	return &ts
 }
 
+func validateReferencedTSIGKeysExist(t *testing.T, tsc TestServerConfig) {
+	var missingTSIGKeys []string
+	for _, domain := range tsc.Domains {
+		if len(domain.TSIGKeyName) == 0 {
+			continue
+		}
+
+		found := false
+		for _, tsigKey := range tsc.TSigKeys {
+			if domain.TSIGKeyName == tsigKey.KeyName {
+				found = true
+				break
+			}
+		}
+		if !found {
+			missingTSIGKeys = append(missingTSIGKeys, fmt.Sprintf("TSIG key name: %q referenced by domain %q", domain.TSIGKeyName, domain.Domain))
+		}
+	}
+	if len(missingTSIGKeys) > 0 {
+		t.Fatalf("missing TSIG keys: %s", missingTSIGKeys)
+	}
+}
+
 func (ts *TestServer) setupRunner(domain string, network string) {
 	var err error
 	ts.runner, err = docker.NewServiceRunner(docker.RunOptions{
@@ -65,9 +121,9 @@ func (ts *TestServer) setupRunner(domain string, network string) {
 		NetworkName:   network,
 		Ports:         []string{"53/udp"},
 		// DNS container logging was disabled to reduce content within CI logs.
-		//LogConsumer: func(s string) {
-		//	ts.log.Info(s)
-		//},
+		LogConsumer: func(s string) {
+			ts.log.Trace(s)
+		},
 	})
 	require.NoError(ts.t, err)
 }
@@ -97,7 +153,7 @@ func (ts *TestServer) startContainer(network string) {
 	}
 
 	result, _, err := ts.runner.StartNewService(ts.ctx, true, true, connUpFunc)
-	require.NoError(ts.t, err, "failed to start dns resolver for "+ts.domains[0])
+	require.NoError(ts.t, err, "failed to start dns resolver for "+ts.domains[0].Domain)
 	ts.startup = result
 
 	if ts.startup.StartResult.RealIP == "" {
@@ -119,44 +175,46 @@ func (ts *TestServer) startContainer(network string) {
 }
 
 func (ts *TestServer) buildNamedConf() string {
-	forwarders := "\n"
-	if len(ts.forwarders) > 0 {
-		forwarders = "\tforwarders {\n"
-		for _, forwarder := range ts.forwarders {
-			forwarders += "\t\t" + forwarder + ";\n"
-		}
-		forwarders += "\t};\n"
-	}
-
 	zones := "\n"
-	for _, domain := range ts.domains {
-		zones += fmt.Sprintf("zone \"%s\" {\n", domain)
+	for _, ds := range ts.domains {
+		updateType := "none"
+		if len(ds.TSIGKeyName) > 0 {
+			updateType = fmt.Sprintf(`key "%s"`, ds.TSIGKeyName)
+		}
+
+		zones += fmt.Sprintf("zone \"%s\" {\n", ds.Domain)
 		zones += "\ttype primary;\n"
-		zones += fmt.Sprintf("\tfile \"%s.zone\";\n", domain)
-		zones += "\tallow-update {\n\t\tnone;\n\t};\n"
+		zones += fmt.Sprintf("\tfile \"%s.zone\";\n", ds.Domain)
+		zones += fmt.Sprintf("\tallow-update {\n\t\t%s;\n\t};\n", updateType)
 		zones += "\tnotify no;\n"
 		zones += "};\n\n"
 	}
 
-	// Reverse lookups are not handles as they're not presently necessary.
+	tsigKeys := "\n"
+	for _, key := range ts.tsigKeys {
+		tsigKeys += fmt.Sprintf("key \"%s\"{\n", key.KeyName)
+		tsigKeys += fmt.Sprintf("\talgorithm \"%s\";\n", key.Algorithm.String())
+		tsigKeys += fmt.Sprintf("\tsecret \"%s\";\n", key.Secret)
+		tsigKeys += "};\n\n"
+	}
 
 	cfg := `options {
 	directory "/var/cache/bind";
-
 	dnssec-validation no;
-
-	` + forwarders + `
+	querylog yes;
 };
 
-` + zones
+` + tsigKeys + zones
 
 	return cfg
 }
 
-func (ts *TestServer) buildZoneFile(target string) string {
+func (ts *TestServer) buildZoneFile(sd ServerDomain) string {
 	// One second TTL by default to allow quick refreshes.
 	zone := "$TTL 1;\n"
 
+	target := sd.Domain
+
 	ts.serial += 1
 	zone += fmt.Sprintf("@\tIN\tSOA\tns.%v.\troot.%v.\t(\n", target, target)
 	zone += fmt.Sprintf("\t\t\t%d;\n\t\t\t1;\n\t\t\t1;\n\t\t\t2;\n\t\t\t1;\n\t\t\t)\n\n", ts.serial)
@@ -195,10 +253,10 @@ func (ts *TestServer) pushZoneFiles() {
 	contents := docker.NewBuildContext()
 
 	for _, domain := range ts.domains {
-		path := "/var/cache/bind/" + domain + ".zone"
+		path := "/var/cache/bind/" + domain.Domain + ".zone"
 		zoneFile := ts.buildZoneFile(domain)
 		contents[path] = docker.PathContentsFromString(zoneFile)
-		contents[path].SetOwners(0, 142) // root, bind
+		contents[path].SetOwners(142, 142) // bind, bind allow updates through RFC2136
 
 		ts.log.Info(fmt.Sprintf("Generated bind9 zone file for %v (%s):\n%v\n", domain, path, zoneFile))
 	}
@@ -233,7 +291,7 @@ func (ts *TestServer) PushConfig() {
 		// to make sure it has been updated more recently than when the
 		// last update was written. Then issue a new SIGHUP.
 		for _, domain := range ts.domains {
-			path := "/var/cache/bind/" + domain + ".zone"
+			path := "/var/cache/bind/" + domain.Domain + ".zone"
 			touchCmd := []string{"touch", path}
 
 			_, _, _, err := ts.runner.RunCmdWithOutput(ts.ctx, ts.startup.Container.ID, touchCmd)
@@ -242,7 +300,7 @@ func (ts *TestServer) PushConfig() {
 				return
 			}
 		}
-		ts.runner.DockerAPI.ContainerKill(ts.ctx, ts.startup.Container.ID, "SIGHUP")
+		ts.runner.DockerAPI.ContainerKill(ts.ctx, ts.startup.Container.ID, client.ContainerKillOptions{Signal: "SIGHUP"})
 
 		// Connect to our bind resolver.
 		resolver := &net.Resolver{
@@ -259,14 +317,14 @@ func (ts *TestServer) PushConfig() {
 		// last domain has the given serial number, which also appears in the
 		// NS record so we can fetch it via Go.
 		lastDomain := ts.domains[len(ts.domains)-1]
-		records, err := resolver.LookupNS(ts.ctx, lastDomain)
+		records, err := resolver.LookupNS(ts.ctx, lastDomain.Domain)
 		if err != nil {
-			assert.NoError(ct, err, "failed to lookup NS record for %v", lastDomain)
+			assert.NoError(ct, err, "failed to lookup NS record for %v", lastDomain.Domain)
 			return
 		}
 
-		assert.Len(ct, records, 1, "expected only 1 NS record for %v", lastDomain)
-		assert.Equal(ct, fmt.Sprintf("ns%d.%v.", ts.serial, lastDomain), records[0].Host, "reload hasn't completed")
+		assert.Len(ct, records, 1, "expected only 1 NS record for %v", lastDomain.Domain)
+		assert.Equal(ct, fmt.Sprintf("ns%d.%v.", ts.serial, lastDomain.Domain), records[0].Host, "reload hasn't completed")
 	}, 15*time.Second, 100*time.Millisecond)
 }
 
@@ -283,12 +341,12 @@ func (ts *TestServer) AddDomain(domain string) {
 	defer ts.lock.Unlock()
 
 	for _, existing := range ts.domains {
-		if existing == domain {
+		if existing.Domain == domain {
 			return
 		}
 	}
 
-	ts.domains = append(ts.domains, domain)
+	ts.domains = append(ts.domains, ServerDomain{Domain: domain})
 }
 
 func (ts *TestServer) AddRecord(domain string, record string, value string) {
@@ -297,7 +355,7 @@ func (ts *TestServer) AddRecord(domain string, record string, value string) {
 
 	foundDomain := false
 	for _, existing := range ts.domains {
-		if strings.HasSuffix(domain, existing) {
+		if strings.HasSuffix(domain, existing.Domain) {
 			foundDomain = true
 			break
 		}
@@ -329,7 +387,7 @@ func (ts *TestServer) RemoveRecord(domain string, record string, value string) {
 
 	foundDomain := false
 	for _, existing := range ts.domains {
-		if strings.HasSuffix(domain, existing) {
+		if strings.HasSuffix(domain, existing.Domain) {
 			foundDomain = true
 			break
 		}
@@ -363,7 +421,7 @@ func (ts *TestServer) RemoveRecordsOfTypeForDomain(domain string, record string)
 
 	foundDomain := false
 	for _, existing := range ts.domains {
-		if strings.HasSuffix(domain, existing) {
+		if strings.HasSuffix(domain, existing.Domain) {
 			foundDomain = true
 			break
 		}
@@ -387,7 +445,7 @@ func (ts *TestServer) RemoveRecordsForDomain(domain string) {
 
 	foundDomain := false
 	for _, existing := range ts.domains {
-		if strings.HasSuffix(domain, existing) {
+		if strings.HasSuffix(domain, existing.Domain) {
 			foundDomain = true
 			break
 		}
diff --git a/sdk/helper/testhelpers/dnstest/tsigkeys.go b/sdk/helper/testhelpers/dnstest/tsigkeys.go
new file mode 100644
index 0000000000..fb95cb8b93
--- /dev/null
+++ b/sdk/helper/testhelpers/dnstest/tsigkeys.go
@@ -0,0 +1,89 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: MPL-2.0
+
+package dnstest
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+)
+
+// TSIGAlgorithm represents the supported TSIG algorithm types
+type TSIGAlgorithm int
+
+const (
+	HmacSHA1 TSIGAlgorithm = iota
+	HmacSHA224
+	HmacSHA256
+	HmacSHA384
+	HmacSHA512
+)
+
+// String returns the string representation of the algorithm
+func (a TSIGAlgorithm) String() string {
+	switch a {
+	case HmacSHA1:
+		return "hmac-sha1"
+	case HmacSHA224:
+		return "hmac-sha224"
+	case HmacSHA256:
+		return "hmac-sha256"
+	case HmacSHA384:
+		return "hmac-sha384"
+	case HmacSHA512:
+		return "hmac-sha512"
+	default:
+		return "unknown"
+	}
+}
+
+// Bits returns the key size in bits for the algorithm
+func (a TSIGAlgorithm) Bits() int {
+	switch a {
+	case HmacSHA1:
+		return 160
+	case HmacSHA224:
+		return 224
+	case HmacSHA256:
+		return 256
+	case HmacSHA384:
+		return 384
+	case HmacSHA512:
+		return 512
+	default:
+		return 0
+	}
+}
+
+type TSigKey struct {
+	KeyName   string
+	Algorithm TSIGAlgorithm
+	Secret    string
+}
+
+// GenerateTSIGKey generates a base64 std encoded TSIG key for the specified algorithm
+func GenerateTSIGKey(keyName string, algorithm TSIGAlgorithm) (TSigKey, error) {
+	if keyName == "" {
+		return TSigKey{}, fmt.Errorf("empty key name")
+	}
+
+	bits := algorithm.Bits()
+	if bits == 0 {
+		return TSigKey{}, fmt.Errorf("unsupported algorithm: %v", algorithm)
+	}
+
+	// Calculate byte length from bits
+	byteLength := bits / 8
+
+	// Generate random bytes
+	key := make([]byte, byteLength)
+	_, err := rand.Read(key)
+	if err != nil {
+		return TSigKey{}, fmt.Errorf("failed to generate random key: %w", err)
+	}
+
+	// Encode to base64
+	encodedKey := base64.StdEncoding.EncodeToString(key)
+	return TSigKey{KeyName: keyName, Algorithm: algorithm, Secret: encodedKey}, nil
+}
diff --git a/sdk/logical/auth.go b/sdk/logical/auth.go
index 86a225b575..c3bfb01a5a 100644
--- a/sdk/logical/auth.go
+++ b/sdk/logical/auth.go
@@ -90,6 +90,12 @@ type Auth struct {
 	// matching groups, the entity ID of the user will be added.
 	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`
 
+	// ActorEntityID is the entity ID of the actor performing the request.
+	ActorEntityID string `json:"actor_entity_id,omitempty" mapstructure:"actor_entity_id" structs:"actor_entity_id"`
+
+	// ActorEntityName is the name of the actor entity performing the request.
+	ActorEntityName string `json:"actor_entity_name,omitempty" mapstructure:"actor_entity_name" structs:"actor_entity_name"`
+
 	// The set of CIDRs that this token can be used with
 	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`
 
@@ -118,6 +124,13 @@ type Auth struct {
 	// HTTPRequestPriority contains potential information about the request
 	// priority based on required path capabilities
 	HTTPRequestPriority *uint8 `json:"http_request_priority"`
+
+	// AuthorizationDetails holds fine-grained authorization constraints for the request.
+	// Each element is a JSON object with at minimum a "type" field.
+	// It is nil when the token does not carry authorization details.
+	// It is not included in plugin RPC serialization because it is only needed at request-routing
+	// time and not during plugin Renew or Revoke operations.
+	AuthorizationDetails []AuthorizationDetail `json:"authorization_details,omitempty"`
 }
 
 func (a *Auth) GoString() string {
diff --git a/sdk/logical/auth_test.go b/sdk/logical/auth_test.go
new file mode 100644
index 0000000000..9f48c459d0
--- /dev/null
+++ b/sdk/logical/auth_test.go
@@ -0,0 +1,55 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+package logical
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestAuth_ActorEntityFields verifies that ActorEntityID and ActorEntityName
+// round-trip correctly through JSON marshalling and unmarshalling, and that
+// both fields appear with their expected JSON keys when set.
+func TestAuth_ActorEntityFields(t *testing.T) {
+	t.Parallel()
+
+	auth := &Auth{
+		EntityID:        "subject-entity-123",
+		DisplayName:     "subject-user",
+		ActorEntityID:   "actor-entity-456",
+		ActorEntityName: "actor-service",
+	}
+
+	data, err := json.Marshal(auth)
+	require.NoError(t, err)
+	require.Contains(t, string(data), `"actor_entity_id":"actor-entity-456"`)
+	require.Contains(t, string(data), `"actor_entity_name":"actor-service"`)
+
+	var auth2 Auth
+	err = json.Unmarshal(data, &auth2)
+	require.NoError(t, err)
+	require.Equal(t, "actor-entity-456", auth2.ActorEntityID)
+	require.Equal(t, "actor-service", auth2.ActorEntityName)
+}
+
+// TestAuth_ActorEntityFields_OmitEmpty verifies that ActorEntityID and
+// ActorEntityName are omitted from the JSON output when not set, preventing
+// empty actor fields from appearing in audit entries for requests without
+// an actor entity.
+func TestAuth_ActorEntityFields_OmitEmpty(t *testing.T) {
+	t.Parallel()
+
+	auth := &Auth{
+		EntityID:    "subject-entity-123",
+		DisplayName: "subject-user",
+		// ActorEntityID and ActorEntityName intentionally not set
+	}
+
+	data, err := json.Marshal(auth)
+	require.NoError(t, err)
+	require.NotContains(t, string(data), "actor_entity_id")
+	require.NotContains(t, string(data), "actor_entity_name")
+}
diff --git a/sdk/logical/certificate_counter.go b/sdk/logical/certificate_counter.go
index 0504c06d4d..811f6fe73e 100644
--- a/sdk/logical/certificate_counter.go
+++ b/sdk/logical/certificate_counter.go
@@ -6,6 +6,7 @@ package logical
 import (
 	"crypto/x509"
 	"math"
+	"time"
 )
 
 // CertificateCounter is an interface for incrementing the count of issued and stored
@@ -28,16 +29,20 @@ type CertCount struct {
 	// purposes. Each certificate's billable units = (Validity Hours ÷ 730), rounded to 4 decimal
 	// places.
 	PkiDurationAdjustedCerts float64
+	SSHIssuedCerts           float64
+	SSHIssuedOTPs            float64
 }
 
 func (i *CertCount) Add(other CertCount) {
 	i.IssuedCerts += other.IssuedCerts
 	i.StoredCerts += other.StoredCerts
 	i.PkiDurationAdjustedCerts += other.PkiDurationAdjustedCerts
+	i.SSHIssuedCerts += other.SSHIssuedCerts
+	i.SSHIssuedOTPs += other.SSHIssuedOTPs
 }
 
 func (i *CertCount) IsZero() bool {
-	return i.IssuedCerts == 0 && i.StoredCerts == 0 && i.PkiDurationAdjustedCerts == 0
+	return i.IssuedCerts == 0 && i.StoredCerts == 0 && i.PkiDurationAdjustedCerts == 0 && i.SSHIssuedCerts == 0 && i.SSHIssuedOTPs == 0
 }
 
 // durationAdjustedCertificateCount calculates the billable units for a certificate based on its
@@ -53,11 +58,18 @@ func durationAdjustedCertificateCount(validitySeconds int64) float64 {
 	validityHours := float64(validitySeconds) / 3600.0
 	units := validityHours / standardDuration
 	// Round to 4 decimal places
-	return math.Round(units*10000) / 10000
+	ret := math.Round(units*10000) / 10000
+	if ret == 0.0 && validitySeconds > 0 {
+		// Ensure we don't return 0.0, which would be interpreted as no billable units.
+		return 0.0001
+	}
+	return ret
 }
 
 type CertCountIncrementer interface {
 	AddIssuedCertificate(stored bool, cert *x509.Certificate) CertCountIncrementer
+	AddSSHCertificate(ttl time.Duration) CertCountIncrementer
+	AddSSHOTP() CertCountIncrementer
 }
 
 type certCountIncrementer struct {
@@ -88,3 +100,21 @@ func (c *certCountIncrementer) AddIssuedCertificate(stored bool, cert *x509.Cert
 
 	return c
 }
+
+func (c *certCountIncrementer) AddSSHCertificate(ttl time.Duration) CertCountIncrementer {
+	count := CertCount{
+		SSHIssuedCerts: durationAdjustedCertificateCount(int64(ttl.Seconds())),
+	}
+
+	c.counter.AddCount(count)
+
+	return c
+}
+
+func (c *certCountIncrementer) AddSSHOTP() CertCountIncrementer {
+	c.counter.AddCount(CertCount{
+		SSHIssuedOTPs: 0.0014,
+	})
+
+	return c
+}
diff --git a/sdk/logical/certificate_counter_test.go b/sdk/logical/certificate_counter_test.go
index 4d449878bf..889cee2e26 100644
--- a/sdk/logical/certificate_counter_test.go
+++ b/sdk/logical/certificate_counter_test.go
@@ -17,7 +17,7 @@ func Test_durationAdjustedCertificateCount(t *testing.T) {
 		{
 			name:            "zero duration",
 			validitySeconds: 0,
-			want:            0.0,
+			want:            0, // If the duration is zero, the normalized unit should be zero
 		},
 		{
 			name:            "1 hour",
@@ -72,12 +72,12 @@ func Test_durationAdjustedCertificateCount(t *testing.T) {
 		{
 			name:            "very small duration - 1 second",
 			validitySeconds: 1,
-			want:            0.0, // 1/3600/730 = 0.00000038... rounds to 0.0
+			want:            0.0001, // 1/3600/730 = 0.00000038... rounds to 0.0 but should return default minimum 0.0001
 		},
 		{
 			name:            "very small duration - 60 seconds",
 			validitySeconds: 60,
-			want:            0.0, // 60/3600/730 = 0.000023... rounds to 0.0
+			want:            0.0001, // 60/3600/730 = 0.000023... rounds to 0.0 and should return default minimum 0.0001
 		},
 		{
 			name:            "very small duration - 600 seconds",
diff --git a/sdk/logical/events.go b/sdk/logical/events.go
index d50672ab77..fa438da26d 100644
--- a/sdk/logical/events.go
+++ b/sdk/logical/events.go
@@ -105,12 +105,19 @@ func (x *EventReceived) BexprDatum() any {
 		}
 	}
 
+	sourcePluginMount := ""
+	isLocal := false
+	if x.PluginInfo != nil {
+		sourcePluginMount = x.PluginInfo.MountPath
+		isLocal = x.PluginInfo.IsLocal
+	}
+
 	return &EventReceivedBexpr{
 		EventType:           x.EventType,
 		Operation:           operation,
-		SourcePluginMount:   x.PluginInfo.MountPath,
+		SourcePluginMount:   sourcePluginMount,
 		DataPath:            dataPath,
 		Namespace:           x.Namespace,
-		SourcePluginIsLocal: x.PluginInfo.IsLocal,
+		SourcePluginIsLocal: isLocal,
 	}
 }
diff --git a/sdk/logical/identity.pb.go b/sdk/logical/identity.pb.go
index 8968db90f3..77c75d24de 100644
--- a/sdk/logical/identity.pb.go
+++ b/sdk/logical/identity.pb.go
@@ -141,7 +141,13 @@ type Alias struct {
 	// Local indicates if the alias only belongs to the cluster where it was
 	// created. If true, the alias will be stored in a location that are ignored
 	// by the performance replication subsystem.
-	Local         bool `protobuf:"varint,8,opt,name=local,proto3" json:"local,omitempty"`
+	Local bool `protobuf:"varint,8,opt,name=local,proto3" json:"local,omitempty"`
+	// external_id is the unique external identifier for an entity managed via
+	// an external IDP. This field does not always map 1:1 to a claim external_id.
+	// This mapping is done via configuration.
+	ExternalID string `protobuf:"bytes,9,opt,name=external_id,json=externalId,proto3" json:"external_id,omitempty"`
+	// issuer is the issuer claim for this alias
+	Issuer        string `protobuf:"bytes,10,opt,name=issuer,proto3" json:"issuer,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -232,6 +238,20 @@ func (x *Alias) GetLocal() bool {
 	return false
 }
 
+func (x *Alias) GetExternalID() string {
+	if x != nil {
+		return x.ExternalID
+	}
+	return ""
+}
+
+func (x *Alias) GetIssuer() string {
+	if x != nil {
+		return x.Issuer
+	}
+	return ""
+}
+
 type Group struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// ID is the unique identifier for the group
@@ -499,7 +519,7 @@ var file_sdk_logical_identity_proto_rawDesc = string([]byte{
 	0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
 	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
 	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xb1, 0x03, 0x0a, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x12,
+	0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xea, 0x03, 0x0a, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x12,
 	0x1d, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x25,
 	0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72,
@@ -518,60 +538,63 @@ var file_sdk_logical_identity_proto_rawDesc = string([]byte{
 	0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e,
 	0x74, 0x72, 0x79, 0x52, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64,
 	0x61, 0x74, 0x61, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x18, 0x08, 0x20, 0x01,
-	0x28, 0x08, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74,
-	0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
-	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x41, 0x0a, 0x13, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d,
-	0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
-	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
-	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xc5, 0x01, 0x0a, 0x05, 0x47, 0x72,
-	0x6f, 0x75, 0x70, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x02, 0x49, 0x44, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x38, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64,
-	0x61, 0x74, 0x61, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6c, 0x6f, 0x67, 0x69,
-	0x63, 0x61, 0x6c, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
-	0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
-	0x61, 0x12, 0x21, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69,
-	0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
-	0x63, 0x65, 0x49, 0x64, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
-	0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
-	0x01, 0x22, 0xa2, 0x01, 0x0a, 0x0b, 0x4d, 0x46, 0x41, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x49,
-	0x44, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x23, 0x0a, 0x0d, 0x75, 0x73, 0x65, 0x73, 0x5f, 0x70, 0x61,
-	0x73, 0x73, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x75, 0x73,
-	0x65, 0x73, 0x50, 0x61, 0x73, 0x73, 0x63, 0x6f, 0x64, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61,
-	0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x36,
-	0x0a, 0x17, 0x73, 0x65, 0x6c, 0x66, 0x5f, 0x65, 0x6e, 0x72, 0x6f, 0x6c, 0x6c, 0x6d, 0x65, 0x6e,
-	0x74, 0x5f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x15, 0x73, 0x65, 0x6c, 0x66, 0x45, 0x6e, 0x72, 0x6f, 0x6c, 0x6c, 0x6d, 0x65, 0x6e, 0x74, 0x45,
-	0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x3a, 0x0a, 0x10, 0x4d, 0x46, 0x41, 0x43, 0x6f, 0x6e,
-	0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x41, 0x6e, 0x79, 0x12, 0x26, 0x0a, 0x03, 0x61, 0x6e,
-	0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61,
-	0x6c, 0x2e, 0x4d, 0x46, 0x41, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x49, 0x44, 0x52, 0x03, 0x61,
-	0x6e, 0x79, 0x22, 0xea, 0x01, 0x0a, 0x0e, 0x4d, 0x46, 0x41, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0e, 0x6d, 0x66, 0x61, 0x5f, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6d,
-	0x66, 0x61, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x12, 0x54, 0x0a, 0x0f, 0x6d,
-	0x66, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x02,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x4d,
-	0x46, 0x41, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4d, 0x66,
+	0x28, 0x08, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x78, 0x74,
+	0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a,
+	0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73,
+	0x73, 0x75, 0x65, 0x72, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75,
+	0x65, 0x72, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e,
+	0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a,
+	0x41, 0x0a, 0x13, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
+	0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
+	0x38, 0x01, 0x22, 0xc5, 0x01, 0x0a, 0x05, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x0e, 0x0a, 0x02,
+	0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x12, 0x0a, 0x04,
+	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65,
+	0x12, 0x38, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x03, 0x20, 0x03,
+	0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x47, 0x72, 0x6f,
+	0x75, 0x70, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79,
+	0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x21, 0x0a, 0x0c, 0x6e, 0x61,
+	0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x1a, 0x3b, 0x0a,
+	0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10,
+	0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79,
+	0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xa2, 0x01, 0x0a, 0x0b, 0x4d,
+	0x46, 0x41, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x49, 0x44, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79,
+	0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x0e,
+	0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x23,
+	0x0a, 0x0d, 0x75, 0x73, 0x65, 0x73, 0x5f, 0x70, 0x61, 0x73, 0x73, 0x63, 0x6f, 0x64, 0x65, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x75, 0x73, 0x65, 0x73, 0x50, 0x61, 0x73, 0x73, 0x63,
+	0x6f, 0x64, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x73, 0x65, 0x6c, 0x66, 0x5f,
+	0x65, 0x6e, 0x72, 0x6f, 0x6c, 0x6c, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x65, 0x6e, 0x61, 0x62, 0x6c,
+	0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x15, 0x73, 0x65, 0x6c, 0x66, 0x45, 0x6e,
+	0x72, 0x6f, 0x6c, 0x6c, 0x6d, 0x65, 0x6e, 0x74, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22,
+	0x3a, 0x0a, 0x10, 0x4d, 0x46, 0x41, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74,
+	0x41, 0x6e, 0x79, 0x12, 0x26, 0x0a, 0x03, 0x61, 0x6e, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
+	0x32, 0x14, 0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x4d, 0x46, 0x41, 0x4d, 0x65,
+	0x74, 0x68, 0x6f, 0x64, 0x49, 0x44, 0x52, 0x03, 0x61, 0x6e, 0x79, 0x22, 0xea, 0x01, 0x0a, 0x0e,
+	0x4d, 0x46, 0x41, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x24,
+	0x0a, 0x0e, 0x6d, 0x66, 0x61, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x64,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6d, 0x66, 0x61, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x49, 0x64, 0x12, 0x54, 0x0a, 0x0f, 0x6d, 0x66, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x73,
+	0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e,
+	0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x4d, 0x46, 0x41, 0x52, 0x65, 0x71, 0x75, 0x69,
+	0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4d, 0x66, 0x61, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72,
+	0x61, 0x69, 0x6e, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0e, 0x6d, 0x66, 0x61, 0x43,
+	0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x1a, 0x5c, 0x0a, 0x13, 0x4d, 0x66,
 	0x61, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x0e, 0x6d, 0x66, 0x61, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74,
-	0x73, 0x1a, 0x5c, 0x0a, 0x13, 0x4d, 0x66, 0x61, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69,
-	0x6e, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x6c, 0x6f, 0x67, 0x69,
-	0x63, 0x61, 0x6c, 0x2e, 0x4d, 0x46, 0x41, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e,
-	0x74, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42,
-	0x28, 0x5a, 0x26, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61,
-	0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x73, 0x64,
-	0x6b, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
+	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x6b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x19, 0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x4d, 0x46, 0x41,
+	0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x28, 0x5a, 0x26, 0x67, 0x69, 0x74, 0x68,
+	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
+	0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x73, 0x64, 0x6b, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x63,
+	0x61, 0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 })
 
 var (
diff --git a/sdk/logical/identity.proto b/sdk/logical/identity.proto
index 1ecee1e053..54b43623c2 100644
--- a/sdk/logical/identity.proto
+++ b/sdk/logical/identity.proto
@@ -61,6 +61,14 @@ message Alias {
   // created. If true, the alias will be stored in a location that are ignored
   // by the performance replication subsystem.
   bool local = 8;
+
+  // external_id is the unique external identifier for an entity managed via
+  // an external IdP. This field does not always map 1:1 to a claim external_id.
+  // This mapping is done via configuration.
+  string external_id = 9;
+
+  // issuer is the issuer claim for this alias
+  string issuer = 10;
 }
 
 message Group {
diff --git a/sdk/logical/keyusage_enumer.go b/sdk/logical/keyusage_enumer.go
index 83998c4a2a..fa813655e5 100644
--- a/sdk/logical/keyusage_enumer.go
+++ b/sdk/logical/keyusage_enumer.go
@@ -6,9 +6,9 @@ import (
 	"fmt"
 )
 
-const _KeyUsageName = "encryptdecryptsignverifywrapunwrapgenerate_random"
+const _KeyUsageName = "encryptdecryptsignverifywrapunwrapgenerate_randommac"
 
-var _KeyUsageIndex = [...]uint8{0, 7, 14, 18, 24, 28, 34, 49}
+var _KeyUsageIndex = [...]uint8{0, 7, 14, 18, 24, 28, 34, 49, 52}
 
 func (i KeyUsage) String() string {
 	i -= 1
@@ -18,7 +18,7 @@ func (i KeyUsage) String() string {
 	return _KeyUsageName[_KeyUsageIndex[i]:_KeyUsageIndex[i+1]]
 }
 
-var _KeyUsageValues = []KeyUsage{1, 2, 3, 4, 5, 6, 7}
+var _KeyUsageValues = []KeyUsage{1, 2, 3, 4, 5, 6, 7, 8}
 
 var _KeyUsageNameToValueMap = map[string]KeyUsage{
 	_KeyUsageName[0:7]:   1,
@@ -28,6 +28,7 @@ var _KeyUsageNameToValueMap = map[string]KeyUsage{
 	_KeyUsageName[24:28]: 5,
 	_KeyUsageName[28:34]: 6,
 	_KeyUsageName[34:49]: 7,
+	_KeyUsageName[49:52]: 8,
 }
 
 // KeyUsageString retrieves an enum value from the enum constants string name.
diff --git a/sdk/logical/logical.go b/sdk/logical/logical.go
index 0d82b8584e..841a518a5b 100644
--- a/sdk/logical/logical.go
+++ b/sdk/logical/logical.go
@@ -122,7 +122,10 @@ type Factory func(context.Context, *BackendConfig) (Backend, error)
 
 // Paths is the structure of special paths that is used for SpecialPaths.
 type Paths struct {
-	// Root are the API paths that require a root token to access
+	// Root are the API paths that require a root token to access.
+	// These can't be regular expressions; each entry is either an exact match,
+	// a prefix match (append '*' as a suffix), or a wildcard segment match
+	// (use '+' in a segment, e.g. 'foo/+/bar').
 	Root []string
 
 	// Unauthenticated are the API paths that can be accessed without any auth.
diff --git a/sdk/logical/managed_key.go b/sdk/logical/managed_key.go
index 37540f5567..fe543888db 100644
--- a/sdk/logical/managed_key.go
+++ b/sdk/logical/managed_key.go
@@ -22,6 +22,7 @@ const (
 	KeyUsageWrap
 	KeyUsageUnwrap
 	KeyUsageGenerateRandom
+	KeyUsageMAC
 )
 
 type ManagedKey interface {
diff --git a/sdk/logical/request.go b/sdk/logical/request.go
index 4ba4bd4043..c6155a3a9f 100644
--- a/sdk/logical/request.go
+++ b/sdk/logical/request.go
@@ -86,6 +86,10 @@ func IndexStateFromContext(ctx context.Context) *WALState {
 	return s
 }
 
+// AuthorizationDetail stores one enterprise token authorization detail object.
+// The "type" field is required.
+type AuthorizationDetail map[string]any
+
 // Request is a struct that stores the parameters and context of a request
 // being made to Vault. It is used to abstract the details of the higher level
 // request protocol from the handlers.
@@ -137,6 +141,26 @@ type Request struct {
 	// hashed.
 	ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`
 
+	// EnterpriseTokenMetadata stores enterprise token metadata.
+	EnterpriseTokenMetadata string `json:"enterprise_token_metadata" structs:"enterprise_token_metadata" mapstructure:"enterprise_token_metadata" sentinel:""`
+
+	// EnterpriseTokenIssuer stores the enterprise token issuer.
+	EnterpriseTokenIssuer string `json:"enterprise_token_issuer,omitempty" structs:"enterprise_token_issuer" mapstructure:"enterprise_token_issuer"`
+
+	// EnterpriseTokenTransaction stores the enterprise token transaction claim.
+	EnterpriseTokenTransaction string `json:"enterprise_token_transaction,omitempty" structs:"enterprise_token_transaction" mapstructure:"enterprise_token_transaction"`
+
+	// EnterpriseTokenAudience stores enterprise token audience values.
+	EnterpriseTokenAudience []string `json:"enterprise_token_audience,omitempty" structs:"enterprise_token_audience" mapstructure:"enterprise_token_audience"`
+
+	// EnterpriseTokenAuthorizationDetails stores enterprise token authorization details.
+	EnterpriseTokenAuthorizationDetails []AuthorizationDetail `json:"enterprise_token_authorization_details,omitempty" structs:"enterprise_token_authorization_details" mapstructure:"enterprise_token_authorization_details"`
+
+	// EnterpriseTokenAuthorizationDetailsPresent indicates whether the inbound
+	// enterprise token included an authorization_details claim at all. This lets
+	// callers distinguish "claim missing" from "claim present but empty".
+	EnterpriseTokenAuthorizationDetailsPresent bool `json:"enterprise_token_authorization_details_present,omitempty" structs:"enterprise_token_authorization_details_present" mapstructure:"enterprise_token_authorization_details_present"`
+
 	// ClientTokenAccessor is provided to the core so that the it can get
 	// logged as part of request audit logging.
 	ClientTokenAccessor string `json:"client_token_accessor" structs:"client_token_accessor" mapstructure:"client_token_accessor" sentinel:""`
@@ -187,6 +211,12 @@ type Request struct {
 	// to make this request
 	EntityID string `json:"entity_id" structs:"entity_id" mapstructure:"entity_id" sentinel:""`
 
+	// ActorEntityID is the entity ID of the actor in a request.
+	ActorEntityID string `json:"actor_entity_id" structs:"actor_entity_id" mapstructure:"actor_entity_id" sentinel:""`
+
+	// ActorEntityName is the name of the actor entity in a request.
+	ActorEntityName string `json:"actor_entity_name" structs:"actor_entity_name" mapstructure:"actor_entity_name" sentinel:""`
+
 	// PolicyOverride indicates that the requestor wishes to override
 	// soft-mandatory Sentinel policies
 	PolicyOverride bool `json:"policy_override" structs:"policy_override" mapstructure:"policy_override"`
@@ -257,8 +287,11 @@ type Request struct {
 	// client token.
 	ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""`
 
-	// InboundSSCToken is the token that arrives on an inbound request, supplied
-	// by the vault user.
+	// InboundSSCToken stores the original token value as supplied by the caller
+	// on the inbound request (header/body), before token decoding or
+	// normalization (for example SSCT decoding or enterprise token normalization
+	// to internal IDs). This allows response/forwarding paths to preserve the
+	// caller-visible token representation when needed.
 	InboundSSCToken string
 
 	// When a request has been forwarded, contains information of the host the request was forwarded 'from'
diff --git a/sdk/logical/response.go b/sdk/logical/response.go
index f80cb83093..8a0a1518d0 100644
--- a/sdk/logical/response.go
+++ b/sdk/logical/response.go
@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/http"
 	"strconv"
+	"strings"
 	"sync/atomic"
 
 	"github.com/hashicorp/vault/sdk/helper/wrapping"
@@ -29,6 +30,12 @@ const (
 	// avoided like the HTTPContentType. The value must be a byte slice.
 	HTTPRawBody = "http_raw_body"
 
+	// HTTPRawBodyError is similar to HTTPRawBody.  The difference is that
+	// HTTPRawBodyError is specifically intended for endpoints that want to manage
+	// their error response directly.  This was added to mitigate the risk of
+	// causing regressions in the error responses of existing HTTPRawBody users.
+	HTTPRawBodyError = "http_raw_body_error"
+
 	// HTTPStatusCode is the response code of the HTTP body that goes with the HTTPContentType.
 	// This can only be specified for non-secrets, and should should be similarly
 	// avoided like the HTTPContentType. The value must be an integer.
@@ -261,14 +268,16 @@ type StatusHeaderResponseWriter struct {
 	wroteHeader bool
 	StatusCode  int
 	headers     map[string][]*CustomHeader
+	cspNonce    string
 }
 
-func NewStatusHeaderResponseWriter(w http.ResponseWriter, h map[string][]*CustomHeader) *StatusHeaderResponseWriter {
+func NewStatusHeaderResponseWriter(w http.ResponseWriter, h map[string][]*CustomHeader, cspNonce string) *StatusHeaderResponseWriter {
 	return &StatusHeaderResponseWriter{
 		wrapped:     w,
 		wroteHeader: false,
 		StatusCode:  200,
 		headers:     h,
+		cspNonce:    cspNonce,
 	}
 }
 
@@ -326,7 +335,12 @@ func (w *StatusHeaderResponseWriter) setCustomResponseHeaders(status int) {
 	// setter function to set the headers
 	setter := func(hvl []*CustomHeader) {
 		for _, hv := range hvl {
-			w.Header().Set(hv.Name, hv.Value)
+			headerValue := hv.Value
+			// Inject CSP nonce if this is a Content-Security-Policy header and we have a nonce
+			if hv.Name == "Content-Security-Policy" && w.cspNonce != "" {
+				headerValue = MergeNonceIntoCSP(headerValue, w.cspNonce, "style-src")
+			}
+			w.Header().Set(hv.Name, headerValue)
 		}
 	}
 
@@ -347,6 +361,37 @@ func (w *StatusHeaderResponseWriter) setCustomResponseHeaders(status int) {
 	return
 }
 
+// MergeNonceIntoCSP merges a nonce into the specified directive of a CSP policy
+func MergeNonceIntoCSP(cspPolicy, nonce string, targetDirective string) string {
+	if cspPolicy == "" || nonce == "" {
+		return cspPolicy
+	}
+
+	nonceDirective := fmt.Sprintf("'nonce-%s'", nonce)
+	directives := strings.Split(cspPolicy, ";")
+	directiveFound := false
+
+	for i, directive := range directives {
+		directive = strings.TrimSpace(directive)
+		if strings.HasPrefix(directive, targetDirective) {
+			directiveFound = true
+			// Check if nonce is already present
+			if !strings.Contains(directive, nonceDirective) {
+				// Add nonce after the directive keyword
+				directives[i] = directive + " " + nonceDirective
+			}
+			break
+		}
+	}
+
+	// If target directive doesn't exist, add it
+	if !directiveFound {
+		directives = append(directives, targetDirective+" "+nonceDirective)
+	}
+
+	return strings.Join(directives, ";")
+}
+
 var _ WrappingResponseWriter = &StatusHeaderResponseWriter{}
 
 // ResolveRoleResponse returns a standard response to be returned by functions handling a ResolveRoleOperation
diff --git a/sdk/logical/response_util.go b/sdk/logical/response_util.go
index 3408524aca..231dc08ca9 100644
--- a/sdk/logical/response_util.go
+++ b/sdk/logical/response_util.go
@@ -4,6 +4,7 @@
 package logical
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -196,24 +197,38 @@ func AdjustErrorStatusCode(status *int, err error) {
 	}
 }
 
+type errorResponse struct {
+	Errors []string `json:"errors"`
+}
+
+// GenerateNonLogicalErrorResponse returns a struct that can be serialized to
+// JSON as part of reporting an error to callers.  It is used by some older APIs
+// that live in the http layer which don't use logical.Response, as well as by
+// some that do but are emulating the older ones.
+func GenerateNonLogicalErrorResponse(status int, err error) *errorResponse {
+	resp := &errorResponse{Errors: make([]string, 0, 1)}
+	if err != nil {
+		resp.Errors = append(resp.Errors, err.Error())
+	}
+
+	return resp
+}
+
 func RespondError(w http.ResponseWriter, status int, err error) {
 	AdjustErrorStatusCode(&status, err)
 
 	defer IncrementResponseStatusCodeMetric(status)
 
+	var b bytes.Buffer
+	enc := json.NewEncoder(&b)
+	enc.Encode(GenerateNonLogicalErrorResponse(status, err))
+	RespondWithBody(w, status, b.String())
+}
+
+func RespondWithBody(w http.ResponseWriter, status int, body string) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
-
-	type ErrorResponse struct {
-		Errors []string `json:"errors"`
-	}
-	resp := &ErrorResponse{Errors: make([]string, 0, 1)}
-	if err != nil {
-		resp.Errors = append(resp.Errors, err.Error())
-	}
-
-	enc := json.NewEncoder(w)
-	enc.Encode(resp)
+	w.Write([]byte(body))
 }
 
 func RespondErrorAndData(w http.ResponseWriter, status int, data interface{}, err error) {
diff --git a/sdk/logical/token.go b/sdk/logical/token.go
index f2caca9c9d..f1aad686f4 100644
--- a/sdk/logical/token.go
+++ b/sdk/logical/token.go
@@ -36,6 +36,8 @@ const (
 	// TokenTypeDefault is sent back by the mount, create Batch tokens
 	TokenTypeDefaultBatch
 
+	TokenTypeEnt
+
 	// ClientIDTWEDelimiter Delimiter between the string fields used to generate a client
 	// ID for tokens without entities. This is the 0 character, which
 	// is a non-printable string. Please see unicode.IsPrint for details.
@@ -67,6 +69,8 @@ func (t *TokenType) UnmarshalJSON(b []byte) error {
 		*t = TokenTypeDefaultService
 	case `"default-batch"`:
 		*t = TokenTypeDefaultBatch
+	case `"ent"`:
+		*t = TokenTypeEnt
 	default:
 		return fmt.Errorf("unknown token type %q", s)
 	}
@@ -75,6 +79,8 @@ func (t *TokenType) UnmarshalJSON(b []byte) error {
 
 // TokenEntry is used to represent a given token
 type TokenEntry struct {
+	EntToken
+
 	Type TokenType `json:"type" mapstructure:"type" structs:"type" sentinel:""`
 
 	// ID of this entry, generally a random UUID
@@ -253,7 +259,7 @@ func (te *TokenEntry) SentinelGet(key string) (interface{}, error) {
 	case "type":
 		teType := te.Type
 		switch teType {
-		case TokenTypeBatch, TokenTypeService:
+		case TokenTypeBatch, TokenTypeService, TokenTypeEnt:
 		case TokenTypeDefault:
 			teType = TokenTypeService
 		default:
diff --git a/sdk/logical/token_ce.go b/sdk/logical/token_ce.go
new file mode 100644
index 0000000000..c888da8976
--- /dev/null
+++ b/sdk/logical/token_ce.go
@@ -0,0 +1,16 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build !enterprise
+
+package logical
+
+type (
+	EntToken struct{}
+)
+
+// IsStorageBacked reports whether this token has backing token storage.
+// Community edition tokens always use token storage.
+func (te *TokenEntry) IsStorageBacked() bool {
+	return te != nil
+}
diff --git a/sdk/logical/tokentype_enumer.go b/sdk/logical/tokentype_enumer.go
index 9b350a74d3..39156d7cb3 100644
--- a/sdk/logical/tokentype_enumer.go
+++ b/sdk/logical/tokentype_enumer.go
@@ -6,9 +6,9 @@ import (
 	"fmt"
 )
 
-const _TokenTypeName = "defaultservicebatchdefault-servicedefault-batch"
+const _TokenTypeName = "defaultservicebatchdefault-servicedefault-batchent"
 
-var _TokenTypeIndex = [...]uint8{0, 7, 14, 19, 34, 47}
+var _TokenTypeIndex = [...]uint8{0, 7, 14, 19, 34, 47, 50}
 
 func (i TokenType) String() string {
 	if i >= TokenType(len(_TokenTypeIndex)-1) {
@@ -17,7 +17,7 @@ func (i TokenType) String() string {
 	return _TokenTypeName[_TokenTypeIndex[i]:_TokenTypeIndex[i+1]]
 }
 
-var _TokenTypeValues = []TokenType{0, 1, 2, 3, 4}
+var _TokenTypeValues = []TokenType{0, 1, 2, 3, 4, 5}
 
 var _TokenTypeNameToValueMap = map[string]TokenType{
 	_TokenTypeName[0:7]:   0,
@@ -25,6 +25,7 @@ var _TokenTypeNameToValueMap = map[string]TokenType{
 	_TokenTypeName[14:19]: 2,
 	_TokenTypeName[19:34]: 3,
 	_TokenTypeName[34:47]: 4,
+	_TokenTypeName[47:50]: 5,
 }
 
 // TokenTypeString retrieves an enum value from the enum constants string name.
diff --git a/sdk/physical/inmem/inmem.go b/sdk/physical/inmem/inmem.go
index 4365d7ff04..aac7feaac9 100644
--- a/sdk/physical/inmem/inmem.go
+++ b/sdk/physical/inmem/inmem.go
@@ -6,7 +6,6 @@ package inmem
 import (
 	"context"
 	"errors"
-	"fmt"
 	"os"
 	"strconv"
 	"strings"
@@ -176,7 +175,7 @@ func (i *InmemBackend) PutInternal(ctx context.Context, entry *physical.Entry) e
 	}
 
 	if i.maxValueSize > 0 && len(entry.Value) > i.maxValueSize {
-		return fmt.Errorf("%s", physical.ErrValueTooLarge)
+		return physical.ErrValueSize
 	}
 
 	i.root.Insert(entry.Key, entry.Value)
diff --git a/sdk/physical/path_error.go b/sdk/physical/path_error.go
new file mode 100644
index 0000000000..37b05aefaf
--- /dev/null
+++ b/sdk/physical/path_error.go
@@ -0,0 +1,146 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package physical
+
+import (
+	"context"
+	"errors"
+	"math/rand"
+	"strings"
+	"sync"
+	"time"
+
+	log "github.com/hashicorp/go-hclog"
+)
+
+// PathErrorInjector wraps a physical backend and injects errors on storage
+// operations whose keys match configured path prefixes. Unlike ErrorInjector,
+// it does not support a global error rate — errors are only injected for
+// paths that have been explicitly configured via SetErrorPercentageForPath.
+//
+// This is useful for tests that need surgical failure injection on specific
+// storage paths (e.g. packer buckets) without affecting unrelated operations.
+type PathErrorInjector struct {
+	backend    Backend
+	pathErrors map[string]int
+	mu         sync.RWMutex
+	randMu     sync.Mutex
+	random     *rand.Rand
+}
+
+// TransactionalPathErrorInjector is the transactional version of
+// PathErrorInjector.
+type TransactionalPathErrorInjector struct {
+	*PathErrorInjector
+	Transactional
+}
+
+var (
+	_ Backend       = (*PathErrorInjector)(nil)
+	_ Transactional = (*TransactionalPathErrorInjector)(nil)
+)
+
+// NewPathErrorInjector creates a new PathErrorInjector wrapping the given
+// backend. No errors are injected until SetErrorPercentageForPath is called.
+func NewPathErrorInjector(b Backend, logger log.Logger) *PathErrorInjector {
+	logger.Info("creating path error injector")
+	return &PathErrorInjector{
+		backend:    b,
+		pathErrors: make(map[string]int),
+		random:     rand.New(rand.NewSource(int64(time.Now().Nanosecond()))),
+	}
+}
+
+// NewTransactionalPathErrorInjector creates a new transactional
+// PathErrorInjector wrapping the given backend.
+func NewTransactionalPathErrorInjector(b Backend, logger log.Logger) *TransactionalPathErrorInjector {
+	return &TransactionalPathErrorInjector{
+		PathErrorInjector: NewPathErrorInjector(b, logger),
+		Transactional:     b.(Transactional),
+	}
+}
+
+// SetErrorPercentageForPath sets an error injection percentage for a specific
+// path prefix. Any storage operation whose key starts with the given prefix
+// will fail with the configured probability (0-100). The longest matching
+// prefix wins when multiple prefixes match a key. This method is safe for
+// concurrent use.
+func (e *PathErrorInjector) SetErrorPercentageForPath(path string, p int) {
+	e.mu.Lock()
+	e.pathErrors[path] = p
+	e.mu.Unlock()
+}
+
+func (e *PathErrorInjector) addError(key string) error {
+	e.mu.RLock()
+	percent := 0
+	longestMatch := 0
+	for prefix, p := range e.pathErrors {
+		if strings.HasPrefix(key, prefix) && len(prefix) > longestMatch {
+			longestMatch = len(prefix)
+			percent = p
+		}
+	}
+	e.mu.RUnlock()
+
+	if percent == 0 {
+		return nil
+	}
+
+	e.randMu.Lock()
+	roll := e.random.Intn(100)
+	e.randMu.Unlock()
+
+	if roll < percent {
+		return errors.New("random error")
+	}
+	return nil
+}
+
+func (e *PathErrorInjector) Put(ctx context.Context, entry *Entry) error {
+	if err := e.addError(entry.Key); err != nil {
+		return err
+	}
+	return e.backend.Put(ctx, entry)
+}
+
+func (e *PathErrorInjector) Get(ctx context.Context, key string) (*Entry, error) {
+	if err := e.addError(key); err != nil {
+		return nil, err
+	}
+	return e.backend.Get(ctx, key)
+}
+
+func (e *PathErrorInjector) Delete(ctx context.Context, key string) error {
+	if err := e.addError(key); err != nil {
+		return err
+	}
+	return e.backend.Delete(ctx, key)
+}
+
+func (e *PathErrorInjector) List(ctx context.Context, prefix string) ([]string, error) {
+	if err := e.addError(prefix); err != nil {
+		return nil, err
+	}
+	return e.backend.List(ctx, prefix)
+}
+
+func (e *TransactionalPathErrorInjector) Transaction(ctx context.Context, txns []*TxnEntry) error {
+	for _, txn := range txns {
+		if txn != nil {
+			if err := e.addError(txn.Entry.Key); err != nil {
+				return err
+			}
+		}
+	}
+	return e.Transactional.Transaction(ctx, txns)
+}
+
+// TransactionLimits implements physical.TransactionalLimits
+func (e *TransactionalPathErrorInjector) TransactionLimits() (int, int) {
+	if tl, ok := e.Transactional.(TransactionalLimits); ok {
+		return tl.TransactionLimits()
+	}
+	return 0, 0
+}
diff --git a/sdk/physical/physical.go b/sdk/physical/physical.go
index 9baa60795b..add5f1ede0 100644
--- a/sdk/physical/physical.go
+++ b/sdk/physical/physical.go
@@ -5,6 +5,7 @@ package physical
 
 import (
 	"context"
+	"errors"
 	"strings"
 
 	log "github.com/hashicorp/go-hclog"
@@ -28,6 +29,9 @@ const (
 	ErrKeyTooLarge   = "put failed due to key being too large"
 )
 
+// ErrValueSize is the error returned when the value is too large
+var ErrValueSize = errors.New(ErrValueTooLarge)
+
 // Backend is the interface required for a physical
 // backend. A physical backend is used to durably store
 // data outside of Vault. As such, it is completely untrusted,
diff --git a/sdk/plugin/grpc_system.go b/sdk/plugin/grpc_system.go
index df7d35c4f2..bf66efc1ac 100644
--- a/sdk/plugin/grpc_system.go
+++ b/sdk/plugin/grpc_system.go
@@ -250,11 +250,12 @@ func (s *gRPCSystemViewClient) GetRotationInformation(ctx context.Context, req *
 func (s *gRPCSystemViewClient) RegisterRotationJobWithResponse(ctx context.Context, req *rotation.RotationJobConfigureRequest) (*rotation.RotationInfo, error) {
 	cfgReq := &pb.RegisterRotationJobRequest{
 		Job: &pb.RotationJobInput{
-			Name:             req.Name,
-			MountPoint:       req.MountPoint,
-			Path:             req.ReqPath,
-			RotationSchedule: req.RotationSchedule,
-			RotationPolicy:   req.RotationPolicy,
+			Name:                           req.Name,
+			MountPoint:                     req.MountPoint,
+			Path:                           req.ReqPath,
+			RotationSchedule:               req.RotationSchedule,
+			RotationPolicy:                 req.RotationPolicy,
+			MigratedLegacyNextRotationTime: req.MigratedLegacyNextRotationTime.Unix(),
 
 			// on the side outbound from the plugin, we convert duration to seconds, so seconds get sent over the wire
 			RotationWindow: int64(req.RotationWindow.Seconds()),
@@ -534,8 +535,9 @@ func (s *gRPCSystemViewServer) RegisterRotationJobWithResponse(ctx context.Conte
 		// on the side inbound to vault, we convert seconds back to time.Duration
 		// Note: this value is seconds (as per the outbound client call, despite being int64)
 		// The field is int64 because of gRPC reasons, not time.Duration reasons
-		RotationWindow: time.Duration(req.Job.RotationWindow) * time.Second,
-		RotationPeriod: time.Duration(req.Job.RotationPeriod) * time.Second,
+		RotationWindow:                 time.Duration(req.Job.RotationWindow) * time.Second,
+		RotationPeriod:                 time.Duration(req.Job.RotationPeriod) * time.Second,
+		MigratedLegacyNextRotationTime: time.Unix(req.Job.MigratedLegacyNextRotationTime, 0).UTC(),
 	}
 
 	resp, err := s.impl.RegisterRotationJobWithResponse(ctx, cfgReq)
@@ -553,30 +555,13 @@ func (s *gRPCSystemViewServer) RegisterRotationJobWithResponse(ctx context.Conte
 }
 
 func (s *gRPCSystemViewServer) RegisterRotationJob(ctx context.Context, req *pb.RegisterRotationJobRequest) (*pb.RegisterRotationJobResponse, error) {
-	if s.impl == nil {
-		return nil, errMissingSystemView
-	}
-
-	cfgReq := &rotation.RotationJobConfigureRequest{
-		Name:             req.Job.Name,
-		MountPoint:       req.Job.MountPoint,
-		ReqPath:          req.Job.Path,
-		RotationSchedule: req.Job.RotationSchedule,
-		RotationPolicy:   req.Job.RotationPolicy,
-		// on the side inbound to vault, we convert seconds back to time.Duration
-		// Note: this value is seconds (as per the outbound client call, despite being int64)
-		// The field is int64 because of gRPC reasons, not time.Duration reasons
-		RotationWindow: time.Duration(req.Job.RotationWindow) * time.Second,
-		RotationPeriod: time.Duration(req.Job.RotationPeriod) * time.Second,
-	}
-
-	rotationID, err := s.impl.RegisterRotationJob(ctx, cfgReq)
+	resp, err := s.RegisterRotationJobWithResponse(ctx, req)
 	if err != nil {
-		return &pb.RegisterRotationJobResponse{}, status.Error(codes.Internal, err.Error())
+		return &pb.RegisterRotationJobResponse{}, err
 	}
 
 	return &pb.RegisterRotationJobResponse{
-		RotationID: rotationID,
+		RotationID: resp.GetInfo().GetRotationID(),
 	}, nil
 }
 
diff --git a/sdk/plugin/pb/backend.pb.go b/sdk/plugin/pb/backend.pb.go
index 5b04176889..caa05db35d 100644
--- a/sdk/plugin/pb/backend.pb.go
+++ b/sdk/plugin/pb/backend.pb.go
@@ -3644,16 +3644,17 @@ func (x *RegisterRotationJobResponse) GetErr() string {
 }
 
 type RotationJobInput struct {
-	state            protoimpl.MessageState `protogen:"open.v1"`
-	Name             string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
-	MountPoint       string                 `protobuf:"bytes,2,opt,name=mount_point,json=mountPoint,proto3" json:"mount_point,omitempty"`
-	Path             string                 `protobuf:"bytes,3,opt,name=path,proto3" json:"path,omitempty"`
-	RotationSchedule string                 `protobuf:"bytes,4,opt,name=rotation_schedule,json=rotationSchedule,proto3" json:"rotation_schedule,omitempty"`
-	RotationWindow   int64                  `protobuf:"varint,5,opt,name=rotation_window,json=rotationWindow,proto3" json:"rotation_window,omitempty"`
-	RotationPeriod   int64                  `protobuf:"varint,6,opt,name=rotation_period,json=rotationPeriod,proto3" json:"rotation_period,omitempty"`
-	RotationPolicy   string                 `protobuf:"bytes,7,opt,name=rotation_policy,json=rotationPolicy,proto3" json:"rotation_policy,omitempty"`
-	unknownFields    protoimpl.UnknownFields
-	sizeCache        protoimpl.SizeCache
+	state                          protoimpl.MessageState `protogen:"open.v1"`
+	Name                           string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	MountPoint                     string                 `protobuf:"bytes,2,opt,name=mount_point,json=mountPoint,proto3" json:"mount_point,omitempty"`
+	Path                           string                 `protobuf:"bytes,3,opt,name=path,proto3" json:"path,omitempty"`
+	RotationSchedule               string                 `protobuf:"bytes,4,opt,name=rotation_schedule,json=rotationSchedule,proto3" json:"rotation_schedule,omitempty"`
+	RotationWindow                 int64                  `protobuf:"varint,5,opt,name=rotation_window,json=rotationWindow,proto3" json:"rotation_window,omitempty"`
+	RotationPeriod                 int64                  `protobuf:"varint,6,opt,name=rotation_period,json=rotationPeriod,proto3" json:"rotation_period,omitempty"`
+	RotationPolicy                 string                 `protobuf:"bytes,7,opt,name=rotation_policy,json=rotationPolicy,proto3" json:"rotation_policy,omitempty"`
+	MigratedLegacyNextRotationTime int64                  `protobuf:"varint,8,opt,name=migrated_legacy_next_rotation_time,json=migratedLegacyNextRotationTime,proto3" json:"migrated_legacy_next_rotation_time,omitempty"`
+	unknownFields                  protoimpl.UnknownFields
+	sizeCache                      protoimpl.SizeCache
 }
 
 func (x *RotationJobInput) Reset() {
@@ -3735,6 +3736,13 @@ func (x *RotationJobInput) GetRotationPolicy() string {
 	return ""
 }
 
+func (x *RotationJobInput) GetMigratedLegacyNextRotationTime() int64 {
+	if x != nil {
+		return x.MigratedLegacyNextRotationTime
+	}
+	return 0
+}
+
 type DeregisterRotationRequestInput struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	MountPoint    string                 `protobuf:"bytes,1,opt,name=mount_point,json=mountPoint,proto3" json:"mount_point,omitempty"`
@@ -4689,7 +4697,7 @@ var file_sdk_plugin_pb_backend_proto_rawDesc = string([]byte{
 	0x4a, 0x6f, 0x62, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x72,
 	0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x0a, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x10, 0x0a, 0x03,
-	0x65, 0x72, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x65, 0x72, 0x72, 0x22, 0x83,
+	0x65, 0x72, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x65, 0x72, 0x72, 0x22, 0xcf,
 	0x02, 0x0a, 0x10, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x49, 0x6e,
 	0x70, 0x75, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
 	0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x6d, 0x6f, 0x75, 0x6e, 0x74,
@@ -4706,208 +4714,213 @@ var file_sdk_plugin_pb_backend_proto_rawDesc = string([]byte{
 	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x12, 0x27, 0x0a, 0x0f, 0x72,
 	0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x07,
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f,
-	0x6c, 0x69, 0x63, 0x79, 0x22, 0x5c, 0x0a, 0x1e, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
-	0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f,
-	0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x6f, 0x75,
-	0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x65, 0x71, 0x5f, 0x70,
-	0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x72, 0x65, 0x71, 0x50, 0x61,
-	0x74, 0x68, 0x22, 0x54, 0x0a, 0x1c, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72,
-	0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x12, 0x34, 0x0a, 0x03, 0x72, 0x65, 0x71, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x22, 0x2e, 0x70, 0x62, 0x2e, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52,
-	0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x6e,
-	0x70, 0x75, 0x74, 0x52, 0x03, 0x72, 0x65, 0x71, 0x22, 0x8e, 0x01, 0x0a, 0x0a, 0x43, 0x6f, 0x6e,
-	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74,
-	0x65, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x65,
-	0x6d, 0x6f, 0x74, 0x65, 0x41, 0x64, 0x64, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f,
-	0x74, 0x65, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x72,
-	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x3e, 0x0a, 0x10, 0x63, 0x6f, 0x6e,
-	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
-	0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
-	0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x22, 0xbb, 0x04, 0x0a, 0x0f, 0x43, 0x6f,
-	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x18, 0x0a,
-	0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07,
-	0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2d, 0x0a, 0x12, 0x68, 0x61, 0x6e, 0x64, 0x73,
-	0x68, 0x61, 0x6b, 0x65, 0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x11, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x43, 0x6f,
-	0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x64, 0x69, 0x64, 0x5f, 0x72, 0x65,
-	0x73, 0x75, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x64, 0x69, 0x64, 0x52,
-	0x65, 0x73, 0x75, 0x6d, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f,
-	0x73, 0x75, 0x69, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x63, 0x69, 0x70,
-	0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x12, 0x2f, 0x0a, 0x13, 0x6e, 0x65, 0x67, 0x6f,
-	0x74, 0x69, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18,
-	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x6e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x65,
-	0x64, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x41, 0x0a, 0x1d, 0x6e, 0x65, 0x67,
-	0x6f, 0x74, 0x69, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
-	0x5f, 0x69, 0x73, 0x5f, 0x6d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08,
-	0x52, 0x1a, 0x6e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x65, 0x64, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x63, 0x6f, 0x6c, 0x49, 0x73, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x12, 0x1f, 0x0a, 0x0b,
-	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a,
-	0x11, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
-	0x65, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x65,
-	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x10,
-	0x70, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73,
-	0x12, 0x3d, 0x0a, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x5f, 0x63, 0x68, 0x61,
-	0x69, 0x6e, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x43,
-	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52,
-	0x0e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x12,
-	0x42, 0x0a, 0x1d, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
-	0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73,
-	0x18, 0x0a, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x1b, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65,
-	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x6d, 0x70, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x6f, 0x63, 0x73, 0x70, 0x5f, 0x72, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x6f, 0x63, 0x73, 0x70,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x6c, 0x73, 0x5f,
-	0x75, 0x6e, 0x69, 0x71, 0x75, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x74, 0x6c,
-	0x73, 0x55, 0x6e, 0x69, 0x71, 0x75, 0x65, 0x22, 0x2a, 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69,
-	0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x61, 0x73, 0x6e, 0x31, 0x5f, 0x64,
-	0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x61, 0x73, 0x6e, 0x31, 0x44,
-	0x61, 0x74, 0x61, 0x22, 0x47, 0x0a, 0x10, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-	0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x33, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69,
-	0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0f, 0x2e,
-	0x70, 0x62, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x0c,
-	0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x22, 0x5b, 0x0a, 0x10,
-	0x53, 0x65, 0x6e, 0x64, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x28, 0x0a, 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12,
-	0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x44, 0x61,
-	0x74, 0x61, 0x52, 0x05, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x22, 0x72, 0x0a, 0x18, 0x52, 0x65, 0x63,
-	0x6f, 0x72, 0x64, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65,
-	0x12, 0x2b, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x32, 0xa5, 0x03,
-	0x0a, 0x07, 0x42, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x12, 0x3e, 0x0a, 0x0d, 0x48, 0x61, 0x6e,
-	0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x15, 0x2e, 0x70, 0x62, 0x2e,
-	0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x41, 0x72, 0x67,
-	0x73, 0x1a, 0x16, 0x2e, 0x70, 0x62, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x30, 0x0a, 0x0c, 0x53, 0x70, 0x65,
-	0x63, 0x69, 0x61, 0x6c, 0x50, 0x61, 0x74, 0x68, 0x73, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45,
-	0x6d, 0x70, 0x74, 0x79, 0x1a, 0x15, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x70, 0x65, 0x63, 0x69, 0x61,
-	0x6c, 0x50, 0x61, 0x74, 0x68, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x53, 0x0a, 0x14, 0x48,
-	0x61, 0x6e, 0x64, 0x6c, 0x65, 0x45, 0x78, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x63, 0x65, 0x43, 0x68,
-	0x65, 0x63, 0x6b, 0x12, 0x1c, 0x2e, 0x70, 0x62, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x45,
-	0x78, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x63, 0x65, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x41, 0x72, 0x67,
-	0x73, 0x1a, 0x1d, 0x2e, 0x70, 0x62, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x45, 0x78, 0x69,
-	0x73, 0x74, 0x65, 0x6e, 0x63, 0x65, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x70, 0x6c, 0x79,
-	0x12, 0x1f, 0x0a, 0x07, 0x43, 0x6c, 0x65, 0x61, 0x6e, 0x75, 0x70, 0x12, 0x09, 0x2e, 0x70, 0x62,
-	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74,
-	0x79, 0x12, 0x31, 0x0a, 0x0d, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4b,
-	0x65, 0x79, 0x12, 0x15, 0x2e, 0x70, 0x62, 0x2e, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61,
-	0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45,
-	0x6d, 0x70, 0x74, 0x79, 0x12, 0x26, 0x0a, 0x05, 0x53, 0x65, 0x74, 0x75, 0x70, 0x12, 0x0d, 0x2e,
-	0x70, 0x62, 0x2e, 0x53, 0x65, 0x74, 0x75, 0x70, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x0e, 0x2e, 0x70,
-	0x62, 0x2e, 0x53, 0x65, 0x74, 0x75, 0x70, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x35, 0x0a, 0x0a,
-	0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x2e, 0x70, 0x62, 0x2e,
-	0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x13,
-	0x2e, 0x70, 0x62, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x52, 0x65,
-	0x70, 0x6c, 0x79, 0x12, 0x20, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09, 0x2e, 0x70, 0x62,
-	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0d, 0x2e, 0x70, 0x62, 0x2e, 0x54, 0x79, 0x70, 0x65,
-	0x52, 0x65, 0x70, 0x6c, 0x79, 0x32, 0xd5, 0x01, 0x0a, 0x07, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67,
-	0x65, 0x12, 0x31, 0x0a, 0x04, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x13, 0x2e, 0x70, 0x62, 0x2e, 0x53,
-	0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x14,
-	0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x52,
-	0x65, 0x70, 0x6c, 0x79, 0x12, 0x2e, 0x0a, 0x03, 0x47, 0x65, 0x74, 0x12, 0x12, 0x2e, 0x70, 0x62,
-	0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x47, 0x65, 0x74, 0x41, 0x72, 0x67, 0x73, 0x1a,
-	0x13, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x47, 0x65, 0x74, 0x52,
-	0x65, 0x70, 0x6c, 0x79, 0x12, 0x2e, 0x0a, 0x03, 0x50, 0x75, 0x74, 0x12, 0x12, 0x2e, 0x70, 0x62,
-	0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x50, 0x75, 0x74, 0x41, 0x72, 0x67, 0x73, 0x1a,
-	0x13, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x50, 0x75, 0x74, 0x52,
-	0x65, 0x70, 0x6c, 0x79, 0x12, 0x37, 0x0a, 0x06, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x12, 0x15,
-	0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x44, 0x65, 0x6c, 0x65, 0x74,
-	0x65, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x16, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61,
-	0x67, 0x65, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x32, 0x94, 0x09,
-	0x0a, 0x0a, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x56, 0x69, 0x65, 0x77, 0x12, 0x2a, 0x0a, 0x0f,
-	0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x54, 0x54, 0x4c, 0x12,
-	0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0c, 0x2e, 0x70, 0x62, 0x2e,
-	0x54, 0x54, 0x4c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x26, 0x0a, 0x0b, 0x4d, 0x61, 0x78, 0x4c,
-	0x65, 0x61, 0x73, 0x65, 0x54, 0x54, 0x4c, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70,
-	0x74, 0x79, 0x1a, 0x0c, 0x2e, 0x70, 0x62, 0x2e, 0x54, 0x54, 0x4c, 0x52, 0x65, 0x70, 0x6c, 0x79,
-	0x12, 0x26, 0x0a, 0x07, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x12, 0x09, 0x2e, 0x70, 0x62,
-	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x62, 0x2e, 0x54, 0x61, 0x69, 0x6e,
-	0x74, 0x65, 0x64, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x36, 0x0a, 0x0f, 0x43, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x09, 0x2e, 0x70, 0x62,
-	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x67, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x52, 0x65, 0x70, 0x6c, 0x79,
-	0x12, 0x38, 0x0a, 0x10, 0x52, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53,
-	0x74, 0x61, 0x74, 0x65, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a,
-	0x19, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x47, 0x0a, 0x10, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x57, 0x72, 0x61, 0x70, 0x44, 0x61, 0x74, 0x61, 0x12, 0x18,
-	0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x57, 0x72, 0x61, 0x70,
-	0x44, 0x61, 0x74, 0x61, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x19, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x57, 0x72, 0x61, 0x70, 0x44, 0x61, 0x74, 0x61, 0x52, 0x65,
-	0x70, 0x6c, 0x79, 0x12, 0x30, 0x0a, 0x0c, 0x4d, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x61, 0x62,
-	0x6c, 0x65, 0x64, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x15,
-	0x2e, 0x70, 0x62, 0x2e, 0x4d, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64,
-	0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x2c, 0x0a, 0x0a, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x4d, 0x6f,
-	0x75, 0x6e, 0x74, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x13,
-	0x2e, 0x70, 0x62, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65,
-	0x70, 0x6c, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x6e, 0x66,
-	0x6f, 0x12, 0x12, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x6e, 0x66,
-	0x6f, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x13, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74,
-	0x79, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x2a, 0x0a, 0x09, 0x50, 0x6c,
-	0x75, 0x67, 0x69, 0x6e, 0x45, 0x6e, 0x76, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70,
-	0x74, 0x79, 0x1a, 0x12, 0x2e, 0x70, 0x62, 0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x45, 0x6e,
-	0x76, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x3f, 0x0a, 0x0f, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73,
-	0x46, 0x6f, 0x72, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x12, 0x2e, 0x70, 0x62, 0x2e, 0x45,
-	0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x6e, 0x66, 0x6f, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x18, 0x2e,
-	0x70, 0x62, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x46, 0x6f, 0x72, 0x45, 0x6e, 0x74, 0x69,
-	0x74, 0x79, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x68, 0x0a, 0x1a, 0x47, 0x65, 0x6e, 0x65, 0x72,
-	0x61, 0x74, 0x65, 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x46, 0x72, 0x6f, 0x6d, 0x50,
-	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x62, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72,
-	0x61, 0x74, 0x65, 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x46, 0x72, 0x6f, 0x6d, 0x50,
-	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x70,
-	0x62, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f,
-	0x72, 0x64, 0x46, 0x72, 0x6f, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x70, 0x6c,
-	0x79, 0x12, 0x2e, 0x0a, 0x0b, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f,
-	0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x70, 0x62,
-	0x2e, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x70, 0x6c,
-	0x79, 0x12, 0x5c, 0x0a, 0x15, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65,
-	0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x20, 0x2e, 0x70, 0x62, 0x2e,
-	0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79,
-	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x70,
-	0x62, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69,
-	0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
-	0x48, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e,
-	0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x17, 0x2e, 0x70, 0x62, 0x2e, 0x52,
-	0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x15, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x56, 0x0a, 0x13, 0x52, 0x65, 0x67,
-	0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62,
+	0x6c, 0x69, 0x63, 0x79, 0x12, 0x4a, 0x0a, 0x22, 0x6d, 0x69, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64,
+	0x5f, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x5f, 0x6e, 0x65, 0x78, 0x74, 0x5f, 0x72, 0x6f, 0x74,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03,
+	0x52, 0x1e, 0x6d, 0x69, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79,
+	0x4e, 0x65, 0x78, 0x74, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x69, 0x6d, 0x65,
+	0x22, 0x5c, 0x0a, 0x1e, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f,
+	0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x6e, 0x70,
+	0x75, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x70, 0x6f, 0x69, 0x6e,
+	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x50, 0x6f,
+	0x69, 0x6e, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x65, 0x71, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x72, 0x65, 0x71, 0x50, 0x61, 0x74, 0x68, 0x22, 0x54,
+	0x0a, 0x1c, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x34,
+	0x0a, 0x03, 0x72, 0x65, 0x71, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x70, 0x62,
+	0x2e, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x52,
+	0x03, 0x72, 0x65, 0x71, 0x22, 0x8e, 0x01, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
+	0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x61, 0x64,
+	0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65,
+	0x41, 0x64, 0x64, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x70,
+	0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x72, 0x65, 0x6d, 0x6f, 0x74,
+	0x65, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x3e, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
+	0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x13, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53,
+	0x74, 0x61, 0x74, 0x65, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+	0x53, 0x74, 0x61, 0x74, 0x65, 0x22, 0xbb, 0x04, 0x0a, 0x0f, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
+	0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72,
+	0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73,
+	0x69, 0x6f, 0x6e, 0x12, 0x2d, 0x0a, 0x12, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65,
+	0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x11, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65,
+	0x74, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x64, 0x69, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6d, 0x65,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x64, 0x69, 0x64, 0x52, 0x65, 0x73, 0x75, 0x6d,
+	0x65, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74,
+	0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53,
+	0x75, 0x69, 0x74, 0x65, 0x12, 0x2f, 0x0a, 0x13, 0x6e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74,
+	0x65, 0x64, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x12, 0x6e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x65, 0x64, 0x50, 0x72, 0x6f,
+	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x41, 0x0a, 0x1d, 0x6e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61,
+	0x74, 0x65, 0x64, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x69, 0x73, 0x5f,
+	0x6d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1a, 0x6e, 0x65,
+	0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x65, 0x64, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
+	0x49, 0x73, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a, 0x11, 0x70, 0x65, 0x65,
+	0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x08,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+	0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x10, 0x70, 0x65, 0x65, 0x72,
+	0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x12, 0x3d, 0x0a, 0x0f,
+	0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x18,
+	0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69,
+	0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x0e, 0x76, 0x65, 0x72,
+	0x69, 0x66, 0x69, 0x65, 0x64, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x42, 0x0a, 0x1d, 0x73,
+	0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
+	0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x18, 0x0a, 0x20, 0x03,
+	0x28, 0x0c, 0x52, 0x1b, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+	0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x12,
+	0x23, 0x0a, 0x0d, 0x6f, 0x63, 0x73, 0x70, 0x5f, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x18, 0x0b, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x6f, 0x63, 0x73, 0x70, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x6c, 0x73, 0x5f, 0x75, 0x6e, 0x69, 0x71,
+	0x75, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x74, 0x6c, 0x73, 0x55, 0x6e, 0x69,
+	0x71, 0x75, 0x65, 0x22, 0x2a, 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+	0x74, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x61, 0x73, 0x6e, 0x31, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x61, 0x73, 0x6e, 0x31, 0x44, 0x61, 0x74, 0x61, 0x22,
+	0x47, 0x0a, 0x10, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68,
+	0x61, 0x69, 0x6e, 0x12, 0x33, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+	0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x70, 0x62, 0x2e, 0x43,
+	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x22, 0x5b, 0x0a, 0x10, 0x53, 0x65, 0x6e, 0x64,
+	0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a,
+	0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x09, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x28, 0x0a, 0x05, 0x65,
+	0x76, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x6c, 0x6f, 0x67,
+	0x69, 0x63, 0x61, 0x6c, 0x2e, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x44, 0x61, 0x74, 0x61, 0x52, 0x05,
+	0x65, 0x76, 0x65, 0x6e, 0x74, 0x22, 0x72, 0x0a, 0x18, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4f,
+	0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x29, 0x0a, 0x10, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x6f, 0x62, 0x73,
+	0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2b, 0x0a, 0x04,
+	0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72,
+	0x75, 0x63, 0x74, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x32, 0xa5, 0x03, 0x0a, 0x07, 0x42, 0x61,
+	0x63, 0x6b, 0x65, 0x6e, 0x64, 0x12, 0x3e, 0x0a, 0x0d, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x15, 0x2e, 0x70, 0x62, 0x2e, 0x48, 0x61, 0x6e, 0x64,
+	0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x16, 0x2e,
+	0x70, 0x62, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x30, 0x0a, 0x0c, 0x53, 0x70, 0x65, 0x63, 0x69, 0x61, 0x6c,
+	0x50, 0x61, 0x74, 0x68, 0x73, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
+	0x1a, 0x15, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x70, 0x65, 0x63, 0x69, 0x61, 0x6c, 0x50, 0x61, 0x74,
+	0x68, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x53, 0x0a, 0x14, 0x48, 0x61, 0x6e, 0x64, 0x6c,
+	0x65, 0x45, 0x78, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x63, 0x65, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12,
+	0x1c, 0x2e, 0x70, 0x62, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x45, 0x78, 0x69, 0x73, 0x74,
+	0x65, 0x6e, 0x63, 0x65, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x1d, 0x2e,
+	0x70, 0x62, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x6c, 0x65, 0x45, 0x78, 0x69, 0x73, 0x74, 0x65, 0x6e,
+	0x63, 0x65, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x1f, 0x0a, 0x07,
+	0x43, 0x6c, 0x65, 0x61, 0x6e, 0x75, 0x70, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70,
+	0x74, 0x79, 0x1a, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x31, 0x0a,
+	0x0d, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x15,
+	0x2e, 0x70, 0x62, 0x2e, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65,
+	0x79, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
+	0x12, 0x26, 0x0a, 0x05, 0x53, 0x65, 0x74, 0x75, 0x70, 0x12, 0x0d, 0x2e, 0x70, 0x62, 0x2e, 0x53,
+	0x65, 0x74, 0x75, 0x70, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x65,
+	0x74, 0x75, 0x70, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x35, 0x0a, 0x0a, 0x49, 0x6e, 0x69, 0x74,
+	0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x2e, 0x70, 0x62, 0x2e, 0x49, 0x6e, 0x69, 0x74,
+	0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x13, 0x2e, 0x70, 0x62, 0x2e,
+	0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12,
+	0x20, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70,
+	0x74, 0x79, 0x1a, 0x0d, 0x2e, 0x70, 0x62, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x65, 0x70, 0x6c,
+	0x79, 0x32, 0xd5, 0x01, 0x0a, 0x07, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x12, 0x31, 0x0a,
+	0x04, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x13, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61,
+	0x67, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x14, 0x2e, 0x70, 0x62, 0x2e,
+	0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79,
+	0x12, 0x2e, 0x0a, 0x03, 0x47, 0x65, 0x74, 0x12, 0x12, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f,
+	0x72, 0x61, 0x67, 0x65, 0x47, 0x65, 0x74, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x13, 0x2e, 0x70, 0x62,
+	0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x47, 0x65, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79,
+	0x12, 0x2e, 0x0a, 0x03, 0x50, 0x75, 0x74, 0x12, 0x12, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f,
+	0x72, 0x61, 0x67, 0x65, 0x50, 0x75, 0x74, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x13, 0x2e, 0x70, 0x62,
+	0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x50, 0x75, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79,
+	0x12, 0x37, 0x0a, 0x06, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x12, 0x15, 0x2e, 0x70, 0x62, 0x2e,
+	0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x72, 0x67,
+	0x73, 0x1a, 0x16, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x44, 0x65,
+	0x6c, 0x65, 0x74, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x32, 0x94, 0x09, 0x0a, 0x0a, 0x53, 0x79,
+	0x73, 0x74, 0x65, 0x6d, 0x56, 0x69, 0x65, 0x77, 0x12, 0x2a, 0x0a, 0x0f, 0x44, 0x65, 0x66, 0x61,
+	0x75, 0x6c, 0x74, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x54, 0x54, 0x4c, 0x12, 0x09, 0x2e, 0x70, 0x62,
+	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0c, 0x2e, 0x70, 0x62, 0x2e, 0x54, 0x54, 0x4c, 0x52,
+	0x65, 0x70, 0x6c, 0x79, 0x12, 0x26, 0x0a, 0x0b, 0x4d, 0x61, 0x78, 0x4c, 0x65, 0x61, 0x73, 0x65,
+	0x54, 0x54, 0x4c, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0c,
+	0x2e, 0x70, 0x62, 0x2e, 0x54, 0x54, 0x4c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x26, 0x0a, 0x07,
+	0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70,
+	0x74, 0x79, 0x1a, 0x10, 0x2e, 0x70, 0x62, 0x2e, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x52,
+	0x65, 0x70, 0x6c, 0x79, 0x12, 0x36, 0x0a, 0x0f, 0x43, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x67, 0x44,
+	0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70,
+	0x74, 0x79, 0x1a, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x67, 0x44,
+	0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x38, 0x0a, 0x10,
+	0x52, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65,
+	0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x19, 0x2e, 0x70, 0x62,
+	0x2e, 0x52, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x47, 0x0a, 0x10, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x57, 0x72, 0x61, 0x70, 0x44, 0x61, 0x74, 0x61, 0x12, 0x18, 0x2e, 0x70, 0x62, 0x2e,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x57, 0x72, 0x61, 0x70, 0x44, 0x61, 0x74, 0x61,
+	0x41, 0x72, 0x67, 0x73, 0x1a, 0x19, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x57, 0x72, 0x61, 0x70, 0x44, 0x61, 0x74, 0x61, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12,
+	0x30, 0x0a, 0x0c, 0x4d, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12,
+	0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x15, 0x2e, 0x70, 0x62, 0x2e,
+	0x4d, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x52, 0x65, 0x70, 0x6c,
+	0x79, 0x12, 0x2c, 0x0a, 0x0a, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x12,
+	0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x13, 0x2e, 0x70, 0x62, 0x2e,
+	0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12,
+	0x35, 0x0a, 0x0a, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x12, 0x2e,
+	0x70, 0x62, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x6e, 0x66, 0x6f, 0x41, 0x72, 0x67,
+	0x73, 0x1a, 0x13, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x6e, 0x66,
+	0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x2a, 0x0a, 0x09, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x45, 0x6e, 0x76, 0x12, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x12,
+	0x2e, 0x70, 0x62, 0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x45, 0x6e, 0x76, 0x52, 0x65, 0x70,
+	0x6c, 0x79, 0x12, 0x3f, 0x0a, 0x0f, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x46, 0x6f, 0x72, 0x45,
+	0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x12, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x49, 0x6e, 0x66, 0x6f, 0x41, 0x72, 0x67, 0x73, 0x1a, 0x18, 0x2e, 0x70, 0x62, 0x2e, 0x47,
+	0x72, 0x6f, 0x75, 0x70, 0x73, 0x46, 0x6f, 0x72, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x65,
+	0x70, 0x6c, 0x79, 0x12, 0x68, 0x0a, 0x1a, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x50,
+	0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x46, 0x72, 0x6f, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63,
+	0x79, 0x12, 0x25, 0x2e, 0x70, 0x62, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x50,
+	0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x46, 0x72, 0x6f, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63,
+	0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x70, 0x62, 0x2e, 0x47, 0x65,
+	0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x46, 0x72,
+	0x6f, 0x6d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x2e, 0x0a,
+	0x0b, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x09, 0x2e, 0x70,
+	0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x43, 0x6c, 0x75,
+	0x73, 0x74, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x5c, 0x0a,
+	0x15, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x20, 0x2e, 0x70, 0x62, 0x2e, 0x47, 0x65, 0x6e, 0x65,
+	0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65,
+	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x70, 0x62, 0x2e, 0x47, 0x65,
+	0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f,
+	0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x48, 0x0a, 0x16, 0x47,
+	0x65, 0x74, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x17, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15,
+	0x2e, 0x70, 0x62, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x66, 0x6f,
+	0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x56, 0x0a, 0x13, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65,
+	0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x12, 0x1e, 0x2e, 0x70,
+	0x62, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x70,
+	0x62, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x6b, 0x0a,
+	0x1f, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x4a, 0x6f, 0x62, 0x57, 0x69, 0x74, 0x68, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
 	0x12, 0x1e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f,
 	0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x1f, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f,
-	0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x12, 0x6b, 0x0a, 0x1f, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x57, 0x69, 0x74, 0x68, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74,
-	0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74,
-	0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x57, 0x69, 0x74,
-	0x68, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x44,
-	0x0a, 0x15, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x12, 0x20, 0x2e, 0x70, 0x62, 0x2e, 0x44, 0x65, 0x72,
-	0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a,
-	0x6f, 0x62, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45,
-	0x6d, 0x70, 0x74, 0x79, 0x32, 0x36, 0x0a, 0x06, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x2c,
-	0x0a, 0x09, 0x53, 0x65, 0x6e, 0x64, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x14, 0x2e, 0x70, 0x62,
-	0x2e, 0x53, 0x65, 0x6e, 0x64, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x1a, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x32, 0x4c, 0x0a, 0x0c,
-	0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x3c, 0x0a, 0x11,
-	0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x1c, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4f, 0x62, 0x73,
-	0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
-	0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x2a, 0x5a, 0x28, 0x67, 0x69,
-	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
-	0x72, 0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x6c, 0x75,
-	0x67, 0x69, 0x6e, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x1a, 0x28, 0x2e, 0x70, 0x62, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f,
+	0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x57, 0x69, 0x74, 0x68, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x12, 0x44, 0x0a, 0x15, 0x44, 0x65,
+	0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x4a, 0x6f, 0x62, 0x12, 0x20, 0x2e, 0x70, 0x62, 0x2e, 0x44, 0x65, 0x72, 0x65, 0x67, 0x69, 0x73,
+	0x74, 0x65, 0x72, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4a, 0x6f, 0x62, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
+	0x32, 0x36, 0x0a, 0x06, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x09, 0x53, 0x65,
+	0x6e, 0x64, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x14, 0x2e, 0x70, 0x62, 0x2e, 0x53, 0x65, 0x6e,
+	0x64, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e,
+	0x70, 0x62, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x32, 0x4c, 0x0a, 0x0c, 0x4f, 0x62, 0x73, 0x65,
+	0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x3c, 0x0a, 0x11, 0x52, 0x65, 0x63, 0x6f,
+	0x72, 0x64, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x2e,
+	0x70, 0x62, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x70, 0x62,
+	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x2a, 0x5a, 0x28, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x76,
+	0x61, 0x75, 0x6c, 0x74, 0x2f, 0x73, 0x64, 0x6b, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2f,
+	0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 })
 
 var (
diff --git a/sdk/plugin/pb/backend.proto b/sdk/plugin/pb/backend.proto
index 32f9ad78e3..af4bf5f89c 100644
--- a/sdk/plugin/pb/backend.proto
+++ b/sdk/plugin/pb/backend.proto
@@ -672,6 +672,7 @@ message RotationJobInput {
   int64 rotation_window = 5;
   int64 rotation_period = 6;
   string rotation_policy = 7;
+  int64 migrated_legacy_next_rotation_time = 8;
 }
 
 message DeregisterRotationRequestInput {
diff --git a/sdk/rotation/rotation_job.go b/sdk/rotation/rotation_job.go
index 92b786c6f1..a5cf2f8df5 100644
--- a/sdk/rotation/rotation_job.go
+++ b/sdk/rotation/rotation_job.go
@@ -29,11 +29,12 @@ type RotationJob struct {
 	// RotationID is the ID returned to the user to manage this secret.
 	// This is generated by Vault core. Any set value will be ignored.
 	// For requests, this will always be blank.
-	RotationID     string `sentinel:""`
-	Path           string
-	MountPoint     string
-	Name           string
-	RotationPolicy string
+	RotationID                     string `sentinel:""`
+	Path                           string
+	MountPoint                     string
+	Name                           string
+	RotationPolicy                 string
+	MigratedLegacyNextRotationTime time.Time
 }
 
 type RotationJobConfigureRequest struct {
@@ -44,6 +45,10 @@ type RotationJobConfigureRequest struct {
 	RotationWindow   time.Duration
 	RotationPeriod   time.Duration
 	RotationPolicy   string
+	// MigratedLegacyNextRotationTime is an optional field that will override the calculated NextVaultRotation time for
+	// only the *first* rotation of the job. This is intended for migrating any existing scheduled rotations from a
+	// plugin-managed rotation queue onto the Rotation Manager, without skipping its next scheduled rotation.
+	MigratedLegacyNextRotationTime time.Time
 }
 
 type RotationJobDeregisterRequest struct {
@@ -121,10 +126,11 @@ func newRotationJob(configRequest *RotationJobConfigureRequest) (*RotationJob, e
 		RotationOptions: RotationOptions{
 			Schedule: rs,
 		},
-		MountPoint:     configRequest.MountPoint,
-		Path:           configRequest.ReqPath,
-		Name:           configRequest.Name,
-		RotationPolicy: configRequest.RotationPolicy,
+		MountPoint:                     configRequest.MountPoint,
+		Path:                           configRequest.ReqPath,
+		Name:                           configRequest.Name,
+		RotationPolicy:                 configRequest.RotationPolicy,
+		MigratedLegacyNextRotationTime: configRequest.MigratedLegacyNextRotationTime,
 	}, nil
 }
 
diff --git a/sdk/rotation/rotation_job_test.go b/sdk/rotation/rotation_job_test.go
index 6b4f79f045..4c342d3c99 100644
--- a/sdk/rotation/rotation_job_test.go
+++ b/sdk/rotation/rotation_job_test.go
@@ -7,6 +7,7 @@ import (
 	"reflect"
 	"strings"
 	"testing"
+	"time"
 )
 
 func TestConfigureRotationJob(t *testing.T) {
@@ -19,33 +20,36 @@ func TestConfigureRotationJob(t *testing.T) {
 		{
 			name: "no rotation params",
 			req: &RotationJobConfigureRequest{
-				MountPoint:       "aws",
-				ReqPath:          "config/root",
-				RotationSchedule: "",
-				RotationWindow:   60,
-				RotationPeriod:   0,
+				MountPoint:                     "aws",
+				ReqPath:                        "config/root",
+				RotationSchedule:               "",
+				RotationWindow:                 60,
+				RotationPeriod:                 0,
+				MigratedLegacyNextRotationTime: time.Time{},
 			},
 			expectedError: "RotationSchedule or RotationPeriod is required to set up rotation job",
 		},
 		{
 			name: "no mount point",
 			req: &RotationJobConfigureRequest{
-				MountPoint:       "",
-				ReqPath:          "config/root",
-				RotationSchedule: "",
-				RotationWindow:   60,
-				RotationPeriod:   5,
+				MountPoint:                     "",
+				ReqPath:                        "config/root",
+				RotationSchedule:               "",
+				RotationWindow:                 60,
+				RotationPeriod:                 5,
+				MigratedLegacyNextRotationTime: time.Time{},
 			},
 			expectedError: "MountPoint is required",
 		},
 		{
 			name: "no req path",
 			req: &RotationJobConfigureRequest{
-				MountPoint:       "aws",
-				ReqPath:          "",
-				RotationSchedule: "",
-				RotationWindow:   60,
-				RotationPeriod:   5,
+				MountPoint:                     "aws",
+				ReqPath:                        "",
+				RotationSchedule:               "",
+				RotationWindow:                 60,
+				RotationPeriod:                 5,
+				MigratedLegacyNextRotationTime: time.Time{},
 			},
 			expectedError: "ReqPath is required",
 		},
diff --git a/tools/pipeline/go.mod b/tools/pipeline/go.mod
index a885e94553..cf8973f06a 100644
--- a/tools/pipeline/go.mod
+++ b/tools/pipeline/go.mod
@@ -1,6 +1,6 @@
 module github.com/hashicorp/vault/tools/pipeline
 
-go 1.24.0
+go 1.25.0
 
 // We have test modules in here but they ought to be completely ignored
 ignore internal/pkg/golang/fixtures
@@ -9,17 +9,17 @@ require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/PuerkitoBio/goquery v1.11.0
 	github.com/avast/retry-go/v4 v4.6.1
-	github.com/google/go-github/v81 v81.0.0
+	github.com/google/go-github/v83 v83.0.0
 	github.com/hashicorp/hcl/v2 v2.24.0
 	github.com/hashicorp/releases-api v0.2.3
 	github.com/jedib0t/go-pretty/v6 v6.6.8
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
 	github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7
 	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/veqryn/slog-context v0.8.0
 	github.com/zclconf/go-cty v1.17.0
-	golang.org/x/mod v0.29.0
+	golang.org/x/mod v0.34.0
 	golang.org/x/oauth2 v0.31.0
 )
 
@@ -28,6 +28,7 @@ require (
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fatih/color v1.18.0 // indirect
@@ -44,13 +45,14 @@ require (
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jackc/pgx/v5 v5.9.2 // indirect
 	github.com/jessevdk/go-flags v1.6.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
@@ -68,15 +70,16 @@ require (
 	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
 	github.com/spf13/pflag v1.0.7 // indirect
 	go.mongodb.org/mongo-driver v1.17.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/tools/pipeline/go.sum b/tools/pipeline/go.sum
index ff17171c00..ad38496dc3 100644
--- a/tools/pipeline/go.sum
+++ b/tools/pipeline/go.sum
@@ -30,8 +30,8 @@ github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIc
 github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
 github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -77,14 +77,13 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/golang-migrate/migrate/v4 v4.14.1 h1:qmRd/rNGjM1r3Ve5gHd5ZplytrD02UcItYNxJ3iUHHE=
 github.com/golang-migrate/migrate/v4 v4.14.1/go.mod h1:l7Ks0Au6fYHuUIxUhQ0rcVX1uLlJg54C/VvW7tvxSz0=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-github/v81 v81.0.0 h1:hTLugQRxSLD1Yei18fk4A5eYjOGLUBKAl/VCqOfFkZc=
-github.com/google/go-github/v81 v81.0.0/go.mod h1:upyjaybucIbBIuxgJS7YLOZGziyvvJ92WX6WEBNE3sM=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-github/v83 v83.0.0 h1:Ydy4gAfqxrnFUwXAuKl/OMhhGa0KtMtnJ3EozIIuHT0=
+github.com/google/go-github/v83 v83.0.0/go.mod h1:gbqarhK37mpSu8Xy7sz21ITtznvzouyHSAajSaYCHe8=
+github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
+github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
@@ -111,8 +110,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.5 h1:JHGfMnQY+IEtGM63d+NGMjoRpysB2JBwDr5fsngwmJs=
-github.com/jackc/pgx/v5 v5.7.5/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jedib0t/go-pretty/v6 v6.6.8 h1:JnnzQeRz2bACBobIaa/r+nqjvws4yEhcmaZ4n1QzsEc=
@@ -171,8 +170,8 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg=
 github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI=
@@ -188,8 +187,8 @@ github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
 github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
 github.com/veqryn/slog-context v0.8.0 h1:lDhwAgjwx52K5StqqQzi5d0Y/F4SNyGZbsXGd8MtucM=
@@ -201,16 +200,16 @@ github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
 go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
 go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
-go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -219,15 +218,15 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -237,8 +236,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
 golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -248,8 +247,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -267,8 +266,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -287,8 +286,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -297,10 +296,9 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
diff --git a/tools/pipeline/internal/cmd/generate.go b/tools/pipeline/internal/cmd/generate.go
index 46aafbd47f..24fc874587 100644
--- a/tools/pipeline/internal/cmd/generate.go
+++ b/tools/pipeline/internal/cmd/generate.go
@@ -3,16 +3,19 @@
 
 package cmd
 
-import "github.com/spf13/cobra"
+import (
+	"github.com/spf13/cobra"
+)
 
 func newGenerateCmd() *cobra.Command {
 	generateCmd := &cobra.Command{
 		Use:   "generate",
-		Short: "Pipeline configuration generation tasks",
-		Long:  "Pipeline configuration generation tasks",
+		Short: "Generate code and dynamic configuration in the context of the pipeline",
+		Long:  "Generate code and dynamic configuration in the context of the pipeline",
 	}
 
-	generateCmd.AddCommand(newGenerateEnosDynamicConfigCmd())
+	// Add subcommands
+	generateCmd.AddCommand(newGenerateTemplateCmd())
 
 	return generateCmd
 }
diff --git a/tools/pipeline/internal/cmd/generate_enos_dynamic_config.go b/tools/pipeline/internal/cmd/generate_enos_dynamic_config.go
deleted file mode 100644
index 9f5e32eb0d..0000000000
--- a/tools/pipeline/internal/cmd/generate_enos_dynamic_config.go
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright IBM Corp. 2016, 2025
-// SPDX-License-Identifier: BUSL-1.1
-
-package cmd
-
-import (
-	"context"
-
-	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/generate"
-	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
-	"github.com/spf13/cobra"
-)
-
-// skipVersionsDefault are versions that we skip by default. This list can grow as necessary.
-var skipVersionsDefault = []string{
-	"1.16.0", // 1.16.0 artifacts were revoked, always skip it if it's in the range
-}
-
-var genEnosDynamicConfigReq = &generate.EnosDynamicConfigReq{
-	VersionLister: releases.NewClient(),
-}
-
-func newGenerateEnosDynamicConfigCmd() *cobra.Command {
-	enosDynCfgCmd := &cobra.Command{
-		Use:   "enos-dynamic-config",
-		Short: "Generate dynamic Enos configuration files",
-		Long: `Create branch specific Enos configuration dynamically. We do this to set the various
-sample attribute variables on per-branch basis.`,
-		RunE: runGenerateEnosDynamicConfig,
-	}
-
-	enosDynCfgCmd.PersistentFlags().StringVarP(&genEnosDynamicConfigReq.VaultVersion, "version", "v", "", "The version of Vault")
-	enosDynCfgCmd.PersistentFlags().StringVarP(&genEnosDynamicConfigReq.VaultEdition, "edition", "e", "", "The edition of Vault. Can either be 'ce' or 'enterprise'")
-	enosDynCfgCmd.PersistentFlags().StringVarP(&genEnosDynamicConfigReq.EnosDir, "dir", "d", ".", "The enos directory to create the configuration in")
-	enosDynCfgCmd.PersistentFlags().UintVarP(&genEnosDynamicConfigReq.NMinus, "nminus", "n", 3, "Instead of setting a dedicated lower bound, calculate N-X from the upper")
-	enosDynCfgCmd.PersistentFlags().StringSliceVarP(&genEnosDynamicConfigReq.Skip, "skip", "s", skipVersionsDefault, "Skip these versions. Can be provided none-to-many times")
-	enosDynCfgCmd.PersistentFlags().StringVar(&genEnosDynamicConfigReq.FileName, "file", "enos-dynamic-config.hcl", "The name of the file to write the configuration into")
-
-	err := enosDynCfgCmd.MarkPersistentFlagRequired("edition")
-	if err != nil {
-		panic(err)
-	}
-	err = enosDynCfgCmd.MarkPersistentFlagRequired("version")
-	if err != nil {
-		panic(err)
-	}
-
-	return enosDynCfgCmd
-}
-
-func runGenerateEnosDynamicConfig(cmd *cobra.Command, args []string) error {
-	cmd.SilenceUsage = true // Don't spam the usage on failure
-
-	_, err := genEnosDynamicConfigReq.Run(context.TODO())
-
-	return err
-}
diff --git a/tools/pipeline/internal/cmd/generate_template.go b/tools/pipeline/internal/cmd/generate_template.go
new file mode 100644
index 0000000000..90546ed421
--- /dev/null
+++ b/tools/pipeline/internal/cmd/generate_template.go
@@ -0,0 +1,98 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package cmd
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/generate"
+	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
+	"github.com/spf13/cobra"
+)
+
+var generateTemplateReq = &generate.GenerateTemplateReq{
+	VersionLister: releases.NewClient(),
+}
+
+func newGenerateTemplateCmd() *cobra.Command {
+	templateCmd := &cobra.Command{
+		Use:   "template [template-path] [output-path]",
+		Short: "Generate output from Go templates with pipeline data",
+		Args:  cobra.RangeArgs(1, 2),
+		RunE:  runGenerateTemplateCmd,
+		Long: `Generate output by rendering Go templates with access to pipeline data. It's currently limited to release data but the idea is to eventually extend it to any request types that would be useful to embed into templates via template functions.
+
+The template has access to a context object with the following fields:
+  - .Version: Current version (set via --version flag)
+  - .Edition: Current edition (set via --edition flag)
+  - .GeneratedAt: Timestamp when template was rendered
+
+Available template functions:
+
+  - VersionsNMinus(product, edition, upperBound, nminus, cadence, versionsToSkip...)
+    Use this to list all version between the upperBound and n-x. The candence must be set to 'minor' or 'major' depending on whether n-minus should be treated as minor or major bumps. Returns a list of strings.
+
+    - VersionsNMinusTransition(product, edition, upperBound, nminus, current cadence, transitionVersion, priorCadence, versionsToSkip skip...)
+    Like VersionsNMinus, except that it supports two different release candences by supplying both and a transition version. Useful for navigating a change in release candence. Returns a list of strings.
+
+  - VersionsBounded(product, edition, upperBound, lowerBound, cadence, versionsToSkip...)
+    Use this to list all version between two bounds. The candence must be set to 'minor' or 'major' depending on whether n-minus should be treated as minor or major bumps. Returns a list of strings.
+
+  - VersionsBoundedTransition(product, edition, upperBound, lowerBound, current cadence, transitionVersion, priorCadence, versionsToSkip ...)
+    Like VersionsBounded, except that it supports two different release candences by supplying both and a transition version. Useful for navigating a change in release candence. Returns a list of strings.
+
+  - ParseVersion(version)
+    Parse version string to semver. Returns a *semver.Version that you can access methods and fields on. See https://pkg.go.dev/github.com/Masterminds/semver
+
+  - CompareVersions(v1, v2)
+    Parse and compare two different versions. Returns an int. See https://pkg.go.dev/github.com/Masterminds/semver#Version.Compare
+
+  - FilterVersions(listOfVersions, semverConstraint)
+    Filter a list of versions by a semver constraint. Returns a list of strings.
+
+Examples:
+  # Render template with current version
+  pipeline generate template my-template.tmpl output.txt --version 1.18.0 --edition enterprise
+
+  # Read from stdin, write to stdout
+  cat template.tmpl | pipeline generate template - --version 1.18.0
+
+  # Use current version in template
+  {{ .Version }} - Current version
+  {{ VersionsNMinus "vault" "enterprise" .Version 3 "minor" }} - Get all n-3 versions from the .Version (passed in via --version) using a minor version cadence.`,
+	}
+
+	templateCmd.Flags().StringVarP(&generateTemplateReq.Version, "version", "v", "", "Current version to expose in template context")
+	templateCmd.Flags().StringVarP(&generateTemplateReq.Edition, "edition", "e", "", "Current edition to expose in template context")
+
+	return templateCmd
+}
+
+func runGenerateTemplateCmd(cmd *cobra.Command, args []string) error {
+	cmd.SilenceUsage = true // Don't spam the usage on failure
+
+	generateTemplateReq.TemplatePath = args[0]
+	if len(args) > 1 {
+		generateTemplateReq.OutputPath = args[1]
+	}
+
+	res, err := generateTemplateReq.Run(cmd.Context())
+	if err != nil {
+		return fmt.Errorf("generating template: %w", err)
+	}
+
+	if res.OutputPath != "" {
+		err = os.WriteFile(res.OutputPath, res.RenderedTemplate, 0o755)
+	} else {
+		_, err = io.Writer.Write(os.Stdout, res.RenderedTemplate)
+	}
+
+	if err != nil {
+		return fmt.Errorf("generating template: %w", err)
+	}
+
+	return nil
+}
diff --git a/tools/pipeline/internal/cmd/github.go b/tools/pipeline/internal/cmd/github.go
index 8af77d1f6a..e3b10a8446 100644
--- a/tools/pipeline/internal/cmd/github.go
+++ b/tools/pipeline/internal/cmd/github.go
@@ -10,7 +10,7 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/google/go-github/v81/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/shurcooL/githubv4"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
diff --git a/tools/pipeline/internal/cmd/releases_list_versions.go b/tools/pipeline/internal/cmd/releases_list_versions.go
index 7a4337a448..ecde470e8d 100644
--- a/tools/pipeline/internal/cmd/releases_list_versions.go
+++ b/tools/pipeline/internal/cmd/releases_list_versions.go
@@ -18,17 +18,23 @@ var listReleaseVersionsReq = &releases.ListVersionsReq{
 func newReleasesVersionsBetweenCmd() *cobra.Command {
 	versionsCmd := &cobra.Command{
 		Use:   "versions",
-		Short: "Create a list of Vault versions between a lower and upper bound",
-		Long:  "Create a list of Vault versions between a lower and upper bound",
+		Short: "Create a list of product versions between a lower and upper bound",
+		Long:  "Create a list of product versions between a lower and upper bound",
 		RunE:  runListVersionsReq,
 	}
 
 	versionsCmd.PersistentFlags().StringVarP(&listReleaseVersionsReq.UpperBound, "upper", "u", "", "The highest version to include")
 	versionsCmd.PersistentFlags().StringVarP(&listReleaseVersionsReq.LowerBound, "lower", "l", "", "The lowest version to include")
 	versionsCmd.PersistentFlags().UintVarP(&listReleaseVersionsReq.NMinus, "nminus", "n", 0, "Instead of setting a dedicated lower bound, calculate N-X from the upper")
-	versionsCmd.PersistentFlags().StringVarP(&listReleaseVersionsReq.LicenseClass, "edition", "e", "", "The edition of Vault. Can either be 'ce' or 'enterprise'")
+	versionsCmd.PersistentFlags().StringVarP(&listReleaseVersionsReq.LicenseClass, "edition", "e", "", "The edition of the product. Can either be 'ce' or 'enterprise'")
 	versionsCmd.PersistentFlags().StringSliceVarP(&listReleaseVersionsReq.Skip, "skip", "s", []string{}, "Skip this version. Can be provided none-to-many times")
 
+	// Cadence flags for version calculation
+	versionsCmd.PersistentFlags().StringVar((*string)(&listReleaseVersionsReq.Cadence), "cadence", "major", "Version cadence for n-minus calculation: 'minor' or 'major' (default: major)")
+	versionsCmd.PersistentFlags().StringVar(&listReleaseVersionsReq.TransitionVersion, "transition-version", "", "Last version of previous cadence (optional, for cadence transitions)")
+	versionsCmd.PersistentFlags().StringVar((*string)(&listReleaseVersionsReq.PriorCadence), "prior-cadence", "", "If the product transitioned from an older release candence to a new one, this defines the prior cadence type: 'minor' or 'major' (required if transition-version is set)")
+	versionsCmd.PersistentFlags().StringVar(&listReleaseVersionsReq.ProductName, "product", "vault", "Product name")
+
 	err := versionsCmd.MarkPersistentFlagRequired("upper")
 	if err != nil {
 		panic(err)
diff --git a/tools/pipeline/internal/pkg/changed/config_test.go b/tools/pipeline/internal/pkg/changed/config_test.go
index c197d73113..67c7786f6a 100644
--- a/tools/pipeline/internal/pkg/changed/config_test.go
+++ b/tools/pipeline/internal/pkg/changed/config_test.go
@@ -8,7 +8,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	"github.com/stretchr/testify/require"
 )
 
diff --git a/tools/pipeline/internal/pkg/changed/file.go b/tools/pipeline/internal/pkg/changed/file.go
index b5ac87603b..2d3dd02459 100644
--- a/tools/pipeline/internal/pkg/changed/file.go
+++ b/tools/pipeline/internal/pkg/changed/file.go
@@ -8,7 +8,7 @@ import (
 	"slices"
 	"strings"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 )
 
 // File represents a changed file in a PR or commit.
diff --git a/tools/pipeline/internal/pkg/config/config_test.go b/tools/pipeline/internal/pkg/config/config_test.go
index bef5de46a1..571e98fb44 100644
--- a/tools/pipeline/internal/pkg/config/config_test.go
+++ b/tools/pipeline/internal/pkg/config/config_test.go
@@ -10,7 +10,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/google/go-github/v81/github"
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/stretchr/testify/require"
 	"github.com/zclconf/go-cty/cty"
diff --git a/tools/pipeline/internal/pkg/generate/enos_dynamic_config.go b/tools/pipeline/internal/pkg/generate/enos_dynamic_config.go
deleted file mode 100644
index 1517b78b88..0000000000
--- a/tools/pipeline/internal/pkg/generate/enos_dynamic_config.go
+++ /dev/null
@@ -1,207 +0,0 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package generate
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"log/slog"
-	"os"
-	"path/filepath"
-	"slices"
-
-	"github.com/Masterminds/semver"
-	"github.com/hashicorp/hcl/v2/gohcl"
-	"github.com/hashicorp/hcl/v2/hclwrite"
-	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/metadata"
-	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
-	slogctx "github.com/veqryn/slog-context"
-)
-
-// EnosDynamicConfigReq is a request to generate dynamic enos configuration
-type EnosDynamicConfigReq struct {
-	VaultEdition string
-	VaultVersion string
-	EnosDir      string
-	FileName     string
-	Skip         []string
-	NMinus       uint
-	releases.VersionLister
-}
-
-// EnosDynamicConfigRes is a response from a request to generate dynamic enos configuration
-type EnosDynamicConfigRes struct {
-	Globals *Globals `json:"globals,omitempty" hcl:"globals,block" cty:"globals"`
-}
-
-// Globals are our dynamic globals
-type Globals struct {
-	SampleAttributes *SampleAttrs `json:"sample_attributes,omitempty" hcl:"sample_attributes" cty:"sample_attributes"`
-}
-
-// SampleAttrs are the dynamic sample attributes that we'll write as globals
-type SampleAttrs struct {
-	AWSRegion             []string `json:"aws_region,omitempty" hcl:"aws_region" cty:"aws_region"`
-	DistroVersionAmzn     []string `json:"distro_version_amzn,omitempty" hcl:"distro_version_amzn" cty:"distro_version_amzn"`
-	DistroVersionRhel     []string `json:"distro_version_rhel,omitempty" hcl:"distro_version_rhel" cty:"distro_version_rhel"`
-	DistroVersionSles     []string `json:"distro_version_sles,omitempty" hcl:"distro_version_sles" cty:"distro_version_sles"`
-	DistroVersionUbuntu   []string `json:"distro_version_ubuntu,omitempty" hcl:"distro_version_ubuntu" cty:"distro_version_ubuntu"`
-	UpgradeInitialVersion []string `json:"upgrade_initial_version,omitempty" hcl:"upgrade_initial_version" cty:"upgrade_initial_version"`
-}
-
-// Validate validates the request parameters
-func (e *EnosDynamicConfigReq) Validate(ctx context.Context) error {
-	if e == nil {
-		return errors.New("enos dynamic config req: validate: uninitialized")
-	}
-
-	slog.Default().DebugContext(ctx, "validating enos dynamic config request")
-
-	if e.FileName == "" {
-		return errors.New("no destination file name set")
-	}
-
-	if e.VersionLister == nil {
-		return errors.New("no version lister set")
-	}
-
-	if !slices.Contains(metadata.Editions, e.VaultEdition) {
-		return fmt.Errorf("unknown edition: %s", e.VaultEdition)
-	}
-
-	_, err := semver.NewVersion(e.VaultVersion)
-	if err != nil {
-		return fmt.Errorf("invalid version: %s: %w", e.VaultVersion, err)
-	}
-
-	s, err := os.Stat(e.EnosDir)
-	if err != nil {
-		return fmt.Errorf("invalid enos dir: %s: %w", e.EnosDir, err)
-	}
-
-	if !s.IsDir() {
-		return fmt.Errorf("invalid enos dir: %s is not a directory", e.EnosDir)
-	}
-
-	return nil
-}
-
-// Run runs the dynamic configuration request
-func (e *EnosDynamicConfigReq) Run(ctx context.Context) (*EnosDynamicConfigRes, error) {
-	if e == nil {
-		return nil, fmt.Errorf("enos-dynamic-config-req uninitialized")
-	}
-
-	ctx = slogctx.Append(ctx,
-		slog.String("vault-edition", e.VaultEdition),
-		slog.String("vault-version", e.VaultVersion),
-		slog.String("file-name", e.FileName),
-		slog.String("dir", e.EnosDir),
-		slog.Uint64("n-minnux", uint64(e.NMinus)),
-		"skip", e.Skip,
-	)
-	slog.Default().DebugContext(ctx, "running enos dynamic config request")
-
-	err := e.Validate(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	res := &EnosDynamicConfigRes{}
-	res.Globals, err = e.getGlobals(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return res, e.writeFile(ctx, res)
-}
-
-func (e *EnosDynamicConfigReq) getGlobals(ctx context.Context) (*Globals, error) {
-	var err error
-	res := &Globals{}
-	res.SampleAttributes, err = e.getSampleAttrs(ctx)
-
-	return res, err
-}
-
-func (e *EnosDynamicConfigReq) getSampleAttrs(ctx context.Context) (*SampleAttrs, error) {
-	// Create our HCL body
-	// TODO: Move this to pipeline config
-	attrs := &SampleAttrs{
-		// Use the cheapest regions
-		AWSRegion: []string{"us-east-1", "us-west-2"},
-		// Current distro defaults
-		DistroVersionAmzn:   []string{"2023"},
-		DistroVersionRhel:   []string{"8.10", "9.7", "10.1"},
-		DistroVersionSles:   []string{"15.7", "16.0"},
-		DistroVersionUbuntu: []string{"22.04", "24.04"},
-	}
-
-	// Create our initial upgrade version list. We'll find all released versions between N-3 -> Current
-	// version, minus any explicitly skipped versions that have been set. Since CE and Ent do not share
-	// the same version lineage now we'll also have to figure that in as well.
-	versionReq := &releases.ListVersionsReq{
-		VersionLister: e.VersionLister,
-		LicenseClass:  e.VaultEdition,
-		UpperBound:    e.VaultVersion,
-		NMinus:        e.NMinus,
-		Skip:          e.Skip,
-	}
-
-	versionRes, err := versionReq.Run(ctx)
-	if err != nil {
-		return nil, err
-	}
-	attrs.UpgradeInitialVersion = versionRes.Versions
-
-	return attrs, nil
-}
-
-// writeFile creates the dynamic config file and writes the dynamic data into it
-func (e *EnosDynamicConfigReq) writeFile(ctx context.Context, res *EnosDynamicConfigRes) error {
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	default:
-	}
-
-	slog.Default().DebugContext(ctx, "writing enos dynamic config request")
-
-	// Make sure our path is valid
-	path, err := filepath.Abs(filepath.Join(e.EnosDir, e.FileName))
-	if err != nil {
-		return fmt.Errorf("expanding path dynamic config request path: %w", err)
-	}
-
-	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o644)
-	if err != nil {
-		return fmt.Errorf("opening dynamic config request destination file: %w", err)
-	}
-	defer f.Close()
-
-	if _, err = f.WriteString(`# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: BUSL-1.1
-
-# Code generated by pipeline generate enos-dynamic-config DO NOT EDIT.
-
-# This file is overwritten in CI as it contains branch specific and sometimes ever-changing values.
-# It's checked in here so that enos samples and scenarios can be performed, just be aware that this
-# might change out from under you.
-`); err != nil {
-		return err
-	}
-
-	hf := hclwrite.NewEmptyFile()
-	gohcl.EncodeIntoBody(res, hf.Body())
-	bytes := hclwrite.Format(hf.Bytes())
-
-	slog.Default().InfoContext(ctx, "writing enos dynamic config request",
-		"path", path,
-		"hcl", string(bytes),
-	)
-	_, err = f.Write(bytes)
-
-	return err
-}
diff --git a/tools/pipeline/internal/pkg/generate/enos_dynamic_config_test.go b/tools/pipeline/internal/pkg/generate/enos_dynamic_config_test.go
deleted file mode 100644
index ddf523e4d2..0000000000
--- a/tools/pipeline/internal/pkg/generate/enos_dynamic_config_test.go
+++ /dev/null
@@ -1,276 +0,0 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package generate
-
-import (
-	"context"
-	"os"
-	"path/filepath"
-	"slices"
-	"testing"
-
-	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
-	"github.com/stretchr/testify/require"
-)
-
-var testAPIVersions = []string{
-	"1.16.10+ent.hsm.fips1402",
-	"1.16.10+ent.fips1402",
-	"1.16.10+ent.hsm",
-	"1.16.10+ent",
-	"1.17.6+ent.hsm.fips1402",
-	"1.17.6+ent.fips1402",
-	"1.17.6+ent.hsm",
-	"1.17.6+ent",
-	"1.18.0-rc1+ent.hsm.fips1402",
-	"1.18.0-rc1+ent.fips1402",
-	"1.18.0-rc1+ent.hsm",
-	"1.18.0-rc1+ent",
-	"1.17.5+ent.hsm.fips1402",
-	"1.17.5+ent.fips1402",
-	"1.17.5+ent.hsm",
-	"1.17.5+ent",
-	"1.16.9+ent.hsm.fips1402",
-	"1.16.9+ent.fips1402",
-	"1.16.9+ent.hsm",
-	"1.16.9+ent",
-	"1.17.4+ent.hsm.fips1402",
-	"1.17.4+ent.fips1402",
-	"1.17.4+ent.hsm",
-	"1.17.4+ent",
-	"1.16.8+ent.hsm.fips1402",
-	"1.16.8+ent.fips1402",
-	"1.16.8+ent.hsm",
-	"1.16.8+ent",
-	"1.17.3+ent.hsm.fips1402",
-	"1.17.3+ent.fips1402",
-	"1.17.3+ent.hsm",
-	"1.16.7+ent.hsm.fips1402",
-	"1.17.3+ent",
-	"1.16.7+ent.fips1402",
-	"1.16.7+ent.hsm",
-	"1.16.7+ent",
-	"1.17.2+ent.hsm.fips1402",
-	"1.17.2+ent.fips1402",
-	"1.17.2+ent.hsm",
-	"1.17.2+ent",
-	"1.16.6+ent.hsm.fips1402",
-	"1.16.6+ent.fips1402",
-	"1.16.6+ent.hsm",
-	"1.16.6+ent",
-}
-
-var testAllVersions = []string{
-	"1.16.6",
-	"1.16.7",
-	"1.16.8",
-	"1.16.9",
-	"1.16.10",
-	"1.17.2",
-	"1.17.3",
-	"1.17.4",
-	"1.17.5",
-	"1.17.6",
-	"1.18.0-rc1",
-}
-
-func Test_EnosDynamicConfigReq_Validate(t *testing.T) {
-	t.Parallel()
-
-	for name, test := range map[string]struct {
-		in   *EnosDynamicConfigReq
-		fail bool
-	}{
-		"ce edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition:  "ce",
-				VaultVersion:  "1.18.0",
-				EnosDir:       t.TempDir(),
-				FileName:      "test.hcl",
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-		},
-		"oss edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition:  "oss",
-				VaultVersion:  "1.18.0",
-				EnosDir:       t.TempDir(),
-				FileName:      "test.hcl",
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-		},
-		"ent edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition:  "ent",
-				VaultVersion:  "1.18.0",
-				EnosDir:       t.TempDir(),
-				FileName:      "test.hcl",
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-		},
-		"enterprise edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition:  "enterprise",
-				VaultVersion:  "1.18.0",
-				EnosDir:       t.TempDir(),
-				FileName:      "test.hcl",
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-		},
-		"ent.hsm edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition:  "ent.hsm",
-				VaultVersion:  "1.18.0",
-				EnosDir:       t.TempDir(),
-				FileName:      "test.hcl",
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-		},
-		"ent.fips1402 edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition:  "ent.fips1402",
-				VaultVersion:  "1.18.0",
-				EnosDir:       t.TempDir(),
-				FileName:      "test.hcl",
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-		},
-		"ent.hsm.fips1402 edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition:  "ent.hsm.fips1402",
-				VaultVersion:  "1.18.0",
-				EnosDir:       t.TempDir(),
-				FileName:      "test.hcl",
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-		},
-		"unknown edition": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition: "ent.nope",
-				VaultVersion: "1.18.0",
-				EnosDir:      t.TempDir(),
-				FileName:     "test.hcl",
-			},
-			fail: true,
-		},
-		"invalid version": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition: "ent.hsm.fips1402",
-				VaultVersion: "vault-1.18.0",
-				EnosDir:      t.TempDir(),
-				FileName:     "test.hcl",
-			},
-			fail: true,
-		},
-		"target dir doesn't exist": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition: "ent.hsm.fips1402",
-				VaultVersion: "1.18.0",
-			},
-			fail: true,
-		},
-		"no file name": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition: "ent.hsm.fips1402",
-				VaultVersion: "1.18.0",
-				EnosDir:      t.TempDir(),
-			},
-			fail: true,
-		},
-		"no version lister": {
-			in: &EnosDynamicConfigReq{
-				VaultEdition: "ent.hsm.fips1402",
-				VaultVersion: "1.18.0",
-				EnosDir:      t.TempDir(),
-				FileName:     "test.hcl",
-			},
-			fail: true,
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-			err := test.in.Validate(context.Background())
-			if test.fail {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
-}
-
-func Test_EnosDynamicConfigReq_Run(t *testing.T) {
-	t.Parallel()
-
-	for desc, test := range map[string]struct {
-		req  *EnosDynamicConfigReq
-		res  func() *EnosDynamicConfigRes
-		hcl  []byte
-		fail bool
-	}{
-		"default config": {
-			req: &EnosDynamicConfigReq{
-				FileName:      "test.hcl",
-				VaultEdition:  "ent.hsm.fips1402",
-				VaultVersion:  "1.18.0",
-				Skip:          []string{"1.17.2", "1.17.5"},
-				NMinus:        2,
-				EnosDir:       t.TempDir(),
-				VersionLister: releases.NewMockClient(testAPIVersions),
-			},
-			res: func() *EnosDynamicConfigRes {
-				versions := testAllVersions
-				versions = slices.DeleteFunc(versions, func(v string) bool {
-					return v == "1.17.2" || v == "1.17.5"
-				})
-				return &EnosDynamicConfigRes{
-					Globals: &Globals{
-						SampleAttributes: &SampleAttrs{
-							AWSRegion:             []string{"us-east-1", "us-west-2"},
-							DistroVersionAmzn:     []string{"2023"},
-							DistroVersionRhel:     []string{"8.10", "9.7", "10.1"},
-							DistroVersionSles:     []string{"15.7", "16.0"},
-							DistroVersionUbuntu:   []string{"22.04", "24.04"},
-							UpgradeInitialVersion: versions,
-						},
-					},
-				}
-			},
-			hcl: []byte(`# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: BUSL-1.1
-
-# Code generated by pipeline generate enos-dynamic-config DO NOT EDIT.
-
-# This file is overwritten in CI as it contains branch specific and sometimes ever-changing values.
-# It's checked in here so that enos samples and scenarios can be performed, just be aware that this
-# might change out from under you.
-
-globals {
-  sample_attributes = {
-    aws_region              = ["us-east-1", "us-west-2"]
-    distro_version_amzn     = ["2023"]
-    distro_version_rhel     = ["8.10", "9.7", "10.1"]
-    distro_version_sles     = ["15.7", "16.0"]
-    distro_version_ubuntu   = ["22.04", "24.04"]
-    upgrade_initial_version = ["1.16.6", "1.16.7", "1.16.8", "1.16.9", "1.16.10", "1.17.3", "1.17.4", "1.17.6", "1.18.0-rc1"]
-  }
-}
-`),
-		},
-	} {
-		t.Run(desc, func(t *testing.T) {
-			t.Parallel()
-			res, err := test.req.Run(context.Background())
-			if test.fail {
-				require.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-			require.EqualValues(t, test.res(), res)
-			b, err := os.ReadFile(filepath.Join(test.req.EnosDir, test.req.FileName))
-			require.NoError(t, err)
-			require.EqualValuesf(t, test.hcl, b, string(b))
-		})
-	}
-}
diff --git a/tools/pipeline/internal/pkg/generate/fixtures/test-cadence.tmpl b/tools/pipeline/internal/pkg/generate/fixtures/test-cadence.tmpl
new file mode 100644
index 0000000000..643e6da6d2
--- /dev/null
+++ b/tools/pipeline/internal/pkg/generate/fixtures/test-cadence.tmpl
@@ -0,0 +1,51 @@
+# Cadence Template Test
+# Generated at {{ .GeneratedAt.Format "2006-01-02 15:04:05" }}
+
+## Current Version Context
+- Current Version: {{ .Version }}
+
+## Cadence Functions
+
+### VersionsNMinus - Minor Cadence
+Get last 3 versions with minor cadence:
+{{- $minorVersions := VersionsNMinus "vault" "enterprise" "1.18.0" 3 "minor" }}
+{{- range $minorVersions }}
+  - {{ . }}
+{{- end }}
+
+### VersionsNMinus - Major Cadence
+Get last 1 version with major cadence:
+{{- $majorVersions := VersionsNMinus "vault" "enterprise" "1.18.0" 1 "major" }}
+{{- range $majorVersions }}
+  - {{ . }}
+{{- end }}
+
+### VersionsNMinusTransition
+Get versions with cadence transition (major cadence, transitioned from minor at 1.15.2):
+{{- $transitionVersions := VersionsNMinusTransition "vault" "enterprise" "1.18.0" 2 "major" "1.15.2" "minor" }}
+{{- range $transitionVersions }}
+  - {{ . }}
+{{- end }}
+
+### VersionsBoundedTransition - With Transition
+Get versions with cadence transition (major cadence, transitioned from minor at 1.15.2):
+{{- $boundedTransition := VersionsBoundedTransition "vault" "enterprise" "1.18.0" "1.15.0" "major" "1.15.2" "minor" }}
+{{- range $boundedTransition }}
+  - {{ . }}
+{{- end }}
+
+## Comparison: Regular vs Cadence Functions
+
+### Regular VersionsNMinus (no cadence awareness)
+{{- $regular := VersionsNMinus "vault" "enterprise" "1.18.0" 3 "minor" }}
+Regular ({{ len $regular }} versions):
+{{- range $regular }}
+  - {{ . }}
+{{- end }}
+
+### Cadence-aware VersionsNMinusTransition (minor cadence)
+{{- $cadenceAware := VersionsNMinusTransition "vault" "enterprise" "1.18.0" 3 "minor" "" "" }}
+Cadence-aware ({{ len $cadenceAware }} versions):
+{{- range $cadenceAware }}
+  - {{ . }}
+{{- end }}
diff --git a/tools/pipeline/internal/pkg/generate/fixtures/test-functions.tmpl b/tools/pipeline/internal/pkg/generate/fixtures/test-functions.tmpl
new file mode 100644
index 0000000000..2ecefd67d1
--- /dev/null
+++ b/tools/pipeline/internal/pkg/generate/fixtures/test-functions.tmpl
@@ -0,0 +1,73 @@
+# Template Functions Test
+# Generated at {{ .GeneratedAt.Format "2006-01-02 15:04:05" }}
+
+## Current Version Context
+- Current Version: {{ .Version }}
+
+## Version Utilities
+
+### ParseVersion
+{{- $v1 := "1.16.0" }}
+{{- $v2 := "1.17.0" }}
+- ParseVersion {{ $v1 }}: {{ ParseVersion $v1 }}
+- ParseVersion {{ $v2 }}: {{ ParseVersion $v2 }}
+
+### CompareVersions
+- CompareVersions {{ $v1 }} vs {{ $v2 }}: {{ CompareVersions $v1 $v2 }}
+  (Returns: -1 if v1 < v2, 0 if equal, 1 if v1 > v2)
+
+## Version Listing Functions
+
+### VersionsNMinus
+{{- if .Version }}
+Get last 3 versions before current version ({{ .Version }}):
+{{- $nminus := VersionsNMinus "vault" "enterprise" .Version 3 "minor" }}
+{{- range $nminus }}
+  - {{ . }}
+{{- end }}
+{{- else }}
+Example: VersionsNMinus "vault" "enterprise" "1.18.0" 3
+{{- $nminus := VersionsNMinus "vault" "enterprise" "1.18.0" 3 "minor" }}
+{{- range $nminus }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+
+### VersionsBounded
+Get versions between 1.17.0 and 1.18.0:
+{{- $bounded := VersionsBounded "vault" "enterprise" "1.18.0" "1.17.0" "minor" }}
+{{- range $bounded }}
+  - {{ . }}
+{{- end }}
+
+### FilterVersions
+{{- $allVersions := VersionsNMinus "vault" "enterprise" "1.18.0" 5 "minor" }}
+All versions (last 5):
+{{- range $allVersions }}
+  - {{ . }}
+{{- end }}
+
+Filtered to ~1.17.0:
+{{- $filtered := FilterVersions $allVersions "~1.17.0" }}
+{{- range $filtered }}
+  - {{ . }}
+{{- end }}
+
+### Skip Versions
+Get versions skipping 1.17.5:
+{{- $skipped := VersionsNMinus "vault" "enterprise" "1.18.0" 3 "minor" "1.17.5" }}
+{{- range $skipped }}
+  - {{ . }}
+{{- end }}
+
+### Version Comparison in Template Logic
+{{- $currentVer := "1.18.0" }}
+{{- $compareVer := "1.17.0" }}
+{{- $cmp := CompareVersions $currentVer $compareVer }}
+{{- if eq $cmp 1 }}
+{{ $currentVer }} is newer than {{ $compareVer }}
+{{- else if eq $cmp -1 }}
+{{ $currentVer }} is older than {{ $compareVer }}
+{{- else }}
+{{ $currentVer }} equals {{ $compareVer }}
+{{- end }}
diff --git a/tools/pipeline/internal/pkg/generate/fixtures/test-template.tmpl b/tools/pipeline/internal/pkg/generate/fixtures/test-template.tmpl
new file mode 100644
index 0000000000..4a92bc95bc
--- /dev/null
+++ b/tools/pipeline/internal/pkg/generate/fixtures/test-template.tmpl
@@ -0,0 +1,16 @@
+# Generated at {{ .GeneratedAt.Format "2006-01-02 15:04:05" }}
+# Current Version: {{ .Version }}
+
+# Get last 3 versions before current version
+Versions (N-Minus 3):
+{{- $versions := VersionsNMinus "vault" "enterprise" .Version 3 "minor" }}
+{{- range $versions }}
+  - {{ . }}
+{{- end }}
+
+# Example: Get versions between bounds
+Versions (Bounded 1.17.0 to 1.18.0):
+{{- $bounded := VersionsBounded "vault" "enterprise" "1.18.0" "1.17.0" "minor" }}
+{{- range $bounded }}
+  - {{ . }}
+{{- end }}
diff --git a/tools/pipeline/internal/pkg/generate/template.go b/tools/pipeline/internal/pkg/generate/template.go
new file mode 100644
index 0000000000..6d69318659
--- /dev/null
+++ b/tools/pipeline/internal/pkg/generate/template.go
@@ -0,0 +1,293 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+// Package generate implements our configuration file generation. We use it to
+// generate configuration files dynamically in CI.
+package generate
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"text/template"
+	"time"
+
+	"github.com/Masterminds/semver"
+	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
+)
+
+// GenerateTemplateReq is our request to generate a template with pipeline
+// context.
+type GenerateTemplateReq struct {
+	TemplatePath  string                 // Path to template or "-" for stdin
+	OutputPath    string                 // Path to output or "" for stdout
+	Version       string                 // Current product version to expose in templates (optional)
+	Edition       string                 // Current product edition to expose in templates (optional)
+	VersionLister releases.VersionLister // How to get version information
+}
+
+// GenerateTemplateRes is our GenerateTemplateReq response. It contains the
+// bytes of the rendered template. NOTE: It does not write to OutputPath, that
+// is up to the caller.
+type GenerateTemplateRes struct {
+	RenderedTemplate []byte
+	TemplatePath     string // Path to template or "-" for stdin
+	OutputPath       string // Path to output or "" for stdout
+}
+
+// TemplateContext is the root context object available in templates.
+type TemplateContext struct {
+	VersionLister releases.VersionLister
+	GeneratedAt   time.Time // When the template was rendered
+	Version       string    // Current version (optional, empty if not provided)
+	Edition       string    // Current product edition (optional, empty if not provided)
+}
+
+// Run runs the template generation request.
+func (r *GenerateTemplateReq) Run(ctx context.Context) (*GenerateTemplateRes, error) {
+	res := &GenerateTemplateRes{
+		TemplatePath: r.TemplatePath,
+		OutputPath:   r.OutputPath,
+	}
+
+	tc := &TemplateContext{
+		GeneratedAt:   time.Now().UTC(),
+		VersionLister: r.VersionLister,
+		Version:       r.Version,
+		Edition:       r.Edition,
+	}
+
+	var err error
+	res.RenderedTemplate, err = r.renderTemplate(ctx, tc)
+	if err != nil {
+		err = fmt.Errorf("rendering template: %w", err)
+	}
+
+	return res, err
+}
+
+// Render executes the template rendering process.
+func (r *GenerateTemplateReq) renderTemplate(ctx context.Context, tc *TemplateContext) ([]byte, error) {
+	if r == nil {
+		return nil, errors.New("uninitialized")
+	}
+
+	var body []byte
+	var err error
+	if r.TemplatePath == "-" {
+		body, err = io.ReadAll(os.Stdin)
+	} else {
+		body, err = os.ReadFile(r.TemplatePath)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("reading contents of template: %w", err)
+	}
+
+	template, err := template.New("template").Funcs(templateFuncsFor(ctx, tc)).Parse(string(body))
+	if err != nil {
+		return nil, fmt.Errorf("parsing template: %w", err)
+	}
+
+	buf := &bytes.Buffer{}
+	if err := template.Execute(buf, tc); err != nil {
+		return nil, fmt.Errorf("executing template: %w", err)
+	}
+
+	return buf.Bytes(), nil
+}
+
+// templateFuncsFor returns the function map for template execution
+func templateFuncsFor(ctx context.Context, tc *TemplateContext) template.FuncMap {
+	return template.FuncMap{
+		// Version listing functions
+		"VersionsNMinus":            versionsNMinusFunc(ctx, tc),
+		"VersionsBounded":           versionsBoundedFunc(ctx, tc),
+		"VersionsNMinusTransition":  versionsNMinusTransitionFunc(ctx, tc),
+		"VersionsBoundedTransition": versionsBoundedTransitionFunc(ctx, tc),
+
+		// Version utilities
+		"ParseVersion":    parseVersionFunc,
+		"CompareVersions": compareVersionsFunc,
+		"FilterVersions":  filterVersionsFunc,
+	}
+}
+
+// versionsNMinusFunc returns a function that lists released versions using
+// n-minus.
+func versionsNMinusFunc(ctx context.Context, tc *TemplateContext) func(
+	product, edition, upperBound string,
+	nminus uint,
+	cadence releases.VersionCadence,
+	skip ...string) ([]string, error) {
+	return func(
+		product, edition, upperBound string,
+		nminus uint,
+		cadence releases.VersionCadence,
+		skip ...string,
+	) ([]string, error) {
+		req := &releases.ListVersionsReq{
+			VersionLister: tc.VersionLister,
+			Cadence:       cadence,
+			ProductName:   product,
+			LicenseClass:  edition,
+			UpperBound:    upperBound,
+			NMinus:        nminus,
+			Skip:          skip,
+		}
+
+		res, err := req.Run(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		return res.Versions, nil
+	}
+}
+
+// versionsBoundedFunc returns a function that lists released versions using
+// explicit bounds.
+func versionsBoundedFunc(ctx context.Context, tc *TemplateContext) func(
+	product, edition, upperBound, lowerBound string,
+	cadence releases.VersionCadence,
+	skip ...string) ([]string, error) {
+	return func(
+		product, edition, upperBound, lowerBound string,
+		cadence releases.VersionCadence,
+		skip ...string,
+	) ([]string, error) {
+		req := &releases.ListVersionsReq{
+			VersionLister: tc.VersionLister,
+			Cadence:       cadence,
+			ProductName:   product,
+			LicenseClass:  edition,
+			UpperBound:    upperBound,
+			LowerBound:    lowerBound,
+			Skip:          skip,
+		}
+
+		res, err := req.Run(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		return res.Versions, nil
+	}
+}
+
+// versionsNMinusTransitionFuncction that lists released versions using n-minus
+// with cadence support.
+func versionsNMinusTransitionFunc(ctx context.Context, tc *TemplateContext) func(
+	product, edition, upperBound string,
+	nminus uint,
+	cadence, transitionVersion, priorCadence string,
+	skip ...string,
+) ([]string, error) {
+	return func(
+		product, edition, upperBound string,
+		nminus uint,
+		cadence, transitionVersion, priorCadence string,
+		skip ...string,
+	) ([]string, error) {
+		req := &releases.ListVersionsReq{
+			VersionLister:     tc.VersionLister,
+			ProductName:       product,
+			LicenseClass:      edition,
+			UpperBound:        upperBound,
+			NMinus:            nminus,
+			Cadence:           releases.VersionCadence(cadence),
+			TransitionVersion: transitionVersion,
+			PriorCadence:      releases.VersionCadence(priorCadence),
+			Skip:              skip,
+		}
+
+		res, err := req.Run(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		return res.Versions, nil
+	}
+}
+
+// versionsBoundedTransitionFunc returns a function that lists released versions
+// using explicit bounds with cadence support.
+func versionsBoundedTransitionFunc(ctx context.Context, tc *TemplateContext) func(
+	product, edition, upperBound, lowerBound, cadence string,
+	transitionVersion, priorCadence string,
+	skip ...string,
+) ([]string, error) {
+	return func(
+		product, edition, upperBound, lowerBound, cadence string,
+		transitionVersion, priorCadence string,
+		skip ...string,
+	) ([]string, error) {
+		req := &releases.ListVersionsReq{
+			VersionLister:     tc.VersionLister,
+			ProductName:       product,
+			LicenseClass:      edition,
+			UpperBound:        upperBound,
+			LowerBound:        lowerBound,
+			Cadence:           releases.VersionCadence(cadence),
+			TransitionVersion: transitionVersion,
+			PriorCadence:      releases.VersionCadence(priorCadence),
+			Skip:              skip,
+		}
+
+		res, err := req.Run(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		return res.Versions, nil
+	}
+}
+
+// parseVersionFunc parses a version string into a semver.Version
+func parseVersionFunc(version string) (*semver.Version, error) {
+	v, err := semver.NewVersion(version)
+	if err != nil {
+		return nil, err
+	}
+	return v, nil
+}
+
+// compareVersionsFunc compares two version strings
+// Returns: -1 if v1 < v2, 0 if v1 == v2, 1 if v1 > v2
+func compareVersionsFunc(v1, v2 string) (int, error) {
+	ver1, err := semver.NewVersion(v1)
+	if err != nil {
+		return 0, err
+	}
+
+	ver2, err := semver.NewVersion(v2)
+	if err != nil {
+		return 0, err
+	}
+
+	return ver1.Compare(ver2), nil
+}
+
+// filterVersionsFunc filters versions based on a semver constraint
+func filterVersionsFunc(versions []string, constraint string) ([]string, error) {
+	c, err := semver.NewConstraint(constraint)
+	if err != nil {
+		return nil, err
+	}
+
+	var filtered []string
+	for _, v := range versions {
+		ver, err := semver.NewVersion(v)
+		if err != nil {
+			// Skip invalid versions
+			continue
+		}
+		if c.Check(ver) {
+			filtered = append(filtered, v)
+		}
+	}
+
+	return filtered, nil
+}
diff --git a/tools/pipeline/internal/pkg/generate/template_test.go b/tools/pipeline/internal/pkg/generate/template_test.go
new file mode 100644
index 0000000000..58c156760f
--- /dev/null
+++ b/tools/pipeline/internal/pkg/generate/template_test.go
@@ -0,0 +1,650 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package generate
+
+import (
+	"context"
+	"os"
+	"strings"
+	"testing"
+	"text/template"
+	"time"
+
+	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
+	"github.com/stretchr/testify/require"
+)
+
+// Test_GenerateTemplateReq_Run tests running the Test_GenerateTemplateReq's
+// Run with mocked version data.
+func Test_GenerateTemplateReq_Run(t *testing.T) {
+	t.Parallel()
+
+	mockVersions := []string{
+		"1.16.10+ent",
+		"1.17.6+ent",
+		"1.17.5+ent",
+		"1.16.9+ent",
+		"1.17.4+ent",
+		"1.16.8+ent",
+	}
+
+	for name, test := range map[string]struct {
+		req        *GenerateTemplateReq
+		template   string
+		expected   string
+		shouldFail bool
+	}{
+		"template with version context": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `Current Version: {{ .Version }}`,
+			expected: `Current Version: 1.18.0`,
+		},
+		"template without version context": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `{{- if .Version }}Version: {{ .Version }}{{ else }}No version{{ end }}`,
+			expected: `No version`,
+		},
+		"template using version in function": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `{{- $versions := VersionsNMinus "vault" "enterprise" .Version 2 "minor" }}{{ range $versions }}{{ . }} {{ end }}`,
+			expected: `1.16.8 1.16.9 1.16.10 1.17.4 1.17.5 1.17.6`,
+		},
+		"template with GeneratedAt": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `Generated: {{ if .GeneratedAt.IsZero }}zero{{ else }}{{ .GeneratedAt.Format "2006" }}{{ end }}`,
+			expected: `Generated: zero`,
+		},
+		"template with version utilities": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `{{- $v := ParseVersion .Version }}{{ $v.Major }}.{{ $v.Minor }}`,
+			expected: `1.18`,
+		},
+		"template with version comparison": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `{{- $cmp := CompareVersions .Version "1.17.0" }}{{ if eq $cmp 1 }}newer{{ else }}older{{ end }}`,
+			expected: `newer`,
+		},
+		"template with bounded versions": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `{{- $versions := VersionsBounded "vault" "enterprise" "1.17.6" "1.17.4" "minor" }}{{ range $versions }}{{ . }} {{ end }}`,
+			expected: `1.17.4 1.17.5 1.17.6`,
+		},
+		"template with filter versions": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `{{- $all := VersionsNMinus "vault" "enterprise" "1.18.0" 5 "minor" }}{{- $filtered := FilterVersions $all "~1.17.0" }}{{ range $filtered }}{{ . }} {{ end }}`,
+			expected: `1.17.4 1.17.5 1.17.6`,
+		},
+		"complex template with version": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient(mockVersions),
+			},
+			template: `# Version: {{ .Version }}
+{{- $versions := VersionsNMinus "vault" "enterprise" .Version 3 "minor" }}
+Versions:
+{{- range $versions }}
+  - {{ . }}
+{{- end }}`,
+			expected: `# Version: 1.18.0
+Versions:
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6`,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			// Create a temporary template by writing to stdin simulation
+			// For testing, we'll directly set the template content
+			tc := &TemplateContext{
+				VersionLister: test.req.VersionLister,
+				Version:       test.req.Version,
+			}
+
+			// Parse and render template
+			rendered, err := renderTemplateString(t.Context(), tc, test.template)
+			if test.shouldFail {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, test.expected, strings.TrimSpace(string(rendered)))
+		})
+	}
+}
+
+// Test_GenerateTemplateReq_Validate tests running the Test_GenerateTemplateReq's
+// Validate with mocked version data.
+func Test_GenerateTemplateReq_Validate(t *testing.T) {
+	t.Parallel()
+
+	for name, test := range map[string]struct {
+		req        *GenerateTemplateReq
+		shouldFail bool
+	}{
+		"valid request with version": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "test.tmpl",
+				OutputPath:    "output.txt",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient([]string{}),
+			},
+		},
+		"valid request without version": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "test.tmpl",
+				OutputPath:    "output.txt",
+				Version:       "",
+				VersionLister: releases.NewMockClient([]string{}),
+			},
+		},
+		"valid request with stdin": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "-",
+				OutputPath:    "",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient([]string{}),
+			},
+		},
+		"valid request with stdout": {
+			req: &GenerateTemplateReq{
+				TemplatePath:  "test.tmpl",
+				OutputPath:    "",
+				Version:       "1.18.0",
+				VersionLister: releases.NewMockClient([]string{}),
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			if test.shouldFail {
+				require.Nil(t, test.req)
+			} else {
+				require.NotNil(t, test.req)
+				require.NotNil(t, test.req.VersionLister)
+			}
+		})
+	}
+}
+
+// Test_TemplateFunctions tests the template functions.
+func Test_TemplateFunctions(t *testing.T) {
+	t.Parallel()
+
+	mockVersions := []string{
+		"1.14.3+ent",
+		"1.15.6+ent",
+		"1.16.10+ent",
+		"1.17.6+ent",
+		"1.17.5+ent",
+		"1.16.9+ent",
+		"1.17.4+ent",
+	}
+
+	ctx := context.Background()
+	tc := &TemplateContext{
+		VersionLister: releases.NewMockClient(mockVersions),
+		Version:       "1.18.0",
+	}
+
+	t.Run("ParseVersion", func(t *testing.T) {
+		t.Parallel()
+		v, err := parseVersionFunc("1.18.0")
+		require.NoError(t, err)
+		require.Equal(t, int64(1), v.Major())
+		require.Equal(t, int64(18), v.Minor())
+		require.Equal(t, int64(0), v.Patch())
+	})
+
+	t.Run("ParseVersion invalid", func(t *testing.T) {
+		t.Parallel()
+		_, err := parseVersionFunc("invalid")
+		require.Error(t, err)
+	})
+
+	t.Run("CompareVersions", func(t *testing.T) {
+		t.Parallel()
+		cmp, err := compareVersionsFunc("1.18.0", "1.17.0")
+		require.NoError(t, err)
+		require.Equal(t, 1, cmp)
+
+		cmp, err = compareVersionsFunc("1.17.0", "1.18.0")
+		require.NoError(t, err)
+		require.Equal(t, -1, cmp)
+
+		cmp, err = compareVersionsFunc("1.18.0", "1.18.0")
+		require.NoError(t, err)
+		require.Equal(t, 0, cmp)
+	})
+
+	t.Run("FilterVersions", func(t *testing.T) {
+		t.Parallel()
+		versions := []string{"1.16.10", "1.17.6", "1.17.5", "1.17.4"}
+		filtered, err := filterVersionsFunc(versions, "~1.17.0")
+		require.NoError(t, err)
+		require.Equal(t, []string{"1.17.6", "1.17.5", "1.17.4"}, filtered)
+	})
+
+	t.Run("VersionsNMinus", func(t *testing.T) {
+		t.Parallel()
+		fn := versionsNMinusFunc(ctx, tc)
+		versions, err := fn("vault", "enterprise", "1.18.0", 3, "minor")
+		require.NoError(t, err)
+		require.Equal(t, []string{"1.15.6", "1.16.9", "1.16.10", "1.17.4", "1.17.5", "1.17.6"}, versions)
+	})
+
+	t.Run("VersionsBounded", func(t *testing.T) {
+		t.Parallel()
+		fn := versionsBoundedFunc(ctx, tc)
+		versions, err := fn("vault", "enterprise", "1.17.6", "1.17.4", "minor")
+		require.NoError(t, err)
+		require.Equal(t, []string{"1.17.4", "1.17.5", "1.17.6"}, versions)
+	})
+
+	t.Run("VersionsNMinusTransition", func(t *testing.T) {
+		t.Parallel()
+		fn := versionsNMinusTransitionFunc(ctx, tc)
+		versions, err := fn("vault", "enterprise", "1.18.0", 3, "minor", "", "")
+		require.NoError(t, err)
+		require.Equal(t, []string{"1.15.6", "1.16.9", "1.16.10", "1.17.4", "1.17.5", "1.17.6"}, versions)
+	})
+
+	t.Run("VersionsNMinusTransition with transition", func(t *testing.T) {
+		t.Parallel()
+
+		// Mock versions that simulate a cadence transition
+		transitionVersions := []string{
+			"1.15.0+ent",
+			"1.15.1+ent",
+			"1.15.2+ent",
+			"1.16.0+ent",
+			"1.17.0+ent",
+			"1.19.3+ent",
+			"1.19.4+ent",
+			"1.20.1+ent",
+			"1.21.1+ent",
+			"1.21.2+ent",
+			"2.0.0-beta1+ent",
+			"2.0.0+ent",
+			"2.1.0+ent",
+		}
+
+		tc := &TemplateContext{
+			VersionLister: releases.NewMockClient(transitionVersions),
+			Version:       "2.1.1+ent",
+		}
+		fn := versionsNMinusTransitionFunc(ctx, tc)
+
+		// Test major cadence with transition from minor
+		versions, err := fn("vault", "enterprise", "2.1.1", 3, "major", "1.21.2", "minor")
+		require.NoError(t, err)
+		require.Equal(t, []string{"1.19.3", "1.19.4", "1.20.1", "1.21.1", "1.21.2", "2.0.0-beta1", "2.0.0", "2.1.0"}, versions)
+	})
+
+	t.Run("VersionsBoundedTransition", func(t *testing.T) {
+		t.Parallel()
+		// Mock versions that simulate a cadence transition
+		transitionVersions := []string{
+			"1.15.0+ent",
+			"1.15.1+ent",
+			"1.15.2+ent",
+			"1.16.0+ent",
+			"1.17.0+ent",
+			"1.19.3+ent",
+			"1.19.4+ent",
+			"1.20.1+ent",
+			"1.21.1+ent",
+			"1.21.2+ent",
+			"2.0.0-beta1+ent",
+			"2.0.0+ent",
+			"2.1.0+ent",
+		}
+
+		tc := &TemplateContext{
+			VersionLister: releases.NewMockClient(transitionVersions),
+			Version:       "2.1.1+ent",
+		}
+		fn := versionsBoundedTransitionFunc(ctx, tc)
+
+		// Test major cadence with transition from minor
+		versions, err := fn("vault", "enterprise", "2.1.1", "1.20.1", "major", "1.21.2", "minor")
+		require.NoError(t, err)
+
+		// Test with minor cadence
+		require.NoError(t, err)
+		require.Equal(t, []string{"1.20.1", "1.21.1", "1.21.2", "2.0.0-beta1", "2.0.0", "2.1.0"}, versions)
+	})
+}
+
+// Test_FixtureTemplates tests rendering our templates in ./fixtures
+func Test_FixtureTemplates(t *testing.T) {
+	t.Parallel()
+
+	mockVersions := []string{
+		"1.16.10+ent",
+		"1.17.6+ent",
+		"1.17.5+ent",
+		"1.16.9+ent",
+		"1.17.4+ent",
+		"1.16.8+ent",
+		"1.17.0+ent",
+		"1.17.1+ent",
+		"1.17.2+ent",
+		"1.17.3+ent",
+		"1.18.0+ent",
+	}
+
+	// Fixed time for consistent test output
+	fixedTime := time.Date(2024, 1, 15, 10, 30, 0, 0, time.UTC)
+
+	for name, test := range map[string]struct {
+		fixturePath string
+		version     string
+		expected    string
+	}{
+		"test-template.tmpl": {
+			fixturePath: "fixtures/test-template.tmpl",
+			version:     "1.18.0",
+			expected: `# Generated at 2024-01-15 10:30:00
+# Current Version: 1.18.0
+
+# Get last 3 versions before current version
+Versions (N-Minus 3):
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+# Example: Get versions between bounds
+Versions (Bounded 1.17.0 to 1.18.0):
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+`,
+		},
+		"test-functions.tmpl": {
+			fixturePath: "fixtures/test-functions.tmpl",
+			version:     "1.18.0",
+			expected: `# Template Functions Test
+# Generated at 2024-01-15 10:30:00
+
+## Current Version Context
+- Current Version: 1.18.0
+
+## Version Utilities
+
+### ParseVersion
+- ParseVersion 1.16.0: 1.16.0
+- ParseVersion 1.17.0: 1.17.0
+
+### CompareVersions
+- CompareVersions 1.16.0 vs 1.17.0: -1
+  (Returns: -1 if v1 < v2, 0 if equal, 1 if v1 > v2)
+
+## Version Listing Functions
+
+### VersionsNMinus
+Get last 3 versions before current version (1.18.0):
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+### VersionsBounded
+Get versions between 1.17.0 and 1.18.0:
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+### FilterVersions
+All versions (last 5):
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+Filtered to ~1.17.0:
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+
+### Skip Versions
+Get versions skipping 1.17.5:
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.6
+  - 1.18.0
+
+### Version Comparison in Template Logic
+1.18.0 is newer than 1.17.0
+`,
+		},
+		"test-cadence.tmpl": {
+			fixturePath: "fixtures/test-cadence.tmpl",
+			version:     "1.18.0",
+			expected: `# Cadence Template Test
+# Generated at 2024-01-15 10:30:00
+
+## Current Version Context
+- Current Version: 1.18.0
+
+## Cadence Functions
+
+### VersionsNMinus - Minor Cadence
+Get last 3 versions with minor cadence:
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+### VersionsNMinus - Major Cadence
+Get last 1 version with major cadence:
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+### VersionsNMinusTransition
+Get versions with cadence transition (major cadence, transitioned from minor at 1.15.2):
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+### VersionsBoundedTransition - With Transition
+Get versions with cadence transition (major cadence, transitioned from minor at 1.15.2):
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+## Comparison: Regular vs Cadence Functions
+
+### Regular VersionsNMinus (no cadence awareness)
+Regular (11 versions):
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+
+### Cadence-aware VersionsNMinusTransition (minor cadence)
+Cadence-aware (11 versions):
+  - 1.16.8
+  - 1.16.9
+  - 1.16.10
+  - 1.17.0
+  - 1.17.1
+  - 1.17.2
+  - 1.17.3
+  - 1.17.4
+  - 1.17.5
+  - 1.17.6
+  - 1.18.0
+`,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := context.Background()
+			tc := &TemplateContext{
+				GeneratedAt:   fixedTime,
+				VersionLister: releases.NewMockClient(mockVersions),
+				Version:       test.version,
+			}
+
+			// Read and render the template directly
+			body, err := os.ReadFile(test.fixturePath)
+			require.NoError(t, err)
+
+			tmpl, err := template.New("test").Funcs(templateFuncsFor(ctx, tc)).Parse(string(body))
+			require.NoError(t, err)
+
+			var buf strings.Builder
+			err = tmpl.Execute(&buf, tc)
+			require.NoError(t, err)
+			require.Equal(t, test.expected, buf.String())
+		})
+	}
+}
+
+// renderTemplateString is a helper function to render a template string for testing
+func renderTemplateString(ctx context.Context, tc *TemplateContext, templateStr string) ([]byte, error) {
+	// We need to simulate the template rendering without file I/O
+	tmpl, err := template.New("test").Funcs(templateFuncsFor(ctx, tc)).Parse(templateStr)
+	if err != nil {
+		return nil, err
+	}
+
+	var buf strings.Builder
+	if err := tmpl.Execute(&buf, tc); err != nil {
+		return nil, err
+	}
+
+	return []byte(buf.String()), nil
+}
diff --git a/tools/pipeline/internal/pkg/github/add_assignees.go b/tools/pipeline/internal/pkg/github/add_assignees.go
index 580d2a52bb..1b7bcb8d0f 100644
--- a/tools/pipeline/internal/pkg/github/add_assignees.go
+++ b/tools/pipeline/internal/pkg/github/add_assignees.go
@@ -8,7 +8,7 @@ import (
 	"log/slog"
 	"slices"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )
 
diff --git a/tools/pipeline/internal/pkg/github/add_assignees_test.go b/tools/pipeline/internal/pkg/github/add_assignees_test.go
new file mode 100644
index 0000000000..7c40d95a10
--- /dev/null
+++ b/tools/pipeline/internal/pkg/github/add_assignees_test.go
@@ -0,0 +1,188 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package github
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	libgithub "github.com/google/go-github/v83/github"
+	"github.com/stretchr/testify/require"
+)
+
+// Test_addAssignees tests the addAssignees helper function with various input scenarios
+// including single/multiple assignees, empty lists, filtering of empty strings, and
+// deduplication of logins.
+func Test_addAssignees(t *testing.T) {
+	t.Parallel()
+
+	for name, test := range map[string]struct {
+		logins        []string
+		shouldCall    bool
+		expectedError bool
+	}{
+		"single assignee": {
+			logins:     []string{"user1"},
+			shouldCall: true,
+		},
+		"multiple assignees": {
+			logins:     []string{"user1", "user2", "user3"},
+			shouldCall: true,
+		},
+		"empty login list": {
+			logins:     []string{},
+			shouldCall: false,
+		},
+		"nil login list": {
+			logins:     nil,
+			shouldCall: false,
+		},
+		"logins with empty strings": {
+			logins:     []string{"user1", "", "user2", ""},
+			shouldCall: true, // Empty strings should be filtered out
+		},
+		"only empty strings": {
+			logins:     []string{"", "", ""},
+			shouldCall: false, // All empty, should skip
+		},
+		"duplicate logins": {
+			logins:     []string{"user1", "user1", "user2"},
+			shouldCall: true, // Duplicates should be compacted
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			called := false
+			client, mux, teardown := setupTestClient(t)
+			defer teardown()
+
+			if test.shouldCall {
+				mux.HandleFunc("/repos/test-owner/test-repo/issues/123/assignees", func(w http.ResponseWriter, r *http.Request) {
+					require.Equal(t, http.MethodPost, r.Method)
+					called = true
+					w.WriteHeader(http.StatusCreated)
+					w.Write([]byte(`{"assignees": []}`))
+				})
+			}
+
+			err := addAssignees(
+				context.Background(),
+				client,
+				"test-owner",
+				"test-repo",
+				123,
+				test.logins,
+			)
+
+			if test.expectedError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			require.Equal(t, test.shouldCall, called, "API call expectation mismatch")
+		})
+	}
+}
+
+// Test_addReviewers tests the addReviewers helper function with various input scenarios
+// including single/multiple reviewers, empty lists, filtering of empty strings, and
+// deduplication of logins.
+func Test_addReviewers(t *testing.T) {
+	t.Parallel()
+
+	for name, test := range map[string]struct {
+		logins        []string
+		shouldCall    bool
+		expectedError bool
+	}{
+		"single reviewer": {
+			logins:     []string{"user1"},
+			shouldCall: true,
+		},
+		"multiple reviewers": {
+			logins:     []string{"user1", "user2", "user3"},
+			shouldCall: true,
+		},
+		"empty login list": {
+			logins:     []string{},
+			shouldCall: false,
+		},
+		"nil login list": {
+			logins:     nil,
+			shouldCall: false,
+		},
+		"logins with empty strings": {
+			logins:     []string{"user1", "", "user2", ""},
+			shouldCall: true, // Empty strings should be filtered out
+		},
+		"only empty strings": {
+			logins:     []string{"", "", ""},
+			shouldCall: false, // All empty, should skip
+		},
+		"duplicate logins": {
+			logins:     []string{"user1", "user1", "user2"},
+			shouldCall: true, // Duplicates should be compacted
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			called := false
+			client, mux, teardown := setupTestClient(t)
+			defer teardown()
+
+			if test.shouldCall {
+				mux.HandleFunc("/repos/test-owner/test-repo/pulls/123/requested_reviewers", func(w http.ResponseWriter, r *http.Request) {
+					require.Equal(t, http.MethodPost, r.Method)
+					called = true
+					w.WriteHeader(http.StatusCreated)
+					w.Write([]byte(`{"users": [], "teams": []}`))
+				})
+			}
+
+			err := addReviewers(
+				context.Background(),
+				client,
+				"test-owner",
+				"test-repo",
+				123,
+				test.logins,
+			)
+
+			if test.expectedError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			require.Equal(t, test.shouldCall, called, "API call expectation mismatch")
+		})
+	}
+}
+
+// setupTestClient creates a test GitHub client with a mock HTTP server for testing.
+// It returns the client, the HTTP mux for registering handlers, and a teardown function
+// that should be called to clean up the server when the test completes.
+func setupTestClient(t *testing.T) (*libgithub.Client, *http.ServeMux, func()) {
+	t.Helper()
+
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+
+	client := libgithub.NewClient(nil)
+	serverURL, err := url.Parse(server.URL + "/")
+	require.NoError(t, err)
+	client.BaseURL = serverURL
+
+	teardown := func() {
+		server.Close()
+	}
+
+	return client, mux, teardown
+}
diff --git a/tools/pipeline/internal/pkg/github/add_reviewers.go b/tools/pipeline/internal/pkg/github/add_reviewers.go
new file mode 100644
index 0000000000..e8e765f6b8
--- /dev/null
+++ b/tools/pipeline/internal/pkg/github/add_reviewers.go
@@ -0,0 +1,39 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package github
+
+import (
+	"context"
+	"log/slog"
+	"slices"
+
+	libgithub "github.com/google/go-github/v83/github"
+	slogctx "github.com/veqryn/slog-context"
+)
+
+// addReviewers requests reviews from the given logins on the pull request
+func addReviewers(
+	ctx context.Context,
+	github *libgithub.Client,
+	owner string,
+	repo string,
+	number int,
+	logins []string,
+) error {
+	logins = slices.Compact(slices.DeleteFunc(logins, func(a string) bool {
+		return a == ""
+	}))
+	ctx = slogctx.Append(ctx, slog.Any("reviewer-logins", logins))
+
+	if len(logins) < 1 {
+		slog.Default().InfoContext(ctx, "skipping pull request review requests because no logins were provided")
+		return nil
+	}
+
+	slog.Default().DebugContext(ctx, "requesting reviews on pull request")
+	_, _, err := github.PullRequests.RequestReviewers(ctx, owner, repo, number, libgithub.ReviewersRequest{
+		Reviewers: logins,
+	})
+	return err
+}
diff --git a/tools/pipeline/internal/pkg/github/check_commit_status.go b/tools/pipeline/internal/pkg/github/check_commit_status.go
index 7496e704c5..2bab6654be 100644
--- a/tools/pipeline/internal/pkg/github/check_commit_status.go
+++ b/tools/pipeline/internal/pkg/github/check_commit_status.go
@@ -10,7 +10,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 )
 
diff --git a/tools/pipeline/internal/pkg/github/check_go_mod_diff_request.go b/tools/pipeline/internal/pkg/github/check_go_mod_diff_request.go
index 0009a4b56c..33c1124ec7 100644
--- a/tools/pipeline/internal/pkg/github/check_go_mod_diff_request.go
+++ b/tools/pipeline/internal/pkg/github/check_go_mod_diff_request.go
@@ -11,7 +11,7 @@ import (
 	"log/slog"
 	"os"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	libgit "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/golang"
 	"github.com/jedib0t/go-pretty/v6/table"
diff --git a/tools/pipeline/internal/pkg/github/close_copied_origin_pull_request.go b/tools/pipeline/internal/pkg/github/close_copied_origin_pull_request.go
index 4cf9683b9b..dcdb4d5bad 100644
--- a/tools/pipeline/internal/pkg/github/close_copied_origin_pull_request.go
+++ b/tools/pipeline/internal/pkg/github/close_copied_origin_pull_request.go
@@ -12,7 +12,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/shurcooL/githubv4"
 	slogctx "github.com/veqryn/slog-context"
diff --git a/tools/pipeline/internal/pkg/github/commit.go b/tools/pipeline/internal/pkg/github/commit.go
index da852d810d..5e5c0c392f 100644
--- a/tools/pipeline/internal/pkg/github/commit.go
+++ b/tools/pipeline/internal/pkg/github/commit.go
@@ -7,7 +7,7 @@ import (
 	"context"
 	"log/slog"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )
 
diff --git a/tools/pipeline/internal/pkg/github/copy_pull_request.go b/tools/pipeline/internal/pkg/github/copy_pull_request.go
index 5f9c2effe3..5214194bcd 100644
--- a/tools/pipeline/internal/pkg/github/copy_pull_request.go
+++ b/tools/pipeline/internal/pkg/github/copy_pull_request.go
@@ -15,7 +15,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	libgit "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"
 	"github.com/jedib0t/go-pretty/v6/table"
 	slogctx "github.com/veqryn/slog-context"
diff --git a/tools/pipeline/internal/pkg/github/copy_pull_request_test.go b/tools/pipeline/internal/pkg/github/copy_pull_request_test.go
index a042ad2141..6c3b585b36 100644
--- a/tools/pipeline/internal/pkg/github/copy_pull_request_test.go
+++ b/tools/pipeline/internal/pkg/github/copy_pull_request_test.go
@@ -6,7 +6,7 @@ package github
 import (
 	"testing"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/stretchr/testify/require"
 )
 
diff --git a/tools/pipeline/internal/pkg/github/create_backport.go b/tools/pipeline/internal/pkg/github/create_backport.go
index e3ea4b78be..31441e5f46 100644
--- a/tools/pipeline/internal/pkg/github/create_backport.go
+++ b/tools/pipeline/internal/pkg/github/create_backport.go
@@ -15,7 +15,7 @@ import (
 	"slices"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	libgit "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"
@@ -677,7 +677,6 @@ func (r *CreateBackportReq) backportRef(
 			Strategy: libgit.MergeStrategyORT,
 			StrategyOptions: []libgit.MergeStrategyOption{
 				libgit.MergeStrategyOptionTheirs,
-				libgit.MergeStrategyOptionIgnoreSpaceChange,
 			},
 		})
 		if err != nil {
@@ -760,6 +759,35 @@ func (r *CreateBackportReq) backportRef(
 		return res
 	}
 
+	// Request review from the PR author
+	err = addReviewers(
+		ctx,
+		github,
+		r.Owner,
+		r.Repo,
+		int(res.PullRequest.GetNumber()),
+		[]string{pr.GetUser().GetLogin()},
+	)
+	if err != nil {
+		res.Error = fmt.Errorf("requesting review from PR author on backport pull request %w", err)
+		return res
+	}
+
+	// Copy non-backport labels from the original PR to the backport PR
+	labelsToAdd := filterNonBackportLabels(pr.Labels, r.BackportLabelPrefix)
+	err = addLabelsToIssue(
+		ctx,
+		github,
+		r.Owner,
+		r.Repo,
+		int(res.PullRequest.GetNumber()),
+		labelsToAdd,
+	)
+	if err != nil {
+		res.Error = fmt.Errorf("adding labels to backport PR: %w", err)
+		return res
+	}
+
 	return res
 }
 
diff --git a/tools/pipeline/internal/pkg/github/create_backport_test.go b/tools/pipeline/internal/pkg/github/create_backport_test.go
index 6c627fa6ec..c6f43d705f 100644
--- a/tools/pipeline/internal/pkg/github/create_backport_test.go
+++ b/tools/pipeline/internal/pkg/github/create_backport_test.go
@@ -8,7 +8,7 @@ import (
 	"errors"
 	"testing"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/releases"
@@ -746,3 +746,76 @@ func TestCreateBackportRes_Err(t *testing.T) {
 		})
 	}
 }
+
+// Test_filterNonBackportLabels tests the label filtering functionality
+func Test_filterNonBackportLabels(t *testing.T) {
+	t.Parallel()
+
+	for name, test := range map[string]struct {
+		backportPrefix string
+		sourceLabels   Labels
+		expectedLabels []string
+	}{
+		"no labels": {
+			backportPrefix: "backport",
+			sourceLabels:   Labels{},
+			expectedLabels: nil,
+		},
+		"only backport labels": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.19.x")},
+			},
+			expectedLabels: nil,
+		},
+		"mixed labels": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("bug")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/ce/main")},
+				&libgithub.Label{Name: libgithub.Ptr("docs")},
+			},
+			expectedLabels: []string{"bug", "enhancement", "docs"},
+		},
+		"no backport labels": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("bug")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+				&libgithub.Label{Name: libgithub.Ptr("docs")},
+				&libgithub.Label{Name: libgithub.Ptr("priority/high")},
+			},
+			expectedLabels: []string{"bug", "enhancement", "docs", "priority/high"},
+		},
+		"custom backport prefix": {
+			backportPrefix: "cherry-pick",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("bug")},
+				&libgithub.Label{Name: libgithub.Ptr("cherry-pick/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+			},
+			expectedLabels: []string{"bug", "enhancement"},
+		},
+		"backport-like but different prefix": {
+			backportPrefix: "backport",
+			sourceLabels: Labels{
+				&libgithub.Label{Name: libgithub.Ptr("backup/daily")},
+				&libgithub.Label{Name: libgithub.Ptr("backport/1.18.x")},
+				&libgithub.Label{Name: libgithub.Ptr("enhancement")},
+			},
+			expectedLabels: []string{"backup/daily", "enhancement"},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			filteredLabels := filterNonBackportLabels(test.sourceLabels, test.backportPrefix)
+
+			require.Equal(t, test.expectedLabels, filteredLabels,
+				"filtered labels should match expected labels")
+		})
+	}
+}
diff --git a/tools/pipeline/internal/pkg/github/find_workflow_artifact.go b/tools/pipeline/internal/pkg/github/find_workflow_artifact.go
index 3bdccb90d3..636ddfe945 100644
--- a/tools/pipeline/internal/pkg/github/find_workflow_artifact.go
+++ b/tools/pipeline/internal/pkg/github/find_workflow_artifact.go
@@ -13,7 +13,7 @@ import (
 	"regexp"
 	"slices"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 	slogctx "github.com/veqryn/slog-context"
 )
diff --git a/tools/pipeline/internal/pkg/github/issue.go b/tools/pipeline/internal/pkg/github/issue.go
index e817c82c00..ab65cddc5c 100644
--- a/tools/pipeline/internal/pkg/github/issue.go
+++ b/tools/pipeline/internal/pkg/github/issue.go
@@ -7,7 +7,7 @@ import (
 	"context"
 	"log/slog"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )
 
diff --git a/tools/pipeline/internal/pkg/github/labels.go b/tools/pipeline/internal/pkg/github/labels.go
new file mode 100644
index 0000000000..4f5b60e53c
--- /dev/null
+++ b/tools/pipeline/internal/pkg/github/labels.go
@@ -0,0 +1,54 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package github
+
+import (
+	"context"
+	"log/slog"
+	"strings"
+
+	libgithub "github.com/google/go-github/v83/github"
+	slogctx "github.com/veqryn/slog-context"
+)
+
+// filterNonBackportLabels returns a slice of label names that do not have the
+// specified backport prefix, filtering out backport labels from the input labels
+func filterNonBackportLabels(labels Labels, backportPrefix string) []string {
+	var labelsToAdd []string
+	for _, label := range labels {
+		if label.GetName() != "" && !strings.HasPrefix(label.GetName(), backportPrefix+"/") {
+			labelsToAdd = append(labelsToAdd, label.GetName())
+		}
+	}
+	return labelsToAdd
+}
+
+// addLabelsToIssue adds the given labels to the issue or pull request
+func addLabelsToIssue(
+	ctx context.Context,
+	github *libgithub.Client,
+	owner string,
+	repo string,
+	number int,
+	labels []string,
+) error {
+	if len(labels) < 1 {
+		slog.Default().DebugContext(ctx, "skipping label assignment because no labels were provided")
+		return nil
+	}
+
+	ctx = slogctx.Append(ctx,
+		slog.String("labels", strings.Join(labels, ", ")),
+		slog.Int("issue-number", number),
+	)
+
+	slog.Default().DebugContext(ctx, "adding labels to issue or pull request")
+	_, _, err := github.Issues.AddLabelsToIssue(ctx, owner, repo, number, labels)
+	if err != nil {
+		return err
+	}
+
+	slog.Default().DebugContext(ctx, "successfully added labels to issue or pull request")
+	return nil
+}
diff --git a/tools/pipeline/internal/pkg/github/list_changed_files.go b/tools/pipeline/internal/pkg/github/list_changed_files.go
index 23b1279c98..994b3c1251 100644
--- a/tools/pipeline/internal/pkg/github/list_changed_files.go
+++ b/tools/pipeline/internal/pkg/github/list_changed_files.go
@@ -10,7 +10,7 @@ import (
 	"fmt"
 	"strings"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/changed"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	"github.com/jedib0t/go-pretty/v6/table"
diff --git a/tools/pipeline/internal/pkg/github/list_commit_statuses.go b/tools/pipeline/internal/pkg/github/list_commit_statuses.go
index 6e91399e0f..1efa061b54 100644
--- a/tools/pipeline/internal/pkg/github/list_commit_statuses.go
+++ b/tools/pipeline/internal/pkg/github/list_commit_statuses.go
@@ -8,7 +8,7 @@ import (
 	"errors"
 	"fmt"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/jedib0t/go-pretty/v6/table"
 )
 
diff --git a/tools/pipeline/internal/pkg/github/list_workflow_runs.go b/tools/pipeline/internal/pkg/github/list_workflow_runs.go
index e4af16a646..9cb45f6cf2 100644
--- a/tools/pipeline/internal/pkg/github/list_workflow_runs.go
+++ b/tools/pipeline/internal/pkg/github/list_workflow_runs.go
@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"sync"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 )
 
 // PerPageMax is the maximum number of entities to request for enpoints that
diff --git a/tools/pipeline/internal/pkg/github/pull_request.go b/tools/pipeline/internal/pkg/github/pull_request.go
index df1e274c41..bb5300b629 100644
--- a/tools/pipeline/internal/pkg/github/pull_request.go
+++ b/tools/pipeline/internal/pkg/github/pull_request.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"log/slog"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/shurcooL/githubv4"
 	slogctx "github.com/veqryn/slog-context"
 )
diff --git a/tools/pipeline/internal/pkg/github/sync_branch_request.go b/tools/pipeline/internal/pkg/github/sync_branch_request.go
index 93e5464711..69b7510245 100644
--- a/tools/pipeline/internal/pkg/github/sync_branch_request.go
+++ b/tools/pipeline/internal/pkg/github/sync_branch_request.go
@@ -13,7 +13,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/hashicorp/vault/tools/pipeline/internal/pkg/config"
 	gitpkg "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git"
 	gitclient "github.com/hashicorp/vault/tools/pipeline/internal/pkg/git/client"
diff --git a/tools/pipeline/internal/pkg/github/templates_test.go b/tools/pipeline/internal/pkg/github/templates_test.go
index 83d61bf674..38e963d17c 100644
--- a/tools/pipeline/internal/pkg/github/templates_test.go
+++ b/tools/pipeline/internal/pkg/github/templates_test.go
@@ -8,7 +8,7 @@ import (
 	"io"
 	"testing"
 
-	libgithub "github.com/google/go-github/v81/github"
+	libgithub "github.com/google/go-github/v83/github"
 	"github.com/stretchr/testify/require"
 )
 
diff --git a/tools/pipeline/internal/pkg/github/workflows.go b/tools/pipeline/internal/pkg/github/workflows.go
index 0bc86120ea..029718a182 100644
--- a/tools/pipeline/internal/pkg/github/workflows.go
+++ b/tools/pipeline/internal/pkg/github/workflows.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"log/slog"
 
-	gh "github.com/google/go-github/v81/github"
+	gh "github.com/google/go-github/v83/github"
 	slogctx "github.com/veqryn/slog-context"
 )
 
diff --git a/tools/pipeline/internal/pkg/releases/list_versions.go b/tools/pipeline/internal/pkg/releases/list_versions.go
index 2e48a347b4..a26d30e9d8 100644
--- a/tools/pipeline/internal/pkg/releases/list_versions.go
+++ b/tools/pipeline/internal/pkg/releases/list_versions.go
@@ -15,13 +15,33 @@ import (
 	slogctx "github.com/veqryn/slog-context"
 )
 
+// VersionCadence defines the type of version increment for n-minus calculations.
+type VersionCadence string
+
+const (
+	// CadenceMinor increments by minor version (e.g., 1.20 -> 1.17 for n-minus 3)
+	CadenceMinor VersionCadence = "minor"
+
+	// CadenceMajor increments by major version (e.g., 5.0.0 -> 2.0.0 for n-minus 3)
+	CadenceMajor VersionCadence = "major"
+)
+
 // ListVersionsReq is a request to list versions from the releases API.
 type ListVersionsReq struct {
-	UpperBound   string
-	LowerBound   string
-	NMinus       uint
-	Skip         []string
-	LicenseClass string
+	UpperBound string         // The upper bound of our range
+	LowerBound string         // The lower bound of our range
+	NMinus     uint           // Another way of specifying our lower bound. Calculate our lower as upper-N
+	Cadence    VersionCadence // The release candence to use when calculating the lower bound from n-minus
+	// If we transitioned from a different cadence, this is the _last_ version in that cadence
+	TransitionVersion string
+	// If we've transitioned from one release candence to another, eg: minor releases to major, which version is the transition
+	PriorCadence VersionCadence
+
+	Skip         []string // Specifically exclude some versions from the list
+	LicenseClass string   // Which license class to look for, either
+
+	ProductName string // Which product to search for
+
 	VersionLister
 }
 
@@ -40,6 +60,10 @@ func (req *ListVersionsReq) Validate(ctx context.Context) error {
 		return errors.New("releases list versions req: unitialized")
 	}
 
+	if req.ProductName == "" {
+		return errors.New("no product name provided")
+	}
+
 	// Allow callers to pass in "oss" or "ce" but always rewrite it to what the releases API expects.
 	if slices.Contains(metadata.CeEditions, req.LicenseClass) {
 		req.LicenseClass = string(LicenseClassCE)
@@ -63,6 +87,34 @@ func (req *ListVersionsReq) Validate(ctx context.Context) error {
 		return errors.New("releases list versions req: only one of a lower bound floor or nminus option can be configured")
 	}
 
+	// Validate cadence configuration
+	if req.Cadence != "" && req.Cadence != CadenceMinor && req.Cadence != CadenceMajor {
+		return fmt.Errorf("releases list versions req: invalid cadence: %s: must be 'minor' or 'major'", req.Cadence)
+	}
+
+	// If transition version is specified, transition cadence must also be specified
+	if req.TransitionVersion != "" {
+		if req.PriorCadence == "" {
+			return errors.New("releases list versions req: transition cadence must be specified when transition version is set")
+		}
+		if req.PriorCadence != CadenceMinor && req.PriorCadence != CadenceMajor {
+			return fmt.Errorf("releases list versions req: invalid transition cadence: %s: must be 'minor' or 'major'", req.PriorCadence)
+		}
+		if req.PriorCadence == req.Cadence {
+			return errors.New("releases list versions req: transition cadence must be different from current cadence")
+		}
+		// Validate transition version is a valid semver
+		_, err := semver.NewVersion(req.TransitionVersion)
+		if err != nil {
+			return fmt.Errorf("releases list versions req: invalid transition version: %w", err)
+		}
+	}
+
+	// If transition cadence is specified, transition version must also be specified
+	if req.PriorCadence != "" && req.TransitionVersion == "" {
+		return errors.New("releases list versions req: transition version must be specified when transition cadence is set")
+	}
+
 	return nil
 }
 
@@ -80,27 +132,11 @@ func (req *ListVersionsReq) VersionRange() (*semver.Version, *semver.Version, er
 			return nil, nil, fmt.Errorf("releases list versions req: invalid lower bound version: %w", err)
 		}
 	} else if req.NMinus != 0 {
-		// This is quite naive. We only consider minor versions and pay no attention to whether or not
-		// going backwards should bump us back to a different major/minor version. We also do not
-		// consider preleases here at all so RC's will still go back two minor versions. In the event
-		// that we bump major versions we'll have to revisit this.
-		floor, err = semver.NewVersion(req.UpperBound)
-		if err != nil {
-			return nil, nil, fmt.Errorf("releases list versions req: invalid upper bound version: %w", err)
-		}
-
-		minor := floor.Minor() - int64(req.NMinus)
-		if minor < 0 {
-			return nil, nil, fmt.Errorf("releases list versions req: impossible nminus version, cannot subtract %d from %d", req.NMinus, floor.Minor())
-		}
-
-		// Create a new version with the new minor. Always set the patch to zero to allow for the full
-		// range.
-		nv := fmt.Sprintf("%d.%d.0", floor.Major(), minor)
-		floor, err = semver.NewVersion(nv)
-		if err != nil {
-			return nil, nil, fmt.Errorf("releases list versions req: invalid nminus version: %s", nv)
+		// Calculate floor based on cadence
+		if req.TransitionVersion != "" {
+			return req.calculateFloorWithTransition(ceil)
 		}
+		return req.calculateFloor(ceil)
 	} else {
 		return nil, nil, fmt.Errorf("releases list versions req: no floor version or nminus has been specified")
 	}
@@ -108,6 +144,123 @@ func (req *ListVersionsReq) VersionRange() (*semver.Version, *semver.Version, er
 	return floor, ceil, nil
 }
 
+// calculateFloor calculates the floor version based on the current cadence
+func (req *ListVersionsReq) calculateFloor(ceil *semver.Version) (*semver.Version, *semver.Version, error) {
+	// Default to minor cadence for backward compatibility
+	cadence := req.Cadence
+	if cadence == "" {
+		cadence = CadenceMinor
+	}
+
+	switch cadence {
+	case CadenceMajor:
+		return req.calculateMajorCadenceFloor(ceil)
+	case CadenceMinor:
+		return req.calculateMinorCadenceFloor(ceil)
+	default:
+		return nil, nil, fmt.Errorf("releases list versions req: unknown cadence: %s", cadence)
+	}
+}
+
+// calculateMinorCadenceFloor calculates the floor version using minor version increments
+func (req *ListVersionsReq) calculateMinorCadenceFloor(ceil *semver.Version) (*semver.Version, *semver.Version, error) {
+	minor := ceil.Minor() - int64(req.NMinus)
+	if minor < 0 {
+		return nil, nil, fmt.Errorf("releases list versions req: impossible nminus: cannot subtract %d from minor version %d", req.NMinus, ceil.Minor())
+	}
+
+	floorStr := fmt.Sprintf("%d.%d.0", ceil.Major(), minor)
+	floor, err := semver.NewVersion(floorStr)
+	if err != nil {
+		return nil, nil, fmt.Errorf("releases list versions req: invalid calculated floor: %s: %w", floorStr, err)
+	}
+
+	return floor, ceil, nil
+}
+
+// calculateMajorCadenceFloor calculates the floor version using major version increments
+func (req *ListVersionsReq) calculateMajorCadenceFloor(ceil *semver.Version) (*semver.Version, *semver.Version, error) {
+	major := ceil.Major() - int64(req.NMinus)
+	if major < 0 {
+		return nil, nil, fmt.Errorf("releases list versions req: impossible nminus: cannot subtract %d from major version %d", req.NMinus, ceil.Major())
+	}
+
+	floorStr := fmt.Sprintf("%d.0.0", major)
+	floor, err := semver.NewVersion(floorStr)
+	if err != nil {
+		return nil, nil, fmt.Errorf("releases list versions req: invalid calculated floor: %s: %w", floorStr, err)
+	}
+
+	return floor, ceil, nil
+}
+
+// decrement takes in a version and a cadence and returns a new version that has been decremented
+// based on the cadence.
+func (req *ListVersionsReq) decrement(ver *semver.Version, cadence VersionCadence) (*semver.Version, error) {
+	var vs string
+
+	switch cadence {
+	case CadenceMajor:
+		vs = fmt.Sprintf("%d.0.0", ver.Major()-1)
+	case CadenceMinor:
+		vs = fmt.Sprintf("%d.%d.0", ver.Major(), ver.Minor()-1)
+	default:
+		return nil, fmt.Errorf("unsupported cadence: %s", cadence)
+	}
+
+	v, err := semver.NewVersion(vs)
+	if err != nil {
+		err = fmt.Errorf("decrementing version %s from candence %s to %s: %w", ver.String(), cadence, vs, err)
+	}
+
+	return v, err
+}
+
+// calculateFloorWithTransition calculates the floor version when transitioning between cadences
+func (req *ListVersionsReq) calculateFloorWithTransition(ceil *semver.Version) (*semver.Version, *semver.Version, error) {
+	transition, err := semver.NewVersion(req.TransitionVersion)
+	if err != nil {
+		return nil, nil, fmt.Errorf("releases list versions req: invalid transition version: %w", err)
+	}
+
+	// Default to minor cadence for backward compatibility
+	if req.Cadence == "" {
+		req.Cadence = CadenceMinor
+	}
+
+	floor, err := semver.NewVersion(ceil.String())
+	if err != nil {
+		return nil, nil, fmt.Errorf("releases list versions req: invalid ceiling version: %w", err)
+	}
+
+	// Interate backwards with the current cadence unless we're equal to our transition version
+	for range req.NMinus {
+		// If our floor is less than the transition or equal to it then we're using the prior candence
+		if floor.LessThan(transition) || floor.Equal(transition) {
+			floor, err = req.decrement(floor, req.PriorCadence)
+			if err != nil {
+				return nil, nil, fmt.Errorf("releases list versions req: calculating nminus floor with transition: %w", err)
+			}
+		} else {
+			// Our floor is greater than the transition. Test if we decrement the current cadence. If we
+			// Go below the transition then our current floor is the transition.
+			floor, err = req.decrement(floor, req.Cadence)
+			if err != nil {
+				return nil, nil, fmt.Errorf("releases list versions req: calculating nminus floor with transition: %w", err)
+			}
+
+			if floor.LessThan(transition) {
+				floor, err = semver.NewVersion(transition.String())
+				if err != nil {
+					return nil, nil, fmt.Errorf("releases list versions req: calculating nminus floor with transition: %w", err)
+				}
+			}
+		}
+	}
+
+	return floor, ceil, nil
+}
+
 // Run the versions between request by determining our upper and lower version boundaries, using
 // them to get a list of versions from the configured VersionLister, and then filtering out any
 // skipped versions.
@@ -123,6 +276,9 @@ func (req *ListVersionsReq) Run(ctx context.Context) (*ListVersionsRes, error) {
 		slog.String("lower-bound", req.LowerBound),
 		slog.Uint64("n-minus", uint64(req.NMinus)),
 		slog.String("edition", string(req.LicenseClass)),
+		slog.String("cadence", string(req.Cadence)),
+		slog.String("transition-version", req.TransitionVersion),
+		slog.String("prior-cadence", string(req.PriorCadence)),
 		"skip", req.Skip,
 	)
 	slog.Default().DebugContext(ctx, "running releases list version request")
@@ -139,7 +295,7 @@ func (req *ListVersionsReq) Run(ctx context.Context) (*ListVersionsRes, error) {
 	}
 
 	versions, err := req.VersionLister.ListVersions(
-		ctx, "vault", LicenseClass(req.LicenseClass), ceil, floor,
+		ctx, req.ProductName, LicenseClass(req.LicenseClass), ceil, floor,
 	)
 	if err != nil {
 		return nil, err
diff --git a/tools/pipeline/internal/pkg/releases/list_versions_cadence_test.go b/tools/pipeline/internal/pkg/releases/list_versions_cadence_test.go
new file mode 100644
index 0000000000..be4100c972
--- /dev/null
+++ b/tools/pipeline/internal/pkg/releases/list_versions_cadence_test.go
@@ -0,0 +1,420 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package releases
+
+import (
+	"testing"
+
+	"github.com/Masterminds/semver"
+	"github.com/stretchr/testify/require"
+)
+
+//	TestListVersionsReq_calculateMinorCadenceFloor tests calculating the floor
+//
+// when given a version and nminus with a minor cadence.
+func TestListVersionsReq_calculateMinorCadenceFloor(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		upperBound string
+		nminus     uint
+		floor      string
+		shouldFail bool
+	}{
+		"basic minor cadence": {
+			upperBound: "1.20.5",
+			nminus:     3,
+			floor:      "1.17.0",
+		},
+		"minor cadence with patch version": {
+			upperBound: "1.18.3",
+			nminus:     2,
+			floor:      "1.16.0",
+		},
+		"minor cadence nminus 1": {
+			upperBound: "1.15.0",
+			nminus:     1,
+			floor:      "1.14.0",
+		},
+		"minor cadence cannot negatively traverse past zero": {
+			upperBound: "1.2.0",
+			nminus:     5,
+			shouldFail: true,
+		},
+		"nminus equals minor version": {
+			upperBound: "1.3.0",
+			nminus:     3,
+			floor:      "1.0.0",
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			req := &ListVersionsReq{
+				UpperBound: test.upperBound,
+				NMinus:     test.nminus,
+				Cadence:    CadenceMinor,
+			}
+
+			ceil, err := semver.NewVersion(test.upperBound)
+			require.NoError(t, err)
+
+			floor, gotCeil, err := req.calculateMinorCadenceFloor(ceil)
+
+			if test.shouldFail {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, test.floor, floor.String())
+			require.Equal(t, ceil, gotCeil)
+		})
+	}
+}
+
+// TestListVersionsReq_calculateMajorCadenceFloor tests calculating the floor
+// when given a version and nminus with a major cadence.
+func TestListVersionsReq_calculateMajorCadenceFloor(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		upperBound string
+		nminus     uint
+		floor      string
+		shouldFail bool
+	}{
+		"basic major cadence": {
+			upperBound: "5.1.3",
+			nminus:     3,
+			floor:      "2.0.0",
+		},
+		"major cadence with minor and patch": {
+			upperBound: "10.5.2",
+			nminus:     2,
+			floor:      "8.0.0",
+		},
+		"major cadence nminus 1": {
+			upperBound: "7.0.0",
+			nminus:     1,
+			floor:      "6.0.0",
+		},
+		"major cadence cannot negatively traverse past zero": {
+			upperBound: "2.0.0",
+			nminus:     5,
+			shouldFail: true,
+		},
+		"nminus equals major version": {
+			upperBound: "3.0.0",
+			nminus:     3,
+			floor:      "0.0.0",
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			req := &ListVersionsReq{
+				UpperBound: test.upperBound,
+				NMinus:     test.nminus,
+				Cadence:    CadenceMajor,
+			}
+
+			ceil, err := semver.NewVersion(test.upperBound)
+			require.NoError(t, err)
+
+			floor, gotCeil, err := req.calculateMajorCadenceFloor(ceil)
+
+			if test.shouldFail {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, test.floor, floor.String())
+			require.Equal(t, ceil, gotCeil)
+		})
+	}
+}
+
+// TestListVersionsReq_calculateMajorCadenceFloor tests calculating the floor
+// when given a version and nminus with a cadence transition.
+func TestListVersionsReq_calculateFloorWithTransition(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		upperBound        string
+		transitionVersion string
+		nminus            uint
+		cadence           VersionCadence
+		priorCadence      VersionCadence
+		floor             string
+		shouldFail        bool
+	}{
+		"minor to major transition - basic": {
+			upperBound:        "3.0.0",
+			transitionVersion: "1.22.0",
+			nminus:            3,
+			cadence:           CadenceMajor,
+			priorCadence:      CadenceMinor,
+			floor:             "1.21.0",
+		},
+		"minor to major transition - all in major": {
+			upperBound:        "10.0.0",
+			transitionVersion: "1.22.0",
+			nminus:            3,
+			cadence:           CadenceMajor,
+			priorCadence:      CadenceMinor,
+			floor:             "7.0.0",
+		},
+		"minor to major transition - split evenly": {
+			upperBound:        "3.0.0",
+			transitionVersion: "1.21.0",
+			nminus:            4,
+			cadence:           CadenceMajor,
+			priorCadence:      CadenceMinor,
+			floor:             "1.19.0",
+		},
+		"impossible major to minor transition": {
+			upperBound:        "1.20.0",
+			transitionVersion: "5.0.0",
+			nminus:            3,
+			cadence:           CadenceMinor,
+			priorCadence:      CadenceMajor,
+			shouldFail:        true,
+		},
+		"major to minor transition - all in major": {
+			upperBound:        "5.2.0",
+			transitionVersion: "5.0.0",
+			nminus:            3,
+			cadence:           CadenceMinor,
+			priorCadence:      CadenceMajor,
+			floor:             "4.0.0",
+		},
+		"minor to major transition - upper bound in prior cadence": {
+			upperBound:        "1.20.0",
+			transitionVersion: "3.0.0",
+			nminus:            3,
+			cadence:           CadenceMajor,
+			priorCadence:      CadenceMinor,
+			floor:             "1.17.0",
+		},
+		"invalid transition - cannot transition to the same cadence": {
+			upperBound:        "3.0.0",
+			transitionVersion: "1.22.0",
+			nminus:            3,
+			cadence:           CadenceMinor,
+			priorCadence:      CadenceMinor,
+			shouldFail:        true,
+		},
+		"impossible nminus in transition cadence": {
+			upperBound:        "3.0.0",
+			transitionVersion: "1.1.0",
+			nminus:            5,
+			cadence:           CadenceMajor,
+			priorCadence:      CadenceMinor,
+			shouldFail:        true,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			req := &ListVersionsReq{
+				UpperBound:        test.upperBound,
+				TransitionVersion: test.transitionVersion,
+				NMinus:            test.nminus,
+				Cadence:           test.cadence,
+				PriorCadence:      test.priorCadence,
+			}
+
+			ceil, err := semver.NewVersion(test.upperBound)
+			require.NoError(t, err)
+
+			floor, gotCeil, err := req.calculateFloorWithTransition(ceil)
+
+			if test.shouldFail {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, test.floor, floor.String())
+			require.Equal(t, ceil, gotCeil)
+		})
+	}
+}
+
+// TestListVersionsReq_calculateFloor tests the outer floor calculation func.
+func TestListVersionsReq_calculateFloor(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		upperBound string
+		nminus     uint
+		cadence    VersionCadence
+		floor      string
+		shouldFail bool
+	}{
+		"default to minor cadence when not specified": {
+			upperBound: "1.20.0",
+			nminus:     3,
+			cadence:    "",
+			floor:      "1.17.0",
+		},
+		"explicit minor cadence": {
+			upperBound: "1.20.0",
+			nminus:     3,
+			cadence:    CadenceMinor,
+			floor:      "1.17.0",
+		},
+		"explicit major cadence": {
+			upperBound: "5.0.0",
+			nminus:     3,
+			cadence:    CadenceMajor,
+			floor:      "2.0.0",
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			req := &ListVersionsReq{
+				UpperBound: test.upperBound,
+				NMinus:     test.nminus,
+				Cadence:    test.cadence,
+			}
+
+			ceil, err := semver.NewVersion(test.upperBound)
+			require.NoError(t, err)
+
+			floor, gotCeil, err := req.calculateFloor(ceil)
+
+			if test.shouldFail {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, test.floor, floor.String())
+			require.Equal(t, ceil, gotCeil)
+		})
+	}
+}
+
+// TestListVersionsReq_Validate_Cadence tests the request validation.
+func TestListVersionsReq_Validate_Cadence(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		req        *ListVersionsReq
+		shouldFail bool
+	}{
+		"valid minor cadence": {
+			req: &ListVersionsReq{
+				UpperBound:    "1.20.0",
+				NMinus:        3,
+				LicenseClass:  "oss",
+				Cadence:       CadenceMinor,
+				VersionLister: NewMockClient([]string{}),
+			},
+		},
+		"valid major cadence": {
+			req: &ListVersionsReq{
+				UpperBound:    "5.0.0",
+				NMinus:        3,
+				LicenseClass:  "oss",
+				Cadence:       CadenceMajor,
+				VersionLister: NewMockClient([]string{}),
+			},
+		},
+		"invalid cadence value": {
+			req: &ListVersionsReq{
+				UpperBound:    "1.20.0",
+				NMinus:        3,
+				LicenseClass:  "oss",
+				Cadence:       "invalid",
+				VersionLister: NewMockClient([]string{}),
+			},
+			shouldFail: true,
+		},
+		"valid transition with both cadences": {
+			req: &ListVersionsReq{
+				UpperBound:        "3.0.0",
+				NMinus:            3,
+				LicenseClass:      "oss",
+				Cadence:           CadenceMajor,
+				TransitionVersion: "1.22.0",
+				PriorCadence:      CadenceMinor,
+				VersionLister:     NewMockClient([]string{}),
+			},
+		},
+		"transition version without transition cadence": {
+			req: &ListVersionsReq{
+				UpperBound:        "3.0.0",
+				NMinus:            3,
+				LicenseClass:      "oss",
+				Cadence:           CadenceMajor,
+				TransitionVersion: "1.22.0",
+				VersionLister:     NewMockClient([]string{}),
+			},
+			shouldFail: true,
+		},
+		"transition cadence without transition version": {
+			req: &ListVersionsReq{
+				UpperBound:    "3.0.0",
+				NMinus:        3,
+				LicenseClass:  "oss",
+				Cadence:       CadenceMajor,
+				PriorCadence:  CadenceMinor,
+				VersionLister: NewMockClient([]string{}),
+			},
+			shouldFail: true,
+		},
+		"same cadence for current and transition": {
+			req: &ListVersionsReq{
+				UpperBound:        "3.0.0",
+				NMinus:            3,
+				LicenseClass:      "oss",
+				Cadence:           CadenceMinor,
+				TransitionVersion: "1.22.0",
+				PriorCadence:      CadenceMinor,
+				VersionLister:     NewMockClient([]string{}),
+			},
+			shouldFail: true,
+		},
+		"invalid transition version format": {
+			req: &ListVersionsReq{
+				UpperBound:        "3.0.0",
+				NMinus:            3,
+				LicenseClass:      "oss",
+				Cadence:           CadenceMajor,
+				TransitionVersion: "invalid",
+				PriorCadence:      CadenceMinor,
+				VersionLister:     NewMockClient([]string{}),
+			},
+			shouldFail: true,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			test.req.ProductName = "vault"
+			err := test.req.Validate(t.Context())
+
+			if test.shouldFail {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/tools/pipeline/internal/pkg/releases/list_versions_test.go b/tools/pipeline/internal/pkg/releases/list_versions_test.go
index cac3689dbc..1f1eb4efed 100644
--- a/tools/pipeline/internal/pkg/releases/list_versions_test.go
+++ b/tools/pipeline/internal/pkg/releases/list_versions_test.go
@@ -158,6 +158,7 @@ func Test_VersionReq_Run(t *testing.T) {
 	} {
 		t.Run(desc, func(t *testing.T) {
 			t.Parallel()
+			test.req.ProductName = "vault"
 			res, err := test.req.Run(context.Background())
 			if test.fail {
 				require.Error(t, err)
diff --git a/tools/semgrep/ci/fmt-printf.yml b/tools/semgrep/ci/fmt-printf.yml
index 2fe673f89e..a78ffc607f 100644
--- a/tools/semgrep/ci/fmt-printf.yml
+++ b/tools/semgrep/ci/fmt-printf.yml
@@ -15,5 +15,6 @@ rules:
         - "*_test.go"
         - "cmd/*.go"
         - "cmd/**/*.go"
+        - "tools/*/main.go"
         - sdk/database/dbplugin/server.go # effectively a cmd
         - sdk/database/dbplugin/v5/plugin_server.go # effectively a cmd
diff --git a/tools/testimagemaker/main.go b/tools/testimagemaker/main.go
new file mode 100644
index 0000000000..0aae487e01
--- /dev/null
+++ b/tools/testimagemaker/main.go
@@ -0,0 +1,42 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/hashicorp/vault/helper/testhelpers/testimages"
+)
+
+func main() {
+	var source, target, binary string
+	var hsm bool
+
+	flag.StringVar(&source, "source", "", "Source image name")
+	flag.StringVar(&target, "target", "", "Target image name")
+	flag.StringVar(&binary, "binary", "", "Binary path")
+	flag.BoolVar(&hsm, "hsm", false, "HSM style image")
+	flag.Parse()
+
+	if source == "" || target == "" || binary == "" {
+		fmt.Fprintf(os.Stderr, "Error: all of the flags -source, -target, and -binary are required\n\n")
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	var output []byte
+	var err error
+	if hsm {
+		output, err = testimages.CreateHSMDockerImage(source, target, binary)
+	} else {
+		output, err = testimages.CreateNonHSMDockerImage(source, target, binary)
+	}
+	fmt.Println(string(output))
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %s\n", err.Error())
+		os.Exit(1)
+	}
+}
diff --git a/ui/DEP_OVERRIDE_REPORT.md b/ui/DEP_OVERRIDE_REPORT.md
new file mode 100644
index 0000000000..4506b50abd
--- /dev/null
+++ b/ui/DEP_OVERRIDE_REPORT.md
@@ -0,0 +1,271 @@
+# 🛡️ PNPM Override Audit Report
+
+Generated on: 2026-03-19, 10:45:45 a.m.
+
+## `@babel/runtime`
+**Target Override:** `7.27.0`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 7.27.0.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `ember-cli-babel@7.26.11` | `7.12.18` |
+| `ember-cli-babel@8.2.0` | `7.12.18` |
+
+---
+## `@embroider/macros`
+**Target Override:** `1.15.0`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 1.15.0 without the override.
+
+---
+## `@messageformat/runtime`
+**Target Override:** `3.0.2`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 3.0.2 without the override.
+
+---
+## `ajv@6.12.6`
+**Target Override:** `6.14.0`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 6.14.0 without the override.
+
+---
+## `ajv@8.17.1`
+**Target Override:** `8.18.0`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 8.18.0 without the override.
+
+---
+## `ansi-html`
+**Target Override:** `0.0.8`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 0.0.8.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `broccoli-middleware@2.1.1` | `0.0.7` |
+| `broccoli@3.5.2` | `0.0.7` |
+
+---
+## `async`
+**Target Override:** `2.6.4`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 2.6.4.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `fireworm@0.7.2` | `0.2.10` |
+
+---
+## `braces`
+**Target Override:** `3.0.3`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 3.0.3.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `micromatch@3.1.10` | `2.3.2` |
+
+---
+## `eslint-utils`
+**Target Override:** `1.4.3`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 1.4.3 without the override.
+
+---
+## `express`
+**Target Override:** `4.22.1`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 4.22.1 without the override.
+
+---
+## `https-proxy-agent`
+**Target Override:** `2.2.4`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 2.2.4 without the override.
+
+---
+## `ini`
+**Target Override:** `1.3.8`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 1.3.8 without the override.
+
+---
+## `json5`
+**Target Override:** `1.0.2`
+
+❓ **UNKNOWN (Error)**
+
+> The script encountered an error resolving this package:
+> `Command failed: pnpm list "json5" --recursive --depth Infinity --json`
+
+---
+## `kind-of`
+**Target Override:** `6.0.3`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 6.0.3.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `has-values@1.0.0` | `4.0.0` |
+| `is-number@3.0.0` | `3.2.2` |
+| `object-copy@0.1.0` | `3.2.2` |
+| `snapdragon-util@3.0.1` | `3.2.2` |
+| `to-object-path@0.3.0` | `3.2.2` |
+
+---
+## `markdown-it`
+**Target Override:** `14.1.1`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 14.1.1.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `ember-cli@5.8.1` | `13.0.2` |
+| `markdown-it-terminal@0.4.0` | `13.0.2` |
+
+---
+## `micromatch`
+**Target Override:** `4.0.8`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 4.0.8.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `anymatch@2.0.0` | `3.1.10` |
+| `findup-sync@2.0.0` | `3.1.10` |
+| `sane@4.1.0` | `3.1.10` |
+
+---
+## `minimatch@<3.1.3`
+**Target Override:** `3.1.5`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 3.1.5 without the override.
+
+---
+## `minimatch@>=5.0.0 <5.1.7`
+**Target Override:** `5.1.9`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 5.1.9 without the override.
+
+---
+## `minimatch@>=7.0.0 <7.4.7`
+**Target Override:** `7.4.9`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 7.4.9 without the override.
+
+---
+## `minimatch@>=8.0.0 <8.0.5`
+**Target Override:** `8.0.7`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 8.0.7 without the override.
+
+---
+## `minimatch@>=9.0.0 <9.0.6`
+**Target Override:** `9.0.9`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 9.0.9 without the override.
+
+---
+## `prismjs`
+**Target Override:** `1.30.0`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 1.30.0 without the override.
+
+---
+## `qs`
+**Target Override:** `6.14.1`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 6.14.1.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `body-parser@1.20.3` | `6.13.0` |
+
+---
+## `rollup`
+**Target Override:** `2.80.0`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 2.80.0.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `@rollup/plugin-replace@2.3.0` | `1.32.1` |
+| `broccoli-rollup@4.0.0` | `1.32.1` |
+
+---
+## `serialize-javascript`
+**Target Override:** `3.1.0`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 3.1.0 without the override.
+
+---
+## `socket.io`
+**Target Override:** `4.8.1`
+
+✅ **SAFE TO REMOVE**
+
+> All packages naturally resolve to >= 4.8.1 without the override.
+
+---
+## `underscore`
+**Target Override:** `1.13.7`
+
+⚠️ **REQUIRED**
+
+> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= 1.13.7.
+
+| Parent Package | Naturally Resolved Version |
+| :--- | :--- |
+| `nomnom@1.8.1` | `1.6.0` |
+
+---
diff --git a/ui/README.md b/ui/README.md
index f60450218e..df2dfa2475 100644
--- a/ui/README.md
+++ b/ui/README.md
@@ -1,8 +1,5 @@
 **Table of Contents**
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
 - [Vault UI](#vault-ui)
   - [Ember CLI Version Upgrade Matrix](#ember-cli-version-upgrade-matrix)
   - [Prerequisites](#prerequisites)
@@ -18,8 +15,6 @@
     - [Contributing / Best Practices](#contributing--best-practices)
   - [Further Reading / Useful Links](#further-reading--useful-links)
 
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
 # Vault UI
 
 This README outlines the details of collaborating on this Ember application.
@@ -43,9 +38,8 @@ Respective versions for `ember-cli`, `ember-source` and `ember-data` for each ve
 You will need the following things properly installed on your computer.
 
 - [Git](https://git-scm.com/)
-- [Node.js](https://nodejs.org/)
+- [nvm](https://github.com/nvm-sh/nvm) to install and switch to the Node.js version mirrored in the repo root `.nvmrc` and `.node-version` files
 - [pnpm](https://pnpm.io/)
-- [Ember CLI](https://cli.emberjs.com/release/)
 - [Google Chrome](https://google.com/chrome/)
 
 ## Running a Vault Server
@@ -67,18 +61,22 @@ _All of the commands below assume you're in the `ui/` directory._
 > and enable live rebuilding of the application as you change the UI application code.
 > Visit your app at [http://localhost:4200](http://localhost:4200).
 
-1. Install dependencies:
+1. Use the mirrored Node.js version from the repo root:
+
+`nvm use`
+
+2. Install dependencies:
 
 `pnpm i`
 
-2. Run Vault UI and proxy back to a Vault server running on the default port, 8200:
+3. Run Vault UI and proxy back to a Vault server running on the default port, 8200:
 
 `pnpm start`
 
 > If your Vault server is running on a different port you can use the
 > long-form version of the npm script:
 
-`ember server --proxy=http://localhost:PORT`
+`pnpm exec ember server --proxy=http://localhost:PORT`
 
 ### Mirage
 
@@ -114,22 +112,22 @@ setting `VAULT_UI` environment variable.
 | `pnpm start`                                      | start the app with live reloading (vault must be running on port :8200) |
 | `export MIRAGE_DEV_HANDLER=<handler>; pnpm start` | start the app with the mocked mirage backend, with handler provided     |
 | `make static-dist && make dev-ui`                 | build a Vault binary with UI assets (run from root directory not `/ui`) |
-| `ember g component foo -ir core`                  | generate a component in the /addon engine                               |
+| `pnpm exec ember g component foo -ir core`        | generate a component in the /addon engine                               |
 | `pnpm test:filter`                                | run non-enterprise in the browser                                       |
 | `pnpm test:filter -f='<test name>'`               | run tests in the browser, filtering by test name                        |
 | `pnpm lint:js`                                    | lint javascript files                                                   |
 
 ### Code Generators
 
-Make use of the many generators for code, try `ember help generate` for more details. If you're using a component that can be widely-used, consider making it an `addon` component instead (see [this PR](https://github.com/hashicorp/vault/pull/6629) for more details)
+Make use of the many generators for code, try `pnpm exec ember help generate` for more details. If you're using a component that can be widely-used, consider making it an `addon` component instead (see [this PR](https://github.com/hashicorp/vault/pull/6629) for more details)
 
 eg. a reusable component named foo that you'd like in the core engine (read more about Ember engines [here](https://ember-engines.com/docs)).
 
-- `ember g component foo -ir core`
+- `pnpm exec ember g component foo -ir core`
 
 The above command creates a template-only component by default. If you'd like to add a backing class, add the `-gc` flag:
 
-- `ember g component foo -gc -ir core`
+- `pnpm exec ember g component foo -gc -ir core`
 
 ### Running Tests
 
diff --git a/ui/app/adapters/cluster.js b/ui/app/adapters/cluster.js
index 8578a1529a..01670f8672 100644
--- a/ui/app/adapters/cluster.js
+++ b/ui/app/adapters/cluster.js
@@ -193,10 +193,20 @@ export default ApplicationAdapter.extend({
       // progress the operation
       url += 'update';
     }
-    return this.ajax(url, verb, {
+
+    const ajaxOptions = {
       data,
       unauthenticated: true,
-    });
+    };
+
+    // If a token is provided, use it for authentication
+    if (options?.token) {
+      ajaxOptions.headers = {
+        'X-Vault-Token': options.token,
+      };
+    }
+
+    return this.ajax(url, verb, ajaxOptions);
   },
 
   replicationAction(action, replicationMode, clusterMode, data) {
diff --git a/ui/app/adapters/keymgmt/key.js b/ui/app/adapters/keymgmt/key.js
deleted file mode 100644
index d1765a158b..0000000000
--- a/ui/app/adapters/keymgmt/key.js
+++ /dev/null
@@ -1,179 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationAdapter from '../application';
-import { encodePath } from 'vault/utils/path-encoding-helpers';
-import ControlGroupError from '../../lib/control-group-error';
-import { service } from '@ember/service';
-
-function pickKeys(obj, picklist) {
-  const data = {};
-  Object.keys(obj).forEach((key) => {
-    if (picklist.indexOf(key) >= 0) {
-      data[key] = obj[key];
-    }
-  });
-  return data;
-}
-
-export default class KeymgmtKeyAdapter extends ApplicationAdapter {
-  @service store;
-  namespace = 'v1';
-
-  pathForType() {
-    // backend name prepended in buildURL method
-    return 'key';
-  }
-
-  buildURL(modelName, id, snapshot, requestType, query) {
-    let url = super.buildURL(...arguments);
-    if (snapshot) {
-      url = url.replace('key', `${snapshot.attr('backend')}/key`);
-    } else if (query) {
-      url = url.replace('key', `${query.backend}/key`);
-    }
-    return url;
-  }
-
-  url(backend, id, type) {
-    const url = `${this.buildURL()}/${backend}/key`;
-    if (id) {
-      if (type === 'ROTATE') {
-        return url + '/' + encodePath(id) + '/rotate';
-      } else if (type === 'PROVIDERS') {
-        return url + '/' + encodePath(id) + '/kms';
-      }
-      return url + '/' + encodePath(id);
-    }
-    return url;
-  }
-
-  _updateKey(backend, name, serialized) {
-    // Only these two attributes are allowed to be updated
-    const data = pickKeys(serialized, ['deletion_allowed', 'min_enabled_version']);
-    return this.ajax(this.url(backend, name), 'PUT', { data });
-  }
-
-  _createKey(backend, name, serialized) {
-    // Only type is allowed on create
-    const data = pickKeys(serialized, ['type']);
-    return this.ajax(this.url(backend, name), 'POST', { data });
-  }
-
-  async createRecord(store, type, snapshot) {
-    const data = store.serializerFor(type.modelName).serialize(snapshot);
-    const name = snapshot.attr('name');
-    const backend = snapshot.attr('backend');
-    // Keys must be created and then updated
-    await this._createKey(backend, name, data);
-    if (snapshot.attr('deletionAllowed')) {
-      try {
-        await this._updateKey(backend, name, data);
-      } catch {
-        throw new Error(`Key ${name} was created, but not all settings were saved`);
-      }
-    }
-    return {
-      data: {
-        ...data,
-        id: name,
-        backend,
-      },
-    };
-  }
-
-  updateRecord(store, type, snapshot) {
-    const data = store.serializerFor(type.modelName).serialize(snapshot);
-    const name = snapshot.attr('name');
-    const backend = snapshot.attr('backend');
-    return this._updateKey(backend, name, data);
-  }
-
-  distribute(backend, kms, key, data) {
-    return this.ajax(`${this.buildURL()}/${backend}/kms/${encodePath(kms)}/key/${encodePath(key)}`, 'PUT', {
-      data: { ...data },
-    });
-  }
-
-  async getProvider(backend, name) {
-    try {
-      const resp = await this.ajax(this.url(backend, name, 'PROVIDERS'), 'GET', {
-        data: {
-          list: true,
-        },
-      });
-      return resp.data.keys ? resp.data.keys[0] : null;
-    } catch (e) {
-      if (e.httpStatus === 404) {
-        // No results, not distributed yet
-        return null;
-      } else if (e.httpStatus === 403) {
-        return { permissionsError: true };
-      }
-      throw e;
-    }
-  }
-
-  getDistribution(backend, kms, key) {
-    const url = `${this.buildURL()}/${backend}/kms/${kms}/key/${key}`;
-    return this.ajax(url, 'GET')
-      .then((res) => {
-        return {
-          ...res.data,
-          purposeArray: res.data.purpose.split(','),
-        };
-      })
-      .catch((e) => {
-        if (e instanceof ControlGroupError) {
-          throw e;
-        }
-        return null;
-      });
-  }
-
-  async queryRecord(store, type, query) {
-    const { id, backend, recordOnly = false } = query;
-    const keyData = await this.ajax(this.url(backend, id), 'GET');
-    keyData.data.id = id;
-    keyData.data.backend = backend;
-    let provider, distribution;
-    if (!recordOnly) {
-      provider = await this.getProvider(backend, id);
-      if (provider && !provider.permissionsError) {
-        distribution = await this.getDistribution(backend, provider, id);
-      }
-    }
-    return { ...keyData, provider, distribution };
-  }
-
-  async query(store, type, query) {
-    const { backend, provider } = query;
-    const providerAdapter = store.adapterFor('keymgmt/provider');
-    const url = provider ? providerAdapter.buildKeysURL(query) : this.url(backend);
-
-    return this.ajax(url, 'GET', {
-      data: {
-        list: true,
-      },
-    }).then((res) => {
-      res.backend = backend;
-      return res;
-    });
-  }
-
-  async rotateKey(backend, id) {
-    const keyModel = this.store.peekRecord('keymgmt/key', id);
-    const result = await this.ajax(this.url(backend, id, 'ROTATE'), 'PUT');
-    await keyModel.reload();
-    return result;
-  }
-
-  removeFromProvider(model) {
-    const url = `${this.buildURL()}/${model.backend}/kms/${model.provider}/key/${model.name}`;
-    return this.ajax(url, 'DELETE').then(() => {
-      model.provider = null;
-    });
-  }
-}
diff --git a/ui/app/adapters/keymgmt/provider.js b/ui/app/adapters/keymgmt/provider.js
deleted file mode 100644
index 4112309c9a..0000000000
--- a/ui/app/adapters/keymgmt/provider.js
+++ /dev/null
@@ -1,70 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationAdapter from '../application';
-import { all } from 'rsvp';
-
-export default class KeymgmtKeyAdapter extends ApplicationAdapter {
-  namespace = 'v1';
-  listPayload = { data: { list: true } };
-
-  pathForType() {
-    // backend name prepended in buildURL method
-    return 'kms';
-  }
-  buildURL(modelName, id, snapshot, requestType, query) {
-    let url = super.buildURL(...arguments);
-    if (snapshot) {
-      url = url.replace('kms', `${snapshot.attr('backend')}/kms`);
-    } else if (query) {
-      url = url.replace('kms', `${query.backend}/kms`);
-    }
-    return url;
-  }
-  buildKeysURL(query) {
-    const url = this.buildURL('keymgmt/provider', null, null, 'query', query);
-    return `${url}/${query.provider}/key`;
-  }
-  async createRecord(store, { modelName }, snapshot) {
-    // create uses PUT instead of POST
-    const data = store.serializerFor(modelName).serialize(snapshot);
-    const url = this.buildURL(modelName, snapshot.attr('name'), snapshot, 'updateRecord');
-    return this.ajax(url, 'PUT', { data }).then(() => data);
-  }
-  findRecord(store, type, name) {
-    return super.findRecord(...arguments).then((resp) => {
-      resp.data = { ...resp.data, name };
-      return resp;
-    });
-  }
-  async query(store, type, query) {
-    const { backend } = query;
-    const url = this.buildURL(type.modelName, null, null, 'query', query);
-    return this.ajax(url, 'GET', this.listPayload).then(async (resp) => {
-      // additional data is needed to fullfil the list view requirements
-      // pull in full record for listed items
-      const records = await all(
-        resp.data.keys.map((name) => this.findRecord(store, type, name, this._mockSnapshot(query.backend)))
-      );
-      resp.data.keys = records.map((record) => record.data);
-      resp.backend = backend;
-      return resp;
-    });
-  }
-  async queryRecord(store, type, query) {
-    return this.findRecord(store, type, query.id, this._mockSnapshot(query.backend));
-  }
-
-  // when using find in query or queryRecord overrides snapshot is not available
-  // ultimately buildURL requires the snapshot to pull the backend name for the dynamic segment
-  // since we have the backend value from the query generate a mock snapshot
-  _mockSnapshot(backend) {
-    return {
-      attr(prop) {
-        return prop === 'backend' ? backend : null;
-      },
-    };
-  }
-}
diff --git a/ui/app/adapters/oidc/client.js b/ui/app/adapters/oidc/client.js
deleted file mode 100644
index 75a2aaa929..0000000000
--- a/ui/app/adapters/oidc/client.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import NamedPathAdapter from '../named-path';
-
-export default class OidcClientAdapter extends NamedPathAdapter {
-  pathForType() {
-    return 'identity/oidc/client';
-  }
-}
diff --git a/ui/app/adapters/oidc/provider.js b/ui/app/adapters/oidc/provider.js
deleted file mode 100644
index 85820b9396..0000000000
--- a/ui/app/adapters/oidc/provider.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import NamedPathAdapter from '../named-path';
-
-export default class OidcProviderAdapter extends NamedPathAdapter {
-  pathForType() {
-    return 'identity/oidc/provider';
-  }
-}
diff --git a/ui/app/adapters/oidc/scope.js b/ui/app/adapters/oidc/scope.js
deleted file mode 100644
index fd9960c288..0000000000
--- a/ui/app/adapters/oidc/scope.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import NamedPathAdapter from '../named-path';
-
-export default class OidcScopeAdapter extends NamedPathAdapter {
-  pathForType() {
-    return 'identity/oidc/scope';
-  }
-}
diff --git a/ui/app/adapters/role-ssh.js b/ui/app/adapters/role-ssh.js
deleted file mode 100644
index 4fbd56590e..0000000000
--- a/ui/app/adapters/role-ssh.js
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { resolve, allSettled } from 'rsvp';
-import ApplicationAdapter from './application';
-import { encodePath } from 'vault/utils/path-encoding-helpers';
-
-export default ApplicationAdapter.extend({
-  namespace: 'v1',
-
-  createOrUpdate(store, type, snapshot, requestType) {
-    const { name, backend } = snapshot.record;
-    const serializer = store.serializerFor(type.modelName);
-    const data = serializer.serialize(snapshot, requestType);
-    const url = this.urlForRole(backend, name);
-
-    return this.ajax(url, 'POST', { data }).then((resp) => {
-      // Ember data doesn't like 204 responses except for DELETE method
-      const response = resp || { data: {} };
-      response.data.name = name;
-      return response;
-    });
-  },
-
-  createRecord() {
-    return this.createOrUpdate(...arguments);
-  },
-
-  updateRecord() {
-    return this.createOrUpdate(...arguments, 'update');
-  },
-
-  deleteRecord(store, type, snapshot) {
-    const { id } = snapshot;
-    return this.ajax(this.urlForRole(snapshot.record.backend, id), 'DELETE');
-  },
-
-  pathForType() {
-    return 'roles';
-  },
-
-  urlForRole(backend, id) {
-    let url = `${this.buildURL()}/${encodePath(backend)}/roles`;
-    if (id) {
-      url = url + '/' + encodePath(id);
-    }
-    return url;
-  },
-
-  optionsForQuery(id) {
-    const data = {};
-    if (!id) {
-      data['list'] = true;
-    }
-    return { data };
-  },
-
-  fetchByQuery(store, query) {
-    const { id, backend } = query;
-    let zeroAddressAjax = resolve();
-    const queryAjax = this.ajax(this.urlForRole(backend, id), 'GET', this.optionsForQuery(id));
-    if (!id) {
-      zeroAddressAjax = this.findAllZeroAddress(store, query);
-    }
-
-    return allSettled([queryAjax, zeroAddressAjax]).then((results) => {
-      // query result 404d, so throw the adapterError
-      if (!results[0].value) {
-        throw results[0].reason;
-      }
-      const resp = {
-        id,
-        name: id,
-        backend,
-        data: {},
-      };
-
-      results.forEach((result) => {
-        if (result.value) {
-          if (result.value.data.roles) {
-            resp.data = { ...resp.data, zero_address_roles: result.value.data.roles };
-          } else {
-            resp.data = { ...resp.data, ...result.value.data };
-          }
-        }
-      });
-      return resp;
-    });
-  },
-
-  findAllZeroAddress(store, query) {
-    const { backend } = query;
-    const url = `/v1/${encodePath(backend)}/config/zeroaddress`;
-    return this.ajax(url, 'GET');
-  },
-
-  query(store, type, query) {
-    return this.fetchByQuery(store, query);
-  },
-
-  queryRecord(store, type, query) {
-    return this.fetchByQuery(store, query);
-  },
-});
diff --git a/ui/app/adapters/secret-engine.js b/ui/app/adapters/secret-engine.js
index 174a507d89..eb66a5959f 100644
--- a/ui/app/adapters/secret-engine.js
+++ b/ui/app/adapters/secret-engine.js
@@ -99,19 +99,4 @@ export default ApplicationAdapter.extend({
       return this.ajax(`/v1/${path}/${apiPath}`, options.isDelete ? 'DELETE' : 'POST', { data });
     }
   },
-
-  saveZeroAddressConfig(store, type, snapshot) {
-    const path = encodePath(snapshot.id);
-    const roles = store
-      .peekAll('role-ssh')
-      .filter((role) => role.zeroAddress)
-      .map((role) => role.id)
-      .join(',');
-    const url = `/v1/${path}/config/zeroaddress`;
-    const data = { roles };
-    if (roles === '') {
-      return this.ajax(url, 'DELETE');
-    }
-    return this.ajax(url, 'POST', { data });
-  },
 });
diff --git a/ui/app/adapters/ssh-otp-credential.js b/ui/app/adapters/ssh-otp-credential.js
deleted file mode 100644
index 8f7a862d2c..0000000000
--- a/ui/app/adapters/ssh-otp-credential.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import SSHAdapter from './ssh';
-
-export default SSHAdapter.extend({
-  url(role) {
-    return `/v1/${role.backend}/creds/${role.name}`;
-  },
-});
diff --git a/ui/app/adapters/ssh-sign.js b/ui/app/adapters/ssh-sign.js
deleted file mode 100644
index 35522e7081..0000000000
--- a/ui/app/adapters/ssh-sign.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import SSHAdapter from './ssh';
-
-export default SSHAdapter.extend({
-  url(role) {
-    return `/v1/${role.backend}/sign/${role.name}`;
-  },
-});
diff --git a/ui/app/adapters/ssh.js b/ui/app/adapters/ssh.js
deleted file mode 100644
index 413b752fa7..0000000000
--- a/ui/app/adapters/ssh.js
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { assert } from '@ember/debug';
-import ApplicationAdapter from './application';
-
-export default ApplicationAdapter.extend({
-  namespace: 'v1',
-
-  url(/*role*/) {
-    assert('Override the `url` method to extend the SSH adapter', false);
-  },
-
-  createRecord(store, type, snapshot, requestType) {
-    const serializer = store.serializerFor(type.modelName);
-    const data = serializer.serialize(snapshot, requestType);
-    const role = snapshot.attr('role');
-
-    return this.ajax(this.url(role), 'POST', { data }).then((response) => {
-      response.id = snapshot.id;
-      response.modelName = type.modelName;
-      store.pushPayload(type.modelName, response);
-    });
-  },
-});
diff --git a/ui/app/adapters/totp-key.js b/ui/app/adapters/totp-key.js
deleted file mode 100644
index c746b953b1..0000000000
--- a/ui/app/adapters/totp-key.js
+++ /dev/null
@@ -1,65 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationAdapter from './application';
-import { encodePath } from 'vault/utils/path-encoding-helpers';
-import { isEmpty } from '@ember/utils';
-
-export default class TotpKeyAdapter extends ApplicationAdapter {
-  namespace = 'v1';
-
-  // TOTP keys can only be created, so no need for an update method
-  createRecord(store, type, snapshot) {
-    const { name, backend } = snapshot.record;
-    const serializer = store.serializerFor(type.modelName);
-    const data = serializer.serialize(snapshot);
-    const url = this.urlForKey(backend, name);
-
-    return this.ajax(url, 'POST', { data }).then((resp) => {
-      // Ember data doesn't like 204 responses except for DELETE method
-      const response = resp || { data: {} };
-      response.data.id = name;
-      return response;
-    });
-  }
-
-  deleteRecord(store, type, snapshot) {
-    const { id } = snapshot;
-    return this.ajax(this.urlForKey(snapshot.record.backend, id), 'DELETE');
-  }
-
-  urlForKey(backend, id) {
-    let url = `${this.buildURL()}/${encodePath(backend)}/keys`;
-
-    if (!isEmpty(id)) {
-      url = `${url}/${encodePath(id)}`;
-    }
-
-    return url;
-  }
-
-  query(store, type, query) {
-    const { backend } = query;
-    return this.ajax(this.urlForKey(backend), 'GET', { data: { list: true } }).then((resp) => {
-      resp.backend = backend;
-      return resp;
-    });
-  }
-
-  queryRecord(store, type, query) {
-    const { id, backend } = query;
-    return this.ajax(this.urlForKey(backend, id), 'GET').then((resp) => {
-      resp.id = id;
-      resp.backend = backend;
-      return resp;
-    });
-  }
-
-  generateCode(backend, id) {
-    return this.ajax(`${this.buildURL()}/${encodePath(backend)}/code/${id}`, 'GET').then((res) => {
-      return res.data;
-    });
-  }
-}
diff --git a/ui/app/app.js b/ui/app/app.js
index d7a0c908f4..6364657d36 100644
--- a/ui/app/app.js
+++ b/ui/app/app.js
@@ -47,6 +47,7 @@ export default class App extends Application {
     replication: {
       dependencies: {
         services: [
+          'api',
           'auth',
           'capabilities',
           'flash-messages',
diff --git a/ui/app/components/alphabet-edit.hbs b/ui/app/components/alphabet-edit.hbs
index 4bab79d111..435e927f38 100644
--- a/ui/app/components/alphabet-edit.hbs
+++ b/ui/app/components/alphabet-edit.hbs
@@ -11,13 +11,13 @@
 {{#if (eq @mode "show")}}
   <Toolbar>
     <ToolbarActions>
-      {{#if @model.updatePath.canDelete}}
+      {{#if @capabilities.canDelete}}
         <Hds::Button @text="Delete alphabet" @color="secondary" class="toolbar-button" {{on "click" this.onDelete}} />
         <div class="toolbar-separator"></div>
       {{/if}}
-      {{#if @model.updatePath.canUpdate}}
+      {{#if @capabilities.canUpdate}}
         <ToolbarSecretLink
-          @secret={{concat @model.idPrefix @model.id}}
+          @secret={{concat "alphabet/" @form.data.name}}
           @mode="edit"
           data-test-edit-link={{true}}
           @replace={{true}}
@@ -34,27 +34,8 @@
     <div class="box is-sideless is-fullwidth is-marginless">
       <MessageError @errorMessage={{this.errorMessage}} />
       <NamespaceReminder @mode={{@mode}} @noun="transform alphabet" />
-      {{#each @model.attrs as |attr|}}
-        {{#if (and (eq attr.name "name") (eq @mode "edit"))}}
-          <label for={{attr.name}} class="is-label">
-            {{attr.options.label}}
-          </label>
-          {{#if attr.options.subText}}
-            <p class="sub-text">{{attr.options.subText}}</p>
-          {{/if}}
-          <input
-            data-test-input={{attr.name}}
-            id={{attr.name}}
-            autocomplete="off"
-            spellcheck="false"
-            value={{or (get @model attr.name) @model.id}}
-            readonly
-            class="field input is-readOnly"
-            type={{attr.type}}
-          />
-        {{else}}
-          <FormField data-test-field @attr={{attr}} @model={{@model}} />
-        {{/if}}
+      {{#each @form.formFields as |field|}}
+        <FormField data-test-field @attr={{field}} @model={{@form}} @mode={{@mode}} />
       {{/each}}
     </div>
     <div class="field is-grouped-split box is-fullwidth is-bottomless">
@@ -65,7 +46,7 @@
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.list-root"
-            @model={{@model.backend}}
+            @model={{@form.data.backend}}
             @query={{hash tab="alphabet"}}
           />
         {{else}}
@@ -73,8 +54,7 @@
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.show"
-            @models={{array @model.backend (concat "alphabet/" @model.id)}}
-            @query={{hash tab="alphabet"}}
+            @models={{array @form.data.backend (concat "alphabet/" @form.data.name)}}
           />
         {{/if}}
       </Hds::ButtonSet>
@@ -82,23 +62,22 @@
   </form>
 {{else}}
   <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-    {{#each @model.attrs as |attr|}}
-      {{#if (eq attr.type "object")}}
+    {{#each @form.formFields as |field|}}
+      {{#if (eq field.type "object")}}
         <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{stringify (get @model attr.name)}}
+          @label={{capitalize (or field.options.label (humanize (dasherize field.name)))}}
+          @value={{stringify (get @form.data field.name)}}
         />
-      {{else if (eq attr.type "array")}}
+      {{else if (eq field.type "array")}}
         <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get @model attr.name}}
-          @type={{attr.type}}
-          @isLink={{eq attr.name "transformations"}}
+          @label={{capitalize (or field.options.label (humanize (dasherize field.name)))}}
+          @value={{get @form.data field.name}}
+          @type={{field.type}}
         />
       {{else}}
         <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get @model attr.name}}
+          @label={{capitalize (or field.options.label (humanize (dasherize field.name)))}}
+          @value={{get @form.data field.name}}
         />
       {{/if}}
     {{/each}}
diff --git a/ui/app/components/alphabet-edit.js b/ui/app/components/alphabet-edit.js
index 3f8e9db83f..95fea0ffe6 100644
--- a/ui/app/components/alphabet-edit.js
+++ b/ui/app/components/alphabet-edit.js
@@ -7,7 +7,6 @@ import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
 import { action } from '@ember/object';
 import { service } from '@ember/service';
-import errorMessage from 'vault/utils/error-message';
 
 /**
  * @module AlphabetEdit
@@ -15,21 +14,23 @@ import errorMessage from 'vault/utils/error-message';
  *
  * @example
  * ```js
- *   <AlphabetEdit @model={{this.model}} @mode={{this.mode}} />
+ *   <AlphabetEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />
  * ```
- * @param {object} model - This is the transform alphabet model.
+ * @param {object} form - AlphabetForm instance with data and formFields.
+ * @param {object} capabilities - Object with canDelete, canUpdate, canRead capabilities.
  * @param {string} mode - Is either show, create or edit.
  */
 
 export default class AlphabetEditComponent extends Component {
   @service flashMessages;
   @service router;
+  @service api;
 
   @tracked errorMessage = '';
 
   get breadcrumbs() {
     // ideally this is created on the controller in the parent route but this is a generic route and adding breadcrumbs to the controller requires a larger refactor.
-    const { backend } = this.args.model;
+    const backend = this.args.form?.data?.backend;
     return [
       {
         label: backend,
@@ -47,48 +48,47 @@ export default class AlphabetEditComponent extends Component {
     } else if (this.args?.mode === 'edit') {
       return 'Edit Alphabet';
     } else {
-      return this.args?.model?.id;
+      return this.args?.form?.data?.name;
     }
   }
 
   transition(route = 'show') {
     this.errorMessage = '';
-    const { backend, id } = this.args.model;
+    const { backend, name } = this.args.form.data;
     if (route === 'list') {
       this.router.transitionTo('vault.cluster.secrets.backend.list-root', backend, {
         queryParams: { tab: 'alphabet' },
       });
       return;
     } else {
-      this.router.transitionTo('vault.cluster.secrets.backend.show', `alphabet/${id}`);
+      this.router.transitionTo('vault.cluster.secrets.backend.show', `alphabet/${name}`);
     }
   }
 
   @action async createOrUpdate(event) {
     event.preventDefault();
 
-    if (!this.args.model.hasDirtyAttributes) {
-      this.flashMessages.info('No changes detected.');
-      this.transition();
-      return;
-    }
+    const { name, alphabet, backend } = this.args.form.data;
 
     try {
-      await this.args.model.save();
+      await this.api.secrets.transformWriteAlphabet(name, backend, { alphabet });
       this.flashMessages.success('Alphabet saved.');
       this.transition();
     } catch (e) {
-      this.errorMessage = errorMessage(e);
+      const { message } = await this.api.parseError(e);
+      this.errorMessage = message;
     }
   }
 
   @action async onDelete() {
+    const { name, backend } = this.args.form.data;
     try {
-      await this.args.model.destroyRecord();
+      await this.api.secrets.transformDeleteAlphabet(name, backend);
       this.flashMessages.success('Alphabet deleted.');
       this.transition('list');
     } catch (e) {
-      this.errorMessage = errorMessage(e);
+      const { message } = await this.api.parseError(e);
+      this.errorMessage = message;
     }
   }
 }
diff --git a/ui/app/components/auth/form/cert.ts b/ui/app/components/auth/form/cert.ts
new file mode 100644
index 0000000000..02c82e12f2
--- /dev/null
+++ b/ui/app/components/auth/form/cert.ts
@@ -0,0 +1,42 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import AuthBase from './base';
+
+import type { CertLoginApiResponse } from 'vault/vault/auth/methods';
+
+/**
+ * @module Auth::Form::Cert
+ * see Auth::Base
+ * */
+
+export default class AuthFormCert extends AuthBase {
+  loginFields = [
+    {
+      name: 'name',
+      label: 'Role name',
+      helperText: 'Leave blank to match any certificate role.',
+    },
+  ];
+
+  async loginRequest(formData: { name: string; path: string }) {
+    const { path, name } = formData;
+
+    const { auth } = (await this.api.auth.certLogin(path, {
+      name,
+    })) as CertLoginApiResponse;
+
+    const { cert_name, common_name } = auth?.metadata || {};
+    const displayName =
+      cert_name && common_name ? `${cert_name}/${common_name}` : cert_name || common_name || '';
+
+    return this.normalizeAuthResponse(auth, {
+      authMountPath: path,
+      displayName,
+      token: auth.client_token,
+      ttl: auth.lease_duration,
+    });
+  }
+}
diff --git a/ui/app/components/billing/date-range.hbs b/ui/app/components/billing/date-range.hbs
new file mode 100644
index 0000000000..f1546521f7
--- /dev/null
+++ b/ui/app/components/billing/date-range.hbs
@@ -0,0 +1,40 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Hds::Layout::Flex class="has-top-margin-l" @align="center">
+  <Hds::Dropdown @isInline={{true}} as |D|>
+    <D.ToggleButton
+      @text="{{date-format this.selectedDate.month 'MMMM yyyy'}}"
+      @color="secondary"
+      data-test-dropdown="Date range"
+    />
+    {{#each this.dateDropdownOptions as |option|}}
+      <D.Checkmark
+        @selected={{eq option.value this.selectedDate.month}}
+        {{on "click" (fn this.updateSelectedDropdownOption option.value)}}
+        data-test-popup-menu={{option.value}}
+      >
+        {{option.label}}
+      </D.Checkmark>
+    {{/each}}
+  </Hds::Dropdown>
+  <Hds::Text::Body
+    @tag="p"
+    @size="200"
+    @color="foreground-primary"
+    class="has-left-margin-s"
+    data-test-text-body="Last updated date time"
+  >
+    {{#if @isSelectedDateInvalid}}
+      No data available.
+    {{else}}
+      {{#if @isCurrentMonth}}
+        Values update every 10 minutes.
+      {{/if}}
+      Last updated:
+      {{date-format @selectedDateOption.updated_at "MMMM d, yyyy, hh:mm:ss aaa" withTimeZone=true}}
+    {{/if}}
+  </Hds::Text::Body>
+</Hds::Layout::Flex>
\ No newline at end of file
diff --git a/ui/app/components/billing/date-range.ts b/ui/app/components/billing/date-range.ts
new file mode 100644
index 0000000000..457cfb0c79
--- /dev/null
+++ b/ui/app/components/billing/date-range.ts
@@ -0,0 +1,41 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { dateFormat } from 'core/helpers/date-format';
+
+import type { Month } from 'vault/vault/billing/overview';
+
+interface Args {
+  months: Month[];
+  onDateChange: (selectedMonth: Month | null | undefined) => void;
+  selectedDateOption: Month | null | undefined;
+}
+
+export default class BillingDateRange extends Component<Args> {
+  get selectedDate() {
+    return this.args.selectedDateOption;
+  }
+
+  get dateDropdownOptions() {
+    const options = [];
+
+    for (const option of this.args.months) {
+      const formattedDate = dateFormat([option.month, 'MMMM yyyy'], {});
+      options.push({ label: formattedDate, value: option.month });
+    }
+
+    return options;
+  }
+
+  @action
+  updateSelectedDropdownOption(dropdownOption: string) {
+    const selectedDateOption: Month | undefined = this.args.months.find(
+      (option) => option.month === dropdownOption
+    );
+    this.args.onDateChange(selectedDateOption);
+  }
+}
diff --git a/ui/app/components/billing/metric-card.hbs b/ui/app/components/billing/metric-card.hbs
new file mode 100644
index 0000000000..8642ada8af
--- /dev/null
+++ b/ui/app/components/billing/metric-card.hbs
@@ -0,0 +1,43 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Hds::Card::Container class="has-padding-m" @level="mid" @hasBorder={{true}} data-test-card-container={{@title}}>
+  <Hds::Text::Display @tag="h2" @size="300" @weight="medium" class="has-bottom-margin-xxs">
+    {{@title}}
+  </Hds::Text::Display>
+  <Hds::Text::Body @tag="p" @color="foreground-faint" class="has-bottom-margin-m">
+    {{this.description}}
+  </Hds::Text::Body>
+  <Hds::Layout::Flex @direction="row" @gap="16" @wrap="wrap">
+    <Hds::Layout::Flex::Item @basis="15%" @grow={{true}} @shrink={{true}}>
+      <Hds::Text::Display @tag="h3" @color="foreground-primary">
+        Total
+      </Hds::Text::Display>
+      <Hds::Text::Body @tag="p">{{or this.total "0"}}</Hds::Text::Body>
+    </Hds::Layout::Flex::Item>
+    {{#each-in @metrics as |metricKey metricValue|}}
+      {{#if (eq metricKey this.normalizedBillableMetrics.ID_TOKEN_UNITS_OIDC)}}
+        <Hds::Layout::Flex::Item @basis="20%" @grow={{true}} @shrink={{true}} data-test-metric-detail={{metricKey}} />
+      {{/if}}
+      {{#let (this.metricDetails metricKey) as |display|}}
+        <Hds::Layout::Flex::Item @basis="20%" @grow={{true}} @shrink={{true}} data-test-metric-detail={{metricKey}}>
+          {{#if display.tooltipText}}
+            <Hds::Text::Display @tag="h3" @color="foreground-primary">
+              {{display.label}}
+              <Hds::TooltipButton @text={{display.tooltipText}} aria-label={{display.label}}>
+                <Hds::Icon @name="info" />
+              </Hds::TooltipButton>
+            </Hds::Text::Display>
+          {{else}}
+            <Hds::Text::Display @tag="h3" @color="foreground-primary">
+              {{display.label}}
+            </Hds::Text::Display>
+          {{/if}}
+          <Hds::Text::Body @tag="p" data-test-metric-detail-value={{metricKey}}>{{or metricValue "0"}}</Hds::Text::Body>
+        </Hds::Layout::Flex::Item>
+      {{/let}}
+    {{/each-in}}
+  </Hds::Layout::Flex>
+</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/app/components/billing/metric-card.ts b/ui/app/components/billing/metric-card.ts
new file mode 100644
index 0000000000..62cdc7c995
--- /dev/null
+++ b/ui/app/components/billing/metric-card.ts
@@ -0,0 +1,102 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { toLabel } from 'core/helpers/to-label';
+import { calculateSum, toFixedDisplay } from 'vault/utils/chart-helpers';
+import { NormalizedBillingMetrics } from 'vault/utils/metrics-helpers';
+
+interface Args {
+  title: string;
+  metrics: Record<string, number>;
+}
+
+export default class MetricCard extends Component<Args> {
+  normalizedBillableMetrics = NormalizedBillingMetrics;
+
+  get total() {
+    const sums = Object.values(this.args.metrics).filter((metric) => metric !== undefined);
+    if (this.args.title === 'Credential units') {
+      const totalCredentialUnits = calculateSum(sums, 4);
+
+      if (typeof totalCredentialUnits === 'number') {
+        return toFixedDisplay(totalCredentialUnits, 4);
+      }
+
+      return totalCredentialUnits;
+    }
+
+    return calculateSum(sums);
+  }
+
+  get description() {
+    switch (this.args.title) {
+      case 'Secrets':
+        return 'Highest number of static secrets, static roles, and dynamic roles managed on the cluster during the month. Secrets replicated to this cluster are not counted.';
+      case 'Credential units':
+        return 'Certificates, tokens, and other credentials issued during the month, adjusted by their duration.';
+      case 'Data protection calls':
+        return 'Total number of data elements processed.';
+      case 'Managed keys':
+        return 'Highest number of cryptographic keys managed on the cluster during the month. Keys replicated to this cluster are not counted.';
+      default:
+        return '';
+    }
+  }
+
+  metricDetailsMap: Record<string, { label: string; tooltipText?: string }> = {
+    [NormalizedBillingMetrics.STATIC_SECRETS_KV]: {
+      label: 'KV Secrets',
+    },
+    [NormalizedBillingMetrics.DYNAMIC_ROLES_TOTAL]: {
+      label: 'Dynamic roles',
+      tooltipText: 'Highest number of dynamic roles for the month',
+    },
+    [NormalizedBillingMetrics.AUTO_ROTATED_ROLES_TOTAL]: {
+      label: 'Static roles',
+      tooltipText: 'Highest number of static roles for the month',
+    },
+    [NormalizedBillingMetrics.PKI_UNITS_TOTAL]: {
+      label: 'PKI units',
+      tooltipText: 'Total number of X.509 certificates issued, normalized by their duration.',
+    },
+    [NormalizedBillingMetrics.SSH_UNITS_OTP_UNITS]: {
+      label: 'SSH OTP units',
+      tooltipText:
+        'Total number of SSH one-time passwords issued, normalized by their duration. Each OTP is 0.0014 units.',
+    },
+    [NormalizedBillingMetrics.ID_TOKEN_UNITS_OIDC]: {
+      label: 'OIDC token units',
+      tooltipText: 'Total number of ID tokens issued, normalized by their duration.',
+    },
+    [NormalizedBillingMetrics.ID_TOKEN_UNITS_SPIFFE]: {
+      label: 'SPIFFE JWT units',
+      tooltipText: 'Total number of SPIFFE JWT tokens issued, normalized by their duration.',
+    },
+    [NormalizedBillingMetrics.SSH_UNITS_CERTIFICATE_UNITS]: {
+      label: 'SSH certificate units',
+      tooltipText: 'Total number of SSH certificates issued, normalized by their duration.',
+    },
+    [NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSIT]: {
+      label: 'Transit',
+    },
+    [NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSFORM]: {
+      label: 'Transform',
+    },
+    [NormalizedBillingMetrics.DATA_PROTECTION_CALLS_GCPKMS]: {
+      label: 'GCP KMS',
+    },
+    [NormalizedBillingMetrics.MANAGED_KEYS_TOTP]: {
+      label: 'TOTP',
+    },
+    [NormalizedBillingMetrics.MANAGED_KEYS_KMSE]: {
+      label: 'KMSE',
+    },
+  };
+
+  metricDetails = (key: string): { label: string; tooltipText?: string; count?: number } => {
+    return this.metricDetailsMap[key] || { label: toLabel([key]) };
+  };
+}
diff --git a/ui/app/components/billing/page/overview.hbs b/ui/app/components/billing/page/overview.hbs
new file mode 100644
index 0000000000..6142cd3bc0
--- /dev/null
+++ b/ui/app/components/billing/page/overview.hbs
@@ -0,0 +1,64 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Page::Header @title="Billing metrics">
+  <:breadcrumbs>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </:breadcrumbs>
+  <:description>
+    <Hds::Text::Body>
+      Data reflects usage across this Vault cluster. Billing metrics determine license utilization.
+    </Hds::Text::Body>
+  </:description>
+</Page::Header>
+
+<Billing::DateRange
+  @months={{this.months}}
+  @onDateChange={{this.onDateChange}}
+  @selectedDateOption={{this.selectedDate}}
+  @isSelectedDateInvalid={{this.isSelectedDateInvalid}}
+  @isCurrentMonth={{this.isCurrentMonth}}
+/>
+
+<Hds::Layout::Flex @direction="row" @gap="16" @wrap={{true}} class="has-top-margin-s">
+  <Hds::Layout::Flex::Item @basis="30%" @grow={{true}} @shrink={{true}}>
+    <Billing::SummaryCard @title="Summary" @normalizedMetricData={{this.normalizedMetricData}} />
+
+    <Hds::Card::Container class="has-padding-m has-top-margin-m" @level="mid" @hasBorder={{true}}>
+      <Hds::Text::Display @tag="h2" @size="400" @weight="medium" class="has-bottom-margin-m">
+        Resources
+      </Hds::Text::Display>
+      <Hds::Link::Standalone
+        @icon="docs-link"
+        @text="How are billing metrics calculated?"
+        @iconPosition="trailing"
+        @href={{doc-link "/vault/gui/billing-metrics"}}
+      />
+    </Hds::Card::Container>
+  </Hds::Layout::Flex::Item>
+
+  <Hds::Layout::Flex::Item @basis="60%" @grow={{true}} @shrink={{true}}>
+    <Hds::Layout::Flex
+      @direction="row"
+      @gap="16"
+      @wrap={{true}}
+      @align="center"
+      @justify="space-between"
+      class="has-bottom-margin-s"
+    >
+      <Hds::Text::Display @tag="h2" @weight="medium" @size="400">Details by metric</Hds::Text::Display>
+      <Hds::Link::Standalone
+        @icon="docs-link"
+        @text="Learn more about metrics"
+        @href={{doc-link "/vault/gui/billing-metrics"}}
+      />
+    </Hds::Layout::Flex>
+    <Hds::Layout::Flex @direction="column" @gap="16">
+      {{#each-in this.detailsByMetric as |cardTitle cardKey|}}
+        <Billing::MetricCard @title={{cardTitle}} @metrics={{this.metricsForCard cardKey}} />
+      {{/each-in}}
+    </Hds::Layout::Flex>
+  </Hds::Layout::Flex::Item>
+</Hds::Layout::Flex>
\ No newline at end of file
diff --git a/ui/app/components/billing/page/overview.ts b/ui/app/components/billing/page/overview.ts
new file mode 100644
index 0000000000..31676dac01
--- /dev/null
+++ b/ui/app/components/billing/page/overview.ts
@@ -0,0 +1,186 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
+import { action } from '@ember/object';
+import { service } from '@ember/service';
+import { normalizeMetricData, NormalizedBillingMetrics } from 'vault/utils/metrics-helpers';
+import { subMonths } from 'date-fns';
+import { formatInTimeZone } from 'date-fns-tz';
+
+import type ApiService from 'vault/services/api';
+import type { Month, NormalizedMetricsData } from 'vault/vault/billing/overview';
+import type { SystemReadBillingOverviewResponse } from '@hashicorp/vault-client-typescript';
+
+const REFRESH_PERIOD_MS = 10 * 60 * 1000 + 30 * 1000; // 10 minutes 30 seconds
+export const INVALID_DATE_TIME = '0001-01-01T00:00:00Z';
+
+export default class BillingPageOverview extends Component {
+  @service declare readonly api: ApiService;
+
+  @tracked selectedDateOption: Month | null | undefined = null;
+  @tracked normalizedMetricData: NormalizedMetricsData | undefined = {};
+  @tracked months: Month[] = [];
+
+  /** Reference to the scheduled timer, used to cancel on cleanup. */
+  private _timer: ReturnType<typeof setTimeout> | null = null;
+
+  /** Milliseconds to wait between each poll. Updated dynamically based on API response. */
+  private _interval = 5000;
+
+  invalidDateTime = INVALID_DATE_TIME;
+
+  detailsByMetric = {
+    Secrets: [
+      NormalizedBillingMetrics.STATIC_SECRETS_KV,
+      NormalizedBillingMetrics.DYNAMIC_ROLES_TOTAL,
+      NormalizedBillingMetrics.AUTO_ROTATED_ROLES_TOTAL,
+    ],
+    'Credential units': [
+      NormalizedBillingMetrics.PKI_UNITS_TOTAL,
+      NormalizedBillingMetrics.SSH_UNITS_OTP_UNITS,
+      NormalizedBillingMetrics.SSH_UNITS_CERTIFICATE_UNITS,
+      NormalizedBillingMetrics.ID_TOKEN_UNITS_OIDC,
+      NormalizedBillingMetrics.ID_TOKEN_UNITS_SPIFFE,
+    ],
+    'Data protection calls': [
+      NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSFORM,
+      NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSIT,
+      NormalizedBillingMetrics.DATA_PROTECTION_CALLS_GCPKMS,
+    ],
+    'Managed keys': [NormalizedBillingMetrics.MANAGED_KEYS_TOTP, NormalizedBillingMetrics.MANAGED_KEYS_KMSE],
+  };
+
+  constructor(owner: unknown, args: object) {
+    super(owner, args);
+    this.initializeBillingMetrics();
+  }
+
+  get isCurrentMonth() {
+    if (!this.selectedDateOption?.month) return false;
+    const selectedDate = new Date(`${this.selectedDateOption.month}-01T00:00:00Z`);
+    const currentDate = new Date();
+
+    return (
+      selectedDate.getUTCFullYear() === currentDate.getUTCFullYear() &&
+      selectedDate.getUTCMonth() === currentDate.getUTCMonth()
+    );
+  }
+
+  get selectedDate() {
+    return this.selectedDateOption ?? this.months[0] ?? null;
+  }
+
+  get isSelectedDateInvalid() {
+    return this.selectedDate?.updated_at === this.invalidDateTime;
+  }
+
+  /**
+   * Calculates how long to wait before the next poll based on when the data was last updated.
+   * Waits until 10m30s after `updated_at`, so polls align with the server's refresh cadence.
+   */
+  calculatePollingInterval(updatedAt: string): number {
+    const msUntilRefresh = new Date(updatedAt).getTime() + REFRESH_PERIOD_MS - Date.now();
+    // If data is already stale, wait a full period rather than re-polling the api immediately.
+    return msUntilRefresh > 0 ? msUntilRefresh : REFRESH_PERIOD_MS;
+  }
+
+  fetchBillingMetrics = async () => {
+    const today = new Date();
+    const currentMonth = formatInTimeZone(today, 'UTC', 'yyyy-MM');
+    const previousMonth = formatInTimeZone(subMonths(today, 1), 'UTC', 'yyyy-MM');
+
+    const response: SystemReadBillingOverviewResponse | null | undefined =
+      await this.api.sys.systemReadBillingOverview(currentMonth, undefined, previousMonth);
+
+    this.months = (response?.months?.slice(0, 2) as Month[]) || [];
+    const updatedMonthFromSelectedMonth = this.months.find(
+      (month: Month) => month.month === this.selectedDateOption?.month
+    );
+    const updatedMonth: Month | undefined = updatedMonthFromSelectedMonth || this.months[0];
+
+    if (updatedMonth?.updated_at) {
+      this._interval = this.calculatePollingInterval(updatedMonth.updated_at);
+    }
+
+    this.selectedDateOption = updatedMonth ?? null;
+    this.normalizedMetricData = normalizeMetricData(updatedMonth);
+    return this.months;
+  };
+
+  async initializeBillingMetrics() {
+    await this.fetchBillingMetrics();
+    this.updatePollingState();
+  }
+
+  updatePollingState() {
+    if (this.isCurrentMonth) {
+      this.startPoll();
+    } else {
+      this.stopPoll();
+    }
+  }
+
+  /**
+   * Starts the polling loop and repeatedly invokes fetchBillingMetrics on each interval.
+   */
+  startPoll() {
+    if (this._timer) return;
+
+    const poll = async () => {
+      try {
+        await this.fetchBillingMetrics();
+      } catch (e) {
+        // Error fetching billing metrics
+      } finally {
+        // Schedule the next poll using the current interval value,
+        // which may have been updated by the callback.
+        this._timer = setTimeout(poll, this._interval);
+      }
+    };
+
+    this._timer = setTimeout(poll, this._interval);
+  }
+
+  /**
+   * Stops the polling loop and cancels any pending scheduled poll.
+   */
+  stopPoll() {
+    if (this._timer) {
+      clearTimeout(this._timer);
+      this._timer = null;
+    }
+  }
+
+  metricsForCard = (cardData: string[]) => {
+    const metrics: NormalizedMetricsData = {};
+    // Iterate over keys for that card's data
+    // so only relevant metrics are passed to each card
+    for (const key of cardData) {
+      metrics[key] = this.normalizedMetricData?.[key];
+    }
+
+    return metrics;
+  };
+
+  @action
+  async onDateChange(dropdownOption: Month | null | undefined) {
+    this.selectedDateOption = dropdownOption;
+    this.normalizedMetricData = normalizeMetricData(dropdownOption);
+
+    if (this.isCurrentMonth) {
+      this.stopPoll();
+      await this.fetchBillingMetrics();
+    }
+
+    this.updatePollingState();
+  }
+
+  willDestroy() {
+    super.willDestroy();
+    this.stopPoll();
+  }
+}
diff --git a/ui/app/components/billing/summary-card.hbs b/ui/app/components/billing/summary-card.hbs
new file mode 100644
index 0000000000..065582a48a
--- /dev/null
+++ b/ui/app/components/billing/summary-card.hbs
@@ -0,0 +1,43 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Hds::Card::Container class="has-padding-m" @level="mid" @hasBorder={{true}} data-test-card-container="Summary">
+  <Hds::Text::Display @tag="h2" @size="400" @weight="medium" class="has-bottom-margin-m">
+    {{@title}}
+  </Hds::Text::Display>
+  <Hds::Layout::Flex @direction="column" @gap="16">
+    {{#each this.summaryMetricKeys as |cardKey|}}
+      {{#let (this.summaryMetric cardKey) as |summaryInfo|}}
+        <Hds::Layout::Flex @direction="row" @gap="16" @alignItems="center">
+          <Hds::Layout::Flex::Item @basis="65%" @grow={{true}}>
+            {{#if summaryInfo.tooltipText}}
+              <Hds::Text::Display @size="200" @weight="semibold" @color="foreground-primary">
+                {{summaryInfo.label}}
+                <Hds::TooltipButton @text={{summaryInfo.tooltipText}} aria-label={{summaryInfo.label}}>
+                  <Hds::Icon @name="info" />
+                </Hds::TooltipButton>
+              </Hds::Text::Display>
+            {{else}}
+              <Hds::Text::Display @color="foreground-primary">
+                {{summaryInfo.label}}
+              </Hds::Text::Display>
+            {{/if}}
+          </Hds::Layout::Flex::Item>
+          <Hds::Layout::Flex::Item @basis="35%" @grow={{false}}>
+            {{#if summaryInfo.showBadge}}
+              <Hds::Badge
+                @text={{if summaryInfo.total "Enabled" "Not enabled"}}
+                @color={{if summaryInfo.total "success" "neutral"}}
+                @size="small"
+              />
+            {{else}}
+              <Hds::Text::Body>{{summaryInfo.total}}</Hds::Text::Body>
+            {{/if}}
+          </Hds::Layout::Flex::Item>
+        </Hds::Layout::Flex>
+      {{/let}}
+    {{/each}}
+  </Hds::Layout::Flex>
+</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/app/components/billing/summary-card.ts b/ui/app/components/billing/summary-card.ts
new file mode 100644
index 0000000000..fed7f086a7
--- /dev/null
+++ b/ui/app/components/billing/summary-card.ts
@@ -0,0 +1,73 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { toLabel } from 'core/helpers/to-label';
+import { NormalizedMetricsData } from 'vault/vault/billing/overview';
+import { NormalizedBillingMetrics } from 'vault/utils/metrics-helpers';
+import { toFixedDisplay } from 'vault/utils/chart-helpers';
+
+interface SummaryMetricInfo {
+  label: string;
+  tooltipText?: string;
+  count?: number;
+  showBadge?: boolean;
+  total?: number | string | boolean | undefined;
+}
+interface Args {
+  title: string;
+  metrics: Record<string, number>;
+  normalizedMetricData: NormalizedMetricsData;
+}
+
+export default class SummaryCard extends Component<Args> {
+  summaryMetricKeys = [
+    NormalizedBillingMetrics.STATIC_SECRETS_TOTAL,
+    NormalizedBillingMetrics.CREDENTIAL_UNITS_TOTAL,
+    NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TOTAL,
+    NormalizedBillingMetrics.MANAGED_KEYS_TOTAL,
+    NormalizedBillingMetrics.KMIP_USED_IN_MONTH,
+    NormalizedBillingMetrics.EXTERNAL_PLUGINS_TOTAL,
+  ];
+
+  summaryMetricMap: Record<string, SummaryMetricInfo> = {
+    [NormalizedBillingMetrics.STATIC_SECRETS_TOTAL]: {
+      label: 'Secrets',
+    },
+    [NormalizedBillingMetrics.CREDENTIAL_UNITS_TOTAL]: {
+      label: 'Credential units',
+    },
+    [NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TOTAL]: {
+      label: 'Data protection calls',
+    },
+    [NormalizedBillingMetrics.MANAGED_KEYS_TOTAL]: {
+      label: 'Managed keys',
+    },
+    [NormalizedBillingMetrics.KMIP_USED_IN_MONTH]: {
+      label: 'KMIP',
+      tooltipText: 'Whether KMIP was enabled on the cluster at any time during the month.',
+      showBadge: true,
+    },
+    [NormalizedBillingMetrics.EXTERNAL_PLUGINS_TOTAL]: {
+      label: 'Custom plugins',
+      tooltipText:
+        'Highest number of non-official plugins enabled on the cluster at any time during the month.',
+    },
+  };
+
+  summaryMetric = (key: string): SummaryMetricInfo => {
+    if (this.summaryMetricMap?.[key]) {
+      const value = this.args.normalizedMetricData[key];
+      // Format CREDENTIAL_UNITS_TOTAL with 4 decimal places to preserve trailing zeros
+      if (key === NormalizedBillingMetrics.CREDENTIAL_UNITS_TOTAL && typeof value === 'number') {
+        this.summaryMetricMap[key].total = toFixedDisplay(value, 4);
+      } else {
+        this.summaryMetricMap[key].total = value;
+      }
+    }
+
+    return this.summaryMetricMap[key] || { label: toLabel([key]) };
+  };
+}
diff --git a/ui/app/components/clients/charts/carbon-chart.hbs b/ui/app/components/clients/charts/carbon-chart.hbs
new file mode 100644
index 0000000000..08af4e8f0b
--- /dev/null
+++ b/ui/app/components/clients/charts/carbon-chart.hbs
@@ -0,0 +1,6 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<div data-carbon-chart ...attributes {{carbon-chart @chartData @chartOptions @chartType}}></div>
\ No newline at end of file
diff --git a/ui/app/components/clients/charts/vertical-bar-basic.hbs b/ui/app/components/clients/charts/vertical-bar-basic.hbs
deleted file mode 100644
index b0e59acf58..0000000000
--- a/ui/app/components/clients/charts/vertical-bar-basic.hbs
+++ /dev/null
@@ -1,113 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<div class="lineal-chart" data-test-chart={{or @chartTitle "vertical bar chart"}}>
-  <Lineal::Fluid as |width|>
-    {{#let
-      (scale-band domain=this.xDomain range=(array 0 width) padding=0.1)
-      (scale-linear range=(array this.chartHeight 0) domain=this.yDomain)
-      (scale-linear range=(array 0 this.chartHeight) domain=this.yDomain)
-      as |xScale yScale hScale|
-    }}
-      <svg width={{width}} height={{this.chartHeight}}>
-        <title>{{@chartTitle}}</title>
-
-        {{#if (and xScale.isValid yScale.isValid)}}
-          <Lineal::Axis
-            @scale={{yScale}}
-            @tickCount="4"
-            @tickPadding={{10}}
-            @tickSizeInner={{concat "-" width}}
-            @tickFormat={{this.formatTicksY}}
-            @orientation="left"
-            @includeDomain={{false}}
-            class="lineal-axis"
-            data-test-y-axis
-          />
-          <Lineal::Axis
-            @scale={{xScale}}
-            @orientation="bottom"
-            transform="translate(0,{{yScale.range.min}})"
-            @includeDomain={{false}}
-            @tickSize="0"
-            @tickPadding={{10}}
-            class="lineal-axis"
-            data-test-x-axis
-          />
-        {{/if}}
-        <Lineal::Bars
-          @data={{this.chartData}}
-          @x="x"
-          @y="y"
-          @height="y"
-          @width={{this.barWidth}}
-          @xScale={{xScale}}
-          @yScale={{yScale}}
-          @heightScale={{hScale}}
-          transform="translate({{this.barOffset xScale.bandwidth}},0)"
-          fill="transparent"
-          stroke="transparent"
-          class="lineal-chart-bar"
-          data-test-vertical-bar
-        />
-        {{#if (and xScale.isValid yScale.isValid)}}
-          {{#each this.chartData as |d|}}
-            <rect
-              role="button"
-              aria-label="Show exact counts for {{d.legendX}}"
-              x="0"
-              y="0"
-              height={{this.chartHeight}}
-              width={{xScale.bandwidth}}
-              fill="transparent"
-              stroke="transparent"
-              transform="translate({{xScale.compute d.x}})"
-              {{on "mouseover" (fn (mut this.activeDatum) d)}}
-              {{on "mouseout" (fn (mut this.activeDatum) null)}}
-              data-test-interactive-area={{d.x}}
-            />
-          {{/each}}
-        {{/if}}
-      </svg>
-      {{#if this.activeDatum}}
-        <div
-          class="chart-tooltip"
-          role="status"
-          {{style
-            --x=(this.tooltipX (xScale.compute this.activeDatum.x) xScale.bandwidth)
-            --y=(this.tooltipY (hScale.compute this.activeDatum.y))
-          }}
-        >
-          <div data-test-tooltip>
-            <p class="bold" data-test-tooltip-month>{{this.activeDatum.legendX}}</p>
-            <p data-test-tooltip-count>{{this.activeDatum.tooltip}}</p>
-          </div>
-          <div class="chart-tooltip-arrow"></div>
-        </div>
-      {{/if}}
-    {{/let}}
-  </Lineal::Fluid>
-</div>
-{{#if @showTable}}
-  <details data-test-underlying-data>
-    <summary>Underlying data</summary>
-    <Hds::Table @caption="Underlying data">
-      <:head as |H|>
-        <H.Tr>
-          <H.Th>Month</H.Th>
-          <H.Th>{{if @dataKey (humanize @dataKey)}} Count</H.Th>
-        </H.Tr>
-      </:head>
-      <:body as |B|>
-        {{#each this.chartData as |row|}}
-          <B.Tr>
-            <B.Td>{{row.legendX}}</B.Td>
-            <B.Td>{{row.legendY}}</B.Td>
-          </B.Tr>
-        {{/each}}
-      </:body>
-    </Hds::Table>
-  </details>
-{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/clients/charts/vertical-bar-basic.ts b/ui/app/components/clients/charts/vertical-bar-basic.ts
deleted file mode 100644
index dab1d18b5a..0000000000
--- a/ui/app/components/clients/charts/vertical-bar-basic.ts
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { tracked } from '@glimmer/tracking';
-import { BAR_WIDTH, numericalAxisLabel } from 'vault/utils/chart-helpers';
-import { formatNumber } from 'core/helpers/format-number';
-import { parseAPITimestamp } from 'core/utils/date-formatters';
-
-import type { MonthlyChartData } from 'vault/vault/client-counts/charts';
-import type { TotalClients } from 'vault/vault/client-counts/activity-api';
-
-interface Args {
-  data: MonthlyChartData[];
-  dataKey: string;
-  chartTitle: string;
-  chartHeight?: number;
-}
-
-interface ChartData {
-  x: string;
-  y: number | null;
-  tooltip: string;
-  legendX: string;
-  legendY: string;
-}
-
-/**
- * @module VerticalBarBasic
- * Renders a vertical bar chart of counts fora single data point (@dataKey) over time.
- *
- * @example
- <Clients::Charts::VerticalBarBasic
-    @chartTitle="Secret Sync client counts"
-    @data={{this.model}}
-    @dataKey="secret_syncs"
-    @showTable={{true}}
-    @chartHeight={{200}}
-  />
- */
-export default class VerticalBarBasic extends Component<Args> {
-  barWidth = BAR_WIDTH;
-
-  @tracked activeDatum: ChartData | null = null;
-
-  get chartHeight() {
-    return this.args.chartHeight || 190;
-  }
-
-  get chartData() {
-    return this.args.data.map((d): ChartData => {
-      const xValue = d.timestamp as string;
-      const yValue = (d[this.args.dataKey as keyof TotalClients] as number) ?? null;
-      return {
-        x: parseAPITimestamp(xValue, 'M/yy') as string,
-        y: yValue,
-        tooltip:
-          yValue === null ? 'No data' : `${formatNumber([yValue])} ${this.args.dataKey.replace(/_/g, ' ')}`,
-        legendX: parseAPITimestamp(xValue, 'MMMM yyyy') as string,
-        legendY: (yValue ?? 'No data').toString(),
-      };
-    });
-  }
-
-  get yDomain() {
-    const counts: number[] = this.chartData
-      .map((d) => d.y)
-      .flatMap((num) => (typeof num === 'number' ? [num] : []));
-    const max = Math.max(...counts);
-    // if max is <=4, hardcode 4 which is the y-axis tickCount so y-axes are not decimals
-    return [0, max <= 4 ? 4 : max];
-  }
-
-  get xDomain() {
-    const months = this.chartData.map((d) => d.x);
-    return new Set(months);
-  }
-
-  // TEMPLATE HELPERS
-  barOffset = (bandwidth: number) => {
-    return (bandwidth - this.barWidth) / 2;
-  };
-
-  tooltipX = (original: number, bandwidth: number) => {
-    return (original + bandwidth / 2).toString();
-  };
-
-  tooltipY = (original: number) => {
-    if (!original) return `0`;
-    return `${original}`;
-  };
-
-  formatTicksY = (num: number): string => {
-    return numericalAxisLabel(num) || num.toString();
-  };
-}
diff --git a/ui/app/components/clients/charts/vertical-bar-stacked.hbs b/ui/app/components/clients/charts/vertical-bar-stacked.hbs
deleted file mode 100644
index c1a3d9ab0a..0000000000
--- a/ui/app/components/clients/charts/vertical-bar-stacked.hbs
+++ /dev/null
@@ -1,123 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<div class="lineal-chart" data-test-chart={{or @chartTitle "stacked vertical bar chart"}}>
-  <Lineal::Fluid as |width|>
-    {{#let
-      (scale-band domain=this.xBounds range=(array 0 width) padding=0.1)
-      (scale-linear range=(array this.chartHeight 0) domain=this.yBounds)
-      (scale-linear range=(array 0 this.chartHeight) domain=this.yBounds)
-      as |xScale yScale hScale|
-    }}
-      <svg width={{width}} height={{this.chartHeight}}>
-        <title>{{@chartTitle}}</title>
-
-        {{#if (and xScale.isValid yScale.isValid)}}
-          <Lineal::Axis
-            @includeDomain={{false}}
-            @orientation="left"
-            @scale={{yScale}}
-            @tickCount="4"
-            @tickFormat={{this.formatTicksY}}
-            @tickPadding={{10}}
-            @tickSizeInner={{concat "-" width}}
-            class="lineal-axis"
-            data-test-y-axis
-          />
-          <Lineal::Axis
-            @includeDomain={{false}}
-            @orientation="bottom"
-            @scale={{xScale}}
-            @tickFormat={{this.formatTicksX}}
-            @tickPadding={{10}}
-            @tickSize="0"
-            class="lineal-axis"
-            transform="translate(0,{{yScale.range.min}})"
-            data-test-x-axis
-          />
-        {{/if}}
-
-        <Lineal::VBars
-          @data={{this.chartData}}
-          @x="timestamp"
-          @y="counts"
-          @width={{this.barWidth}}
-          @xScale={{xScale}}
-          @yScale={{yScale}}
-          @color="clientType"
-          @colorScale="stacked-bar"
-          transform="translate({{this.barOffset xScale.bandwidth}},0)"
-          data-test-vertical-bar
-        />
-
-        {{! TOOLTIP target rectangles }}
-        {{#if (and xScale.isValid yScale.isValid)}}
-          {{#each this.aggregatedData as |d|}}
-            <rect
-              role="button"
-              aria-label="Show exact counts for {{d.legendX}}"
-              x="0"
-              y="0"
-              height={{this.chartHeight}}
-              width={{xScale.bandwidth}}
-              fill="transparent"
-              stroke="transparent"
-              transform="translate({{xScale.compute d.x}})"
-              {{on "mouseover" (fn (mut this.activeDatum) d)}}
-              {{on "mouseout" (fn (mut this.activeDatum) null)}}
-              data-test-interactive-area={{d.x}}
-            />
-          {{/each}}
-        {{/if}}
-      </svg>
-
-      {{#if this.activeDatum}}
-        <div
-          class="chart-tooltip"
-          role="status"
-          {{style
-            --x=(this.tooltipX (xScale.compute this.activeDatum.x) xScale.bandwidth)
-            --y=(this.tooltipY (hScale.compute this.activeDatum.y))
-          }}
-        >
-          <div data-test-tooltip>
-            <p class="bold">{{this.activeDatum.legendX}}</p>
-            {{#each this.activeDatum.legendY as |stat|}}
-              <p>{{stat}}</p>
-            {{/each}}
-          </div>
-          <div class="chart-tooltip-arrow"></div>
-        </div>
-      {{/if}}
-
-    {{/let}}
-  </Lineal::Fluid>
-</div>
-
-{{#if @showTable}}
-  <details data-test-underlying-data>
-    <summary>{{@chartTitle}} data</summary>
-    <Hds::Table @caption="Underlying data">
-      <:head as |H|>
-        <H.Tr>
-          <H.Th>Timestamp</H.Th>
-          {{#each this.dataKeys as |key|}}
-            <H.Th>{{humanize key}}</H.Th>
-          {{/each}}
-        </H.Tr>
-      </:head>
-      <:body as |B|>
-        {{#each @data as |row|}}
-          <B.Tr>
-            <B.Td>{{row.timestamp}}</B.Td>
-            {{#each this.dataKeys as |key|}}
-              <B.Td>{{or (get row key) "-"}}</B.Td>
-            {{/each}}
-          </B.Tr>
-        {{/each}}
-      </:body>
-    </Hds::Table>
-  </details>
-{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/clients/charts/vertical-bar-stacked.ts b/ui/app/components/clients/charts/vertical-bar-stacked.ts
deleted file mode 100644
index 8c56776ebe..0000000000
--- a/ui/app/components/clients/charts/vertical-bar-stacked.ts
+++ /dev/null
@@ -1,143 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { tracked } from '@glimmer/tracking';
-import { BAR_WIDTH, numericalAxisLabel } from 'vault/utils/chart-helpers';
-import { formatNumber } from 'core/helpers/format-number';
-import { parseAPITimestamp } from 'core/utils/date-formatters';
-import { flatGroup } from 'd3-array';
-
-import type { MonthlyChartData } from 'vault/vault/client-counts/charts';
-import type { ClientTypes } from 'vault/vault/client-counts/activity-api';
-
-interface Args {
-  chartHeight?: number;
-  chartLegend: Legend[];
-  chartTitle: string;
-  data: MonthlyChartData[];
-}
-
-interface Legend {
-  key: ClientTypes;
-  label: string;
-}
-interface AggregatedDatum {
-  x: string;
-  y: number;
-  legendX: string;
-  legendY: string[];
-}
-
-interface DatumBase {
-  timestamp: string;
-  clientType: string;
-}
-// separated because "A mapped type may not declare properties or methods."
-type ChartDatum = DatumBase & {
-  [key in ClientTypes]?: number | undefined;
-};
-
-/**
- * @module VerticalBarStacked
- * Renders a stacked bar chart of counts for different client types over time. Which client types render
- * is mapped from the "key" values of the @legend arg
- *
- * @example
- * <Clients::Charts::VerticalBarStacked
- * @chartTitle="Total monthly usage"
- * @data={{this.byMonthClients}}
- * @chartLegend={{this.legend}}
- * @chartHeight={{250}}
- * />
- */
-export default class VerticalBarStacked extends Component<Args> {
-  barWidth = BAR_WIDTH;
-  @tracked activeDatum: AggregatedDatum | null = null;
-
-  get chartHeight() {
-    return this.args.chartHeight || 190;
-  }
-
-  get dataKeys(): ClientTypes[] {
-    return this.args.chartLegend.map((l: Legend) => l.key);
-  }
-
-  label(legendKey: string) {
-    return this.args.chartLegend.find((l: Legend) => l.key === legendKey)?.label;
-  }
-
-  get chartData() {
-    let dataset: [string, number | undefined, string, ChartDatum[]][] = [];
-    // each datum needs to be its own object
-    for (const key of this.dataKeys) {
-      const chartData: ChartDatum[] = this.args.data.map((d: MonthlyChartData) => ({
-        timestamp: d.timestamp,
-        clientType: key,
-        [key]: d[key],
-      }));
-
-      const group = flatGroup(
-        chartData,
-        // order here must match destructure order in return below
-        (d) => d.timestamp,
-        (d) => d[key],
-        (d) => d.clientType
-      );
-      dataset = [...dataset, ...group];
-    }
-
-    return dataset.map(([timestamp, counts, clientType]) => ({
-      timestamp, // x value
-      counts, // y value
-      clientType, // corresponds to chart's @color arg
-    }));
-  }
-
-  // for yBounds scale, tooltip target area and tooltip text data
-  get aggregatedData(): AggregatedDatum[] {
-    return this.args.data.map((datum: MonthlyChartData) => {
-      const values = this.dataKeys
-        .map((k: string) => datum[k as ClientTypes])
-        .filter((count) => Number.isInteger(count));
-      const sum = values.length ? values.reduce((sum, currentValue) => sum + currentValue, 0) : null;
-      const xValue = datum.timestamp;
-      return {
-        x: xValue,
-        y: sum ?? 0, // y-axis point where tooltip renders
-        legendX: parseAPITimestamp(xValue, 'MMMM yyyy') as string,
-        legendY:
-          sum === null
-            ? ['No data']
-            : this.dataKeys.map((k) => `${formatNumber([datum[k]])} ${this.label(k)}`),
-      };
-    });
-  }
-
-  get yBounds() {
-    const counts: number[] = this.aggregatedData
-      .map((d) => d.y)
-      .flatMap((num) => (typeof num === 'number' ? [num] : []));
-    const max = Math.max(...counts);
-    // if max is <=4, hardcode 4 which is the y-axis tickCount so y-axes are not decimals
-    return [0, max <= 4 ? 4 : max];
-  }
-
-  get xBounds() {
-    const domain = this.chartData.map((d) => d.timestamp);
-    return new Set(domain);
-  }
-
-  // TEMPLATE HELPERS
-  barOffset = (bandwidth: number) => (bandwidth - this.barWidth) / 2;
-
-  tooltipX = (original: number, bandwidth: number) => (original + bandwidth / 2).toString();
-
-  tooltipY = (original: number) => (!original ? '0' : `${original}`);
-
-  formatTicksX = (timestamp: string): string => parseAPITimestamp(timestamp, 'M/yy') as string;
-
-  formatTicksY = (num: number): string => numericalAxisLabel(num) || num.toString();
-}
diff --git a/ui/app/components/clients/date-range.hbs b/ui/app/components/clients/date-range.hbs
index 0699385039..2b2d67dae2 100644
--- a/ui/app/components/clients/date-range.hbs
+++ b/ui/app/components/clients/date-range.hbs
@@ -4,12 +4,9 @@
 }}
 
 <div ...attributes>
-  <div class="is-flex-column align-items-end">
+  <div class="is-flex-column">
     {{! Enterprise should always have a @billingStartTime but as a fallback allow the user to query dates manually }}
     {{#if (and @billingStartTime this.version.isEnterprise)}}
-      <Hds::Text::Display @tag="p" @size="100" class="has-bottom-margin-xs" data-test-text-display="change-billing-data">
-        {{if this.flags.isHvdManaged "Change data period" "Change billing period"}}
-      </Hds::Text::Display>
       <Hds::Dropdown class="has-left-margin-xs" as |D|>
         <D.ToggleButton @text={{this.formatDate @startTimestamp}} @color="secondary" data-test-date-range-edit />
         <D.Description @text="Current period" />
diff --git a/ui/app/components/clients/no-data.hbs b/ui/app/components/clients/no-data.hbs
index 1e71d4cf48..8d8ad8a588 100644
--- a/ui/app/components/clients/no-data.hbs
+++ b/ui/app/components/clients/no-data.hbs
@@ -4,7 +4,7 @@
 }}
 
 {{#if (or @config.reporting_enabled (eq @config.enabled "default-enabled") (eq @config.enabled "enable"))}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No data received" @titleTag="h2" />
     <A.Body
       data-test-empty-state-message
@@ -12,14 +12,14 @@
     />
   </Hds::ApplicationState>
 {{else if @config}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="Data tracking is disabled" @titleTag="h2" />
     <A.Body
       data-test-empty-state-message
       @text="Tracking is disabled, and no data is being collected. To turn it on, edit the configuration."
     />
     {{#if @canUpdate}}
-      <A.Footer as |F|>
+      <A.Footer data-test-empty-state-actions as |F|>
         <F.LinkStandalone
           @icon="chevron-right"
           @iconPosition="trailing"
@@ -31,7 +31,7 @@
     {{/if}}
   </Hds::ApplicationState>
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="Activity configuration data is unavailable" @titleTag="h2" />
     <A.Body
       data-test-empty-state-message
diff --git a/ui/app/components/clients/page-header.hbs b/ui/app/components/clients/page-header.hbs
index 33aa3284d4..bb938dbd86 100644
--- a/ui/app/components/clients/page-header.hbs
+++ b/ui/app/components/clients/page-header.hbs
@@ -9,21 +9,6 @@
       @breadcrumbs={{array (hash label="Vault" route="vault.cluster.dashboard" icon="vault") (hash label="Client usage")}}
     />
   </:breadcrumbs>
-  <:subtitle>
-    {{#if @activityTimestamp}}
-      Dashboard last updated:
-      {{date-format @activityTimestamp "MMM d yyyy, h:mm:ss aaa" withTimeZone=true}}
-      <Hds::Button
-        @color="tertiary"
-        @icon="reload"
-        @isIconOnly={{true}}
-        @size="small"
-        @text="Refresh page"
-        data-test-button="Refresh page"
-        {{on "click" this.refreshRoute}}
-      />
-    {{/if}}
-  </:subtitle>
   <:description>
     {{#if (and this.version.isEnterprise @billingStartTime)}}
       {{! Enterprise should always have a @billingStartTime but as a fallback allow the user to query dates manually. }}
@@ -56,11 +41,32 @@
         </Hds::Text::Body>
       </div>
     {{/if}}
+
+    View the number and source of active Vault clients on the cluster to track license compliance.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/client-count"}}>
+      Learn more
+    </Hds::Link::Inline>
+
+    {{#if @activityTimestamp}}
+      <Hds::Text::Body @tag="p" @color="faint">
+        Dashboard last updated:
+        {{date-format @activityTimestamp "MMM d yyyy, h:mm:ss aaa" withTimeZone=true}}
+        <Hds::Button
+          @color="tertiary"
+          @icon="reload"
+          @isIconOnly={{true}}
+          @size="small"
+          @text="Refresh page"
+          data-test-button="Refresh page"
+          {{on "click" this.refreshRoute}}
+        />
+      </Hds::Text::Body>
+    {{/if}}
   </:description>
   <:actions>
     {{#if this.showExportButton}}
       <Hds::Button
-        class="has-font-weight-normal align-items-end align-self-end"
+        class="has-font-weight-normal"
         data-test-export-button
         @text="Export activity data"
         @color="secondary"
diff --git a/ui/app/components/clients/page/client-list.hbs b/ui/app/components/clients/page/client-list.hbs
index 23387c856f..a861f40242 100644
--- a/ui/app/components/clients/page/client-list.hbs
+++ b/ui/app/components/clients/page/client-list.hbs
@@ -55,10 +55,13 @@
 
                     <:emptyState>
                       {{#if (and (eq tabName "Secret sync") (not this.flags.secretsSyncIsActivated))}}
-                        <Hds::ApplicationState @align="center" as |A|>
-                          <A.Header @title="No secret sync clients" @titleTag="h2" />
-                          <A.Body @text="No data is available because Secrets Sync has not been activated." />
-                          <A.Footer as |F|>
+                        <Hds::ApplicationState class="is-marginless" as |A|>
+                          <A.Header @title="No secret sync clients" @titleTag="h2" data-test-empty-state-title />
+                          <A.Body
+                            @text="No data is available because Secrets Sync has not been activated."
+                            data-test-empty-state-message
+                          />
+                          <A.Footer data-test-empty-state-actions as |F|>
                             <F.LinkStandalone
                               @icon="chevron-right"
                               @iconPosition="trailing"
@@ -68,14 +71,15 @@
                           </A.Footer>
                         </Hds::ApplicationState>
                       {{else}}
-                        <Hds::ApplicationState @align="center" as |A|>
-                          <A.Header @title="No data found" @titleTag="h2" />
+                        <Hds::ApplicationState class="is-marginless" as |A|>
+                          <A.Header @title="No data found" @titleTag="h2" data-test-empty-state-title />
                           <A.Body
                             @text="Select another client type {{if
                               this.filtersAreApplied
                               'or update filters'
                               ''
                             }} to view client count data."
+                            data-test-empty-state-message
                           />
                         </Hds::ApplicationState>
                       {{/if}}
@@ -90,7 +94,7 @@
     </:table>
   </Clients::CountsCard>
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No data found" @titleTag="h2" />
     <A.Body data-test-empty-state-message @text="No data to export in provided time range." />
   </Hds::ApplicationState>
diff --git a/ui/app/components/clients/page/counts.hbs b/ui/app/components/clients/page/counts.hbs
index f2956de69b..24ffd4efdd 100644
--- a/ui/app/components/clients/page/counts.hbs
+++ b/ui/app/components/clients/page/counts.hbs
@@ -2,7 +2,7 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-<div class="has-border-bottom-light">
+<div>
   <Clients::PageHeader
     @billingStartTime={{@config.billing_start_timestamp}}
     @retentionMonths={{@config.retention_months}}
@@ -16,13 +16,6 @@
 </div>
 
 <div class="has-top-bottom-margin">
-  <Hds::Text::Body @tag="p" @size="100" class="has-bottom-margin-s">
-    This is the dashboard for your overall client count usage. Review Vault's
-    <Hds::Link::Inline @href={{doc-link "/vault/docs/concepts/client-count"}} @isHrefExternal={{true}}>
-      client counting documentation</Hds::Link::Inline>
-    for more information.
-  </Hds::Text::Body>
-
   {{#if this.trackingDisabled}}
     <Hds::Alert @type="inline" @color="warning" class="has-bottom-margin-s" as |A|>
       <A.Title data-test-counts-disabled>Tracking is disabled</A.Title>
@@ -77,7 +70,7 @@
       {{yield}}
     {{else}}
       {{! Empty state for no data in the selected date range }}
-      <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
         <A.Header data-test-empty-state-title @title="No data received" @titleTag="h2" />
         <A.Body
           data-test-empty-state-message
@@ -91,7 +84,7 @@
     {{/if}}
   {{else if (and this.version.isCommunity (or (not @startTimestamp) (not @endTimestamp)))}}
     {{! Empty state for community without start or end query param }}
-    <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
       <A.Header
         data-test-empty-state-title
         @title="Input the start and end dates to view client attribution by path."
diff --git a/ui/app/components/clients/page/overview.hbs b/ui/app/components/clients/page/overview.hbs
index f95f8fc467..9a75741ef7 100644
--- a/ui/app/components/clients/page/overview.hbs
+++ b/ui/app/components/clients/page/overview.hbs
@@ -27,10 +27,10 @@
         @showPaginationSizeSelector={{true}}
       >
         <:emptyState>
-          <Hds::ApplicationState @align="center" as |A|>
-            <A.Header @title="No data found" @titleTag="h2" />
-            <A.Body @text="Clear or change filters to view client count data." />
-            <A.Footer as |F|>
+          <Hds::ApplicationState class="is-marginless" as |A|>
+            <A.Header @title="No data found" @titleTag="h2" data-test-empty-state-title />
+            <A.Body @text="Clear or change filters to view client count data." data-test-empty-state-message />
+            <A.Footer data-test-empty-state-actions as |F|>
               <F.LinkStandalone
                 @icon="file-text"
                 @text="Client count documentation"
diff --git a/ui/app/components/clients/running-total.hbs b/ui/app/components/clients/running-total.hbs
index 930cd30c91..3c91e2a9b3 100644
--- a/ui/app/components/clients/running-total.hbs
+++ b/ui/app/components/clients/running-total.hbs
@@ -4,43 +4,43 @@
 }}
 
 {{#if @byMonthClients.length}}
-  <Clients::CountsCard @title="Client usage trends" @description={{this.chartContainerText}} @legend={{this.chartLegend}}>
-
+  <Clients::CountsCard @title="Client usage trends" @description={{this.chartContainerText}}>
     <:dataLeft>
-      <Hds::Text::Body @tag="p">Client count and type distribution</Hds::Text::Body>
-      <VaultReporting::DonutChart
-        @data={{this.donutChartData}}
-        @title={{if this.flags.isHvdManaged "Total unique clients" "Total clients"}}
-        class="donut-chart"
+      <Clients::Charts::CarbonChart
+        @chartData={{this.donutChartData}}
+        @chartOptions={{this.donutChartOptions}}
+        @chartType={{this.chartTypes.DONUT}}
+        data-test-chart="Client count and type distribution"
       />
     </:dataLeft>
 
     <:dataRight>
-      <div class="flex space-between has-bottom-margin-xl left-padding-16">
-        <Hds::Text::Body @tag="p">Client usage by month</Hds::Text::Body>
-        <Hds::Form::Toggle::Field
-          data-test-input="toggle view"
-          {{on "change" (fn (mut this.showStacked) (not this.showStacked))}}
-          as |F|
-        >
-          <F.Label>Split by client type</F.Label>
-        </Hds::Form::Toggle::Field>
+      <div class="chart-container">
+        <div class="chart-container-toggle">
+          <Hds::Form::Toggle::Field
+            data-test-input="toggle view"
+            {{on "change" (fn (mut this.showStacked) (not this.showStacked))}}
+            as |F|
+          >
+            <F.Label>Split by client type</F.Label>
+          </Hds::Form::Toggle::Field>
+        </div>
+        {{#if this.showStacked}}
+          <Clients::Charts::CarbonChart
+            @chartData={{this.stackedChartData}}
+            @chartOptions={{this.stackedChartOptions}}
+            @chartType={{this.chartTypes.STACKED_BAR}}
+            data-test-chart="Client usage by month (stacked)"
+          />
+        {{else}}
+          <Clients::Charts::CarbonChart
+            @chartData={{this.simpleChartData}}
+            @chartOptions={{this.simpleChartOptions}}
+            @chartType={{this.chartTypes.SIMPLE_BAR}}
+            data-test-chart="Client usage by month (simple)"
+          />
+        {{/if}}
       </div>
-      {{#if this.showStacked}}
-        <Clients::Charts::VerticalBarStacked
-          @chartTitle="Client usage by month"
-          @data={{this.runningTotalData}}
-          @chartLegend={{this.chartLegend}}
-          @chartHeight={{200}}
-        />
-      {{else}}
-        <Clients::Charts::VerticalBarBasic
-          @chartTitle="Client usage by month"
-          @data={{this.runningTotalData}}
-          @dataKey={{this.dataKey}}
-          @chartHeight={{200}}
-        />
-      {{/if}}
     </:dataRight>
   </Clients::CountsCard>
 {{else}}
diff --git a/ui/app/components/clients/running-total.ts b/ui/app/components/clients/running-total.ts
index 2b220ae492..341d93dac9 100644
--- a/ui/app/components/clients/running-total.ts
+++ b/ui/app/components/clients/running-total.ts
@@ -7,22 +7,39 @@ import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
 import { service } from '@ember/service';
 import { toLabel } from 'core/helpers/to-label';
+import { ScaleTypes, TruncationTypes } from '@carbon/charts';
+import { parseAPITimestamp } from 'core/utils/date-formatters';
+import type { BarChartOptions, DonutChartOptions } from '@carbon/charts/dist/interfaces';
+import { CHART_TYPES } from 'vault/modifiers/carbon-chart';
 
 import type { ByMonthClients, ByMonthNewClients, TotalClients } from 'vault/vault/client-counts/activity-api';
 import type FlagsService from 'vault/services/flags';
 import type VersionService from 'vault/services/version';
 
+interface ChartDataPoint {
+  group: string;
+  key: string;
+  value: number | null;
+  legendX?: string;
+}
+
 interface Args {
   byMonthClients: ByMonthClients[] | ByMonthNewClients[];
   runningTotals: TotalClients;
 }
 
+const CHART_HEIGHT = '300px';
+const MIN_STACKED_Y_AXIS_MAX = 4;
+
 export default class RunningTotal extends Component<Args> {
   @service declare readonly flags: FlagsService;
   @service declare readonly version: VersionService;
 
   @tracked showStacked = false;
 
+  // Export chart types for use in template
+  chartTypes = CHART_TYPES;
+
   get chartContainerText() {
     const range = this.version.isEnterprise ? 'billing period' : 'date range';
     return this.flags.isHvdManaged
@@ -47,25 +64,306 @@ export default class RunningTotal extends Component<Args> {
 
   get donutChartData() {
     return [
-      { value: this.args.runningTotals.entity_clients, label: 'Entity clients' },
-      { value: this.args.runningTotals.non_entity_clients, label: 'Non-entity clients' },
-      { value: this.args.runningTotals.acme_clients, label: 'ACME clients' },
+      { group: 'Entity clients', value: this.args.runningTotals.entity_clients },
+      { group: 'Non-entity clients', value: this.args.runningTotals.non_entity_clients },
+      { group: 'ACME clients', value: this.args.runningTotals.acme_clients },
       ...(this.flags.secretsSyncIsActivated
-        ? [{ value: this.args.runningTotals.secret_syncs, label: 'Secret sync clients' }]
+        ? [{ group: 'Secret sync clients', value: this.args.runningTotals.secret_syncs }]
         : []),
     ];
   }
 
+  get donutChartOptions(): DonutChartOptions {
+    const title = 'Client count and type distribution';
+    const donutLabel = this.flags.isHvdManaged ? 'Total unique clients' : 'Total clients';
+    const total = this.args.runningTotals.clients;
+    const legendOrder = this.donutChartData.map((d) => d.group);
+    return {
+      title,
+      color: {
+        scale: this.categoricalColorScale,
+      },
+      pie: {
+        sortFunction: () => 0,
+      },
+      donut: {
+        center: {
+          label: donutLabel,
+          number: total,
+          numberFormatter: (value: number) => value.toLocaleString(),
+        },
+      },
+      legend: {
+        enabled: true,
+        alignment: 'center',
+        order: legendOrder,
+        truncation: {
+          type: TruncationTypes.NONE,
+        },
+      },
+      toolbar: {
+        enabled: false,
+      },
+      accessibility: {
+        svgAriaLabel: title,
+      },
+      height: CHART_HEIGHT,
+    };
+  }
+
   get chartLegend() {
     if (this.showStacked) {
-      return [
-        { key: 'entity_clients', label: 'Entity clients' },
-        { key: 'non_entity_clients', label: 'Non-entity clients' },
-        { key: 'acme_clients', label: 'ACME clients' },
-        // MUST BE LAST because conditionally renders and legend color mapping for stacked bars will be off otherwise
-        ...(this.flags.secretsSyncIsActivated ? [{ key: 'secret_syncs', label: 'Secret sync clients' }] : []),
-      ];
+      return this.stackedLegend;
     }
     return [{ key: this.dataKey, label: toLabel([this.dataKey]) }];
   }
+
+  get stackedLegend() {
+    return [
+      { key: 'entity_clients', label: 'Entity clients' },
+      { key: 'non_entity_clients', label: 'Non-entity clients' },
+      { key: 'acme_clients', label: 'ACME clients' },
+      // MUST BE LAST because conditionally renders and legend color mapping for stacked bars will be off otherwise
+      ...(this.flags.secretsSyncIsActivated ? [{ key: 'secret_syncs', label: 'Secret sync clients' }] : []),
+    ];
+  }
+
+  get categoricalColorScale() {
+    return {
+      'Entity clients': 'var(--clients-chart-color-first)',
+      'Non-entity clients': 'var(--clients-chart-color-second)',
+      'ACME clients': 'var(--clients-chart-color-third)',
+      'Secret sync clients': 'var(--clients-chart-color-fourth)',
+    };
+  }
+
+  get simpleColorScale() {
+    return {
+      'New clients': 'var(--clients-chart-color-single)',
+      Clients: 'var(--clients-chart-color-single)',
+    };
+  }
+
+  /**
+   * Transforms monthly data into simple bar chart format
+   */
+  get simpleChartData(): ChartDataPoint[] {
+    if (!this.runningTotalData || this.runningTotalData.length === 0) {
+      return [];
+    }
+
+    return this.runningTotalData.map((monthData) => {
+      const value = (monthData as unknown as Record<string, number | string>)[this.dataKey];
+      const month = parseAPITimestamp(monthData.timestamp, 'M/yy');
+      const label = toLabel([this.dataKey]);
+
+      return {
+        group: label,
+        key: month,
+        value: typeof value === 'number' ? value : null,
+        legendX: parseAPITimestamp(monthData.timestamp, 'MMMM yyyy'),
+      };
+    });
+  }
+
+  /**
+   * Transforms monthly data into stacked bar chart format
+   */
+  get stackedChartData(): ChartDataPoint[] {
+    if (!this.runningTotalData || this.runningTotalData.length === 0) {
+      return [];
+    }
+
+    const result: ChartDataPoint[] = [];
+
+    this.runningTotalData.forEach((monthData) => {
+      const month = parseAPITimestamp(monthData.timestamp, 'M/yy');
+      const formattedMonth = parseAPITimestamp(monthData.timestamp, 'MMMM yyyy');
+
+      this.stackedLegend.forEach((legend) => {
+        const rawValue = (monthData as unknown as Record<string, number | null>)[legend.key];
+        result.push({
+          group: legend.label,
+          key: month,
+          value: typeof rawValue === 'number' ? rawValue : null,
+          legendX: formattedMonth,
+        });
+      });
+    });
+
+    return result;
+  }
+
+  /**
+   * Calculates the y-axis domain for simple chart
+   */
+  get simpleYDomain(): [number, number] {
+    const values = this.simpleChartData.map((d) => d.value).filter((v): v is number => v !== null);
+    const max = Math.max(...values, 0);
+    return [0, Math.ceil(max * 1.1)];
+  }
+
+  /**
+   * Calculates the y-axis domain for stacked chart
+   * Calculates the maximum stacked total for each month
+   */
+  get stackedYDomain(): [number, number] {
+    // Calculate the sum of all client types for each month
+    const stackedTotals = new Map<string, number>();
+
+    this.runningTotalData.forEach((monthData) => {
+      const timestamp = monthData.timestamp;
+      const total = this.stackedLegend.reduce((sum, legend) => {
+        const value = (monthData as unknown as Record<string, number | string>)[legend.key] || 0;
+        return sum + (typeof value === 'number' ? value : 0);
+      }, 0);
+      stackedTotals.set(timestamp, total);
+    });
+
+    const max = Math.max(...Array.from(stackedTotals.values()), 0);
+    return [0, Math.max(max, MIN_STACKED_Y_AXIS_MAX)];
+  }
+
+  /**
+   * Generates Carbon Charts configuration options for simple bar chart
+   */
+  get simpleChartOptions(): BarChartOptions {
+    return {
+      title: 'Client usage by month',
+      color: {
+        pairing: {
+          option: 3,
+        },
+        scale: this.simpleColorScale,
+      },
+      height: CHART_HEIGHT,
+      axes: {
+        left: {
+          mapsTo: 'value',
+          scaleType: ScaleTypes.LINEAR,
+          domain: this.simpleYDomain,
+        },
+        bottom: {
+          mapsTo: 'key',
+          scaleType: ScaleTypes.LABELS,
+        },
+      },
+      legend: {
+        alignment: 'center',
+        enabled: true,
+        truncation: {
+          type: TruncationTypes.NONE,
+        },
+      },
+      toolbar: {
+        enabled: false,
+      },
+      bars: {
+        maxWidth: 20,
+      },
+      tooltip: {
+        customHTML: (data: ChartDataPoint[]) => {
+          if (!data || data.length === 0) return '';
+
+          const firstPoint = data[0];
+          if (!firstPoint) return '';
+
+          const month = firstPoint.legendX || firstPoint.key;
+          const value = firstPoint.value;
+          const label = toLabel([this.dataKey]);
+
+          if (value === null) {
+            return `
+              <div class="cds--tooltip cds--tooltip--shown carbon-chart-tooltip">
+                <p class="tooltip-month">${month}</p>
+                <p class="tooltip-value">No data</p>
+              </div>
+            `;
+          }
+
+          const formattedValue = value.toLocaleString();
+          return `
+            <div class="cds--tooltip cds--tooltip--shown carbon-chart-tooltip">
+              <p class="tooltip-month">${month}</p>
+              <p class="tooltip-value">${formattedValue} ${label}</p>
+            </div>
+          `;
+        },
+      },
+    };
+  }
+
+  /**
+   * Generates Carbon Charts configuration options for stacked bar chart
+   */
+  get stackedChartOptions(): BarChartOptions {
+    return {
+      title: 'Client usage by month',
+      height: CHART_HEIGHT,
+      color: {
+        pairing: {
+          option: 1,
+        },
+        scale: this.categoricalColorScale,
+      },
+      axes: {
+        bottom: {
+          mapsTo: 'key',
+          scaleType: ScaleTypes.LABELS,
+        },
+        left: {
+          mapsTo: 'value',
+          scaleType: ScaleTypes.LINEAR,
+          domain: this.stackedYDomain,
+        },
+      },
+      bars: {
+        maxWidth: 20,
+      },
+      legend: {
+        enabled: true,
+        alignment: 'center',
+        truncation: {
+          type: TruncationTypes.NONE,
+        },
+      },
+      toolbar: {
+        enabled: false,
+      },
+      tooltip: {
+        customHTML: (data: ChartDataPoint[]) => {
+          if (!data || data.length === 0) return '';
+
+          const firstPoint = data[0];
+          if (!firstPoint) return '';
+
+          const month = firstPoint.legendX || firstPoint.key;
+          const hasData = data.some((d) => d.value !== null);
+
+          if (!hasData) {
+            return `
+              <div class="cds--tooltip cds--tooltip--shown carbon-chart-tooltip">
+                <p class="tooltip-month">${month}</p>
+                <p class="tooltip-value">No data</p>
+              </div>
+            `;
+          }
+
+          const rows = data
+            .map((d) => {
+              const formattedValue = (d.value ?? 0).toLocaleString();
+              return `<p class="tooltip-value">${formattedValue} ${d.group}</p>`;
+            })
+            .join('');
+
+          return `
+            <div class="cds--tooltip cds--tooltip--shown carbon-chart-tooltip">
+              <p class="tooltip-month">${month}</p>
+              ${rows}
+            </div>
+          `;
+        },
+      },
+    };
+  }
 }
diff --git a/ui/app/components/dashboard/client-count-card.hbs b/ui/app/components/dashboard/client-count-card.hbs
deleted file mode 100644
index 876e7e18a7..0000000000
--- a/ui/app/components/dashboard/client-count-card.hbs
+++ /dev/null
@@ -1,46 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<Hds::Card::Container @hasBorder={{true}} class="has-padding-l" data-test-card="client-count">
-  <div class="is-flex-between">
-    <h2 class="title is-4 has-bottom-margin-xxs" data-test-client-count-title>
-      Client count
-    </h2>
-
-    <LinkTo @route="vault.cluster.clients">Details</LinkTo>
-  </div>
-
-  <hr class="has-background-gray-100" />
-
-  {{#if this.fetchClientActivity.isRunning}}
-    <VaultLogoSpinner />
-  {{else}}
-    {{#if this.activityData}}
-      <div class="is-grid grid-2-columns grid-gap-2 has-top-margin-m grid-align-items-start is-flex-v-centered">
-        <StatText @label="Total" @value={{this.activityData.total.clients}} @size="l" @subText={{this.statSubText.total}} />
-        <StatText @label="New" @value={{this.currentMonthActivityTotalCount}} @size="l" @subText={{this.statSubText.new}} />
-      </div>
-
-      <div class="has-top-margin-l is-flex-center">
-        <Hds::Button
-          @text="Refresh"
-          @isIconOnly={{true}}
-          @color="tertiary"
-          @icon="sync"
-          disabled={{this.fetchClientActivity.isRunning}}
-          class="has-padding-xxs"
-          {{on "click" (perform this.fetchClientActivity)}}
-          data-test-refresh
-        />
-        <small class="has-left-margin-xs has-text-grey" data-test-updated-timestamp>
-          Updated
-          {{date-format this.updatedAt "MMM d yyyy, h:mm:ss aaa" withTimeZone=true}}
-        </small>
-      </div>
-    {{else}}
-      <Clients::NoData @config={{this.activityConfig}} @canUpdate={{this.canUpdateActivityConfig}} />
-    {{/if}}
-  {{/if}}
-</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/overview.hbs b/ui/app/components/dashboard/overview.hbs
index 19ec359bc4..f6aeeac858 100644
--- a/ui/app/components/dashboard/overview.hbs
+++ b/ui/app/components/dashboard/overview.hbs
@@ -3,50 +3,59 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Dashboard::VaultVersionTitle @version={{@version}} />
+<Page::Header
+  @title="Vault {{@version.versionDisplay}}"
+  @icon="dashboard"
+  @description="Review the status of your Vault cluster, including: currently enabled secrets engines and authentication methods, and system configurations."
+  class="dashboard-header-with-gradient has-bottom-margin-xl"
+>
+  <:badges>
+    {{#if @version.isEnterprise}}
+      <Hds::Badge @text={{this.namespace.currentNamespace}} @icon="org" data-test-badge-namespace />
+    {{/if}}
+  </:badges>
+</Page::Header>
 
 <div class="has-bottom-margin-xl">
-  <div class="is-flex-row gap-24">
+  <Hds::Layout::Flex @wrap={{true}} @gap="32" as |LF|>
     {{#if @version.isEnterprise}}
-      <div class="is-flex-column is-flex-1 gap-24">
-        {{#if (and (has-permission "clients" routeParams="activity") this.shouldShowClientCount)}}
-          <Dashboard::ClientCountCard />
-        {{/if}}
+      <LF.Item @basis="58%" @grow={{true}} @shrink={{true}}>
+        <Dashboard::Widgets::SecretsEngines @secretsEngines={{@secretsEngines}} />
         {{#if
           (and (has-permission "status" routeParams="replication") (not (is-empty-value @replication)) @isRootNamespace)
         }}
-          <Dashboard::ReplicationCard
+          <Dashboard::Widgets::Replication
             @replication={{@replication}}
             @version={{@version}}
             @refresh={{@refreshModel}}
             @updatedAt={{@replicationUpdatedAt}}
+            class="has-top-margin-xl"
           />
         {{/if}}
-        <Dashboard::SecretsEnginesCard @secretsEngines={{@secretsEngines}} />
-      </div>
+        {{#if @vaultConfiguration}}
+          <Dashboard::Widgets::ClusterConfiguration @vaultConfiguration={{@vaultConfiguration}} />
+        {{/if}}
+      </LF.Item>
 
-      <div class="is-flex-column is-flex-1 gap-24">
-        <Dashboard::QuickActionsCard @secretsEngines={{@secretsEngines}} />
-        {{#if @vaultConfiguration}}
-          <Dashboard::VaultConfigurationDetailsCard @vaultConfiguration={{@vaultConfiguration}} />
+      <LF.Item @basis="38%" @grow={{true}} @shrink={{true}}>
+        <Dashboard::Widgets::QuickActions @secretsEngines={{@secretsEngines}} />
+        {{#if (and (has-permission "clients" routeParams="activity") this.shouldShowClientCount)}}
+          <Dashboard::Widgets::ClientCount class="has-top-margin-xl" />
         {{/if}}
-        <div>
-          <Dashboard::LearnMoreCard @isEnterprise={{@version.isEnterprise}} />
-        </div>
-      </div>
+
+        <Dashboard::Widgets::LearnMore @isEnterprise={{@version.isEnterprise}} class="has-top-margin-xl" />
+      </LF.Item>
     {{else}}
-      <div class="is-flex-column is-flex-1 gap-24">
-        <Dashboard::SecretsEnginesCard @secretsEngines={{@secretsEngines}} />
-        <div>
-          <Dashboard::LearnMoreCard @isEnterprise={{@version.isEnterprise}} />
-        </div>
-      </div>
-      <div class="is-flex-column is-flex-1 gap-24">
-        <Dashboard::QuickActionsCard @secretsEngines={{@secretsEngines}} />
+      <LF.Item @basis="58%" @grow={{true}} @shrink={{true}}>
+        <Dashboard::Widgets::SecretsEngines @secretsEngines={{@secretsEngines}} />
         {{#if @vaultConfiguration}}
-          <Dashboard::VaultConfigurationDetailsCard @vaultConfiguration={{@vaultConfiguration}} />
+          <Dashboard::Widgets::ClusterConfiguration @vaultConfiguration={{@vaultConfiguration}} />
         {{/if}}
-      </div>
+      </LF.Item>
+      <LF.Item @basis="38%" @grow={{true}} @shrink={{true}}>
+        <Dashboard::Widgets::QuickActions @secretsEngines={{@secretsEngines}} />
+        <Dashboard::Widgets::LearnMore @isEnterprise={{@version.isEnterprise}} class="has-top-margin-xl" />
+      </LF.Item>
     {{/if}}
-  </div>
+  </Hds::Layout::Flex>
 </div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/overview.ts b/ui/app/components/dashboard/overview.ts
index f6bc041b4c..99dad3acf6 100644
--- a/ui/app/components/dashboard/overview.ts
+++ b/ui/app/components/dashboard/overview.ts
@@ -13,7 +13,7 @@ export type Args = {
   replication: unknown;
   secretsEngines: unknown;
   vaultConfiguration: unknown;
-  version: { isEnterprise: boolean; hasPKIOnly: boolean };
+  version: { isEnterprise: boolean; hasPKIOnly: boolean; hasConsumptionBilling: boolean };
 };
 
 export default class OverviewComponent extends Component<Args> {
@@ -36,6 +36,9 @@ export default class OverviewComponent extends Component<Args> {
     // don't show client count if this is a PKI-only Secrets cluster
     if (version.hasPKIOnly) return false;
 
+    // don't show client count if this is a Consumption Billing cluster
+    if (version.hasConsumptionBilling) return false;
+
     // HVD clusters
     if (namespace.inHvdAdminNamespace) return true;
 
diff --git a/ui/app/components/dashboard/replication-card.hbs b/ui/app/components/dashboard/replication-card.hbs
deleted file mode 100644
index 12900fcee9..0000000000
--- a/ui/app/components/dashboard/replication-card.hbs
+++ /dev/null
@@ -1,105 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-<Hds::Card::Container @hasBorder={{true}} class="has-padding-l" data-test-card="replication">
-
-  <div class="is-flex-between">
-    <h2 class="title is-4 has-bottom-margin-xxs" data-test-client-count-title>
-      Cluster replication status
-    </h2>
-
-    {{#if (or @replication.dr.clusterId @replication.performance.clusterId)}}
-      <LinkTo @route="vault.cluster.replication.index">
-        Details
-      </LinkTo>
-    {{/if}}
-  </div>
-
-  {{! check if dr replication and performance replication exists }}
-  {{#if (or @replication.dr.clusterId @replication.performance.clusterId)}}
-    <hr class="has-background-gray-100" />
-    {{! check if user has access to both perf replication and dr replication }}
-    {{#if (and @version.hasPerfReplication @version.hasDRReplication)}}
-      <div
-        class="is-grid grid-2-columns grid-gap-2 has-top-margin-m has-bottom-margin-xs grid-align-items-start"
-        data-test-type="dr-perf"
-      >
-        <Dashboard::ReplicationStateText
-          @title="DR{{if (not-eq @replication.dr.mode 'disabled') (concat ' ' @replication.dr.mode)}}"
-          @name="dr"
-          @state={{@replication.dr.state}}
-          @clusterStates={{cluster-states @replication.dr.state}}
-        />
-        <Dashboard::ReplicationStateText
-          @title="Performance{{if
-            (not-eq @replication.performance.mode 'disabled')
-            (concat ' ' @replication.performance.mode)
-          }}"
-          @name="performance"
-          @state={{if @replication.performance.clusterId @replication.performance.state "not set up"}}
-          @clusterStates={{if @replication.performance.clusterId (cluster-states @replication.performance.state)}}
-        />
-      </div>
-      {{! if user only has access to dr replication }}
-    {{else if @version.hasDRReplication}}
-      <LinkTo
-        class="title is-5 has-text-weight-semibold is-marginless"
-        @route="vault.cluster.replication.mode.index"
-        @model="dr"
-      >
-        DR Primary
-      </LinkTo>
-
-      <div
-        class="is-grid grid-2-columns grid-gap-2 has-top-margin-m has-bottom-margin-m grid-align-items-start"
-        data-test-type="dr"
-      >
-        <Dashboard::ReplicationStateText
-          @title="state"
-          @state={{@replication.dr.state}}
-          @clusterStates={{cluster-states @replication.dr.state}}
-          @subText="The current operating state of the cluster."
-        />
-        <StatText
-          @label="known secondaries"
-          @value={{@replication.dr.knownSecondaries.length}}
-          @size="l"
-          @subText="Number of secondaries connected to this primary."
-          data-test-stat-text="known secondaries"
-        />
-      </div>
-    {{/if}}
-    <div class="has-top-margin-s is-flex-center">
-      <Hds::Button
-        @text="Refresh"
-        @isIconOnly={{true}}
-        @color="tertiary"
-        @icon="sync"
-        class="has-padding-xxs"
-        {{on "click" @refresh}}
-        data-test-refresh
-      />
-      <small class="has-left-margin-xs has-text-grey">
-        Updated
-        {{date-format @updatedAt "MMM d yyyy, h:mm:ss aaa" withTimeZone=true}}
-      </small>
-    </div>
-  {{else}}
-    <Hds::ApplicationState @align="center" data-test-empty-state="replication" class="has-top-margin-l" as |A|>
-      <A.Header data-test-empty-state-title @title="Replication not set up" @titleTag="h2" />
-      <A.Body
-        data-test-empty-state-message
-        @text="Data will be listed here. Enable a primary replication cluster to get started."
-      />
-      <A.Footer data-test-empty-state-actions as |F|>
-        <F.LinkStandalone
-          @icon="chevron-right"
-          @iconPosition="trailing"
-          @text="Enable replication"
-          @route="vault.cluster.replication"
-        />
-      </A.Footer>
-    </Hds::ApplicationState>
-  {{/if}}
-</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/replication-state-text.hbs b/ui/app/components/dashboard/replication-state-text.hbs
deleted file mode 100644
index 0cd954e334..0000000000
--- a/ui/app/components/dashboard/replication-state-text.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-{{!
-Copyright IBM Corp. 2016, 2025
-SPDX-License-Identifier: BUSL-1.1
-}}
-
-<div ...attributes>
-  <h2 class="is-size-5 has-text-weight-semibold has-bottom-margin-xs" data-test-title={{@title}}>
-    {{@title}}
-  </h2>
-
-  {{#if @subText}}
-    <div class="title is-8 has-font-weight-normal has-text-grey-dark" data-test-subtext={{@title}}>
-      {{@subText}}
-    </div>
-  {{/if}}
-
-  <Hds::TooltipButton @text="The cluster's current operating state" aria-label="The cluster's current operating state">
-    <div class="is-flex-v-centered">
-      <Hds::Text::Display
-        class="title is-4 has-text-weight-semibold has-top-margin-xxs has-bottom-margin-xxs has-right-padding-sm"
-        data-test-replication-status-title={{@title}}
-      >
-        {{or @state "not set up"}}
-      </Hds::Text::Display>
-
-      {{#let (or @clusterStates.glyph "x-circle") as |icon|}}
-        <Hds::Icon
-          @isInline={{true}}
-          @name={{icon}}
-          class={{if @clusterStates.isOk "has-text-success" "has-text-danger"}}
-          data-test-replication-icon={{icon}}
-        />
-      {{/let}}
-    </div>
-  </Hds::TooltipButton>
-</div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/secrets-engines-card.hbs b/ui/app/components/dashboard/secrets-engines-card.hbs
deleted file mode 100644
index 3b6f18daa5..0000000000
--- a/ui/app/components/dashboard/secrets-engines-card.hbs
+++ /dev/null
@@ -1,96 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<Hds::Card::Container
-  @hasBorder={{true}}
-  class="has-padding-l {{if this.filteredSecretsEngines 'secrets-engines-card'}}"
-  data-test-card="secrets-engines"
->
-  <div class="is-flex-between">
-    <h2 class="title is-4 has-left-margin-xxs" data-test-dashboard-card-header="Secrets engines">Secrets engines</h2>
-
-    {{#if this.filteredSecretsEngines}}
-      <LinkTo class="has-right-margin-4" @route="vault.cluster.secrets.backends">
-        Details
-      </LinkTo>
-    {{/if}}
-  </div>
-
-  {{#if this.filteredSecretsEngines}}
-    <Hds::Table @caption="Five secrets engines" class="is-border-spacing-revert" data-test-dashboard-table="Secrets engines">
-      <:body as |B|>
-        {{#each this.firstFiveSecretsEngines as |backend|}}
-          <B.Tr data-test-secrets-engines-row={{backend.id}}>
-            <B.Td class="is-flex-between is-flex-center gap-16">
-              <div>
-                <div class="is-grid align-items-center linked-block-title">
-                  {{#if backend.icon}}
-                    <Hds::Icon @name={{backend.icon}} @title="{{or backend.engineType backend.path}} type backend" />
-                  {{/if}}
-                  {{#if backend.path}}
-                    {{#if backend.isSupportedBackend}}
-                      <LinkTo
-                        @route={{backend.backendLink}}
-                        @model={{backend.id}}
-                        class="has-text-black has-text-weight-semibold truncate-first-line"
-                        data-test-secret-path={{backend.path}}
-                      >
-                        {{backend.path}}
-                      </LinkTo>
-                    {{else}}
-                      <span class="has-text-grey" data-test-secret-path={{backend.path}}>{{backend.path}}</span>
-                    {{/if}}
-                  {{/if}}
-                </div>
-                {{#if backend.accessor}}
-                  <code class="has-text-grey is-size-8" data-test-accessor>
-                    {{backend.accessor}}
-                  </code>
-                {{/if}}
-                {{#if backend.description}}
-                  <div data-test-description class="truncate-first-line overflow-wrap word-break">
-                    {{backend.description}}
-                  </div>
-                {{/if}}
-              </div>
-              {{#if backend.isSupportedBackend}}
-                <LinkTo @route={{backend.backendLink}} @model={{backend.id}} class="has-text-weight-semibold" data-test-view>
-                  View
-                </LinkTo>
-              {{/if}}
-            </B.Td>
-          </B.Tr>
-        {{/each}}
-      </:body>
-    </Hds::Table>
-
-    {{#if (gt this.filteredSecretsEngines.length 5)}}
-      <p class="is-size-9 has-top-margin-xs has-text-grey" data-test-secrets-engine-total-help-text>
-        Showing 5 out of
-        {{this.filteredSecretsEngines.length}}
-        secret engines. Navigate to
-        <Hds::Link::Inline @route="vault.cluster.secrets.backends">details</Hds::Link::Inline>
-        to view more.
-      </p>
-    {{/if}}
-
-  {{else}}
-    <Hds::ApplicationState @align="center" data-test-empty-state="secrets-engines" class="has-top-margin-l" as |A|>
-      <A.Header data-test-empty-state-title @title="No secrets engines enabled" @titleTag="h2" />
-      <A.Body
-        data-test-empty-state-message
-        @text="Secret engines will be listed here. Enable a secret engine to get started."
-      />
-      <A.Footer data-test-empty-state-actions as |F|>
-        <F.LinkStandalone
-          @icon="chevron-right"
-          @iconPosition="trailing"
-          @text="Enable a secrets engine"
-          @route="vault.cluster.secrets.enable"
-        />
-      </A.Footer>
-    </Hds::ApplicationState>
-  {{/if}}
-</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/vault-configuration-details-card.hbs b/ui/app/components/dashboard/vault-configuration-details-card.hbs
deleted file mode 100644
index 3d0a5d8cac..0000000000
--- a/ui/app/components/dashboard/vault-configuration-details-card.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<Hds::Card::Container @hasBorder={{true}} class="has-padding-l" data-test-card="configuration-details">
-  <h2 class="title is-4" data-test-dashboard-card-header="configuration">Configuration details</h2>
-
-  <Hds::Table @caption="Vault configuration details" class="is-border-spacing-revert">
-    <:body as |B|>
-      <B.Tr>
-        <B.Td>API_ADDR</B.Td>
-        <B.Td data-test-vault-config-details="api_addr">{{or @vaultConfiguration.api_addr "None"}}</B.Td>
-      </B.Tr>
-      <B.Tr>
-        <B.Td>Default lease TTL</B.Td>
-        <B.Td data-test-vault-config-details="default_lease_ttl">{{format-duration
-            @vaultConfiguration.default_lease_ttl
-          }}</B.Td>
-      </B.Tr>
-      <B.Tr>
-        <B.Td>Max lease TTL</B.Td>
-        <B.Td data-test-vault-config-details="max_lease_ttl">{{format-duration @vaultConfiguration.max_lease_ttl}}</B.Td>
-      </B.Tr>
-      <B.Tr>
-        <B.Td>TLS</B.Td>
-        <B.Td data-test-vault-config-details="tls">{{this.tls}}</B.Td>
-      </B.Tr>
-      <B.Tr>
-        <B.Td>Log format</B.Td>
-        <B.Td data-test-vault-config-details="log_format">{{or @vaultConfiguration.log_format "None"}}</B.Td>
-      </B.Tr>
-      <B.Tr>
-        <B.Td>Log level</B.Td>
-        <B.Td data-test-vault-config-details="log_level">{{@vaultConfiguration.log_level}}</B.Td>
-      </B.Tr>
-      <B.Tr>
-        <B.Td>Storage type</B.Td>
-        <B.Td data-test-vault-config-details="type">{{@vaultConfiguration.storage.type}}</B.Td>
-      </B.Tr>
-    </:body>
-  </Hds::Table>
-</Hds::Card::Container>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/vault-configuration-details-card.js b/ui/app/components/dashboard/vault-configuration-details-card.js
deleted file mode 100644
index 4514bc2584..0000000000
--- a/ui/app/components/dashboard/vault-configuration-details-card.js
+++ /dev/null
@@ -1,30 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-
-/**
- * @module DashboardVaultConfigurationCard
- * DashboardVaultConfigurationCard component are used to display vault configuration.
- *
- * @example
- * ```js
- * <DashboardVaultConfigurationCard @vaultConfiguration={{@model.vaultConfiguration}} />
- * ```
- * @param {object} vaultConfiguration - object of vault configuration key/values
- */
-
-export default class DashboardSecretsEnginesCard extends Component {
-  get tls() {
-    // since the default for tls_disable is false it may not be in the config
-    // consider tls enabled if tls_disable is undefined or false AND both tls_cert_file and tls_key_file are defined
-    const tlsListener = this.args.vaultConfiguration?.listeners.find((listener) => {
-      const { tls_disable, tls_cert_file, tls_key_file } = listener.config || {};
-      return !tls_disable && tls_cert_file && tls_key_file;
-    });
-
-    return tlsListener ? 'Enabled' : 'Disabled';
-  }
-}
diff --git a/ui/app/components/dashboard/vault-version-title.hbs b/ui/app/components/dashboard/vault-version-title.hbs
deleted file mode 100644
index fe32f375af..0000000000
--- a/ui/app/components/dashboard/vault-version-title.hbs
+++ /dev/null
@@ -1,14 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<Page::Header @title="Vault {{@version.versionDisplay}}">
-  <:badges>
-    {{#if @version.isEnterprise}}
-      <Hds::Badge @text={{this.namespace.currentNamespace}} @icon="org" data-test-badge-namespace />
-    {{/if}}
-  </:badges>
-</Page::Header>
-
-<hr class="has-top-margin-xxs has-bottom-margin-l has-background-gray-200" />
\ No newline at end of file
diff --git a/ui/app/components/dashboard/vault-version-title.js b/ui/app/components/dashboard/vault-version-title.js
deleted file mode 100644
index 8c38d98213..0000000000
--- a/ui/app/components/dashboard/vault-version-title.js
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { service } from '@ember/service';
-
-/**
- * @module DashboardVaultVersionTitle
- * DashboardVaultVersionTitle component are use to display the vault version title and the badges
- *
- * @example
- * ```js
- * <Dashboard::VaultVersionTitle @version={{this.versionSvc}} />
- * ```
- */
-
-export default class DashboardVaultVersionTitle extends Component {
-  @service namespace;
-}
diff --git a/ui/app/components/dashboard/widgets/client-count.hbs b/ui/app/components/dashboard/widgets/client-count.hbs
new file mode 100644
index 0000000000..7691dca4c5
--- /dev/null
+++ b/ui/app/components/dashboard/widgets/client-count.hbs
@@ -0,0 +1,54 @@
+{{!
+  Copyright IBM Corp. 2016, 2026
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<div data-test-widget="client count" ...attributes>
+  <Hds::Layout::Flex @justify="space-between">
+    <Hds::Text::Display @size="300" data-test-text-display="Client count">Client count</Hds::Text::Display>
+    <Hds::Link::Standalone @icon="arrow-right" @text="Details" @iconPosition="trailing" @route="vault.cluster.clients" />
+  </Hds::Layout::Flex>
+
+  {{#if (and this.activityData (not this.fetchClientActivity.isRunning))}}
+    <div class="has-top-margin-s">
+      <Hds::Text::Body @tag="p" @size="100" @color="faint" data-test-text-body="Client count updated at">
+        Updated
+        {{date-format this.updatedAt "MMMM d, yyyy, h:mm:ss aaa" withTimeZone=true}}
+      </Hds::Text::Body>
+    </div>
+  {{/if}}
+
+  {{#if this.fetchClientActivity.isRunning}}
+    <VaultLogoSpinner />
+  {{else}}
+    {{#if this.activityData}}
+      <Hds::Table class="has-top-margin-s" @caption="Client count">
+        <:body as |B|>
+          <B.Tr data-test-table-row="0">
+            <B.Td class="one-half-width" data-test-table-data="total">Total</B.Td>
+            <B.Td class="one-half-width" data-test-table-data="total value">{{or this.activityData.total.clients "-"}}</B.Td>
+          </B.Tr>
+          <B.Tr data-test-table-row="1">
+            <B.Td class="one-half-width" data-test-table-data="new">New</B.Td>
+            <B.Td class="one-half-width" data-test-table-data="new value">
+              {{or this.currentMonthActivityTotalCount "-"}}
+            </B.Td>
+          </B.Tr>
+        </:body>
+      </Hds::Table>
+      <Hds::Text::Body
+        @tag="p"
+        @color="faint"
+        @size="100"
+        class="has-top-margin-xs has-bottom-margin-xs"
+        data-test-text-body="Client count total"
+      >Total:
+        {{this.statSubText.total}}</Hds::Text::Body>
+      <Hds::Text::Body @tag="p" @color="faint" @size="100" data-test-text-body="Client count new">New:
+        {{this.statSubText.new}}</Hds::Text::Body>
+
+    {{else}}
+      <Clients::NoData @config={{this.activityConfig}} @canUpdate={{this.canUpdateActivityConfig}} />
+    {{/if}}
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/client-count-card.ts b/ui/app/components/dashboard/widgets/client-count.ts
similarity index 95%
rename from ui/app/components/dashboard/client-count-card.ts
rename to ui/app/components/dashboard/widgets/client-count.ts
index 1c02e2771f..1417b11cae 100644
--- a/ui/app/components/dashboard/client-count-card.ts
+++ b/ui/app/components/dashboard/widgets/client-count.ts
@@ -30,11 +30,11 @@ import type {
 } from 'vault/client-counts/activity-api';
 
 /**
- * @module DashboardClientCountCard
- * DashboardClientCountCard component are used to display total and new client count information
+ * @module Dashboard::Widgets::ClientCount
+ * Dashboard widget component to display total and new client count information
  *
  * @example
- * <Dashboard::ClientCountCard />
+ * <Dashboard::Widgets::ClientCount />
  */
 
 export default class DashboardClientCountCard extends Component<object> {
diff --git a/ui/app/components/dashboard/widgets/cluster-configuration.hbs b/ui/app/components/dashboard/widgets/cluster-configuration.hbs
new file mode 100644
index 0000000000..03c607ff44
--- /dev/null
+++ b/ui/app/components/dashboard/widgets/cluster-configuration.hbs
@@ -0,0 +1,53 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<div class="has-top-margin-xl" data-test-widget="cluster configuration">
+  <Hds::Text::Display data-test-text-display="Cluster information" @size="300">
+    Cluster information
+  </Hds::Text::Display>
+
+  <Hds::Table class="has-top-margin-m" @caption="Vault cluster configuration">
+    <:body as |B|>
+      <B.Tr data-test-table-row="0">
+        <B.Td class="one-half-width">API_ADDR</B.Td>
+        <B.Td class="one-half-width" data-test-table-data="api_addr value">{{or @vaultConfiguration.api_addr "None"}}</B.Td>
+      </B.Tr>
+      <B.Tr data-test-table-row="1">
+        <B.Td class="one-half-width">Default lease TTL</B.Td>
+        <B.Td class="one-half-width" data-test-table-data="default_lease_ttl value">{{format-duration
+            @vaultConfiguration.default_lease_ttl
+          }}</B.Td>
+      </B.Tr>
+      <B.Tr data-test-table-row="2">
+        <B.Td class="one-half-width">Max lease TTL</B.Td>
+        <B.Td class="one-half-width" data-test-table-data="max_lease_ttl value">{{format-duration
+            @vaultConfiguration.max_lease_ttl
+          }}</B.Td>
+      </B.Tr>
+      <B.Tr data-test-table-row="3">
+        <B.Td class="one-half-width">TLS</B.Td>
+        <B.Td class="one-half-width" data-test-table-data="tls value"><Hds::Badge
+            @text={{this.tls}}
+            @color={{if (eq this.tls "Enabled") "success" "critical"}}
+          /></B.Td>
+      </B.Tr>
+      <B.Tr data-test-table-row="4">
+        <B.Td class="one-half-width">Log format</B.Td>
+        <B.Td class="one-half-width" data-test-table-data="log_format value">{{or
+            @vaultConfiguration.log_format
+            "None"
+          }}</B.Td>
+      </B.Tr>
+      <B.Tr data-test-table-row="5">
+        <B.Td class="one-half-width">Log level</B.Td>
+        <B.Td class="one-half-width" data-test-table-data="log_level value">{{@vaultConfiguration.log_level}}</B.Td>
+      </B.Tr>
+      <B.Tr data-test-table-row="6">
+        <B.Td class="one-half-width">Storage type</B.Td>
+        <B.Td class="one-half-width" data-test-table-data="type value">{{@vaultConfiguration.storage.type}}</B.Td>
+      </B.Tr>
+    </:body>
+  </Hds::Table>
+</div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/widgets/cluster-configuration.ts b/ui/app/components/dashboard/widgets/cluster-configuration.ts
new file mode 100644
index 0000000000..6d2ed8c53a
--- /dev/null
+++ b/ui/app/components/dashboard/widgets/cluster-configuration.ts
@@ -0,0 +1,58 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+
+interface VaultListenerConfig {
+  tls_disable?: boolean;
+  tls_cert_file?: string;
+  tls_key_file?: string;
+}
+
+interface VaultListener {
+  config?: VaultListenerConfig;
+}
+
+interface VaultStorage {
+  type?: string;
+}
+
+interface VaultConfiguration {
+  api_addr?: string;
+  default_lease_ttl?: number | string;
+  max_lease_ttl?: number | string;
+  log_format?: string;
+  log_level?: string;
+  storage?: VaultStorage;
+  listeners: VaultListener[];
+}
+
+export interface Args {
+  vaultConfiguration?: VaultConfiguration;
+}
+
+/**
+ * @module Dashboard::Widgets::ClusterConfiguration
+ * Dashboard widget component to display vault cluster configuration details.
+ *
+ * @example
+ * ```js
+ * <Dashboard::Widgets::ClusterConfiguration @vaultConfiguration={{@model.vaultConfiguration}} />
+ * ```
+ * @param {VaultConfiguration} vaultConfiguration - Vault configuration object with listeners, storage, etc.
+ */
+
+export default class DashboardWidgetsClusterConfiguration extends Component<Args> {
+  get tls() {
+    // since the default for tls_disable is false it may not be in the config
+    // consider tls enabled if tls_disable is undefined or false AND both tls_cert_file and tls_key_file are defined
+    const tlsListener = this.args.vaultConfiguration?.listeners?.find((listener) => {
+      const { tls_disable, tls_cert_file, tls_key_file } = listener.config || {};
+      return !tls_disable && tls_cert_file && tls_key_file;
+    });
+
+    return tlsListener ? 'Enabled' : 'Disabled';
+  }
+}
diff --git a/ui/app/components/dashboard/learn-more-card.hbs b/ui/app/components/dashboard/widgets/learn-more.hbs
similarity index 68%
rename from ui/app/components/dashboard/learn-more-card.hbs
rename to ui/app/components/dashboard/widgets/learn-more.hbs
index ded80fcfa6..53c741fe27 100644
--- a/ui/app/components/dashboard/learn-more-card.hbs
+++ b/ui/app/components/dashboard/widgets/learn-more.hbs
@@ -3,12 +3,14 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Hds::Card::Container @hasBorder={{true}} class="has-padding-l" data-test-card="learn-more">
-  <h2 class="title is-4 has-bottom-margin-xxs" data-test-learn-more-title>Learn more</h2>
-  <div class="sub-text" data-test-learn-more-subtext>
+<div data-test-card="learn-more" ...attributes>
+  <Hds::Text::Display @size="300" data-test-text-display="Learn more">Learn more</Hds::Text::Display>
+
+  <Hds::Text::Body @tag="p" @size="100" @color="faint" class="has-top-margin-s" data-test-text-body="Learn more description">
     Explore the features of Vault and learn advance practices with the following tutorials and documentation.
-  </div>
-  <div class="has-top-margin-xs" data-test-learn-more-links>
+  </Hds::Text::Body>
+
+  <div class="has-top-margin-s" data-test-learn-more-links>
     {{#each this.learnMoreLinks as |learnMoreLink|}}
       {{#if
         (or
@@ -28,4 +30,4 @@
 
     {{/each}}
   </div>
-</Hds::Card::Container>
\ No newline at end of file
+</div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/learn-more-card.ts b/ui/app/components/dashboard/widgets/learn-more.ts
similarity index 80%
rename from ui/app/components/dashboard/learn-more-card.ts
rename to ui/app/components/dashboard/widgets/learn-more.ts
index 27b7501d08..9883f58c64 100644
--- a/ui/app/components/dashboard/learn-more-card.ts
+++ b/ui/app/components/dashboard/widgets/learn-more.ts
@@ -6,16 +6,16 @@
 import Component from '@glimmer/component';
 
 /**
- * @module DashboardLearnMoreCard
- * DashboardLearnMoreCard component are used to display external links
+ * @module DashboardWidgetsLearnMore
+ * DashboardWidgetsLearnMore component are used to display external links
  *
  * @example
  * ```js
- * <DashboardLearnMoreCard  />
+ * <DashboardWidgetsLearnMore  />
  * ```
  */
 
-export default class DashboardLearnMoreCard extends Component {
+export default class DashboardWidgetsLearnMore extends Component {
   get learnMoreLinks() {
     return [
       {
diff --git a/ui/app/components/dashboard/quick-actions-card.hbs b/ui/app/components/dashboard/widgets/quick-actions.hbs
similarity index 65%
rename from ui/app/components/dashboard/quick-actions-card.hbs
rename to ui/app/components/dashboard/widgets/quick-actions.hbs
index 2a26f74e7e..813b2a6a40 100644
--- a/ui/app/components/dashboard/quick-actions-card.hbs
+++ b/ui/app/components/dashboard/widgets/quick-actions.hbs
@@ -3,10 +3,55 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Hds::Card::Container @hasBorder={{true}} class="has-padding-l" data-test-card="quick-actions">
-  <h2 class="title is-4">Quick actions</h2>
+<div data-test-card="quick-actions">
+  <Hds::Text::Display @size="300" data-test-text-display="Quick actions">Quick actions</Hds::Text::Display>
+  <div class="has-top-margin-s has-bottom-margin-s">
+    <Hds::Button
+      @text="Create ACL policy"
+      @route="vault.cluster.policies.create"
+      @model="acl"
+      @icon="arrow-right"
+      @iconPosition="trailing"
+      @color="secondary"
+      class="has-bottom-margin-m"
+    />
+    <Hds::Button
+      @text="Secrets sync"
+      @route="vault.cluster.sync.secrets.overview"
+      @icon="arrow-right"
+      @iconPosition="trailing"
+      @color="secondary"
+      class="has-bottom-margin-m"
+    />
+    <Hds::Button
+      @text="API explorer"
+      @route="vault.cluster.tools.open-api-explorer.index"
+      @icon="arrow-right"
+      @iconPosition="trailing"
+      @color="secondary"
+      class="has-bottom-margin-m"
+    />
+    <Hds::Button
+      @text="Set up MFA"
+      @route="vault.cluster.access.mfa.methods.create"
+      @icon="arrow-right"
+      @iconPosition="trailing"
+      @color="secondary"
+      class="has-bottom-margin-m"
+    />
+    <Hds::Button
+      @text="Usage metrics"
+      @route="vault.cluster.usage-reporting"
+      @icon="arrow-right"
+      @iconPosition="trailing"
+      @color="secondary"
+      class="has-bottom-margin-m"
+    />
+  </div>
+
   {{#if this.filteredSecretsEngines}}
-    <div class="has-top-margin-m has-bottom-margin-l">
+    <Hds::Separator @spacing="0" />
+    <div class="has-top-margin-s has-bottom-margin-s">
       <Hds::Form::SuperSelect::Single::Field
         @options={{this.filteredSecretsEngines}}
         @selected={{this.selectedEngine}}
@@ -18,7 +63,7 @@
         data-test-super-select="secrets-engines"
         as |F|
       >
-        <F.Label>Secrets engines</F.Label>
+        <F.Label data-test-form-label="Select secret engine mount">Select secret engine mount</F.Label>
         <F.HelperText>Supported engines include databases, KV version 2, and PKI.</F.HelperText>
         <F.Options>{{F.options.id}}</F.Options>
       </Hds::Form::SuperSelect::Single::Field>
@@ -62,15 +107,15 @@
               data-test-super-select="params"
               as |F|
             >
-              <F.Label data-test-card-subtitle="param">{{this.searchSelectParams.title}}</F.Label>
+              <F.Label data-test-form-label="param">{{this.searchSelectParams.title}}</F.Label>
               <F.Options>{{F.options}}</F.Options>
             </Hds::Form::SuperSelect::Single::Field>
           {{else}}
             <InputSearch
+              @id={{this.searchSelectParams.title}}
               @label={{this.searchSelectParams.title}}
               @placeholder={{this.searchSelectParams.inputPlaceholder}}
               @onChange={{fn (mut this.paramValue)}}
-              data-test-param-input
             />
           {{/if}}
         </div>
@@ -84,27 +129,6 @@
           />
         </div>
       {{/if}}
-    {{else}}
-      <Hds::ApplicationState @align="center" data-test-empty-state="no-mount-selected" as |A|>
-        <A.Header data-test-empty-state-title @title="No mount selected" @titleTag="h2" />
-        <A.Body data-test-empty-state-message @text="Select a mount above to get started." />
-      </Hds::ApplicationState>
     {{/if}}
-  {{else}}
-    <Hds::ApplicationState @align="center" data-test-empty-state="quick-actions" as |A|>
-      <A.Header data-test-empty-state-title @title="Welcome to quick actions" @titleTag="h2" />
-      <A.Body
-        data-test-empty-state-message
-        @text="Access secret engine actions easily. Enable a compatible secret engine (such as database, KV version 2, or PKI) to get started."
-      />
-      <A.Footer data-test-empty-state-actions as |F|>
-        <F.LinkStandalone
-          @icon="chevron-right"
-          @iconPosition="trailing"
-          @text="Enable a secrets engine"
-          @route="vault.cluster.secrets.enable"
-        />
-      </A.Footer>
-    </Hds::ApplicationState>
   {{/if}}
-</Hds::Card::Container>
\ No newline at end of file
+</div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/quick-actions-card.ts b/ui/app/components/dashboard/widgets/quick-actions.ts
similarity index 87%
rename from ui/app/components/dashboard/quick-actions-card.ts
rename to ui/app/components/dashboard/widgets/quick-actions.ts
index c682b39e7a..ee2cd2257b 100644
--- a/ui/app/components/dashboard/quick-actions-card.ts
+++ b/ui/app/components/dashboard/widgets/quick-actions.ts
@@ -11,11 +11,11 @@ import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
 import {
-  DatabaseListStaticRolesListEnum,
-  DatabaseListRolesListEnum,
-  PkiListRolesListEnum,
-  PkiListCertsListEnum,
-  PkiListIssuersListEnum,
+  SecretsApiDatabaseListStaticRolesListEnum,
+  SecretsApiDatabaseListRolesListEnum,
+  SecretsApiPkiListRolesListEnum,
+  SecretsApiPkiListCertsListEnum,
+  SecretsApiPkiListIssuersListEnum,
 } from '@hashicorp/vault-client-typescript';
 
 import type RouterService from '@ember/routing/router-service';
@@ -25,13 +25,13 @@ import type SecretsEngineResource from 'vault/resources/secrets/engine';
 import type { StandardListResponse, PkiListIssuersResponse } from '@hashicorp/vault-client-typescript';
 
 /**
- * @module DashboardQuickActionsCard
- * DashboardQuickActionsCard component allows users to see a list of secrets engines filtered by
+ * @module Dashboard::Widgets::QuickActions
+ * Dashboard widget component that allows users to see a list of secrets engines filtered by
  * kv, pki and database and perform certain actions based on the type of secret engine selected
  *
  * @example
  * ```js
- *   <Dashboard::QuickActionsCard @secretsEngines={{@model.secretsEngines}} />
+ *   <Dashboard::Widgets::QuickActions @secretsEngines={{@model.secretsEngines}} />
  * ```
  */
 
@@ -39,7 +39,7 @@ interface Args {
   secretsEngines: SecretsEngineResource[];
 }
 
-export default class DashboardQuickActionsCard extends Component<Args> {
+export default class DashboardWidgetsQuickActions extends Component<Args> {
   @service declare readonly router: RouterService;
   @service declare readonly api: ApiService;
   @service declare readonly flashMessages: FlashMessageService;
@@ -131,15 +131,15 @@ export default class DashboardQuickActionsCard extends Component<Args> {
 
     if (action === 'Generate credentials for database') {
       return [
-        secrets.databaseListStaticRoles(id, DatabaseListStaticRolesListEnum.TRUE),
-        secrets.databaseListRoles(id, DatabaseListRolesListEnum.TRUE),
+        secrets.databaseListStaticRoles(id, SecretsApiDatabaseListStaticRolesListEnum.TRUE),
+        secrets.databaseListRoles(id, SecretsApiDatabaseListRolesListEnum.TRUE),
       ];
     } else if (action === 'Issue certificate') {
-      return [secrets.pkiListRoles(id, PkiListRolesListEnum.TRUE)];
+      return [secrets.pkiListRoles(id, SecretsApiPkiListRolesListEnum.TRUE)];
     } else if (action === 'View certificate') {
-      return [secrets.pkiListCerts(id, PkiListCertsListEnum.TRUE)];
+      return [secrets.pkiListCerts(id, SecretsApiPkiListCertsListEnum.TRUE)];
     } else if (action === 'View issuer') {
-      return [secrets.pkiListIssuers(id, PkiListIssuersListEnum.TRUE)];
+      return [secrets.pkiListIssuers(id, SecretsApiPkiListIssuersListEnum.TRUE)];
     }
     return [];
   }
diff --git a/ui/app/components/dashboard/widgets/replication.hbs b/ui/app/components/dashboard/widgets/replication.hbs
new file mode 100644
index 0000000000..90dfbd0dcf
--- /dev/null
+++ b/ui/app/components/dashboard/widgets/replication.hbs
@@ -0,0 +1,109 @@
+{{!
+  Copyright IBM Corp. 2016, 2026
+  SPDX-License-Identifier: BUSL-1.1
+}}
+<div data-test-card="replication" ...attributes>
+  <div class="is-flex-between">
+    <Hds::Text::Display @size="300" data-test-text-display="Cluster replication">Cluster replication</Hds::Text::Display>
+
+    {{#if (or @replication.dr.clusterId @replication.performance.clusterId)}}
+      <Hds::Link::Standalone
+        @icon="arrow-right"
+        @text="Details"
+        @iconPosition="trailing"
+        @route="vault.cluster.replication.index"
+        data-test-link-to="Details"
+      />
+    {{else}}
+      <Hds::Link::Standalone
+        @icon="arrow-right"
+        @text="Enable replication"
+        @iconPosition="trailing"
+        @route="vault.cluster.replication"
+        data-test-link-to="Enable replication"
+      />
+    {{/if}}
+  </div>
+
+  <div class="has-top-margin-s">
+    <Hds::Text::Body @tag="p" @size="100" @color="faint">
+      Updated
+      {{date-format @updatedAt "MMMM d, yyyy, h:mm:ss aaa" withTimeZone=true}}
+    </Hds::Text::Body>
+  </div>
+  {{#if (or @version.hasPerfReplication @version.hasDRReplication)}}
+    <Hds::Table class="has-top-margin-s" @caption="Vault configuration details">
+      <:body as |B|>
+        {{#if @version.hasDRReplication}}
+          <B.Tr data-test-table-row="0">
+            <B.Td class="one-half-width" data-test-table-data="DR">
+              <Hds::Text::Body @tag="p" @color="faint" class="is-flex align-items-center">
+                Disaster recovery
+                {{if (not-eq @replication.dr.mode "disabled") @replication.dr.mode}}
+                <Hds::TooltipButton
+                  @text="The cluster's current operating state."
+                  aria-label="The cluster's current operating state."
+                  class="has-left-margin-xs"
+                >
+                  <Hds::Icon @name="info" @color="faint" @size="16" />
+                </Hds::TooltipButton>
+              </Hds::Text::Body>
+              {{#if (not-eq @replication.dr.mode "disabled")}}
+                <Hds::Text::Body @tag="p" @color="faint" class="has-top-margin-s is-flex align-items-center">
+                  Known secondaries
+                  <Hds::TooltipButton
+                    @text="Number of secondaries connected to the primary."
+                    aria-label="Number of secondaries connected to the primary."
+                    class="has-left-margin-xs"
+                  >
+                    <Hds::Icon @name="info" @color="faint" @size="16" />
+                  </Hds::TooltipButton>
+                </Hds::Text::Body>
+              {{/if}}
+            </B.Td>
+            <B.Td class="one-half-width" data-test-table-data="DR value">
+              {{#let (cluster-states @replication.dr.state) as |clusterState|}}
+                <Hds::Badge
+                  data-test-badge="DR"
+                  @color={{if @replication.dr.clusterId clusterState.color "warning"}}
+                  @text={{if @replication.dr.clusterId (capitalize @replication.dr.state) "Not set up"}}
+                />
+              {{/let}}
+              {{#if (not-eq @replication.dr.mode "disabled")}}
+                <Hds::Text::Body @tag="p" class="has-top-margin-s">
+                  {{or @replication.dr.knownSecondaries.length 0}}
+                </Hds::Text::Body>
+              {{/if}}
+            </B.Td>
+          </B.Tr>
+        {{/if}}
+        {{#if @version.hasPerfReplication}}
+          <B.Tr data-test-table-row="1">
+            <B.Td class="one-half-width" data-test-table-data="Performance">
+              <Hds::Text::Body @tag="p" @color="faint" class="is-flex align-items-center">
+                Performance replication
+                {{if (not-eq @replication.performance.mode "disabled") @replication.performance.mode}}
+                <Hds::TooltipButton
+                  @text="The cluster's current operating state."
+                  aria-label="The cluster's current operating state."
+                  class="has-left-margin-xs"
+                >
+                  <Hds::Icon @name="info" @color="faint" @size="16" />
+                </Hds::TooltipButton>
+              </Hds::Text::Body>
+            </B.Td>
+            <B.Td class="one-half-width" data-test-table-data="Performance value">
+              {{#let (cluster-states @replication.performance.state) as |clusterState|}}
+                <Hds::Badge
+                  data-test-badge="Performance"
+                  @color={{if @replication.performance.clusterId clusterState.color "warning"}}
+                  @text={{if @replication.performance.clusterId (capitalize @replication.performance.state) "Not set up"}}
+                />
+              {{/let}}
+            </B.Td>
+          </B.Tr>
+        {{/if}}
+      </:body>
+    </Hds::Table>
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/widgets/secrets-engines.hbs b/ui/app/components/dashboard/widgets/secrets-engines.hbs
new file mode 100644
index 0000000000..a0ddc1e749
--- /dev/null
+++ b/ui/app/components/dashboard/widgets/secrets-engines.hbs
@@ -0,0 +1,98 @@
+{{!
+  Copyright IBM Corp. 2016, 2026
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<div data-test-card="secrets-engines">
+  <Hds::Layout::Flex @justify="space-between">
+    <Hds::Text::Display @size="300" data-test-text-display="Secrets engines">Secrets engines</Hds::Text::Display>
+
+    {{#if this.filteredSecretsEngines}}
+      <Hds::Link::Standalone
+        @icon="arrow-right"
+        @text="View all"
+        @iconPosition="trailing"
+        @route="vault.cluster.secrets.backends"
+      />
+    {{/if}}
+  </Hds::Layout::Flex>
+
+  <div class="has-top-margin-s has-bottom-margin-s">
+    <Hds::Text::Body @tag="p" @size="100" @color="faint">
+      {{#if (gt this.filteredSecretsEngines.length 5)}}
+        Displaying 5 out of
+        {{this.filteredSecretsEngines.length}}
+        secret engines.
+      {{/if}}
+    </Hds::Text::Body>
+  </div>
+
+  {{#if this.filteredSecretsEngines}}
+    <Hds::Table @caption="Five secrets engines" data-test-table="Secrets engines">
+      <:head as |H|>
+        <H.Tr>
+          <H.Th>Path</H.Th>
+          <H.Th>Type</H.Th>
+          <H.Th>Accessor</H.Th>
+        </H.Tr>
+      </:head>
+      <:body as |B|>
+        {{#each this.firstFiveSecretsEngines as |backend|}}
+          <B.Tr data-test-table-row={{backend.id}}>
+            <B.Td class="is-flex-between is-flex-center gap-16">
+              <div class="is-grid align-items-center linked-block-title">
+                {{#if backend.icon}}
+                  <Hds::Icon @name={{backend.icon}} @title="{{or backend.engineType backend.path}} type backend" />
+                {{/if}}
+                {{#if backend.path}}
+                  {{#if backend.isSupportedBackend}}
+                    <LinkTo
+                      @route={{backend.backendLink}}
+                      @model={{backend.id}}
+                      class="has-text-black has-text-weight-semibold truncate-first-line"
+                      data-test-secret-path={{backend.path}}
+                    >
+                      {{backend.path}}
+                    </LinkTo>
+                  {{else}}
+                    <span class="has-text-grey" data-test-secret-path={{backend.path}}>{{backend.path}}</span>
+                  {{/if}}
+                {{/if}}
+              </div>
+            </B.Td>
+            <B.Td>
+              {{#if backend.type}}
+                <code class="has-text-grey is-size-8" data-test-type>
+                  {{backend.type}}
+                </code>
+              {{/if}}
+            </B.Td>
+            <B.Td>
+              {{#if backend.accessor}}
+                <div data-test-secret-accessor>
+                  {{backend.accessor}}
+                </div>
+              {{/if}}
+            </B.Td>
+          </B.Tr>
+        {{/each}}
+      </:body>
+    </Hds::Table>
+  {{else}}
+    <Hds::ApplicationState data-test-empty-state="secrets-engines" class="is-marginless has-top-padding-l" as |A|>
+      <A.Header data-test-empty-state-title @title="No secrets engines enabled" @titleTag="h2" />
+      <A.Body
+        data-test-empty-state-message
+        @text="Secret engines will be listed here. Enable a secret engine to get started."
+      />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="chevron-right"
+          @iconPosition="trailing"
+          @text="Enable a secrets engine"
+          @route="vault.cluster.secrets.enable"
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
+  {{/if}}
+</div>
\ No newline at end of file
diff --git a/ui/app/components/dashboard/secrets-engines-card.ts b/ui/app/components/dashboard/widgets/secrets-engines.ts
similarity index 66%
rename from ui/app/components/dashboard/secrets-engines-card.ts
rename to ui/app/components/dashboard/widgets/secrets-engines.ts
index ff675e16bf..c6eff455c2 100644
--- a/ui/app/components/dashboard/secrets-engines-card.ts
+++ b/ui/app/components/dashboard/widgets/secrets-engines.ts
@@ -8,12 +8,12 @@ import Component from '@glimmer/component';
 import type SecretsEngineResource from 'vault/resources/secrets/engine';
 
 /**
- * @module DashboardSecretsEnginesCard
- * DashboardSecretsEnginesCard component are used to display 5 secrets engines to the user.
+ * @module DashboardWidgetsSecretsEngines
+ * DashboardWidgetsSecretsEngines component are used to display 5 secrets engines to the user.
  *
  * @example
  * ```js
- * <DashboardSecretsEnginesCard @secretsEngines={{@model.secretsEngines}} />
+ * <DashboardWidgetsSecretsEngines @secretsEngines={{@model.secretsEngines}} />
  * ```
  * @param {array} secretsEngines - list of secrets engines
  */
@@ -22,7 +22,7 @@ interface Args {
   secretsEngines: SecretsEngineResource[];
 }
 
-export default class DashboardSecretsEnginesCard extends Component<Args> {
+export default class DashboardWidgetsSecretsEngines extends Component<Args> {
   get filteredSecretsEngines() {
     return this.args.secretsEngines?.filter((secretEngine) => secretEngine.shouldIncludeInList);
   }
diff --git a/ui/app/components/database-connection.hbs b/ui/app/components/database-connection.hbs
index 2462d2ed22..b78627ae67 100644
--- a/ui/app/components/database-connection.hbs
+++ b/ui/app/components/database-connection.hbs
@@ -5,7 +5,12 @@
 
 <Page::Header @title={{this.title}}>
   <:breadcrumbs>
-    <KeyValueHeader @path="vault.cluster.secrets.backend.show" @mode={{this.mode}} @root={{@root}} @showCurrent={{true}} />
+    <KeyValueHeader
+      @path="vault.cluster.secrets.backend.show"
+      @mode={{this.mode}}
+      @root={{this.breadcrumbs}}
+      @showCurrent={{true}}
+    />
   </:breadcrumbs>
 </Page::Header>
 
@@ -143,7 +148,7 @@
             {{/each-in}}
           {{/each}}
         {{else}}
-          <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+          <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
             <A.Header data-test-empty-state-title @title="No plugin selected" @titleTag="h2" />
             <A.Body data-test-empty-state-message @text="Select a plugin type to be able to configure it." />
           </Hds::ApplicationState>
@@ -157,7 +162,7 @@
       <div class="form-section box is-shadowless is-fullwidth">
         <h3 class="title is-5">Statements</h3>
         {{#if (eq @model.statementFields null)}}
-          <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+          <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
             <A.Header data-test-empty-state-title @title="No plugin selected" @titleTag="h2" />
             <A.Body data-test-empty-state-message @text="Select a plugin type to be able to configure it." />
           </Hds::ApplicationState>
@@ -309,14 +314,8 @@
     </div>
   </form>
 {{else if (eq @model.isAvailablePlugin false)}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header
-      data-test-empty-state-title
-      @icon="skip"
-      class="align-items-end"
-      @title="Database type unavailable"
-      @titleTag="h2"
-    />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header data-test-empty-state-title @icon="skip" @title="Database type unavailable" @titleTag="h2" />
     <A.Body
       data-test-empty-state-message
       @text="This database type cannot be viewed in the UI. You will have to use the API or CLI to perform actions here."
diff --git a/ui/app/components/database-connection.js b/ui/app/components/database-connection.js
index 173892cbbe..1eff075e6e 100644
--- a/ui/app/components/database-connection.js
+++ b/ui/app/components/database-connection.js
@@ -33,11 +33,18 @@ export default class DatabaseConnectionEdit extends Component {
   @tracked
   showSaveModal = false; // used for create mode
 
+  breadcrumbs = [
+    { label: 'Vault', text: 'Vault', icon: 'vault', path: 'vault.cluster.dashboard' },
+    { text: 'Secrets engines', path: 'vault.cluster.secrets.backends' },
+    this.args.root,
+    { label: this.title, text: this.title },
+  ];
+
   get title() {
     if (this.args?.mode === 'create') {
-      return 'Create Connection';
+      return 'Create connection';
     } else if (this.args?.mode === 'edit') {
-      return 'Edit Connection';
+      return 'Edit connection';
     } else {
       return this.args?.model?.id;
     }
diff --git a/ui/app/components/database-role-edit.hbs b/ui/app/components/database-role-edit.hbs
index 4c39c9e349..5d691cbc58 100644
--- a/ui/app/components/database-role-edit.hbs
+++ b/ui/app/components/database-role-edit.hbs
@@ -5,7 +5,12 @@
 
 <Page::Header @title={{this.title}}>
   <:breadcrumbs>
-    <KeyValueHeader @path="vault.cluster.secrets.backend.show" @mode={{@mode}} @root={{@root}} @showCurrent={{true}} />
+    <KeyValueHeader
+      @path="vault.cluster.secrets.backend.show"
+      @mode={{@mode}}
+      @root={{this.breadcrumbs}}
+      @showCurrent={{true}}
+    />
   </:breadcrumbs>
 </Page::Header>
 
@@ -141,7 +146,7 @@
           @modelValidations={{this.modelValidations}}
         />
       {{else}}
-        <Hds::ApplicationState @align="center" class="bottom-padding-32" as |A|>
+        <Hds::ApplicationState class="bottom-padding-32 is-marginless" as |A|>
           <A.Header data-test-empty-state-title @title="No database connection selected" @titleTag="h2" />
           <A.Body data-test-empty-state-message @text="Choose a connection to be able to configure a role type." />
         </Hds::ApplicationState>
diff --git a/ui/app/components/database-role-edit.js b/ui/app/components/database-role-edit.js
index 9d015b867b..740f6f9534 100644
--- a/ui/app/components/database-role-edit.js
+++ b/ui/app/components/database-role-edit.js
@@ -44,6 +44,13 @@ export default class DatabaseRoleEdit extends Component {
     }
   }
 
+  breadcrumbs = [
+    { label: 'Vault', text: 'Vault', icon: 'vault', path: 'vault.cluster.dashboard' },
+    { text: 'Secrets engines', path: 'vault.cluster.secrets.backends' },
+    this.args.root,
+    { label: this.title, text: this.title },
+  ];
+
   isValid() {
     const { isValid, state } = this.args.model.validate();
     this.modelValidations = isValid ? null : state;
@@ -59,9 +66,9 @@ export default class DatabaseRoleEdit extends Component {
 
   get title() {
     if (this.args?.mode === 'create') {
-      return 'Create Role';
+      return 'Create role';
     } else if (this.args?.mode === 'edit') {
-      return 'Edit Role';
+      return 'Edit role';
     } else {
       return this.args?.model?.id;
     }
diff --git a/ui/app/components/database-role-setting-form.hbs b/ui/app/components/database-role-setting-form.hbs
index d8b846f66f..0bcaabe9f0 100644
--- a/ui/app/components/database-role-setting-form.hbs
+++ b/ui/app/components/database-role-setting-form.hbs
@@ -37,7 +37,7 @@
       {{/each}}
     </div>
   {{else}}
-    <Hds::ApplicationState @align="center" class="top-padding-32 bottom-padding-32" as |A|>
+    <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
       <A.Header data-test-empty-state-title @title="No role type selected" @titleTag="h2" />
       <A.Body data-test-empty-state-message @text="Select a type of role to be able to configure it" />
     </Hds::ApplicationState>
@@ -54,7 +54,7 @@
         {{/each}}
       </div>
     {{else}}
-      <Hds::ApplicationState @align="center" class="top-padding-32 bottom-padding-32" as |A|>
+      <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
         <A.Header data-test-empty-state-title @title="No role type selected" @titleTag="h2" />
         <A.Body
           data-test-empty-state-message
diff --git a/ui/app/components/file-to-array-buffer.hbs b/ui/app/components/file-to-array-buffer.hbs
index 77a3969f2b..921fa33813 100644
--- a/ui/app/components/file-to-array-buffer.hbs
+++ b/ui/app/components/file-to-array-buffer.hbs
@@ -15,7 +15,7 @@
     {{/if}}
   </Hds::Form::FileInput::Field>
   {{#if this.filename}}
-    <p class="help has-text-grey">
+    <p class="help has-text-grey" data-test-file-info>
       This file is
       {{this.fileSize}}
       and was created on
diff --git a/ui/app/components/form/v2/apply.hbs b/ui/app/components/form/v2/apply.hbs
new file mode 100644
index 0000000000..e3d424cdde
--- /dev/null
+++ b/ui/app/components/form/v2/apply.hbs
@@ -0,0 +1,76 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Hds::Text::Display @tag="h1" @size="400" data-test-text-display="Step title">
+  Choose your implementation method
+</Hds::Text::Display>
+
+<Hds::Form::RadioCard::Group @name="implementation-method" @alignment="center" as |G|>
+  {{#each this.creationMethodOptions as |option|}}
+    <G.RadioCard
+      @alignment="left"
+      @checked={{eq option.label this.creationMethodChoice}}
+      {{on "change" (fn this.onChange option)}}
+      data-test-radio-card={{option.label}}
+      as |R|
+    >
+      <R.Icon @name={{option.icon}} />
+      <R.Label>{{option.label}}</R.Label>
+      {{#if option.isRecommended}}
+        <R.Badge @color="highlight" @text="Recommended" />
+      {{/if}}
+      <R.Description>{{option.description}}</R.Description>
+    </G.RadioCard>
+  {{/each}}
+</Hds::Form::RadioCard::Group>
+
+{{#unless (eq this.creationMethodChoice this.methods.UI)}}
+  <Hds::Text::Display @tag="h2" @size="400">Edit configuration</Hds::Text::Display>
+  <Hds::Text::Body @tag="p">
+    This configuration is generated based on your input in the previous step.
+    {{#if (eq this.creationMethodChoice this.methods.APICLI)}}
+      Copy it and run it in your terminal/use with Vault API to apply.
+    {{else}}
+      Copy and paste it directly to your Terraform Vault Provider terminal. For more details on the configuration language,
+      read the
+      <Hds::Link::Inline @href={{doc-link "/terraform/tutorials/configuration-language"}}>Terraform guide</Hds::Link::Inline>.
+    {{/if}}
+  </Hds::Text::Body>
+  <Hds::Card::Container @hasBorder={{true}} class="has-top-padding-m has-bottom-padding-m side-padding-24">
+    {{#if (eq this.creationMethodChoice this.methods.APICLI)}}
+      <CodeGenerator::AutomationSnippets @customTabs={{this.customTabs}} @onTabChange={{this.onTabChange}} />
+    {{else}}
+      <Hds::CodeBlock
+        @language="hcl"
+        @value={{this.tfSnippet}}
+        @hasLineNumbers={{true}}
+        @hasCopyButton={{true}}
+        data-test-field="terraform"
+      />
+      <div class="is-flex-end has-top-margin-l has-bottom-margin-s">
+        <div>
+          <DownloadButton
+            @color="secondary"
+            @filename="vault-resources"
+            @data={{this.tfSnippet}}
+            @extension="tf"
+            @stringify={{true}}
+            @text="Export as tf file"
+          />
+        </div>
+      </div>
+    {{/if}}
+  </Hds::Card::Container>
+{{/unless}}
+
+<div class="is-flex-center is-flex-between">
+  <Hds::Button @text="Back" @color="tertiary" @icon="chevron-left" {{on "click" @onBack}} />
+  <div>
+    <Hds::Button @text="Done & exit" @color="secondary" {{on "click" @onDone}} />
+    {{#if (eq this.creationMethodChoice this.methods.UI)}}
+      <Hds::Button @text="Apply changes" @color="primary" {{on "click" @onApply}} />
+    {{/if}}
+  </div>
+</div>
\ No newline at end of file
diff --git a/ui/app/components/form/v2/apply.ts b/ui/app/components/form/v2/apply.ts
new file mode 100644
index 0000000000..e0443fce77
--- /dev/null
+++ b/ui/app/components/form/v2/apply.ts
@@ -0,0 +1,104 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { action } from '@ember/object';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+import { generateCurlCommand } from 'core/utils/code-generators/api';
+import { generateCliWriteCommand } from 'core/utils/code-generators/cli';
+import { terraformGenericResourceTemplate } from 'core/utils/code-generators/terraform';
+import { CreationMethod } from 'vault/utils/constants/snippet';
+
+import type V2Form from 'vault/forms/v2/v2-form';
+import type NamespaceService from 'vault/services/namespace';
+import type SnippetService from 'vault/services/snippet';
+
+interface Args {
+  form: V2Form;
+  onBack: () => void;
+  onDone: () => void;
+  onApply: () => void;
+}
+
+interface CreationMethodChoice {
+  icon: string;
+  label: CreationMethod;
+  description: string;
+  isRecommended?: boolean;
+}
+
+export default class FormV2Apply extends Component<Args> {
+  @service declare readonly namespace: NamespaceService;
+  @service declare readonly snippet: SnippetService;
+
+  methods = CreationMethod;
+
+  creationMethodOptions: CreationMethodChoice[] = [
+    {
+      icon: 'terraform-color',
+      label: CreationMethod.TERRAFORM,
+      description:
+        'Manage configurations by Infrastructure as Code. This creation method improves resilience and ensures common compliance requirements.',
+      isRecommended: true,
+    },
+    {
+      icon: 'terminal-screen',
+      label: CreationMethod.APICLI,
+      description:
+        'Manage namespaces directly via the Vault CLI or REST API. Best for quick updates, custom scripting, or terminal-based workflows.',
+    },
+    {
+      icon: 'sidebar',
+      label: CreationMethod.UI,
+      description:
+        'Apply changes immediately. Note: Changes made in the UI will be overwritten by any future updates made via Infrastructure as Code (Terraform).',
+    },
+  ];
+
+  get creationMethodChoice() {
+    return this.snippet.creationMethodChoice;
+  }
+
+  get selectedTabIdx() {
+    return this.snippet.selectedTabIdx;
+  }
+
+  get requestData() {
+    const { payload } = this.args.form;
+    // payload has a top level key -- we need the actual data object for creating the snippets
+    return Object.values(payload)[0] as Record<string, unknown>;
+  }
+
+  get tfSnippet() {
+    const { config } = this.args.form;
+    return terraformGenericResourceTemplate(config.path, this.requestData, config.name, this.namespace.path);
+  }
+
+  get customTabs() {
+    const { config } = this.args.form;
+    return [
+      {
+        key: 'api',
+        label: 'API',
+        snippet: generateCurlCommand(config.path, this.requestData, this.namespace.path),
+      },
+      {
+        key: 'cli',
+        label: 'CLI',
+        snippet: generateCliWriteCommand(config.path, this.requestData),
+      },
+    ];
+  }
+
+  @action
+  onChange(choice: CreationMethodChoice) {
+    this.snippet.setCreationMethod(choice.label, this.tfSnippet, this.customTabs);
+  }
+
+  @action
+  onTabChange(idx: number) {
+    this.snippet.setSelectedTab(idx, this.tfSnippet, this.customTabs);
+  }
+}
diff --git a/ui/app/components/form/v2/error-alert.hbs b/ui/app/components/form/v2/error-alert.hbs
new file mode 100644
index 0000000000..9f7090e04a
--- /dev/null
+++ b/ui/app/components/form/v2/error-alert.hbs
@@ -0,0 +1,8 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+<Hds::Alert @type="inline" @color="critical" as |A|>
+  <A.Title>{{this.title}}</A.Title>
+  <A.Description>{{@error}}</A.Description>
+</Hds::Alert>
\ No newline at end of file
diff --git a/ui/app/components/form/v2/error-alert.ts b/ui/app/components/form/v2/error-alert.ts
new file mode 100644
index 0000000000..0460b6fbe3
--- /dev/null
+++ b/ui/app/components/form/v2/error-alert.ts
@@ -0,0 +1,29 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+
+interface Args {
+  /** Error message to display */
+  error?: string;
+  /** Optional custom title (defaults to "Submission error") */
+  title?: string;
+}
+
+/**
+ * Form::V2::ErrorAlert displays submission errors in a consistent format.
+ * Used by both Form::V2 and Form::V2::Wizard for standardized error display.
+ *
+ * @example
+ * ```handlebars
+ * <Form::V2::ErrorAlert @error={{this.submissionError}} />
+ * <Form::V2::ErrorAlert @error={{this.error}} @title="Configuration Error" />
+ * ```
+ */
+export default class FormV2ErrorAlert extends Component<Args> {
+  get title(): string {
+    return this.args.title || 'Submission error';
+  }
+}
diff --git a/ui/app/components/form/v2/field.hbs b/ui/app/components/form/v2/field.hbs
new file mode 100644
index 0000000000..895bdbebc7
--- /dev/null
+++ b/ui/app/components/form/v2/field.hbs
@@ -0,0 +1,213 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+{{!
+  TODO: Support other field types based on field.type.
+    - [ ] Key Value Input
+    - [ ] File Input
+}}
+
+{{#if (eq @field.type "TextArea")}}
+  <Hds::Form::Textarea::Field
+    @value={{@value}}
+    @isInvalid={{this.isInvalid}}
+    @isRequired={{@field.isRequired}}
+    @isDisabled={{@field.isDisabled}}
+    name={{this.name}}
+    placeholder={{@field.placeholder}}
+    {{on "input" (pick "target.value" (fn this.handleChange this.name))}}
+    as |F|
+  >
+    <F.Label>{{this.label}}</F.Label>
+    {{#if this.helperText}}
+      <F.HelperText>{{this.helperText}}</F.HelperText>
+    {{/if}}
+    {{#if this.isInvalid}}
+      <F.Error as |E|>
+        {{#each this.errors as |errorMessage|}}
+          <E.Message>{{errorMessage}}</E.Message>
+        {{/each}}
+      </F.Error>
+    {{/if}}
+  </Hds::Form::Textarea::Field>
+
+{{else if (eq @field.type "Select")}}
+  <Hds::Form::Select::Field
+    @value={{@value}}
+    @isInvalid={{this.isInvalid}}
+    @isRequired={{@field.isRequired}}
+    @isDisabled={{@field.isDisabled}}
+    name={{this.name}}
+    {{on "change" (pick "target.value" (fn this.handleChange this.name))}}
+    as |F|
+  >
+    <F.Label>{{this.label}}</F.Label>
+    {{#if this.helperText}}
+      <F.HelperText>{{this.helperText}}</F.HelperText>
+    {{/if}}
+
+    <F.Options>
+      {{#if @field.placeholder}}
+        <option value="">{{@field.placeholder}}</option>
+      {{/if}}
+
+      {{#each @field.options as |opt|}}
+        <option selected={{eq @value opt.value}} value={{opt.value}}>
+          {{opt.label}}
+        </option>
+      {{/each}}
+
+    </F.Options>
+    {{#if this.isInvalid}}
+      <F.Error as |E|>
+        {{#each this.errors as |errorMessage|}}
+          <E.Message>{{errorMessage}}</E.Message>
+        {{/each}}
+      </F.Error>
+    {{/if}}
+  </Hds::Form::Select::Field>
+
+{{else if (eq @field.type "Toggle")}}
+  <Hds::Form::Toggle::Field
+    checked={{@value}}
+    name={{this.name}}
+    disabled={{@field.isDisabled}}
+    {{on "change" (pick "target.checked" (fn this.handleChange this.name))}}
+    as |F|
+  >
+    <F.Label>{{this.label}}</F.Label>
+    {{#if this.helperText}}
+      <F.HelperText>{{this.helperText}}</F.HelperText>
+    {{/if}}
+  </Hds::Form::Toggle::Field>
+
+{{else if (eq @field.type "Checkbox")}}
+  <Hds::Form::Checkbox::Field
+    checked={{@value}}
+    @isInvalid={{this.isInvalid}}
+    @isRequired={{@field.isRequired}}
+    @isDisabled={{@field.isDisabled}}
+    name={{this.name}}
+    {{on "change" (pick "target.checked" (fn this.handleChange this.name))}}
+    as |F|
+  >
+    <F.Label>{{this.label}}</F.Label>
+    {{#if this.helperText}}
+      <F.HelperText>{{this.helperText}}</F.HelperText>
+    {{/if}}
+    {{#if this.isInvalid}}
+      <F.Error as |E|>
+        {{#each this.errors as |errorMessage|}}
+          <E.Message>{{errorMessage}}</E.Message>
+        {{/each}}
+      </F.Error>
+    {{/if}}
+  </Hds::Form::Checkbox::Field>
+
+{{else if (eq @field.type "Radio")}}
+  <Hds::Form::Radio::Group @name={{this.name}} as |G|>
+    <G.Legend>{{this.label}}</G.Legend>
+    {{#if this.helperText}}
+      <G.HelperText>{{this.helperText}}</G.HelperText>
+    {{/if}}
+    {{#each @field.options as |option|}}
+      <G.RadioField
+        checked={{eq @value option.value}}
+        @isDisabled={{@field.isDisabled}}
+        {{on "change" (fn this.handleChange this.name option.value)}}
+        as |F|
+      >
+        <F.Label>{{option.label}}</F.Label>
+      </G.RadioField>
+    {{/each}}
+    {{#if this.isInvalid}}
+      <G.Error as |E|>
+        {{#each this.errors as |errorMessage|}}
+          <E.Message>{{errorMessage}}</E.Message>
+        {{/each}}
+      </G.Error>
+    {{/if}}
+  </Hds::Form::Radio::Group>
+
+{{else if (eq @field.type "RadioCard")}}
+  <Hds::Form::RadioCard::Group @name={{this.name}} @alignment="left" as |G|>
+    <G.Legend>{{this.label}}</G.Legend>
+    {{#if this.helperText}}
+      <G.HelperText>{{this.helperText}}</G.HelperText>
+    {{/if}}
+    {{#each @field.options as |option|}}
+      <G.RadioCard
+        checked={{eq @value option.value}}
+        @isDisabled={{@field.isDisabled}}
+        {{on "change" (fn this.handleChange this.name option.value)}}
+        as |R|
+      >
+        <R.Label>{{option.label}}</R.Label>
+        {{#if option.description}}
+          <R.Description>{{option.description}}</R.Description>
+        {{/if}}
+      </G.RadioCard>
+    {{/each}}
+    {{#if this.isInvalid}}
+      <G.Error as |E|>
+        {{#each this.errors as |errorMessage|}}
+          <E.Message>{{errorMessage}}</E.Message>
+        {{/each}}
+      </G.Error>
+    {{/if}}
+  </Hds::Form::RadioCard::Group>
+
+{{else if (eq @field.type "MaskedInput")}}
+  <Hds::Form::MaskedInput::Field
+    @value={{@value}}
+    @isInvalid={{this.isInvalid}}
+    @isRequired={{@field.isRequired}}
+    @isDisabled={{@field.isDisabled}}
+    name={{this.name}}
+    placeholder={{@field.placeholder}}
+    {{on "input" (pick "target.value" (fn this.handleChange this.name))}}
+    as |F|
+  >
+    <F.Label>{{this.label}}</F.Label>
+    {{#if this.helperText}}
+      <F.HelperText>{{this.helperText}}</F.HelperText>
+    {{/if}}
+    {{#if this.isInvalid}}
+      <F.Error as |E|>
+        {{#each this.errors as |errorMessage|}}
+          <E.Message>{{errorMessage}}</E.Message>
+        {{/each}}
+      </F.Error>
+    {{/if}}
+  </Hds::Form::MaskedInput::Field>
+
+{{else}}
+  {{!
+    Fallback for TextInput type and unsupported field types.
+    For unsupported types, a console warning is logged.
+  }}
+  <Hds::Form::TextInput::Field
+    @type={{this.inputType}}
+    @value={{@value}}
+    @isInvalid={{this.isInvalid}}
+    @isRequired={{@field.isRequired}}
+    name={{this.name}}
+    placeholder={{@field.placeholder}}
+    disabled={{@field.isDisabled}}
+    {{on "input" (pick "target.value" (fn this.handleChange this.name))}}
+    as |F|
+  >
+    <F.Label>{{this.label}}</F.Label>
+    {{#if this.helperText}}
+      <F.HelperText>{{this.helperText}}</F.HelperText>
+    {{/if}}
+    {{#if this.isInvalid}}
+      <F.Error as |E|>
+        {{#each this.errors as |errorMessage|}}
+          <E.Message>{{errorMessage}}</E.Message>
+        {{/each}}
+      </F.Error>
+    {{/if}}
+  </Hds::Form::TextInput::Field>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/form/v2/field.ts b/ui/app/components/form/v2/field.ts
new file mode 100644
index 0000000000..b9676eb198
--- /dev/null
+++ b/ui/app/components/form/v2/field.ts
@@ -0,0 +1,87 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import type { FieldValue, FormField } from 'vault/forms/v2/form-config';
+
+/**
+ * FormV2Field component renders a single form field based on its configuration.
+ * Supports multiple value types (string, number, boolean, arrays) and delegates
+ * change events to the parent form component.
+ * Displays validation errors passed from the parent FormState.
+ */
+interface Args {
+  field: FormField;
+  value?: FieldValue;
+  errors?: string[];
+  onChange: (name: string, value: FieldValue) => void;
+}
+
+export default class FormV2Field extends Component<Args> {
+  constructor(owner: unknown, args: Args) {
+    super(owner, args);
+    // Log warning for unsupported field types
+    this.checkUnsupportedType();
+  }
+
+  get name(): string {
+    return this.args.field.name;
+  }
+
+  get label(): string {
+    return this.args.field.label;
+  }
+
+  get helperText(): string | undefined {
+    return this.args.field.helperText;
+  }
+
+  get inputType(): string {
+    return this.args.field.inputType || 'text';
+  }
+
+  get value(): FieldValue {
+    return this.args.value;
+  }
+
+  get errors(): string[] {
+    return this.args.errors || [];
+  }
+
+  get isInvalid(): boolean {
+    return this.errors.length > 0;
+  }
+
+  /**
+   * Checks if the field type is supported and logs a warning for unsupported types.
+   * Called in constructor to ensure warning is logged once when component is created.
+   */
+  private checkUnsupportedType(): void {
+    const supportedTypes = [
+      'TextInput',
+      'TextArea',
+      'Select',
+      'Toggle',
+      'Checkbox',
+      'Radio',
+      'RadioCard',
+      'MaskedInput',
+    ];
+    const isUnsupported = !supportedTypes.includes(this.args.field.type);
+
+    if (isUnsupported) {
+      console.warn(
+        `[Form::V2::Field] Unsupported field type "${this.args.field.type}" for field "${this.args.field.label}". Falling back to text input.`
+      );
+    }
+  }
+
+  /**
+   * Handles field value changes, supporting multiple value types
+   */
+  handleChange = (name: string, value: FieldValue): void => {
+    this.args.onChange(name, value);
+  };
+}
diff --git a/ui/app/components/form/v2/index.hbs b/ui/app/components/form/v2/index.hbs
new file mode 100644
index 0000000000..8bc9bfb085
--- /dev/null
+++ b/ui/app/components/form/v2/index.hbs
@@ -0,0 +1,28 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+{{! TODO: Add form-level title and description here - AC 12/25 }}
+<Form::V2::Renderer
+  @form={{this.form}}
+  @renderFields={{not @hideFields}}
+  @error={{this.submissionError}}
+  ...attributes
+  as |Form|
+>
+  {{#if (has-block)}}
+    {{! Consumer provided custom content (e.g., wizard buttons) }}
+    {{yield Form this.submitTask}}
+  {{else}}
+    {{! No custom content - render default submit button }}
+    <Form.Section>
+      <Hds::Button
+        @text="Submit"
+        type="submit"
+        disabled={{or (not this.form.isValid) this.submitTask.isRunning}}
+        {{on "click" (perform this.submitTask)}}
+      />
+    </Form.Section>
+  {{/if}}
+</Form::V2::Renderer>
\ No newline at end of file
diff --git a/ui/app/components/form/v2/index.ts b/ui/app/components/form/v2/index.ts
new file mode 100644
index 0000000000..3e49df26c8
--- /dev/null
+++ b/ui/app/components/form/v2/index.ts
@@ -0,0 +1,63 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import type V2Form from 'vault/forms/v2/v2-form';
+import type ApiService from 'vault/services/api';
+
+interface Args {
+  form: V2Form;
+  hideFields?: boolean;
+  onSuccess?: (response: unknown) => void;
+  onError?: (errorMessage: string) => void;
+}
+
+export default class FormV2 extends Component<Args> {
+  @service declare readonly api: ApiService;
+  @tracked submissionError?: string;
+  @tracked lastResponse?: unknown;
+
+  get form() {
+    return this.args.form;
+  }
+
+  /**
+   * Handles form submission with validation and API call.
+   * Uses ember-concurrency to prevent double-submission and provide derived state.
+   * Invokes component callbacks before form config callbacks for wizard orchestration.
+   */
+  submitTask = task({ drop: true }, async () => {
+    const { isValid } = this.form.validateForm();
+    if (!isValid) return;
+
+    try {
+      const response = await this.form.submit(this.api);
+      this.lastResponse = response;
+
+      // Call component's onSuccess first (for wizard orchestration)
+      this.args.onSuccess?.(response);
+
+      // Then call form config's onSuccess (for custom logic)
+      this.form.config.onSuccess?.(response);
+
+      return response;
+    } catch (error) {
+      const { message } = await this.api.parseError(error);
+      this.submissionError = message;
+
+      // Call component's onError first (for wizard orchestration)
+      this.args.onError?.(message);
+
+      // Then call form config's onError (for custom logic)
+      this.form.config.onError?.(message);
+
+      // Re-throw to maintain task error state
+      throw error;
+    }
+  });
+}
diff --git a/ui/app/components/form/v2/renderer.hbs b/ui/app/components/form/v2/renderer.hbs
new file mode 100644
index 0000000000..3c6a27a3fa
--- /dev/null
+++ b/ui/app/components/form/v2/renderer.hbs
@@ -0,0 +1,33 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Hds::Form ...attributes as |Form|>
+  {{#if @error}}
+    <Form.Section>
+      <Form::V2::ErrorAlert @error={{@error}} />
+    </Form.Section>
+  {{/if}}
+
+  {{#if @renderFields}}
+    {{#each @form.config.sections as |section|}}
+      {{#if (this.isSectionVisible section)}}
+        <Form::V2::Section @section={{section}} @formComponent={{Form}}>
+          {{#each section.fields as |field|}}
+            {{#if (this.isFieldVisible field)}}
+              <Form::V2::Field
+                @field={{field}}
+                @value={{get @form.payload field.name}}
+                @errors={{this.getFieldErrors field.name}}
+                @onChange={{this.handleFieldChange}}
+              />
+            {{/if}}
+          {{/each}}
+        </Form::V2::Section>
+      {{/if}}
+    {{/each}}
+  {{/if}}
+
+  {{yield Form}}
+</Hds::Form>
\ No newline at end of file
diff --git a/ui/app/components/form/v2/renderer.ts b/ui/app/components/form/v2/renderer.ts
new file mode 100644
index 0000000000..a7f9309d0b
--- /dev/null
+++ b/ui/app/components/form/v2/renderer.ts
@@ -0,0 +1,71 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import type { FieldValue, FormField, FormSection, VisibilityRule } from 'vault/forms/v2/form-config';
+import type V2Form from 'vault/forms/v2/v2-form';
+
+interface Args {
+  /** The V2Form instance containing payload, config, and validation state */
+  form: V2Form;
+  /** Optional error message to display at the top of the form */
+  error?: string;
+  /** Whether to render form fields (used by wizard's apply step) */
+  renderFields?: boolean;
+}
+
+/**
+ * Form::V2::Renderer is a shared form rendering component that encapsulates
+ * the common form structure (Hds::Form, error alerts, sections, and fields).
+ *
+ * Usage:
+ * ```handlebars
+ * <Form::V2::Renderer @form={{this.form}} @error={{this.submissionError}} as |Form|>
+ *   <Form.Section>
+ *     <Hds::Button @text="Submit" type="submit" ... />
+ *   </Form.Section>
+ * </Form::V2::Renderer>
+ * ```
+ *
+ * The component yields the Hds::Form context for consumers to define
+ * their own submit/navigation UI.
+ */
+export default class FormV2Renderer extends Component<Args> {
+  /**
+   * Get validation errors for a specific field.
+   * Arrow function to preserve `this` context when called from template.
+   */
+  getFieldErrors = (fieldName: string): string[] => {
+    return this.args.form.getErrors(fieldName);
+  };
+
+  /**
+   * Handle field value changes.
+   * Arrow function to preserve `this` context when called from template.
+   */
+  handleFieldChange = (name: string, value: FieldValue): void => {
+    this.args.form.set(name, value);
+  };
+
+  isSectionVisible = (section: FormSection): boolean => {
+    return this.#isVisible(section.isVisible);
+  };
+
+  isFieldVisible = (field: FormField): boolean => {
+    return this.#isVisible(field.isVisible);
+  };
+
+  #isVisible(rule?: VisibilityRule): boolean {
+    if (typeof rule === 'function') {
+      return rule(this.args.form.payload);
+    }
+
+    if (typeof rule === 'boolean') {
+      return rule;
+    }
+
+    return true;
+  }
+}
diff --git a/ui/app/components/form/v2/section.hbs b/ui/app/components/form/v2/section.hbs
new file mode 100644
index 0000000000..f9545f3985
--- /dev/null
+++ b/ui/app/components/form/v2/section.hbs
@@ -0,0 +1,21 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+{{#let @formComponent as |Form|}}
+  <Form.Section>
+    {{#if @section.title}}
+      <Form.SectionHeader>
+        <Form.SectionHeaderTitle @tag="h2">{{@section.title}}</Form.SectionHeaderTitle>
+        {{#if @section.description}}
+          <Form.SectionHeaderDescription>
+            {{@section.description}}
+          </Form.SectionHeaderDescription>
+        {{/if}}
+      </Form.SectionHeader>
+    {{/if}}
+
+    {{yield}}
+  </Form.Section>
+{{/let}}
\ No newline at end of file
diff --git a/ui/app/components/form/v2/wizard.hbs b/ui/app/components/form/v2/wizard.hbs
new file mode 100644
index 0000000000..3f7b7392a5
--- /dev/null
+++ b/ui/app/components/form/v2/wizard.hbs
@@ -0,0 +1,95 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Hds::Stepper::Nav
+  @currentStep={{this.currentStepIndex}}
+  @ariaLabel="{{this.config.title}} wizard"
+  @onStepChange={{this.onStepChange}}
+  ...attributes
+  as |S|
+>
+  {{#each @config.steps as |step|}}
+    <S.Step>
+      <:title>{{step.title}}</:title>
+      <:description>{{step.description}}</:description>
+    </S.Step>
+
+    <S.Panel>
+      {{#if step.heading}}
+        <h3>{{step.heading}}</h3>
+      {{/if}}
+      {{#if step.description}}
+        <p>{{step.description}}</p>
+      {{/if}}
+
+      {{! Delegate to Form::V2 component with wizard callbacks }}
+      <Form::V2
+        @form={{this.currentForm}}
+        @onSuccess={{this.onStepSuccess}}
+        @onError={{this.onStepError}}
+        as |Form submitTask|
+      >
+        {{! Custom wizard navigation buttons }}
+        <Form.Section>
+          <Hds::ButtonSet class="is-flex-center is-flex-between">
+            {{#unless this.isFirstStep}}
+              <Hds::Button @text="Back" @color="tertiary" @icon="chevron-left" {{on "click" this.previousStep}} />
+            {{/unless}}
+
+            <div class="margin-left-auto">
+              {{#if @config.applyChanges}}
+                <Hds::Button
+                  @text="Continue"
+                  @color="primary"
+                  type="submit"
+                  disabled={{or (not this.currentForm.isValid) submitTask.isRunning}}
+                  {{on "click" (perform submitTask)}}
+                />
+              {{else}}
+
+                <Hds::Button
+                  @text={{if this.isLastStep "Complete" "Continue"}}
+                  @color="primary"
+                  type="submit"
+                  disabled={{or (not this.currentForm.isValid) submitTask.isRunning}}
+                  class="margin-left-auto"
+                  {{on "click" (perform submitTask)}}
+                />
+              {{/if}}
+            </div>
+          </Hds::ButtonSet>
+        </Form.Section>
+      </Form::V2>
+    </S.Panel>
+  {{/each}}
+
+  {{!
+    * Optional apply changes step defined in WizardConfig
+    * The Form::V2 component still handles submission, validation, error handling etc.
+    * The renderer bypasses rendering the form fields when the applyChanges block is present 
+   }}
+  {{#if this.config.applyChanges}}
+    <S.Step>
+      <:title>Apply changes</:title>
+    </S.Step>
+
+    <S.Panel>
+      <Form::V2
+        @form={{this.currentForm}}
+        @hideFields={{true}}
+        @onSuccess={{@onSuccess}}
+        @onError={{this.onStepError}}
+        as |Form submitTask|
+      >
+        <Form::V2::Apply
+          @form={{this.currentForm}}
+          @onBack={{this.previousStep}}
+          @onApply={{perform submitTask}}
+          @onDone={{@onCancel}}
+        />
+      </Form::V2>
+    </S.Panel>
+  {{/if}}
+</Hds::Stepper::Nav>
\ No newline at end of file
diff --git a/ui/app/components/form/v2/wizard.ts b/ui/app/components/form/v2/wizard.ts
new file mode 100644
index 0000000000..c1ab25f225
--- /dev/null
+++ b/ui/app/components/form/v2/wizard.ts
@@ -0,0 +1,219 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { action } from '@ember/object';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
+import type { FormConfig, WizardConfig, WizardState, WizardStepState } from 'vault/forms/v2/form-config';
+import V2Form from 'vault/forms/v2/v2-form';
+import type ApiService from 'vault/services/api';
+
+interface Args {
+  config: WizardConfig;
+  onCancel: () => void;
+  onSuccess: () => void;
+}
+
+/**
+ * Form::V2::Wizard manages multi-step wizard flows with cross-step data sharing.
+ * Delegates form submission to Form::V2 components via callback pattern.
+ *
+ * Usage:
+ * ```handlebars
+ * <Form::V2::Wizard @config={{this.wizardConfig}} />
+ * ```
+ *
+ * Features:
+ * - Sequential step navigation
+ * - Cross-step data flow via wizardState
+ * - Dynamic payload resolution (supports functions)
+ * - Delegates submission/validation to Form::V2 components
+ */
+export default class FormV2Wizard extends Component<Args> {
+  @service declare readonly api: ApiService;
+  @tracked currentStepIndex = 0;
+  @tracked wizardState: WizardState = {};
+
+  // Cache the form for the current step (cleared on navigation)
+  #currentFormCache?: V2Form<any, any>;
+
+  get config(): WizardConfig {
+    return this.args.config;
+  }
+
+  get steps() {
+    return this.config.steps;
+  }
+
+  get currentStep() {
+    return this.steps[this.currentStepIndex];
+  }
+
+  get currentStepName() {
+    return this.currentStep?.name;
+  }
+
+  /**
+   * Get or create the V2Form instance for the current step.
+   * Resolves dynamic payloads using current wizard state.
+   * Cached to preserve field changes during a single step.
+   */
+  get currentForm(): V2Form<any, any> {
+    // Return cached form if it exists for current step
+    if (this.#currentFormCache) {
+      return this.#currentFormCache;
+    }
+
+    // Special case: apply step uses the last real step's form
+    // When isApplyingChanges is true, currentStepIndex === steps.length,
+    // so we need to use the last actual step instead
+    const step = this.isApplyingChanges
+      ? this.steps[this.steps.length - 1]
+      : this.steps[this.currentStepIndex];
+
+    const resolvedPayload = this.#resolvePayload(step?.formConfig.payload);
+
+    const resolvedConfig = {
+      ...step?.formConfig,
+      payload: resolvedPayload,
+    } as FormConfig<any, any>;
+
+    const form = new V2Form<any, any>(resolvedConfig);
+    // eslint-disable-next-line ember/no-side-effects
+    this.#currentFormCache = form;
+
+    return form;
+  }
+
+  get currentStepState(): WizardStepState | undefined {
+    return this.currentStepName ? this.wizardState[this.currentStepName] : undefined;
+  }
+
+  get stepCount() {
+    return this.config.applyChanges ? this.steps.length + 1 : this.steps.length;
+  }
+  get isFirstStep() {
+    return this.currentStepIndex === 0;
+  }
+
+  get isLastStep() {
+    return this.currentStepIndex === this.stepCount - 1;
+  }
+
+  get isApplyingChanges() {
+    return this.isLastStep && this.config.applyChanges;
+  }
+
+  get canAdvance() {
+    // Can advance if current step has a response (successfully completed)
+    return !!this.currentStepState?.response;
+  }
+
+  /**
+   * Resolves a payload that might be a function or a static object.
+   *
+   * Function payloads enable cross-step data sharing in wizards by reading
+   * from wizardState to pre-populate form fields based on previous steps.
+   *
+   * Example: A mount path entered in step 1 can be reused in steps 2 and 3
+   * by defining their payloads as functions that read from wizardState:
+   *
+   * ```typescript
+   * payload: (wizardState) => ({
+   *   mount_path: wizardState.step1?.payload?.path || 'default/'
+   * })
+   * ```
+   *
+   * This ensures consistency across steps and improves UX by avoiding
+   * repetitive data entry.
+   */
+  #resolvePayload(payload: any): any {
+    if (typeof payload === 'function') {
+      return payload(this.wizardState);
+    }
+
+    return payload;
+  }
+
+  /**
+   * Updates wizard state after a step submission.
+   * Stores only data - execution state is derived from task properties.
+   */
+  #updateWizardState(stepName: string, payload: any, response: any, error?: string) {
+    this.wizardState = {
+      ...this.wizardState,
+      [stepName]: {
+        payload,
+        response,
+        error,
+      },
+    };
+  }
+
+  /**
+   * Handles successful step submission from Form::V2 component.
+   * Updates wizard state and advances to next step.
+   */
+  @action
+  onStepSuccess(response: unknown) {
+    const stepName = this.currentStepName || '';
+    const payload = this.currentForm.payload;
+
+    // Update wizard state with response
+    this.#updateWizardState(stepName, payload, response);
+
+    // Auto-advance if not last step
+    if (!this.isLastStep) {
+      this.nextStep();
+    }
+  }
+
+  /**
+   * Handles failed step submission from Form::V2 component.
+   * Updates wizard state with error message.
+   */
+  @action
+  onStepError(errorMessage: string) {
+    const stepName = this.currentStepName || '';
+
+    // Store error in wizard state
+    this.#updateWizardState(stepName, this.currentForm.payload, null, errorMessage);
+  }
+
+  @action
+  nextStep() {
+    if (this.currentStepIndex < this.stepCount - 1) {
+      this.currentStepIndex++;
+      // Clear form cache so next step gets fresh form with resolved payload
+      this.#currentFormCache = undefined;
+    }
+  }
+
+  @action
+  previousStep() {
+    if (this.currentStepIndex > 0) {
+      this.currentStepIndex--;
+      // Clear form cache when navigating back
+      this.#currentFormCache = undefined;
+    }
+  }
+
+  @action
+  onStepChange(_event: Event, stepIndex: number) {
+    // Only allow navigating to completed steps or previous steps
+    const targetStep = this.steps[stepIndex];
+    const targetStepState = this.wizardState[targetStep?.name || ''];
+
+    // Can navigate if:
+    // 1. Step is already completed (has response), OR
+    // 2. It's a previous step (allow going back)
+    if (targetStepState?.response || stepIndex <= this.currentStepIndex) {
+      this.currentStepIndex = stepIndex;
+      // Clear form cache to re-resolve payload with current wizard state
+      this.#currentFormCache = undefined;
+    }
+  }
+}
diff --git a/ui/app/components/generate-credentials-database.hbs b/ui/app/components/generate-credentials-database.hbs
index 3df000fc27..b2c900f36d 100644
--- a/ui/app/components/generate-credentials-database.hbs
+++ b/ui/app/components/generate-credentials-database.hbs
@@ -41,22 +41,22 @@
     <InfoTableRow @label="Password" @value={{@model.password}}>
       <MaskedInput @value={{@model.password}} @name="Password" @displayOnly={{true}} @allowCopy={{true}} />
     </InfoTableRow>
-    <InfoTableRow @label="Lease ID" @value={{@model.leaseId}} />
-    <InfoTableRow @label="Lease Duration" @value={{format-duration @model.leaseDuration}} />
+    <InfoTableRow @label="Lease ID" @value={{@model.lease_id}} />
+    <InfoTableRow @label="Lease Duration" @value={{format-duration @model.lease_duration}} />
   {{/if}}
   {{! STATIC ROLE }}
   {{#if (and (eq @roleType "static") @model.username)}}
     <InfoTableRow
       @label="Last Vault rotation"
-      @value={{date-format @model.lastVaultRotation "MMMM d yyyy, h:mm:ss a"}}
-      @tooltipText={{@model.lastVaultRotation}}
+      @value={{date-format @model.last_vault_rotation "MMMM d yyyy, h:mm:ss a"}}
+      @tooltipText={{@model.last_vault_rotation}}
       @addCopyButton={{true}}
     />
     <InfoTableRow @label="Password" @value={{@model.password}}>
       <MaskedInput @value={{@model.password}} @name="Password" @displayOnly={{true}} @allowCopy={{true}} />
     </InfoTableRow>
     <InfoTableRow @label="Username" @value={{@model.username}} />
-    <InfoTableRow @label="Rotation Period" @value={{format-duration @model.rotationPeriod}} />
+    <InfoTableRow @label="Rotation Period" @value={{format-duration @model.rotation_period}} />
     <InfoTableRow @label="Time Remaining" @value={{format-duration @model.ttl}} />
   {{/if}}
 </div>
diff --git a/ui/app/components/generate-credentials-ssh.hbs b/ui/app/components/generate-credentials-ssh.hbs
new file mode 100644
index 0000000000..3a857eccfe
--- /dev/null
+++ b/ui/app/components/generate-credentials-ssh.hbs
@@ -0,0 +1,77 @@
+{{!
+  Copyright IBM Corp. 2016, 2026
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Page::Header @title="Generate SSH Credentials">
+  <:breadcrumbs>
+    <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
+  </:breadcrumbs>
+</Page::Header>
+
+{{#if this.otpData}}
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <Hds::Alert @type="inline" @color="warning" class="has-top-bottom-margin" data-test-warning as |A|>
+      <A.Title>Warning</A.Title>
+      <A.Description>
+        You will not be able to access this information later, so please copy the information below.
+      </A.Description>
+    </Hds::Alert>
+    {{#each this.otpDisplayRows as |row|}}
+      {{#if row.masked}}
+        <InfoTableRow @label={{row.label}} @value={{row.value}}>
+          <MaskedInput @value={{row.value}} @name="key" @displayOnly={{true}} @allowCopy={{true}} />
+        </InfoTableRow>
+      {{else}}
+        <InfoTableRow @label={{row.label}} @value={{row.value}} />
+      {{/if}}
+    {{/each}}
+  </div>
+  <div class="field is-grouped box is-fullwidth is-bottomless">
+    <div class="control">
+      <Hds::Copy::Button
+        @text="Copy credentials"
+        @textToCopy={{this.otpData.key}}
+        @onError={{(fn (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger"))}}
+        class="primary"
+      />
+    </div>
+    <div class="control">
+      <Hds::Button @text="Back" @color="secondary" {{on "click" this.reset}} data-test-back-button />
+    </div>
+  </div>
+{{else}}
+  <form {{on "submit" (perform this.generate)}} data-test-secret-generate-form>
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <NamespaceReminder @mode="generate" @noun="credential" />
+      <MessageError @errorMessage={{this.errorMessage}} />
+      {{#each this.credentialForm.formFields as |attr|}}
+        <FormField
+          data-test-field
+          @attr={{attr}}
+          @model={{this.credentialForm}}
+          @modelValidations={{this.modelValidations}}
+        />
+      {{/each}}
+      {{#if this.invalidFormAlert}}
+        <AlertInline @type="danger" @message={{this.invalidFormAlert}} class="has-top-padding-s" />
+      {{/if}}
+    </div>
+    <Hds::ButtonSet class="has-top-bottom-margin">
+      <Hds::Button
+        @text="Generate"
+        @icon={{if this.generate.isRunning "loading"}}
+        type="submit"
+        disabled={{this.generate.isRunning}}
+        data-test-submit
+      />
+      <Hds::Button
+        @text="Cancel"
+        @route="vault.cluster.secrets.backend.list-root"
+        @color="secondary"
+        @model={{@backendPath}}
+        data-test-cancel
+      />
+    </Hds::ButtonSet>
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/generate-credentials-ssh.ts b/ui/app/components/generate-credentials-ssh.ts
new file mode 100644
index 0000000000..f7e9118151
--- /dev/null
+++ b/ui/app/components/generate-credentials-ssh.ts
@@ -0,0 +1,90 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { service } from '@ember/service';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
+import SshOtpCredentialForm from 'vault/forms/ssh/otp-credential';
+
+import type ApiService from 'vault/services/api';
+import type ControlGroupService from 'vault/vault/services/control-group';
+
+interface Args {
+  backendPath: string;
+  roleName: string;
+}
+
+export default class GenerateCredentialsSsh extends Component<Args> {
+  @service declare readonly api: ApiService;
+  @service declare readonly controlGroup: ControlGroupService;
+
+  @tracked credentialForm = new SshOtpCredentialForm();
+  @tracked otpData: Record<string, unknown> | null = null;
+  @tracked errorMessage: string | null = null;
+  @tracked modelValidations: Record<string, unknown> | null = null;
+  @tracked invalidFormAlert: string | null = null;
+
+  get otpDisplayRows() {
+    const data = this.otpData;
+    if (!data) return [];
+    return [
+      { label: 'Username', value: data['username'] },
+      { label: 'IP Address', value: data['ip'] },
+      { label: 'Key', value: data['key'], masked: true },
+      { label: 'Key type', value: data['key_type'] },
+      { label: 'Port', value: data['port'] },
+    ].filter((f) => f.value != null && f.value !== '');
+  }
+
+  get breadcrumbs() {
+    const { backendPath, roleName } = this.args;
+    return [
+      { label: backendPath, route: 'vault.cluster.secrets.backend', model: backendPath },
+      { label: 'Credentials', route: 'vault.cluster.secrets.backend', model: backendPath },
+      { label: roleName, route: 'vault.cluster.secrets.backend.show', model: roleName },
+      { label: 'Generate SSH credentials' },
+    ];
+  }
+
+  generate = task(
+    waitFor(async (evt: Event) => {
+      evt.preventDefault();
+      this.errorMessage = null;
+
+      const { isValid, state, invalidFormMessage, data } = this.credentialForm.toJSON();
+      this.modelValidations = isValid ? null : state;
+      this.invalidFormAlert = isValid ? null : invalidFormMessage;
+      if (!isValid) return;
+      try {
+        const result = await this.api.secrets.sshGenerateCredentials(
+          this.args.roleName,
+          this.args.backendPath,
+          data
+        );
+        this.otpData = (result.data as Record<string, unknown>) ?? {};
+      } catch (error) {
+        const { message, response } = await this.api.parseError(error);
+        if (response?.isControlGroupError) {
+          this.controlGroup.saveTokenFromError(response);
+          this.errorMessage = this.controlGroup.logFromError(response).content;
+        } else {
+          this.errorMessage = message;
+        }
+      }
+    })
+  );
+
+  @action
+  reset() {
+    this.otpData = null;
+    this.credentialForm = new SshOtpCredentialForm();
+    this.errorMessage = null;
+    this.modelValidations = null;
+    this.invalidFormAlert = null;
+  }
+}
diff --git a/ui/app/components/generate-credentials-totp.js b/ui/app/components/generate-credentials-totp.js
index f8b22220fd..e1fc32bb29 100644
--- a/ui/app/components/generate-credentials-totp.js
+++ b/ui/app/components/generate-credentials-totp.js
@@ -14,7 +14,7 @@ const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
 export default class GenerateCredentialsTotp extends Component {
   @tracked elapsedTime = 0;
   @tracked totpCode = null;
-  @service store;
+  @service api;
   @service router;
 
   title = 'Generate TOTP code';
@@ -61,8 +61,8 @@ export default class GenerateCredentialsTotp extends Component {
   async generateTotpCode(backend, keyName) {
     // refreshing will generate a new code if the period has expired.
     try {
-      const totpCode = await this.store.adapterFor('totp-key').generateCode(backend, keyName);
-      this.totpCode = totpCode.code;
+      const resp = await this.api.secrets.totpGenerateCode(keyName, backend);
+      this.totpCode = resp?.data?.code ?? null;
     } catch (e) {
       // swallow error, non-essential data
       return;
diff --git a/ui/app/components/generate-credentials.ts b/ui/app/components/generate-credentials.ts
index 93930ef03b..27dfda5300 100644
--- a/ui/app/components/generate-credentials.ts
+++ b/ui/app/components/generate-credentials.ts
@@ -16,12 +16,6 @@ import type RouterService from '@ember/routing/router-service';
 import type Store from '@ember-data/store';
 
 const CREDENTIAL_TYPES = {
-  ssh: {
-    model: 'ssh-otp-credential',
-    title: 'Generate SSH Credentials',
-    formFields: ['username', 'ip'],
-    displayFields: ['username', 'ip', 'key', 'keyType', 'port'],
-  },
   aws: {
     model: 'aws-credential',
     title: 'Generate AWS Credentials',
@@ -42,7 +36,7 @@ const CREDENTIAL_TYPES = {
 interface Args {
   awsRoleType: string | undefined;
   backendPath: string;
-  backendType: 'ssh' | 'aws';
+  backendType: 'aws';
   roleName: string;
 }
 
diff --git a/ui/app/components/generated-item-list.hbs b/ui/app/components/generated-item-list.hbs
index 0ec1ed8b89..fa45b2e64f 100644
--- a/ui/app/components/generated-item-list.hbs
+++ b/ui/app/components/generated-item-list.hbs
@@ -47,16 +47,20 @@
   as |list|
 >
   {{#if list.empty}}
-    <list.empty
-      @title="No {{pluralize @itemType}} yet"
-      @message="A list of {{pluralize @itemType}} will be listed here. Create your first {{@itemType}} to get started."
-    >
-      <Hds::Link::Standalone
-        @icon="plus"
-        @text="Create {{singularize @itemType}}"
-        @route="vault.cluster.access.method.item.create"
-        @models={{array @methodModel.id @itemType}}
+    <list.empty class="top-padding-32 is-marginless" data-test-list-view-empty-state as |A|>
+      <A.Header @title="No {{pluralize @itemType}} yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="A list of {{pluralize @itemType}} will be listed here. Create your first {{@itemType}} to get started."
+        data-test-empty-state-message
       />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="plus"
+          @text="Create {{singularize @itemType}}"
+          @route="vault.cluster.access.method.item.create"
+          @models={{array @methodModel.id @itemType}}
+        />
+      </A.Footer>
     </list.empty>
   {{else if list.item}}
     <ListItem @linkParams={{array "vault.cluster.access.method.item.show" @methodModel.id @itemType list.item.id}} as |Item|>
diff --git a/ui/app/components/identity/edit-form.hbs b/ui/app/components/identity/edit-form.hbs
index c532a233de..7073c953ee 100644
--- a/ui/app/components/identity/edit-form.hbs
+++ b/ui/app/components/identity/edit-form.hbs
@@ -3,15 +3,15 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-{{#if (and (eq this.mode "edit") this.model.canDelete)}}
+{{#if (and (eq @mode "edit") @model.canDelete)}}
   <Toolbar>
     <ToolbarActions>
       <ConfirmAction
         class="toolbar-button"
         @buttonColor="secondary"
-        @buttonText="Delete {{this.model.identityType}}"
-        @confirmTitle="Delete this {{this.model.identityType}}?"
-        @onConfirmAction={{action "deleteItem" this.model}}
+        @buttonText="Delete {{@model.identityType}}"
+        @confirmTitle="Delete this {{@model.identityType}}?"
+        @onConfirmAction={{action "deleteItem" @model}}
       />
     </ToolbarActions>
   </Toolbar>
@@ -19,41 +19,28 @@
 
 <form {{action (perform this.save) on="submit"}}>
   <div class="box is-sideless is-fullwidth is-marginless">
-    <NamespaceReminder @mode={{this.mode}} @noun={{lowercase (humanize this.model.identityType)}} />
-    <MessageError @model={{this.model}} />
-    {{#if (eq this.mode "merge")}}
+    <NamespaceReminder @mode={{@mode}} @noun={{lowercase (humanize @model.identityType)}} />
+    <MessageError @model={{@model}} />
+    {{#if (eq @mode "merge")}}
       <Hds::Alert @type="inline" @color="warning" class="has-bottom-margin-s" as |A|>
         <A.Title>Warning</A.Title>
         <A.Description>Metadata on merged entities is not preserved, you will need to recreate it on the entity you merge to.</A.Description>
       </Hds::Alert>
     {{/if}}
-    {{#each this.model.fields as |attr|}}
+    {{#each @model.fields as |attr|}}
       <FormField data-test-field={{true}} @attr={{attr}} @model={{@model}}>
         <div class="form-section">
-          {{#if this.model.canCreatePolicies}}
-            <SearchSelectWithModal
-              @id="policies"
-              @label="Policies"
-              @labelClass="title is-4"
-              @models={{array "policy/acl" "policy/rgp"}}
-              @inputValue={{@model.policies}}
-              @onChange={{action (mut this.model.policies)}}
-              @fallbackComponent="string-list"
-              @modalFormTemplate="modal-form/policy-template"
-              @excludeOptions={{array "root"}}
-            />
-          {{else}}
-            <SearchSelect
-              @id="policies"
-              @label="Policies"
-              @labelClass="title is-4"
-              @models={{array "policy/acl" "policy/rgp"}}
-              @inputValue={{@model.policies}}
-              @onChange={{action (mut this.model.policies)}}
-              @fallbackComponent="string-list"
-              @disallowNewItems={{true}}
-            />
-          {{/if}}
+          <SearchSelect
+            @id="policies"
+            @label="Policies"
+            @labelClass="title is-4"
+            @options={{this.policies}}
+            @inputValue={{@model.policies}}
+            @onChange={{fn (mut @model.policies)}}
+            @onCreate={{this.onCreatePolicy}}
+            @fallbackComponent="string-list"
+            @disallowNewItems={{not @model.canCreatePolicies}}
+          />
         </div>
       </FormField>
     {{/each}}
@@ -63,24 +50,32 @@
     <div class="field is-grouped">
       <Hds::ButtonSet>
         <Hds::Button
-          @text={{if (eq this.mode "create") "Create" "Save"}}
+          @text={{if (eq @mode "create") "Create" "Save"}}
           @icon={{if this.save.isRunning "loading"}}
           type="submit"
           disabled={{this.save.isRunning}}
           data-test-submit
         />
-        {{#if (or (eq this.mode "merge") (eq this.mode "create"))}}
+        {{#if (or (eq @mode "merge") (eq @mode "create"))}}
           <Hds::Button @text="Cancel" @color="secondary" @route={{this.cancelLink}} data-test-cancel-link />
         {{else}}
           <Hds::Button
             @text="Cancel"
             @color="secondary"
             @route={{this.cancelLink}}
-            @models={{array this.model.id "details"}}
+            @models={{array @model.id "details"}}
             data-test-cancel-link
           />
         {{/if}}
       </Hds::ButtonSet>
     </div>
   </div>
-</form>
\ No newline at end of file
+</form>
+
+{{#if this.policyForm}}
+  <PolicyFormModal
+    @form={{this.policyForm}}
+    @onSave={{fn (mut this.policyForm) null}}
+    @onCancel={{fn (mut this.policyForm) null}}
+  />
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/identity/edit-form.js b/ui/app/components/identity/edit-form.js
index 803be3797d..37f3544017 100644
--- a/ui/app/components/identity/edit-form.js
+++ b/ui/app/components/identity/edit-form.js
@@ -3,32 +3,47 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
 import { service } from '@ember/service';
-import Component from '@ember/component';
-import { computed } from '@ember/object';
+import { action } from '@ember/object';
 import { task } from 'ember-concurrency';
 import { humanize } from 'vault/helpers/humanize';
 import { waitFor } from '@ember/test-waiters';
+import PolicyForm from 'vault/forms/policy';
+import {
+  SystemApiPoliciesListAclPoliciesListEnum,
+  SystemApiSystemListPoliciesRgpListEnum,
+} from '@hashicorp/vault-client-typescript';
 
-export default Component.extend({
-  flashMessages: service(),
-  store: service(),
-  'data-test-component': 'identity-edit-form',
-  attributeBindings: ['data-test-component'],
-  model: null,
+export default class IdentityEditFormComponent extends Component {
+  @service flashMessages;
+  @service store;
+  @service api;
 
-  // 'create', 'edit', 'merge'
-  mode: 'create',
-  /*
-   * @param Function
-   * @public
-   *
-   * Optional param to call a function upon successfully saving an entity
-   */
-  onSave: () => {},
+  @tracked policies = [];
+  @tracked policyForm;
 
-  cancelLink: computed('mode', 'model.identityType', function () {
-    const { model, mode } = this;
+  constructor() {
+    super(...arguments);
+    // fetch policies to populate dropdown in form
+    this.fetchPolicies();
+  }
+
+  async fetchPolicies() {
+    const [aclResult, rgpResult] = await Promise.allSettled([
+      this.api.sys.policiesListAclPolicies(SystemApiPoliciesListAclPoliciesListEnum.TRUE),
+      this.api.sys.systemListPoliciesRgp(SystemApiSystemListPoliciesRgpListEnum.TRUE),
+    ]);
+    const aclPolicies = aclResult.status === 'fulfilled' ? aclResult.value.keys : [];
+    const rgpPolicies = rgpResult.status === 'fulfilled' ? rgpResult.value.keys : [];
+    this.policies = [...aclPolicies, ...rgpPolicies]
+      .filter((name) => name !== 'root')
+      .map((policy) => ({ id: policy }));
+  }
+
+  get cancelLink() {
+    const { model, mode } = this.args;
     const routes = {
       'create-entity': 'vault.cluster.access.identity',
       'edit-entity': 'vault.cluster.access.identity.show',
@@ -42,7 +57,7 @@ export default Component.extend({
     };
     const key = model ? `${mode}-${model.identityType}` : 'merge-entity-alias';
     return routes[key];
-  }),
+  }
 
   getMessage(model, isDelete = false) {
     const mode = this.mode;
@@ -55,23 +70,23 @@ export default Component.extend({
       return `Successfully ${action} ${typeDisplay} ${model.id}.`;
     }
     return `Successfully ${action} ${typeDisplay}.`;
-  },
+  }
 
-  save: task(
-    waitFor(function* () {
-      const model = this.model;
+  save = task(
+    waitFor(async () => {
+      const { model } = this.args;
       const message = this.getMessage(model);
 
       try {
-        yield model.save();
+        await model.save();
       } catch (err) {
         // err will display via model state
         return;
       }
       this.flashMessages.success(message);
-      yield this.onSave({ saveType: 'save', model });
+      await this.args.onSave({ saveType: 'save', model });
     })
-  ).drop(),
+  );
 
   willDestroy() {
     // components are torn down after store is disconnected and will cause an error if attempt to unload record
@@ -80,17 +95,20 @@ export default Component.extend({
     if (noTeardown && model && model.isDirty && !model.isDestroyed && !model.isDestroying) {
       model.rollbackAttributes();
     }
-    this._super(...arguments);
-  },
+    super.willDestroy(...arguments);
+  }
 
-  actions: {
-    deleteItem(model) {
-      const message = this.getMessage(model, true);
-      const flash = this.flashMessages;
-      model.destroyRecord().then(() => {
-        flash.success(message);
-        return this.onSave({ saveType: 'delete', model });
-      });
-    },
-  },
-});
+  @action
+  deleteItem(model) {
+    const message = this.getMessage(model, true);
+    const flash = this.flashMessages;
+    model.destroyRecord().then(() => {
+      flash.success(message);
+      return this.args.onSave({ saveType: 'delete', model });
+    });
+  }
+  @action
+  onCreatePolicy(name) {
+    this.policyForm = new PolicyForm({ name, enforcement_level: 'hard-mandatory' }, { isNew: true });
+  }
+}
diff --git a/ui/app/components/identity/entity-nav.hbs b/ui/app/components/identity/entity-nav.hbs
index 47e855fec9..5b355469d2 100644
--- a/ui/app/components/identity/entity-nav.hbs
+++ b/ui/app/components/identity/entity-nav.hbs
@@ -3,12 +3,12 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title={{titleize (pluralize this.identityType)}}>
+<Page::Header @title={{titleize (pluralize @identityType)}} @description={{this.description}}>
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
         (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-        (hash label=(titleize (pluralize this.identityType)))
+        (hash label=(titleize (pluralize @identityType)))
       }}
     />
   </:breadcrumbs>
@@ -17,12 +17,12 @@
 <nav class="tabs" aria-label="navigation for entities">
   <ul>
     <li>
-      <LinkTo @route="vault.cluster.access.identity.index" @model={{pluralize this.identityType}}>
-        {{capitalize (pluralize this.identityType)}}
+      <LinkTo @route="vault.cluster.access.identity.index" @model={{pluralize @identityType}}>
+        {{capitalize (pluralize @identityType)}}
       </LinkTo>
     </li>
     <li>
-      <LinkTo @route="vault.cluster.access.identity.aliases.index" @model={{pluralize this.identityType}}>
+      <LinkTo @route="vault.cluster.access.identity.aliases.index" @model={{pluralize @identityType}}>
         Aliases
       </LinkTo>
     </li>
@@ -30,30 +30,30 @@
 </nav>
 
 <Toolbar>
-  {{#if this.model.meta.total}}
+  {{#if @model.meta.total}}
     <ToolbarFilters>
-      <Identity::LookupInput @type={{this.identityType}} />
+      <Identity::LookupInput @type={{@identityType}} />
     </ToolbarFilters>
   {{/if}}
   <ToolbarActions>
-    {{#if (eq this.identityType "entity")}}
+    {{#if (eq @identityType "entity")}}
       <ToolbarLink
         @route={{"vault.cluster.access.identity.merge"}}
-        @model={{pluralize this.identityType}}
+        @model={{pluralize @identityType}}
         data-test-entity-merge-link={{true}}
       >
         Merge
-        {{pluralize this.identityType}}
+        {{pluralize @identityType}}
       </ToolbarLink>
     {{/if}}
     <ToolbarLink
       @route="vault.cluster.access.identity.create"
-      @model={{pluralize this.identityType}}
+      @model={{pluralize @identityType}}
       @type="add"
       data-test-entity-create-link={{true}}
     >
       Create
-      {{this.identityType}}
+      {{@identityType}}
     </ToolbarLink>
   </ToolbarActions>
 </Toolbar>
\ No newline at end of file
diff --git a/ui/app/components/identity/entity-nav.js b/ui/app/components/identity/entity-nav.js
deleted file mode 100644
index 2b674eb095..0000000000
--- a/ui/app/components/identity/entity-nav.js
+++ /dev/null
@@ -1,8 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@ember/component';
-
-export default Component.extend({});
diff --git a/ui/app/components/identity/entity-nav.ts b/ui/app/components/identity/entity-nav.ts
new file mode 100644
index 0000000000..62a487bd1c
--- /dev/null
+++ b/ui/app/components/identity/entity-nav.ts
@@ -0,0 +1,23 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+
+interface Args {
+  identityType: 'entity' | 'group';
+  model: {
+    meta: {
+      total: number;
+    };
+  };
+}
+
+export default class EntityNavComponent extends Component<Args> {
+  get description() {
+    return this.args.identityType === 'entity'
+      ? 'Create and manage unique identities for human and non-human identities to serve as the canonical reference ID for policies and metadata.'
+      : 'Create and name logical collections of entities to simplify policy management and permission scaling across your organization.';
+  }
+}
diff --git a/ui/app/components/identity/item-alias/alias-metadata.hbs b/ui/app/components/identity/item-alias/alias-metadata.hbs
index 651cb4dd10..dbd68343fa 100644
--- a/ui/app/components/identity/item-alias/alias-metadata.hbs
+++ b/ui/app/components/identity/item-alias/alias-metadata.hbs
@@ -19,7 +19,7 @@
     </div>
   </div>
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No metadata associated with {{@model.name}} yet" @titleTag="h2" />
   </Hds::ApplicationState>
 {{/each-in}}
\ No newline at end of file
diff --git a/ui/app/components/identity/item-aliases.hbs b/ui/app/components/identity/item-aliases.hbs
index b69ec6b0ab..938e0358cb 100644
--- a/ui/app/components/identity/item-aliases.hbs
+++ b/ui/app/components/identity/item-aliases.hbs
@@ -29,7 +29,7 @@
     </div>
   </LinkedBlock>
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header
       data-test-empty-state-title
       @title="No {{@model.identityType}} aliases for {{@model.name}} yet"
diff --git a/ui/app/components/identity/item-groups.hbs b/ui/app/components/identity/item-groups.hbs
index 7035f54962..0d31bdbc55 100644
--- a/ui/app/components/identity/item-groups.hbs
+++ b/ui/app/components/identity/item-groups.hbs
@@ -18,7 +18,7 @@
     </LinkedBlock>
   {{/each}}
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="{{@model.name}} is not a member of any groups." @titleTag="h2" />
   </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/identity/item-members.hbs b/ui/app/components/identity/item-members.hbs
index a67c8f8d80..93f4c5c5c2 100644
--- a/ui/app/components/identity/item-members.hbs
+++ b/ui/app/components/identity/item-members.hbs
@@ -45,7 +45,7 @@
     </LinkedBlock>
   {{/each}}
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No members in this group yet" @titleTag="h2" />
   </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/identity/item-metadata.hbs b/ui/app/components/identity/item-metadata.hbs
index 514f470614..4099ea8efd 100644
--- a/ui/app/components/identity/item-metadata.hbs
+++ b/ui/app/components/identity/item-metadata.hbs
@@ -22,7 +22,7 @@
     </div>
   </div>
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No metadata for {{@model.name}}" @titleTag="h2" />
     <A.Body
       data-test-empty-state-message
diff --git a/ui/app/components/identity/item-parent-groups.hbs b/ui/app/components/identity/item-parent-groups.hbs
index c09fbd6eda..93aba68a26 100644
--- a/ui/app/components/identity/item-parent-groups.hbs
+++ b/ui/app/components/identity/item-parent-groups.hbs
@@ -22,7 +22,7 @@
     </LinkedBlock>
   {{/each}}
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="This group has no parent groups yet" @titleTag="h2" />
   </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/identity/item-policies.hbs b/ui/app/components/identity/item-policies.hbs
index ac5376030f..b33eb3f9f5 100644
--- a/ui/app/components/identity/item-policies.hbs
+++ b/ui/app/components/identity/item-policies.hbs
@@ -23,7 +23,7 @@
     </div>
   </LinkedBlock>
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No policies associated with {{@model.name}} yet" @titleTag="h2" />
   </Hds::ApplicationState>
 {{/each}}
\ No newline at end of file
diff --git a/ui/app/components/keymgmt/distribute.hbs b/ui/app/components/keymgmt/distribute.hbs
index 68fed818a3..d59a523e25 100644
--- a/ui/app/components/keymgmt/distribute.hbs
+++ b/ui/app/components/keymgmt/distribute.hbs
@@ -15,16 +15,15 @@
       <div class="field" data-test-keymgmt-dist-key>
         <SearchSelect
           @id="key"
-          @models={{array "keymgmt/key"}}
+          @options={{this.keyOptions}}
           @onChange={{this.handleKeySelect}}
           @passObject={{true}}
           @inputValue={{this.formData.key}}
           @subText="Type to use the name of an existing key that you’d like to add to this provider, or to create one."
           @wildcardLabel="key"
           @label="Key name"
-          @fallbackComponent="string-list"
+          @fallbackComponent={{unless this.canListKeys "string-list"}}
           @selectLimit="1"
-          @backend={{@backend}}
           @disallowNewItems={{false}}
         >
           {{#if (and this.validMatchError.key (not this.isNewKey))}}
@@ -94,15 +93,14 @@
       <div class="field">
         <SearchSelect
           @id="provider"
-          @models={{array "keymgmt/provider"}}
+          @options={{this.providerOptions}}
           @onChange={{this.handleProvider}}
           @passObject={{false}}
           @inputValue={{this.formData.provider}}
           @subText="Select a provider in Vault. If it doesn’t exist yet, you’ll need to add it first."
           @label="Provider"
-          @fallbackComponent="input-search"
+          @fallbackComponent={{unless this.canListProviders "input-search"}}
           @selectLimit="1"
-          @backend={{@backend}}
           @disallowNewItems={{true}}
           data-test-keymgmt-dist-provider
         >
diff --git a/ui/app/components/keymgmt/distribute.js b/ui/app/components/keymgmt/distribute.js
index 41bb93d99c..51ebcd7785 100644
--- a/ui/app/components/keymgmt/distribute.js
+++ b/ui/app/components/keymgmt/distribute.js
@@ -7,9 +7,15 @@ import Component from '@glimmer/component';
 import { action } from '@ember/object';
 import { service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
-import { KEY_TYPES } from '../../models/keymgmt/key';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
+import {
+  KeyManagementUpdateKeyRequestTypeEnum,
+  SecretsApiKeyManagementListKeysListEnum,
+  SecretsApiKeyManagementListKmsProvidersListEnum,
+} from '@hashicorp/vault-client-typescript';
+
+const KEY_TYPES = Object.values(KeyManagementUpdateKeyRequestTypeEnum);
 
 /**
  * @module KeymgmtDistribute
@@ -19,7 +25,7 @@ import { waitFor } from '@ember/test-waiters';
  * ```js
  * <KeymgmtDistribute @backend="keymgmt" @key="my-key" @provider="my-kms" />
  * ```
- * @param {string} backend - name of backend, which will be the basis of other store queries
+ * @param {string} backend - name of backend, which is used in API requests
  * @param {string} [key] - key is the name of the existing key which is being distributed. Will hide the key field in UI
  * @param {string} [provider] - provider is the name of the existing provider which is being distributed to. Will hide the provider field in UI
  */
@@ -37,14 +43,16 @@ const VALID_TYPES_BY_PROVIDER = {
   azurekeyvault: ['rsa-2048', 'rsa-3072', 'rsa-4096'],
 };
 export default class KeymgmtDistribute extends Component {
-  @service pagination;
-  @service store;
+  @service api;
   @service flashMessages;
-  @service router;
 
   @tracked keyModel;
   @tracked isNewKey = false;
+  @tracked keyOptions = [];
+  @tracked canListKeys = true;
   @tracked providerType;
+  @tracked providerOptions = [];
+  @tracked canListProviders = true;
   @tracked formData;
   @tracked formErrors;
 
@@ -57,9 +65,13 @@ export default class KeymgmtDistribute extends Component {
     // Side effects to get types of key or provider passed in
     if (this.args.provider) {
       this.getProviderType(this.args.provider);
+    } else {
+      this.fetchProviderOptions();
     }
     if (this.args.key) {
       this.getKeyInfo(this.args.key);
+    } else {
+      this.fetchKeyOptions();
     }
     this.formData.operations = [];
   }
@@ -122,29 +134,42 @@ export default class KeymgmtDistribute extends Component {
   }
 
   async getKeyInfo(keyName, isNew = false) {
-    let key;
     if (isNew) {
       this.isNewKey = true;
-      key = this.store.createRecord(`keymgmt/key`, {
+      this.keyModel = {
         backend: this.args.backend,
-        id: keyName,
         name: keyName,
-      });
+        type: null,
+      };
     } else {
-      key = await this.store
-        .queryRecord(`keymgmt/key`, {
-          backend: this.args.backend,
-          id: keyName,
-          recordOnly: true,
-        })
-        .catch(() => {
-          // Key type isn't essential for distributing, so if
-          // we can't read it for some reason swallow the error
-          // and allow the API to respond with any key/provider
-          // type matching errors
-        });
+      try {
+        const { data } = await this.api.secrets.keyManagementReadKey(keyName, this.args.backend);
+        this.keyModel = { ...data, name: keyName, backend: this.args.backend };
+      } catch (error) {
+        // Key type isn't essential for distributing, so if
+        // we can't read it for some reason swallow the error
+        // and allow the API to respond with any key/provider
+        // type matching errors
+        this.keyModel = null;
+      }
+    }
+  }
+
+  async fetchKeyOptions() {
+    try {
+      const { keys } = await this.api.secrets.keyManagementListKeys(
+        this.args.backend,
+        SecretsApiKeyManagementListKeysListEnum.TRUE
+      );
+      this.keyOptions = (keys || []).map((name) => ({ id: name, name }));
+      this.canListKeys = true;
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 403) {
+        this.canListKeys = false;
+      }
+      this.keyOptions = [];
     }
-    this.keyModel = key;
   }
 
   async getProviderType(id) {
@@ -153,22 +178,32 @@ export default class KeymgmtDistribute extends Component {
       return;
     }
 
-    const provider = await this.store
-      .queryRecord('keymgmt/provider', {
-        backend: this.args.backend,
-        id,
-      })
-      .catch(() => {});
-    this.providerType = provider?.provider;
+    try {
+      const { data } = await this.api.secrets.keyManagementReadKmsProvider(id, this.args.backend);
+      this.providerType = data.provider;
+    } catch {
+      this.providerType = '';
+    }
+  }
+
+  async fetchProviderOptions() {
+    try {
+      const { keys } = await this.api.secrets.keyManagementListKmsProviders(
+        this.args.backend,
+        SecretsApiKeyManagementListKmsProvidersListEnum.TRUE
+      );
+      this.providerOptions = (keys || []).map((name) => ({ id: name, name }));
+      this.canListProviders = true;
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 403) {
+        this.canListProviders = false;
+      }
+      this.providerOptions = [];
+    }
   }
 
   destroyKey() {
-    if (this.isNewKey) {
-      // Delete record from store if it was created here
-      this.keyModel.destroyRecord().finally(() => {
-        this.keyModel = null;
-      });
-    }
     this.isNewKey = false;
     this.keyModel = null;
   }
@@ -184,22 +219,19 @@ export default class KeymgmtDistribute extends Component {
     return { key, provider, purpose: operations.join(','), protection };
   }
 
-  distributeKey(backend, data) {
-    const adapter = this.store.adapterFor('keymgmt/key');
+  async distributeKey(backend, data) {
     const { key, provider, purpose, protection } = data;
-    return adapter
-      .distribute(backend, provider, key, { purpose, protection })
-      .then(() => {
-        this.flashMessages.success(`Successfully distributed key ${key} to ${provider}`);
-        // update keys on provider model
-        this.pagination.clearDataset('keymgmt/key');
-        const providerModel = this.store.peekRecord('keymgmt/provider', provider);
-        providerModel.fetchKeys(providerModel.keys?.meta?.currentPage || 1);
-        this.args.onClose();
-      })
-      .catch((e) => {
-        this.formErrors = `${e.errors}`;
+    try {
+      await this.api.secrets.keyManagementDistributeKeyInKmsProvider(key, provider, backend, {
+        purpose,
+        protection,
       });
+      this.flashMessages.success(`Successfully distributed key ${key} to ${provider}`);
+      this.args.onClose();
+    } catch (error) {
+      const { message } = await this.api.parseError(error);
+      this.formErrors = message;
+    }
   }
 
   @action
@@ -216,7 +248,9 @@ export default class KeymgmtDistribute extends Component {
   }
   @action
   handleKeyType(evt) {
-    this.keyModel.set('type', evt.target.value);
+    if (this.keyModel) {
+      this.keyModel = { ...this.keyModel, type: evt.target.value };
+    }
   }
 
   @action
@@ -233,13 +267,33 @@ export default class KeymgmtDistribute extends Component {
 
   @action
   async handleKeySelect(selected) {
-    const selectedKey = selected[0] || null;
-    if (!selectedKey) {
+    let keyName;
+    let isNew = false;
+
+    if (typeof selected === 'string') {
+      keyName = selected;
+    } else if (Array.isArray(selected)) {
+      const selectedKey = selected[0] || null;
+      if (!selectedKey) {
+        this.formData.key = null;
+        return this.destroyKey();
+      }
+
+      if (typeof selectedKey === 'string') {
+        keyName = selectedKey;
+      } else {
+        keyName = selectedKey.id;
+        isNew = !!selectedKey.isNew;
+      }
+    }
+
+    if (!keyName) {
       this.formData.key = null;
       return this.destroyKey();
     }
-    this.formData.key = selectedKey.id;
-    return this.getKeyInfo(selectedKey.id, selectedKey.isNew);
+
+    this.formData.key = keyName;
+    return this.getKeyInfo(keyName, isNew);
   }
 
   @task
@@ -254,18 +308,16 @@ export default class KeymgmtDistribute extends Component {
     }
     if (this.isNewKey) {
       try {
-        yield this.keyModel.save();
+        // Create the key first
+        const keyData = { type: this.keyModel.type };
+        yield this.api.secrets.keyManagementUpdateKey(this.keyModel.name, backend, keyData);
         this.flashMessages.success(`Successfully created key ${this.keyModel.name}`);
-      } catch (e) {
-        this.flashMessages.danger(`Error creating new key ${this.keyModel.name}: ${e.errors}`);
+      } catch (error) {
+        const { message } = yield this.api.parseError(error);
+        this.flashMessages.danger(`Error creating new key ${this.keyModel.name}: ${message}`);
         return;
       }
     }
     yield this.distributeKey(backend, data);
-    // Reload key to get dist info
-    yield this.store.queryRecord(`keymgmt/key`, {
-      backend: this.args.backend,
-      id: this.keyModel.name,
-    });
   }
 }
diff --git a/ui/app/components/keymgmt/key-edit.hbs b/ui/app/components/keymgmt/key-edit.hbs
index 30ae8bbc3f..cb65fc3fcc 100644
--- a/ui/app/components/keymgmt/key-edit.hbs
+++ b/ui/app/components/keymgmt/key-edit.hbs
@@ -5,12 +5,16 @@
 
 <Page::Header @title={{this.title}}>
   <:breadcrumbs>
-    <KeyValueHeader @path="vault.cluster.secrets.backend.show" @mode={{this.mode}} @root={{@root}} @showCurrent={{true}} />
+    <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
 {{#if this.isDistributing}}
-  <Keymgmt::Distribute @backend={{@model.backend}} @key={{@model.id}} @onClose={{fn (mut this.isDistributing) false}} />
+  <Keymgmt::Distribute
+    @backend={{@form.data.backend}}
+    @key={{@form.data.name}}
+    @onClose={{fn (mut this.isDistributing) false}}
+  />
 {{else}}
   {{#if (eq this.mode "show")}}
     <div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless" data-test-keymgmt-key-toolbar>
@@ -19,7 +23,7 @@
           <li class={{if (not-eq @tab "versions") "active"}}>
             <LinkTo
               @route="vault.cluster.secrets.backend.show"
-              @model={{@model.id}}
+              @model={{@form.data.name}}
               @query={{hash tab=""}}
               data-test-tab="Details"
             >
@@ -29,7 +33,7 @@
           <li class={{if (eq @tab "versions") "active"}}>
             <LinkTo
               @route="vault.cluster.secrets.backend.show"
-              @model={{@model.id}}
+              @model={{@form.data.name}}
               @query={{hash tab="versions"}}
               data-test-tab="Versions"
             >
@@ -41,7 +45,7 @@
     </div>
     <Toolbar>
       <ToolbarActions>
-        {{#unless @model.distribution}}
+        {{#unless @form.data.distribution}}
           <Hds::Button
             @text="Distribute key"
             @color="secondary"
@@ -50,17 +54,17 @@
             data-test-keymgmt-key-distribute
           />
         {{/unless}}
-        {{#if @model.canDelete}}
+        {{#if @capabilities.canDelete}}
           <Hds::Button
             @text="Destroy key"
             @color="secondary"
             class="toolbar-button"
-            disabled={{not @model.deletionAllowed}}
+            disabled={{not @form.data.deletion_allowed}}
             {{on "click" (fn (mut this.isDeleteModalOpen) true)}}
             data-test-keymgmt-key-destroy
           />
         {{/if}}
-        {{#if @model.provider}}
+        {{#if this.hasValidProvider}}
           <ConfirmAction
             class="toolbar-button"
             @buttonText="Remove key"
@@ -72,7 +76,7 @@
             data-test-keymgmt-key-remove
           />
         {{/if}}
-        {{#if (or @model.canDelete @model.provider)}}
+        {{#if (or @capabilities.canDelete this.hasValidProvider)}}
           <div class="toolbar-separator"></div>
         {{/if}}
         <ConfirmAction
@@ -87,9 +91,9 @@
           @isRunning={{this.rotateKey.isRunning}}
           data-test-keymgmt-key-rotate
         />
-        {{#if @model.canEdit}}
+        {{#if @capabilities.canEdit}}
           <ToolbarSecretLink
-            @secret={{@model.id}}
+            @secret={{@form.data.name}}
             @mode="edit"
             @replace={{true}}
             @queryParams={{hash itemType="key"}}
@@ -105,35 +109,31 @@
   {{#if this.isMutable}}
     <form {{on "submit" (perform this.saveKey)}}>
       <div class="box is-sideless is-fullwidth is-marginless">
-        {{#let (if (eq @mode "create") "createFields" "updateFields") as |fieldsKey|}}
-          {{#each (get @model fieldsKey) as |attr|}}
-            <FormField data-test-field={{true}} @attr={{attr}} @model={{@model}} />
-          {{/each}}
-          <div class="field is-grouped box is-fullwidth is-bottomless">
-            <Hds::ButtonSet>
-              <Hds::Button
-                @text={{if this.isCreating "Create key" "Update"}}
-                @icon={{if this.saveTask.isRunning "loading"}}
-                type="submit"
-                disabled={{this.saveTask.isRunning}}
-                data-test-keymgmt-key-submit
-              />
-              <Hds::Button
-                @text="Cancel"
-                @color="secondary"
-                @route={{if this.isCreating @root.path "vault.cluster.secrets.backend.show"}}
-                @model={{if this.isCreating @root.model @model.id}}
-                @query={{unless this.isCreating (hash itemType="key") (hash itemType="")}}
-                disabled={{this.savekey.isRunning}}
-                data-test-keymgmt-key-cancel
-              />
-            </Hds::ButtonSet>
-          </div>
-        {{/let}}
+        <FormFieldGroups @model={{@form}} @mode={{@mode}} @groupName="formFieldGroups" />
+        <div class="field is-grouped box is-fullwidth is-bottomless">
+          <Hds::ButtonSet>
+            <Hds::Button
+              @text={{if this.isCreating "Create key" "Update"}}
+              @icon={{if this.saveKey.isRunning "loading"}}
+              type="submit"
+              disabled={{this.saveKey.isRunning}}
+              data-test-keymgmt-key-submit
+            />
+            <Hds::Button
+              @text="Cancel"
+              @color="secondary"
+              @route={{if this.isCreating @root.path "vault.cluster.secrets.backend.show"}}
+              @model={{if this.isCreating @root.model @form.data.name}}
+              @query={{unless this.isCreating (hash itemType="key") (hash itemType="")}}
+              disabled={{this.saveKey.isRunning}}
+              data-test-keymgmt-key-cancel
+            />
+          </Hds::ButtonSet>
+        </div>
       </div>
     </form>
   {{else if (eq @tab "versions")}}
-    {{#each @model.versions as |version|}}
+    {{#each @form.data.versions as |version|}}
       <div class="list-item-row" data-test-keymgmt-key-version>
         <div class="columns is-mobile">
           <div class="column is-3 has-text-weight-bold">
@@ -144,9 +144,9 @@
             {{date-from-now version.creation_time addSuffix=true}}
           </div>
           <div class="column is-6 is-flex-center">
-            {{#if (eq @model.minEnabledVersion version.id)}}
+            {{#if (eq @form.data.min_enabled_version version.id)}}
               <Icon @name="check-circle-fill" class="has-text-success" />
-              <span data-test-keymgmt-key-current-min>Current mininum enabled version</span>
+              <span data-test-keymgmt-key-current-min>Current minimum enabled version</span>
             {{/if}}
           </div>
         </div>
@@ -155,51 +155,54 @@
   {{else}}
     <div class="has-top-margin-xl has-bottom-margin-s">
       <h2 class="title is-5 has-border-bottom-light has-bottom-padding-s">Key details</h2>
-      {{#each @model.showFields as |attr|}}
+      {{#each this.displayFields as |field|}}
         <InfoTableRow
           @alwaysRender={{true}}
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get @model attr.name}}
-          @defaultShown={{attr.options.defaultShown}}
-          @formatDate={{if (eq attr.type "date") "MMM d yyyy, h:mm:ss aaa"}}
+          @label={{this.label field}}
+          @value={{get @form.data field}}
+          @defaultShown={{this.defaultShown field}}
+          @formatDate={{this.formatDate field}}
         />
       {{/each}}
     </div>
     <div class="has-top-margin-xl has-bottom-margin-s">
-      <h2 class="title is-5 {{if @model.distribution 'has-border-bottom-light' 'is-borderless'}}">
+      <h2 class="title is-5 {{if @form.data.distribution 'has-border-bottom-light' 'is-borderless'}}">
         Distribution details
       </h2>
-      {{#if @model.provider.permissionsError}}
-        <Hds::ApplicationState @align="center" class="top-padding-32 bottom-padding-32" as |A|>
+      {{#if @form.data.provider.permissionsError}}
+        <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
           <A.Header
             @title="You are not authorized"
             @titleTag="h2"
             @errorCode="403"
             @icon="minus-circle"
-            class="align-items-end"
+            data-test-empty-state-title
           />
           <A.Body
             @text={{concat
               "You must be granted permissions to see whether this key is distributed. Ask your administrator if you think you should have access to LIST /"
-              @model.backend
+              @form.data.backend
               "/key/"
-              @model.name
+              @form.data.name
               "/kms."
             }}
+            data-test-empty-state-message
           />
         </Hds::ApplicationState>
-      {{else if (is-empty-value @model.provider)}}
+      {{else if (is-empty-value @form.data.provider)}}
         <Hds::ApplicationState
-          @align="center"
           data-test-keymgmt-dist-empty-state
-          class="top-padding-32 bottom-padding-32"
+          class="top-padding-32 bottom-padding-32 is-marginless"
           as |A|
         >
-          <A.Header @title="Key not distributed" @titleTag="h2" />
-          <A.Body @text="When this key is distributed to a destination, those details will appear here." />
-          {{#if @model.canListProviders}}
-            <A.Footer>
-              <Hds::Button
+          <A.Header @title="Key not distributed" @titleTag="h2" data-test-empty-state-title />
+          <A.Body
+            @text="When this key is distributed to a destination, those details will appear here."
+            data-test-empty-state-message
+          />
+          {{#if @capabilities.canListProviders}}
+            <A.Footer data-test-empty-state-actions as |F|>
+              <F.Button
                 @text="Distribute key"
                 @icon="chevron-right"
                 @iconPosition="trailing"
@@ -210,20 +213,24 @@
           {{/if}}
         </Hds::ApplicationState>
       {{else}}
-        <InfoTableRow @label="Distributed" @value={{@model.provider}}>
-          <LinkTo @route="vault.cluster.secrets.backend.show" @model={{@model.provider}} @query={{hash itemType="provider"}}>
-            <Icon @name="check-circle-fill" class="has-text-success" />{{@model.provider}}
+        <InfoTableRow @label="Distributed" @value={{@form.data.provider}}>
+          <LinkTo
+            @route="vault.cluster.secrets.backend.show"
+            @model={{@form.data.provider}}
+            @query={{hash itemType="provider"}}
+          >
+            <Icon @name="check-circle-fill" class="has-text-success" />{{@form.data.provider}}
           </LinkTo>
         </InfoTableRow>
-        {{#if @model.distribution}}
-          {{#each @model.distFields as |attr|}}
+        {{#if @form.data.distribution}}
+          {{#each this.distributionFields as |attr|}}
             <InfoTableRow
               @alwaysRender={{true}}
               @label={{capitalize (or attr.label (humanize (dasherize attr.name)))}}
               @value={{if
                 (eq attr.name "protection")
-                (uppercase (get @model.distribution attr.name))
-                (get @model.distribution attr.name)
+                (uppercase (get @form.data.distribution attr.name))
+                (get @form.data.distribution attr.name)
               }}
               @defaultShown={{attr.defaultShown}}
               @helperText={{attr.subText}}
@@ -231,22 +238,23 @@
             />
           {{/each}}
         {{else}}
-          <Hds::ApplicationState @align="center" class="top-padding-32 bottom-padding-32" as |A|>
+          <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
             <A.Header
               @title="You are not authorized"
               @titleTag="h2"
               @errorCode="403"
               @icon="minus-circle"
-              class="align-items-end"
+              data-test-empty-state-title
             />
             <A.Body
               @text={{concat
                 "You must be granted permissions to view distribution details for this key. Ask your administrator if you think you should have access to GET /"
-                @model.backend
+                @form.data.backend
                 "/key/"
-                @model.name
+                @form.data.name
                 "/kms."
               }}
+              data-test-empty-state-message
             />
           </Hds::ApplicationState>
         {{/if}}
@@ -259,15 +267,14 @@
   @title="Destroy key?"
   @onClose={{fn (mut this.isDeleteModalOpen) false}}
   @isActive={{this.isDeleteModalOpen}}
-  @confirmText={{@model.name}}
+  @confirmText={{@form.data.name}}
   @toConfirmMsg="deleting the key"
-  @onConfirm={{fn this.deleteKey @model.id}}
+  @onConfirm={{fn this.deleteKey @form.data.name}}
 >
   <p>
     Destroying the
-    <strong>{{@model.name}}</strong>
+    <strong>{{@form.data.name}}</strong>
     key means that the underlying data will be lost and the key will become unusable for cryptographic operations. It is
     unrecoverable.
   </p>
-  <MessageError @model={{this.model}} @errorMessage={{this.error}} />
 </ConfirmationModal>
\ No newline at end of file
diff --git a/ui/app/components/keymgmt/key-edit.js b/ui/app/components/keymgmt/key-edit.js
index 383e9096ca..9d5232263b 100644
--- a/ui/app/components/keymgmt/key-edit.js
+++ b/ui/app/components/keymgmt/key-edit.js
@@ -9,6 +9,7 @@ import { action } from '@ember/object';
 import { tracked } from '@glimmer/tracking';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
+import { isValidProvider } from 'vault/utils/keymgmt-provider-utils';
 
 /**
  * @module KeymgmtKeyEdit
@@ -26,30 +27,94 @@ import { waitFor } from '@ember/test-waiters';
 const LIST_ROOT_ROUTE = 'vault.cluster.secrets.backend.list-root';
 const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
 export default class KeymgmtKeyEdit extends Component {
-  @service store;
+  @service api;
   @service router;
   @service flashMessages;
   @tracked isDeleteModalOpen = false;
+  @tracked isDistributing = false;
+
+  get breadcrumbs() {
+    return [
+      {
+        label: 'Vault',
+        icon: 'vault',
+        route: 'vault.cluster.dashboard',
+      },
+      {
+        label: 'Secrets engines',
+        route: 'vault.cluster.secrets.backends',
+      },
+      {
+        label: this.args.form.data.backend,
+        route: 'vault.cluster.secrets.backend.list-root',
+        model: this.args.form.data.backend,
+      },
+      { label: this.title },
+    ];
+  }
+
+  displayFields = [
+    'name',
+    'created',
+    'type',
+    'deletion_allowed',
+    'latest_version',
+    'min_enabled_version',
+    'last_rotated',
+  ];
+
+  label(field) {
+    const labels = {
+      name: 'Key name',
+      created: 'Created',
+      type: 'Type',
+      deletion_allowed: 'Allow deletion',
+      latest_version: 'Current version',
+      min_enabled_version: 'Minimum enabled version',
+      last_rotated: 'Last rotated',
+    };
+    return labels[field] || field;
+  }
+
+  defaultShown(field) {
+    const defaults = {
+      min_enabled_version: 'All versions enabled',
+      last_rotated: 'Not yet rotated',
+    };
+    return defaults[field];
+  }
+
+  formatDate(field) {
+    const dateFields = ['created', 'last_rotated'];
+    return dateFields.includes(field) ? 'MMM d yyyy, h:mm:ss aaa' : undefined;
+  }
+
+  distributionFields = [
+    {
+      name: 'name',
+      type: 'string',
+      label: 'Distributed name',
+      subText: 'The name given to the key by the provider.',
+    },
+    { name: 'purpose', type: 'string', label: 'Key Purpose' },
+    { name: 'protection', type: 'string', subText: 'Where cryptographic operations are performed.' },
+  ];
 
   get title() {
     if (this.isDistributing) {
-      return 'Distribute Key';
+      return 'Distribute key';
     } else if (this.args.mode === 'create') {
-      return 'Create Key';
+      return 'Create key';
     } else if (this.args.mode === 'edit') {
-      return 'Edit Key';
+      return 'Edit key';
     }
-    return this.args.model.id;
+    return this.args.form.data.name;
   }
 
   get mode() {
     return this.args.mode || 'show';
   }
 
-  get keyAdapter() {
-    return this.store.adapterFor('keymgmt/key');
-  }
-
   get isMutable() {
     return ['create', 'edit'].includes(this.args.mode);
   }
@@ -58,68 +123,101 @@ export default class KeymgmtKeyEdit extends Component {
     return this.args.mode === 'create';
   }
 
+  get hasValidProvider() {
+    return isValidProvider(this.args.form?.data?.provider);
+  }
+
   @task
   @waitFor
   *saveKey(evt) {
     evt.preventDefault();
-    const { model } = this.args;
+    const { form } = this.args;
+    const backend = form.data.backend;
+    const name = form.data.name;
+
     try {
-      yield model.save();
-      this.router.transitionTo(SHOW_ROUTE, model.name);
+      if (this.isCreating) {
+        yield this.api.secrets.keyManagementUpdateKey(name, backend, { type: form.data.type });
+
+        // These fields can only be set after key creation
+        try {
+          yield this.api.secrets.keyManagementUpdateKey(name, backend, {
+            deletion_allowed: form.data.deletion_allowed,
+            min_enabled_version: form.data.min_enabled_version || 0,
+          });
+        } catch (error) {
+          this.flashMessages.danger(`Key ${name} was created, but not all settings were saved`);
+          this.router.transitionTo(SHOW_ROUTE, name);
+          return;
+        }
+      } else {
+        yield this.api.secrets.keyManagementUpdateKey(name, backend, {
+          deletion_allowed: form.data.deletion_allowed,
+          min_enabled_version: form.data.min_enabled_version,
+        });
+      }
+
+      this.router.transitionTo(SHOW_ROUTE, name);
     } catch (error) {
-      let errorMessage = error;
-      if (error.errors) {
-        // if errors come directly from API they will be in this shape
-        errorMessage = error.errors.join('. ');
-      }
-      this.flashMessages.danger(errorMessage);
-      if (!error.errors) {
-        // If error was custom from save, only partial fail
-        // so it's safe to show the key
-        this.router.transitionTo(SHOW_ROUTE, model.name);
-      }
+      const { message } = yield this.api.parseError(error);
+      this.flashMessages.danger(message);
     }
   }
 
   @task
   @waitFor
   *removeKey() {
+    const { form } = this.args;
+    const backend = form.data.backend;
+    const name = form.data.name;
+    const provider = form.data.provider;
+
+    if (!this.hasValidProvider) {
+      this.flashMessages.danger('Cannot remove key: invalid provider');
+      return;
+    }
+
     try {
-      yield this.keyAdapter.removeFromProvider(this.args.model);
-      yield this.args.model.reload();
+      yield this.api.secrets.keyManagementDeleteKeyInKmsProvider(name, provider, backend);
       this.flashMessages.success('Key has been successfully removed from provider');
+      this.router.refresh();
     } catch (error) {
-      this.flashMessages.danger(error.errors?.join('. '));
+      const { message } = yield this.api.parseError(error);
+      this.flashMessages.danger(message);
     }
   }
 
   @action
   deleteKey() {
-    const secret = this.args.model;
-    const backend = secret.backend;
-    secret
-      .destroyRecord()
+    const { form } = this.args;
+    const backend = form.data.backend;
+    const name = form.data.name;
+
+    this.api.secrets
+      .keyManagementDeleteKey(name, backend)
       .then(() => {
         this.router.transitionTo(LIST_ROOT_ROUTE, backend);
       })
-      .catch((e) => {
-        this.flashMessages.danger(e.errors?.join('. '));
+      .catch(async (e) => {
+        const { message } = await this.api.parseError(e);
+        this.flashMessages.danger(message);
       });
   }
 
   @task
   @waitFor
   *rotateKey() {
-    const id = this.args.model.name;
-    const backend = this.args.model.backend;
-    const adapter = this.keyAdapter;
-    yield adapter
-      .rotateKey(backend, id)
-      .then(() => {
-        this.flashMessages.success(`Success: ${id} connection was rotated`);
-      })
-      .catch((e) => {
-        this.flashMessages.danger(e.errors);
-      });
+    const { form } = this.args;
+    const name = form.data.name;
+    const backend = form.data.backend;
+
+    try {
+      yield this.api.secrets.keyManagementRotateKey(name, backend);
+      this.flashMessages.success(`Success: ${name} key was rotated`);
+      this.router.refresh();
+    } catch (error) {
+      const { message } = yield this.api.parseError(error);
+      this.flashMessages.danger(message);
+    }
   }
 }
diff --git a/ui/app/components/keymgmt/provider-edit.hbs b/ui/app/components/keymgmt/provider-edit.hbs
index 85899b5212..1a2461ce9e 100644
--- a/ui/app/components/keymgmt/provider-edit.hbs
+++ b/ui/app/components/keymgmt/provider-edit.hbs
@@ -5,25 +5,29 @@
 
 <Page::Header @title={{this.title}} @subtitle={{this.subtitle}}>
   <:breadcrumbs>
-    <KeyValueHeader @path="vault.cluster.secrets.backend.show" @mode={{@mode}} @root={{@root}} @showCurrent={{true}} />
+    <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
 {{#if this.isDistributing}}
-  <Keymgmt::Distribute @backend={{@model.backend}} @provider={{@model.id}} @onClose={{fn (mut this.isDistributing) false}} />
+  <Keymgmt::Distribute
+    @backend={{@form.data.backend}}
+    @provider={{@form.data.name}}
+    @onClose={{fn (mut this.isDistributing) false}}
+  />
 {{else}}
   {{#if this.isShowing}}
     <div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless">
       <nav class="tabs" aria-label="navigation for managing providers">
         <ul>
           <li class={{unless this.viewingKeys "active"}} data-test-kms-provider-tab="details">
-            <LinkTo @route="vault.cluster.secrets.backend.show" @model={{@model.id}} @query={{hash tab=""}}>
+            <LinkTo @route="vault.cluster.secrets.backend.show" @model={{@form.data.name}} @query={{hash tab=""}}>
               Details
             </LinkTo>
           </li>
-          {{#if @model.canListKeys}}
+          {{#if @capabilities.canListKeys}}
             <li class={{if this.viewingKeys "active"}} data-test-kms-provider-tab="keys">
-              <LinkTo @route="vault.cluster.secrets.backend.show" @model={{@model.id}} @query={{hash tab="keys"}}>
+              <LinkTo @route="vault.cluster.secrets.backend.show" @model={{@form.data.name}} @query={{hash tab="keys"}}>
                 Keys
               </LinkTo>
             </li>
@@ -34,10 +38,10 @@
     {{#unless this.viewingKeys}}
       <Toolbar
         data-test-kms-provider-details-actions
-        aria-label="options for managing for key/management provider {{@model.id}}"
+        aria-label="options for managing for key/management provider {{@form.data.name}}"
       >
         <ToolbarActions>
-          {{#if @model.canDelete}}
+          {{#if @capabilities.canDelete}}
             <ConfirmAction
               @buttonText="Delete provider"
               class="toolbar-button"
@@ -45,20 +49,20 @@
               @confirmTitle="Delete this provider?"
               @onConfirmAction={{this.onDelete}}
               @disabledMessage={{if
-                @model.keys.length
+                this.keyCount
                 (concat
                   "This provider cannot be deleted until all "
-                  @model.keys.length
+                  this.keyCount
                   " key(s) distributed to it are revoked. This can be done from the Keys tab."
                 )
               }}
               data-test-kms-provider-delete
             />
           {{/if}}
-          {{#if (and @model.canDelete (or @model.canListKeys @model.canEdit))}}
+          {{#if (and @capabilities.canDelete (or @capabilities.canListKeys @capabilities.canEdit))}}
             <div class="toolbar-separator"></div>
           {{/if}}
-          {{#if (or @model.canListKeys @model.canCreateKeys)}}
+          {{#if (or @capabilities.canListKeys @capabilities.canCreateKeys)}}
             <Hds::Button
               @text="Distribute key"
               @icon="chevron-right"
@@ -69,13 +73,13 @@
               data-test-distribute-key
             />
           {{/if}}
-          {{#if @model.canEdit}}
+          {{#if @capabilities.canEdit}}
             <ToolbarSecretLink
-              @secret={{@model.id}}
+              @secret={{@form.data.name}}
               @mode="edit"
               @replace={{true}}
               @queryParams={{hash itemType="provider"}}
-              disabled={{(not @model.canEdit)}}
+              disabled={{(not @capabilities.canEdit)}}
             >
               Update credentials
             </ToolbarSecretLink>
@@ -87,24 +91,34 @@
     <form aria-label="update credentials" {{on "submit" this.onSave}}>
       <div class="box is-sideless is-fullwidth is-marginless">
         {{#if this.isCreating}}
-          {{#each @model.createFields as |attr index|}}
+          {{#each @form.createFields as |attr index|}}
             {{#if (eq index 2)}}
               <div class="has-border-top-light">
                 <h2 class="title is-5 has-top-margin-l has-bottom-margin-m" data-test-kms-provider-config-title>
                   Provider configuration
                 </h2>
               </div>
-              {{#if @model.provider}}
+              {{#if @form.data.provider}}
                 {{! Only show last field if provider selected }}
-                <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+                <FormField
+                  @attr={{attr}}
+                  @model={{@form}}
+                  @modelValidations={{this.modelValidations}}
+                  @onChange={{this.onFieldChange}}
+                />
               {{else}}
-                <Hds::ApplicationState @align="center" class="top-padding-32 bottom-padding-32" as |A|>
-                  <A.Header @title="No provider selected" @titleTag="h2" />
-                  <A.Body @text="Select a provider in order to configure it." />
+                <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+                  <A.Header @title="No provider selected" @titleTag="h2" data-test-empty-state-title />
+                  <A.Body @text="Select a provider in order to configure it." data-test-empty-state-message />
                 </Hds::ApplicationState>
               {{/if}}
             {{else}}
-              <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+              <FormField
+                @attr={{attr}}
+                @model={{@form}}
+                @modelValidations={{this.modelValidations}}
+                @onChange={{this.onFieldChange}}
+              />
             {{/if}}
           {{/each}}
         {{/if}}
@@ -116,8 +130,13 @@
             Old credentials cannot be read and will be lost as soon as new ones are added. Do this carefully.
           </p>
         {{/unless}}
-        {{#each @model.credentialFields as |cred|}}
-          <FormField @attr={{cred}} @model={{@model}} @modelValidations={{this.modelValidations}} />
+        {{#each @form.credentialFields as |cred|}}
+          <FormField
+            @attr={{cred}}
+            @model={{@form}}
+            @modelValidations={{this.modelValidations}}
+            @onChange={{this.onFieldChange}}
+          />
         {{/each}}
       </div>
       <div class="field is-grouped box is-fullwidth is-bottomless">
@@ -133,7 +152,7 @@
             @text="Cancel"
             @color="secondary"
             @route={{if this.isCreating @root.path "vault.cluster.secrets.backend.show"}}
-            @model={{if this.isCreating @root.model @model.id}}
+            @model={{if this.isCreating @root.model @form.data.name}}
             @query={{if this.isCreating (hash tab="provider") (hash itemType="provider")}}
             disabled={{this.saveTask.isRunning}}
             data-test-kms-provider-cancel
@@ -147,8 +166,8 @@
     <div class="has-bottom-margin-s">
       {{#if this.viewingKeys}}
         {{#let (options-for-backend "keymgmt" "key") as |options|}}
-          {{#if @model.keys.meta.total}}
-            {{#each @model.keys as |key|}}
+          {{#if @form.data.keys.meta.total}}
+            {{#each @form.data.keys as |key|}}
               <SecretList::Item
                 @item={{key}}
                 @backendModel={{@root}}
@@ -161,16 +180,16 @@
               />
             {{/each}}
             <Hds::Pagination::Numbered
-              @currentPage={{@model.keys.meta.currentPage}}
-              @currentPageSize={{@model.keys.meta.pageSize}}
+              @currentPage={{@form.data.keys.meta.currentPage}}
+              @currentPageSize={{@form.data.keys.meta.pageSize}}
               @route="vault.cluster.secrets.backend.show"
               @showSizeSelector={{false}}
-              @totalItems={{@model.keys.meta.total}}
+              @totalItems={{@form.data.keys.meta.total}}
               @onPageChange={{perform this.fetchKeys}}
             />
 
           {{else}}
-            <Hds::ApplicationState @align="center" class="top-padding-32 bottom-padding-32" as |A|>
+            <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
               <A.Header @title="No keys for this provider" @titleTag="h2" />
               <A.Body @text="Keys for this provider will be listed here. Add a key to get started." />
               <A.Footer as |F|>
@@ -185,28 +204,28 @@
           {{/if}}
         {{/let}}
       {{else}}
-        {{#each @model.showFields as |attr|}}
-          {{#if attr.hasBlock}}
-            <InfoTableRow @label={{attr.label}} @value={{attr.value}} data-test-kms-provider-field={{attr.name}}>
-              {{#if attr.icon}}
-                <Icon @name={{attr.icon}} class="icon" />
-              {{/if}}
-              {{#if attr.isLink}}
-                <LinkTo @route="vault.cluster.secrets.backend.show" @model={{@model.id}} @query={{hash tab="keys"}}>
-                  {{attr.value}}
+        {{#each this.displayFields as |field|}}
+          {{#if (eq field "provider")}}
+            <InfoTableRow
+              @label={{this.label field}}
+              @value={{this.providerTypeName @form.data.provider}}
+              data-test-kms-provider-field={{field}}
+            >
+              <Icon @name={{this.providerIcon @form.data.provider}} class="icon" />
+              {{this.providerTypeName @form.data.provider}}
+            </InfoTableRow>
+          {{else if (eq field "keys")}}
+            <InfoTableRow @label={{this.label field}} @value={{this.keysValue}} data-test-kms-provider-field={{field}}>
+              {{#if this.keyCount}}
+                <LinkTo @route="vault.cluster.secrets.backend.show" @model={{@form.data.name}} @query={{hash tab="keys"}}>
+                  {{this.keysValue}}
                 </LinkTo>
               {{else}}
-                {{attr.value}}
+                {{this.keysValue}}
               {{/if}}
             </InfoTableRow>
           {{else}}
-            <InfoTableRow
-              @alwaysRender={{true}}
-              @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-              @value={{get @model attr.name}}
-              @defaultShown={{attr.options.defaultShown}}
-              @formatDate={{if (eq attr.type "date") "MMM d yyyy, h:mm:ss aaa"}}
-            />
+            <InfoTableRow @alwaysRender={{true}} @label={{this.label field}} @value={{get @form.data field}} />
           {{/if}}
         {{/each}}
       {{/if}}
diff --git a/ui/app/components/keymgmt/provider-edit.js b/ui/app/components/keymgmt/provider-edit.js
index cf53eed6af..ddd16b8dc1 100644
--- a/ui/app/components/keymgmt/provider-edit.js
+++ b/ui/app/components/keymgmt/provider-edit.js
@@ -9,7 +9,9 @@ import { action } from '@ember/object';
 import { tracked } from '@glimmer/tracking';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
-import { removeFromArray } from 'vault/helpers/remove-from-array';
+import { paginate } from 'core/utils/paginate-list';
+import { getKeymgmtProviderIcon } from 'vault/utils/keymgmt-provider-utils';
+import { SecretsApiKeyManagementListKeysInKmsProviderListEnum } from '@hashicorp/vault-client-typescript';
 
 /**
  * @module KeymgmtProviderEdit
@@ -17,17 +19,23 @@ import { removeFromArray } from 'vault/helpers/remove-from-array';
  *
  * @example
  * ```js
- * <KeymgmtProviderEdit @model={model} @mode="show" />
+ * <KeymgmtProviderEdit @form={form} @mode="show" />
  * ```
- * @param {object} model - model is the data from the store
+ * @param {object} form - form is the data backing create/edit/show
  * @param {string} mode - mode controls which view is shown on the component - show | create |
  * @param {string} [tab] - Options are "details" or "keys" for the show mode only
  */
 
 export default class KeymgmtProviderEdit extends Component {
+  @service api;
+  @service capabilities;
   @service router;
   @service flashMessages;
 
+  @tracked modelValidations;
+  @tracked invalidFormAlert;
+  @tracked isDistributing = false;
+
   constructor() {
     super(...arguments);
     // key count displayed in details tab and keys are listed in keys tab
@@ -36,7 +44,62 @@ export default class KeymgmtProviderEdit extends Component {
     }
   }
 
-  @tracked modelValidations;
+  displayFields = ['name', 'provider', 'key_collection', 'keys'];
+
+  label(field) {
+    const labels = {
+      name: 'Provider name',
+      provider: 'Type',
+      key_collection: 'Key Vault instance name',
+      keys: 'Keys',
+    };
+    return labels[field] || field;
+  }
+
+  providerTypeName(provider) {
+    return (
+      {
+        azurekeyvault: 'Azure Key Vault',
+        awskms: 'AWS Key Management Service',
+        gcpckms: 'Google Cloud Key Management Service',
+      }[provider] || provider
+    );
+  }
+
+  providerIcon(provider) {
+    return getKeymgmtProviderIcon(provider);
+  }
+
+  get keyCount() {
+    return this.args.form.data.keys?.length || 0;
+  }
+
+  get keysValue() {
+    if (this.keyCount) {
+      return `${this.keyCount} ${this.keyCount > 1 ? 'keys' : 'key'}`;
+    }
+    return this.args.capabilities?.canListKeys ? 'None' : 'You do not have permission to list keys';
+  }
+
+  get breadcrumbs() {
+    return [
+      {
+        label: 'Vault',
+        icon: 'vault',
+        route: 'vault.cluster.dashboard',
+      },
+      {
+        label: 'Secrets engines',
+        route: 'vault.cluster.secrets.backends',
+      },
+      {
+        label: this.args.form.data.backend,
+        route: 'vault.cluster.secrets.backend.list-root',
+        model: this.args.form.data.backend,
+      },
+      { label: this.title },
+    ];
+  }
 
   get title() {
     if (this.isDistributing) {
@@ -51,7 +114,7 @@ export default class KeymgmtProviderEdit extends Component {
   }
 
   get subtitle() {
-    return this.isShowing ? this.args.model.id : '';
+    return this.isShowing ? this.args.form.data.name : '';
   }
 
   get isShowing() {
@@ -67,30 +130,81 @@ export default class KeymgmtProviderEdit extends Component {
   @task
   @waitFor
   *saveTask() {
-    const { model } = this.args;
+    const { form } = this.args;
+    const { backend, name, provider, key_collection, credentials } = form.data;
     try {
-      yield model.save();
-      this.router.transitionTo('vault.cluster.secrets.backend.show', model.id, {
+      yield this.api.secrets.keyManagementWriteKmsProvider(name, backend, {
+        provider,
+        key_collection,
+        credentials,
+      });
+
+      this.router.transitionTo('vault.cluster.secrets.backend.show', name, {
         queryParams: { itemType: 'provider' },
       });
     } catch (error) {
-      this.flashMessages.danger(error.errors.join('. '));
+      const { message } = yield this.api.parseError(error);
+      this.flashMessages.danger(message);
     }
   }
+
   @task
   @waitFor
   *fetchKeys(page) {
+    const { form, capabilities } = this.args;
+    const backend = form.data.backend;
+    const providerName = form.data.name;
+
+    if (!capabilities?.canListKeys) {
+      form.data.keys = [];
+      return;
+    }
+
     try {
-      yield this.args.model.fetchKeys(page);
+      const { keys } = yield this.api.secrets.keyManagementListKeysInKmsProvider(
+        providerName,
+        backend,
+        SecretsApiKeyManagementListKeysInKmsProviderListEnum.TRUE
+      );
+
+      const keyNames = keys || [];
+      const pathsToFetch = keyNames.map((keyName) =>
+        this.capabilities.pathFor('keymgmtKey', { backend, name: keyName })
+      );
+      const keyCapabilities = yield this.capabilities.fetch(pathsToFetch);
+
+      const keysList = keyNames.map((keyName) => {
+        const keyPath = this.capabilities.pathFor('keymgmtKey', { backend, name: keyName });
+        return {
+          id: keyName,
+          name: keyName,
+          backend,
+          icon: 'key',
+          type: 'key',
+          canRead: keyCapabilities[keyPath]?.canRead || false,
+          canEdit: keyCapabilities[keyPath]?.canUpdate || false,
+          canDelete: keyCapabilities[keyPath]?.canDelete || false,
+        };
+      });
+
+      form.data.keys = paginate(keysList, { page: Number(page) || 1 });
     } catch (error) {
-      this.flashMessages.danger(error.errors.join('. '));
+      const { message, status } = yield this.api.parseError(error);
+      if (status === 404) {
+        form.data.keys = [];
+      } else {
+        this.flashMessages.danger(message);
+      }
     }
   }
 
   @action
   async onSave(event) {
     event.preventDefault();
-    const { isValid, state } = await this.args.model.validate();
+    const { isValid, state, invalidFormMessage } = this.args.form.toJSON();
+    this.modelValidations = isValid ? null : state;
+    this.invalidFormAlert = invalidFormMessage;
+
     if (isValid) {
       this.modelValidations = null;
       this.saveTask.perform();
@@ -98,24 +212,38 @@ export default class KeymgmtProviderEdit extends Component {
       this.modelValidations = state;
     }
   }
+
+  @action
+  onFieldChange(path) {
+    if (path !== 'provider') return;
+
+    // Clear stale validation state on updating Type field so old provider errors do not persist.
+    this.modelValidations = null;
+    this.invalidFormAlert = null;
+  }
+
   @action
   async onDelete() {
     try {
-      const { model, root } = this.args;
-      await model.destroyRecord();
+      const { form, root } = this.args;
+      await this.api.secrets.keyManagementDeleteKmsProvider(form.data.name, form.data.backend);
       this.router.transitionTo(root.path, root.model, { queryParams: { tab: 'provider' } });
     } catch (error) {
-      this.flashMessages.danger(error.errors.join('. '));
+      const { message } = await this.api.parseError(error);
+      this.flashMessages.danger(message);
     }
   }
+
   @action
   async onDeleteKey(model) {
     try {
-      const providerKeys = removeFromArray(this.args.model.keys, model);
-      await model.destroyRecord();
-      this.args.model.keys = providerKeys;
+      const backend = this.args.form.data.backend;
+      const providerName = this.args.form.data.name;
+      await this.api.secrets.keyManagementDeleteKeyInKmsProvider(model.id, providerName, backend);
+      this.fetchKeys.perform(this.args.form.data.keys?.meta.currentPage || 1);
     } catch (error) {
-      this.flashMessages.danger(error.errors.join('. '));
+      const { message } = await this.api.parseError(error);
+      this.flashMessages.danger(message);
     }
   }
 }
diff --git a/ui/app/components/license-info.hbs b/ui/app/components/license-info.hbs
index 3780ff3850..6026a8ff7d 100644
--- a/ui/app/components/license-info.hbs
+++ b/ui/app/components/license-info.hbs
@@ -9,6 +9,12 @@
       @breadcrumbs={{array (hash label="Vault" route="vault.cluster.dashboard" icon="vault") (hash label="License")}}
     />
   </:breadcrumbs>
+  <:description>
+    View your Vault Enterprise license ID, status, expiration date, and feature entitlements.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/license"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
 </Page::Header>
 
 <section class="box is-sideless is-marginless is-shadowless is-fullwidth">
diff --git a/ui/lib/core/app/components/certificate-card.js b/ui/app/components/manage-dropdown.ts
similarity index 57%
rename from ui/lib/core/app/components/certificate-card.js
rename to ui/app/components/manage-dropdown.ts
index 3da3cd13f7..e524fcb744 100644
--- a/ui/lib/core/app/components/certificate-card.js
+++ b/ui/app/components/manage-dropdown.ts
@@ -3,4 +3,4 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-export { default } from 'core/components/certificate-card';
+export { default } from 'core/components/manage-dropdown';
diff --git a/ui/app/components/mfa/login-enforcement-list-item.hbs b/ui/app/components/mfa/login-enforcement-list-item.hbs
index 4d9a0d227f..1c284e6277 100644
--- a/ui/app/components/mfa/login-enforcement-list-item.hbs
+++ b/ui/app/components/mfa/login-enforcement-list-item.hbs
@@ -5,7 +5,7 @@
 
 <LinkedBlock
   class="list-item-row"
-  @params={{array "vault.cluster.access.mfa.enforcements.enforcement" @model.id}}
+  @params={{array "vault.cluster.access.mfa.enforcements.enforcement" @model.name}}
   data-test-list-item={{@model.name}}
 >
   <div class="level is-mobile">
diff --git a/ui/app/components/mfa/method-form.hbs b/ui/app/components/mfa/method-form.hbs
index 31e8bc9da0..10d27f0b49 100644
--- a/ui/app/components/mfa/method-form.hbs
+++ b/ui/app/components/mfa/method-form.hbs
@@ -4,8 +4,8 @@
 }}
 
 <div class="box is-sideless is-fullwidth is-marginless" ...attributes>
-  {{#each @model.attrs as |attr|}}
-    <FormField @attr={{attr}} @model={{@model}} @modelValidations={{or @validations this.editValidations}} />
+  {{#each @form.formFields as |field|}}
+    <FormField @attr={{field}} @model={{@form}} @modelValidations={{@validations}} />
   {{/each}}
 </div>
 {{#if @hasActions}}
@@ -24,10 +24,10 @@
 {{/if}}
 
 <ConfirmationModal
-  @title="Edit {{@model.type}} configuration?"
+  @title="Edit {{@form.type}} configuration?"
   @onClose={{action (mut this.isEditModalActive) false}}
   @isActive={{this.isEditModalActive}}
-  @confirmText={{@model.type}}
+  @confirmText={{@form.type}}
   @onConfirm={{perform this.save}}
 >
   <p>
diff --git a/ui/app/components/mfa/method-form.js b/ui/app/components/mfa/method-form.js
index 575ae038b2..c5163cb4bf 100644
--- a/ui/app/components/mfa/method-form.js
+++ b/ui/app/components/mfa/method-form.js
@@ -22,36 +22,45 @@ import { task } from 'ember-concurrency';
  * @param {onClose} [onClose] - callback when cancel is triggered
  */
 export default class MfaMethodForm extends Component {
-  @service store;
   @service flashMessages;
+  @service api;
 
   @tracked editValidations;
   @tracked isEditModalActive = false;
 
   @task
   *save() {
+    const { data } = this.args.form.toJSON();
+
     try {
-      yield this.args.model.save();
+      if (this.args.form.type === 'totp') {
+        yield this.api.identity.mfaUpdateTotpMethod(data.id, { ...data });
+      } else if (this.args.form.type === 'duo') {
+        yield this.api.identity.mfaUpdateDuoMethod(data.id, { ...data });
+      } else if (this.args.form.type === 'okta') {
+        yield this.api.identity.mfaUpdateOktaMethod(data.id, { ...data });
+      } else if (this.args.form.type === 'pingid') {
+        yield this.api.identity.mfaUpdatePingIdaMethod(data.id, { ...data });
+      }
       this.args.onSave();
     } catch (e) {
       this.flashMessages.danger(e.errors?.join('. ') || e.message);
     }
   }
 
+  @action
+  cancel() {
+    this.args?.onClose?.();
+  }
+
   @action
   async initSave(e) {
     e.preventDefault();
-    const { isValid, state } = await this.args.model.validate();
+    const { isValid, state } = await this.args.form.toJSON();
     if (isValid) {
       this.isEditModalActive = true;
     } else {
       this.editValidations = state;
     }
   }
-
-  @action
-  cancel() {
-    this.args.model.rollbackAttributes();
-    this.args.onClose();
-  }
 }
diff --git a/ui/app/components/mfa/method-list-item.hbs b/ui/app/components/mfa/method-list-item.hbs
index b29f269b0c..170b37c9ca 100644
--- a/ui/app/components/mfa/method-list-item.hbs
+++ b/ui/app/components/mfa/method-list-item.hbs
@@ -14,7 +14,7 @@
         <Hds::Icon @size="24" @name={{@model.icon}} class="has-text-grey" data-test-mfa-method-list-icon={{@model.type}} />
         <div>
           <span class="has-text-weight-semibold has-text-black">
-            {{@model.name}}
+            {{@model.displayName}}
           </span>
           <Hds::Badge @text={{@model.id}} class="has-left-margin-xs" />
           {{#if @model.namespace_path}}
diff --git a/ui/app/components/mfa/mfa-login-enforcement-form.hbs b/ui/app/components/mfa/mfa-login-enforcement-form.hbs
index 063cb2cc77..87457ccd48 100644
--- a/ui/app/components/mfa/mfa-login-enforcement-form.hbs
+++ b/ui/app/components/mfa/mfa-login-enforcement-form.hbs
@@ -2,149 +2,132 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-
 <div ...attributes>
-  <FormFieldLabel
-    for="name"
-    @label="Name"
-    @subText="The name for this enforcement. Giving it a name means that you can refer to it again later. This name will not be editable later."
-    data-test-mlef-label="name"
-  />
-  <input
-    autocomplete="off"
-    spellcheck="false"
-    value={{@model.name}}
-    disabled={{not @model.isNew}}
-    class="input field {{if this.errors.name.errors 'has-error-border'}}"
-    data-test-mlef-input="name"
-    id="name"
-    {{on "input" (pipe (pick "target.value") (fn (mut @model.name)))}}
-  />
-  {{#if this.errors.name.errors}}
-    <AlertInline @type="danger" @message={{join ", " this.errors.name.errors}} />
-  {{/if}}
-
-  {{#unless @isInline}}
-    <div class="field">
-      <FormFieldLabel
-        for="methods"
-        @label="MFA methods"
-        @subText="The MFA method(s) that this enforcement will apply to."
-        data-test-mlef-label="methods"
-      />
-      {{! component only computes inputValue on init -- ensure Ember Data hasMany promise has resolved }}
-      {{#if @model.mfa_methods.isFulfilled}}
-        <SearchSelect
-          @id="methods"
-          @placeholder="Type to search for existing MFA methods"
-          @inputValue={{map-by "id" this.mfaMethods}}
-          @shouldRenderName={{true}}
-          @disallowNewItems={{true}}
-          @models={{array "mfa-method"}}
-          @onChange={{this.onMethodChange}}
-          data-test-mlef-search="methods"
-        />
-      {{/if}}
-      {{#if this.errors.mfa_methods.errors}}
-        <AlertInline @type="danger" @message={{join ", " this.errors.mfa_methods.errors}} />
-      {{/if}}
-    </div>
-  {{/unless}}
-
-  <div>
-    <FormFieldLabel
-      for="targets"
-      @label="Targets"
-      @subText="The list of authentication types, authentication mounts, groups, and/or entities that will require this MFA configuration."
-      data-test-mlef-label="targets"
-    />
-    {{#each this.targets as |target|}}
-      <div class="is-flex-center has-border-top-light" data-test-mlef-target={{target.label}}>
-        <InfoTableRow @label={{target.label}} class="is-flex-grow-1 has-no-shadow">
-          {{#if target.value.id}}
-            {{target.value.name}}
-            <Hds::Badge @text={{target.value.id}} class="has-left-margin-s" />
-          {{else}}
-            {{target.value}}
+  {{#each @form.formFieldGroups as |fieldGroup|}}
+    {{#each-in fieldGroup as |group fields|}}
+      {{#if (eq group "name")}}
+        {{#each fields as |field|}}
+          <FormField @attr={{field}} @model={{@form}} @modelValidations={{or @modelErrors this.modelErrors}} />
+        {{/each}}
+      {{else if (eq group "mfa_methods")}}
+        {{#unless @isInline}}
+          {{#each fields as |field|}}
+            <FormField @attr={{field}} @model={{@form}} @modelValidations={{or @modelErrors this.modelErrors}}>
+              {{#if @methods}}
+                <SearchSelect
+                  @id="methods"
+                  @placeholder="Type to search for existing MFA methods"
+                  @inputValue={{map-by "id" @form.mfa_methods}}
+                  @parentManageSelected={{@form.mfa_methods}}
+                  @shouldRenderName={{true}}
+                  @disallowNewItems={{true}}
+                  @options={{@methods}}
+                  @nameKey="displayName"
+                  @onChange={{this.onMethodChange}}
+                  data-test-mlef-search="methods"
+                />
+              {{/if}}
+            </FormField>
+          {{/each}}
+        {{/unless}}
+      {{else if (eq group "targets")}}
+        <div>
+          <FormFieldLabel
+            for="targets"
+            @label="Targets"
+            @subText="The list of authentication types, authentication mounts, groups, and/or entities that will require this MFA configuration."
+            data-test-mlef-label="targets"
+          />
+          {{#each this.targets as |target|}}
+            <div class="is-flex-center has-border-top-light" data-test-mlef-target={{target.label}}>
+              <InfoTableRow @label={{target.label}} class="is-flex-grow-1 has-no-shadow">
+                {{#if target.value.id}}
+                  {{target.value.name}}
+                  <Hds::Badge @text={{target.value.id}} class="has-left-margin-s" />
+                {{else}}
+                  {{target.value}}
+                {{/if}}
+              </InfoTableRow>
+              <Hds::Button
+                @text="Remove target"
+                @icon="trash"
+                @isIconOnly={{true}}
+                @color="secondary"
+                data-test-mlef-remove-target={{target.label}}
+                {{on "click" (fn this.removeTarget target)}}
+              />
+            </div>
+          {{/each}}
+          <div class="is-flex-row {{if this.targets 'has-top-padding-s has-border-top-light'}}">
+            <Select
+              class="is-marginless"
+              @options={{this.targetTypes}}
+              @labelAttribute="label"
+              @valueAttribute="type"
+              @selectedValue={{this.selectedTargetType}}
+              @onChange={{this.onTargetSelect}}
+              @name="target-type"
+              data-test-mlef-select="target-type"
+              aria-label="Target type"
+            />
+            <div class="has-left-margin-s is-flex-grow-1">
+              {{#if (eq this.selectedTargetType "accessor")}}
+                <MountAccessorSelect
+                  @value={{this.selectedTargetValue}}
+                  @showAccessor={{true}}
+                  @noDefault={{true}}
+                  @onChange={{this.setTargetValue}}
+                  @filterToken={{true}}
+                  data-test-mlef-select="accessor"
+                />
+              {{else if (eq this.selectedTargetType "method")}}
+                <Select
+                  @options={{this.authMethods}}
+                  @labelAttribute="displayName"
+                  @valueAttribute="value"
+                  @isFullwidth={{true}}
+                  @noDefault={{true}}
+                  @selectedValue={{this.selectedTargetValue}}
+                  @onChange={{this.setTargetValue}}
+                  @name="Auth method"
+                  data-test-mlef-select="auth-method"
+                  aria-label="Auth method"
+                />
+              {{else}}
+                <SearchSelect
+                  @id="existing-targets"
+                  @placeholder="Search for an existing target"
+                  @options={{this.searchSelect.options}}
+                  @parentManageSelected={{this.searchSelect.selected}}
+                  @shouldRenderName={{true}}
+                  @selectLimit={{1}}
+                  @onChange={{this.setTargetValue}}
+                  data-test-mlef-search={{this.selectedTargetType}}
+                />
+              {{/if}}
+            </div>
+            <Hds::Button
+              @text="Add"
+              @color="secondary"
+              class="has-left-margin-s"
+              disabled={{not this.selectedTargetValue}}
+              data-test-mlef-add-target
+              {{on "click" this.addTarget}}
+            />
+          </div>
+          {{#if this.errors.targets.errors}}
+            <AlertInline class="has-top-padding-s" @type="danger" @message={{join ", " this.errors.targets.errors}} />
           {{/if}}
-        </InfoTableRow>
-        <Hds::Button
-          @text="Remove target"
-          @icon="trash"
-          @isIconOnly={{true}}
-          @color="secondary"
-          data-test-mlef-remove-target={{target.label}}
-          {{on "click" (fn this.removeTarget target)}}
-        />
-      </div>
-    {{/each}}
-    <div class="is-flex-row {{if this.targets 'has-top-padding-s has-border-top-light'}}">
-      <Select
-        class="is-marginless"
-        @options={{this.targetTypes}}
-        @labelAttribute="label"
-        @valueAttribute="type"
-        @selectedValue={{this.selectedTargetType}}
-        @onChange={{this.onTargetSelect}}
-        @name="target-type"
-        data-test-mlef-select="target-type"
-        aria-label="Target type"
-      />
-      <div class="has-left-margin-s is-flex-grow-1">
-        {{#if (eq this.selectedTargetType "accessor")}}
-          <MountAccessorSelect
-            @value={{this.selectedTargetValue}}
-            @showAccessor={{true}}
-            @noDefault={{true}}
-            @onChange={{this.setTargetValue}}
-            @filterToken={{true}}
-            data-test-mlef-select="accessor"
-          />
-        {{else if (eq this.selectedTargetType "method")}}
-          <Select
-            @options={{this.authMethods}}
-            @labelAttribute="displayName"
-            @valueAttribute="value"
-            @isFullwidth={{true}}
-            @noDefault={{true}}
-            @selectedValue={{this.selectedTargetValue}}
-            @onChange={{this.setTargetValue}}
-            @name="Auth method"
-            data-test-mlef-select="auth-method"
-            aria-label="Auth method"
-          />
-        {{else}}
-          <SearchSelect
-            @id="existing-targets"
-            @placeholder="Search for an existing target"
-            @options={{this.searchSelect.options}}
-            @parentManageSelected={{this.searchSelect.selected}}
-            @shouldRenderName={{true}}
-            @selectLimit={{1}}
-            @onChange={{this.setTargetValue}}
-            data-test-mlef-search={{this.selectedTargetType}}
-          />
-        {{/if}}
-      </div>
-      <Hds::Button
-        @text="Add"
-        @color="secondary"
-        class="has-left-margin-s"
-        disabled={{not this.selectedTargetValue}}
-        data-test-mlef-add-target
-        {{on "click" this.addTarget}}
-      />
-    </div>
-    {{#if this.errors.targets.errors}}
-      <AlertInline class="has-top-padding-s" @type="danger" @message={{join ", " this.errors.targets.errors}} />
-    {{/if}}
-  </div>
+        </div>
+      {{/if}}
+    {{/each-in}}
+  {{/each}}
   {{#unless @isInline}}
     <hr />
     <div class="has-top-padding-s">
       <Hds::ButtonSet>
         <Hds::Button
-          @text={{if @model.isNew "Create" "Update"}}
+          @text={{if @form.isNew "Create" "Update"}}
           @icon={{if this.save.isRunning "loading"}}
           disabled={{this.save.isRunning}}
           data-test-mlef-save
diff --git a/ui/app/components/mfa/mfa-login-enforcement-form.js b/ui/app/components/mfa/mfa-login-enforcement-form.js
index dd8add26a3..7ed7f6c924 100644
--- a/ui/app/components/mfa/mfa-login-enforcement-form.js
+++ b/ui/app/components/mfa/mfa-login-enforcement-form.js
@@ -8,9 +8,10 @@ import { tracked } from '@glimmer/tracking';
 import { action } from '@ember/object';
 import { service } from '@ember/service';
 import { task } from 'ember-concurrency';
-import { addManyToArray, addToArray } from 'vault/helpers/add-to-array';
+import { addToArray } from 'vault/helpers/add-to-array';
 import { removeFromArray } from 'vault/helpers/remove-from-array';
 import AuthMethodResource from 'vault/resources/auth/method';
+import { prepareTargets } from 'vault/utils/mfa-login-enforcement-helpers';
 
 /**
  * @module MfaLoginEnforcementForm
@@ -22,7 +23,7 @@ import AuthMethodResource from 'vault/resources/auth/method';
  * ```
  * @callback onSave
  * @callback onClose
- * @param {Object} model - login enforcement model
+ * @param {Object} model - login enforcement form model
  * @param {Object} [isInline] - toggles inline display of form -- method selector and actions are hidden and should be handled externally
  * @param {Object} [modelErrors] - model validations state object if handling actions externally when displaying inline
  * @param {onSave} [onSave] - triggered on save success
@@ -30,16 +31,16 @@ import AuthMethodResource from 'vault/resources/auth/method';
  */
 
 export default class MfaLoginEnforcementForm extends Component {
-  @service store;
   @service flashMessages;
   @service api;
 
   targetTypes = [
     { label: 'Authentication mount', type: 'accessor', key: 'auth_method_accessors' },
     { label: 'Authentication method', type: 'method', key: 'auth_method_types' },
-    { label: 'Group', type: 'identity/group', key: 'identity_groups' },
-    { label: 'Entity', type: 'identity/entity', key: 'identity_entities' },
+    { label: 'Group', type: 'identity/group', key: 'identity_group_ids' },
+    { label: 'Entity', type: 'identity/entity', key: 'identity_entity_ids' },
   ];
+
   searchSelectOptions = null;
 
   @tracked name;
@@ -67,12 +68,12 @@ export default class MfaLoginEnforcementForm extends Component {
   }
 
   async flattenTargets() {
-    for (const { label, key } of this.targetTypes) {
-      const targetArray = await this.args.model[key];
-      const targets = targetArray.map((value) => ({ label, key, value }));
-      this.targets = addManyToArray(this.targets, targets);
-    }
+    const preparedTargets = await prepareTargets(this.args.form, this.api, {
+      includeFormFields: true,
+    });
+    this.targets = preparedTargets;
   }
+
   async resetTargetState() {
     this.selectedTargetValue = null;
     const options = this.searchSelectOptions || {};
@@ -80,7 +81,9 @@ export default class MfaLoginEnforcementForm extends Component {
       const types = ['identity/group', 'identity/entity'];
       for (const type of types) {
         try {
-          options[type] = await this.store.query(type, {});
+          const apiMethod = type === 'identity/group' ? 'groupListById' : 'entityListById';
+          const response = await this.api.identity[apiMethod](true);
+          options[type] = this.api.keyInfoToArray(response);
         } catch (error) {
           options[type] = [];
         }
@@ -103,32 +106,57 @@ export default class MfaLoginEnforcementForm extends Component {
   }
 
   async fetchMfaMethods() {
-    // mfa_methods is a hasMany on the model, thus returning a PromiseProxyArray. Before it can be accessed on the template we need to resolve it first.
-    this.mfaMethods = await this.args.model.mfa_methods;
+    // @methods now contains API response data (plain objects) instead of Ember Data models
+    const methods = this.args.methods || [];
+
+    // If the form already has mfa_methods set (e.g., editing existing enforcement),
+    // filter to show only the selected methods
+    if (this.args.form.mfa_methods && this.args.form.mfa_methods.length > 0) {
+      this.mfaMethods = methods.filter((method) => this.args.form.mfa_methods.includes(method.id));
+    } else {
+      // For new enforcements, start with empty selection
+      this.mfaMethods = [];
+    }
   }
 
   get selectedTarget() {
     return this.targetTypes.find((tt) => tt.type === this.selectedTargetType);
   }
+
   get errors() {
     return this.args.modelErrors || this.modelErrors;
   }
 
   updateModelForKey(key) {
-    const newValue = this.targets.filter((t) => t.key === key).map((t) => t.value);
-    this.args.model[key] = newValue;
+    // For identity entities and groups, extract IDs from the model objects
+    if (key === 'identity_entity_ids' || key === 'identity_group_ids') {
+      const newValue = this.targets.filter((t) => t.key === key).map((t) => t.value.id);
+      this.args.form[key] = newValue;
+    } else {
+      const newValue = this.targets.filter((t) => t.key === key).map((t) => t.value);
+      this.args.form[key] = newValue;
+    }
   }
 
   @task
   *save() {
     this.modelErrors = {};
     // check validity state first and abort if invalid
-    const { isValid, state } = this.args.model.validate();
+    const { data, isValid, state } = this.args.form.toJSON();
+
     if (!isValid) {
       this.modelErrors = state;
     } else {
       try {
-        yield this.args.model.save();
+        const { name, mfa_methods, ...enforcementData } = data;
+        yield this.api.identity.mfaWriteLoginEnforcement(name, {
+          ...enforcementData,
+          auth_method_accessors: enforcementData.auth_method_accessors || [],
+          auth_method_types: enforcementData.auth_method_types || [],
+          identity_entity_ids: enforcementData.identity_entity_ids || [],
+          identity_group_ids: enforcementData.identity_group_ids || [],
+          mfa_method_ids: mfa_methods || [],
+        });
         this.args.onSave();
       } catch (error) {
         const message = error.errors ? error.errors.join('. ') : error.message;
@@ -139,18 +167,12 @@ export default class MfaLoginEnforcementForm extends Component {
 
   @action
   async onMethodChange(selectedIds) {
-    // first make sure the async relationship is loaded
-    const methods = await this.args.model.mfa_methods;
-    // then remove items that are no longer selected
-    const updatedList = methods.filter((model) => {
-      return selectedIds.includes(model.id);
-    });
-    // then add selected items that don't exist in the list already
-    const modelIds = updatedList.map((model) => model.id);
-    const toAdd = selectedIds
-      .filter((id) => !modelIds.includes(id))
-      .map((id) => this.store.peekRecord('mfa-method', id));
-    this.args.model.mfa_methods = addManyToArray(updatedList, toAdd);
+    // Update the form's mfa_methods field with the selected IDs
+    this.args.form.mfa_methods = selectedIds;
+
+    // Update mfaMethods to reflect the current selection for the SearchSelect component
+    const methods = this.args.methods || [];
+    this.mfaMethods = methods.filter((method) => selectedIds.includes(method.id));
   }
 
   @action
@@ -162,8 +184,9 @@ export default class MfaLoginEnforcementForm extends Component {
   setTargetValue(selected) {
     const { type } = this.selectedTarget;
     if (type.includes('identity')) {
-      // for identity groups and entities grab model from store as value
-      this.selectedTargetValue = this.store.peekRecord(type, selected[0]);
+      // Find the selected item from the already-fetched options
+      const selectedItem = this.searchSelectOptions[type].find((item) => item.id === selected[0]);
+      this.selectedTargetValue = selectedItem;
     } else {
       this.selectedTargetValue = selected;
     }
@@ -188,7 +211,6 @@ export default class MfaLoginEnforcementForm extends Component {
   @action
   cancel() {
     // revert model changes
-    this.args.model.rollbackAttributes();
     this.args.onClose();
   }
 }
diff --git a/ui/app/components/mfa/mfa-login-enforcement-header.js b/ui/app/components/mfa/mfa-login-enforcement-header.js
index d81edc630f..2b10bf3934 100644
--- a/ui/app/components/mfa/mfa-login-enforcement-header.js
+++ b/ui/app/components/mfa/mfa-login-enforcement-header.js
@@ -7,6 +7,8 @@ import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
 import { service } from '@ember/service';
 import { action } from '@ember/object';
+import { fetchMfaLoginEnforcements } from 'vault/utils/mfa-login-enforcement-helpers';
+import MfaLoginEnforcementForm from 'vault/forms/mfa/login-enforcement';
 
 /**
  * @module MfaLoginEnforcementHeader
@@ -27,7 +29,7 @@ import { action } from '@ember/object';
  */
 
 export default class MfaLoginEnforcementHeaderComponent extends Component {
-  @service store;
+  @service api;
 
   constructor() {
     super(...arguments);
@@ -36,29 +38,31 @@ export default class MfaLoginEnforcementHeaderComponent extends Component {
     }
   }
 
-  @tracked enforcements = [];
+  breadcrumbs = [
+    {
+      label: 'Vault',
+      route: 'vault.cluster.dashboard',
+      icon: 'vault',
+    },
+    {
+      label: 'Multi-factor authentication',
+      route: 'vault.cluster.access.mfa.methods.index',
+    },
+    {
+      label: 'Enforcements',
+      route: 'vault.cluster.access.mfa.enforcements.index',
+    },
+    {
+      label: this.args.heading,
+    },
+  ];
 
-  get breadcrumbs() {
-    return [
-      {
-        label: 'Vault',
-        route: 'vault.cluster.dashboard',
-        icon: 'vault',
-      },
-      {
-        label: 'Enforcements',
-        route: 'vault.cluster.access.mfa.enforcements.index',
-      },
-      {
-        label: this.args.heading,
-      },
-    ];
-  }
+  @tracked enforcements = [];
 
   async fetchEnforcements() {
     try {
       // cache initial values for lookup in select handler
-      this._enforcements = await this.store.query('mfa-login-enforcement', {});
+      this._enforcements = await fetchMfaLoginEnforcements(this.api);
       this.enforcements = [...this._enforcements];
     } catch (error) {
       this.enforcements = [];
@@ -68,7 +72,12 @@ export default class MfaLoginEnforcementHeaderComponent extends Component {
   @action
   onEnforcementSelect([name]) {
     // search select returns array of strings, in this case enforcement name
-    // lookup model and pass to callback
-    this.args.onEnforcementSelect(this._enforcements.find((enf) => enf.name === name));
+    // lookup enforcement data and wrap in form instance
+    const enforcementData = this._enforcements.find((enf) => enf.id === name);
+    if (enforcementData) {
+      // Create a form instance from the API data
+      const enforcementForm = new MfaLoginEnforcementForm(enforcementData, { isNew: false });
+      this.args.onEnforcementSelect(enforcementForm);
+    }
   }
 }
diff --git a/ui/app/components/modal-form/FYI.md b/ui/app/components/modal-form/FYI.md
deleted file mode 100644
index 35b65b1b4f..0000000000
--- a/ui/app/components/modal-form/FYI.md
+++ /dev/null
@@ -1,3 +0,0 @@
-These templates parent form components that render within a modal to create inline items via SearchSelectWithModal.
-The modal opens when a user searches for an item that doesn't exist and clicks 'No results found for "${term}". Click here to create it.'
-The templates are rendered using the {{component}} helper in 'search-select-with-modal.hbs' and are responsible for creating the model passed to the form.
diff --git a/ui/app/components/modal-form/oidc-assignment-template.hbs b/ui/app/components/modal-form/oidc-assignment-template.hbs
deleted file mode 100644
index cd82ee1a62..0000000000
--- a/ui/app/components/modal-form/oidc-assignment-template.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<Oidc::AssignmentForm @onSave={{this.onSave}} @model={{this.assignment}} @onCancel={{@onCancel}} />
\ No newline at end of file
diff --git a/ui/app/components/modal-form/oidc-assignment-template.js b/ui/app/components/modal-form/oidc-assignment-template.js
deleted file mode 100644
index 34e3fa577e..0000000000
--- a/ui/app/components/modal-form/oidc-assignment-template.js
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
-
-/**
- * @module ModalForm::OidcAssignmentTemplate
- * ModalForm::OidcAssignmentTemplate components render within a modal and create a model using the input from the search select. The model is passed to the oidc/assignment-form.
- *
- * @example
- *  <ModalForm::OidcAssignmentTemplate
- *    @nameInput="new-item-name"
- *    @onSave={{this.closeModal}}
- *    @onCancel={{@onCancel}}
- *  />
- * ```
- * @callback onCancel - callback triggered when cancel button is clicked
- * @callback onSave - callback triggered when save button is clicked
- * @param {string} nameInput - the name of the newly created assignment
- */
-
-export default class OidcAssignmentTemplate extends Component {
-  @service store;
-  @tracked assignment = null; // model record passed to oidc/assignment-form
-
-  constructor() {
-    super(...arguments);
-    this.assignment = this.store.createRecord('oidc/assignment', { name: this.args.nameInput });
-  }
-
-  @action onSave(assignmentModel) {
-    this.args.onSave(assignmentModel);
-    // Reset component assignment for next use
-    this.assignment = null;
-  }
-}
diff --git a/ui/app/components/modal-form/oidc-key-template.hbs b/ui/app/components/modal-form/oidc-key-template.hbs
deleted file mode 100644
index baf6e328bd..0000000000
--- a/ui/app/components/modal-form/oidc-key-template.hbs
+++ /dev/null
@@ -1,6 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<Oidc::KeyForm @onSave={{this.onSave}} @model={{this.key}} @onCancel={{@onCancel}} @isModalForm={{true}} />
\ No newline at end of file
diff --git a/ui/app/components/modal-form/oidc-key-template.js b/ui/app/components/modal-form/oidc-key-template.js
deleted file mode 100644
index 382d2a9963..0000000000
--- a/ui/app/components/modal-form/oidc-key-template.js
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
-
-/**
- * @module ModalForm::OidcKeyTemplate
- * ModalForm::OidcKeyTemplate components render within a modal and create a model using the input from the search select. The model is passed to the oidc/key-form.
- *
- * @example
- *  <ModalForm::OidcKeyTemplate
- *    @nameInput="new-key-name"
- *    @onSave={{this.closeModal}}
- *    @onCancel={{@onCancel}}
- *  />
- *
- * @callback onCancel - callback triggered when cancel button is clicked
- * @callback onSave - callback triggered when save button is clicked
- * @param {string} nameInput - the name of the newly created key
- */
-
-export default class OidcKeyTemplate extends Component {
-  @service store;
-  @tracked key = null; // model record passed to oidc/key-form
-
-  constructor() {
-    super(...arguments);
-    this.key = this.store.createRecord('oidc/key', { name: this.args.nameInput });
-  }
-
-  @action onSave(keyModel) {
-    this.args.onSave(keyModel);
-    // Reset component key for next use
-    this.key = null;
-  }
-}
diff --git a/ui/app/components/modal-form/policy-template.hbs b/ui/app/components/modal-form/policy-template.hbs
deleted file mode 100644
index a270b808e3..0000000000
--- a/ui/app/components/modal-form/policy-template.hbs
+++ /dev/null
@@ -1,33 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-{{#if this.policy.policyType}}
-  <Hds::Tabs as |T|>
-    <T.Tab data-test-tab-your-policy>
-      Your Policy
-    </T.Tab>
-    <T.Tab Tab data-test-tab-example-policy>
-      Example Policy
-    </T.Tab>
-
-    <T.Panel>
-      <PolicyForm @onSave={{this.onSave}} @model={{this.policy}} @onCancel={{@onCancel}} @isCompact={{true}} />
-    </T.Panel>
-    <T.Panel class="has-top-padding-m">
-      <PolicyExample @policyType={{this.policy.policyType}} />
-    </T.Panel>
-  </Hds::Tabs>
-{{else}}
-  <Select
-    @name="policyType"
-    @label="Type"
-    @options={{this.policyOptions}}
-    @isFullwidth={{true}}
-    @selectedValue={{this.policy.policyType}}
-    @onChange={{this.setPolicyType}}
-    @noDefault={{true}}
-  />
-  <EmptyState @title="No policy type selected" @message="Select a policy type to continue creating." />
-{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/modal-form/policy-template.js b/ui/app/components/modal-form/policy-template.js
deleted file mode 100644
index 781dc155cb..0000000000
--- a/ui/app/components/modal-form/policy-template.js
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
-
-/**
- * @module ModalForm::PolicyTemplate
- * ModalForm::PolicyTemplate components are meant to render within a modal for creating a new policy of unknown type.
- *
- * @example
- *  <ModalForm::PolicyTemplate
- *    @nameInput="new-item-name"
- *    @onSave={{this.closeModal}}
- *    @onCancel={{this.closeModal}}
- *  />
- * ```
- * @callback onCancel - callback triggered when cancel button is clicked
- * @callback onSave - callback triggered when save button is clicked
- * @param {string} nameInput - the name of the newly created policy
- */
-
-export default class PolicyTemplate extends Component {
-  @service store;
-  @service version;
-
-  @tracked policy = null; // model record passed to policy-form
-
-  get policyOptions() {
-    return [
-      { label: 'ACL Policy', value: 'acl', isDisabled: false },
-      { label: 'Role Governing Policy', value: 'rgp', isDisabled: !this.version.hasSentinel },
-    ];
-  }
-
-  @action
-  setPolicyType(type) {
-    if (this.policy) this.policy.unloadRecord(); // if user selects a different type, clear from store before creating a new record
-    // Create form model once type is chosen
-    this.policy = this.store.createRecord(`policy/${type}`, { name: this.args.nameInput });
-  }
-
-  @action
-  onSave(policyModel) {
-    this.args.onSave(policyModel);
-    // Reset component policy for next use
-    this.policy = null;
-  }
-}
diff --git a/ui/app/components/mount-backend-form.hbs b/ui/app/components/mount-backend-form.hbs
index 2db2ec3557..fc1ca37010 100644
--- a/ui/app/components/mount-backend-form.hbs
+++ b/ui/app/components/mount-backend-form.hbs
@@ -21,20 +21,21 @@
       />
 
       <FormFieldGroups @model={{this.mountForm}} @renderGroup="Method Options" @groupName="formFieldGroups">
-        <:identityTokenKey>
-          <SearchSelectWithModal
-            @id="key"
-            @fallbackComponent="input-search"
-            @inputValue={{this.mountForm.data.config.identity_token_key}}
-            @onChange={{this.handleIdentityTokenKeyChange}}
-            @models={{array "oidc/key"}}
-            @selectLimit="1"
-            @modalFormTemplate="modal-form/oidc-key-template"
-            @placeholder="Search for an existing OIDC key, or type a new key name to create it."
-            @fallbackComponentPlaceholder="Input a key name"
-            @modalSubtext="This key will be created in the OIDC key path."
-          />
-        </:identityTokenKey>
+        <SearchSelect
+          @id="oidc-key"
+          @fallbackComponent="input-search"
+          @options={{this.oidcKeys}}
+          @inputValue={{this.mountForm.data.config.identity_token_key}}
+          @selectLimit="1"
+          @placeholder={{if
+            this.oidcKeys
+            "Search for an existing OIDC key, or type a new key name to create it."
+            "Input a key name"
+          }}
+          @onChange={{this.handleIdentityTokenKeyChange}}
+          @onCreate={{this.onCreateOidcKey}}
+          data-test-field="config.identity_token_key"
+        />
       </FormFieldGroups>
 
       <div class="field is-grouped box is-fullwidth is-bottomless">
@@ -66,4 +67,21 @@
       @pluginCatalogError={{@mountModel.pluginCatalogError}}
     />
   {{/if}}
-</div>
\ No newline at end of file
+</div>
+
+{{#if this.oidcKeyForm}}
+  <Hds::Modal id="oidc-key-modal" @onClose={{fn (mut this.oidcKeyForm) null}} as |M|>
+    <M.Header data-test-modal-title>Create new key</M.Header>
+    <M.Body>
+      <p class="has-bottom-margin-s" data-test-modal-subtext>
+        This key will be created in the OIDC key path.
+      </p>
+      <Oidc::KeyForm
+        @form={{this.oidcKeyForm}}
+        @onSave={{fn (mut this.oidcKeyForm) null}}
+        @onCancel={{fn (mut this.oidcKeyForm) null}}
+        @isModalForm={{true}}
+      />
+    </M.Body>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/mount-backend-form.ts b/ui/app/components/mount-backend-form.ts
index c75e918baf..450d8a2c55 100644
--- a/ui/app/components/mount-backend-form.ts
+++ b/ui/app/components/mount-backend-form.ts
@@ -3,21 +3,24 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
+import { action, set } from '@ember/object';
+import { service } from '@ember/service';
+import { waitFor } from '@ember/test-waiters';
 import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
-import { service } from '@ember/service';
-import { action, set } from '@ember/object';
+import { filterEnginesByMountCategory } from 'core/utils/all-engines-metadata';
 import { task } from 'ember-concurrency';
-import { waitFor } from '@ember/test-waiters';
-import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
 import { MOUNT_CATEGORIES } from 'vault/utils/plugin-catalog-helpers';
+import { ALL_ENGINES } from 'core/utils/all-engines-metadata';
+import { IdentityApiOidcListKeysListEnum } from '@hashicorp/vault-client-typescript';
+import OidcKeyForm from 'vault/forms/oidc/key';
 
-import type FlashMessageService from 'vault/services/flash-messages';
+import type { ApiError } from '@ember-data/adapter/error';
 import type Store from '@ember-data/store';
 import type AuthMethodForm from 'vault/forms/auth/method';
-import type CapabilitiesService from 'vault/services/capabilities';
 import type ApiService from 'vault/services/api';
-import type { ApiError } from '@ember-data/adapter/error';
+import type CapabilitiesService from 'vault/services/capabilities';
+import type FlashMessageService from 'vault/services/flash-messages';
 import type { ValidationMap } from 'vault/vault/app-types';
 
 /**
@@ -54,8 +57,9 @@ export default class MountBackendForm extends Component<Args> {
   // validation related properties
   @tracked modelValidations: ValidationMap | null = null;
   @tracked invalidFormAlert: string | null = null;
-
   @tracked errorMessage: string | string[] = '';
+  @tracked oidcKeys: { id: string }[] = [];
+  @tracked oidcKeyForm: OidcKeyForm | null = null;
 
   get mountForm(): AuthMethodForm {
     return this.args.mountModel;
@@ -126,6 +130,22 @@ export default class MountBackendForm extends Component<Args> {
     }
   }
 
+  async fetchOidcKeys(type: string) {
+    // an additional form field for identity_token_key is displayed for WIF engines
+    // fetch oidc keys to populate the search select component
+    this.oidcKeys = [];
+    const isWIF = !!ALL_ENGINES.find((engine) => engine.type === type && engine.isWIF);
+    if (isWIF) {
+      try {
+        const { keys } = await this.api.identity.oidcListKeys(IdentityApiOidcListKeysListEnum.TRUE);
+        // SearchSelect requires options to be objects
+        this.oidcKeys = keys?.map((key) => ({ id: key })) || [];
+      } catch (e) {
+        // swallow fetch error and fallback component will be used
+      }
+    }
+  }
+
   @task
   @waitFor
   *mountBackend(event: Event) {
@@ -160,6 +180,7 @@ export default class MountBackendForm extends Component<Args> {
   @action
   setMountType(value: string) {
     this.mountForm.type = value;
+    this.fetchOidcKeys(value);
     this.checkPathChange(value);
   }
 
@@ -169,4 +190,9 @@ export default class MountBackendForm extends Component<Args> {
     const { config } = this.mountForm.data;
     config.identity_token_key = Array.isArray(value) ? value[0] : value;
   }
+
+  @action
+  onCreateOidcKey(name: string) {
+    this.oidcKeyForm = new OidcKeyForm({ name }, { isNew: true });
+  }
 }
diff --git a/ui/app/components/mount-backend/type-form.js b/ui/app/components/mount-backend/type-form.js
index d1859a3e5a..fcc4a3bb32 100644
--- a/ui/app/components/mount-backend/type-form.js
+++ b/ui/app/components/mount-backend/type-form.js
@@ -3,18 +3,18 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Component from '@glimmer/component';
-import { service } from '@ember/service';
 import { action } from '@ember/object';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
+import { filterEnginesByMountCategory } from 'core/utils/all-engines-metadata';
 import keys from 'core/utils/keys';
-import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
 import {
-  enhanceEnginesWithCatalogData,
   categorizeEnginesByStatus,
+  enhanceEnginesWithCatalogData,
   MOUNT_CATEGORIES,
-  PLUGIN_TYPES,
   PLUGIN_CATEGORIES,
+  PLUGIN_TYPES,
 } from 'vault/utils/plugin-catalog-helpers';
 
 /**
diff --git a/ui/app/components/mount/secrets-engine-form.hbs b/ui/app/components/mount/secrets-engine-form.hbs
index eb661f8d79..b38a451e94 100644
--- a/ui/app/components/mount/secrets-engine-form.hbs
+++ b/ui/app/components/mount/secrets-engine-form.hbs
@@ -107,21 +107,21 @@
     />
 
     <FormFieldGroups @model={{@model.form}} @renderGroup="Method Options" @groupName="formFieldGroups">
-      <:identityTokenKey>
-        <SearchSelectWithModal
-          @id="key"
-          @fallbackComponent="input-search"
-          @inputValue={{@model.form.data.config.identity_token_key}}
-          @onChange={{this.handleIdentityTokenKeyChange}}
-          @models={{array "oidc/key"}}
-          @selectLimit="1"
-          @modalFormTemplate="modal-form/oidc-key-template"
-          @placeholder="Search for an existing OIDC key, or type a new key name to create it."
-          @fallbackComponentPlaceholder="Input a key name"
-          @modalSubtext="This key will be created in the OIDC key path."
-          data-test-field="config.identity_token_key"
-        />
-      </:identityTokenKey>
+      <SearchSelect
+        @id="oidc-key"
+        @fallbackComponent="input-search"
+        @options={{@model.oidcKeys}}
+        @inputValue={{@model.form.data.config.identity_token_key}}
+        @selectLimit="1"
+        @placeholder={{if
+          @model.oidcKeys
+          "Search for an existing OIDC key, or type a new key name to create it."
+          "Input a key name"
+        }}
+        @onChange={{this.handleIdentityTokenKeyChange}}
+        @onCreate={{this.onCreateOidcKey}}
+        data-test-field="config.identity_token_key"
+      />
     </FormFieldGroups>
 
     <div class="field is-grouped box is-fullwidth is-bottomless">
@@ -144,4 +144,21 @@
       {{/if}}
     </div>
   </form>
-</div>
\ No newline at end of file
+</div>
+
+{{#if this.oidcKeyForm}}
+  <Hds::Modal id="oidc-key-modal" @onClose={{fn (mut this.oidcKeyForm) null}} as |M|>
+    <M.Header data-test-modal-title>Create new key</M.Header>
+    <M.Body>
+      <p class="has-bottom-margin-s" data-test-modal-subtext>
+        This key will be created in the OIDC key path.
+      </p>
+      <Oidc::KeyForm
+        @onSave={{fn (mut this.oidcKeyForm) null}}
+        @form={{this.oidcKeyForm}}
+        @onCancel={{fn (mut this.oidcKeyForm) null}}
+        @isModalForm={{true}}
+      />
+    </M.Body>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/mount/secrets-engine-form.ts b/ui/app/components/mount/secrets-engine-form.ts
index f0ccb854ac..aa7471bd74 100644
--- a/ui/app/components/mount/secrets-engine-form.ts
+++ b/ui/app/components/mount/secrets-engine-form.ts
@@ -9,6 +9,7 @@ import { capitalize } from '@ember/string';
 import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
 import { task } from 'ember-concurrency';
+import OidcKeyForm from 'vault/forms/oidc/key';
 
 import type Router from '@ember/routing/router';
 import type FlashMessagesService from 'ember-cli-flash/services/flash-messages';
@@ -16,8 +17,16 @@ import type SecretsEngineForm from 'vault/forms/secrets/engine';
 import type ApiService from 'vault/services/api';
 import type CapabilitiesService from 'vault/services/capabilities';
 import type VersionService from 'vault/services/version';
-import { isAddonEngine } from 'vault/utils/all-engines-metadata';
-import { getExternalPluginNameFromBuiltin } from 'vault/utils/external-plugin-helpers';
+import { isAddonEngine, VERSIONED_ENGINE_TYPES } from 'vault/utils/all-engines-metadata';
+import {
+  supportedSecretBackends,
+  SupportedSecretBackendsEnum,
+} from 'vault/helpers/supported-secret-backends';
+import engineDisplayData from 'vault/helpers/engines-display-data';
+import {
+  getEffectiveEngineType,
+  getExternalPluginNameFromBuiltin,
+} from 'vault/utils/external-plugin-helpers';
 import type { EngineVersionInfo } from 'vault/utils/plugin-catalog-helpers';
 import { sortVersions } from 'vault/utils/version-utils';
 import type { ValidationMap } from 'vault/vault/app-types';
@@ -41,8 +50,8 @@ interface Args {
     hasUnversionedPlugins?: boolean;
     pinnedVersion?: string | null;
   };
-  onMountSuccess?: (type: string, path: string, useEngineRoute: boolean) => void;
 }
+const SUPPORTED_BACKENDS = supportedSecretBackends();
 
 /**
  * @module Mount::SecretsEngineForm
@@ -56,7 +65,7 @@ interface Args {
  *
  * @example
  * ```hbs
- * <Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />
+ * <Mount::SecretsEngineForm @model={{this.model}} />
  * ```
  */
 export default class MountSecretsEngineFormComponent extends Component<Args> {
@@ -71,6 +80,8 @@ export default class MountSecretsEngineFormComponent extends Component<Args> {
   @tracked errorMessage: string | string[] = '';
   @tracked pluginRegistrationType: 'builtin' | 'external' = PluginRegistrationType.BUILTIN;
   @tracked selectedPluginVersion = '';
+  @tracked oidcKeys: { id: string }[] = [];
+  @tracked oidcKeyForm: OidcKeyForm | null = null;
 
   _originalBuiltinType = '';
 
@@ -273,7 +284,8 @@ export default class MountSecretsEngineFormComponent extends Component<Args> {
   async saveKvConfig(path: string, formData: SecretsEngineForm['data']) {
     const { options, kv_config = {} } = formData;
     const { max_versions, cas_required, delete_version_after } = kv_config;
-    const isKvV2 = options?.version === 2 && ['kv', 'generic'].includes(this.args.model.form.normalizedType);
+    const isKvV2 =
+      options?.version === 2 && VERSIONED_ENGINE_TYPES.includes(this.args.model.form.normalizedType);
     const hasConfig = max_versions || cas_required || delete_version_after;
 
     if (isKvV2 && hasConfig) {
@@ -332,6 +344,13 @@ export default class MountSecretsEngineFormComponent extends Component<Args> {
     // Only submit form if validations pass
     const { isValid, state, invalidFormMessage, data } = mountModel.toJSON();
 
+    // hold options to tune external kv version after mounting
+    let options;
+    if (type === 'vault-plugin-secrets-kv') {
+      options = data.options;
+      delete data.options;
+    }
+
     if (!isValid) {
       this.formValidations = state;
       this.invalidFormAlert = invalidFormMessage;
@@ -351,21 +370,18 @@ export default class MountSecretsEngineFormComponent extends Component<Args> {
 
       this.flashMessages.success(`Successfully mounted the ${mountModel.type} secrets engine at ${path}.`);
 
+      // external versions of KV doesn't allow version to be set when mounting, so we need to tune to the selected version after
+      if (type === 'vault-plugin-secrets-kv') {
+        yield this.api.sys.mountsTuneConfigurationParameters(path, {
+          options,
+        });
+      }
+
       // Determine if we should use engine routes
-      const version = data.options?.version;
+      const version = options ? options.version : data.options?.version;
       const useEngineRoute = isAddonEngine(mountModel.normalizedType, Number(version));
 
-      // Call success callback or navigate
-      if (this.args.onMountSuccess) {
-        this.args.onMountSuccess(type, path, useEngineRoute);
-      } else {
-        // Default navigation
-        if (useEngineRoute) {
-          this.router.transitionTo('vault.cluster.secrets.backend.index', path);
-        } else {
-          this.router.transitionTo('vault.cluster.secrets.backend.list-root', path);
-        }
-      }
+      this.onMountSuccess(type, path, useEngineRoute);
     } catch (error) {
       const { status, response, message } = yield this.api.parseError(error);
       this.onMountError(status, response.errors, message);
@@ -449,4 +465,38 @@ export default class MountSecretsEngineFormComponent extends Component<Args> {
       this.args.model.form.handlePluginVersionChange(this.args.model.availableVersions);
     }
   }
+
+  @action
+  onMountSuccess(type: string, path: string, useEngineRoute = false) {
+    let transition;
+    const engineInfo = engineDisplayData(type);
+    const effectiveType = getEffectiveEngineType(type);
+
+    if (engineInfo && SUPPORTED_BACKENDS.includes(effectiveType as SupportedSecretBackendsEnum)) {
+      if (useEngineRoute && engineInfo.engineRoute) {
+        transition = this.router.transitionTo(
+          `vault.cluster.secrets.backend.${engineInfo.engineRoute}`,
+          path
+        );
+      } else {
+        // For keymgmt, we need to land on provider tab by default using query params
+        const queryParams = effectiveType === 'keymgmt' ? { tab: 'provider' } : {};
+        transition = this.router.transitionTo('vault.cluster.secrets.backend.index', path, { queryParams });
+      }
+    } else if (engineInfo) {
+      // transitions recognized but unsupported engines to general settings configuration page
+      transition = this.router.transitionTo(
+        'vault.cluster.secrets.backend.configuration.general-settings',
+        path
+      );
+    } else {
+      transition = this.router.transitionTo('vault.cluster.secrets.backends');
+    }
+    return transition?.followRedirects();
+  }
+
+  @action
+  onCreateOidcKey(name: string) {
+    this.oidcKeyForm = new OidcKeyForm({ name }, { isNew: true });
+  }
 }
diff --git a/ui/app/components/oidc/assignment-form.hbs b/ui/app/components/oidc/assignment-form.hbs
index b2783b29e0..812466ba15 100644
--- a/ui/app/components/oidc/assignment-form.hbs
+++ b/ui/app/components/oidc/assignment-form.hbs
@@ -6,48 +6,46 @@
 <form {{on "submit" (perform this.save)}}>
   <div class="box is-sideless is-fullwidth is-marginless">
     <MessageError @errorMessage={{this.errorBanner}} />
-    <FormFieldLabel for="name" @label="Name" />
-    <input
-      autocomplete="off"
-      spellcheck="false"
-      value={{@model.name}}
-      disabled={{not @model.isNew}}
-      class="input field {{if this.modelValidations.name.errors 'has-error-border'}}"
-      {{on "input" this.handleOperation}}
-      data-test-input="name"
-      id="name"
-    />
-    {{#if this.modelValidations.name.errors}}
-      <AlertInline @type="danger" @message={{join ", " this.modelValidations.name.errors}} />
+
+    <FormFieldGroups @model={{@form}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}} as |field|>
+      {{#if (eq field.name "entity_ids")}}
+        <SearchSelect
+          @id="entities"
+          @placeholder="Search"
+          @options={{@entities}}
+          @inputValue={{@form.data.entity_ids}}
+          @shouldRenderName={{true}}
+          @onChange={{fn (mut @form.data.entity_ids)}}
+          @disallowNewItems={{true}}
+          @fallbackComponent="string-list"
+          data-test-search-select="entities"
+        />
+      {{else if (eq field.name "group_ids")}}
+        <SearchSelect
+          @id="groups"
+          @placeholder="Search"
+          @options={{@groups}}
+          @inputValue={{@form.data.group_ids}}
+          @shouldRenderName={{true}}
+          @onChange={{fn (mut @form.data.group_ids)}}
+          @disallowNewItems={{true}}
+          @fallbackComponent="string-list"
+          data-test-search-select="groups"
+        />
+      {{/if}}
+    </FormFieldGroups>
+    {{#if this.modelValidations.targets.errors}}
+      <AlertInline
+        @type="danger"
+        @message={{this.modelValidations.targets.errors}}
+        class="has-top-padding-s"
+        data-test-validation-error="target"
+      />
     {{/if}}
-    <SearchSelect
-      @id="entities"
-      @label="Entities"
-      @placeholder="Search"
-      @models={{array "identity/entity"}}
-      @inputValue={{@model.entityIds}}
-      @shouldRenderName={{true}}
-      @onChange={{this.onEntitiesSelect}}
-      @disallowNewItems={{true}}
-      @fallbackComponent="string-list"
-      data-test-search-select="entities"
-    />
-    <SearchSelect
-      @id="groups"
-      @label="Groups"
-      @placeholder="Search"
-      @models={{array "identity/group"}}
-      @inputValue={{@model.groupIds}}
-      @shouldRenderName={{true}}
-      @onChange={{this.onGroupsSelect}}
-      @disallowNewItems={{true}}
-      @fallbackComponent="string-list"
-      data-test-search-select="groups"
-    />
   </div>
   <div class="has-top-padding-s">
     <Hds::Button
-      @text={{if @model.isNew "Create" "Update"}}
+      @text={{if @form.isNew "Create" "Update"}}
       @icon={{if this.save.isRunning "loading"}}
       type="submit"
       disabled={{this.save.isRunning}}
@@ -58,11 +56,18 @@
       @color="secondary"
       class="has-left-margin-s"
       disabled={{this.save.isRunning}}
-      {{on "click" this.cancel}}
+      {{on "click" (fn @onCancel undefined)}}
       data-test-oidc-assignment-cancel
     />
-    {{#if this.modelValidations.targets.errors}}
-      <AlertInline @type="danger" @message={{join ", " this.modelValidations.targets.errors}} class="has-top-padding-s" />
+    {{#if this.invalidFormMessage}}
+      <div class="control">
+        <AlertInline
+          @type="danger"
+          class="has-top-padding-s"
+          @message={{this.invalidFormMessage}}
+          data-test-invalid-form-alert
+        />
+      </div>
     {{/if}}
   </div>
 </form>
\ No newline at end of file
diff --git a/ui/app/components/oidc/assignment-form.js b/ui/app/components/oidc/assignment-form.js
index 3efe400837..6d02642ced 100644
--- a/ui/app/components/oidc/assignment-form.js
+++ b/ui/app/components/oidc/assignment-form.js
@@ -4,10 +4,10 @@
  */
 
 import Component from '@glimmer/component';
-import { action } from '@ember/object';
 import { service } from '@ember/service';
-import { task } from 'ember-concurrency';
 import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
 
 /**
  * @module Oidc::AssignmentForm
@@ -15,62 +15,47 @@ import { tracked } from '@glimmer/tracking';
  *
  * @example
  * ```js
- * <Oidc::AssignmentForm @model={this.model}
+ * <Oidc::AssignmentForm @form={this.form}
  * @onCancel={transition-to "vault.cluster.access.oidc.assignment"} @param1={{param1}}
  * @onSave={transition-to "vault.cluster.access.oidc.assignments.assignment.details" this.model.name}
  * />
  * ```
 
- * @param {object} model - The parent's model
+ * @param {object} form - Form class
  * @callback onCancel - callback triggered when cancel button is clicked
  * @callback onSave - callback triggered when save button is clicked*
  */
 
 export default class OidcAssignmentFormComponent extends Component {
-  @service store;
+  @service api;
   @service flashMessages;
+
   @tracked modelValidations;
+  @tracked invalidFormMessage;
   @tracked errorBanner;
 
-  @task
-  *save(event) {
-    event.preventDefault();
-    try {
-      const { isValid, state } = this.args.model.validate();
-      this.modelValidations = isValid ? null : state;
-      if (isValid) {
-        const { isNew, name } = this.args.model;
-        yield this.args.model.save();
-        this.flashMessages.success(`Successfully ${isNew ? 'created' : 'updated'} the assignment ${name}.`);
-        // this form is sometimes used in modal, passing the model notifies
-        // the parent if the save was successful
-        this.args.onSave(this.args.model);
+  save = task(
+    waitFor(async (event) => {
+      event.preventDefault();
+      try {
+        const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+        this.modelValidations = isValid ? null : state;
+        this.invalidFormMessage = invalidFormMessage;
+
+        if (isValid) {
+          const { name, ...payload } = data;
+          await this.api.identity.oidcWriteAssignment(name, payload);
+          this.flashMessages.success(
+            `Successfully ${this.args.form.isNew ? 'created' : 'updated'} the assignment ${name}.`
+          );
+          // this form is sometimes used in modal, passing the model notifies
+          // the parent if the save was successful
+          this.args.onSave(this.args.form);
+        }
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.errorBanner = message;
       }
-    } catch (error) {
-      const message = error.errors ? error.errors.join('. ') : error.message;
-      this.errorBanner = message;
-    }
-  }
-
-  @action
-  cancel() {
-    const method = this.args.model.isNew ? 'unloadRecord' : 'rollbackAttributes';
-    this.args.model[method]();
-    this.args.onCancel();
-  }
-
-  @action
-  handleOperation({ target }) {
-    this.args.model.name = target.value;
-  }
-
-  @action
-  onEntitiesSelect(selectedIds) {
-    this.args.model.entityIds = selectedIds;
-  }
-
-  @action
-  onGroupsSelect(selectedIds) {
-    this.args.model.groupIds = selectedIds;
-  }
+    })
+  );
 }
diff --git a/ui/app/components/oidc/client-form.hbs b/ui/app/components/oidc/client-form.hbs
index 25db12ed84..66d0122d3e 100644
--- a/ui/app/components/oidc/client-form.hbs
+++ b/ui/app/components/oidc/client-form.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="{{if @model.isNew 'Create' 'Edit'}} Application">
+<Page::Header @title="{{if @form.isNew 'Create' 'Edit'}} Application">
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
@@ -12,12 +12,21 @@
 <form {{on "submit" (perform this.save)}}>
   <div class="box is-sideless is-fullwidth is-bottomless">
     <MessageError @errorMessage={{this.errorBanner}} />
-    {{#each @model.formFields as |attr|}}
-      <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
-
-    {{! MORE OPTIONS TOGGLE }}
-    <FormFieldGroups @renderGroup="More options" @model={{@model}} @modelValidations={{this.modelValidations}} />
+    <FormFieldGroups @model={{@form}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}}>
+      {{! keys are fetched in route and passed into select component }}
+      <SearchSelect
+        @id="oidc-client-form-key-select"
+        @options={{@keys}}
+        @selectLimit="1"
+        @disallowNewItems={{true}}
+        @fallbackComponent="input-search"
+        @onChange={{this.onKeyChange}}
+        @inputValue={{if @form.data.key (array @form.data.key)}}
+        @disabled={{not @form.isNew}}
+        class="is-marginless"
+        data-test-search-select="keys"
+      />
+    </FormFieldGroups>
   </div>
   {{! RADIO CARD + SEARCH SELECT }}
   <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
@@ -43,24 +52,23 @@
       />
     </div>
     {{#if (eq this.radioCardGroupValue "limited")}}
-      <SearchSelectWithModal
-        @id="assignments"
+      <SearchSelect
+        @id="oidc-client-form-assignments-select"
         @label="Assignment name"
         @subText="Search for an existing assignment, or type a new name to create it."
-        @models={{array "oidc/assignment"}}
-        @inputValue={{this.modelAssignments}}
+        @options={{@assignments}}
+        @parentManageSelected={{this.modelAssignments}}
         @onChange={{this.handleAssignmentSelection}}
-        @excludeOptions={{array "allow_all"}}
+        @onCreate={{this.onAssignmentCreate}}
         @fallbackComponent="string-list"
-        @modalFormTemplate="modal-form/oidc-assignment-template"
-        @modalSubtext="Use assignment to specify which Vault entities and groups are allowed to authenticate."
+        data-test-search-select="assignments"
       />
     {{/if}}
   </div>
   <div class="field box is-fullwidth is-bottomless">
     <div class="control">
       <Hds::Button
-        @text={{if @model.isNew "Create" "Update"}}
+        @text={{if @form.isNew "Create" "Update"}}
         @icon={{if this.save.isRunning "loading"}}
         type="submit"
         disabled={{this.save.isRunning}}
@@ -71,7 +79,7 @@
         @color="secondary"
         class="has-left-margin-s"
         disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
+        {{on "click" @onCancel}}
         data-test-oidc-client-cancel
       />
     </div>
@@ -81,4 +89,24 @@
       </div>
     {{/if}}
   </div>
-</form>
\ No newline at end of file
+</form>
+
+{{#if this.oidcAssignmentForm}}
+  <Hds::Modal id="search-select-modal" @onClose={{fn (mut this.oidcAssignmentForm) null}} as |M|>
+    <M.Header data-test-modal-title>
+      Create new assignment
+    </M.Header>
+    <M.Body>
+      <p class="has-bottom-margin-s" data-test-modal-subtext>
+        Use assignment to specify which Vault entities and groups are allowed to authenticate.
+      </p>
+      <Oidc::AssignmentForm
+        @form={{this.oidcAssignmentForm}}
+        @entities={{this.entities}}
+        @groups={{this.groups}}
+        @onCancel={{fn (mut this.oidcAssignmentForm) null}}
+        @onSave={{fn (mut this.oidcAssignmentForm) null}}
+      />
+    </M.Body>
+  </Hds::Modal>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/oidc/client-form.js b/ui/app/components/oidc/client-form.js
index cfbc353909..36ad5d5fdb 100644
--- a/ui/app/components/oidc/client-form.js
+++ b/ui/app/components/oidc/client-form.js
@@ -8,47 +8,67 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
+import OidcAssignmentForm from 'vault/forms/oidc/assignment';
+import {
+  IdentityApiEntityListByIdListEnum,
+  IdentityApiGroupListByIdListEnum,
+} from '@hashicorp/vault-client-typescript';
 /**
  * @module OidcClientForm
  * OidcClientForm components are used to create and update OIDC clients (a.k.a. applications)
  *
  * @example
  * ```js
- * <OidcClientForm @model={{this.model}} />
+ * <OidcClientForm @form={{this.model}} />
  * ```
- * @param {Object} model - oidc client model
+ * @param {Object} form - oidc client form
  * @callback onCancel - callback triggered when cancel button is clicked
  * @callback onSave - callback triggered on save success
- * @param {boolean} [isInline=false] - true when form is rendered within a modal
  */
 
 export default class OidcClientForm extends Component {
   @service flashMessages;
+  @service api;
+
   @tracked modelValidations;
   @tracked errorBanner;
   @tracked invalidFormAlert;
-  @tracked radioCardGroupValue =
-    !this.args.model.assignments || this.args.model.assignments.includes('allow_all')
-      ? 'allow_all'
-      : 'limited';
+  @tracked radioCardGroupValue = 'limited';
+  @tracked oidcAssignmentForm;
+  @tracked entities;
+  @tracked groups;
+
+  constructor() {
+    super(...arguments);
+    const { assignments } = this.args.form.data;
+    if (!assignments || assignments.includes('allow_all')) {
+      this.radioCardGroupValue = 'allow_all';
+    }
+  }
 
   get breadcrumbs() {
-    const applicationOrDetailsBreadcrumb = this.args.model.isNew
-      ? { label: 'Applications', route: 'vault.cluster.access.oidc.clients' }
-      : {
-          label: 'Details',
-          route: 'vault.cluster.access.oidc.clients.client.details',
-          model: this.args.model.name,
-        };
-    return [
+    const { isNew } = this.args.form;
+    const { name } = this.args.form.data;
+    const crumbs = [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
-      applicationOrDetailsBreadcrumb,
-      { label: this.args.model.isNew ? 'Create Application' : 'Edit Application' },
+      { label: 'OIDC provider: Applications', route: 'vault.cluster.access.oidc.clients' },
     ];
+
+    if (!isNew) {
+      crumbs.push({
+        label: name,
+        route: 'vault.cluster.access.oidc.clients.client.details',
+        model: name,
+      });
+    }
+
+    crumbs.push({ label: isNew ? 'Create application' : 'Edit application' });
+    return crumbs;
   }
 
   get modelAssignments() {
-    const { assignments } = this.args.model;
+    const { assignments } = this.args.form.data;
     if (assignments.includes('allow_all') && assignments.length === 1) {
       return [];
     } else {
@@ -60,50 +80,69 @@ export default class OidcClientForm extends Component {
   handleAssignmentSelection(selection) {
     // if array then coming from search-select component, set selection as model assignments
     if (Array.isArray(selection)) {
-      this.args.model.assignments = selection;
+      this.args.form.data.assignments = selection;
     } else {
       // otherwise update radio button value and reset assignments so
       // UI always reflects a user's selection (including when no assignments are selected)
       this.radioCardGroupValue = selection;
-      this.args.model.assignments = [];
+      this.args.form.data.assignments = [];
     }
   }
 
   @action
-  cancel() {
-    const method = this.args.model.isNew ? 'unloadRecord' : 'rollbackAttributes';
-    this.args.model[method]();
-    this.args.onCancel();
+  async onAssignmentCreate(name) {
+    // fetch entities and groups for assignment form component
+    if (!this.entities || !this.groups) {
+      const [entitiesResult, groupsResult] = await Promise.allSettled([
+        this.api.identity.entityListById(IdentityApiEntityListByIdListEnum.TRUE),
+        this.api.identity.groupListById(IdentityApiGroupListByIdListEnum.TRUE),
+      ]);
+      this.entities =
+        entitiesResult.status === 'fulfilled' ? this.api.keyInfoToArray(entitiesResult.value) : [];
+      this.groups = groupsResult.status === 'fulfilled' ? this.api.keyInfoToArray(groupsResult.value) : [];
+    }
+    this.oidcAssignmentForm = new OidcAssignmentForm({ name }, { isNew: true });
   }
 
-  @task
-  *save(event) {
-    event.preventDefault();
-    try {
-      const { isValid, state, invalidFormMessage } = this.args.model.validate();
-      this.modelValidations = isValid ? null : state;
-      this.invalidFormAlert = invalidFormMessage;
-      if (isValid) {
-        if (this.radioCardGroupValue === 'allow_all') {
-          // the backend permits 'allow_all' AND other assignments, though 'allow_all' will take precedence
-          // the UI limits the config by allowing either 'allow_all' OR a list of other assignments
-          // note: when editing the UI removes any additional assignments previously configured via CLI
-          this.args.model.assignments = ['allow_all'];
-        }
-        // if TTL components are toggled off, set to default lease duration
-        const { idTokenTtl, accessTokenTtl } = this.args.model;
-        // value returned from API is a number, and string when from form action
-        if (Number(idTokenTtl) === 0) this.args.model.idTokenTtl = '24h';
-        if (Number(accessTokenTtl) === 0) this.args.model.accessTokenTtl = '24h';
-        const { isNew, name } = this.args.model;
-        yield this.args.model.save();
-        this.flashMessages.success(`Successfully ${isNew ? 'created' : 'updated'} the application ${name}.`);
-        this.args.onSave();
-      }
-    } catch (error) {
-      const message = error.errors ? error.errors.join('. ') : error.message;
-      this.errorBanner = message;
-      this.invalidFormAlert = 'There was an error submitting this form.';
-    }
+  @action
+  onKeyChange([key]) {
+    this.args.form.data.key = key;
   }
+
+  save = task(
+    waitFor(async (event) => {
+      event.preventDefault();
+      try {
+        const { isNew } = this.args.form;
+        const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+        this.modelValidations = isValid ? null : state;
+        this.invalidFormAlert = invalidFormMessage;
+
+        if (isValid) {
+          if (this.radioCardGroupValue === 'allow_all') {
+            // the backend permits 'allow_all' AND other assignments, though 'allow_all' will take precedence
+            // the UI limits the config by allowing either 'allow_all' OR a list of other assignments
+            // note: when editing the UI removes any additional assignments previously configured via CLI
+            data.assignments = ['allow_all'];
+          }
+          // if TTL components are toggled off, set to default lease duration
+          const { id_token_ttl, access_token_ttl } = data;
+          // value returned from API is a number, and string when from form action
+          if (Number(id_token_ttl) === 0) data.id_token_ttl = '24h';
+          if (Number(access_token_ttl) === 0) data.access_token_ttl = '24h';
+
+          const { name, ...payload } = data;
+          await this.api.identity.oidcWriteClient(name, payload);
+          this.flashMessages.success(
+            `Successfully ${isNew ? 'created' : 'updated'} the application ${name}.`
+          );
+          this.args.onSave();
+        }
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.errorBanner = message;
+        this.invalidFormAlert = 'There was an error submitting this form.';
+      }
+    })
+  );
 }
diff --git a/ui/app/components/oidc/client-list.hbs b/ui/app/components/oidc/client-list.hbs
index b4fdaddb83..3bbb3f76f9 100644
--- a/ui/app/components/oidc/client-list.hbs
+++ b/ui/app/components/oidc/client-list.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-{{#each @model as |client|}}
+{{#each @model.clients as |client|}}
   <LinkedBlock
     class="list-item-row"
     @params={{array "vault.cluster.access.oidc.clients.client.details" client.name}}
@@ -18,13 +18,13 @@
           </span>
           <div class="has-text-grey is-size-8">
             Client ID:
-            {{client.clientId}}
+            {{client.client_id}}
           </div>
         </div>
       </div>
       <div class="level-right is-flex is-paddingless is-marginless">
         <div class="level-item">
-          {{#if (or client.canRead client.canEdit)}}
+          {{#if (has-capability @model.capabilities "read" "update" pathKey="oidcClient" params=client)}}
             <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
               <dd.ToggleIcon
                 @icon="more-horizontal"
@@ -32,19 +32,23 @@
                 @hasChevron={{false}}
                 data-test-popup-menu-trigger
               />
-              {{#if client.canRead}}
+              {{#if (has-capability @model.capabilities "read" pathKey="oidcClient" params=client)}}
                 <dd.Interactive
                   @route="vault.cluster.access.oidc.clients.client.details"
                   @model={{client.name}}
                   data-test-oidc-client-menu-link="details"
-                >Details</dd.Interactive>
+                >
+                  Details
+                </dd.Interactive>
               {{/if}}
-              {{#if client.canEdit}}
+              {{#if (has-capability @model.capabilities "update" pathKey="oidcClient" params=client)}}
                 <dd.Interactive
                   @route="vault.cluster.access.oidc.clients.client.edit"
                   @model={{client.name}}
                   data-test-oidc-client-menu-link="edit"
-                >Edit</dd.Interactive>
+                >
+                  Edit
+                </dd.Interactive>
               {{/if}}
             </Hds::Dropdown>
           {{/if}}
diff --git a/ui/app/components/oidc/key-form.hbs b/ui/app/components/oidc/key-form.hbs
index 161c28b31f..4168e7236a 100644
--- a/ui/app/components/oidc/key-form.hbs
+++ b/ui/app/components/oidc/key-form.hbs
@@ -6,9 +6,7 @@
 <form {{on "submit" (perform this.save)}}>
   <div class="box is-sideless is-fullwidth is-bottomless">
     <MessageError @errorMessage={{this.errorBanner}} />
-    {{#each @model.formFields as |attr|}}
-      <FormField @attr={{attr}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
+    <FormFieldGroups @model={{@form}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}} />
   </div>
   {{#unless @isModalForm}}
     {{! RADIO CARD + SEARCH SELECT }}
@@ -32,26 +30,28 @@
           @value="limited"
           @groupValue={{this.radioCardGroupValue}}
           @onChange={{this.handleClientSelection}}
-          @disabled={{@model.isNew}}
+          @disabled={{@form.isNew}}
           @tooltipMessage={{if
-            @model.isNew
+            @form.isNew
             "This option has been disabled for now. To limit access, you must first create an application that references this key."
           }}
         />
       </div>
       {{#if (eq this.radioCardGroupValue "limited")}}
+        {{! clients are fetched in route and passed into select component }}
         <SearchSelect
-          @id="allowedClientIds"
+          @id="oidc-key-form-client-select"
           @label="Application name"
           @subText="Select which applications are allowed to use this key. Only applications that currently reference this key will appear in the dropdown."
-          @models={{array "oidc/client"}}
-          @inputValue={{@model.allowedClientIds}}
+          @options={{@clients}}
+          @parentManageSelected={{this.selectedClients}}
           @onChange={{this.handleClientSelection}}
           @disallowNewItems={{true}}
           @fallbackComponent="string-list"
           @passObject={{true}}
-          @objectKeys={{array "clientId"}}
-          @queryObject={{this.filterDropdownOptions}}
+          @objectKeys={{array "client_id"}}
+          @shouldRenderName={{true}}
+          @renderTooltip={{this.renderTooltip}}
         />
       {{/if}}
     </div>
@@ -59,7 +59,7 @@
   <div class="field box is-fullwidth is-bottomless">
     <div class="control">
       <Hds::Button
-        @text={{if @model.isNew "Create" "Update"}}
+        @text={{if @form.isNew "Create" "Update"}}
         @icon={{if this.save.isRunning "loading"}}
         type="submit"
         disabled={{this.save.isRunning}}
@@ -70,7 +70,7 @@
         @color="secondary"
         class="has-left-margin-s"
         disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
+        {{on "click" @onCancel}}
         data-test-oidc-key-cancel
       />
     </div>
diff --git a/ui/app/components/oidc/key-form.js b/ui/app/components/oidc/key-form.js
index b00e5e96b7..e1cd7cfe24 100644
--- a/ui/app/components/oidc/key-form.js
+++ b/ui/app/components/oidc/key-form.js
@@ -8,6 +8,7 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
 
 /**
  * @module OidcKeyForm
@@ -26,72 +27,87 @@ import { task } from 'ember-concurrency';
  */
 
 export default class OidcKeyForm extends Component {
-  @service store;
+  @service api;
   @service flashMessages;
+
   @tracked errorBanner;
   @tracked invalidFormAlert;
   @tracked modelValidations;
-  @tracked radioCardGroupValue =
-    // If "*" is provided, all clients are allowed: https://developer.hashicorp.com/vault/api-docs/secret/identity/oidc-provider#parameters
-    !this.args.model.allowedClientIds || this.args.model.allowedClientIds.includes('*')
-      ? 'allow_all'
-      : 'limited';
+  @tracked radioCardGroupValue = 'limited';
+  @tracked selectedClients = [];
 
-  get filterDropdownOptions() {
-    // query object sent to search-select so only clients that reference this key appear in dropdown
-    return { paramKey: 'key', filterFor: [this.args.model.name] };
+  constructor() {
+    super(...arguments);
+    // If "*" is provided, all clients are allowed: https://developer.hashicorp.com/vault/api-docs/secret/identity/oidc-provider#parameters
+    const { allowed_client_ids } = this.args.form.data;
+    if (!allowed_client_ids || allowed_client_ids.includes('*')) {
+      this.radioCardGroupValue = 'allow_all';
+    }
+    // initialize selectedClients for SearchSelect component with allowed_client_ids from form data
+    this.updateSelectedClients();
+  }
+
+  // function passed to search select
+  renderTooltip(selection, dropdownOptions) {
+    // if a client has been deleted it will not exist in dropdownOptions (response from search select's query)
+    const clientExists = !!dropdownOptions.find((opt) => opt.client_id === selection);
+    return !clientExists ? 'The application associated with this client_id no longer exists' : false;
+  }
+
+  updateSelectedClients() {
+    const { data } = this.args.form;
+    this.selectedClients = data.allowed_client_ids?.map((clientId) =>
+      this.args.clients.find((client) => client.client_id === clientId)
+    );
   }
 
   @action
   handleClientSelection(selection) {
-    // if array then coming from search-select component, set selection as model clients
+    const { data } = this.args.form;
+    // when triggered from search-select component an array is passed
+    // set selection as clients
     if (Array.isArray(selection)) {
-      this.args.model.allowedClientIds = selection.map((client) => client.clientId);
+      data.allowed_client_ids = selection.map((client) => client.client_id);
     } else {
       // otherwise update radio button value and reset clients so
       // UI always reflects a user's selection (including when no clients are selected)
       this.radioCardGroupValue = selection;
-      this.args.model.allowedClientIds = [];
+      data.allowed_client_ids = [];
     }
+    // update selectedClients which appear in SearchSelect
+    this.updateSelectedClients();
   }
 
-  @action
-  cancel() {
-    const method = this.args.model.isNew ? 'unloadRecord' : 'rollbackAttributes';
-    this.args.model[method]();
-    this.args.onCancel();
-  }
+  save = task(
+    waitFor(async (event) => {
+      event.preventDefault();
+      try {
+        const { isNew } = this.args.form;
+        const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+        this.modelValidations = isValid ? null : state;
+        this.invalidFormAlert = invalidFormMessage;
 
-  @task
-  *save(event) {
-    event.preventDefault();
-    try {
-      const { isValid, state, invalidFormMessage } = this.args.model.validate();
-      this.modelValidations = isValid ? null : state;
-      this.invalidFormAlert = invalidFormMessage;
-      if (isValid) {
-        const { isNew, name } = this.args.model;
-        if (this.radioCardGroupValue === 'allow_all') {
-          this.args.model.allowedClientIds = ['*'];
+        if (isValid) {
+          if (this.radioCardGroupValue === 'allow_all') {
+            data.allowed_client_ids = ['*'];
+          }
+          // if TTL components are toggled off, set to default lease duration
+          const { rotation_period, verification_ttl } = data;
+          // value returned from API is a number, and string when from form action
+          if (Number(rotation_period) === 0) data.rotation_period = '24h';
+          if (Number(verification_ttl) === 0) data.verification_ttl = '24h';
+
+          const { name, ...payload } = data;
+          await this.api.identity.oidcWriteKey(name, payload);
+          this.flashMessages.success(`Successfully ${isNew ? 'created' : 'updated'} the key ${name}.`);
+          // this form is sometimes used in a modal, passing the form notifies the parent the save was successful
+          this.args.onSave(this.args.form);
         }
-        // if TTL components are toggled off, set to default lease duration
-        const { rotationPeriod, verificationTtl } = this.args.model;
-        // value returned from API is a number, and string when from form action
-        if (Number(rotationPeriod) === 0) this.args.model.rotationPeriod = '24h';
-        if (Number(verificationTtl) === 0) this.args.model.verificationTtl = '24h';
-        yield this.args.model.save();
-        this.flashMessages.success(
-          `Successfully ${isNew ? 'created' : 'updated'} the key
-          ${name}.`
-        );
-        // this form is sometimes used in a modal, passing the model notifies
-        // the parent if the save was successful
-        this.args.onSave(this.args.model);
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.errorBanner = message;
+        this.invalidFormAlert = 'There was an error submitting this form.';
       }
-    } catch (error) {
-      const message = error.errors ? error.errors.join('. ') : error.message;
-      this.errorBanner = message;
-      this.invalidFormAlert = 'There was an error submitting this form.';
-    }
-  }
+    })
+  );
 }
diff --git a/ui/app/components/oidc/provider-form.hbs b/ui/app/components/oidc/provider-form.hbs
index 7e39b8263b..9e96b08392 100644
--- a/ui/app/components/oidc/provider-form.hbs
+++ b/ui/app/components/oidc/provider-form.hbs
@@ -3,48 +3,28 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="{{if @model.isNew 'Create' 'Edit'}} Provider">
+<Page::Header @title="{{if @form.isNew 'Create' 'Edit'}} Provider">
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
-<form {{on "submit" (perform this.save)}} {{did-insert this.setIssuer @model}}>
+<form {{on "submit" (perform this.save)}}>
   <div class="box is-sideless is-fullwidth is-bottomless">
     <MessageError @errorMessage={{this.errorBanner}} />
-    {{! name field }}
-    <FormField
-      data-test-field={{true}}
-      @attr={{get @model.formFields "0"}}
-      @model={{@model}}
-      @modelValidations={{this.modelValidations}}
-    />
-    {{#let (get @model.formFields "1") as |attr|}}
-      <FormFieldLabel
-        for={{attr.name}}
-        @label="Issuer"
-        @helpText={{attr.options.helpText}}
-        @subText={{attr.options.subText}}
-        @docLink={{attr.options.docLink}}
+    <FormFieldGroups @model={{@form}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}}>
+      {{! scopes are fetched in route and passed into select component }}
+      <SearchSelect
+        @id="oidc-provider-form-scope-select"
+        @options={{@scopes}}
+        @selectLimit="1"
+        @disallowNewItems={{true}}
+        @fallbackComponent="string-list"
+        @onChange={{fn (mut @form.data.scopes_supported)}}
+        @inputValue={{if @form.data.scopes_supported (array @form.data.scopes_supported)}}
+        class="is-marginless"
       />
-      <Input
-        data-test-field={{true}}
-        data-test-input={{attr.name}}
-        id={{attr.name}}
-        autocomplete="off"
-        spellcheck="false"
-        @value={{@model.issuer}}
-        class="input {{if this.validationError 'has-error-border'}}"
-        placeholder={{attr.options.placeholderText}}
-      />
-    {{/let}}
-    {{! scopesSupported field }}
-    <FormField
-      data-test-field={{true}}
-      @attr={{get @model.formFields "2"}}
-      @model={{@model}}
-      @modelValidations={{this.modelValidations}}
-    />
+    </FormFieldGroups>
   </div>
   {{! RADIO CARD + SEARCH SELECT }}
   <div class="box is-sideless is-fullwidth is-marginless has-top-padding-xxl">
@@ -70,16 +50,18 @@
       />
     </div>
     {{#if (eq this.radioCardGroupValue "limited")}}
+      {{! clients are fetched in route and passed into select component }}
       <SearchSelect
-        @id="allowedClientIds"
+        @id="oidc-provider-form-client-select"
         @label="Application name"
-        @models={{array "oidc/client"}}
-        @inputValue={{@model.allowedClientIds}}
+        @options={{@clients}}
+        @parentManageSelected={{this.selectedClients}}
         @onChange={{this.handleClientSelection}}
         @disallowNewItems={{true}}
         @fallbackComponent="string-list"
         @passObject={{true}}
-        @objectKeys={{array "clientId"}}
+        @objectKeys={{array "client_id"}}
+        @shouldRenderName={{true}}
         @renderTooltip={{this.renderTooltip}}
       />
     {{/if}}
@@ -87,7 +69,7 @@
   <div class="field box is-fullwidth is-bottomless">
     <div class="control">
       <Hds::Button
-        @text={{if @model.isNew "Create" "Update"}}
+        @text={{if @form.isNew "Create" "Update"}}
         @icon={{if this.save.isRunning "loading"}}
         type="submit"
         disabled={{this.save.isRunning}}
@@ -98,7 +80,7 @@
         @color="secondary"
         class="has-left-margin-s"
         disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
+        {{on "click" @onCancel}}
         data-test-oidc-provider-cancel
       />
     </div>
diff --git a/ui/app/components/oidc/provider-form.js b/ui/app/components/oidc/provider-form.js
index 0fc2431702..2bfab4c1b4 100644
--- a/ui/app/components/oidc/provider-form.js
+++ b/ui/app/components/oidc/provider-form.js
@@ -8,105 +8,119 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import { task } from 'ember-concurrency';
-import parseURL from 'core/utils/parse-url';
+import { waitFor } from '@ember/test-waiters';
+
 /**
  * @module OidcProviderForm
  * OidcProviderForm components are used to create and update OIDC providers
  *
  * @example
  * ```js
- * <OidcProviderForm @model={{this.model}} />
+ * <OidcProviderForm @form={{this.model.form}} @scopes={{this.model.scopes}} />
  * ```
  * @callback onCancel
  * @callback onSave
- * @param {Object} model - oidc client model
+ * @param {Object} form - oidc provider form
+ * @param {Array} scopes - array of scopes to populate dropdown in form
+ * @param {Array} clients - array of clients to populate dropdown in form
  * @param {onCancel} onCancel - callback triggered when cancel button is clicked
  * @param {onSave} onSave - callback triggered on save success
  */
 
 export default class OidcProviderForm extends Component {
-  @service store;
+  @service api;
   @service flashMessages;
+
   @tracked modelValidations;
   @tracked errorBanner;
   @tracked invalidFormAlert;
-  @tracked radioCardGroupValue =
+  @tracked radioCardGroupValue = 'limited';
+  @tracked selectedClients = [];
+
+  constructor() {
+    super(...arguments);
     // If "*" is provided, all clients are allowed: https://developer.hashicorp.com/vault/api-docs/secret/identity/oidc-provider#parameters
-    !this.args.model.allowedClientIds || this.args.model.allowedClientIds.includes('*')
-      ? 'allow_all'
-      : 'limited';
+    const { allowed_client_ids } = this.args.form.data;
+    if (!allowed_client_ids || allowed_client_ids.includes('*')) {
+      this.radioCardGroupValue = 'allow_all';
+    }
+    // initialize selectedClients for SearchSelect component with allowed_client_ids from form data
+    this.updateSelectedClients();
+  }
 
   get breadcrumbs() {
-    const providersOrDetailsBreadcrumb = this.args.model.isNew
-      ? { label: 'Providers', route: 'vault.cluster.access.oidc.providers' }
-      : {
-          label: 'Details',
-          route: 'vault.cluster.access.oidc.providers.provider.details',
-          model: this.args.model.name,
-        };
-    return [
+    const crumbs = [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
-      providersOrDetailsBreadcrumb,
-      { label: this.args.model.isNew ? 'Create Provider' : 'Edit Provider' },
+      { label: 'OIDC provider: Providers', route: 'vault.cluster.access.oidc.providers' },
     ];
+
+    if (!this.args.form.isNew) {
+      crumbs.push({
+        label: this.args.form.data.name,
+        route: 'vault.cluster.access.oidc.providers.provider.details',
+        model: this.args.form.data.name,
+      });
+    }
+
+    crumbs.push({ label: this.args.form.isNew ? 'Create provider' : 'Edit provider' });
+    return crumbs;
   }
 
   // function passed to search select
   renderTooltip(selection, dropdownOptions) {
     // if a client has been deleted it will not exist in dropdownOptions (response from search select's query)
-    const clientExists = !!dropdownOptions.find((opt) => opt.clientId === selection);
+    const clientExists = !!dropdownOptions.find((opt) => opt.client_id === selection);
     return !clientExists ? 'The application associated with this client_id no longer exists' : false;
   }
 
-  // fired on did-insert from render modifier
-  @action
-  setIssuer(elem, [model]) {
-    model.issuer = model.isNew ? '' : parseURL(model.issuer).origin;
+  updateSelectedClients() {
+    const { data } = this.args.form;
+    this.selectedClients = data.allowed_client_ids?.map((clientId) =>
+      this.args.clients.find((client) => client.client_id === clientId)
+    );
   }
 
   @action
   handleClientSelection(selection) {
-    // if array then coming from search-select component, set selection as model clients
+    const { data } = this.args.form;
+    // when triggered from search-select component an array is passed
+    // set selection as clients
     if (Array.isArray(selection)) {
-      this.args.model.allowedClientIds = selection.map((client) => client.clientId);
+      data.allowed_client_ids = selection.map((client) => client.client_id);
     } else {
       // otherwise update radio button value and reset clients so
       // UI always reflects a user's selection (including when no clients are selected)
       this.radioCardGroupValue = selection;
-      this.args.model.allowedClientIds = [];
+      data.allowed_client_ids = [];
     }
+    // update selectedClients which appear in SearchSelect
+    this.updateSelectedClients();
   }
 
-  @action
-  cancel() {
-    const method = this.args.model.isNew ? 'unloadRecord' : 'rollbackAttributes';
-    this.args.model[method]();
-    this.args.onCancel();
-  }
+  save = task(
+    waitFor(async (event) => {
+      event.preventDefault();
+      try {
+        const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+        this.modelValidations = isValid ? null : state;
+        this.invalidFormAlert = invalidFormMessage;
 
-  @task
-  *save(event) {
-    event.preventDefault();
-    try {
-      const { isValid, state, invalidFormMessage } = this.args.model.validate();
-      this.modelValidations = isValid ? null : state;
-      this.invalidFormAlert = invalidFormMessage;
-      if (isValid) {
-        const { isNew, name } = this.args.model;
-        if (this.radioCardGroupValue === 'allow_all') {
-          this.args.model.allowedClientIds = ['*'];
+        if (isValid) {
+          if (this.radioCardGroupValue === 'allow_all') {
+            data.allowed_client_ids = ['*'];
+          }
+          const { name, ...payload } = data;
+          await this.api.identity.oidcWriteProvider(name, payload);
+          this.flashMessages.success(
+            `Successfully ${this.args.form.isNew ? 'created' : 'updated'} the OIDC provider ${name}.`
+          );
+          this.args.onSave();
         }
-        yield this.args.model.save();
-        this.flashMessages.success(
-          `Successfully ${isNew ? 'created' : 'updated'} the OIDC provider
-          ${name}.`
-        );
-        this.args.onSave();
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.errorBanner = message;
+        this.invalidFormAlert = 'There was an error submitting this form.';
       }
-    } catch (error) {
-      const message = error.errors ? error.errors.join('. ') : error.message;
-      this.errorBanner = message;
-      this.invalidFormAlert = 'There was an error submitting this form.';
-    }
-  }
+    })
+  );
 }
diff --git a/ui/app/components/oidc/provider-list.hbs b/ui/app/components/oidc/provider-list.hbs
index d18b19c06b..0cdf1edb83 100644
--- a/ui/app/components/oidc/provider-list.hbs
+++ b/ui/app/components/oidc/provider-list.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-{{#each @model as |provider|}}
+{{#each @model.providers as |provider|}}
   <LinkedBlock
     class="list-item-row"
     @params={{array "vault.cluster.access.oidc.providers.provider.details" provider.name}}
@@ -24,7 +24,7 @@
       </div>
       <div class="level-right is-flex is-paddingless is-marginless">
         <div class="level-item">
-          {{#if (or provider.canRead provider.canEdit)}}
+          {{#if (has-capability @model.capabilities "read" "update" pathKey="oidcProvider" params=provider)}}
             <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
               <dd.ToggleIcon
                 @icon="more-horizontal"
@@ -32,19 +32,23 @@
                 @hasChevron={{false}}
                 data-test-popup-menu-trigger
               />
-              {{#if provider.canRead}}
+              {{#if (has-capability @model.capabilities "read" pathKey="oidcProvider" params=provider)}}
                 <dd.Interactive
                   @route="vault.cluster.access.oidc.providers.provider.details"
                   @model={{provider.name}}
                   data-test-oidc-provider-menu-link="details"
-                >Details</dd.Interactive>
+                >
+                  Details
+                </dd.Interactive>
               {{/if}}
-              {{#if provider.canEdit}}
+              {{#if (has-capability @model.capabilities "update" pathKey="oidcProvider" params=provider)}}
                 <dd.Interactive
                   @route="vault.cluster.access.oidc.providers.provider.edit"
                   @model={{provider.name}}
                   data-test-oidc-provider-menu-link="edit"
-                >Edit</dd.Interactive>
+                >
+                  Edit
+                </dd.Interactive>
               {{/if}}
             </Hds::Dropdown>
           {{/if}}
diff --git a/ui/app/components/oidc/scope-form.hbs b/ui/app/components/oidc/scope-form.hbs
index 5c57a2c9ef..d11ab01530 100644
--- a/ui/app/components/oidc/scope-form.hbs
+++ b/ui/app/components/oidc/scope-form.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="{{if @model.isNew 'Create' 'Edit'}} Scope">
+<Page::Header @title="{{if @form.isNew 'Create' 'Edit'}} Scope">
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
@@ -24,13 +24,11 @@
       Providers may reference a set of scopes to make specific identity information available as claims
     </p>
     <MessageError @errorMessage={{this.errorBanner}} />
-    {{#each @model.formFields as |field|}}
-      <FormField @attr={{field}} @model={{@model}} @modelValidations={{this.modelValidations}} />
-    {{/each}}
+    <FormFieldGroups @model={{@form}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}} />
   </div>
   <div class="has-top-margin-l has-bottom-margin-l">
     <Hds::Button
-      @text={{if @model.isNew "Create" "Update"}}
+      @text={{if @form.isNew "Create" "Update"}}
       @icon={{if this.save.isRunning "loading"}}
       type="submit"
       disabled={{this.save.isRunning}}
@@ -41,7 +39,7 @@
       @color="secondary"
       class="has-left-margin-s"
       disabled={{this.save.isRunning}}
-      {{on "click" this.cancel}}
+      {{on "click" @onCancel}}
       data-test-oidc-scope-cancel
     />
   </div>
diff --git a/ui/app/components/oidc/scope-form.js b/ui/app/components/oidc/scope-form.js
index 6eb26ba9ae..1421d65374 100644
--- a/ui/app/components/oidc/scope-form.js
+++ b/ui/app/components/oidc/scope-form.js
@@ -5,9 +5,9 @@
 
 import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
-import { action } from '@ember/object';
 import { task } from 'ember-concurrency';
 import { service } from '@ember/service';
+import { waitFor } from '@ember/test-waiters';
 
 /**
  * @module OidcScopeForm
@@ -15,17 +15,19 @@ import { service } from '@ember/service';
  *
  * @example
  * ```js
- * <Oidc::ScopeForm @model={{this.model}} />
+ * <Oidc::ScopeForm @form={{this.model}} />
  * ```
  * @callback onCancel
  * @callback onSave
- * @param {Object} model - oidc scope model
+ * @param {Object} form - oidc scope form
  * @param {onCancel} onCancel - callback triggered when cancel button is clicked
  * @param {onSave} onSave - callback triggered on save success
  */
 
 export default class OidcScopeFormComponent extends Component {
+  @service api;
   @service flashMessages;
+
   @tracked errorBanner;
   @tracked invalidFormAlert;
   @tracked modelValidations;
@@ -40,43 +42,43 @@ export default class OidcScopeFormComponent extends Component {
 }`;
 
   get breadcrumbs() {
-    const scopesOrDetailsBreadcrumb = this.args.model.isNew
-      ? { label: 'Scopes', route: 'vault.cluster.access.oidc.scopes' }
-      : {
-          label: 'Details',
-          route: 'vault.cluster.access.oidc.scopes.scope.details',
-          model: this.args.model.name,
-        };
-    return [
+    const crumbs = [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
-      scopesOrDetailsBreadcrumb,
-      { label: this.args.model.isNew ? 'Create Scope' : 'Edit Scope' },
+      { label: 'OIDC provider: Scopes', route: 'vault.cluster.access.oidc.scopes' },
     ];
+
+    if (!this.args.form.isNew) {
+      crumbs.push({
+        label: this.args.form.data.name,
+        route: 'vault.cluster.access.oidc.scopes.scope.details',
+        model: this.args.form.data.name,
+      });
+    }
+
+    crumbs.push({ label: this.args.form.isNew ? 'Create scope' : 'Edit scope' });
+    return crumbs;
   }
 
-  @task
-  *save(event) {
-    event.preventDefault();
-    try {
-      const { isValid, state, invalidFormMessage } = this.args.model.validate();
-      this.modelValidations = isValid ? null : state;
-      this.invalidFormAlert = invalidFormMessage;
-      if (isValid) {
-        const { isNew, name } = this.args.model;
-        yield this.args.model.save();
-        this.flashMessages.success(`Successfully ${isNew ? 'created' : 'updated'} the scope ${name}.`);
-        this.args.onSave();
+  save = task(
+    waitFor(async (event) => {
+      event.preventDefault();
+      try {
+        const { isNew } = this.args.form;
+        const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+        this.modelValidations = isValid ? null : state;
+        this.invalidFormAlert = invalidFormMessage;
+
+        if (isValid) {
+          const { name, ...payload } = data;
+          await this.api.identity.oidcWriteScope(name, payload);
+          this.flashMessages.success(`Successfully ${isNew ? 'created' : 'updated'} the scope ${name}.`);
+          this.args.onSave();
+        }
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.errorBanner = message;
+        this.invalidFormAlert = 'There was an error submitting this form.';
       }
-    } catch (error) {
-      const message = error.errors ? error.errors.join('. ') : error.message;
-      this.errorBanner = message;
-      this.invalidFormAlert = 'There was an error submitting this form.';
-    }
-  }
-  @action
-  cancel() {
-    const method = this.args.model.isNew ? 'unloadRecord' : 'rollbackAttributes';
-    this.args.model[method]();
-    this.args.onCancel();
-  }
+    })
+  );
 }
diff --git a/ui/app/components/page/methods.hbs b/ui/app/components/page/methods.hbs
index 8222418435..4db2769443 100644
--- a/ui/app/components/page/methods.hbs
+++ b/ui/app/components/page/methods.hbs
@@ -8,13 +8,19 @@
     <:breadcrumbs>
       <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
     </:breadcrumbs>
+    <:description>
+      Configure authentication methods for accessing Vault.
+      <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/mfa"}}>
+        Learn more
+      </Hds::Link::Inline>
+    </:description>
     <:actions>
       {{#if this.showIntroButton}}
         <Hds::Button
           class="has-right-margin-4"
           @color="secondary"
           @icon="bulb"
-          @text="New to Auth Methods?"
+          @text="New to Auth methods?"
           {{on "click" this.showIntroPage}}
           data-test-button="intro"
         />
@@ -25,7 +31,9 @@
 
 {{#if this.showWizard}}
   <Wizard::Methods::MethodsWizard @isIntroModal={{this.shouldRenderIntroModal}} @onRefresh={{this.refreshMethodsList}} />
-{{else}}
+{{/if}}
+
+{{#if this.showContent}}
   <Toolbar>
     <ToolbarFilters>
       <SearchSelect
@@ -131,8 +139,8 @@
       </div>
     </LinkedBlock>
   {{else}}
-    <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-      <A.Header @title="No Authentication Methods found" @titleTag="h2" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No Authentication Methods found" @titleTag="h2" data-test-empty-state-title />
     </Hds::ApplicationState>
   {{/each}}
 
diff --git a/ui/app/components/page/methods.ts b/ui/app/components/page/methods.ts
index 8a21f98d61..5f3f267ebd 100644
--- a/ui/app/components/page/methods.ts
+++ b/ui/app/components/page/methods.ts
@@ -9,7 +9,7 @@ import { tracked } from '@glimmer/tracking';
 import Component from '@glimmer/component';
 import { dropTask } from 'ember-concurrency';
 import sortObjects from 'vault/utils/sort-objects';
-import { WIZARD_ID } from '../wizard/methods/methods-wizard';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 import type ApiService from 'vault/services/api';
 import type FlashMessageService from 'vault/services/flash-messages';
@@ -46,7 +46,7 @@ export default class PageAuthMethodsComponent extends Component<Args> {
   @tracked methodToDisable: AuthMethodResource | null = null;
   @tracked shouldRenderIntroModal = false;
 
-  wizardId = WIZARD_ID;
+  wizardId = WIZARD_ID_MAP.authMethods;
 
   // list returned by getter is sorted in template
   get authMethodList() {
@@ -92,8 +92,14 @@ export default class PageAuthMethodsComponent extends Component<Args> {
     return this.args.model.methods.length === 1;
   }
 
+  get showContent() {
+    // Show when the 1) wizard is not shown OR 2) wizard intro modal is shown
+    // This ensures the wizard intro modal is shown on top of the list view and the background content is not blank behind the modal
+    return !this.showWizard || (this.shouldRenderIntroModal && this.wizard.isIntroVisible(this.wizardId));
+  }
+
   get showIntroButton() {
-    return !this.showWizard && this.hasOnlyDefaultMethods;
+    return this.showContent && this.hasOnlyDefaultMethods;
   }
 
   get showWizard() {
diff --git a/ui/app/components/page/namespaces.hbs b/ui/app/components/page/namespaces.hbs
index f903eddf67..b562e1ed8b 100644
--- a/ui/app/components/page/namespaces.hbs
+++ b/ui/app/components/page/namespaces.hbs
@@ -14,6 +14,13 @@
       <:badges>
         <Hds::Badge @icon="org" @text={{this.namespacePath}} data-test-badge="namespace-path" />
       </:badges>
+      <:description>
+        Create logically separated, multi-tenant environments so teams can manage secrets, policies, and authentication
+        methods independently.
+        <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/namespaces"}}>
+          Learn more
+        </Hds::Link::Inline>
+      </:description>
       <:actions>
         {{#if this.showIntroButton}}
           <Hds::Button
@@ -26,7 +33,7 @@
         {{/if}}
         {{#unless this.hasNamespaces}}
           <Hds::Button
-            @color={{if this.showWizard "secondary" "primary"}}
+            @color={{if this.showContent "primary" "secondary"}}
             @icon="plus"
             @route="vault.cluster.access.namespaces.create"
             @text="Create namespace"
@@ -40,12 +47,15 @@
   {{#if this.showWizard}}
     <Wizard::Namespaces::NamespaceWizard
       @isIntroModal={{this.shouldRenderIntroModal}}
+      @onFlexiblePolicyComplete={{fn (mut this.showSetupAlert) true}}
       @onRefresh={{this.refreshNamespaceList}}
     />
-  {{else}}
+  {{/if}}
+
+  {{#if this.showContent}}
     {{! Show namespace list }}
     {{#if this.hasNamespaces}}
-      <Toolbar>
+      <Toolbar class="top-margin-16 has-bottom-margin-s">
         <ToolbarFilters>
           <FilterInputExplicit
             @query={{@model.pageFilter}}
@@ -71,61 +81,53 @@
         </ToolbarActions>
       </Toolbar>
 
-      <ListView
-        @items={{@model.namespaces}}
-        @itemNoun="namespace"
-        @paginationRouteName="vault.cluster.access.namespaces"
-        @onPageChange={{this.handlePageChange}}
-        as |list|
-      >
-        {{#if @model.namespaces.length}}
-          <ListItem as |Item|>
-            <Item.content>
-              {{list.item.id}}
-            </Item.content>
-            <Item.menu>
-              <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
-                <dd.ToggleIcon
-                  @icon="more-horizontal"
-                  @text="More options"
-                  @hasChevron={{false}}
-                  data-test-popup-menu-trigger
-                />
-                {{#let (concat this.namespace.path (if this.namespace.path "/") list.item.id) as |targetNamespace|}}
-                  {{#if (includes targetNamespace this.namespace.accessibleNamespaces)}}
-                    <dd.Interactive
-                      {{on "click" (fn this.switchNamespace targetNamespace)}}
-                      data-test-popup-menu="switch"
-                    >Switch to namespace</dd.Interactive>
-                  {{/if}}
-                {{/let}}
-                <dd.Interactive
-                  @color="critical"
-                  {{on "click" (fn (mut this.nsToDelete) list.item)}}
-                  data-test-popup-menu="delete"
-                >Delete</dd.Interactive>
-              </Hds::Dropdown>
-              {{#if (eq this.nsToDelete list.item)}}
-                <ConfirmModal
-                  @color="critical"
-                  @onClose={{fn (mut this.nsToDelete) null}}
-                  @onConfirm={{fn this.deleteNamespace list.item}}
-                  @confirmTitle="Delete this namespace?"
-                  @confirmMessage="Any engines or mounts in this namespace will also be removed."
-                />
-              {{/if}}
-            </Item.menu>
-          </ListItem>
-        {{else}}
-          <list.empty>
-            <Hds::Link::Standalone
-              @icon="learn-link"
-              @text="Secure multi-tenancy with namespaces tutorial"
-              @href={{doc-link "/vault/tutorials/enterprise/namespaces"}}
-            />
-          </list.empty>
-        {{/if}}
-      </ListView>
+      {{#if @model.namespaces.length}}
+        <ListTable
+          @columns={{this.tableColumns}}
+          @data={{this.namespaceIds}}
+          @pageSize={{@model.pageSize}}
+          @page={{@model.page}}
+          @onPageChange={{this.handlePageChange}}
+          @onPageSizeChange={{this.handlePageSizeChange}}
+        >
+          <:popupMenu as |rowData|>
+            <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
+              <dd.ToggleIcon
+                @icon="more-horizontal"
+                @text="More options"
+                @hasChevron={{false}}
+                data-test-popup-menu-trigger
+              />
+              {{#let (concat this.namespace.path (if this.namespace.path "/") rowData.id) as |targetNamespace|}}
+                {{#if (includes targetNamespace this.namespace.accessibleNamespaces)}}
+                  <dd.Interactive
+                    {{on "click" (fn this.switchNamespace targetNamespace)}}
+                    data-test-popup-menu="switch"
+                  >Switch to namespace</dd.Interactive>
+                {{/if}}
+              {{/let}}
+              <dd.Interactive
+                @color="critical"
+                {{on "click" (fn (mut this.nsToDelete) rowData.id)}}
+                data-test-popup-menu="delete"
+              >Delete</dd.Interactive>
+            </Hds::Dropdown>
+            {{#if (eq this.nsToDelete rowData.id)}}
+              <ConfirmModal
+                @color="critical"
+                @onClose={{fn (mut this.nsToDelete) null}}
+                @onConfirm={{fn this.deleteNamespace rowData.id}}
+                @confirmTitle="Delete this namespace?"
+                @confirmMessage="Any engines or mounts in this namespace will also be removed."
+              />
+            {{/if}}
+          </:popupMenu>
+        </ListTable>
+      {{else}}
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+          <A.Header @title="No Namespaces found" @titleTag="h2" data-test-empty-state-title />
+        </Hds::ApplicationState>
+      {{/if}}
     {{else}}
       {{! Show empty state }}
       {{#if this.showSetupAlert}}
@@ -135,14 +137,8 @@
         </Hds::Alert>
       {{/if}}
 
-      <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-        <A.Header
-          @title="No namespaces yet"
-          @titleTag="h2"
-          @icon="skip"
-          class="align-items-end"
-          data-test-empty-state-title
-        />
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+        <A.Header @title="No namespaces yet" @titleTag="h2" @icon="skip" data-test-empty-state-title />
         <A.Body @text="Your namespaces will be listed here. Add a namespace to get started." />
         <A.Footer as |F|>
           <F.Button
diff --git a/ui/app/components/page/namespaces.ts b/ui/app/components/page/namespaces.ts
index 49fa8bfcd7..e713adf6d8 100644
--- a/ui/app/components/page/namespaces.ts
+++ b/ui/app/components/page/namespaces.ts
@@ -8,7 +8,7 @@ import { action } from '@ember/object';
 import { tracked } from '@glimmer/tracking';
 import Component from '@glimmer/component';
 import keys from 'core/utils/keys';
-import { WIZARD_ID } from 'vault/components/wizard/namespaces/namespace-wizard';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 import errorMessage from 'vault/utils/error-message';
 
 import type ApiService from 'vault/services/api';
@@ -34,10 +34,13 @@ import type { PaginatedMetadata } from 'core/utils/paginate-list';
 interface Args {
   model: {
     namespaces: NamespaceModel[] & PaginatedMetadata;
+    page: number;
+    pageSize: number;
     pageFilter: string | null;
   };
   onFilterChange: CallableFunction;
   onRefresh: CallableFunction;
+  onPageChange: CallableFunction;
 }
 
 interface NamespaceModel {
@@ -62,11 +65,31 @@ export default class PageNamespacesComponent extends Component<Args> {
   @tracked showSetupAlert = false;
   @tracked shouldRenderIntroModal = false;
 
+  wizardId = WIZARD_ID_MAP.namespace;
+
+  tableColumns = [
+    {
+      key: 'id',
+      label: 'Path',
+    },
+    {
+      key: 'popupMenu',
+      label: 'Action',
+      width: '75px',
+    },
+  ];
+
   constructor(owner: unknown, args: Args) {
     super(owner, args);
     this.query = this.args.model.pageFilter || '';
   }
 
+  get namespaceIds() {
+    return this.args.model.namespaces.map((namespace) => {
+      return { id: namespace.id };
+    });
+  }
+
   // show the full available namespace path e.g. "root/ns1/child2", "admin/ns1/child2"
   get namespacePath() {
     if (this.namespace.inRootNamespace) {
@@ -91,16 +114,22 @@ export default class PageNamespacesComponent extends Component<Args> {
   // Show header and breadcrumbs when viewing the intro page or during the list view.
   // Do not show during Guided Start as that has its own header
   get showPageHeader() {
-    return !this.showWizard || this.wizard.isIntroVisible(WIZARD_ID);
+    return !this.showWizard || this.wizard.isIntroVisible(this.wizardId);
+  }
+
+  get showContent() {
+    // Show when the 1) wizard is not shown OR 2) wizard intro modal is shown
+    // This ensures the wizard intro modal is shown on top of the list view and the background content is not blank behind the modal
+    return !this.showWizard || (this.shouldRenderIntroModal && this.wizard.isIntroVisible(this.wizardId));
   }
 
   get showIntroButton() {
-    return !this.showWizard && !this.hasNamespaces;
+    return this.showContent && !this.hasNamespaces;
   }
 
   get showWizard() {
     // Show when there are no existing namespaces and it is not in a dismissed state
-    return !this.wizard.isDismissed(WIZARD_ID) && !this.hasNamespaces;
+    return !this.wizard.isDismissed(this.wizardId) && !this.hasNamespaces;
   }
 
   @action
@@ -121,11 +150,12 @@ export default class PageNamespacesComponent extends Component<Args> {
   @action
   handleSearch(evt: HTMLElementEvent<HTMLInputElement>) {
     evt.preventDefault();
-    this.args.onFilterChange(this.query);
+    this.args.onFilterChange({ pageFilter: this.query });
   }
 
   @action
-  async deleteNamespace(nsToDelete: NamespaceModel) {
+  async deleteNamespace(namespaceId: string) {
+    const nsToDelete = this.args.model.namespaces.find((ns) => ns.id === namespaceId) as NamespaceModel;
     try {
       // Attempt to destroy the record
       await nsToDelete.destroyRecord();
@@ -156,12 +186,18 @@ export default class PageNamespacesComponent extends Component<Args> {
   @action
   showIntroPage() {
     // Reset the wizard dismissal state to allow re-entering the wizard
-    this.wizard.reset(WIZARD_ID);
+    this.wizard.reset(this.wizardId);
     this.shouldRenderIntroModal = true;
   }
 
-  @action handlePageChange() {
-    this.args.onRefresh();
+  // handles page change but keeps pageFilters if there are any
+  @action handlePageChange(page: number) {
+    this.args.onPageChange({ page: page, pageFilter: this.query, pageSize: this.args.model.pageSize });
+  }
+
+  // handles page size change but keeps any current pageFilters
+  @action handlePageSizeChange(pageSize: number) {
+    this.args.onPageChange({ page: 1, pageFilter: this.query, pageSize: pageSize });
   }
 
   @action
diff --git a/ui/app/components/page/policies.hbs b/ui/app/components/page/policies.hbs
index c5a138f9a6..12159053b7 100644
--- a/ui/app/components/page/policies.hbs
+++ b/ui/app/components/page/policies.hbs
@@ -18,12 +18,18 @@
         }}
       />
     </:breadcrumbs>
+    <:description>
+      {{this.description}}
+      <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/policies"}}>
+        Learn more
+      </Hds::Link::Inline>
+    </:description>
     <:actions>
       {{#if this.showIntroButton}}
         <Hds::Button
           @color="secondary"
           @icon="bulb"
-          @text="New to ACL Policies?"
+          @text="New to ACL policies?"
           {{on "click" this.showIntroPage}}
           data-test-button="intro"
         />
@@ -33,7 +39,9 @@
 
   {{#if this.showWizard}}
     <Wizard::AclPolicies::AclWizard @isIntroModal={{this.shouldRenderIntroModal}} @onRefresh={{this.refreshPolicyList}} />
-  {{else}}
+  {{/if}}
+
+  {{#if this.showContent}}
     <Toolbar>
       {{#if @model.meta.total}}
         <ToolbarFilters>
@@ -88,12 +96,12 @@
     </Toolbar>
     {{#if @model.meta.total}}
       {{#each @model as |item|}}
-        {{#if (eq item.id "root")}}
+        {{#if (eq item.name "root")}}
           <div class="list-item-row is-flex" data-test-policy-item>
             <Icon @name="file" class="has-text-grey-light" />
             <div>
               <span class="has-text-weight-semibold has-text-grey" data-test-policy-name>
-                {{item.id}}
+                {{item.name}}
               </span>
               <p class="help has-text-grey">
                 The
@@ -104,20 +112,20 @@
           </div>
         {{else}}
           <LinkedBlock
-            @params={{array "vault.cluster.policy.show" @policyType item.id}}
+            @params={{array "vault.cluster.policy.show" @policyType item.name}}
             class="list-item-row"
-            data-test-policy-link={{item.id}}
+            data-test-policy-link={{item.name}}
           >
             <div class="columns is-mobile">
               <div class="column is-10">
                 <LinkTo
                   @route="vault.cluster.policy.show"
-                  @models={{array @policyType item.id}}
+                  @models={{array @policyType item.name}}
                   class="has-text-black has-text-weight-semibold"
                   data-test-policy-item={{true}}
                 >
                   <Icon @name="file" class="has-text-grey-light" />
-                  <span class="is-underline" data-test-policy-name>{{item.id}}</span>
+                  <span class="is-underline" data-test-policy-name>{{item.name}}</span>
                 </LinkTo>
               </div>
               <div class="column has-text-right">
@@ -133,21 +141,23 @@
                       <LoadingDropdownOption />
                     </dd.Generic>
                   {{else}}
-                    {{#if item.canRead}}
+                    {{#if item.capabilities.canRead}}
                       <dd.Interactive
                         @route="vault.cluster.policy.show"
-                        @models={{array @policyType item.id}}
+                        @models={{array @policyType item.name}}
                         data-test-policy-link="show"
                       >Details</dd.Interactive>
                     {{/if}}
-                    {{#if item.canEdit}}
+                    {{#if item.capabilities.canUpdate}}
                       <dd.Interactive
                         @route="vault.cluster.policy.edit"
-                        @models={{array @policyType item.id}}
+                        @models={{array @policyType item.name}}
                         data-test-policy-link="edit"
                       >Edit</dd.Interactive>
                     {{/if}}
-                    {{#if (and item.canDelete (not-eq item.name "default"))}}
+                    {{#if
+                      (and item.capabilities.canDelete (not-eq item.name "default") (not-eq item.name "default-ceiling"))
+                    }}
                       <dd.Interactive
                         @color="critical"
                         data-test-confirm-action-trigger
@@ -161,8 +171,8 @@
           </LinkedBlock>
         {{/if}}
       {{else}}
-        <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-          <A.Header @title="No policies matching &quot;{{this.filter}}&quot;" @titleTag="h2" />
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+          <A.Header @title="No policies matching &quot;{{this.filter}}&quot;" @titleTag="h2" data-test-empty-state-title />
         </Hds::ApplicationState>
       {{/each}}
       {{#unless this.filter}}
@@ -176,12 +186,13 @@
         />
       {{/unless}}
     {{else}}
-      <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-        <A.Header @title="No {{uppercase @policyType}} policies yet" @titleTag="h2" />
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+        <A.Header @title="No {{uppercase @policyType}} policies yet" @titleTag="h2" data-test-empty-state-title />
         <A.Body
           @text="A list of policies will be listed here. Create your first {{uppercase @policyType}} policy to get started."
+          data-test-empty-state-message
         />
-        <A.Footer as |F|>
+        <A.Footer data-test-empty-state-actions as |F|>
           {{#if (eq @policyType "acl")}}
             <F.LinkStandalone
               @iconPosition="trailing"
diff --git a/ui/app/components/page/policies.ts b/ui/app/components/page/policies.ts
index df48c04871..43f1b6cc6f 100644
--- a/ui/app/components/page/policies.ts
+++ b/ui/app/components/page/policies.ts
@@ -7,17 +7,24 @@ import { service } from '@ember/service';
 import { action } from '@ember/object';
 import { tracked } from '@glimmer/tracking';
 import Component from '@glimmer/component';
-import { WIZARD_ID } from 'vault/components/wizard/acl-policies/acl-wizard';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 import errorMessage from 'vault/utils/error-message';
+import { PolicyTypes } from 'core/utils/code-generators/policy';
 
 import type ApiService from 'vault/services/api';
 import type FlashMessageService from 'vault/services/flash-messages';
 import type NamespaceService from 'vault/services/namespace';
 import type RouterService from '@ember/routing/router-service';
 import type WizardService from 'vault/services/wizard';
-import type PolicyModel from 'vault/vault/models/policy';
 import type { PaginatedMetadata } from 'core/utils/paginate-list';
 
+interface PolicyModel {
+  name: string;
+  policy: string;
+  capabilities: object;
+  policyType: string;
+}
+
 interface Args {
   filter: string | null;
   model: PolicyModel[] & PaginatedMetadata;
@@ -38,25 +45,30 @@ export default class PagePoliciesComponent extends Component<Args> {
   @tracked policyToDelete = null;
   @tracked shouldRenderIntroModal = false;
 
+  wizardId = WIZARD_ID_MAP.aclPolicy;
+
   constructor(owner: unknown, args: Args) {
     super(owner, args);
     this.filter = this.args.filter || '';
   }
 
-  // callback from HDS pagination to set the queryParams page
-  get paginationQueryParams() {
-    return (page: number) => {
-      return {
-        page,
-      };
-    };
+  get description() {
+    const policyType = this.args.policyType;
+    if (policyType === PolicyTypes.ACL) {
+      return 'Define fine-grained rules to explicitly grant or forbid access to specific paths and operations within your cluster. Because Vault is a “default deny” system, if a permission is not granted in a policy, an entity would not have permission.';
+    } else if (policyType === PolicyTypes.EGP) {
+      return 'Use Sentinel to specify policies as code that apply to discrete API paths and enforce organizational compliance standards.';
+    } else if (policyType === PolicyTypes.RGP) {
+      return 'Use Sentinel to specify policies as code that apply to tokens, entities, groups and enforce organizational compliance standards.';
+    }
+    return '';
   }
 
   // Check if the filter exactly matches a policy ID
   get filterMatchesKey(): boolean {
     const filter = this.filter;
     const content = this.args.model;
-    return !!(content && content.length && content.find((c: PolicyModel) => c['id'] === filter));
+    return !!(content && content.length && content.find((c: PolicyModel) => c['name'] === filter));
   }
 
   // Find the first policy that partially matches the filter (starts with filter)
@@ -71,25 +83,40 @@ export default class PagePoliciesComponent extends Component<Args> {
     return filterMatchesKey
       ? undefined
       : content.find((key: PolicyModel) => {
-          return re.test(key['id'] as string);
+          return re.test(key['name'] as string);
         });
   }
 
-  // starting policies are 'default' and if in the root namespace, 'root' or 'hcp-root'
+  // starting policies are 'default', 'default-ceiling' and if in the root namespace, 'root' or 'hcp-root'
   get hasOnlyDefaultPolicies() {
-    const expectedLength = this.namespace.inRootNamespace ? 2 : 1;
+    const expectedLength = this.namespace.inRootNamespace ? 3 : 2;
     return this.args.model.meta?.total <= expectedLength;
   }
 
+  // callback from HDS pagination to set the queryParams page
+  get paginationQueryParams() {
+    return (page: number) => {
+      return {
+        page,
+      };
+    };
+  }
+
+  get showContent() {
+    // Show when the 1) wizard is not shown OR 2) wizard intro modal is shown
+    // This ensures the wizard intro modal is shown on top of the list view and the background content is not blank behind the modal
+    return !this.showWizard || (this.shouldRenderIntroModal && this.wizard.isIntroVisible(this.wizardId));
+  }
+
+  get showIntroButton() {
+    return this.args.policyType === PolicyTypes.ACL && this.showContent && this.hasOnlyDefaultPolicies;
+  }
+
   // Show when it is not in a dismissed state and there are no non-default policies and
   get showWizard() {
-    if (this.args.policyType !== 'acl') return false;
+    if (this.args.policyType !== PolicyTypes.ACL) return false;
     // Use total instead of filtered total to avoid flashing wizard when filtering with no results
-    return !this.wizard.isDismissed(WIZARD_ID) && this.hasOnlyDefaultPolicies;
-  }
-
-  get showIntroButton() {
-    return !this.showWizard && this.hasOnlyDefaultPolicies;
+    return !this.wizard.isDismissed(this.wizardId) && this.hasOnlyDefaultPolicies;
   }
 
   @action
@@ -99,9 +126,9 @@ export default class PagePoliciesComponent extends Component<Args> {
       const policyType = this.args.policyType;
 
       // Use the appropriate sys endpoint based on policy type
-      if (policyType === 'egp') {
+      if (policyType === PolicyTypes.EGP) {
         await this.api.sys.systemDeletePoliciesEgpName(policyName);
-      } else if (policyType === 'rgp') {
+      } else if (policyType === PolicyTypes.RGP) {
         await this.api.sys.systemDeletePoliciesRgpName(policyName);
       } else {
         await this.api.sys.policiesDeleteAclPolicy(policyName);
@@ -132,7 +159,7 @@ export default class PagePoliciesComponent extends Component<Args> {
   @action
   showIntroPage() {
     // Reset the wizard dismissal state to allow re-entering the wizard
-    this.wizard.reset(WIZARD_ID);
+    this.wizard.reset(this.wizardId);
     this.shouldRenderIntroModal = true;
   }
 
diff --git a/ui/app/components/page/policy-show.hbs b/ui/app/components/page/policy-show.hbs
index a7d6a71e64..c8e4b16c7a 100644
--- a/ui/app/components/page/policy-show.hbs
+++ b/ui/app/components/page/policy-show.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title={{@model.id}}>
+<Page::Header @title={{@model.name}}>
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
@@ -16,20 +16,20 @@
       @extension={{if (eq @model.policyType "acl") @model.format "sentinel"}}
       @text="Download policy"
     />
-    {{#if (and (not-eq @model.id "root") (or @model.canUpdate @model.canDelete))}}
+    {{#if (and (not-eq @model.name "root") (or @model.capabilities.canUpdate @model.capabilities.canDelete))}}
       <Hds::Button
         @icon="edit"
         @text="Edit policy"
         @route="vault.cluster.policy.edit"
-        @models={{array @model.policyType @model.id}}
+        @models={{array @model.policyType @model.name}}
         data-test-button="Edit policy"
       />
     {{/if}}
   </:actions>
 
   <:badges>
-    {{#if @model.enforcementLevel}}
-      <Hds::Badge @text={{@model.enforcementLevel}} aria-label="Enforcement level: {{@model.enforcementLevel}}" />
+    {{#if @model.enforcement_level}}
+      <Hds::Badge @text={{@model.enforcement_level}} aria-label="Enforcement level: {{@model.enforcement_level}}" />
     {{/if}}
   </:badges>
 </Page::Header>
diff --git a/ui/app/components/page/policy-show.ts b/ui/app/components/page/policy-show.ts
index ba924dc5ca..68674c7845 100644
--- a/ui/app/components/page/policy-show.ts
+++ b/ui/app/components/page/policy-show.ts
@@ -4,17 +4,22 @@
  */
 
 import Component from '@glimmer/component';
-import { policySnippetArgs } from 'core/utils/code-generators/policy';
-
-import type PolicyModel from 'vault/vault/models/policy';
+import { policySnippetArgs, PolicyTypes } from 'core/utils/code-generators/policy';
 
+interface PolicyModel {
+  name: string;
+  policy: string;
+  policyType: PolicyTypes;
+  format: string;
+  capabilities: object;
+}
 interface Args {
   model: PolicyModel;
 }
 export default class PagePolicyShow extends Component<Args> {
   get breadcrumbs() {
     // Provide defaults so crumbs don't error as the component is torn down
-    const { policyType = 'acl', id = 'policy' } = this.args.model || {};
+    const { policyType = 'acl', name = 'policy' } = this.args.model || {};
     return [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
       {
@@ -22,11 +27,11 @@ export default class PagePolicyShow extends Component<Args> {
         route: 'vault.cluster.policies',
         model: policyType,
       },
-      { label: id },
+      { label: name },
     ];
   }
 
   get snippetArgs() {
-    return policySnippetArgs(this.args.model.id, this.args.model.policy);
+    return policySnippetArgs(this.args.model.name, this.args.model.policy);
   }
 }
diff --git a/ui/app/components/pgp-file.hbs b/ui/app/components/pgp-file.hbs
index 6d31908a48..550db8c9f4 100644
--- a/ui/app/components/pgp-file.hbs
+++ b/ui/app/components/pgp-file.hbs
@@ -34,20 +34,10 @@
 <div class="field">
   {{#if this.key.enterAsText}}
     <div class="control">
-      <textarea
-        class="textarea"
-        oninput={{action "updateData"}}
-        data-test-pgp-file-textarea={{true}}
-        aria-labelledby={{concat "pgpFileTextarea-" this.elementId}}
-      >{{this.key.value}}</textarea>
+      <Hds::Form::Textarea::Field name="pgp-key" @value={{this.key.value}} as |F|>
+        <F.HelperText>{{or this.textareaHelpText "Enter a base64-encoded key"}}</F.HelperText>
+      </Hds::Form::Textarea::Field>
     </div>
-    <p class="help has-text-grey" id={{concat "pgpFileTextarea-" this.elementId}}>
-      {{#if this.textareaHelpText}}
-        {{this.textareaHelpText}}
-      {{else}}
-        Enter a base64-encoded key
-      {{/if}}
-    </p>
   {{else}}
     <div class="control is-expanded">
       <div class="file">
diff --git a/ui/app/components/policy-form-modal.hbs b/ui/app/components/policy-form-modal.hbs
new file mode 100644
index 0000000000..ffde58a0d1
--- /dev/null
+++ b/ui/app/components/policy-form-modal.hbs
@@ -0,0 +1,44 @@
+{{!
+  Copyright IBM Corp. 2016, 2026
+  SPDX-License-Identifier: BUSL-1.1
+}}
+<Hds::Modal id="search-select-modal" @onClose={{@onCancel}} as |M|>
+  <M.Header data-test-modal-title>
+    Create new policy
+  </M.Header>
+
+  <M.Body>
+    {{#if @form.policyType}}
+      <Hds::Tabs as |T|>
+        <T.Tab data-test-tab-your-policy>
+          Your Policy
+        </T.Tab>
+        <T.Tab Tab data-test-tab-example-policy>
+          Example Policy
+        </T.Tab>
+
+        <T.Panel>
+          <PolicyForm @onSave={{@onSave}} @form={{@form}} @onCancel={{@onCancel}} @isCompact={{true}} />
+        </T.Panel>
+        <T.Panel class="has-top-padding-m">
+          <PolicyExample @policyType={{@form.policyType}} />
+        </T.Panel>
+      </Hds::Tabs>
+    {{else}}
+      <Select
+        @name="policyType"
+        @label="Type"
+        @options={{this.policyOptions}}
+        @isFullwidth={{true}}
+        @selectedValue={{@form.policyType}}
+        @onChange={{fn (mut @form.policyType)}}
+        @noDefault={{true}}
+        data-test-type-select
+      />
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+        <A.Header @title="No policy type selected" @titleTag="h2" data-test-empty-state-title />
+        <A.Body @text="Select a policy type to continue creating." data-test-empty-state-message />
+      </Hds::ApplicationState>
+    {{/if}}
+  </M.Body>
+</Hds::Modal>
\ No newline at end of file
diff --git a/ui/app/components/policy-form-modal.ts b/ui/app/components/policy-form-modal.ts
new file mode 100644
index 0000000000..962d8f486e
--- /dev/null
+++ b/ui/app/components/policy-form-modal.ts
@@ -0,0 +1,32 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { service } from '@ember/service';
+import { tracked } from '@glimmer/tracking';
+
+import type ApiService from 'vault/services/api';
+import type VersionService from 'vault/services/version';
+import type PolicyForm from 'vault/forms/policy';
+
+interface Args {
+  form: PolicyForm;
+  onSave(data: PolicyForm['data']): void;
+  onCancel(): void;
+}
+
+export default class PolicyTemplate extends Component<Args> {
+  @service declare readonly api: ApiService;
+  @service declare readonly version: VersionService;
+
+  @tracked form = null; // form class passed to policy-form
+
+  get policyOptions() {
+    return [
+      { label: 'ACL Policy', value: 'acl', isDisabled: false },
+      { label: 'Role Governing Policy', value: 'rgp', isDisabled: !this.version.hasSentinel },
+    ];
+  }
+}
diff --git a/ui/app/components/policy-form.hbs b/ui/app/components/policy-form.hbs
index 5c6e60e8d0..3596063036 100644
--- a/ui/app/components/policy-form.hbs
+++ b/ui/app/components/policy-form.hbs
@@ -2,15 +2,14 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-
-<NamespaceReminder @mode={{if @model.isNew "create" "edit"}} @noun="policy" />
+<NamespaceReminder @mode={{if @form.isNew "create" "edit"}} @noun="policy" />
 
 <Hds::Form {{on "submit" (perform this.save)}} data-test-policy-form class="has-bottom-margin-xs" as |FORM|>
   <FORM.Section @isFullWidth={{true}}>
-    <MessageError @errorMessage={{this.errorBanner}} />
+    <MessageError @errorMessage={{this.errorBanner}} @errorDetails={{this.errorDetails}} />
   </FORM.Section>
 
-  {{#if @model.isNew}}
+  {{#if @form.isNew}}
     <FORM.Section @isFullWidth={{true}} as |FS|>
       <FS.Header as |FSH|>
         <FSH.Title @tag="h2">
@@ -34,7 +33,8 @@
       {{else}}
         <Hds::Form::TextInput::Field
           name="name"
-          @value={{lowercase @model.name}}
+          @value={{lowercase @form.data.name}}
+          @isRequired={{true}}
           placeholder="Enter the policy name"
           autocomplete="off"
           spellcheck="false"
@@ -50,7 +50,7 @@
 
   {{#unless this.showFileUpload}}
     <FORM.Section @isFullWidth={{true}} as |FS|>
-      {{#if @model.isNew}}
+      {{#if @form.isNew}}
         <FS.Header @tag="h3" data-test-form-header="Policy rules" as |FSH|>
           <FSH.Title>Policy rules</FSH.Title>
 
@@ -84,15 +84,16 @@
 
       {{#if (and (this.isActiveEditor "visual") this.visualEditorSupported)}}
         <CodeGenerator::Policy::Builder
-          @policyName={{@model.name}}
+          @policyName={{@form.data.name}}
           @onPolicyChange={{this.handlePolicyChange}}
           @stanzas={{this.stanzas}}
+          @renderValidations={{if (this.validationError "stanzas") true false}}
           data-test-field="visual editor"
         />
       {{else}}
         <JsonEditor
           @title="Policy editor"
-          @value={{@model.policy}}
+          @value={{@form.data.policy}}
           @valueUpdated={{this.setPolicy}}
           @mode="hcl"
           @extraKeys={{hash Shift-Enter=(perform this.save)}}
@@ -114,16 +115,16 @@
     </FORM.Section>
   {{/unless}}
 
-  {{#if @model.additionalAttrs}}
+  {{#if @form.additionalFields}}
     <FORM.Section @isFullWidth={{true}}>
-      {{#each @model.additionalAttrs as |attr|}}
-        <FormField @attr={{attr}} @model={{@model}} />
+      {{#each @form.additionalFields as |attr|}}
+        <FormField @attr={{attr}} @model={{@form}} />
       {{/each}}
     </FORM.Section>
   {{/if}}
 
   {{! Automation snippets are currently only supported for ACL policies }}
-  {{#if (and (eq @model.policyType "acl") (not @isCompact))}}
+  {{#if (and (eq @form.policyType "acl") (not @isCompact))}}
     <FORM.Separator />
 
     <FORM.Section @isFullWidth={{true}}>
@@ -141,7 +142,7 @@
   <FORM.Footer as |FF|>
     <FF.ButtonSet>
       <Hds::Button
-        @text={{if @model.isNew "Create policy" "Save"}}
+        @text={{if @form.isNew "Create policy" "Save"}}
         @icon={{if this.save.isRunning "loading"}}
         type="submit"
         disabled={{this.save.isRunning}}
@@ -151,7 +152,7 @@
         @text="Cancel"
         @color="secondary"
         disabled={{this.save.isRunning}}
-        {{on "click" this.cancel}}
+        {{on "click" @onCancel}}
         data-test-cancel
       />
     </FF.ButtonSet>
@@ -169,11 +170,11 @@
   >
     <M.Header data-test-modal-header="Example policy">
       Example
-      {{uppercase @model.policyType}}
+      {{uppercase @form.policyType}}
       Policy
     </M.Header>
     <M.Body>
-      <PolicyExample @policyType={{@model.policyType}} />
+      <PolicyExample @policyType={{@form.policyType}} />
     </M.Body>
     <M.Footer as |F|>
       <Hds::Button @text="Close" {{on "click" F.close}} data-test-modal-close-button />
diff --git a/ui/app/components/policy-form.ts b/ui/app/components/policy-form.ts
index 9e1a3fc61b..36cc9ccd5d 100644
--- a/ui/app/components/policy-form.ts
+++ b/ui/app/components/policy-form.ts
@@ -15,12 +15,14 @@ import {
   PolicyStanza,
   PolicyTypes,
 } from 'core/utils/code-generators/policy';
-import errorMessage from 'vault/utils/error-message';
+import { validate } from 'vault/utils/forms/validate';
 
 import type FlashMessageService from 'ember-cli-flash/services/flash-messages';
 import type { HTMLElementEvent } from 'vault/forms';
 import type { PolicyData } from 'core/components/code-generator/policy/builder';
-import type { FormField } from 'vault/vault/app-types';
+import type { ValidationMap, Validations } from 'vault/vault/app-types';
+import ApiService from 'vault/services/api';
+import PolicyForm from 'vault/forms/policy';
 
 /**
  * @module PolicyForm
@@ -28,7 +30,7 @@ import type { FormField } from 'vault/vault/app-types';
  *
  * @example
  *  <PolicyForm
- *    @model={{this.model}}
+ *    @form={{this.form}}
  *    @onSave={{transition-to "vault.cluster.policy.show" this.model.policyType this.model.name}}
  *    @onCancel={{transition-to "vault.cluster.policies.index"}}
  *    @isCompact={{false}}
@@ -36,7 +38,7 @@ import type { FormField } from 'vault/vault/app-types';
  * ```
  * @callback onCancel - callback triggered when cancel button is clicked
  * @callback onSave - callback triggered when save button is clicked. Passes saved model
- * @param {object} model - ember data model from createRecord
+ * @param {object} form - policy form class
  * @param {boolean} isCompact - renders a compact version of the form component, such as when rendering in a modal (see policy-template.hbs)
  */
 
@@ -45,61 +47,73 @@ enum EditorTypes {
   VISUAL = 'visual',
 }
 
-interface PolicyModel {
-  name: string;
-  policy: string;
-  policyType: PolicyTypes;
-  isNew: boolean;
-  additionalAttrs?: FormField[]; // Only exist for "rgp" and "egp" policy types
-  save: () => Promise<void>;
-  unloadRecord: () => void;
-  rollbackAttributes: () => void;
-}
-
 interface Args {
   onCancel: () => void;
-  onSave: (model: PolicyModel) => void;
-  model: PolicyModel;
+  onSave: (model: PolicyForm['data']) => void;
+  form: PolicyForm;
+  policyType: PolicyTypes;
   isCompact?: boolean;
 }
 
 export default class PolicyFormComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
+  @service declare readonly api: ApiService;
 
   editTypes = { [EditorTypes.VISUAL]: 'Visual editor', [EditorTypes.CODE]: 'Code editor' } as const;
+  validations: Validations = {
+    stanzas: [
+      {
+        validator: ({ stanzas }) =>
+          stanzas.length > 0 && stanzas.every((stanza: PolicyStanza) => stanza.isValid),
+        message: 'Invalid policy content.',
+      },
+    ],
+  };
 
   @tracked editType: EditorTypes = EditorTypes.VISUAL;
   @tracked errorBanner = '';
+  @tracked errorDetails: string[] = [];
   @tracked showFileUpload = false;
   @tracked showSwitchEditorsModal = false;
   @tracked showTemplateModal = false;
   @tracked stanzas: PolicyStanza[] = [new PolicyStanza()];
+  @tracked validationErrors: ValidationMap | null = null;
 
   constructor(owner: unknown, args: Args) {
     super(owner, args);
     // Only ACL policies support the visual editor
-    this.editType = this.args.model.policyType === PolicyTypes.ACL ? EditorTypes.VISUAL : EditorTypes.CODE;
+    this.editType = this.args.form.policyType === PolicyTypes.ACL ? EditorTypes.VISUAL : EditorTypes.CODE;
   }
 
+  // Template helpers
   isActiveEditor = (type: string): boolean => type === this.editType;
 
+  validationError = (param: string) => {
+    const { isValid, errors } = this.validationErrors?.[param] ?? {};
+    return !isValid && errors ? errors.join(' ') : '';
+  };
+
+  get formattedStanzas() {
+    return formatStanzas(this.stanzas);
+  }
+
   get hasPolicyDiff() {
-    const { policy } = this.args.model;
+    const { policy } = this.args.form.data;
     // Make sure policy has a value (if it's undefined, neither editor has been used)
     // Return true if there is a difference between stanzas and policy arg
     // which means the user has made changes using the code editor
-    return policy && formatStanzas(this.stanzas) !== policy;
+    return policy && this.formattedStanzas !== policy;
   }
 
   get snippetArgs() {
-    const policyName = this.args.model.name || '<policy name>';
-    const policy = formatStanzas(this.stanzas);
+    const policyName = this.args.form.data.name || '<policy name>';
+    const policy = this.formattedStanzas;
     return policySnippetArgs(policyName, policy);
   }
 
   get visualEditorSupported() {
-    const { model, isCompact } = this.args;
-    return model.isNew && model.policyType === PolicyTypes.ACL && !isCompact;
+    const { form, isCompact } = this.args;
+    return form.isNew && form.policyType === PolicyTypes.ACL && !isCompact;
   }
 
   @action
@@ -108,7 +122,7 @@ export default class PolicyFormComponent extends Component<Args> {
     this.editType = EditorTypes.VISUAL;
     this.showSwitchEditorsModal = false;
     // Reset this.args.model.policy to match visual editor stanzas
-    this.setPolicy(formatStanzas(this.stanzas));
+    this.setPolicy(this.formattedStanzas);
   }
 
   @action
@@ -118,9 +132,10 @@ export default class PolicyFormComponent extends Component<Args> {
   }
 
   @action
-  handlePolicyChange({ policy, stanzas }: PolicyData) {
-    this.setPolicy(policy);
+  handlePolicyChange({ stanzas }: PolicyData) {
+    // Update tracked stanzas first, then pass formatted policy back to model
     this.stanzas = stanzas;
+    this.setPolicy(this.formattedStanzas);
   }
 
   @action
@@ -146,28 +161,67 @@ export default class PolicyFormComponent extends Component<Args> {
   @task
   *save(event: HTMLElementEvent<HTMLFormElement>) {
     event.preventDefault();
+
+    // Name is intentionally not validated here because the input has @isRequired=true
+    // which prevents the submit event all together when it is empty.
+    const { isValid, state } = validate({ stanzas: this.stanzas }, this.validations);
+    // Only enforce stanza validations for the Visual Editor
+    const shouldValidate = this.visualEditorSupported && this.editType === EditorTypes.VISUAL;
+    if (!isValid && shouldValidate) {
+      this.validationErrors = state;
+      this.errorDetails = Object.values(state).flatMap((s) => s.errors);
+      // Render general error message instead of exact count from validate() because
+      // stanzas (which are validated as a single input) can have up to 2 errors each.
+      const msg = this.errorDetails.length > 1 ? 'are errors' : 'is an error';
+      this.errorBanner = `There ${msg} with this form.`;
+      // Abort saving
+      return;
+    }
     try {
-      const { name, policyType, isNew } = this.args.model;
-      yield this.args.model.save();
+      const policyType = this.args.form.policyType;
+      const { data } = this.args.form.toJSON();
+      // remove enforcement from acl
+      if (policyType === 'acl') {
+        delete data.enforcement_level;
+      }
+
+      if (policyType === 'acl') {
+        yield this.api.sys.policiesWriteAclPolicy(data.name, { policy: data.policy });
+      } else if (policyType === 'egp') {
+        yield this.api.sys.systemWritePoliciesEgpName(data.name, {
+          policy: data.policy,
+          enforcement_level: data.enforcement_level,
+          paths: data.paths,
+        });
+      } else {
+        yield this.api.sys.systemWritePoliciesRgpName(data.name, {
+          policy: data.policy,
+          enforcement_level: data.enforcement_level,
+        });
+      }
       this.flashMessages.success(
-        `${policyType.toUpperCase()} policy "${name}" was successfully ${isNew ? 'created' : 'updated'}.`
+        `${policyType.toUpperCase()} policy "${data.name}" was successfully ${
+          this.args.form.isNew ? 'created' : 'updated'
+        }.`
       );
-      this.args.onSave(this.args.model);
+
+      this.args.onSave(data);
     } catch (error) {
-      this.errorBanner = errorMessage(error);
+      const { message } = yield this.api.parseError(error);
+      this.errorBanner = message;
     }
   }
 
   @action
   setName(name: string) {
-    this.args.model.name = name.toLowerCase();
+    this.args.form.data.name = name.toLowerCase();
   }
 
   @action
   setPolicyFromFile(fileInfo: { value: string; filename: string }) {
     const { value, filename } = fileInfo;
     this.setPolicy(value);
-    if (!this.args.model.name) {
+    if (!this.args.form.data.name) {
       const trimmedFileName = trimRight(filename, ['.json', '.txt', '.hcl', '.policy']);
       this.setName(trimmedFileName);
     }
@@ -178,13 +232,6 @@ export default class PolicyFormComponent extends Component<Args> {
 
   @action
   setPolicy(policy: string) {
-    this.args.model.policy = policy;
-  }
-
-  @action
-  cancel() {
-    const method = this.args.model.isNew ? 'unloadRecord' : 'rollbackAttributes';
-    this.args.model[method]();
-    this.args.onCancel();
+    this.args.form.data.policy = policy;
   }
 }
diff --git a/ui/app/components/recovery/page/header.hbs b/ui/app/components/recovery/page/header.hbs
deleted file mode 100644
index 5b78b4b196..0000000000
--- a/ui/app/components/recovery/page/header.hbs
+++ /dev/null
@@ -1,29 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<Page::Header @title={{@title}} @subtitle={{@subtitle}}>
-  <:breadcrumbs>
-    {{#if @breadcrumbs}}
-      <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
-    {{/if}}
-  </:breadcrumbs>
-  <:badges>
-    {{#if this.version.isCommunity}}
-      <Hds::Badge @text="Enterprise" @color="highlight" data-test-badge="enterprise" />
-    {{/if}}
-  </:badges>
-  <:actions>
-    {{#if @action}}
-      <Hds::Button
-        @text={{@action.text}}
-        @icon={{@action.icon}}
-        @iconPosition={{@action.iconPosition}}
-        @color={{@action.color}}
-        @route={{@action.route}}
-        @models={{@action.models}}
-      />
-    {{/if}}
-  </:actions>
-</Page::Header>
\ No newline at end of file
diff --git a/ui/app/components/recovery/page/header.ts b/ui/app/components/recovery/page/header.ts
deleted file mode 100644
index 277bf9f213..0000000000
--- a/ui/app/components/recovery/page/header.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { service } from '@ember/service';
-import type VersionService from 'vault/services/version';
-
-interface Args {
-  title: string;
-  subtitle?: string;
-  action?: unknown;
-}
-
-export default class Header extends Component<Args> {
-  @service declare readonly version: VersionService;
-}
diff --git a/ui/app/components/recovery/page/snapshots.hbs b/ui/app/components/recovery/page/snapshots.hbs
index ee33f2eb40..8587cf27cd 100644
--- a/ui/app/components/recovery/page/snapshots.hbs
+++ b/ui/app/components/recovery/page/snapshots.hbs
@@ -3,17 +3,26 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Recovery::Page::Header
-  @title="Secrets recovery"
-  @subtitle="Recover lost or deleted data from a raft snapshot. Supported data includes KV v1 and Cubbyhole secrets or Database static roles."
-  @breadcrumbs={{@breadcrumbs}}
-/>
+<Page::Header @title="Secrets recovery">
+  <:breadcrumbs>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </:breadcrumbs>
+  <:badges>
+    {{#if @model.showCommunityMessage}}
+      <Hds::Badge @text="Enterprise" @color="highlight" data-test-badge="enterprise" />
+    {{/if}}
+  </:badges>
+  <:description>
+    Restore specific secrets from cluster snapshots without impacting the availability of the active Vault cluster.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/recover-secrets"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
+</Page::Header>
 
 {{#if @model.snapshots.showRaftStorageMessage}}
-  <hr class="has-background-gray-300" />
-
-  <Hds::ApplicationState as |A|>
-    <A.Header @title="Raft storage required" @icon="info" data-test-empty-state-title />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="Raft storage required" @icon="info" @titleTag="h2" data-test-empty-state-title />
     <A.Body @text="Raft storage must be used in order to recover data from a snapshot." data-test-empty-state-message />
     <A.Footer data-test-empty-state-actions as |F|>
       <F.LinkStandalone
@@ -27,41 +36,53 @@
   </Hds::ApplicationState>
 {{else}}
   {{#if @model.showCommunityMessage}}
-    <EmptyState
-      @title="Secrets Recovery is an enterprise feature"
-      @icon="sync-reverse"
-      @message="Secrets Recovery allows you to restore accidentally deleted or lost secrets from a snapshot. The snapshots can be provided via upload or loaded from external storage."
-    >
-      <Hds::Button
-        @text="Learn more about upgrading"
-        @color="tertiary"
-        @icon="docs-link"
-        @iconPosition="trailing"
-        @href={{doc-link "/vault/docs/enterprise"}}
-        @isHrefExternal={{true}}
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="Secrets Recovery is an enterprise feature"
+        @icon="sync-reverse"
+        @titleTag="h2"
+        data-test-empty-state-title
       />
-    </EmptyState>
+      <A.Body
+        @text="Secrets Recovery allows you to restore accidentally deleted or lost secrets from a snapshot. The snapshots can be provided via upload or loaded from external storage."
+        data-test-empty-state-message
+      />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @text="Learn more about upgrading"
+          @icon="docs-link"
+          @iconPosition="trailing"
+          @href={{doc-link "/vault/docs/enterprise"}}
+          @isHrefExternal={{true}}
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
   {{else if (not @model.snapshots)}}
     {{! Currently, only a single snapshot is supported and the UI automatically redirects users to "recovery.snapshots.snapshot.manage" if one exists.
   In the future, this may change to support multiple loaded snapshots and a LIST view will be built then. }}
     {{#let (get this.emptyStateDetails this.state) as |d|}}
-      <EmptyState @title={{d.title}} @icon={{d.icon}} @message={{d.message}}>
+      <Hds::Separator />
 
-        {{#if (eq this.state this.viewState.ALLOW_UPLOAD)}}
-          <Hds::Button @text={{d.buttonText}} @color={{d.buttonColor}} @route="vault.cluster.recovery.snapshots.load" />
-        {{else}}
-          <Hds::Button
-            @text={{d.buttonText}}
-            @color={{d.buttonColor}}
-            @icon={{d.buttonIcon}}
-            @iconPosition="trailing"
-            @route={{d.buttonRoute}}
-            @query={{if d.buttonRoute (hash namespace="")}}
-            @href={{doc-link d.buttonHref}}
-            @isHrefExternal={{if d.buttonHref true}}
-          />
-        {{/if}}
-      </EmptyState>
+      <Hds::ApplicationState class="is-marginless" as |A|>
+        <A.Header @title={{d.title}} @icon={{d.icon}} @titleTag="h2" data-test-empty-state-title />
+        <A.Body @text={{d.message}} data-test-empty-state-message />
+        <A.Footer data-test-empty-state-actions as |F|>
+          {{#if (eq this.state this.viewState.ALLOW_UPLOAD)}}
+            <F.Button @text={{d.buttonText}} @color={{d.buttonColor}} @route="vault.cluster.recovery.snapshots.load" />
+          {{else}}
+            <F.Button
+              @text={{d.buttonText}}
+              @color={{d.buttonColor}}
+              @icon={{d.buttonIcon}}
+              @iconPosition="trailing"
+              @route={{d.buttonRoute}}
+              @query={{if d.buttonRoute (hash namespace="")}}
+              @href={{doc-link d.buttonHref}}
+              @isHrefExternal={{if d.buttonHref true}}
+            />
+          {{/if}}
+        </A.Footer>
+      </Hds::ApplicationState>
     {{/let}}
   {{/if}}
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/recovery/page/snapshots/load.hbs b/ui/app/components/recovery/page/snapshots/load.hbs
index f8d530c6f4..9fa82dcacc 100644
--- a/ui/app/components/recovery/page/snapshots/load.hbs
+++ b/ui/app/components/recovery/page/snapshots/load.hbs
@@ -3,7 +3,11 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Recovery::Page::Header @title="Upload snapshot" @breadcrumbs={{@breadcrumbs}} />
+<Page::Header @title="Upload snapshot">
+  <:breadcrumbs>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </:breadcrumbs>
+</Page::Header>
 
 {{#if this.bannerError}}
   <div class="has-top-padding-m has-bottom-padding-m">
diff --git a/ui/app/components/recovery/page/snapshots/snapshot-details.hbs b/ui/app/components/recovery/page/snapshots/snapshot-details.hbs
index a713e94212..a88c7d24dc 100644
--- a/ui/app/components/recovery/page/snapshots/snapshot-details.hbs
+++ b/ui/app/components/recovery/page/snapshots/snapshot-details.hbs
@@ -3,19 +3,27 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Recovery::Page::Header
-  @title="Secrets recovery"
-  @subtitle="Recover lost or deleted data from a raft snapshot. Supported data includes KV v1 and Cubbyhole secrets or Database static roles."
-  @action={{(hash
-    text="Recover secrets"
-    icon="reload"
-    iconPosition="leading"
-    color="primary"
-    route="vault.cluster.recovery.snapshots.snapshot.manage"
-    models=(array @model.snapshot.snapshot_id)
-  )}}
-  @breadcrumbs={{@breadcrumbs}}
-/>
+<Page::Header @title="Secrets recovery">
+  <:breadcrumbs>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </:breadcrumbs>
+  <:description>
+    Restore specific secrets from cluster snapshots without impacting the availability of the active Vault cluster.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/recover-secrets"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
+  <:actions>
+    <Hds::Button
+      @text="Recover secrets"
+      @icon="reload"
+      @iconPosition="leading"
+      @color="primary"
+      @route="vault.cluster.recovery.snapshots.snapshot.manage"
+      @models={{(array @model.snapshot.snapshot_id)}}
+    />
+  </:actions>
+</Page::Header>
 
 <Hds::Table data-test-table="details">
   <:head as |H|>
diff --git a/ui/app/components/recovery/page/snapshots/snapshot-manage.hbs b/ui/app/components/recovery/page/snapshots/snapshot-manage.hbs
index 8a0489b571..a9a76d4e6c 100644
--- a/ui/app/components/recovery/page/snapshots/snapshot-manage.hbs
+++ b/ui/app/components/recovery/page/snapshots/snapshot-manage.hbs
@@ -3,11 +3,17 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Recovery::Page::Header
-  @title="Secrets recovery"
-  @subtitle="Recover lost or deleted data from a raft snapshot. Supported data includes KV v1 and Cubbyhole secrets or Database static roles."
-  @breadcrumbs={{@breadcrumbs}}
-/>
+<Page::Header @title="Secrets recovery">
+  <:breadcrumbs>
+    <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
+  </:breadcrumbs>
+  <:description>
+    Restore specific secrets from cluster snapshots without impacting the availability of the active Vault cluster.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/recover-secrets"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
+</Page::Header>
 
 {{#let @model.snapshot as |snapshot|}}
   <Hds::Card::Container
@@ -32,8 +38,6 @@
   </Hds::Card::Container>
 {{/let}}
 
-<hr class="has-background-gray-300" />
-
 <Hds::Text::Display @tag="h3" class="has-top-padding-m has-bottom-margin-l">Recover or read data</Hds::Text::Display>
 {{#if this.recoveryData}}
   <Hds::Alert @type="inline" @color="success" class="has-top-margin-m has-bottom-margin-m" data-test-inline-alert as |A|>
diff --git a/ui/app/components/recovery/page/snapshots/snapshot-manage.ts b/ui/app/components/recovery/page/snapshots/snapshot-manage.ts
index 656054826d..55ffb97099 100644
--- a/ui/app/components/recovery/page/snapshots/snapshot-manage.ts
+++ b/ui/app/components/recovery/page/snapshots/snapshot-manage.ts
@@ -11,7 +11,7 @@ import { restartableTask } from 'ember-concurrency';
 import { sanitizePath } from 'core/utils/sanitize-path';
 import SecretsEngineResource, { RecoverySupportedEngines } from 'vault/resources/secrets/engine';
 import { SupportedSecretBackendsEnum } from 'vault/helpers/supported-secret-backends';
-import { ROOT_NAMESPACE } from 'vault/services/namespace';
+import { ROOT_NAMESPACE } from 'vault/utils/constants/namespace';
 import {
   createPollingTask,
   getSnapshotStatusBadge,
diff --git a/ui/app/components/recovery/page/snapshots/snapshot-utils.ts b/ui/app/components/recovery/page/snapshots/snapshot-utils.ts
index 595528fb29..158a7d830c 100644
--- a/ui/app/components/recovery/page/snapshots/snapshot-utils.ts
+++ b/ui/app/components/recovery/page/snapshots/snapshot-utils.ts
@@ -5,7 +5,7 @@
 import Ember from 'ember';
 import { timeout } from 'ember-concurrency';
 
-import { ROOT_NAMESPACE } from 'vault/services/namespace';
+import { ROOT_NAMESPACE } from 'vault/utils/constants/namespace';
 
 import type ApiService from 'vault/services/api';
 
diff --git a/ui/app/components/role-aws-edit.hbs b/ui/app/components/role-aws-edit.hbs
index d7adce185b..a6e2bc4f34 100644
--- a/ui/app/components/role-aws-edit.hbs
+++ b/ui/app/components/role-aws-edit.hbs
@@ -9,7 +9,7 @@
       @baseKey={{this.model}}
       @path="vault.cluster.secrets.backend.list"
       @mode={{this.mode}}
-      @root={{this.root}}
+      @root={{this.breadcrumbs}}
       @showCurrent={{true}}
     />
   </:breadcrumbs>
diff --git a/ui/app/components/role-aws-edit.js b/ui/app/components/role-aws-edit.js
index f7bb51db2c..ad29352d14 100644
--- a/ui/app/components/role-aws-edit.js
+++ b/ui/app/components/role-aws-edit.js
@@ -10,6 +10,15 @@ import { computed } from '@ember/object';
 const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
 
 export default RoleEdit.extend({
+  breadcrumbs: computed('root', 'title', function () {
+    return [
+      { label: 'Vault', text: 'Vault', icon: 'vault', path: 'vault.cluster.dashboard' },
+      { text: 'Secrets engines', path: 'vault.cluster.secrets.backends' },
+      this.root,
+      { label: this.title, text: this.title },
+    ];
+  }),
+
   title: computed('mode', function () {
     if (this.mode === 'create') {
       return 'Create an AWS Role';
diff --git a/ui/app/components/role-ssh-edit.hbs b/ui/app/components/role-ssh-edit.hbs
index 4aea89fb62..7a327f8c15 100644
--- a/ui/app/components/role-ssh-edit.hbs
+++ b/ui/app/components/role-ssh-edit.hbs
@@ -6,10 +6,10 @@
 <Page::Header @title={{this.title}} @subtitle={{this.subtitle}}>
   <:breadcrumbs>
     <KeyValueHeader
-      @baseKey={{this.model}}
+      @baseKey={{@form}}
       @path="vault.cluster.secrets.backend.list"
       @mode={{this.mode}}
-      @root={{this.root}}
+      @root={{this.breadcrumbs}}
       @showCurrent={{true}}
     />
   </:breadcrumbs>
@@ -18,7 +18,7 @@
 {{#if (eq this.mode "show")}}
   <Toolbar>
     <ToolbarActions>
-      {{#if this.model.canDelete}}
+      {{#if @capabilities.canDelete}}
         <ConfirmAction
           @buttonText="Delete role"
           class="toolbar-button"
@@ -27,17 +27,17 @@
         />
         <div class="toolbar-separator"></div>
       {{/if}}
-      {{#if (eq this.model.keyType "otp")}}
-        <ToolbarSecretLink @secret={{this.model.id}} @mode="credentials" data-test-backend-credentials @replace={{true}}>
+      {{#if (eq @form.data.key_type "otp")}}
+        <ToolbarSecretLink @secret={{@form.data.name}} @mode="credentials" data-test-backend-credentials @replace={{true}}>
           Generate Credential
         </ToolbarSecretLink>
       {{else}}
-        <ToolbarSecretLink @secret={{this.model.id}} @mode="sign" data-test-backend-credentials @replace={{true}}>
+        <ToolbarSecretLink @secret={{@form.data.name}} @mode="sign" data-test-backend-credentials @replace={{true}}>
           Sign Keys
         </ToolbarSecretLink>
       {{/if}}
-      {{#if (or this.model.canUpdate this.model.canDelete)}}
-        <ToolbarSecretLink @secret={{this.model.id}} @mode="edit" data-test-edit-link={{true}} @replace={{true}}>
+      {{#if (or @capabilities.canUpdate @capabilities.canDelete)}}
+        <ToolbarSecretLink @secret={{@form.data.name}} @mode="edit" data-test-edit-link={{true}} @replace={{true}}>
           Edit role
         </ToolbarSecretLink>
       {{/if}}
@@ -48,9 +48,8 @@
 {{#if (or (eq this.mode "edit") (eq this.mode "create"))}}
   <form onsubmit={{action "createOrUpdate" "create"}}>
     <div class="box is-sideless is-fullwidth is-marginless">
-      <MessageError @model={{this.model}} />
       <NamespaceReminder @mode={{this.mode}} @noun="SSH role" />
-      <FormFieldGroupsLoop @model={{this.model}} @mode={{this.mode}} />
+      <FormFieldGroupsLoop @model={{@form}} @mode={{this.mode}} />
     </div>
     <div class="field is-grouped-split box is-fullwidth is-bottomless">
       <Hds::ButtonSet>
@@ -60,7 +59,7 @@
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.list-root"
-            @model={{this.model.backend}}
+            @model={{@form.data.backend}}
             @query={{hash tab="role"}}
           />
         {{else}}
@@ -68,7 +67,7 @@
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.show"
-            @models={{array this.model.backend this.model.id}}
+            @models={{array @form.data.backend @form.data.name}}
           />
         {{/if}}
       </Hds::ButtonSet>
@@ -76,18 +75,14 @@
   </form>
 {{else}}
   <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-    {{#each this.model.showFields as |attr|}}
-      {{#if (eq attr.type "object")}}
+    {{#each this.displayFields as |field|}}
+      {{#let (get @form field.name) as |value|}}
         <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{stringify (get this.model attr.name)}}
+          @label={{capitalize (or field.options.label (humanize (dasherize field.name)))}}
+          @value={{if (eq field.type "object") (stringify value) value}}
+          @formatTtl={{eq field.options.editType "ttl"}}
         />
-      {{else}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get this.model attr.name}}
-        />
-      {{/if}}
+      {{/let}}
     {{/each}}
   </div>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/role-ssh-edit.js b/ui/app/components/role-ssh-edit.js
index 091141cfd9..4dcc1ca022 100644
--- a/ui/app/components/role-ssh-edit.js
+++ b/ui/app/components/role-ssh-edit.js
@@ -3,14 +3,30 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import RoleEdit from './role-edit';
+import Component from '@ember/component';
+import { service } from '@ember/service';
 import { computed } from '@ember/object';
+import { isBlank } from '@ember/utils';
 
-export default RoleEdit.extend({
-  init() {
-    this._super(...arguments);
-    this.set('backendType', 'ssh');
-  },
+const LIST_ROOT_ROUTE = 'vault.cluster.secrets.backend.list-root';
+const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
+
+export default Component.extend({
+  api: service(),
+  router: service(),
+  flashMessages: service(),
+
+  mode: null,
+  form: null,
+
+  breadcrumbs: computed('root', 'title', function () {
+    return [
+      { label: 'Vault', text: 'Vault', icon: 'vault', path: 'vault.cluster.dashboard' },
+      { text: 'Secrets engines', path: 'vault.cluster.secrets.backends' },
+      this.root,
+      { label: this.title, text: this.title },
+    ];
+  }),
 
   title: computed('mode', function () {
     if (this.mode === 'create') {
@@ -22,17 +38,51 @@ export default RoleEdit.extend({
     }
   }),
 
-  subtitle: computed('mode', 'model.id', function () {
+  subtitle: computed('mode', 'form.name', function () {
     if (this.mode === 'create' || this.mode === 'edit') return;
+    return this.form.name;
+  }),
 
-    return this.model.id;
+  displayFields: computed('form.{data.key_type,displayFields}', function () {
+    return this.form?.displayFields ?? [];
   }),
 
   actions: {
+    async createOrUpdate(type, event) {
+      event.preventDefault();
+
+      const { form } = this;
+      const { name, backend, ...roleData } = form.data;
+
+      if (type === 'create' && isBlank(name)) {
+        this.flashMessages.danger('Role name is required');
+        return;
+      }
+
+      try {
+        await this.api.secrets.sshWriteRole(name, backend, roleData);
+        this.router.transitionTo(SHOW_ROUTE, name);
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.flashMessages.danger(message);
+      }
+    },
+
+    async delete() {
+      const { form } = this;
+      const { name, backend } = form.data;
+
+      try {
+        await this.api.secrets.sshDeleteRole(name, backend);
+        this.router.transitionTo(LIST_ROOT_ROUTE);
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.flashMessages.danger(message);
+      }
+    },
+
     updateTtl(path, val) {
-      const model = this.model;
-      const valueToSet = val.enabled === true ? `${val.seconds}s` : undefined;
-      model.set(path, valueToSet);
+      this.form[path] = val.enabled === true ? `${val.seconds}s` : undefined;
     },
   },
 });
diff --git a/ui/app/components/seal-action.hbs b/ui/app/components/seal-action.hbs
index 1910487459..2494358eca 100644
--- a/ui/app/components/seal-action.hbs
+++ b/ui/app/components/seal-action.hbs
@@ -3,28 +3,10 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<div class="box is-sideless is-fullwidth is-marginless">
-  {{#if this.error}}
-    <Hds::Alert @type="inline" @color="critical" class="has-bottom-margin-m" data-test-seal-error as |A|>
-      <A.Title>Error</A.Title>
-      <A.Description>
-        {{this.error}}
-      </A.Description>
-    </Hds::Alert>
-  {{/if}}
-  <p>
-    Sealing a vault tells the Vault server to stop responding to any access operations until it is unsealed again. A sealed
-    vault throws away its root key to unlock the data, so it physically is blocked from responding to operations again until
-    the Vault is unsealed again with the "unseal" command or via the API.
-  </p>
-</div>
-
-<div class="field is-grouped box is-fullwidth is-bottomless">
-  <ConfirmAction
-    @buttonText="Seal"
-    @confirmTitle="Seal this cluster?"
-    @confirmMessage="You will not be able to read or write any data until the cluster is unsealed again."
-    @onConfirmAction={{this.handleSeal}}
-    data-test-seal
-  />
-</div>
\ No newline at end of file
+<ConfirmAction
+  @buttonText="Seal"
+  @confirmTitle="Seal this cluster?"
+  @confirmMessage="You will not be able to read or write any data until the cluster is unsealed again."
+  @onConfirmAction={{this.handleSeal}}
+  data-test-button="Seal"
+/>
\ No newline at end of file
diff --git a/ui/app/components/seal-action.js b/ui/app/components/seal-action.js
deleted file mode 100644
index b59e81c989..0000000000
--- a/ui/app/components/seal-action.js
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { action } from '@ember/object';
-import Component from '@glimmer/component';
-import { tracked } from '@glimmer/tracking';
-import errorMessage from 'vault/utils/error-message';
-
-export default class SealActionComponent extends Component {
-  @tracked error;
-
-  @action
-  async handleSeal() {
-    try {
-      await this.args.onSeal();
-    } catch (e) {
-      this.error = errorMessage(e, 'Seal attempt failed. Check Vault logs for details.');
-    }
-  }
-}
diff --git a/ui/app/components/seal-action.ts b/ui/app/components/seal-action.ts
new file mode 100644
index 0000000000..bdb2520ba1
--- /dev/null
+++ b/ui/app/components/seal-action.ts
@@ -0,0 +1,33 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { action } from '@ember/object';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+
+import type ApiService from 'vault/services/api';
+import type FlashMessageService from 'vault/services/flash-messages';
+
+interface Args {
+  onSeal: CallableFunction;
+}
+
+export default class SealActionComponent extends Component<Args> {
+  @service declare readonly api: ApiService;
+  @service declare readonly flashMessages: FlashMessageService;
+
+  @action
+  async handleSeal() {
+    try {
+      await this.args.onSeal();
+    } catch (error) {
+      const message = await this.api.parseError(error, 'Check Vault logs for details.');
+
+      this.flashMessages.danger(message.message, {
+        title: 'Seal attempt failed',
+      });
+    }
+  }
+}
diff --git a/ui/app/components/secret-edit.hbs b/ui/app/components/secret-edit.hbs
index 08022cdff7..502b348e67 100644
--- a/ui/app/components/secret-edit.hbs
+++ b/ui/app/components/secret-edit.hbs
@@ -4,13 +4,13 @@
 }}
 
 <div {{did-insert this.createKvData @model}}>
-  <Page::Header @title={{if (eq @mode "create") "Create Secret" (if (eq @mode "edit") "Edit Secret" @key.id)}}>
+  <Page::Header @title={{this.title}}>
     <:breadcrumbs>
       <KeyValueHeader
         @baseKey={{@baseKey}}
         @path="vault.cluster.secrets.backend.list"
         @mode={{@mode}}
-        @root={{@root}}
+        @root={{this.breadcrumbs}}
         @showCurrent={{true}}
       />
     </:breadcrumbs>
@@ -62,7 +62,9 @@
         @showAdvancedMode={{this.showAdvancedMode}}
       />
     {{else}}
-      <EmptyState @title="No secret view was selected" />
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+        <A.Header @title="No secret view was selected" @titleTag="h2" data-test-empty-state-title />
+      </Hds::ApplicationState>
     {{/if}}
   {{/if}}
 </div>
\ No newline at end of file
diff --git a/ui/app/components/secret-edit.js b/ui/app/components/secret-edit.js
index 15233b6db7..bdac6b5fec 100644
--- a/ui/app/components/secret-edit.js
+++ b/ui/app/components/secret-edit.js
@@ -37,6 +37,23 @@ export default class SecretEdit extends Component {
   @tracked secretData = null;
   @tracked editorString = null;
 
+  breadcrumbs = [
+    { label: 'Vault', text: 'Vault', icon: 'vault', path: 'vault.cluster.dashboard' },
+    { text: 'Secrets engines', path: 'vault.cluster.secrets.backends' },
+    this.args.root,
+    { label: this.title, text: this.title },
+  ];
+
+  get title() {
+    if (this.args.mode === 'create') {
+      return 'Create secret';
+    } else if (this.args.mode === 'edit') {
+      return 'Edit secret';
+    } else {
+      return this.args.key.id;
+    }
+  }
+
   // fired on did-insert from render modifier
   @action
   createKvData(elem, [model]) {
diff --git a/ui/app/components/secret-engine/list.hbs b/ui/app/components/secret-engine/list.hbs
index 8232cd1166..db462f1ba3 100644
--- a/ui/app/components/secret-engine/list.hbs
+++ b/ui/app/components/secret-engine/list.hbs
@@ -3,27 +3,28 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header
-  @title="Secrets engines"
-  @subtitle="Secrets engines available in the {{this.namespace.currentNamespace}} namespace of the {{this.version.clusterName}} cluster."
-  @icon="key"
->
+<Page::Header @title="Secrets engines" @icon="key">
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
+  <:description>
+    View and manage your configured secrets engines in the current cluster, ranging from key value store (kv) to dynamic
+    database credentials and more.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/secret-engines"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
   <:actions>
-    {{#unless this.showWizard}}
-      {{#if this.hasOnlyDefaultEngines}}
-        <Hds::Button
-          @color="secondary"
-          @icon="bulb"
-          @text="New to Secret engines?"
-          {{on "click" this.showIntroPage}}
-          data-test-button="intro"
-        />
-      {{/if}}
-      <Hds::Button @text="Enable new engine" @icon="plus" @route="vault.cluster.secrets.enable" data-test-enable-engine />
-    {{/unless}}
+    {{#if this.showIntroButton}}
+      <Hds::Button
+        @color="secondary"
+        @icon="bulb"
+        @text="New to Secret engines?"
+        {{on "click" this.showIntroPage}}
+        data-test-button="intro"
+      />
+    {{/if}}
+    <Hds::Button @text="Enable new engine" @icon="plus" @route="vault.cluster.secrets.enable" data-test-enable-engine />
   </:actions>
 </Page::Header>
 
@@ -32,9 +33,11 @@
     @isIntroModal={{this.shouldRenderIntroModal}}
     @onRefresh={{this.refreshSecretEngineList}}
   />
-{{else}}
+{{/if}}
+
+{{#if this.showContent}}
   {{! Filters section }}
-  <Hds::SegmentedGroup class="has-top-margin-m" as |SG|>
+  <Hds::SegmentedGroup class="top-margin-12" as |SG|>
     <SG.TextInput
       @width="300px"
       @type="search"
@@ -114,110 +117,47 @@
 
   {{! Table Section }}
   {{#if this.sortedDisplayableBackends}}
-    <ListTable
-      class="has-top-margin-xs"
-      @columns={{this.tableColumns}}
-      @selectionKey="path"
-      @data={{this.sortedDisplayableBackends}}
-      @onSelectionChange={{this.updateSelectedItems}}
-    >
-      <:selectedItems>
-        {{#if this.selectedItems}}
-          <Hds::Layout::Flex
-            @gap="8"
-            @direction="row"
-            @justify="end"
-            @align="center"
-            class="has-bottom-margin-s has-top-margin-negative-xxl"
-            @isInline="true"
-          >
-            <Hds::Text::Body role="status" @tag="p" @size="200" @color="foreground-primary">
-              {{this.selectedItems.length}}
-              selected out of
-              {{this.sortedDisplayableBackends.length}}
-            </Hds::Text::Body>
-            <Hds::Button
-              @text="Disable engines"
-              @color="critical"
-              @icon="trash"
-              {{on "click" (fn (mut this.enginesToDisable) this.selectedItems)}}
-            />
-          </Hds::Layout::Flex>
-        {{/if}}
-      </:selectedItems>
+    <ListTable class="has-top-margin-xs" @columns={{this.tableColumns}} @data={{this.sortedDisplayableBackends}}>
       <:customTableItem as |itemData|>
         {{#let (this.getEngineResourceData itemData.path) as |backendData|}}
-          <Hds::TooltipButton
-            aria-label="Type of backend"
-            @text={{this.generateToolTipText backendData}}
-            data-test-tooltip="Backend type"
-            isInline={{true}}
-            class="is-v-centered"
-          >
-            <Hds::Icon @name={{if backendData.icon backendData.icon "lock"}} />
-          </Hds::TooltipButton>
-          {{#if backendData.isSupportedBackend}}
-            <Hds::Link::Inline
-              @route={{backendData.backendLink}}
-              @model={{backendData.id}}
-              @color="secondary"
-              class="has-text-weight-semibold"
-            >{{backendData.path}}</Hds::Link::Inline>
-          {{else}}
-            {{backendData.path}}
+          {{! Only render if we have backendData, so this doesn't try to render while data for the list refreshes }}
+          {{#if backendData}}
+            <Hds::TooltipButton
+              aria-label="Type of backend"
+              @text={{this.generateToolTipText backendData}}
+              data-test-tooltip="Backend type"
+              isInline={{true}}
+              class="is-v-centered"
+            >
+              <Hds::Icon @name={{if backendData.icon backendData.icon "lock"}} />
+            </Hds::TooltipButton>
+            {{#if backendData.isSupportedBackend}}
+              <Hds::Link::Inline
+                @route={{backendData.backendLink}}
+                @model={{backendData.id}}
+                @color="secondary"
+                class="has-text-weight-semibold"
+                data-test-link-to={{itemData.path}}
+              >{{backendData.path}}</Hds::Link::Inline>
+            {{else}}
+              {{backendData.path}}
+            {{/if}}
           {{/if}}
         {{/let}}
       </:customTableItem>
 
       <:popupMenu as |rowData|>
         {{#let (this.getEngineResourceData rowData.path) as |backendData|}}
-          <Hds::Dropdown @isInline={{true}} as |dd|>
-            <dd.ToggleIcon
-              @icon="more-horizontal"
-              @text="{{if backendData.isSupportedBackend 'supported' 'unsupported'}} secrets engine menu"
-              @hasChevron={{false}}
-              data-test-popup-menu-trigger
-            />
-            <dd.Interactive
-              @route={{backendData.backendConfigurationLink}}
-              @model={{backendData.id}}
-              data-test-popup-menu="View configuration"
-              @icon="settings"
-            >View configuration</dd.Interactive>
-            {{#if (not-eq backendData.type "cubbyhole")}}
-              <dd.Interactive
-                @color="critical"
-                {{on "click" (fn (mut this.engineToDisable) backendData)}}
-                data-test-popup-menu="Delete"
-                @icon="trash"
-              >Delete</dd.Interactive>
-            {{/if}}
-          </Hds::Dropdown>
+          {{! Only render if we have backendData, so this doesn't try to render while data for the list refreshes }}
+          {{#if backendData}}
+            <ManageDropdown @model={{backendData}} @variant="icon" @configRoute={{backendData.backendConfigurationLink}} />
+          {{/if}}
         {{/let}}
       </:popupMenu>
     </ListTable>
   {{else}}
-    <EmptyState @title="No Secrets engines found" />
-  {{/if}}
-  {{! End Table Section }}
-
-  {{#if this.engineToDisable}}
-    <ConfirmModal
-      @color="critical"
-      @confirmMessage="Any data in this engine will be permanently deleted."
-      @confirmTitle="Disable engine?"
-      @onClose={{fn (mut this.engineToDisable) null}}
-      @onConfirm={{perform this.disableEngine this.engineToDisable}}
-    />
-  {{/if}}
-
-  {{#if this.enginesToDisable}}
-    <ConfirmModal
-      @color="critical"
-      @confirmMessage="Any data in these engines will be permanently deleted."
-      @confirmTitle="Disable engines?"
-      @onClose={{fn (mut this.enginesToDisable) null}}
-      @onConfirm={{perform this.disableMultipleEngines this.enginesToDisable}}
-    />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No Secrets engines found" @titleTag="h2" data-test-empty-state-title />
+    </Hds::ApplicationState>
   {{/if}}
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/secret-engine/list.ts b/ui/app/components/secret-engine/list.ts
index 54afb8516e..1c39757fab 100644
--- a/ui/app/components/secret-engine/list.ts
+++ b/ui/app/components/secret-engine/list.ts
@@ -3,23 +3,20 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Component from '@glimmer/component';
 import { action } from '@ember/object';
 import { service } from '@ember/service';
+import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
-import { dropTask } from 'ember-concurrency';
 import engineDisplayData from 'vault/helpers/engines-display-data';
-import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
 import { ALL_ENGINES } from 'vault/utils/all-engines-metadata';
+import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
-import type ApiService from 'vault/services/api';
-import type FlashMessageService from 'vault/services/flash-messages';
-import type NamespaceService from 'vault/services/namespace';
 import type RouterService from '@ember/routing/router-service';
 import type SecretsEngineResource from 'vault/resources/secrets/engine';
-import type VersionService from 'vault/services/version';
+import type ApiService from 'vault/services/api';
+import type FlashMessageService from 'vault/services/flash-messages';
 import type WizardService from 'vault/services/wizard';
-import { WIZARD_ID } from '../wizard/secret-engines/secret-engines-wizard';
 
 /**
  * @module SecretEngineList handles the display of the list of secret engines, including the filtering.
@@ -39,15 +36,9 @@ interface Args {
 export default class SecretEngineList extends Component<Args> {
   @service declare readonly api: ApiService;
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly namespace: NamespaceService;
   @service declare readonly router: RouterService;
-  @service declare readonly version: VersionService;
   @service declare readonly wizard: WizardService;
 
-  @tracked secretEngineOptions: Array<string> | [] = [];
-  @tracked engineToDisable: SecretsEngineResource | undefined = undefined;
-  @tracked enginesToDisable: Array<SecretsEngineResource> | null = null;
-
   @tracked engineTypeFilters: Array<string> = [];
   @tracked engineVersionFilters: Array<string> = [];
   @tracked searchText = '';
@@ -56,10 +47,9 @@ export default class SecretEngineList extends Component<Args> {
   @tracked typeSearchText = '';
   @tracked versionSearchText = '';
 
-  @tracked selectedItems = Array<string>();
-
   @tracked shouldRenderIntroModal = false;
-  wizardId = WIZARD_ID;
+
+  wizardId = WIZARD_ID_MAP.secretEngines;
 
   tableColumns = [
     {
@@ -72,23 +62,23 @@ export default class SecretEngineList extends Component<Args> {
     {
       key: 'accessor',
       label: 'Accessor',
-      width: '175px',
+      width: '205px',
     },
     {
       key: 'description',
       label: 'Description',
-      width: '300px',
+      width: '320px',
     },
     {
       key: 'running_plugin_version',
       label: 'Version',
       isSortable: true,
-      width: '170px',
+      width: '175px',
     },
     {
       key: 'popupMenu',
       label: 'Action',
-      width: '75px',
+      width: '80px',
     },
   ];
 
@@ -201,10 +191,21 @@ export default class SecretEngineList extends Component<Args> {
   // While not ideal, we can check whether there are other engines than the default cubbyhole/ engine
   // to determine whether we should show the intro page
   get hasOnlyDefaultEngines() {
-    const listedEngines = this.sortedDisplayableBackends;
+    // use displayableBackends to check against unfiltered results to avoid flashing intro page when a filter has no results
+    const listedEngines = this.displayableBackends;
     return !listedEngines.length || (listedEngines.length === 1 && listedEngines[0]?.path === 'cubbyhole/');
   }
 
+  get showContent() {
+    // Show when the 1) wizard is not shown OR 2) wizard intro modal is shown
+    // This ensures the wizard intro modal is shown on top of the list view and the background content is not blank behind the modal
+    return !this.showWizard || (this.shouldRenderIntroModal && this.wizard.isIntroVisible(this.wizardId));
+  }
+
+  get showIntroButton() {
+    return this.showContent && this.hasOnlyDefaultEngines;
+  }
+
   get showWizard() {
     return !this.wizard.isDismissed(this.wizardId) && this.hasOnlyDefaultEngines;
   }
@@ -283,49 +284,4 @@ export default class SecretEngineList extends Component<Args> {
     this.engineTypeFilters = [];
     this.engineVersionFilters = [];
   }
-
-  @action
-  updateSelectedItems(tableData: { selectedRowsKeys: string[] }) {
-    this.selectedItems = tableData.selectedRowsKeys;
-  }
-
-  async disableSingleEngine(engine: SecretsEngineResource) {
-    const { engineType, id, path } = engine;
-    try {
-      await this.api.sys.mountsDisableSecretsEngine(id);
-      this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
-    } catch (err) {
-      const { message } = await this.api.parseError(err);
-      this.flashMessages.danger(
-        `There was an error disabling the ${engineType} Secrets Engine at ${path}: ${message}.`
-      );
-    }
-  }
-
-  @dropTask
-  *disableMultipleEngines(enginePathsToDisable: Array<string>) {
-    const enginesToDisable = this.displayableBackends.filter((engine: SecretsEngineResource) =>
-      enginePathsToDisable.includes(engine.path)
-    );
-    try {
-      for (const engine of enginesToDisable) {
-        yield this.disableSingleEngine(engine);
-      }
-
-      // Navigate once all operations are complete
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } finally {
-      this.enginesToDisable = null;
-    }
-  }
-
-  @dropTask
-  *disableEngine(engine: SecretsEngineResource) {
-    try {
-      yield this.disableSingleEngine(engine);
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } finally {
-      this.engineToDisable = undefined;
-    }
-  }
 }
diff --git a/ui/app/components/secret-engine/page/general-settings.ts b/ui/app/components/secret-engine/page/general-settings.ts
index b90fe8e4a3..d86f1aefdd 100644
--- a/ui/app/components/secret-engine/page/general-settings.ts
+++ b/ui/app/components/secret-engine/page/general-settings.ts
@@ -260,11 +260,12 @@ export default class GeneralSettingsComponent extends Component<Args> {
        * TODO: Fast follow-up PR to update this to use proper client API methods once the
        * client version is bumped.
        */
-      await this.api.request.post(`/sys/mounts/${this.args?.model?.secretsEngine?.id}/tune`, tunePayload);
+      await this.api.sys.mountsTuneConfigurationParameters(this.args?.model?.secretsEngine?.id, tunePayload);
 
       // If plugin version changed, reload the mount to ensure the new version is active
       if (hasPluginVersionChanged) {
         await this.reloadMount();
+        await this.reloadPlugin();
       }
 
       this.flashMessages.success('Engine settings successfully updated.', { title: 'Configuration saved' });
@@ -297,6 +298,38 @@ export default class GeneralSettingsComponent extends Component<Args> {
     }
   }
 
+  // Handles reloading the plugin version after tuning and updating the model data with most recent plugin data
+  // without this the model data will be out of date and prevent the user from tuning back to the original plugin version
+  private async reloadPlugin(): Promise<void> {
+    try {
+      const mountPath = this.args.model.secretsEngine.id;
+      await this.api.sys.pluginsReloadBackends({ mounts: [mountPath] });
+
+      // Refresh version data after reload
+      const { secretsEngine } = this.args.model;
+      const pluginName = secretsEngine.type;
+
+      const [pinnedVersion, mountInfo] = await Promise.all([
+        this.api.sys.pluginsCatalogPinsReadPinnedVersion(pluginName, 'secret').catch(() => {
+          // Silently handle errors - pins are optional
+          return null;
+        }),
+        this.api.sys.internalUiReadMountInformation(mountPath),
+      ]);
+
+      this.handleVersionReload({
+        pinnedVersion: pinnedVersion?.version || null,
+        pluginVersion: mountInfo?.plugin_version || null,
+        runningVersion: mountInfo?.running_plugin_version || null,
+      });
+    } catch (error) {
+      const message = await this.api.parseError(error);
+      this.flashMessages.danger(`Failed to reload plugin: ${message.message}`, {
+        title: 'Reload Failed',
+      });
+    }
+  }
+
   @action
   discardChanges() {
     const currentRouteName = this.router.currentRouteName;
diff --git a/ui/app/components/secret-engine/page/plugin-settings.hbs b/ui/app/components/secret-engine/page/plugin-settings.hbs
index d178bdf3e7..ed77b0d781 100644
--- a/ui/app/components/secret-engine/page/plugin-settings.hbs
+++ b/ui/app/components/secret-engine/page/plugin-settings.hbs
@@ -57,31 +57,38 @@
     {{/each}}
   {{else if engineDisplayData.isConfigurable}}
     {{! Prompt user to configure the secret engine }}
-    <EmptyState
-      @title="{{engineDisplayData.displayName}} not configured"
-      @message="Get started by configuring your {{engineDisplayData.displayName}} secrets engine."
-    >
-      <Hds::Link::Standalone
-        @icon="chevron-right"
-        @iconPosition="trailing"
-        @text="Configure {{engineDisplayData.displayName}}"
-        @route="vault.cluster.secrets.backend.configuration.edit"
-        @model={{@model.secretsEngine.id}}
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="{{engineDisplayData.displayName}} not configured" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="Get started by configuring your {{engineDisplayData.displayName}} secrets engine."
+        data-test-empty-state-message
       />
-    </EmptyState>
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="chevron-right"
+          @iconPosition="trailing"
+          @text="Configure {{engineDisplayData.displayName}}"
+          @route="vault.cluster.secrets.backend.configuration.edit"
+          @model={{@model.secretsEngine.id}}
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
   {{else}}
-    <EmptyState
-      data-test-no-config
-      @title="No configuration details available"
-      @message="{{engineDisplayData.displayName}} does not have any plugin specific configuration. All configurable parameters for this engine are under 'General Settings'."
-    >
-      <Hds::Link::Standalone
-        @icon="chevron-right"
-        @iconPosition="trailing"
-        @text="Back to general settings"
-        @route="vault.cluster.secrets.backend.configuration.general-settings"
-        @model={{@model.secretsEngine.id}}
+    <Hds::ApplicationState class="top-padding-32 is-marginless" data-test-no-config as |A|>
+      <A.Header @title="No configuration details available" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="{{engineDisplayData.displayName}} does not have any plugin specific configuration. All configurable parameters for this engine are under 'General Settings'."
+        data-test-empty-state-message
       />
-    </EmptyState>
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="chevron-right"
+          @iconPosition="trailing"
+          @text="Back to general settings"
+          @route="vault.cluster.secrets.backend.configuration.general-settings"
+          @model={{@model.secretsEngine.id}}
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
   {{/if}}
 {{/let}}
\ No newline at end of file
diff --git a/ui/app/components/secret-engines/catalog.ts b/ui/app/components/secret-engines/catalog.ts
index 550cf626f8..e6c06c5201 100644
--- a/ui/app/components/secret-engines/catalog.ts
+++ b/ui/app/components/secret-engines/catalog.ts
@@ -3,19 +3,19 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Component from '@glimmer/component';
-import { service } from '@ember/service';
 import { action } from '@ember/object';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
-import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
-import {
-  enhanceEnginesWithCatalogData,
-  categorizeEnginesByStatus,
-  MOUNT_CATEGORIES,
-  PLUGIN_TYPES,
-  PLUGIN_CATEGORIES,
-} from 'vault/utils/plugin-catalog-helpers';
+import { filterEnginesByMountCategory } from 'core/utils/all-engines-metadata';
 import type { PluginCatalogData } from 'vault/services/plugin-catalog';
+import {
+  categorizeEnginesByStatus,
+  enhanceEnginesWithCatalogData,
+  MOUNT_CATEGORIES,
+  PLUGIN_CATEGORIES,
+  PLUGIN_TYPES,
+} from 'vault/utils/plugin-catalog-helpers';
 
 import type VersionService from 'vault/services/version';
 
diff --git a/ui/app/components/secret-form-show.hbs b/ui/app/components/secret-form-show.hbs
index f4c4e3e21b..8f2075a6fa 100644
--- a/ui/app/components/secret-form-show.hbs
+++ b/ui/app/components/secret-form-show.hbs
@@ -4,11 +4,13 @@
 }}
 
 {{#if @isWriteWithoutRead}}
-  <EmptyState
-    data-test-write-without-read-empty-message
-    @title="You do not have permission to read this secret."
-    @message="Your policies permit you to overwrite this secret, but do not allow you to read it."
-  />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" data-test-write-without-read-empty-message as |A|>
+    <A.Header data-test-empty-state-title @title="You do not have permission to read this secret." @titleTag="h2" />
+    <A.Body
+      data-test-empty-state-message
+      @text="Your policies permit you to overwrite this secret, but do not allow you to read it."
+    />
+  </Hds::ApplicationState>
 {{else}}
   {{#if @showAdvancedMode}}
     <div class="has-top-margin-s">
diff --git a/ui/app/components/secret-list/ssh-role-item.hbs b/ui/app/components/secret-list/ssh-role-item.hbs
index 712df06a9f..365c91d4a7 100644
--- a/ui/app/components/secret-list/ssh-role-item.hbs
+++ b/ui/app/components/secret-list/ssh-role-item.hbs
@@ -5,7 +5,7 @@
 
 <LinkedBlock
   @params={{array
-    (concat "vault.cluster.secrets.backend." (if (eq @item.keyType "ca") "sign" "credentials") (unless @item.id "-root"))
+    (concat "vault.cluster.secrets.backend." (if (eq @item.key_type "ca") "sign" "credentials") (unless @item.id "-root"))
     @item.id
   }}
   class="list-item-row"
@@ -17,7 +17,7 @@
       <LinkTo
         @route={{concat
           "vault.cluster.secrets.backend."
-          (if (eq @item.keyType "ca") "sign" "credentials")
+          (if (eq @item.key_type "ca") "sign" "credentials")
           (unless @item.id "-root")
         }}
         @model={{@item.id}}
@@ -27,8 +27,8 @@
         <div class="role-item-details">
           <span class="is-underline">{{if (eq @item.id " ") "(self)" (or @item.keyWithoutParent @item.id)}}</span>
           <br />
-          <Hds::Badge @text={{@item.keyType}} />
-          {{#if @item.zeroAddress}}
+          <Hds::Badge @text={{@item.key_type}} />
+          {{#if @item.zero_address}}
             <span class="has-text-grey is-size-7">Zero-Address</span>
           {{/if}}
         </div>
@@ -43,30 +43,18 @@
             @hasChevron={{false}}
             data-test-popup-menu-trigger
           />
-          {{#if (eq @item.keyType "otp")}}
-            {{#if @item.generatePath.isPending}}
-              <dd.Generic class="has-text-center">
-                <LoadingDropdownOption />
-              </dd.Generic>
-            {{else if @item.canGenerate}}
-              <dd.Interactive
-                @route="vault.cluster.secrets.backend.credentials"
-                @model={{@item.id}}
-                data-test-role-ssh-link="generate"
-              >Generate credentials</dd.Interactive>
-            {{/if}}
-          {{else if (eq @item.keyType "ca")}}
-            {{#if @item.signPath.isPending}}
-              <dd.Generic class="has-text-center">
-                <LoadingDropdownOption />
-              </dd.Generic>
-            {{else if @item.canGenerate}}
-              <dd.Interactive
-                @route="vault.cluster.secrets.backend.sign"
-                @model={{@item.id}}
-                data-test-role-ssh-link="generate"
-              >Sign Keys</dd.Interactive>
-            {{/if}}
+          {{#if (and (eq @item.key_type "otp") @item.canGenerate)}}
+            <dd.Interactive
+              @route="vault.cluster.secrets.backend.credentials"
+              @model={{@item.id}}
+              data-test-role-ssh-link="generate"
+            >Generate credentials</dd.Interactive>
+          {{else if (and (eq @item.key_type "ca") @item.canSign)}}
+            <dd.Interactive
+              @route="vault.cluster.secrets.backend.sign"
+              @model={{@item.id}}
+              data-test-role-ssh-link="generate"
+            >Sign Keys</dd.Interactive>
           {{/if}}
           {{#if @loadingToggleZeroAddress}}
             <dd.Generic class="has-text-center">
@@ -74,35 +62,29 @@
             </dd.Generic>
           {{else if @item.canEditZeroAddress}}
             <dd.Interactive {{on "click" @toggleZeroAddress}}>
-              {{if @item.zeroAddress "Disable Zero Address" "Enable Zero Address"}}
+              {{if @item.zero_address "Disable Zero Address" "Enable Zero Address"}}
             </dd.Interactive>
           {{/if}}
-          {{#if @item.updatePath.isPending}}
-            <dd.Generic class="has-text-center">
-              <LoadingDropdownOption />
-            </dd.Generic>
-          {{else}}
-            {{#if @item.canRead}}
-              <dd.Interactive
-                @route="vault.cluster.secrets.backend.show"
-                @model={{@item.id}}
-                data-test-role-ssh-link="show"
-              >Details</dd.Interactive>
-            {{/if}}
-            {{#if @item.canEdit}}
-              <dd.Interactive
-                @route="vault.cluster.secrets.backend.edit"
-                @model={{@item.id}}
-                data-test-role-ssh-link="edit"
-              >Edit</dd.Interactive>
-            {{/if}}
-            {{#if @item.canDelete}}
-              <dd.Interactive
-                @color="critical"
-                {{on "click" (fn (mut this.showConfirmModal) true)}}
-                data-test-ssh-role-delete
-              >Delete</dd.Interactive>
-            {{/if}}
+          {{#if @item.canRead}}
+            <dd.Interactive
+              @route="vault.cluster.secrets.backend.show"
+              @model={{@item.id}}
+              data-test-role-ssh-link="show"
+            >Details</dd.Interactive>
+          {{/if}}
+          {{#if @item.canEdit}}
+            <dd.Interactive
+              @route="vault.cluster.secrets.backend.edit"
+              @model={{@item.id}}
+              data-test-role-ssh-link="edit"
+            >Edit</dd.Interactive>
+          {{/if}}
+          {{#if @item.canDelete}}
+            <dd.Interactive
+              @color="critical"
+              {{on "click" (fn (mut this.showConfirmModal) true)}}
+              data-test-ssh-role-delete
+            >Delete</dd.Interactive>
           {{/if}}
         </Hds::Dropdown>
       {{/if}}
diff --git a/ui/app/components/secret-list/transform-list-item.hbs b/ui/app/components/secret-list/transform-list-item.hbs
index 763fe01cb8..f3d819d31c 100644
--- a/ui/app/components/secret-list/transform-list-item.hbs
+++ b/ui/app/components/secret-list/transform-list-item.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-{{#if (and @item.updatePath.canRead (not this.isBuiltin))}}
+{{#if (and @item.canRead (not @item.isBuiltin))}}
   <LinkedBlock
     @params={{array "vault.cluster.secrets.backend.show" @itemPath}}
     class="list-item-row"
@@ -24,7 +24,7 @@
         </SecretLink>
       </div>
       <div class="column has-text-right">
-        {{#if (or @item.updatePath.canRead @item.updatePath.canUpdate)}}
+        {{#if (or @item.canRead @item.canUpdate)}}
           <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
             <dd.ToggleIcon
               @icon="more-horizontal"
@@ -32,10 +32,10 @@
               @hasChevron={{false}}
               data-test-popup-menu-trigger
             />
-            {{#if @item.updatePath.canRead}}
+            {{#if @item.canRead}}
               <dd.Interactive @route="vault.cluster.secrets.backend.show" @model={{@itemPath}}>Details</dd.Interactive>
             {{/if}}
-            {{#if @item.updatePath.canUpdate}}
+            {{#if @item.canUpdate}}
               <dd.Interactive @route="vault.cluster.secrets.backend.edit" @model={{@itemPath}}>Edit</dd.Interactive>
             {{/if}}
           </Hds::Dropdown>
@@ -48,7 +48,7 @@
     <div class="columns is-mobile">
       <div class="column is-12 has-text-grey has-text-weight-semibold">
         <Icon @name="file" class="has-text-grey-light" />
-        {{#if this.isBuiltin}}
+        {{#if @item.isBuiltin}}
           <Hds::TooltipButton
             @text="This is a built-in HashiCorp {{@itemType}}. It can't be viewed or edited."
             @placement="top-start"
diff --git a/ui/app/components/secret-list/transform-list-item.js b/ui/app/components/secret-list/transform-list-item.js
index 7110f83c84..d135feb75d 100644
--- a/ui/app/components/secret-list/transform-list-item.js
+++ b/ui/app/components/secret-list/transform-list-item.js
@@ -17,21 +17,10 @@
  * @param {string} [itemType] - itemType is used to calculate whether an item is readable or
  */
 
-import { computed } from '@ember/object';
-import Component from '@ember/component';
+import Component from '@glimmer/component';
 
-export default Component.extend({
-  item: null,
-  itemPath: '',
-  itemType: '',
-
-  isBuiltin: computed('item', 'itemType', function () {
-    const item = this.item;
-    if (this.itemType === 'alphabet' || this.itemType === 'template') {
-      return item.id.startsWith('builtin/');
-    }
-    return false;
-  }),
-
-  backendType: 'transform',
-});
+export default class TransformListItemComponent extends Component {
+  get isBuiltin() {
+    return this.args.item?.isBuiltin || false;
+  }
+}
diff --git a/ui/app/components/secret-list/transform-transformation-item.hbs b/ui/app/components/secret-list/transform-transformation-item.hbs
index 2f475b4940..d62ba44b7a 100644
--- a/ui/app/components/secret-list/transform-transformation-item.hbs
+++ b/ui/app/components/secret-list/transform-transformation-item.hbs
@@ -24,7 +24,7 @@
       </SecretLink>
     </div>
     <div class="column has-text-right">
-      {{#if (or @item.updatePath.canRead @item.updatePath.canUpdate)}}
+      {{#if (or @item.canRead @item.canUpdate)}}
         <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
           <dd.ToggleIcon
             @icon="more-horizontal"
@@ -32,10 +32,10 @@
             @hasChevron={{false}}
             data-test-popup-menu-trigger
           />
-          {{#if @item.updatePath.canRead}}
+          {{#if @item.canRead}}
             <dd.Interactive @route="vault.cluster.secrets.backend.show" @model={{@item.id}}>Details</dd.Interactive>
           {{/if}}
-          {{#if @item.updatePath.canUpdate}}
+          {{#if @item.canUpdate}}
             <dd.Interactive @route="vault.cluster.secrets.backend.edit" @model={{@item.id}}>Edit</dd.Interactive>
           {{/if}}
         </Hds::Dropdown>
diff --git a/ui/app/components/ssh-sign-key.hbs b/ui/app/components/ssh-sign-key.hbs
new file mode 100644
index 0000000000..891967afad
--- /dev/null
+++ b/ui/app/components/ssh-sign-key.hbs
@@ -0,0 +1,81 @@
+{{!
+  Copyright IBM Corp. 2016, 2026
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Page::Header @title="Sign SSH key">
+  <:breadcrumbs>
+    <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
+  </:breadcrumbs>
+</Page::Header>
+
+{{#if this.signedKeyData}}
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <Hds::Alert @type="inline" @color="warning" class="has-top-margin-s has-bottom-margin-s" as |A|>
+      <A.Title>Warning</A.Title>
+      <A.Description>
+        You will not be able to access this information later, so please copy the information below.
+      </A.Description>
+    </Hds::Alert>
+    {{#each this.signDisplayRows as |row|}}
+      <InfoTableRow @label={{row.label}} @value={{row.value}} />
+    {{/each}}
+  </div>
+  <div class="field is-grouped box is-fullwidth is-bottomless">
+    <div class="control">
+      <Hds::Copy::Button
+        @text="Copy key"
+        @textToCopy={{this.signedKeyData.signed_key}}
+        @onError={{(fn (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger"))}}
+        class="primary"
+      />
+    </div>
+    {{#if this.signedKeyData.lease_id}}
+      <div class="control">
+        <Hds::Copy::Button
+          @text="Copy lease ID"
+          @textToCopy={{this.signedKeyData.lease_id}}
+          @onError={{(fn
+            (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger")
+          )}}
+          class="secondary"
+        />
+      </div>
+    {{/if}}
+    <div class="control">
+      <Hds::Button @text="Back" @color="secondary" {{on "click" this.reset}} data-test-back-button />
+    </div>
+  </div>
+{{else}}
+  <form {{on "submit" (perform this.sign)}} data-test-secret-generate-form="true">
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <MessageError @errorMessage={{this.errorMessage}} />
+      <NamespaceReminder @mode="sign" @noun="SSH key" />
+      <FormFieldGroups
+        @model={{this.signForm}}
+        @mode="create"
+        @groupName="formFieldGroups"
+        @modelValidations={{this.modelValidations}}
+      />
+      {{#if this.invalidFormAlert}}
+        <AlertInline @type="danger" @message={{this.invalidFormAlert}} class="has-top-padding-s" />
+      {{/if}}
+    </div>
+    <Hds::ButtonSet class="has-top-bottom-margin">
+      <Hds::Button
+        @text="Sign"
+        @icon={{if this.sign.isRunning "loading"}}
+        type="submit"
+        disabled={{this.sign.isRunning}}
+        data-test-submit
+      />
+      <Hds::Button
+        @text="Cancel"
+        @color="secondary"
+        @route="vault.cluster.secrets.backend.list-root"
+        @model={{@backendPath}}
+        data-test-cancel
+      />
+    </Hds::ButtonSet>
+  </form>
+{{/if}}
\ No newline at end of file
diff --git a/ui/app/components/ssh-sign-key.ts b/ui/app/components/ssh-sign-key.ts
new file mode 100644
index 0000000000..232025c46c
--- /dev/null
+++ b/ui/app/components/ssh-sign-key.ts
@@ -0,0 +1,90 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { service } from '@ember/service';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { task } from 'ember-concurrency';
+import { waitFor } from '@ember/test-waiters';
+import SshSignForm from 'vault/forms/ssh/sign';
+
+import type ApiService from 'vault/services/api';
+import type ControlGroupService from 'vault/vault/services/control-group';
+
+interface Args {
+  roleName: string;
+  backendPath: string;
+}
+
+export default class SshSignKey extends Component<Args> {
+  @service declare readonly api: ApiService;
+  @service declare readonly controlGroup: ControlGroupService;
+
+  @tracked signForm = new SshSignForm({ cert_type: 'user' });
+  @tracked signedKeyData: Record<string, unknown> | null = null;
+  @tracked errorMessage: string | null = null;
+  @tracked modelValidations: Record<string, unknown> | null = null;
+  @tracked invalidFormAlert: string | null = null;
+
+  get signDisplayRows() {
+    const data = this.signedKeyData;
+    if (!data) return [];
+    return [
+      { label: 'Signed key', value: data['signed_key'] },
+      { label: 'Lease ID', value: data['lease_id'] },
+      { label: 'Renewable', value: data['renewable'] },
+      { label: 'Lease duration', value: data['lease_duration'] },
+      { label: 'Serial number', value: data['serial_number'] },
+    ].filter((f) => f.value != null && f.value !== '');
+  }
+
+  get breadcrumbs() {
+    const { backendPath, roleName } = this.args;
+    return [
+      { label: backendPath, route: 'vault.cluster.secrets.backend', model: backendPath },
+      { label: 'Sign', route: 'vault.cluster.secrets.backend', model: backendPath },
+      { label: roleName, route: 'vault.cluster.secrets.backend.show', model: roleName },
+      { label: 'Sign SSH Key' },
+    ];
+  }
+
+  sign = task(
+    waitFor(async (evt: Event) => {
+      evt.preventDefault();
+      this.errorMessage = null;
+
+      const { isValid, state, invalidFormMessage, data } = this.signForm.toJSON();
+      this.modelValidations = isValid ? null : state;
+      this.invalidFormAlert = isValid ? null : invalidFormMessage;
+      if (!isValid) return;
+      try {
+        const result = await this.api.secrets.sshSignCertificate(
+          this.args.roleName,
+          this.args.backendPath,
+          data
+        );
+        this.signedKeyData = { ...result, ...(result.data as Record<string, unknown>) };
+      } catch (error) {
+        const { message, response } = await this.api.parseError(error);
+        if (response?.isControlGroupError) {
+          this.controlGroup.saveTokenFromError(response);
+          this.errorMessage = this.controlGroup.logFromError(response).content;
+        } else {
+          this.errorMessage = message;
+        }
+      }
+    })
+  );
+
+  @action
+  reset() {
+    this.signedKeyData = null;
+    this.signForm = new SshSignForm({ cert_type: 'user' });
+    this.errorMessage = null;
+    this.modelValidations = null;
+    this.invalidFormAlert = null;
+  }
+}
diff --git a/ui/app/components/token-expire-warning.hbs b/ui/app/components/token-expire-warning.hbs
index f70f2a4a2b..5017f31740 100644
--- a/ui/app/components/token-expire-warning.hbs
+++ b/ui/app/components/token-expire-warning.hbs
@@ -37,15 +37,17 @@
             on
             {{date-format @expirationDate "MMMM do yyyy, h:mm:ss a O"}}.
           </A.Description>
-          <A.Button
-            @text="Renew token"
-            @color="secondary"
-            @icon={{if this.renewToken.isRunning "loading" "reload"}}
-            @iconPosition="trailing"
-            disabled={{this.renewToken.isRunning}}
-            {{on "click" (perform this.renewToken)}}
-            data-test-renew-token-button
-          />
+          {{#if this.canShowRenew}}
+            <A.Button
+              @text="Renew token"
+              @color="secondary"
+              @icon={{if this.renewToken.isRunning "loading" "reload"}}
+              @iconPosition="trailing"
+              disabled={{this.renewToken.isRunning}}
+              {{on "click" (perform this.renewToken)}}
+              data-test-renew-token-button
+            />
+          {{/if}}
           <A.LinkStandalone
             @icon="arrow-right"
             @iconPosition="trailing"
diff --git a/ui/app/components/token-expire-warning.js b/ui/app/components/token-expire-warning.js
index 7b52b14e79..08c6644ac1 100644
--- a/ui/app/components/token-expire-warning.js
+++ b/ui/app/components/token-expire-warning.js
@@ -12,7 +12,19 @@ import { task } from 'ember-concurrency';
 export default class TokenExpireWarning extends Component {
   @service auth;
   @service router;
+  @service capabilities;
   @tracked canDismiss = true;
+  @tracked canRenewSelf = true;
+
+  constructor(owner, args) {
+    super(owner, args);
+    this.fetchRenewCapability();
+  }
+
+  async fetchRenewCapability() {
+    const { canUpdate } = await this.capabilities.fetchPathCapabilities('auth/token/renew-self');
+    this.canRenewSelf = canUpdate;
+  }
 
   handleRenew() {
     return new Promise((resolve) => {
@@ -36,6 +48,10 @@ export default class TokenExpireWarning extends Component {
     yield this.handleRenew();
   }
 
+  get canShowRenew() {
+    return this.auth?.authData?.renewable && this.canRenewSelf;
+  }
+
   get queryParams() {
     // Bring user back to current page after login
     return { redirect_to: this.router.currentURL };
diff --git a/ui/app/components/toolbar-secret-link.hbs b/ui/app/components/toolbar-secret-link.hbs
index 9cbc026931..f324566827 100644
--- a/ui/app/components/toolbar-secret-link.hbs
+++ b/ui/app/components/toolbar-secret-link.hbs
@@ -14,5 +14,5 @@
   ...attributes
 >
   {{yield}}
-  <Icon @name={{this.glyph}} />
+  <Icon class="toolbar-icon" @name={{this.glyph}} />
 </SecretLink>
\ No newline at end of file
diff --git a/ui/app/components/tools/hash.hbs b/ui/app/components/tools/hash.hbs
index dcb484b7ad..469fdc01f9 100644
--- a/ui/app/components/tools/hash.hbs
+++ b/ui/app/components/tools/hash.hbs
@@ -3,14 +3,17 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Hash data">
+<Page::Header
+  @title="Hash data"
+  @description="Generate secure cryptographic hashes of input data to verify integrity without storing the raw data."
+>
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
 {{#if this.sum}}
-  <div class="box is-sideless is-fullwidth is-marginless">
+  <div class="box is-fullwidth is-marginless">
     <div class="field">
       <label for="sum" class="is-input">Sum</label>
       <Hds::Copy::Snippet
@@ -26,7 +29,7 @@
   </div>
 {{else}}
   <form {{on "submit" this.handleSubmit}}>
-    <div class="box is-sideless is-fullwidth is-marginless">
+    <div class="box is-fullwidth is-marginless">
       <MessageError @errorMessage={{this.errorMessage}} />
       <div class="field">
         <label for="hash-input" class="is-label">
diff --git a/ui/app/components/tools/lookup.hbs b/ui/app/components/tools/lookup.hbs
index 528c378ed0..563907ead1 100644
--- a/ui/app/components/tools/lookup.hbs
+++ b/ui/app/components/tools/lookup.hbs
@@ -3,14 +3,17 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Lookup token">
+<Page::Header
+  @title="Lookup token"
+  @description="Inspect the metadata of a response-wrapping token, such as its creation time and TTL without revealing the underlying secret."
+>
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
 {{#if this.lookupData}}
-  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+  <div class="box is-fullwidth is-paddingless is-marginless">
     {{#each-in this.lookupData as |key value|}}
       {{#let (if (eq key "creation_ttl") "Creation TTL" (to-label key)) as |label|}}
         <InfoTableRow @label={{label}} @value={{value}} />
@@ -26,7 +29,7 @@
   </div>
 {{else}}
   <form {{on "submit" this.handleSubmit}}>
-    <div class="box is-sideless is-fullwidth is-marginless">
+    <div class="box is-fullwidth is-marginless">
       <NamespaceReminder @mode="perform" @noun="lookup" />
       <MessageError @errorMessage={{this.errorMessage}} />
       <div class="field">
diff --git a/ui/app/components/tools/random.hbs b/ui/app/components/tools/random.hbs
index 3acf990377..0a93922159 100644
--- a/ui/app/components/tools/random.hbs
+++ b/ui/app/components/tools/random.hbs
@@ -3,14 +3,17 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Random bytes">
+<Page::Header
+  @title="Random bytes"
+  @description="Use Vault as a cryptographically secure entropy source to generate high-quality random bytes for external applications."
+>
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
 {{#if this.randomBytes}}
-  <div class="box is-sideless is-fullwidth is-marginless">
+  <div class="box is-fullwidth is-marginless">
     <label for="rand" class="is-label">Random bytes</label>
     <Hds::Copy::Snippet
       @textToCopy={{this.randomBytes}}
@@ -24,7 +27,7 @@
   </div>
 {{else}}
   <form {{on "submit" this.handleSubmit}}>
-    <div class="box is-sideless is-fullwidth is-marginless">
+    <div class="box is-fullwidth is-marginless">
       <MessageError @errorMessage={{this.errorMessage}} />
       <div class="field is-horizontal">
         <div class="field-body">
diff --git a/ui/app/components/tools/rewrap.hbs b/ui/app/components/tools/rewrap.hbs
index 686ffa8e45..0bab2e9d06 100644
--- a/ui/app/components/tools/rewrap.hbs
+++ b/ui/app/components/tools/rewrap.hbs
@@ -3,14 +3,17 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Rewrap token">
+<Page::Header
+  @title="Rewrap token"
+  @description="Migrate a wrapped secret to a new token to extend its lifetime without exposing the underlying secret data."
+>
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
 {{#if this.rewrappedToken}}
-  <div class="box is-sideless is-fullwidth is-marginless">
+  <div class="box is-fullwidth is-marginless">
     <div class="field">
       <label class="is-label">Rewrapped token</label>
       <Hds::Copy::Snippet
@@ -26,7 +29,7 @@
   </div>
 {{else}}
   <form {{on "submit" this.handleSubmit}}>
-    <div class="box is-sideless is-fullwidth is-marginless">
+    <div class="box is-fullwidth is-marginless">
       <NamespaceReminder @mode="perform" @noun="rewrap" />
       <MessageError @errorMessage={{this.errorMessage}} />
       <div class="field">
diff --git a/ui/app/components/tools/unwrap.hbs b/ui/app/components/tools/unwrap.hbs
index f08cb255ce..80aea1c6e9 100644
--- a/ui/app/components/tools/unwrap.hbs
+++ b/ui/app/components/tools/unwrap.hbs
@@ -3,7 +3,10 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Unwrap data">
+<Page::Header
+  @title="Unwrap data"
+  @description="Retrieve the original secret data from a wrapping token and automatically invalidate the token."
+>
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
@@ -40,7 +43,7 @@
   </Hds::ButtonSet>
 {{else}}
   <form {{on "submit" this.handleSubmit}}>
-    <div class="box is-sideless is-fullwidth is-marginless">
+    <div class="box is-fullwidth is-marginless">
       <NamespaceReminder @mode="perform" @noun="unwrap" />
       <MessageError @errorMessage={{this.errorMessage}} />
       <div class="field">
diff --git a/ui/app/components/tools/wrap.hbs b/ui/app/components/tools/wrap.hbs
index dc368c969f..ecfcdcb076 100644
--- a/ui/app/components/tools/wrap.hbs
+++ b/ui/app/components/tools/wrap.hbs
@@ -7,10 +7,17 @@
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
+  <:description>
+    Generate single-use tokens that encrypt sensitive data short-term to provide secure secret delivery and intercept
+    detection.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/wrapping"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
 </Page::Header>
 
 {{#if this.token}}
-  <div class="box is-sideless is-fullwidth is-marginless">
+  <div class="box is-fullwidth is-marginless">
     <div class="field">
       <label for="wrap-info" class="is-label">Wrapped token</label>
       <Hds::Copy::Snippet
@@ -35,7 +42,7 @@
   </div>
 {{else}}
   <form {{on "submit" this.handleSubmit}}>
-    <div class="box is-sideless is-fullwidth is-marginless">
+    <div class="box is-fullwidth is-marginless">
       <NamespaceReminder @mode="perform" @noun="wrap" />
       <MessageError @errorMessage={{this.errorMessage}} />
       <Toolbar>
diff --git a/ui/app/components/totp-edit.hbs b/ui/app/components/totp-edit.hbs
index 066cca5166..b334097ee6 100644
--- a/ui/app/components/totp-edit.hbs
+++ b/ui/app/components/totp-edit.hbs
@@ -6,26 +6,34 @@
 <Page::Header @title={{this.title}} @subtitle={{this.subtitle}}>
   <:breadcrumbs>
     <KeyValueHeader
-      @baseKey={{@model}}
+      @baseKey={{@form}}
       @path="vault.cluster.secrets.backend.list"
       @mode={{@mode}}
-      @root={{@root}}
+      @root={{this.breadcrumbs}}
       @showCurrent={{true}}
     />
   </:breadcrumbs>
 </Page::Header>
 
 {{#if (eq @mode "show")}}
-  <Totp::KeyDetails @model={{@model}} @onDelete={{this.deleteKey}} />
+  <Totp::KeyDetails
+    @key={{this.key}}
+    @capabilities={{@capabilities}}
+    @onDelete={{this.deleteKey}}
+    @displayFields={{this.displayFields}}
+  />
 {{else if (eq @mode "create")}}
   {{#if this.hasGenerated}}
-    <Totp::KeyQrCode @model={{@model}} @onReset={{this.reset}} />
+    <Totp::KeyQrCode
+      @qrSize={{@form.data.qr_size}}
+      @key={{this.key}}
+      @onReset={{this.reset}}
+      @generatedFields={{this.generatedFields}}
+    />
   {{else}}
     <Totp::KeyCreate
       @onSubmit={{this.createKey}}
-      @model={{@model}}
-      @defaultKeyFormFields={{this.defaultKeyFormFields}}
-      @groups={{this.groups}}
+      @form={{@form}}
       @modelValidations={{this.modelValidations}}
       @invalidFormAlert={{this.invalidFormAlert}}
     />
diff --git a/ui/app/components/totp-edit.js b/ui/app/components/totp-edit.js
index e72b8df9cd..02b96c4287 100644
--- a/ui/app/components/totp-edit.js
+++ b/ui/app/components/totp-edit.js
@@ -9,17 +9,17 @@ import { tracked } from '@glimmer/tracking';
 import { service } from '@ember/service';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
-import errorMessage from 'vault/utils/error-message';
 
 /**
  * @module TotpEdit
  * `TotpEdit` is a component that allows you to create, view or delete a TOTP key.
  * When creating a key if `generate` and `exported` are true then after a successful save the UI renders a QR code for the generated key.
  * @example
- *   <TotpEdit @model={{this.model}} @mode={{this.mode}} />
+ *   <TotpEdit @form={{this.form}} @mode={{this.mode}} @capabilities={{this.capabilities}} />
  *
- * @param {object} model - The totp key ember data model.
+ * @param {object} form - The TotpKeyForm instance.
  * @param {string} mode - The mode to render. Either 'create' or 'show'.
+ * @param {object} capabilities - Capabilities object with canDelete, canRead flags.
  */
 const LIST_ROOT_ROUTE = 'vault.cluster.secrets.backend.list-root';
 const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
@@ -27,12 +27,38 @@ const SHOW_ROUTE = 'vault.cluster.secrets.backend.show';
 export default class TotpEdit extends Component {
   @service router;
   @service flashMessages;
+  @service api;
 
   @tracked hasGenerated = false;
   @tracked invalidFormAlert = '';
   @tracked modelValidations;
+  @tracked key;
 
-  successCallback;
+  constructor(owner, args) {
+    super(owner, args);
+    // In show mode, the route fetches the key and passes it via @form
+    // This stores it in our tracked property for consistent data source
+    if (args.mode === 'show') {
+      this.key = args.form.data;
+    }
+  }
+
+  displayFields = [
+    { field: 'account_name', label: 'Account name' },
+    { field: 'algorithm', label: 'Algorithm' },
+    { field: 'digits', label: 'Digits' },
+    { field: 'issuer', label: 'Issuer' },
+    { field: 'period', label: 'Period' },
+  ];
+
+  generatedFields = [{ field: 'url', label: 'URL' }];
+
+  breadcrumbs = [
+    { label: 'Vault', text: 'Vault', icon: 'vault', path: 'vault.cluster.dashboard' },
+    { text: 'Secrets engines', path: 'vault.cluster.secrets.backends' },
+    this.args.root,
+    { label: this.title, text: this.title },
+  ];
 
   get title() {
     if (this.args.mode === 'create') {
@@ -43,29 +69,7 @@ export default class TotpEdit extends Component {
 
   get subtitle() {
     if (this.args.mode === 'create') return '';
-
-    return this.args.model.id;
-  }
-
-  get defaultKeyFormFields() {
-    const shared = ['name', 'generate', 'issuer', 'accountName'];
-    const generated = [...shared, 'exported'];
-    const nonGenerated = [...shared, 'url', 'key'];
-    return this.args.model.generate ? generated : nonGenerated;
-  }
-
-  get groups() {
-    const { generate } = this.args.model;
-
-    const groups = {
-      'TOTP Code Options': ['algorithm', 'digits', 'period'],
-    };
-
-    if (generate) {
-      groups['Provider Options'] = ['keySize', 'skew', 'qrSize'];
-    }
-
-    return groups;
+    return this.args.form.data.name;
   }
 
   transitionToRoute() {
@@ -74,52 +78,49 @@ export default class TotpEdit extends Component {
 
   @action
   reset() {
-    const { name } = this.args.model;
-    this.args.model.unloadRecord();
+    const { name } = this.args.form.data;
     this.transitionToRoute(SHOW_ROUTE, name);
   }
 
   @action
   async deleteKey() {
     try {
-      const { id } = this.args.model;
-      await this.args.model.destroyRecord();
+      const { name, backend } = this.args.form.data;
+      await this.api.secrets.totpDeleteKey(name, backend);
       this.transitionToRoute(LIST_ROOT_ROUTE);
-      this.flashMessages.success(`${id} was successfully deleted.`);
+      this.flashMessages.success(`${name} was successfully deleted.`);
     } catch (err) {
-      this.flashMessages.danger(errorMessage(err));
+      const { message } = await this.api.parseError(err);
+      this.flashMessages.danger(message);
     }
   }
 
   createKey = task(
     waitFor(async (event) => {
       event.preventDefault();
-      const { isValid, state, invalidFormMessage } = this.args.model.validate();
+      const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
       this.modelValidations = isValid ? null : state;
       this.invalidFormAlert = invalidFormMessage;
 
       if (!isValid) return;
       try {
-        const allFields = [...this.defaultKeyFormFields, ...Object.values(this.groups).flat()];
-        await this.args.model.save({
-          adapterOptions: {
-            keyFormFields: allFields,
-          },
-        });
-        const { generate, exported } = this.args.model;
+        const { name, backend, generate, exported } = this.args.form.data;
+        const resp = await this.api.secrets.totpCreateKey(name, backend, data);
 
         if (generate && exported) {
           // stay in this template and show QR code returned from response
+          if (resp?.data) {
+            this.key = resp.data;
+          }
           this.hasGenerated = true;
         } else {
-          // nothing is returned from response, transition to key details route
-          this.transitionToRoute(SHOW_ROUTE, this.args.model.name);
+          this.transitionToRoute(SHOW_ROUTE, name);
         }
+        this.flashMessages.success('Successfully created key.');
       } catch (err) {
-        // err will display via model state
-        return;
+        const { message } = await this.api.parseError(err);
+        this.flashMessages.danger(message);
       }
-      this.flashMessages.success('Successfully created key.');
     })
   );
 }
diff --git a/ui/app/components/totp/key-create-toggle-groups.hbs b/ui/app/components/totp/key-create-toggle-groups.hbs
deleted file mode 100644
index 75b7df8db7..0000000000
--- a/ui/app/components/totp/key-create-toggle-groups.hbs
+++ /dev/null
@@ -1,31 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-{{#each-in @groups as |group fields|}}
-  <ToggleButton
-    @isOpen={{eq this.showGroup group}}
-    @openLabel={{concat "Hide " group}}
-    @closedLabel={{group}}
-    @onClick={{fn this.toggleGroup group}}
-    class="is-block"
-    data-test-button={{group}}
-  />
-  {{#if (eq this.showGroup group)}}
-    <div class="box is-marginless" data-test-group={{group}}>
-      {{#each fields as |fieldName|}}
-        {{#let (find-by "name" fieldName @model.allFields) as |attr|}}
-          <FormField
-            data-test-field
-            @attr={{attr}}
-            @model={{@model}}
-            @showHelpText={{false}}
-            @modelValidations={{@modelValidations}}
-          />
-        {{/let}}
-      {{/each}}
-
-    </div>
-  {{/if}}
-{{/each-in}}
\ No newline at end of file
diff --git a/ui/app/components/totp/key-create-toggle-groups.js b/ui/app/components/totp/key-create-toggle-groups.js
deleted file mode 100644
index 709556e086..0000000000
--- a/ui/app/components/totp/key-create-toggle-groups.js
+++ /dev/null
@@ -1,17 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { tracked } from '@glimmer/tracking';
-import { action } from '@ember/object';
-
-export default class KeyCreateToggleGroupsComponent extends Component {
-  @tracked showGroup = null;
-
-  @action
-  toggleGroup(group, isOpen) {
-    this.showGroup = isOpen ? group : null;
-  }
-}
diff --git a/ui/app/components/totp/key-create.hbs b/ui/app/components/totp/key-create.hbs
index f9347cdb4e..81239833ed 100644
--- a/ui/app/components/totp/key-create.hbs
+++ b/ui/app/components/totp/key-create.hbs
@@ -5,15 +5,8 @@
 
 <form {{on "submit" (perform @onSubmit)}}>
   <div class="box is-sideless is-fullwidth is-marginless">
-    <MessageError @model={{@model}} />
     <NamespaceReminder @mode={{"create"}} @noun="TOTP key" />
-    {{#each @defaultKeyFormFields as |field|}}
-      {{#let (find-by "name" field @model.allFields) as |attr|}}
-        <FormField @attr={{attr}} @model={{@model}} @modelValidations={{@modelValidations}} />
-      {{/let}}
-    {{/each}}
-
-    <Totp::KeyCreateToggleGroups @model={{@model}} @modelValidations={{@modelValidations}} @groups={{@groups}} />
+    <FormFieldGroups @model={{@form}} @groupName="formFieldGroups" @modelValidations={{@modelValidations}} />
   </div>
   <Hds::ButtonSet class="has-top-bottom-margin-12">
     <Hds::Button @text="Create key" type="submit" data-test-submit />
@@ -21,7 +14,7 @@
       @text="Cancel"
       @color="secondary"
       @route="vault.cluster.secrets.backend.list-root"
-      @model={{@model.backend}}
+      @model={{@form.data.backend}}
       @query={{hash tab="key"}}
     />
   </Hds::ButtonSet>
diff --git a/ui/app/components/totp/key-details.hbs b/ui/app/components/totp/key-details.hbs
index ee93348a1d..78a900694e 100644
--- a/ui/app/components/totp/key-details.hbs
+++ b/ui/app/components/totp/key-details.hbs
@@ -5,10 +5,10 @@
 
 <Toolbar>
   <ToolbarActions>
-    <ToolbarLink @route="vault.cluster.secrets.backend.credentials" @model={{@model.id}}>
+    <ToolbarLink @route="vault.cluster.secrets.backend.credentials" @model={{@key.name}}>
       Generate code
     </ToolbarLink>
-    {{#if @model.canDelete}}
+    {{#if @capabilities.canDelete}}
       <ConfirmAction
         @buttonText="Delete key"
         class="toolbar-button"
@@ -19,10 +19,7 @@
   </ToolbarActions>
 </Toolbar>
 <div class="box is-fullwidth is-sideless is-paddingless is-marginless" data-test-totp-key-details>
-  {{#each @model.attrs as |attr|}}
-    <InfoTableRow
-      @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-      @value={{get @model attr.name}}
-    />
+  {{#each @displayFields as |item|}}
+    <InfoTableRow @label={{item.label}} @value={{get @key item.field}} />
   {{/each}}
 </div>
\ No newline at end of file
diff --git a/ui/app/components/totp/key-qr-code.hbs b/ui/app/components/totp/key-qr-code.hbs
index 8ddff4db30..dc932f1675 100644
--- a/ui/app/components/totp/key-qr-code.hbs
+++ b/ui/app/components/totp/key-qr-code.hbs
@@ -4,36 +4,29 @@
 }}
 
 <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  <MessageError @model={{@model}} />
-  {{#unless @model.isError}}
-    <Hds::Alert @type="inline" @color="warning" class="has-top-bottom-margin" data-test-warning as |A|>
-      <A.Title>Warning</A.Title>
-      <A.Description>
-        You will not be able to access this information later, so please copy the information below.
-      </A.Description>
-    </Hds::Alert>
-  {{/unless}}
-  {{#each @model.generatedAttrs as |attr|}}
-    <InfoTableRow
-      @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-      @value={{get @model attr.name}}
-    />
+  <Hds::Alert @type="inline" @color="warning" class="has-top-bottom-margin" data-test-warning as |A|>
+    <A.Title>Warning</A.Title>
+    <A.Description>
+      You will not be able to access this information later, so please copy the information below.
+    </A.Description>
+  </Hds::Alert>
+  {{#each @generatedFields as |item|}}
+    <InfoTableRow @label={{item.label}} @value={{get @key item.field}} />
   {{/each}}
-  {{#if (gt @model.qrSize 0)}}
+  {{#if (gt @qrSize 0)}}
     <div class="list-item-row">
       <div class="center-display column">
         <QrCode
-          @text={{@model.url}}
+          @text={{@key.url}}
           @colorLight="#F7F7F7"
-          @width={{@model.qrSize}}
-          @height={{@model.qrSize}}
+          @width={{@qrSize}}
+          @height={{@qrSize}}
           @correctLevel="L"
           data-test-qrcode
         />
       </div>
     </div>
   {{/if}}
-
 </div>
 <div class="field is-grouped box is-fullwidth is-bottomless">
   <div class="control">
diff --git a/ui/app/components/transform-advanced-templating.hbs b/ui/app/components/transform-advanced-templating.hbs
index 695d930fb6..a5b0909d60 100644
--- a/ui/app/components/transform-advanced-templating.hbs
+++ b/ui/app/components/transform-advanced-templating.hbs
@@ -33,16 +33,16 @@
     <AutocompleteInput
       @label="Encode format"
       @subText="Use the groups above to define how the input will be encoded. Refer to each group with $N. This is optional; if not specified, pattern will be used."
-      @value={{@model.encodeFormat}}
+      @value={{@model.encode_format}}
       @optionsTrigger="$"
       @options={{this.inputOptions}}
-      @onChange={{fn (mut @model.encodeFormat)}}
+      @onChange={{fn (mut @model.encode_format)}}
       class="has-top-margin-l"
       data-test-encode-format
     />
     <KvObjectEditor
-      @value={{@model.decodeFormats}}
-      @onChange={{fn (mut @model.decodeFormats)}}
+      @value={{@model.decode_formats}}
+      @onChange={{fn (mut @model.decode_formats)}}
       @label="Decode formats"
       @subText="Using the groups above, define how this data will be decoded. Multiple decode_formats can be used. Optional. If not specified, pattern will be used."
       @keyPlaceholder="name"
diff --git a/ui/app/components/transform-role-edit.hbs b/ui/app/components/transform-role-edit.hbs
index 5011674cad..cf3df81963 100644
--- a/ui/app/components/transform-role-edit.hbs
+++ b/ui/app/components/transform-role-edit.hbs
@@ -5,36 +5,30 @@
 
 <Page::Header @title={{this.title}} @subtitle={{this.subtitle}}>
   <:breadcrumbs>
-    <KeyValueHeader
-      @baseKey={{hash display=this.model.id id=this.model.idForNav}}
-      @path="vault.cluster.secrets.backend.list"
-      @mode={{this.mode}}
-      @root={{this.root}}
-      @showCurrent={{true}}
-    />
+    <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
-{{#if (eq this.mode "show")}}
+{{#if (eq @mode "show")}}
   <Toolbar>
     <ToolbarActions>
-      {{#if this.model.updatePath.canDelete}}
-        <ConfirmAction
-          @buttonText="Delete role"
+      {{#if @capabilities.canDelete}}
+        <Hds::Button
+          @text="Delete role"
+          @color="secondary"
           class="toolbar-button"
-          @buttonColor="secondary"
-          @onConfirmAction={{action "delete"}}
-          @confirmMessage="Deleting this role means that you’ll need to recreate it and reassign any existing transformations to use it again."
-          data-test-transformation-role-delete
+          data-test-delete
+          {{on "click" this.onDelete}}
         />
         <div class="toolbar-separator"></div>
       {{/if}}
-      {{#if this.model.updatePath.canUpdate}}
+      {{#if @capabilities.canUpdate}}
         <ToolbarSecretLink
-          @secret={{concat this.model.idPrefix this.model.id}}
+          @secret={{concat "role/" @form.data.name}}
+          @backend={{@form.data.backend}}
           @mode="edit"
-          data-test-edit-link={{true}}
           @replace={{true}}
+          data-test-edit-link
         >
           Edit role
         </ToolbarSecretLink>
@@ -43,28 +37,52 @@
   </Toolbar>
 {{/if}}
 
-{{#if (or (eq this.mode "edit") (eq this.mode "create"))}}
-  <form onsubmit={{action "createOrUpdate" this.mode}}>
+{{#if (or (eq @mode "edit") (eq @mode "create"))}}
+  <form {{on "submit" this.createOrUpdate}}>
     <div class="box is-sideless is-fullwidth is-marginless">
-      <MessageError @model={{this.model}} />
-      <NamespaceReminder @mode={{this.mode}} @noun="Transform role" />
-      {{#each this.model.attrs as |attr|}}
-        {{#if (and (eq this.mode "edit") attr.options.readOnly)}}
-          <ReadonlyFormField @attr={{attr}} @value={{get this.model attr.name}} />
+      <NamespaceReminder @mode={{@mode}} @noun="transform role" />
+      <MessageError @errorMessage={{this.errorMessage}} />
+      {{#each @form.formFields as |field|}}
+        {{#if (eq field.name "transformations")}}
+          <div class="form-section">
+            <SearchSelect
+              @id="transformations"
+              @label={{field.options.label}}
+              @labelClass="title is-4"
+              @subText={{field.options.subText}}
+              @options={{this.transformations}}
+              @inputValue={{@form.data.transformations}}
+              @onChange={{fn (mut @form.transformations)}}
+              @disallowNewItems={{true}}
+              @fallbackComponent="string-list"
+              data-test-field
+            />
+            {{#if (and this.modelValidations.transformations (not this.modelValidations.transformations.isValid))}}
+              <Hds::Form::Error data-test-validation-error="transformations">
+                {{this.modelValidations.transformations.errors}}
+              </Hds::Form::Error>
+            {{/if}}
+          </div>
         {{else}}
-          <FormField data-test-field @attr={{attr}} @model={{this.model}} />
+          <FormField
+            data-test-field
+            @attr={{field}}
+            @model={{@form}}
+            @mode={{@mode}}
+            @modelValidations={{this.modelValidations}}
+          />
         {{/if}}
       {{/each}}
     </div>
     <div class="field is-grouped-split box is-fullwidth is-bottomless">
       <Hds::ButtonSet>
-        <Hds::Button @text={{if (eq this.mode "create") "Create role" "Save"}} type="submit" data-test-submit />
-        {{#if (eq this.mode "create")}}
+        <Hds::Button @text={{if (eq @mode "create") "Create role" "Save"}} type="submit" data-test-submit />
+        {{#if (eq @mode "create")}}
           <Hds::Button
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.list-root"
-            @model={{this.model.backend}}
+            @model={{@form.data.backend}}
             @query={{hash tab="role"}}
           />
         {{else}}
@@ -72,8 +90,7 @@
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.show"
-            @models={{array this.model.backend (concat "role/" this.model.id)}}
-            @query={{hash tab="role"}}
+            @models={{array @form.data.backend (concat "role/" @form.data.name)}}
           />
         {{/if}}
       </Hds::ButtonSet>
@@ -81,25 +98,13 @@
   </form>
 {{else}}
   <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-    {{#each this.model.attrs as |attr|}}
-      {{#if (eq attr.type "object")}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{stringify (get this.model attr.name)}}
-        />
-      {{else if (eq attr.type "array")}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get this.model attr.name}}
-          @type={{attr.type}}
-          @isLink={{eq attr.name "transformations"}}
-        />
-      {{else}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get this.model attr.name}}
-        />
-      {{/if}}
+    {{#each @form.formFields as |field|}}
+      <InfoTableRow
+        @label={{capitalize (or field.options.label (humanize (dasherize field.name)))}}
+        @value={{get @form.data field.name}}
+        @type={{field.type}}
+        @isLink={{eq field.name "transformations"}}
+      />
     {{/each}}
   </div>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/transform-role-edit.js b/ui/app/components/transform-role-edit.js
index e48633ab96..ae71c1b5c8 100644
--- a/ui/app/components/transform-role-edit.js
+++ b/ui/app/components/transform-role-edit.js
@@ -3,143 +3,224 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import TransformBase, { addToList, removeFromList } from './transform-edit-base';
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
+import { action } from '@ember/object';
 import { service } from '@ember/service';
-import { computed } from '@ember/object';
+import { SecretsApiTransformListTransformationsListEnum } from '@hashicorp/vault-client-typescript';
 
-export default TransformBase.extend({
-  flashMessages: service(),
-  store: service(),
-  initialTransformations: null,
+/**
+ * @module TransformRoleEdit
+ * `TransformRoleEdit` is a component that allows you to create/edit or view a transform role.
+ *
+ * @example
+ * ```js
+ *   <TransformRoleEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />
+ * ```
+ * @param {object} form - RoleForm instance with data and formFields.
+ * @param {object} capabilities - Object with canDelete, canUpdate, canRead capabilities.
+ * @param {string} mode - Is either show, create or edit.
+ */
 
-  init() {
-    this._super(...arguments);
-    this.set('initialTransformations', this.model.transformations);
-  },
+export default class TransformRoleEditComponent extends Component {
+  @service flashMessages;
+  @service router;
+  @service api;
 
-  title: computed('mode', function () {
-    if (this.mode === 'create') {
-      return 'Create Role';
-    } else if (this.mode === 'edit') {
-      return 'Edit Role';
+  @tracked errorMessage = '';
+  @tracked modelValidations;
+  @tracked transformations = [];
+
+  // Non-tracked: used only to diff added/removed transformations after save
+  initialTransformations = [];
+
+  constructor() {
+    super(...arguments);
+    this.initialTransformations = [...(this.args.form.data.transformations ?? [])];
+    this.fetchTransformations();
+  }
+
+  async fetchTransformations() {
+    try {
+      const resp = await this.api.secrets.transformListTransformations(
+        this.args.form.data.backend,
+        SecretsApiTransformListTransformationsListEnum.TRUE
+      );
+      this.transformations = (resp.keys ?? []).map((key) => ({ id: key }));
+    } catch {
+      // swallow errors, SearchSelect will fall back to string-list
+    }
+  }
+
+  get breadcrumbs() {
+    const backend = this.args.form?.data?.backend;
+    const name = this.args.form?.data?.name;
+    return [
+      { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
+      { label: 'Secrets engines', route: 'vault.cluster.secrets.backends' },
+      {
+        label: backend,
+        route: 'vault.cluster.secrets.backend.list-root',
+        model: backend,
+        query: { tab: 'role' },
+      },
+      { label: this.title },
+      { label: this.args.mode === 'create' ? 'role' : name },
+    ];
+  }
+
+  get title() {
+    if (this.args.mode === 'create') {
+      return 'Create role';
+    } else if (this.args.mode === 'edit') {
+      return 'Edit role';
     } else {
       return 'Role';
     }
-  }),
+  }
 
-  subtitle: computed('mode', 'model.id', function () {
-    if (this.mode === 'create' || this.mode === 'edit') return;
+  get subtitle() {
+    if (this.args.mode === 'show') {
+      return this.args.form?.data?.name;
+    }
+    return '';
+  }
 
-    return this.model.id;
-  }),
+  // Reads a transformation, updates its allowed_roles (add/remove this role), then saves.
+  async syncTransformationForRole(transformationName, roleName, backend, syncAction) {
+    let currentAllowedRoles;
+    try {
+      const resp = await this.api.secrets.transformReadTransformation(transformationName, backend);
+      const data = resp?.data || resp || {};
+      currentAllowedRoles = data.allowed_roles || [];
+    } catch {
+      // If the transformation can't be read, skip it
+      return { transformationName, syncAction, errorStatus: null, skipped: true };
+    }
 
-  handleUpdateTransformations(updateTransformations, roleId, type = 'update') {
-    if (!updateTransformations) return;
-    const backend = this.model.backend;
-    const promises = updateTransformations.map((transform) => {
-      return this.store
-        .queryRecord('transform', {
-          backend,
-          id: transform.id,
-        })
-        .then(function (transformation) {
-          let roles = transformation.allowed_roles;
-          if (transform.action === 'ADD') {
-            roles = addToList(roles, roleId);
-          } else if (transform.action === 'REMOVE') {
-            roles = removeFromList(roles, roleId);
-          }
+    let updatedRoles;
+    if (syncAction === 'ADD') {
+      updatedRoles = currentAllowedRoles.includes(roleName)
+        ? currentAllowedRoles
+        : [...currentAllowedRoles, roleName];
+    } else {
+      updatedRoles = currentAllowedRoles.filter((r) => r !== roleName);
+    }
 
-          transformation.setProperties({
-            backend,
-            allowed_roles: roles,
-          });
-
-          return transformation.save().catch((e) => {
-            return { errorStatus: e.httpStatus, ...transform };
-          });
-        });
-    });
-
-    Promise.all(promises).then((res) => {
-      const hasError = res.find((r) => !!r.errorStatus);
-      if (hasError) {
-        const errorAdding = res.find((r) => r.errorStatus === 403 && r.action === 'ADD');
-        const errorRemoving = res.find((r) => r.errorStatus === 403 && r.action === 'REMOVE');
-
-        let message =
-          'The edits to this role were successful, but allowed_roles for its transformations was not edited due to a lack of permissions.';
-        if (type === 'create') {
-          message =
-            'Transformations have been attached to this role, but the role was not added to those transformations’ allowed_roles due to a lack of permissions.';
-        } else if (errorAdding && errorRemoving) {
-          message =
-            'This role was edited to both add and remove transformations; however, this role was not added or removed from those transformations’ allowed_roles due to a lack of permissions.';
-        } else if (errorAdding) {
-          message =
-            'This role was edited to include new transformations, but this role was not added to those transformations’ allowed_roles due to a lack of permissions.';
-        } else if (errorRemoving) {
-          message =
-            'This role was edited to remove transformations, but this role was not removed from those transformations’ allowed_roles due to a lack of permissions.';
-        }
-        this.flashMessages.info(message, {
-          sticky: true,
-          priority: 300,
-        });
-      }
-    });
-  },
-
-  actions: {
-    createOrUpdate(type, event) {
-      event.preventDefault();
-
-      this.applyChanges('save', () => {
-        const roleId = this.model.id;
-        const newModelTransformations = this.model.transformations;
-
-        if (!this.initialTransformations) {
-          this.handleUpdateTransformations(
-            newModelTransformations.map((t) => ({
-              id: t,
-              action: 'ADD',
-            })),
-            roleId,
-            type
-          );
-          return;
-        }
-
-        const updateTransformations = [...newModelTransformations, ...this.initialTransformations]
-          .map((t) => {
-            if (this.initialTransformations.indexOf(t) < 0) {
-              return {
-                id: t,
-                action: 'ADD',
-              };
-            }
-            if (newModelTransformations.indexOf(t) < 0) {
-              return {
-                id: t,
-                action: 'REMOVE',
-              };
-            }
-            return null;
-          })
-          .filter((t) => !!t);
-        this.handleUpdateTransformations(updateTransformations, roleId);
+    try {
+      await this.api.secrets.transformWriteTransformation(transformationName, backend, {
+        allowed_roles: updatedRoles,
       });
-    },
+      return { transformationName, syncAction, errorStatus: null };
+    } catch (writeErr) {
+      const { status } = await this.api.parseError(writeErr);
+      return { transformationName, syncAction, errorStatus: status };
+    }
+  }
 
-    delete() {
-      const roleId = this.model?.id;
-      const roleTransformations = this.model?.transformations || [];
-      const updateTransformations = roleTransformations.map((t) => ({
-        id: t,
-        action: 'REMOVE',
-      }));
-      this.handleUpdateTransformations(updateTransformations, roleId);
-      this.applyDelete();
-    },
-  },
-});
+  // Diffs current vs initial transformations, syncs allowed_roles on each
+  // affected transformation, then shows a single contextual flash if any failed.
+  async handleTransformationSync(roleName, backend, type = 'update') {
+    const currentTransformations = this.args.form.data.transformations ?? [];
+    const initialTransformations = this.initialTransformations;
+
+    let syncOps;
+    if (type === 'create') {
+      syncOps = currentTransformations.map((t) => ({ id: t, syncAction: 'ADD' }));
+    } else {
+      const added = currentTransformations.filter((t) => !initialTransformations.includes(t));
+      const removed = initialTransformations.filter((t) => !currentTransformations.includes(t));
+      syncOps = [
+        ...added.map((t) => ({ id: t, syncAction: 'ADD' })),
+        ...removed.map((t) => ({ id: t, syncAction: 'REMOVE' })),
+      ];
+    }
+
+    if (syncOps.length === 0) return;
+
+    const results = await Promise.all(
+      syncOps.map(({ id, syncAction }) => this.syncTransformationForRole(id, roleName, backend, syncAction))
+    );
+
+    const errors = results.filter((r) => r.errorStatus === 403);
+    if (errors.length === 0) return;
+
+    const errorAdding = errors.some((r) => r.syncAction === 'ADD');
+    const errorRemoving = errors.some((r) => r.syncAction === 'REMOVE');
+
+    let message;
+    if (type === 'create') {
+      message =
+        'Transformations have been attached to this role, but the role was not added to those transformations\u2019 allowed_roles due to a lack of permissions.';
+    } else if (errorAdding && errorRemoving) {
+      message =
+        'This role was edited to both add and remove transformations; however, this role was not added or removed from those transformations\u2019 allowed_roles due to a lack of permissions.';
+    } else if (errorAdding) {
+      message =
+        'This role was edited to include new transformations, but this role was not added to those transformations\u2019 allowed_roles due to a lack of permissions.';
+    } else {
+      message =
+        'This role was edited to remove transformations, but this role was not removed from those transformations\u2019 allowed_roles due to a lack of permissions.';
+    }
+
+    this.flashMessages.info(message, { sticky: true, priority: 300 });
+  }
+
+  // Removes this role from all of its transformations' allowed_roles on delete.
+  async cleanupTransformationsOnDelete(roleName, backend) {
+    const transformations = this.args.form.data.transformations ?? [];
+    if (transformations.length === 0) return;
+
+    await Promise.all(
+      transformations.map((t) => this.syncTransformationForRole(t, roleName, backend, 'REMOVE'))
+    );
+  }
+
+  transition(route = 'show') {
+    this.errorMessage = '';
+    this.modelValidations = null;
+    const { backend, name } = this.args.form.data;
+    if (route === 'list') {
+      this.router.transitionTo('vault.cluster.secrets.backend.list-root', backend, {
+        queryParams: { tab: 'role' },
+      });
+      return;
+    }
+    this.router.transitionTo('vault.cluster.secrets.backend.show', `role/${name}`);
+  }
+
+  @action async createOrUpdate(event) {
+    event.preventDefault();
+
+    const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+    this.modelValidations = isValid ? null : state;
+    this.errorMessage = invalidFormMessage;
+    if (!isValid) return;
+
+    const { name, transformations, backend } = data;
+
+    const isCreate = this.args.mode === 'create';
+    try {
+      await this.api.secrets.transformWriteRole(name, backend, { transformations });
+      this.flashMessages.success('Role saved.');
+      await this.handleTransformationSync(name, backend, isCreate ? 'create' : 'update');
+      this.transition();
+    } catch (e) {
+      const { message } = await this.api.parseError(e);
+      this.errorMessage = message;
+    }
+  }
+
+  @action async onDelete() {
+    const { name, backend } = this.args.form.data;
+    try {
+      await this.api.secrets.transformDeleteRole(name, backend);
+      this.flashMessages.success('Role deleted.');
+      await this.cleanupTransformationsOnDelete(name, backend);
+      this.transition('list');
+    } catch (e) {
+      const { message } = await this.api.parseError(e);
+      this.flashMessages.danger(message);
+    }
+  }
+}
diff --git a/ui/app/components/transform-show-transformation.hbs b/ui/app/components/transform-show-transformation.hbs
index 4676b2715f..9fd1cda1a5 100644
--- a/ui/app/components/transform-show-transformation.hbs
+++ b/ui/app/components/transform-show-transformation.hbs
@@ -17,9 +17,8 @@
         @type={{attr.type}}
         @isLink={{eq attr.name "allowed_roles"}}
         @queryParam="role"
-        @modelType="transform/role"
-        @wildcardLabel={{attr.options.wildcardLabel}}
-        @backend={{this.model.backend}}
+        @arrayOptions={{if (eq attr.name "allowed_roles") @transformRoles null}}
+        @wildcardLabel={{if (eq attr.name "allowed_roles") attr.options.wildcardLabel null}}
       />
     {{else}}
       <InfoTableRow
diff --git a/ui/app/components/transform-template-edit.hbs b/ui/app/components/transform-template-edit.hbs
index 0d7914e964..1d4d8b892b 100644
--- a/ui/app/components/transform-template-edit.hbs
+++ b/ui/app/components/transform-template-edit.hbs
@@ -1,5 +1,5 @@
 {{!
-  Copyright IBM Corp. 2016, 2025
+  Copyright IBM Corp. 2016, 2026
   SPDX-License-Identifier: BUSL-1.1
 }}
 
@@ -12,14 +12,26 @@
 {{#if (eq @mode "show")}}
   <Toolbar>
     <ToolbarActions>
-      {{#if @model.updatePath.canDelete}}
-        <Hds::Button @text="Delete template" @color="secondary" class="toolbar-button" {{on "click" this.onDelete}} />
+      {{#if @capabilities.canDelete}}
+        <Hds::Button
+          @text="Delete template"
+          @color="secondary"
+          class="toolbar-button"
+          data-test-delete
+          {{on "click" this.onDelete}}
+        />
         <div class="toolbar-separator"></div>
       {{/if}}
-      {{#if @model.updatePath.canUpdate}}
-        <ToolbarLink @route="vault.cluster.secrets.backend.edit" @model={{concat "template/" @model.id}} data-test-edit-link>
+      {{#if @capabilities.canUpdate}}
+        <ToolbarSecretLink
+          @secret={{concat "template/" @form.data.name}}
+          @backend={{@form.data.backend}}
+          @mode="edit"
+          @replace={{true}}
+          data-test-edit-link
+        >
           Edit template
-        </ToolbarLink>
+        </ToolbarSecretLink>
       {{/if}}
     </ToolbarActions>
   </Toolbar>
@@ -30,29 +42,33 @@
     <div class="box is-sideless is-fullwidth is-marginless">
       <NamespaceReminder @mode={{@mode}} @noun="transform template" />
       <MessageError @errorMessage={{this.errorMessage}} />
-      {{#each @model.writeAttrs as |attr|}}
-        {{#if (and (eq attr.name "name") (eq @mode "edit"))}}
-          <label for={{attr.name}} class="is-label">
-            {{attr.options.label}}
-          </label>
-          {{#if attr.options.subText}}
-            <p class="sub-text">{{attr.options.subText}}</p>
+      {{#each @form.formFields as |field|}}
+        {{#if (and (not-eq field.name "encode_format") (not-eq field.name "decode_formats"))}}
+          {{#if (eq field.name "alphabet")}}
+            <TransformAdvancedTemplating @model={{@form}} />
+            <div class="form-section">
+              <SearchSelect
+                @id="alphabet"
+                @label={{field.options.label}}
+                @labelClass="title is-4"
+                @subText={{field.options.subText}}
+                @options={{this.alphabets}}
+                @inputValue={{@form.data.alphabet}}
+                @onChange={{fn (mut @form.alphabet)}}
+                @fallbackComponent="string-list"
+                @selectLimit={{1}}
+                data-test-field
+              />
+            </div>
+          {{else}}
+            <FormField
+              data-test-field
+              @attr={{field}}
+              @model={{@form}}
+              @mode={{@mode}}
+              @modelValidations={{this.modelValidations}}
+            />
           {{/if}}
-          <input
-            data-test-input={{attr.name}}
-            id={{attr.name}}
-            autocomplete="off"
-            spellcheck="false"
-            value={{or (get @model attr.name) attr.options.defaultValue}}
-            readonly={{true}}
-            class="field input is-readOnly"
-            type={{attr.type}}
-          />
-        {{else}}
-          {{#if (eq attr.name "alphabet")}}
-            <TransformAdvancedTemplating @model={{@model}} />
-          {{/if}}
-          <FormField data-test-field @attr={{attr}} @model={{@model}} />
         {{/if}}
       {{/each}}
     </div>
@@ -64,7 +80,7 @@
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.list-root"
-            @model={{@model.backend}}
+            @model={{@form.data.backend}}
             @query={{hash tab="template"}}
           />
         {{else}}
@@ -72,8 +88,7 @@
             @text="Cancel"
             @color="secondary"
             @route="vault.cluster.secrets.backend.show"
-            @models={{array @model.backend (concat "template/" @model.id)}}
-            @query={{hash tab="template"}}
+            @models={{array @form.data.backend (concat "template/" @form.data.name)}}
           />
         {{/if}}
       </Hds::ButtonSet>
@@ -81,13 +96,13 @@
   </form>
 {{else}}
   <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-    {{#each @model.readAttrs as |attr|}}
-      {{#let (capitalize (or attr.options.label (humanize (dasherize attr.name)))) as |label|}}
-        {{#if (eq attr.name "decodeFormats")}}
-          {{#if (not (is-empty-value @model.decodeFormats))}}
+    {{#each @form.formFields as |field|}}
+      {{#let (capitalize (or field.options.label (humanize (dasherize field.name)))) as |label|}}
+        {{#if (eq field.name "decode_formats")}}
+          {{#if (not (is-empty-value (get @form.data field.name)))}}
             <InfoTableRow @label={{label}}>
               <div>
-                {{#each-in @model.decodeFormats as |key value|}}
+                {{#each-in (get @form.data field.name) as |key value|}}
                   <div class="transform-decode-formats">
                     <p class="is-label has-text-grey-light">{{key}}</p>
                     <p>{{value}}</p>
@@ -99,8 +114,8 @@
         {{else}}
           <InfoTableRow
             @label={{label}}
-            @value={{get @model attr.name}}
-            class={{if (eq attr.name "pattern") "transform-pattern-text"}}
+            @value={{get @form.data field.name}}
+            class={{if (eq field.name "pattern") "transform-pattern-text"}}
           />
         {{/if}}
       {{/let}}
diff --git a/ui/app/components/transform-template-edit.js b/ui/app/components/transform-template-edit.js
index 041450650e..57bc1fa98c 100644
--- a/ui/app/components/transform-template-edit.js
+++ b/ui/app/components/transform-template-edit.js
@@ -1,5 +1,5 @@
 /**
- * Copyright IBM Corp. 2016, 2025
+ * Copyright IBM Corp. 2016, 2026
  * SPDX-License-Identifier: BUSL-1.1
  */
 
@@ -7,7 +7,7 @@ import Component from '@glimmer/component';
 import { tracked } from '@glimmer/tracking';
 import { action } from '@ember/object';
 import { service } from '@ember/service';
-import errorMessage from 'vault/utils/error-message';
+import { SecretsApiTransformListAlphabetsListEnum } from '@hashicorp/vault-client-typescript';
 
 /**
  * @module TransformTemplateEdit
@@ -15,21 +15,42 @@ import errorMessage from 'vault/utils/error-message';
  *
  * @example
  * ```js
- *   <TransformTemplateEdit }} />
+ *   <TransformTemplateEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />
  * ```
- * @param {object} model - This is the transform template model.
+ * @param {object} form - TemplateForm instance with data and formFields.
+ * @param {object} capabilities - Object with canDelete, canUpdate, canRead capabilities.
  * @param {string} mode - Is either show, create or edit.
  */
 
 export default class TransformTemplateEditComponent extends Component {
   @service flashMessages;
   @service router;
+  @service api;
 
   @tracked errorMessage = '';
+  @tracked modelValidations;
+  @tracked alphabets = [];
+
+  constructor() {
+    super(...arguments);
+    this.fetchAlphabets();
+  }
+
+  async fetchAlphabets() {
+    try {
+      const resp = await this.api.secrets.transformListAlphabets(
+        this.args.form.data.backend,
+        SecretsApiTransformListAlphabetsListEnum.TRUE
+      );
+      this.alphabets = (resp.keys ?? []).map((key) => ({ id: key }));
+    } catch {
+      // swallow errors, SearchSelect will fall back to string-list
+    }
+  }
 
   get breadcrumbs() {
     // ideally this is created on the controller in the parent route but this is a generic route and adding breadcrumbs to the controller requires a larger refactor.
-    const { backend } = this.args.model;
+    const backend = this.args.form?.data?.backend;
     return [
       {
         label: backend,
@@ -54,47 +75,58 @@ export default class TransformTemplateEditComponent extends Component {
   get subtitle() {
     if (this.args.mode === 'create' || this.args.mode === 'edit') return '';
 
-    return this.args?.model?.id;
+    return this.args.form?.data?.name;
   }
 
   transition(route = 'show') {
     this.errorMessage = '';
-    const { backend, id } = this.args.model;
+    this.modelValidations = null;
+    const { backend, name } = this.args.form.data;
     if (route === 'list') {
       this.router.transitionTo('vault.cluster.secrets.backend.list-root', backend, {
         queryParams: { tab: 'template' },
       });
       return;
     } else {
-      this.router.transitionTo('vault.cluster.secrets.backend.show', `template/${id}`);
+      this.router.transitionTo('vault.cluster.secrets.backend.show', `template/${name}`);
     }
   }
 
   @action async createOrUpdate(event) {
     event.preventDefault();
 
-    if (!this.args.model.hasDirtyAttributes) {
-      this.flashMessages.info('No changes detected.');
-      this.transition();
-      return;
-    }
+    const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+    this.modelValidations = isValid ? null : state;
+    this.errorMessage = invalidFormMessage;
+    if (!isValid) return;
+
+    const { name, pattern, alphabet, encode_format, decode_formats, backend } = data;
 
     try {
-      await this.args.model.save();
+      await this.api.secrets.transformWriteTemplate(name, backend, {
+        type: 'regex',
+        pattern,
+        alphabet: Array.isArray(alphabet) ? alphabet[0] : alphabet,
+        encode_format,
+        decode_formats,
+      });
       this.flashMessages.success('Transform template saved.');
       this.transition();
     } catch (e) {
-      this.errorMessage = errorMessage(e);
+      const { message } = await this.api.parseError(e);
+      this.errorMessage = message;
     }
   }
 
   @action async onDelete() {
+    const { name, backend } = this.args.form.data;
     try {
-      await this.args.model.destroyRecord();
+      await this.api.secrets.transformDeleteTemplate(name, backend);
       this.flashMessages.success('Transform template deleted.');
       this.transition('list');
     } catch (e) {
-      this.errorMessage = errorMessage(e);
+      const { message } = await this.api.parseError(e);
+      this.flashMessages.danger(message);
     }
   }
 }
diff --git a/ui/app/components/transformation-edit.hbs b/ui/app/components/transformation-edit.hbs
index a0ddefd6c5..0c34b03853 100644
--- a/ui/app/components/transformation-edit.hbs
+++ b/ui/app/components/transformation-edit.hbs
@@ -1,25 +1,19 @@
 {{!
-Copyright IBM Corp. 2016, 2025
-SPDX-License-Identifier: BUSL-1.1
+  Copyright IBM Corp. 2016, 2026
+  SPDX-License-Identifier: BUSL-1.1
 }}
 
 <Page::Header @title={{this.title}} @subtitle={{this.subtitle}}>
   <:breadcrumbs>
-    <KeyValueHeader
-      @baseKey={{this.model}}
-      @path="vault.cluster.secrets.backend.list"
-      @mode={{this.mode}}
-      @root={{this.root}}
-      @showCurrent={{true}}
-    />
+    <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
 </Page::Header>
 
-{{#if (eq this.mode "show")}}
+{{#if (eq @mode "show")}}
   <Toolbar>
     <ToolbarActions>
-      {{#if this.model.updatePath.canDelete}}
-        {{#if (gt this.model.allowed_roles.length 0)}}
+      {{#if @capabilities.canDelete}}
+        {{#if (gt @form.data.allowed_roles.length 0)}}
           <Hds::TooltipButton @text="This transformation is in use by a role and can't be deleted.">
             <Hds::Button
               @text="Delete transformation"
@@ -34,22 +28,29 @@ SPDX-License-Identifier: BUSL-1.1
             @text="Delete transformation"
             @color="secondary"
             class="toolbar-button"
-            {{on "click" (action (mut this.isDeleteModalActive) true)}}
+            data-test-delete
+            {{on "click" (fn (mut this.isDeleteModalActive) true)}}
           />
         {{/if}}
         <div class="toolbar-separator"></div>
       {{/if}}
-      {{#if this.model.updatePath.canUpdate}}
-        {{#if (gt this.model.allowed_roles.length 0)}}
+      {{#if @capabilities.canUpdate}}
+        {{#if (gt @form.data.allowed_roles.length 0)}}
           <Hds::Button
             @text="Edit transformation"
             @color="secondary"
             class="toolbar-button"
-            {{on "click" (fn (mut this.isEditModalActive) true)}}
             data-test-edit-link
+            {{on "click" (fn (mut this.isEditModalActive) true)}}
           />
         {{else}}
-          <ToolbarSecretLink @secret={{this.model.id}} @mode="edit" data-test-edit-link={{true}} @replace={{true}}>
+          <ToolbarSecretLink
+            @secret={{@form.data.name}}
+            @backend={{@form.data.backend}}
+            @mode="edit"
+            @replace={{true}}
+            data-test-edit-link
+          >
             Edit transformation
           </ToolbarSecretLink>
         {{/if}}
@@ -58,29 +59,162 @@ SPDX-License-Identifier: BUSL-1.1
   </Toolbar>
 {{/if}}
 
-{{#if (eq this.mode "edit")}}
-  <TransformEditForm @mode={{this.mode}} @model={{this.model}} />
-{{else if (eq this.mode "create")}}
-  <TransformCreateForm @mode={{this.mode}} @model={{this.model}} />
+{{#if (or (eq @mode "edit") (eq @mode "create"))}}
+  <form {{on "submit" this.createOrUpdate}}>
+    <div class="box is-sideless is-fullwidth is-marginless">
+      <NamespaceReminder @mode={{@mode}} @noun="transformation" />
+      <MessageError @errorMessage={{this.errorMessage}} />
+      {{#each this.visibleFormFields as |field|}}
+        {{#if (eq field.name "template")}}
+          <div class="form-section">
+            <SearchSelect
+              @id="template"
+              @label={{field.options.label}}
+              @labelClass="title is-4"
+              @subText={{field.options.subText}}
+              @options={{this.templates}}
+              @inputValue={{@form.data.template}}
+              @onChange={{fn (mut @form.template)}}
+              @selectLimit={{1}}
+              @disallowNewItems={{true}}
+              @fallbackComponent="string-list"
+              data-test-field
+            />
+            {{#if (and this.modelValidations.template (not this.modelValidations.template.isValid))}}
+              <Hds::Form::Error data-test-validation-error="template">
+                {{this.modelValidations.template.errors}}
+              </Hds::Form::Error>
+            {{/if}}
+          </div>
+        {{else if (eq field.name "allowed_roles")}}
+          <div class="form-section">
+            <SearchSelect
+              @id="allowed_roles"
+              @label={{field.options.label}}
+              @labelClass="title is-4"
+              @subText={{field.options.subText}}
+              @options={{this.roles}}
+              @inputValue={{@form.data.allowed_roles}}
+              @onChange={{fn (mut @form.allowed_roles)}}
+              @fallbackComponent="string-list"
+              @wildcardLabel="role"
+              data-test-field
+            />
+          </div>
+        {{else}}
+          <FormField
+            data-test-field
+            @attr={{field}}
+            @model={{@form}}
+            @mode={{@mode}}
+            @modelValidations={{this.modelValidations}}
+          />
+        {{/if}}
+      {{/each}}
+    </div>
+    <div class="field is-grouped-split box is-fullwidth is-bottomless">
+      <Hds::ButtonSet>
+        <Hds::Button @text={{if (eq @mode "create") "Create transformation" "Save"}} type="submit" data-test-submit />
+        {{#if (eq @mode "create")}}
+          <Hds::Button
+            @text="Cancel"
+            @color="secondary"
+            @route="vault.cluster.secrets.backend.list-root"
+            @model={{@form.data.backend}}
+            @query={{hash tab="transformations"}}
+          />
+        {{else}}
+          <Hds::Button
+            @text="Cancel"
+            @color="secondary"
+            @route="vault.cluster.secrets.backend.show"
+            @models={{array @form.data.backend @form.data.name}}
+          />
+        {{/if}}
+      </Hds::ButtonSet>
+    </div>
+  </form>
 {{else}}
-  <TransformShowTransformation @model={{this.model}} />
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    {{#each this.visibleFormFields as |field|}}
+      {{#if (eq field.name "allowed_roles")}}
+        <InfoTableRow
+          @label={{capitalize (or field.options.label (humanize (dasherize field.name)))}}
+          @value={{get @form.data field.name}}
+          @type="array"
+          @isLink={{true}}
+          @queryParam="role"
+          @wildcardLabel="role"
+        />
+      {{else}}
+        <InfoTableRow
+          @label={{capitalize (or field.options.label (humanize (dasherize field.name)))}}
+          @value={{get @form.data field.name}}
+          @type={{field.type}}
+        />
+      {{/if}}
+    {{/each}}
+  </div>
+
+  <div class="has-top-margin-xl has-bottom-margin-s">
+    <label class="title has-border-bottom-light page-header">CLI Commands</label>
+    <div class="has-bottom-margin-s">
+      <h2 class="title is-6">Encode</h2>
+      <div class="has-bottom-margin-s">
+        <span class="helper-text has-text-grey">
+          To test the encoding capability of your transformation, use the following command. It will output an encoded_value.
+        </span>
+      </div>
+      <div class="copy-text level">
+        {{#let (concat "vault write " @form.data.backend "/encode/" this.cliCommand) as |copyEncodeCommand|}}
+          <Hds::CodeBlock
+            @language="bash"
+            @hasLineNumbers={{false}}
+            @hasLineWrapping={{true}}
+            @hasCopyButton={{true}}
+            @value={{copyEncodeCommand}}
+          />
+        {{/let}}
+      </div>
+    </div>
+    <div>
+      <h2 class="title is-6">Decode</h2>
+      <div class="has-bottom-margin-s">
+        <span class="helper-text has-text-grey">
+          To test decoding capability of your transformation, use the encoded_value in the following command. It should
+          return your original input.
+        </span>
+      </div>
+      <div class="copy-text level">
+        {{#let (concat "vault write " @form.data.backend "/decode/" this.cliCommand) as |copyDecodeCommand|}}
+          <Hds::CodeBlock
+            @language="bash"
+            @hasLineNumbers={{false}}
+            @hasLineWrapping={{true}}
+            @hasCopyButton={{true}}
+            @value={{copyDecodeCommand}}
+          />
+        {{/let}}
+      </div>
+    </div>
+  </div>
 {{/if}}
 
 <ConfirmationModal
   @title="Delete transformation"
-  @onClose={{action (mut this.isDeleteModalActive) false}}
+  @onClose={{fn (mut this.isDeleteModalActive) false}}
   @isActive={{this.isDeleteModalActive}}
-  @confirmText={{this.model.name}}
+  @confirmText={{@form.data.name}}
   @toConfirmMsg="deleting the transformation."
-  @onConfirm={{action "delete"}}
+  @onConfirm={{this.onDelete}}
 >
   <p class="has-bottom-margin-m">
     Deleting the
-    <strong>{{this.model.name}}</strong>
+    <strong>{{@form.data.name}}</strong>
     transformation means that the underlying keys are lost and the data encoded by the transformation are unrecoverable and
     cannot be decoded.
   </p>
-  <MessageError @model={{this.model}} @errorMessage={{this.error}} />
+  <MessageError @errorMessage={{this.errorMessage}} />
 </ConfirmationModal>
 
 {{#if this.isEditModalActive}}
@@ -96,12 +230,7 @@ SPDX-License-Identifier: BUSL-1.1
     </M.Body>
     <M.Footer as |F|>
       <Hds::ButtonSet>
-        <Hds::Button
-          @text="Confirm"
-          @route="vault.cluster.secrets.backend.edit"
-          @model={{this.model.id}}
-          data-test-edit-confirm-button
-        />
+        <Hds::Button @text="Confirm" data-test-edit-confirm-button {{on "click" this.confirmEdit}} />
         <Hds::Button @color="secondary" @text="Cancel" {{on "click" F.close}} />
       </Hds::ButtonSet>
     </M.Footer>
diff --git a/ui/app/components/transformation-edit.js b/ui/app/components/transformation-edit.js
index 1b792574ad..44fd2da670 100644
--- a/ui/app/components/transformation-edit.js
+++ b/ui/app/components/transformation-edit.js
@@ -3,147 +3,301 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import TransformBase, { addToList, removeFromList } from './transform-edit-base';
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
+import { action } from '@ember/object';
 import { service } from '@ember/service';
-import { computed } from '@ember/object';
+import {
+  SecretsApiTransformListRolesListEnum,
+  SecretsApiTransformListTemplatesListEnum,
+} from '@hashicorp/vault-client-typescript';
 
-export default TransformBase.extend({
-  flashMessages: service(),
-  store: service(),
-  initialRoles: null,
+/**
+ * @module TransformationEdit
+ * `TransformationEdit` is a component that allows you to create/edit or view a transformation.
+ *
+ * @example
+ * ```js
+ *   <TransformationEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />
+ * ```
+ * @param {object} form - TransformationForm instance with data and formFields.
+ * @param {object} capabilities - Object with canDelete, canUpdate, canRead capabilities.
+ * @param {string} mode - Is either show, create or edit.
+ */
 
-  init() {
-    this._super(...arguments);
-    if (!this.model) return;
-    this.set('initialRoles', this.model.allowed_roles);
-  },
+export default class TransformationEditComponent extends Component {
+  @service flashMessages;
+  @service router;
+  @service api;
 
-  title: computed('mode', function () {
-    if (this.mode === 'create') {
-      return 'Create Transformation';
-    } else if (this.mode === 'edit') {
-      return 'Edit Transformation';
+  @tracked errorMessage = '';
+  @tracked modelValidations;
+  @tracked roles = [];
+  @tracked templates = [];
+  @tracked isDeleteModalActive = false;
+  @tracked isEditModalActive = false;
+
+  // Non-tracked: used only to diff added/removed roles after save
+  initialAllowedRoles = [];
+
+  constructor() {
+    super(...arguments);
+    this.initialAllowedRoles = [...(this.args.form.data.allowed_roles ?? [])];
+    this.fetchRoles();
+    this.fetchTemplates();
+  }
+
+  get visibleFormFields() {
+    const type = this.args.form.data.type;
+    return this.args.form.formFields.filter((field) => {
+      switch (field.name) {
+        case 'tweak_source':
+          return type === 'fpe';
+        case 'masking_character':
+          return type === 'masking';
+        case 'template':
+          return type !== 'tokenization';
+        case 'mapping_mode':
+        case 'convergent':
+        case 'max_ttl':
+        case 'stores':
+          return type === 'tokenization';
+        default:
+          return true;
+      }
+    });
+  }
+
+  async fetchRoles() {
+    try {
+      const resp = await this.api.secrets.transformListRoles(
+        this.args.form.data.backend,
+        SecretsApiTransformListRolesListEnum.TRUE
+      );
+      this.roles = (resp.keys ?? []).map((key) => ({ id: key }));
+    } catch {
+      // swallow errors, SearchSelect will fall back to string-list
+    }
+  }
+
+  async fetchTemplates() {
+    try {
+      const resp = await this.api.secrets.transformListTemplates(
+        this.args.form.data.backend,
+        SecretsApiTransformListTemplatesListEnum.TRUE
+      );
+      this.templates = (resp.keys ?? []).map((key) => ({ id: key }));
+    } catch {
+      // swallow errors, SearchSelect will fall back to string-list
+    }
+  }
+
+  get breadcrumbs() {
+    const backend = this.args.form?.data?.backend;
+    const name = this.args.form?.data?.name;
+    return [
+      { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
+      { label: 'Secrets engines', route: 'vault.cluster.secrets.backends' },
+      {
+        label: backend,
+        route: 'vault.cluster.secrets.backend.list-root',
+        model: backend,
+      },
+      { label: this.title },
+      { label: this.args.mode === 'create' ? 'transformation' : name },
+    ];
+  }
+
+  get title() {
+    if (this.args.mode === 'create') {
+      return 'Create transformation';
+    } else if (this.args.mode === 'edit') {
+      return 'Edit transformation';
     } else {
       return 'Transformation';
     }
-  }),
+  }
 
-  subtitle: computed('mode', 'model.id', function () {
-    if (this.mode === 'create' || this.mode === 'edit') return;
-
-    return this.model.id;
-  }),
-
-  async updateOrCreateRole(role, transformationId, backend) {
-    const roleRecord = await this.store
-      .queryRecord('transform/role', {
-        backend,
-        id: role.id,
-      })
-      .catch((e) => {
-        if (e.httpStatus !== 403 && role.action === 'ADD') {
-          // If role doesn't yet exist, create it with this transformation attached
-          var newRole = this.store.createRecord('transform/role', {
-            id: role.id,
-            name: role.id,
-            transformations: [transformationId],
-            backend,
-          });
-          return newRole.save().catch((e) => {
-            return {
-              errorStatus: e.httpStatus,
-              ...role,
-              action: 'CREATE',
-            };
-          });
-        }
-
-        return {
-          ...role,
-          errorStatus: e.httpStatus,
-        };
-      });
-    // if an error occurs while querying the role, exit function and return the error
-    if (roleRecord.errorStatus) return roleRecord;
-    // otherwise update the role with the transformation and save
-    let transformations = roleRecord.transformations;
-    if (role.action === 'ADD') {
-      transformations = addToList(transformations, transformationId);
-    } else if (role.action === 'REMOVE') {
-      transformations = removeFromList(transformations, transformationId);
+  get subtitle() {
+    if (this.args.mode === 'show') {
+      return this.args.form?.data?.name;
     }
-    roleRecord.setProperties({
-      backend,
-      transformations,
-    });
-    return roleRecord.save().catch((e) => {
-      return {
-        errorStatus: e.httpStatus,
-        ...role,
-      };
-    });
-  },
+    return '';
+  }
 
-  handleUpdateRoles(updateRoles, transformationId) {
-    if (!updateRoles) return;
-    const { backend } = this.model;
-    updateRoles.forEach(async (record) => {
-      // For each role that needs to be updated, update the role with the transformation.
-      const updateOrCreateResponse = await this.updateOrCreateRole(record, transformationId, backend);
-      // If an error was returned, check error type and show a message.
-      const errorStatus = updateOrCreateResponse?.errorStatus;
-      let message;
-      if (errorStatus == 403) {
-        message = `The edits to this transformation were successful, but transformations for the role ${record.id} were not edited due to a lack of permissions.`;
-      } else if (errorStatus) {
-        message = `You've edited the allowed_roles for this transformation. However, there was a problem updating the role: ${record.id}.`;
+  get cliCommand() {
+    const { type, allowed_roles, tweak_source, name } = this.args.form?.data ?? {};
+    if (!name) return '';
+
+    const rolesArr = allowed_roles ?? [];
+    const wildCardRole = rolesArr.find((role) => role.includes('*'));
+    let role = '<choose a role>';
+    if (rolesArr.length === 1 && !wildCardRole) {
+      role = rolesArr[0];
+    }
+
+    let tweak = '';
+    if (type === 'fpe' && tweak_source === 'supplied') {
+      tweak = 'tweak=<enter your tweak>';
+    }
+
+    return `${role} value=<enter your value here> ${tweak} transformation=${name}`;
+  }
+
+  isWildcard(roleName) {
+    return typeof roleName === 'string' && roleName.includes('*');
+  }
+
+  async syncRoleForTransformation(roleName, transformationName, backend, syncAction) {
+    if (this.isWildcard(roleName)) return;
+
+    let currentTransformations;
+    try {
+      const resp = await this.api.secrets.transformReadRole(roleName, backend);
+      const data = resp?.data || resp || {};
+      currentTransformations = data.transformations || [];
+    } catch (readErr) {
+      const { status } = await this.api.parseError(readErr);
+      if (status === 403) {
+        this.flashMessages.info(
+          `The transformation was saved, but the role "${roleName}" could not be updated due to a lack of permissions.`,
+          { sticky: true, priority: 300 }
+        );
+        return;
       }
-      this.flashMessages.info(message, {
-        sticky: true,
-        priority: 300,
-      });
-    });
-  },
-
-  isWildcard(role) {
-    if (typeof role === 'string') {
-      return role.indexOf('*') >= 0;
+      // Role not found (404) or other non-403 error
+      if (syncAction === 'ADD') {
+        // Auto-create the role with this transformation
+        try {
+          await this.api.secrets.transformWriteRole(roleName, backend, {
+            transformations: [transformationName],
+          });
+        } catch (createErr) {
+          const { message } = await this.api.parseError(createErr);
+          this.flashMessages.info(
+            `The transformation was saved, but the role "${roleName}" could not be created: ${message}`,
+            { sticky: true, priority: 300 }
+          );
+        }
+      }
+      // For REMOVE: role doesn't exist, nothing to do
+      return;
     }
-    if (role && role.id) {
-      return role.id.indexOf('*') >= 0;
+
+    let updatedTransformations;
+    if (syncAction === 'ADD') {
+      updatedTransformations = currentTransformations.includes(transformationName)
+        ? currentTransformations
+        : [...currentTransformations, transformationName];
+    } else {
+      updatedTransformations = currentTransformations.filter((t) => t !== transformationName);
     }
-    return false;
-  },
 
-  actions: {
-    createOrUpdate(type, event) {
-      event.preventDefault();
-
-      this.applyChanges('save', () => {
-        const transformationId = this.model.id || this.model.name;
-        const newModelRoles = this.model.allowed_roles || [];
-        const initialRoles = this.initialRoles || [];
-
-        const updateRoles = [...newModelRoles, ...initialRoles]
-          .filter((r) => !this.isWildcard(r)) // CBS TODO: expand wildcards into included roles instead
-          .map((role) => {
-            if (initialRoles.indexOf(role) < 0) {
-              return {
-                id: role,
-                action: 'ADD',
-              };
-            }
-            if (newModelRoles.indexOf(role) < 0) {
-              return {
-                id: role,
-                action: 'REMOVE',
-              };
-            }
-            return null;
-          })
-          .filter((r) => !!r);
-        this.handleUpdateRoles(updateRoles, transformationId);
+    try {
+      await this.api.secrets.transformWriteRole(roleName, backend, {
+        transformations: updatedTransformations,
       });
-    },
-  },
-});
+    } catch (writeErr) {
+      const { status, message } = await this.api.parseError(writeErr);
+      const detail = status === 403 ? `due to a lack of permissions` : message;
+      this.flashMessages.info(
+        `The transformation was saved, but the role "${roleName}" could not be updated: ${detail}`,
+        { sticky: true, priority: 300 }
+      );
+    }
+  }
+
+  // Diffs current vs initial allowed_roles and syncs each changed role in parallel.
+  async handleRoleSync(transformationName, backend) {
+    const currentRoles = this.args.form.data.allowed_roles ?? [];
+    const initialRoles = this.initialAllowedRoles;
+
+    const addedRoles = currentRoles.filter((r) => !this.isWildcard(r) && !initialRoles.includes(r));
+    const removedRoles = initialRoles.filter((r) => !this.isWildcard(r) && !currentRoles.includes(r));
+
+    await Promise.all([
+      ...addedRoles.map((r) => this.syncRoleForTransformation(r, transformationName, backend, 'ADD')),
+      ...removedRoles.map((r) => this.syncRoleForTransformation(r, transformationName, backend, 'REMOVE')),
+    ]);
+  }
+
+  transition(route = 'show') {
+    this.errorMessage = '';
+    this.modelValidations = null;
+    const { name } = this.args.form.data;
+    if (route === 'list') {
+      const { backend } = this.args.form.data;
+      this.router.transitionTo('vault.cluster.secrets.backend.list-root', backend, {
+        queryParams: { tab: 'transformations' },
+      });
+    } else if (route === 'edit') {
+      this.router.transitionTo('vault.cluster.secrets.backend.edit', name);
+    } else {
+      this.router.transitionTo('vault.cluster.secrets.backend.show', name);
+    }
+  }
+
+  @action async createOrUpdate(event) {
+    event.preventDefault();
+
+    const { isValid, state, invalidFormMessage, data } = this.args.form.toJSON();
+    this.modelValidations = isValid ? null : state;
+    this.errorMessage = invalidFormMessage;
+    if (!isValid) return;
+
+    const {
+      name,
+      backend,
+      type,
+      tweak_source,
+      masking_character,
+      template,
+      allowed_roles,
+      deletion_allowed,
+      mapping_mode,
+      convergent,
+      max_ttl,
+      stores,
+    } = data;
+
+    const templateValue = Array.isArray(template) ? template[0] : template;
+
+    try {
+      await this.api.secrets.transformWriteTransformation(name, backend, {
+        type,
+        tweak_source,
+        masking_character,
+        template: templateValue,
+        allowed_roles,
+        deletion_allowed,
+        mapping_mode,
+        convergent,
+        max_ttl,
+        stores,
+      });
+      this.flashMessages.success('Transformation saved.');
+      await this.handleRoleSync(name, backend);
+      this.transition();
+    } catch (e) {
+      const { message } = await this.api.parseError(e);
+      this.errorMessage = message;
+    }
+  }
+
+  @action async onDelete() {
+    const { name, backend } = this.args.form.data;
+    try {
+      await this.api.secrets.transformDeleteTransformation(name, backend);
+      this.flashMessages.success('Transformation deleted.');
+      this.transition('list');
+    } catch (e) {
+      const { message } = await this.api.parseError(e);
+      this.flashMessages.danger(message);
+    }
+  }
+
+  @action confirmEdit() {
+    this.isEditModalActive = false;
+    this.transition('edit');
+  }
+}
diff --git a/ui/app/components/transit-edit.hbs b/ui/app/components/transit-edit.hbs
index 0aa4491f57..8b063b8c7c 100644
--- a/ui/app/components/transit-edit.hbs
+++ b/ui/app/components/transit-edit.hbs
@@ -42,5 +42,7 @@
     @backend={{this.backend}}
   />
 {{else}}
-  <EmptyState @title="No Transit mode selected" />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No Transit mode selected" @titleTag="h2" data-test-empty-state-title />
+  </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/components/transit-edit.js b/ui/app/components/transit-edit.js
index 89549f9fb6..d81b3b8044 100644
--- a/ui/app/components/transit-edit.js
+++ b/ui/app/components/transit-edit.js
@@ -35,6 +35,11 @@ export default Component.extend(FocusOnInsertMixin, {
 
   get breadcrumbs() {
     const baseCrumbs = [
+      {
+        label: 'Vault',
+        icon: 'vault',
+        route: 'vault.cluster.dashboard',
+      },
       {
         label: 'Secrets',
         route: 'vault.cluster.secrets',
diff --git a/ui/app/components/transit-form-edit.hbs b/ui/app/components/transit-form-edit.hbs
index 71a42382c4..0b3f816ae9 100644
--- a/ui/app/components/transit-form-edit.hbs
+++ b/ui/app/components/transit-form-edit.hbs
@@ -42,7 +42,7 @@
             onchange={{action (mut @key.minDecryptionVersion) value="target.value"}}
           >
             {{#each @key.keyVersions as |version|}}
-              <option selected={{eq @key.minDecryptionVersion version}} value={{version}}>
+              <option selected={{loose-equal @key.minDecryptionVersion version}} value={{version}}>
                 <code>{{version}}</code>
               </option>
             {{/each}}
@@ -65,13 +65,13 @@
             id="key-min-encrypt-version"
             onchange={{action (mut @key.minEncryptionVersion) value="target.value"}}
           >
-            <option selected={{eq @key.minEncryptionVersion 0}} value={{0}}>
+            <option selected={{loose-equal @key.minEncryptionVersion 0}} value={{0}}>
               <code>Latest</code>
               (currently
               {{@key.latestVersion}})
             </option>
             {{#each @key.encryptionKeyVersions as |version|}}
-              <option selected={{eq @key.minEncryptionVersion version}} value={{version}}>
+              <option selected={{loose-equal @key.minEncryptionVersion version}} value={{version}}>
                 <code>{{version}}</code>
               </option>
             {{/each}}
diff --git a/ui/app/components/wizard/acl-policies/acl-wizard.hbs b/ui/app/components/wizard/acl-policies/acl-wizard.hbs
index e57a92de97..86e0235727 100644
--- a/ui/app/components/wizard/acl-policies/acl-wizard.hbs
+++ b/ui/app/components/wizard/acl-policies/acl-wizard.hbs
@@ -26,7 +26,7 @@
         @iconPosition="trailing"
         @text="View documentation"
         @href={{doc-link "/vault/docs/concepts/policies"}}
-        class="has-left-margin-m"
+        class="margin-left-auto"
       />
     </Hds::ButtonSet>
   </:introActions>
diff --git a/ui/app/components/wizard/acl-policies/acl-wizard.ts b/ui/app/components/wizard/acl-policies/acl-wizard.ts
index fc10e8b194..59a9574705 100644
--- a/ui/app/components/wizard/acl-policies/acl-wizard.ts
+++ b/ui/app/components/wizard/acl-policies/acl-wizard.ts
@@ -6,6 +6,7 @@
 import { service } from '@ember/service';
 import { action } from '@ember/object';
 import Component from '@glimmer/component';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 import type WizardService from 'vault/services/wizard';
 
@@ -14,12 +15,10 @@ interface Args {
   onRefresh: CallableFunction;
 }
 
-export const WIZARD_ID = 'acl-policy';
-
 export default class WizardNamespacesWizardComponent extends Component<Args> {
   @service declare readonly wizard: WizardService;
 
-  wizardId = WIZARD_ID;
+  wizardId = WIZARD_ID_MAP.aclPolicy;
 
   @action
   async onDismiss() {
diff --git a/ui/app/components/wizard/guided-start.hbs b/ui/app/components/wizard/guided-start.hbs
index bf1e10c0aa..e3ef27c476 100644
--- a/ui/app/components/wizard/guided-start.hbs
+++ b/ui/app/components/wizard/guided-start.hbs
@@ -5,7 +5,7 @@
 
 <Page::Header @title={{concat @title " Guided Start"}} />
 
-<div class="wizard guided-start" ...attributes>
+<div class="guided-start" ...attributes>
   <Hds::Stepper::Nav
     class="has-top-margin-xl has-bottom-margin-xl is-flex-column is-flex-grow-1"
     @isInteractive={{true}}
diff --git a/ui/app/components/wizard/index.hbs b/ui/app/components/wizard/index.hbs
index 6b29ecc539..50e6495832 100644
--- a/ui/app/components/wizard/index.hbs
+++ b/ui/app/components/wizard/index.hbs
@@ -5,7 +5,7 @@
 
 {{#if (and (has-block "intro") this.isIntroVisible)}}
   {{! pass @onDismiss on for modal closure via clicking outside modal @onClose}}
-  <Wizard::Intro @isModal={{@isModal}} @title={{@title}} @onDismiss={{@onDismiss}} data-test-intro>
+  <Wizard::Intro @isModal={{@isModal}} @title={{@title}} @onDismiss={{@onDismiss}} class="wizard intro" data-test-intro>
     <:body>
       {{yield to="intro"}}
     </:body>
@@ -23,6 +23,7 @@
     @updateWizardState={{@updateWizardState}}
     @onStepChange={{@onStepChange}}
     @onDismiss={{@onDismiss}}
+    class="wizard"
     data-test-guided-start
   >
     <:exit>
diff --git a/ui/app/components/wizard/index.ts b/ui/app/components/wizard/index.ts
index 11cb9f5c2d..31204eb680 100644
--- a/ui/app/components/wizard/index.ts
+++ b/ui/app/components/wizard/index.ts
@@ -5,13 +5,15 @@
 
 import { service } from '@ember/service';
 import Component from '@glimmer/component';
+
 import type WizardService from 'vault/services/wizard';
+import type { WizardId } from 'vault/app-types';
 
 interface Args {
   /**
    * The unique identifier for the wizard used for handling wizard dismissal and intro visibility state
    */
-  wizardId: string;
+  wizardId: WizardId;
   /**
    * Whether the intro page is in the default view or in modal view depending on how it is triggered
    */
diff --git a/ui/app/components/wizard/intro-content/feature.hbs b/ui/app/components/wizard/intro-content/feature.hbs
index 65cd338f9b..db2c7e637b 100644
--- a/ui/app/components/wizard/intro-content/feature.hbs
+++ b/ui/app/components/wizard/intro-content/feature.hbs
@@ -4,7 +4,7 @@
 }}
 
 <Hds::Layout::Flex class="has-bottom-margin-s">
-  <Hds::Icon @name={{@icon}} />
+  <Hds::Icon @name={{@icon}} @size="24" />
   <Hds::Text::Body @tag="p" class="has-left-margin-xs">
     {{yield}}
   </Hds::Text::Body>
diff --git a/ui/app/components/wizard/intro.hbs b/ui/app/components/wizard/intro.hbs
index 147fe911f2..a0b94664a5 100644
--- a/ui/app/components/wizard/intro.hbs
+++ b/ui/app/components/wizard/intro.hbs
@@ -3,10 +3,10 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 {{#if @isModal}}
-  <Hds::Modal id={{@title "-intro-modal"}} @size="large" @onClose={{@onDismiss}} class="wizard" ...attributes as |M|>
+  <Hds::Modal id={{@title "-intro-modal"}} @size="large" @onClose={{@onDismiss}} class="modal" ...attributes as |M|>
     <M.Header>Welcome to {{@title}} </M.Header>
     <M.Body>
-      <Hds::Layout::Flex @align="start">
+      <Hds::Layout::Flex @align="start" @gap="48">
         {{yield to="body"}}
       </Hds::Layout::Flex>
     </M.Body>
@@ -15,7 +15,7 @@
     </M.Footer>
   </Hds::Modal>
 {{else}}
-  <Hds::Card::Container @level="mid" @hasBorder={{true}} class="wizard intro has-padding-l" ...attributes>
+  <Hds::Card::Container @level="mid" @hasBorder={{true}} class="full" ...attributes>
     <Hds::Text::Display @tag="h1" @size="400" @weight="bold" class="has-bottom-margin-xs">
       Welcome to
       {{@title}}
diff --git a/ui/app/components/wizard/methods/methods-wizard.hbs b/ui/app/components/wizard/methods/methods-wizard.hbs
index e05d9c6fd6..a3ed2ae591 100644
--- a/ui/app/components/wizard/methods/methods-wizard.hbs
+++ b/ui/app/components/wizard/methods/methods-wizard.hbs
@@ -15,13 +15,18 @@
         @route="vault.cluster.settings.auth.enable"
         data-test-button="Enable a new method"
       />
-      <Hds::Button @color="secondary" @text="Skip" {{on "click" this.onDismiss}} data-test-button="Skip" />
+      <Hds::Button
+        @color="secondary"
+        @text={{if @isIntroModal "Close" "Skip"}}
+        {{on "click" this.onDismiss}}
+        data-test-button="Skip"
+      />
       <Hds::Link::Standalone
         @icon="docs-link"
         @iconPosition="trailing"
         @text="View documentation"
         @href={{doc-link "/vault/docs/auth"}}
-        class="has-left-margin-m"
+        class="margin-left-auto"
       />
     </Hds::ButtonSet>
   </:introActions>
diff --git a/ui/app/components/wizard/methods/methods-wizard.ts b/ui/app/components/wizard/methods/methods-wizard.ts
index 6f87f0ce53..ee9627e8b3 100644
--- a/ui/app/components/wizard/methods/methods-wizard.ts
+++ b/ui/app/components/wizard/methods/methods-wizard.ts
@@ -6,6 +6,7 @@
 import { service } from '@ember/service';
 import { action } from '@ember/object';
 import Component from '@glimmer/component';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 import type WizardService from 'vault/services/wizard';
 
@@ -14,11 +15,10 @@ interface Args {
   onRefresh: CallableFunction;
 }
 
-export const WIZARD_ID = 'auth-methods';
 export default class WizardMethodsWizardComponent extends Component<Args> {
   @service declare readonly wizard: WizardService;
 
-  wizardId = WIZARD_ID;
+  wizardId = WIZARD_ID_MAP.authMethods;
 
   @action
   async onDismiss() {
diff --git a/ui/app/components/wizard/namespaces/namespace-wizard.hbs b/ui/app/components/wizard/namespaces/namespace-wizard.hbs
index 52ea7bc2bc..8400e2af4c 100644
--- a/ui/app/components/wizard/namespaces/namespace-wizard.hbs
+++ b/ui/app/components/wizard/namespaces/namespace-wizard.hbs
@@ -37,7 +37,7 @@
         @iconPosition="trailing"
         @text="View documentation"
         @href={{doc-link "/vault/docs/enterprise/namespaces"}}
-        class="has-left-margin-m"
+        class="margin-left-auto"
       />
     </Hds::ButtonSet>
   </:introActions>
@@ -49,7 +49,7 @@
   </:exit>
   <:submit>
     {{#if (eq this.wizardState.securityPolicyChoice this.policy.FLEXIBLE)}}
-      <Hds::Button @text="Done" {{on "click" this.onDismiss}} data-test-button="Done" />
+      <Hds::Button @text="Done" {{on "click" this.onDone}} data-test-button="Done" />
     {{else if (eq this.wizardState.creationMethod this.methods.UI)}}
       <Hds::Button @text="Apply in UI" {{on "click" this.onSubmit}} data-test-button="Apply" />
     {{else}}
diff --git a/ui/app/components/wizard/namespaces/namespace-wizard.ts b/ui/app/components/wizard/namespaces/namespace-wizard.ts
index a3fb7ddb9d..1455966fa6 100644
--- a/ui/app/components/wizard/namespaces/namespace-wizard.ts
+++ b/ui/app/components/wizard/namespaces/namespace-wizard.ts
@@ -5,10 +5,10 @@
 
 import { service } from '@ember/service';
 import { action } from '@ember/object';
-import { tracked } from '@glimmer/tracking';
 import Component from '@glimmer/component';
 import { SecurityPolicy } from 'vault/components/wizard/namespaces/step-1';
-import { CreationMethod } from 'vault/components/wizard/namespaces/step-3';
+import { CreationMethod } from 'vault/utils/constants/snippet';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 import type ApiService from 'vault/services/api';
 import type Block from 'vault/components/wizard/namespaces/step-2';
@@ -16,8 +16,9 @@ import type FlashMessageService from 'vault/services/flash-messages';
 import type NamespaceService from 'vault/services/namespace';
 import type RouterService from '@ember/routing/router-service';
 import type WizardService from 'vault/services/wizard';
+import type { StepConfig } from 'vault/services/wizard';
 
-const DEFAULT_STEPS = [
+const DEFAULT_STEPS: StepConfig[] = [
   { title: 'Select setup', component: 'wizard/namespaces/step-1' },
   { title: 'Map out namespaces', component: 'wizard/namespaces/step-2' },
   { title: 'Apply changes', component: 'wizard/namespaces/step-3' },
@@ -26,6 +27,7 @@ const DEFAULT_STEPS = [
 interface Args {
   isIntroModal: boolean;
   onRefresh: CallableFunction;
+  onFlexiblePolicyComplete: CallableFunction;
 }
 
 interface WizardState {
@@ -36,7 +38,13 @@ interface WizardState {
   codeSnippet: string | null;
 }
 
-export const WIZARD_ID = 'namespace';
+const DEFAULT_WIZARD_STATE: WizardState = {
+  securityPolicyChoice: null,
+  namespacePaths: null,
+  namespaceBlocks: null,
+  creationMethod: null,
+  codeSnippet: null,
+};
 
 export default class WizardNamespacesWizardComponent extends Component<Args> {
   @service declare readonly api: ApiService;
@@ -45,20 +53,23 @@ export default class WizardNamespacesWizardComponent extends Component<Args> {
   @service declare readonly wizard: WizardService;
   @service declare namespace: NamespaceService;
 
-  @tracked currentStep = 0;
-  @tracked steps = DEFAULT_STEPS;
-  @tracked wizardState: WizardState = {
-    securityPolicyChoice: null,
-    namespacePaths: null,
-    namespaceBlocks: null,
-    creationMethod: null,
-    codeSnippet: null,
-  };
-
   methods = CreationMethod;
   policy = SecurityPolicy;
 
-  wizardId = WIZARD_ID;
+  wizardId = WIZARD_ID_MAP.namespace;
+
+  get currentStep() {
+    return this.wizard.getCurrentStep(this.wizardId);
+  }
+
+  get steps() {
+    const steps = this.wizard.getSteps(this.wizardId);
+    return steps.length > 0 ? steps : DEFAULT_STEPS;
+  }
+
+  get wizardState(): WizardState {
+    return { ...DEFAULT_WIZARD_STATE, ...this.wizard.getState<Partial<WizardState>>(this.wizardId) };
+  }
 
   // Whether the current step requirements have been met to proceed to the next step
   get canProceed() {
@@ -75,7 +86,7 @@ export default class WizardNamespacesWizardComponent extends Component<Args> {
   }
 
   get isFinalStep() {
-    return this.currentStep === this.steps.length - 1;
+    return this.wizard.isFinalStep(this.wizardId);
   }
 
   get shouldShowExitButton() {
@@ -91,18 +102,18 @@ export default class WizardNamespacesWizardComponent extends Component<Args> {
 
   updateSteps() {
     if (this.wizardState.securityPolicyChoice === SecurityPolicy.FLEXIBLE) {
-      this.steps = [
+      this.wizard.setSteps(this.wizardId, [
         { title: 'Select setup', component: 'wizard/namespaces/step-1' },
         { title: 'Apply changes', component: 'wizard/namespaces/step-3' },
-      ];
+      ]);
     } else {
-      this.steps = DEFAULT_STEPS;
+      this.wizard.setSteps(this.wizardId, DEFAULT_STEPS);
     }
   }
 
   @action
   onStepChange(step: number) {
-    this.currentStep = step;
+    this.wizard.setCurrentStep(this.wizardId, step);
     // if user policy selection changes which steps we show, update upon page navigation
     // instead of flashing the changes when toggling
     this.updateSteps();
@@ -110,10 +121,21 @@ export default class WizardNamespacesWizardComponent extends Component<Args> {
 
   @action
   updateWizardState(key: string, value: unknown) {
-    this.wizardState = {
-      ...this.wizardState,
-      [key]: value,
-    };
+    this.wizard.updateState(this.wizardId, key, value);
+  }
+
+  @action
+  async onDone() {
+    await this.onDismiss();
+    this.args.onFlexiblePolicyComplete();
+    this.flashMessages.success(`Your current setup is 1 namespace.`, { title: 'Guided start complete' });
+  }
+
+  @action
+  async onDismiss() {
+    this.wizard.dismiss(this.wizardId);
+    this.wizard.clearWizardState(this.wizardId);
+    await this.args.onRefresh();
   }
 
   @action
@@ -129,12 +151,6 @@ export default class WizardNamespacesWizardComponent extends Component<Args> {
     }
   }
 
-  @action
-  async onDismiss() {
-    this.wizard.dismiss(this.wizardId);
-    await this.args.onRefresh();
-  }
-
   @action
   onIntroChange(visible: boolean) {
     this.wizard.setIntroVisible(this.wizardId, visible);
@@ -155,7 +171,7 @@ export default class WizardNamespacesWizardComponent extends Component<Args> {
         await this.createNamespace(namespaceName, fullPath);
       }
 
-      this.flashMessages.success(`The namespaces have been successfully created.`);
+      this.flashMessages.success('Your new configuration has been applied.', { title: 'Namespaces created' });
     } catch (error) {
       const { message } = await this.api.parseError(error);
       this.flashMessages.danger(`Error creating namespaces: ${message}`);
diff --git a/ui/app/components/wizard/namespaces/step-2.ts b/ui/app/components/wizard/namespaces/step-2.ts
index 81599fba01..a9b0e002c3 100644
--- a/ui/app/components/wizard/namespaces/step-2.ts
+++ b/ui/app/components/wizard/namespaces/step-2.ts
@@ -8,6 +8,7 @@ import { tracked } from '@glimmer/tracking';
 import { action } from '@ember/object';
 import { service } from '@ember/service';
 import type NamespaceService from 'vault/services/namespace';
+import { isEmpty } from '@ember/utils';
 
 interface Project {
   name: string;
@@ -40,7 +41,8 @@ class Block {
   // briefly and then remains blank.
   get hasMultipleNodes() {
     const hasMultipleOrgs = this.hasMultipleItems(this.orgs);
-    const orgHasMultipleProjects = this.orgs.some((org) => this.hasMultipleItems(org.projects));
+    const filledOrgs = this.orgs.filter((org) => !isEmpty(org.name));
+    const orgHasMultipleProjects = filledOrgs.some((org) => this.hasMultipleItems(org.projects));
     return hasMultipleOrgs || orgHasMultipleProjects;
   }
 
@@ -110,7 +112,7 @@ export default class WizardNamespacesStepTemp extends Component<Args> {
   }
 
   checkForDuplicateGlobals() {
-    const globals = this.blocks.map((block) => block.global).filter((global) => global !== '');
+    const globals = this.blocks.map((block) => block.global).filter((global) => !isEmpty(global));
     const globalCounts = new Map();
 
     globals.forEach((global) => {
@@ -167,7 +169,9 @@ export default class WizardNamespacesStepTemp extends Component<Args> {
   updateOrgValue(block: Block, orgToUpdate: Org, event: Event) {
     const target = event.target as HTMLInputElement;
     const value = target.value.trim();
-    const isDuplicate = block.orgs.some((org) => org !== orgToUpdate && org.name === value);
+    const isDuplicate = isEmpty(value)
+      ? false
+      : block.orgs.some((org) => org !== orgToUpdate && org.name === value);
 
     const updatedOrgs = block.orgs.map((org) => {
       if (org === orgToUpdate) {
@@ -203,7 +207,9 @@ export default class WizardNamespacesStepTemp extends Component<Args> {
   updateProjectValue(block: Block, org: Org, projectToUpdate: Project, event: Event) {
     const target = event.target as HTMLInputElement;
     const value = target.value.trim();
-    const isDuplicate = org.projects.some((project) => project !== projectToUpdate && project.name === value);
+    const isDuplicate = isEmpty(value)
+      ? false
+      : org.projects.some((project) => project !== projectToUpdate && project.name === value);
 
     const updatedOrgs = block.orgs.map((currentOrg) => {
       if (currentOrg === org) {
@@ -263,25 +269,27 @@ export default class WizardNamespacesStepTemp extends Component<Args> {
   }
 
   get treeData() {
-    const parsed = this.blocks.map((block) => {
-      return {
-        name: block.global,
-        children: block.orgs
-          .filter((org) => org.name !== '')
-          .map((org) => {
-            return {
-              name: org.name,
-              children: org.projects
-                .filter((project) => project.name !== '')
-                .map((project) => {
-                  return {
-                    name: project.name,
-                  };
-                }),
-            };
-          }),
-      };
-    });
+    const parsed = this.blocks
+      .filter((block) => !isEmpty(block.global))
+      .map((block) => {
+        return {
+          name: block.global,
+          children: block.orgs
+            .filter((org) => !isEmpty(org.name))
+            .map((org) => {
+              return {
+                name: org.name,
+                children: org.projects
+                  .filter((project) => !isEmpty(project.name))
+                  .map((project) => {
+                    return {
+                      name: project.name,
+                    };
+                  }),
+              };
+            }),
+        };
+      });
 
     return parsed;
   }
@@ -289,15 +297,15 @@ export default class WizardNamespacesStepTemp extends Component<Args> {
   // The Carbon tree chart only supports displaying nodes with at least 1 "fork" i.e. at least 2 globals, 2 orgs or 2 projects
   get shouldShowTreeChart(): boolean {
     // Count total globals across blocks
-    const globalsCount = this.blocks.filter((block) => block.global !== '').length;
+    const filledBlocks = this.blocks.filter((block) => !isEmpty(block.global));
 
     // Check if there are multiple globals
-    if (globalsCount > 1) {
+    if (filledBlocks.length > 1) {
       return true;
     }
 
     // Check for multiple projects or orgs within a block
-    return this.blocks.some((block) => block.hasMultipleNodes);
+    return filledBlocks.some((block) => block.hasMultipleNodes);
   }
 
   // Store namespace paths to be used for code snippets in the format "global", "global/org", "global/org/project"
@@ -307,23 +315,23 @@ export default class WizardNamespacesStepTemp extends Component<Args> {
         const results: string[] = [];
 
         // Add global namespace if it exists
-        if (block.global !== '') {
+        if (!isEmpty(block.global)) {
           results.push(block.global);
         }
 
         block.orgs.forEach((org) => {
-          if (org.name !== '') {
+          if (!isEmpty(org.name)) {
             // Add global/org namespace
-            const globalOrg = [block.global, org.name].filter((value) => value !== '').join('/');
+            const globalOrg = [block.global, org.name].filter((value) => !isEmpty(value)).join('/');
             if (globalOrg && !results.includes(globalOrg)) {
               results.push(globalOrg);
             }
 
             org.projects.forEach((project) => {
-              if (project.name !== '') {
+              if (!isEmpty(project.name)) {
                 // Add global/org/project namespace
                 const fullNamespace = [block.global, org.name, project.name]
-                  .filter((value) => value !== '')
+                  .filter((value) => !isEmpty(value))
                   .join('/');
                 if (fullNamespace && !results.includes(fullNamespace)) {
                   results.push(fullNamespace);
@@ -335,6 +343,6 @@ export default class WizardNamespacesStepTemp extends Component<Args> {
         return results;
       })
       .flat()
-      .filter((namespace) => namespace !== '');
+      .filter((namespace) => !isEmpty(namespace));
   }
 }
diff --git a/ui/app/components/wizard/namespaces/step-3.ts b/ui/app/components/wizard/namespaces/step-3.ts
index c9a3f95851..e08ac4fcc1 100644
--- a/ui/app/components/wizard/namespaces/step-3.ts
+++ b/ui/app/components/wizard/namespaces/step-3.ts
@@ -5,10 +5,11 @@
 
 import Component from '@glimmer/component';
 import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
 import { action } from '@ember/object';
 import { SecurityPolicy } from './step-1';
 import type NamespaceService from 'vault/services/namespace';
+import type SnippetService from 'vault/services/snippet';
+import { CreationMethod } from 'vault/utils/constants/snippet';
 import {
   generateApiSnippet,
   generateCliSnippet,
@@ -25,12 +26,6 @@ interface Args {
   updateWizardState: (key: string, value: unknown) => void;
 }
 
-export enum CreationMethod {
-  TERRAFORM = 'Terraform automation',
-  APICLI = 'API/CLI',
-  UI = 'Vault UI workflow',
-}
-
 interface CreationMethodChoice {
   icon: string;
   label: CreationMethod;
@@ -40,15 +35,14 @@ interface CreationMethodChoice {
 
 export default class WizardNamespacesStep3 extends Component<Args> {
   @service declare readonly namespace: NamespaceService;
-  @tracked creationMethodChoice: CreationMethod;
-  @tracked selectedTabIdx = 0;
+  @service declare readonly snippet: SnippetService;
 
   methods = CreationMethod;
   policy = SecurityPolicy;
 
   constructor(owner: unknown, args: Args) {
     super(owner, args);
-    this.creationMethodChoice = this.args.wizardState.creationMethod || CreationMethod.TERRAFORM;
+    this.snippet.reset(this.args.wizardState.creationMethod || CreationMethod.TERRAFORM);
   }
 
   creationMethodOptions: CreationMethodChoice[] = [
@@ -73,6 +67,14 @@ export default class WizardNamespacesStep3 extends Component<Args> {
     },
   ];
 
+  get creationMethodChoice() {
+    return this.snippet.creationMethodChoice;
+  }
+
+  get selectedTabIdx() {
+    return this.snippet.selectedTabIdx;
+  }
+
   get tfSnippet() {
     const { namespacePaths } = this.args.wizardState;
     return generateTerraformSnippet(namespacePaths, this.namespace.path);
@@ -96,28 +98,20 @@ export default class WizardNamespacesStep3 extends Component<Args> {
 
   @action
   onChange(choice: CreationMethodChoice) {
-    this.creationMethodChoice = choice.label;
+    this.snippet.setCreationMethod(choice.label, this.tfSnippet, this.customTabs);
     this.args.updateWizardState('creationMethod', choice.label);
-    // Update the code snippet whenever the creation method changes
-    this.updateCodeSnippet();
+    this.args.updateWizardState('codeSnippet', this.snippet.codeSnippet);
   }
 
   @action
   onTabChange(idx: number) {
-    this.selectedTabIdx = idx;
-
-    // Update the code snippet whenever the tab changes
-    this.updateCodeSnippet();
+    this.snippet.setSelectedTab(idx, this.tfSnippet, this.customTabs);
+    this.args.updateWizardState('codeSnippet', this.snippet.codeSnippet);
   }
 
-  // Update the wizard state with the current code snippet
   @action
   updateCodeSnippet() {
-    if (this.creationMethodChoice === CreationMethod.TERRAFORM) {
-      this.args.updateWizardState('codeSnippet', this.tfSnippet);
-    } else if (this.creationMethodChoice === CreationMethod.APICLI) {
-      const snippet = this.customTabs[this.selectedTabIdx]?.snippet;
-      this.args.updateWizardState('codeSnippet', snippet);
-    }
+    this.snippet.persistSnippet(this.tfSnippet, this.customTabs);
+    this.args.updateWizardState('codeSnippet', this.snippet.codeSnippet);
   }
 }
diff --git a/ui/app/components/wizard/secret-engines/secret-engines-wizard.hbs b/ui/app/components/wizard/secret-engines/secret-engines-wizard.hbs
index c4388c655c..3d5c43501b 100644
--- a/ui/app/components/wizard/secret-engines/secret-engines-wizard.hbs
+++ b/ui/app/components/wizard/secret-engines/secret-engines-wizard.hbs
@@ -12,8 +12,8 @@
       <Hds::Button
         @icon="plus"
         @text="Enable a Secret engine"
-        {{on "click" (fn this.onIntroChange false)}}
-        data-test-button="intro"
+        @route="vault.cluster.secrets.enable"
+        data-test-button="enable"
       />
       <Hds::Button
         @color="secondary"
@@ -26,7 +26,7 @@
         @iconPosition="trailing"
         @text="View documentation"
         @href={{doc-link "/vault/tutorials/get-started/understand-static-dynamic-secrets"}}
-        class="has-left-margin-m"
+        class="margin-left-auto"
       />
     </Hds::ButtonSet>
   </:introActions>
diff --git a/ui/app/components/wizard/secret-engines/secret-engines-wizard.ts b/ui/app/components/wizard/secret-engines/secret-engines-wizard.ts
index 725cc2a3fc..57a695e9d8 100644
--- a/ui/app/components/wizard/secret-engines/secret-engines-wizard.ts
+++ b/ui/app/components/wizard/secret-engines/secret-engines-wizard.ts
@@ -6,6 +6,7 @@
 import Component from '@glimmer/component';
 import { service } from '@ember/service';
 import { action } from '@ember/object';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 import type ApiService from 'vault/services/api';
 import type FlashMessageService from 'vault/services/flash-messages';
@@ -17,24 +18,17 @@ interface Args {
   onRefresh: CallableFunction;
 }
 
-export const WIZARD_ID = 'secret-engines';
-
 export default class WizardSecretEnginesWizardComponent extends Component<Args> {
   @service declare readonly api: ApiService;
   @service declare readonly router: RouterService;
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly wizard: WizardService;
 
-  wizardId = WIZARD_ID;
+  wizardId = WIZARD_ID_MAP.secretEngines;
 
   @action
   onDismiss() {
     this.wizard.dismiss(this.wizardId);
     this.args.onRefresh();
   }
-
-  @action
-  onIntroChange(visible: boolean) {
-    this.wizard.setIntroVisible(this.wizardId, visible);
-  }
 }
diff --git a/ui/app/controllers/vault/cluster/access/identity/index.js b/ui/app/controllers/vault/cluster/access/identity/index.js
index c8200257e0..a1b9a4f26f 100644
--- a/ui/app/controllers/vault/cluster/access/identity/index.js
+++ b/ui/app/controllers/vault/cluster/access/identity/index.js
@@ -33,8 +33,8 @@ export default Controller.extend(ListController, {
           this.flashMessages.success(`Successfully deleted ${type}: ${id}`);
         })
         .catch((e) => {
-          this.flashMessages.success(
-            `There was a problem deleting ${type}: ${id} - ${e.errors.join(' ') || e.message}`
+          this.flashMessages.danger(
+            `There was a problem deleting ${type}: ${id} - ${e.errors?.join(' ') || e.message}`
           );
         })
         .finally(() => this.set('itemToDelete', null));
diff --git a/ui/app/controllers/vault/cluster/access/leases/list.js b/ui/app/controllers/vault/cluster/access/leases/list.js
index fa8914c0bf..a1754f86ad 100644
--- a/ui/app/controllers/vault/cluster/access/leases/list.js
+++ b/ui/app/controllers/vault/cluster/access/leases/list.js
@@ -26,12 +26,6 @@ export default Controller.extend(ListController, {
 
   backendCrumb: computed('clusterController.model.name', function () {
     return [
-      {
-        label: 'Vault',
-        text: 'Vault',
-        path: 'vault.cluster.dashboard',
-        icon: 'vault',
-      },
       {
         label: 'Leases',
         text: 'Leases',
diff --git a/ui/app/controllers/vault/cluster/access/mfa/enforcements/enforcement/index.js b/ui/app/controllers/vault/cluster/access/mfa/enforcements/enforcement/index.js
index faf1075830..bc6cfae7c9 100644
--- a/ui/app/controllers/vault/cluster/access/mfa/enforcements/enforcement/index.js
+++ b/ui/app/controllers/vault/cluster/access/mfa/enforcements/enforcement/index.js
@@ -11,6 +11,7 @@ import { service } from '@ember/service';
 export default class MfaLoginEnforcementIndexController extends Controller {
   @service router;
   @service flashMessages;
+  @service api;
 
   queryParams = ['tab'];
   tab = 'targets';
@@ -21,7 +22,7 @@ export default class MfaLoginEnforcementIndexController extends Controller {
   @action
   async delete() {
     try {
-      await this.model.destroyRecord();
+      await this.api.identity.mfaDeleteLoginEnforcement(this.model.name);
       this.showDeleteConfirmation = false;
       this.flashMessages.success('MFA login enforcement deleted successfully');
       this.router.transitionTo('vault.cluster.access.mfa.enforcements');
diff --git a/ui/app/controllers/vault/cluster/access/mfa/methods/create.js b/ui/app/controllers/vault/cluster/access/mfa/methods/create.js
index c7b6dc4bec..409dadc184 100644
--- a/ui/app/controllers/vault/cluster/access/mfa/methods/create.js
+++ b/ui/app/controllers/vault/cluster/access/mfa/methods/create.js
@@ -9,19 +9,24 @@ import { tracked } from '@glimmer/tracking';
 import { action } from '@ember/object';
 import { capitalize } from '@ember/string';
 import { task } from 'ember-concurrency';
-import { addToArray } from 'vault/helpers/add-to-array';
+
+import MfaCreateTotpMethodForm from 'vault/forms/mfa/method/totp';
+import MfaCreateDuoMethodForm from 'vault/forms/mfa/method/duo';
+import MfaCreateOktaMethodForm from 'vault/forms/mfa/method/okta';
+import MfaCreatePingIdMethodForm from 'vault/forms/mfa/method/ping-id';
+import MfaLoginEnforcementForm from 'vault/forms/mfa/login-enforcement';
 
 export default class MfaMethodCreateController extends Controller {
-  @service store;
   @service flashMessages;
   @service router;
+  @service api;
 
   queryParams = ['type'];
   methods = [
-    { name: 'TOTP', icon: 'history' },
-    { name: 'Duo', icon: 'duo-color' },
-    { name: 'Okta', icon: 'okta-color' },
-    { name: 'PingID', icon: 'ping-identity-color' },
+    { name: 'TOTP', icon: 'history', type: 'totp' },
+    { name: 'Duo', icon: 'duo-color', type: 'duo' },
+    { name: 'Okta', icon: 'okta-color', type: 'okta' },
+    { name: 'PingID', icon: 'ping-identity-color', type: 'pingid' },
   ];
 
   @tracked type = null;
@@ -31,6 +36,10 @@ export default class MfaMethodCreateController extends Controller {
   @tracked methodErrors;
   @tracked enforcementErrors;
 
+  get methodNameFromType() {
+    return this.methods.find((method) => method.type === this.method.type)?.name || '';
+  }
+
   get description() {
     if (this.type === 'totp') {
       return `Once set up, TOTP requires a passcode to be presented alongside a Vault token when invoking an API request.
@@ -47,7 +56,7 @@ export default class MfaMethodCreateController extends Controller {
     return this.type === 'totp';
   }
   get showForms() {
-    return this.type && this.method;
+    return this.type === this.method?.type;
   }
 
   @action
@@ -62,25 +71,33 @@ export default class MfaMethodCreateController extends Controller {
   }
   @action
   createModels() {
-    if (this.method) {
-      this.method.unloadRecord();
+    if (this.type === 'totp') {
+      this.method = new MfaCreateTotpMethodForm({ period: '30' }, { isNew: true });
+    } else if (this.type === 'duo') {
+      this.method = new MfaCreateDuoMethodForm({}, { isNew: true });
+    } else if (this.type === 'okta') {
+      this.method = new MfaCreateOktaMethodForm({}, { isNew: true });
+    } else if (this.type === 'pingid') {
+      this.method = new MfaCreatePingIdMethodForm({}, { isNew: true });
     }
-    if (this.enforcement) {
-      this.enforcement.unloadRecord();
-    }
-    this.method = this.store.createRecord('mfa-method', { type: this.type });
-    this.enforcement = this.store.createRecord('mfa-login-enforcement');
+
+    this.enforcement = new MfaLoginEnforcementForm({}, { isNew: true });
   }
+
   @action
   onEnforcementPreferenceChange(preference) {
     if (preference === 'new') {
-      this.enforcement = this.store.createRecord('mfa-login-enforcement');
+      this.enforcement = new MfaLoginEnforcementForm({}, { isNew: true });
     } else if (this.enforcement) {
-      this.enforcement.unloadRecord();
       this.enforcement = null;
     }
     this.enforcementPreference = preference;
   }
+  @action
+  onEnforcementSelect(enforcementForm) {
+    this.enforcement = enforcementForm;
+  }
+
   @action
   cancel() {
     this.method = null;
@@ -88,20 +105,43 @@ export default class MfaMethodCreateController extends Controller {
     this.enforcementPreference = null;
     this.router.transitionTo('vault.cluster.access.mfa.methods');
   }
+
   @task
   *save() {
     const isValid = this.checkValidityState();
     if (isValid) {
       try {
         // first save method
-        yield this.method.save();
-        if (this.enforcement) {
+        const { data: methodData } = this.method.toJSON();
+
+        let response = null;
+
+        if (this.type === 'totp') {
+          response = yield this.api.identity.mfaCreateTotpMethod({ ...methodData });
+        } else if (this.type === 'duo') {
+          response = yield this.api.identity.mfaCreateDuoMethod({ ...methodData });
+        } else if (this.type === 'okta') {
+          response = yield this.api.identity.mfaCreateOktaMethod({ ...methodData });
+        } else if (this.type === 'pingid') {
+          response = yield this.api.identity.mfaCreatePingIdMethod({ ...methodData });
+        }
+
+        const { data } = response;
+
+        if (data.method_id && this.enforcement) {
+          const { data: enforcementData } = this.enforcement.toJSON();
           // mfa_methods is type PromiseManyArray. Array methods like slice are no longer allowed on PromiseManyArray. We must yield the promise first, then call the method.
-          const mfaMethods = yield this.enforcement.mfa_methods;
-          this.enforcement.mfa_methods = addToArray(mfaMethods.slice(), this.method);
+          // const mfaMethods = yield enforcementData.mfa_methods;
+          // enforcementData.mfa_methods = addToArray(method_id, methodData);
           try {
             // now save enforcement and catch error separately
-            yield this.enforcement.save();
+            yield this.api.identity.mfaWriteLoginEnforcement(enforcementData.name, {
+              auth_method_accessors: enforcementData.auth_method_accessors || [],
+              auth_method_types: enforcementData.auth_method_types || [],
+              identity_entity_ids: enforcementData.identity_entity_ids || [],
+              identity_group_ids: enforcementData.identity_group_ids || [],
+              mfa_method_ids: [data.method_id],
+            });
           } catch (error) {
             this.handleError(
               error,
@@ -109,30 +149,32 @@ export default class MfaMethodCreateController extends Controller {
             );
           }
         }
-        this.router.transitionTo('vault.cluster.access.mfa.methods.method', this.method.id);
+        this.router.transitionTo('vault.cluster.access.mfa.methods.method', data.method_id);
       } catch (error) {
         this.handleError(error, 'Error saving method');
       }
     }
   }
   checkValidityState() {
+    const { isValid: isMethodValid, state: methodState } = this.method.toJSON();
     // block saving models if either is in an invalid state
-    let isEnforcementValid = true;
-    const methodValidations = this.method.validate();
-    if (!methodValidations.isValid) {
-      this.methodErrors = methodValidations.state;
+    let checkEnforcementValidity = true;
+
+    if (!isMethodValid) {
+      this.methodErrors = methodState;
     }
-    // only validate enforcement if creating new
-    if (this.enforcementPreference === 'new') {
-      const enforcementValidations = this.enforcement.validate();
+    // only validate enforcement if creating new and enforcement exists
+    if (this.enforcementPreference === 'new' && this.enforcement) {
+      const { isValid: isEnforcementValid, state: enforcementState } = this.enforcement.toJSON();
+      const enforcementValidations = isEnforcementValid;
       // since we are adding the method after it has been saved ignore mfa_methods validation state
-      const { name, targets } = enforcementValidations.state;
-      isEnforcementValid = name.isValid && targets.isValid;
+      const { name, targets } = enforcementState;
+      checkEnforcementValidity = name.isValid && targets.isValid;
       if (!enforcementValidations.isValid) {
-        this.enforcementErrors = enforcementValidations.state;
+        this.enforcementErrors = enforcementState;
       }
     }
-    return methodValidations.isValid && isEnforcementValid;
+    return isMethodValid && checkEnforcementValidity;
   }
   handleError(error, message) {
     const errorMessage = error?.errors ? `${message}: ${error.errors.join(', ')}` : message;
diff --git a/ui/app/controllers/vault/cluster/access/mfa/methods/method/index.js b/ui/app/controllers/vault/cluster/access/mfa/methods/method/index.js
index 78c845f90f..4355e5f18a 100644
--- a/ui/app/controllers/vault/cluster/access/mfa/methods/method/index.js
+++ b/ui/app/controllers/vault/cluster/access/mfa/methods/method/index.js
@@ -6,22 +6,99 @@
 import Controller from '@ember/controller';
 import { service } from '@ember/service';
 import { action } from '@ember/object';
+import { toLabel } from 'core/helpers/to-label';
 
 export default class MfaMethodController extends Controller {
   @service router;
   @service flashMessages;
+  @service api;
 
   queryParams = ['tab'];
   tab = 'config';
 
+  get displayFields() {
+    const type = this.model.method.type;
+    switch (type) {
+      case 'duo':
+        return [
+          'username_format',
+          'secret_key',
+          'integration_key',
+          'api_hostname',
+          'push_info',
+          'use_passcode',
+        ];
+      case 'okta':
+        return ['username_format', 'mount_accessor', 'org_name', 'api_token', 'base_url', 'primary_email'];
+      case 'totp':
+        return [
+          'issuer',
+          'period',
+          'key_size',
+          'qr_size',
+          'algorithm',
+          'digits',
+          'skew',
+          'max_validation_attempts',
+          'enable_self_enrollment',
+        ];
+      case 'pingid':
+        return [
+          'username_format',
+          'settings_file_base64',
+          'use_signature',
+          'idp_url',
+          'admin_url',
+          'authenticator_url',
+          'org_alias',
+        ];
+      default:
+        return [];
+    }
+  }
+
+  label(field) {
+    const key = field.replace('config.', '');
+    const label = toLabel([key]);
+    // map specific fields to custom labels
+    return (
+      {
+        push_info: 'Duo push information',
+        use_passcode: 'Passcode reminder',
+        org_name: 'Organization name',
+        api_token: 'Okta API key',
+        base_url: 'Base URL',
+        qr_size: 'QR size',
+        enable_self_enrollment: 'Enable self-enrollment',
+        api_hostname: 'API hostname',
+      }[key] || label
+    );
+  }
+
   @action
   async deleteMethod() {
     try {
-      await this.model.method.destroyRecord();
+      const { type, id } = this.model.method;
+      switch (type) {
+        case 'totp':
+          await this.api.identity.mfaDeleteTotpMethod(id);
+          break;
+        case 'pingid':
+          await this.api.identity.mfaDeletePingIdMethod(id);
+          break;
+        case 'duo':
+          await this.api.identity.mfaDeleteDuoMethod(id);
+          break;
+        case 'okta':
+          await this.api.identity.mfaDeleteOktaMethod(id);
+          break;
+        default:
+          throw new Error(`Unknown MFA method type: ${type}`);
+      }
       this.flashMessages.success('MFA method deleted successfully.');
       this.router.transitionTo('vault.cluster.access.mfa.methods');
     } catch (error) {
-      this.flashMessages.danger(`There was an error deleting this MFA method.`);
+      this.flashMessages.danger('There was an error deleting this MFA method.');
     }
   }
 }
diff --git a/ui/app/controllers/vault/cluster/access/namespaces/index.js b/ui/app/controllers/vault/cluster/access/namespaces/index.js
index 20ff5f9606..d6f850101f 100644
--- a/ui/app/controllers/vault/cluster/access/namespaces/index.js
+++ b/ui/app/controllers/vault/cluster/access/namespaces/index.js
@@ -27,7 +27,16 @@ export default class ManageNamespacesController extends Controller {
   @action
   navigate(pageFilter) {
     const route = 'vault.cluster.access.namespaces.index';
-    const args = [route, { queryParams: { page: 1, pageFilter: pageFilter || null } }];
+    const args = [
+      route,
+      {
+        queryParams: {
+          page: pageFilter.page || 1,
+          pageFilter: pageFilter.pageFilter || null,
+          pageSize: pageFilter.pageSize || null,
+        },
+      },
+    ];
     this.router.transitionTo(...args);
   }
 
diff --git a/ui/app/controllers/vault/cluster/access/oidc.js b/ui/app/controllers/vault/cluster/access/oidc.js
index cbb6c68ac8..f9596da412 100644
--- a/ui/app/controllers/vault/cluster/access/oidc.js
+++ b/ui/app/controllers/vault/cluster/access/oidc.js
@@ -41,11 +41,16 @@ export default class OidcConfigureController extends Controller {
   get breadcrumbs() {
     // we check parent for the name as the currentRoute is always "index"
     const route = this.router.currentRoute.parent.localName ?? '';
-    const isDefaultRoute = route === 'clients';
+    const isDefaultRoute = route === 'clients' || route == 'oidc';
+    const showApplications = route !== 'oidc' ? ': Applications' : '';
 
     const baseCrumbs = [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
-      { label: 'Auth Oidc', route: 'vault.cluster.access.oidc', current: isDefaultRoute },
+      {
+        label: `OIDC provider${showApplications}`,
+        route: 'vault.cluster.access.oidc',
+        current: isDefaultRoute,
+      },
     ];
 
     // clients is the default view, so in order to match current patterns, we do not include it as a breadcrumb
diff --git a/ui/app/controllers/vault/cluster/access/oidc/assignments/assignment/details.js b/ui/app/controllers/vault/cluster/access/oidc/assignments/assignment/details.js
index 5e8b3520e5..e32b0c75fc 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/assignments/assignment/details.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/assignments/assignment/details.js
@@ -8,18 +8,18 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 
 export default class OidcAssignmentDetailsController extends Controller {
+  @service api;
   @service router;
   @service flashMessages;
 
   @action
   async delete() {
     try {
-      await this.model.destroyRecord();
+      await this.api.identity.oidcDeleteAssignment(this.model.assignment.name);
       this.flashMessages.success('Assignment deleted successfully');
       this.router.transitionTo('vault.cluster.access.oidc.assignments');
     } catch (error) {
-      this.model.rollbackAttributes();
-      const message = error.errors ? error.errors.join('. ') : error.message;
+      const { message } = await this.api.parseError(error);
       this.flashMessages.danger(message);
     }
   }
diff --git a/ui/app/controllers/vault/cluster/access/oidc/clients/client/details.js b/ui/app/controllers/vault/cluster/access/oidc/clients/client/details.js
index 64e3f514bb..1956e9ebec 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/clients/client/details.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/clients/client/details.js
@@ -8,18 +8,18 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 
 export default class OidcClientDetailsController extends Controller {
+  @service api;
   @service router;
   @service flashMessages;
 
   @action
   async delete() {
     try {
-      await this.model.destroyRecord();
+      await this.api.identity.oidcDeleteClient(this.model.client.name);
       this.flashMessages.success('Application deleted successfully');
       this.router.transitionTo('vault.cluster.access.oidc.clients');
     } catch (error) {
-      this.model.rollbackAttributes();
-      const message = error.errors ? error.errors.join('. ') : error.message;
+      const { message } = await this.api.parseError(error);
       this.flashMessages.danger(message);
     }
   }
diff --git a/ui/app/controllers/vault/cluster/access/oidc/keys/key/details.js b/ui/app/controllers/vault/cluster/access/oidc/keys/key/details.js
index 8e8514a6de..7d06f1e84c 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/keys/key/details.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/keys/key/details.js
@@ -10,32 +10,31 @@ import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
 
 export default class OidcKeyDetailsController extends Controller {
-  @service store;
+  @service api;
   @service router;
   @service flashMessages;
 
-  @task
-  @waitFor
-  *rotateKey() {
-    const adapter = this.store.adapterFor('oidc/key');
-    yield adapter
-      .rotate(this.model.name, this.model.verificationTtl)
-      .then(() => {
-        this.flashMessages.success(`Success: ${this.model.name} connection was rotated.`);
-      })
-      .catch((e) => {
-        this.flashMessages.danger(e.errors);
-      });
-  }
+  rotateKey = task(
+    waitFor(async () => {
+      try {
+        const { name, verification_ttl } = this.model.key;
+        await this.api.identity.oidcRotateKey(name, { verification_ttl });
+        this.flashMessages.success(`Success: ${name} connection was rotated.`);
+      } catch (e) {
+        const { message } = await this.api.parseError(e);
+        this.flashMessages.danger(message);
+      }
+    })
+  );
+
   @action
   async delete() {
     try {
-      await this.model.destroyRecord();
+      await this.api.identity.oidcDeleteKey(this.model.key.name);
       this.flashMessages.success('Key deleted successfully');
       this.router.transitionTo('vault.cluster.access.oidc.keys');
     } catch (error) {
-      this.model.rollbackAttributes();
-      const message = error.errors ? error.errors.join('. ') : error.message;
+      const { message } = await this.api.parseError(error);
       this.flashMessages.danger(message);
     }
   }
diff --git a/ui/app/controllers/vault/cluster/access/oidc/providers/provider/details.js b/ui/app/controllers/vault/cluster/access/oidc/providers/provider/details.js
index 18b6254589..5c4c39bf58 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/providers/provider/details.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/providers/provider/details.js
@@ -8,18 +8,18 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 
 export default class OidcProviderDetailsController extends Controller {
+  @service api;
   @service router;
   @service flashMessages;
 
   @action
   async delete() {
     try {
-      await this.model.destroyRecord();
+      await this.api.identity.oidcDeleteProvider(this.model.provider.name);
       this.flashMessages.success('Provider deleted successfully');
       this.router.transitionTo('vault.cluster.access.oidc.providers');
     } catch (error) {
-      this.model.rollbackAttributes();
-      const message = error.errors ? error.errors.join('. ') : error.message;
+      const { message } = await this.api.parseError(error);
       this.flashMessages.danger(message);
     }
   }
diff --git a/ui/app/controllers/vault/cluster/access/oidc/scopes/scope/details.js b/ui/app/controllers/vault/cluster/access/oidc/scopes/scope/details.js
index e8ada25f67..79153c46dc 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/scopes/scope/details.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/scopes/scope/details.js
@@ -8,18 +8,18 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 
 export default class OidcScopeDetailsController extends Controller {
+  @service api;
   @service router;
   @service flashMessages;
 
   @action
   async delete() {
     try {
-      await this.model.destroyRecord();
+      await this.api.identity.oidcDeleteScope(this.model.scope.name);
       this.flashMessages.success('Scope deleted successfully');
       this.router.transitionTo('vault.cluster.access.oidc.scopes');
     } catch (error) {
-      this.model.rollbackAttributes();
-      const message = error.errors ? error.errors.join('. ') : error.message;
+      const { message } = await this.api.parseError(error);
       this.flashMessages.danger(message);
     }
   }
diff --git a/ui/app/controllers/vault/cluster/policy/edit.js b/ui/app/controllers/vault/cluster/policy/edit.js
index 050b91b93c..b847ee9bb6 100644
--- a/ui/app/controllers/vault/cluster/policy/edit.js
+++ b/ui/app/controllers/vault/cluster/policy/edit.js
@@ -9,20 +9,30 @@ import { service } from '@ember/service';
 
 export default class PolicyEditController extends Controller {
   @service router;
+  @service api;
   @service flashMessages;
 
   @action
   async deletePolicy() {
     const { policyType, name } = this.model;
     try {
-      await this.model.destroyRecord();
+      if (policyType === 'acl') {
+        await this.api.sys.policiesDeleteAclPolicy(name);
+      } else if (policyType === 'egp') {
+        await this.api.sys.systemDeletePoliciesEgpName(name);
+      } else {
+        await this.api.sys.systemDeletePoliciesRgpName(name);
+      }
+
       this.flashMessages.success(`${policyType.toUpperCase()} policy "${name}" was successfully deleted.`);
       this.router.transitionTo('vault.cluster.policies', policyType);
     } catch (error) {
-      this.model.rollbackAttributes();
-      const errors = error.errors ? error.errors.join('. ') : error.message;
-      const message = `There was an error deleting the ${policyType.toUpperCase()} policy "${name}": ${errors}.`;
-      this.flashMessages.danger(message);
+      const { status, message } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      const flashMessage = `There was an error deleting the ${policyType.toUpperCase()} policy "${name}": ${message}.`;
+      this.flashMessages.danger(flashMessage);
     }
   }
 }
diff --git a/ui/app/controllers/vault/cluster/secrets/backend/list.js b/ui/app/controllers/vault/cluster/secrets/backend/list.js
index ab95c0c4aa..f3a6ccff9b 100644
--- a/ui/app/controllers/vault/cluster/secrets/backend/list.js
+++ b/ui/app/controllers/vault/cluster/secrets/backend/list.js
@@ -3,14 +3,14 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { or } from '@ember/object/computed';
-import { computed } from '@ember/object';
-import { service } from '@ember/service';
 import Controller from '@ember/controller';
-import BackendCrumbMixin from 'vault/mixins/backend-crumb';
+import { computed } from '@ember/object';
+import { or } from '@ember/object/computed';
+import { service } from '@ember/service';
+import { SecretsApiSshListRolesListEnum } from '@hashicorp/vault-client-typescript';
 import ListController from 'core/mixins/list-controller';
 import { keyIsFolder } from 'core/utils/key-utils';
-import { task } from 'ember-concurrency';
+import BackendCrumbMixin from 'vault/mixins/backend-crumb';
 
 export default Controller.extend(ListController, BackendCrumbMixin, {
   flashMessages: service(),
@@ -40,48 +40,86 @@ export default Controller.extend(ListController, BackendCrumbMixin, {
       this.set('selectedAction', action);
     },
 
-    toggleZeroAddress(item, backend) {
-      item.toggleProperty('zeroAddress');
+    // Adds or removes the given SSH role from the zero-address config, then reloads the list.
+    async toggleZeroAddress(item) {
+      const backendPath = item.backend;
       this.set('loading-' + item.id, true);
-      backend
-        .saveZeroAddressConfig()
-        .catch((e) => {
-          item.set('zeroAddress', false);
-          this.flashMessages.danger(e.message);
-        })
-        .finally(() => {
-          this.set('loading-' + item.id, false);
-        });
+      try {
+        const response = await this.api.secrets.sshListRoles(
+          backendPath,
+          SecretsApiSshListRolesListEnum.TRUE
+        );
+        const allRoles = this.api.keyInfoToArray(response);
+        const newValue = !item.zero_address;
+        const zeroAddressRoles = allRoles
+          .filter((role) => (role.id === item.id ? newValue : role.zero_address))
+          .map((role) => role.id);
+        if (zeroAddressRoles.length === 0) {
+          await this.api.secrets.sshDeleteZeroAddressConfiguration(backendPath);
+        } else {
+          await this.api.secrets.sshConfigureZeroAddress(backendPath, { roles: zeroAddressRoles });
+        }
+        this.send('reload');
+      } catch (e) {
+        const { message } = await this.api.parseError(e);
+        this.flashMessages.danger(message);
+      } finally {
+        this.set('loading-' + item.id, false);
+      }
     },
 
-    delete(item) {
+    async delete(item) {
       const name = item.id;
-      item
-        .destroyRecord()
-        .then(() => {
+      // Handle keymgmt list items (plain objects from API service)
+      if (this.backendType === 'keymgmt' && item.type === 'key') {
+        try {
+          await this.api.secrets.keyManagementDeleteKey(name, item.backend);
           this.flashMessages.success(`${name} was successfully deleted.`);
           this.send('reload');
-        })
-        .catch((e) => {
-          const error = e.errors ? e.errors.join('. ') : e.message;
-          this.flashMessages.danger(error);
-        });
+        } catch (e) {
+          const { message } = await this.api.parseError(e);
+          this.flashMessages.danger(message);
+        }
+      } else if (this.backendType === 'keymgmt' && item.type === 'provider') {
+        try {
+          await this.api.secrets.keyManagementDeleteKmsProvider(name, item.backend);
+          this.flashMessages.success(`${name} was successfully deleted.`);
+          this.send('reload');
+        } catch (e) {
+          const { message } = await this.api.parseError(e);
+          this.flashMessages.danger(message);
+        }
+      } else if (this.backendType === 'totp') {
+        try {
+          await this.api.secrets.totpDeleteKey(name, item.backend);
+          this.flashMessages.success(`${name} was successfully deleted.`);
+          this.send('reload');
+        } catch (e) {
+          const { message } = await this.api.parseError(e);
+          this.flashMessages.danger(message);
+        }
+      } else if (this.backendType === 'ssh') {
+        try {
+          await this.api.secrets.sshDeleteRole(name, item.backend);
+          this.flashMessages.success(`${name} was successfully deleted.`);
+          this.send('reload');
+        } catch (e) {
+          const { message } = await this.api.parseError(e);
+          this.flashMessages.danger(message);
+        }
+      } else {
+        // Handle Ember Data models
+        item
+          .destroyRecord()
+          .then(() => {
+            this.flashMessages.success(`${name} was successfully deleted.`);
+            this.send('reload');
+          })
+          .catch((e) => {
+            const error = e.errors ? e.errors.join('. ') : e.message;
+            this.flashMessages.danger(error);
+          });
+      }
     },
   },
-
-  disableEngine: task(function* (engine) {
-    const { engineType, id, path } = engine;
-    try {
-      yield this.api.sys.mountsDisableSecretsEngine(id);
-      this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } catch (err) {
-      const { message } = yield this.api.parseError(err);
-      this.flashMessages.danger(
-        `There was an error disabling the ${engineType} Secrets Engines at ${path}: ${message}.`
-      );
-    } finally {
-      this.engineToDisable = null;
-    }
-  }).drop(),
 });
diff --git a/ui/app/controllers/vault/cluster/secrets/backend/sign.js b/ui/app/controllers/vault/cluster/secrets/backend/sign.js
deleted file mode 100644
index 934c8098e6..0000000000
--- a/ui/app/controllers/vault/cluster/secrets/backend/sign.js
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { service } from '@ember/service';
-import Controller from '@ember/controller';
-import { set } from '@ember/object';
-
-export default Controller.extend({
-  store: service(),
-  loading: false,
-  emptyData: '{\n}',
-  actions: {
-    sign() {
-      this.set('loading', true);
-      this.model.save().finally(() => {
-        this.set('loading', false);
-      });
-    },
-
-    editorUpdated(attr, val) {
-      // wont set invalid JSON to the model
-      try {
-        set(this.model, attr, JSON.parse(val));
-      } catch {
-        // linting is handled by the component
-      }
-    },
-
-    updateTtl(path, val) {
-      const model = this.model;
-      const valueToSet = val.enabled === true ? `${val.seconds}s` : undefined;
-      set(model, path, valueToSet);
-    },
-
-    newModel() {
-      const model = this.model;
-      const roleModel = model.role;
-      model.unloadRecord();
-      const newModel = this.store.createRecord('ssh-sign', {
-        role: roleModel,
-        id: `${roleModel.backend}-${roleModel.name}`,
-      });
-      this.set('model', newModel);
-    },
-  },
-});
diff --git a/ui/app/controllers/vault/cluster/secrets/enable/create.ts b/ui/app/controllers/vault/cluster/secrets/enable/create.ts
index cb927d1f04..523611312f 100644
--- a/ui/app/controllers/vault/cluster/secrets/enable/create.ts
+++ b/ui/app/controllers/vault/cluster/secrets/enable/create.ts
@@ -5,19 +5,10 @@
 
 import Controller from '@ember/controller';
 import { service } from '@ember/service';
-import { action } from '@ember/object';
-import {
-  supportedSecretBackends,
-  SupportedSecretBackendsEnum,
-} from 'vault/helpers/supported-secret-backends';
-import engineDisplayData from 'vault/helpers/engines-display-data';
-import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
 import type SecretsEngineForm from 'vault/forms/secrets/engine';
 import type Router from '@ember/routing/router';
 import type { EngineVersionInfo } from 'vault/utils/plugin-catalog-helpers';
 
-const SUPPORTED_BACKENDS = supportedSecretBackends();
-
 export default class VaultClusterSecretsEnableCreateController extends Controller {
   @service declare router: Router;
 
@@ -25,27 +16,4 @@ export default class VaultClusterSecretsEnableCreateController extends Controlle
     form: SecretsEngineForm;
     availableVersions: EngineVersionInfo[];
   };
-
-  @action
-  onMountSuccess(type: string, path: string, useEngineRoute = false) {
-    let transition;
-    const engineInfo = engineDisplayData(type);
-    const effectiveType = getEffectiveEngineType(type);
-
-    if (engineInfo && SUPPORTED_BACKENDS.includes(effectiveType as SupportedSecretBackendsEnum)) {
-      if (useEngineRoute && engineInfo.engineRoute) {
-        transition = this.router.transitionTo(
-          `vault.cluster.secrets.backend.${engineInfo.engineRoute}`,
-          path
-        );
-      } else {
-        // For keymgmt, we need to land on provider tab by default using query params
-        const queryParams = effectiveType === 'keymgmt' ? { tab: 'provider' } : {};
-        transition = this.router.transitionTo('vault.cluster.secrets.backend.index', path, { queryParams });
-      }
-    } else {
-      transition = this.router.transitionTo('vault.cluster.secrets.backends');
-    }
-    return transition?.followRedirects();
-  }
 }
diff --git a/ui/app/controllers/vault/cluster/secrets/enable/index.js b/ui/app/controllers/vault/cluster/secrets/enable/index.js
index 0dbd309f52..661d641594 100644
--- a/ui/app/controllers/vault/cluster/secrets/enable/index.js
+++ b/ui/app/controllers/vault/cluster/secrets/enable/index.js
@@ -6,11 +6,6 @@
 import { service } from '@ember/service';
 import Controller from '@ember/controller';
 import { action } from '@ember/object';
-import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
-import engineDisplayData from 'vault/helpers/engines-display-data';
-import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
-
-const SUPPORTED_BACKENDS = supportedSecretBackends();
 
 export default class SecretEnableController extends Controller {
   @service router;
@@ -19,28 +14,4 @@ export default class SecretEnableController extends Controller {
   setMountType(type) {
     this.router.transitionTo('vault.cluster.secrets.enable.create', type);
   }
-
-  @action
-  onMountSuccess(type, path, useEngineRoute = false) {
-    let transition;
-
-    const effectiveType = getEffectiveEngineType(type);
-    const engineInfo = engineDisplayData(type);
-
-    if (SUPPORTED_BACKENDS.includes(effectiveType)) {
-      if (useEngineRoute && engineInfo?.engineRoute) {
-        transition = this.router.transitionTo(
-          `vault.cluster.secrets.backend.${engineInfo.engineRoute}`,
-          path
-        );
-      } else {
-        // For keymgmt, we need to land on provider tab by default using query params
-        const queryParams = effectiveType === 'keymgmt' ? { tab: 'provider' } : {};
-        transition = this.router.transitionTo('vault.cluster.secrets.backend.index', path, { queryParams });
-      }
-    } else {
-      transition = this.router.transitionTo('vault.cluster.secrets.backends');
-    }
-    return transition.followRedirects();
-  }
 }
diff --git a/ui/app/controllers/vault/cluster/settings/seal.js b/ui/app/controllers/vault/cluster/settings/seal.js
index 1b3e4dc5a6..a88961cc4a 100644
--- a/ui/app/controllers/vault/cluster/settings/seal.js
+++ b/ui/app/controllers/vault/cluster/settings/seal.js
@@ -18,11 +18,11 @@ export default Controller.extend({
         .adapterFor('cluster')
         .seal()
         .then(() => {
+          this.router.transitionTo('vault.cluster.unseal');
           this.store.peekAll('cluster')[0].reload();
           this.auth.deleteCurrentToken();
           // Reset version so it doesn't show on footer
           this.version.version = null;
-          return this.router.transitionTo('vault.cluster.unseal');
         });
     },
   },
diff --git a/ui/app/forms/auth/method.ts b/ui/app/forms/auth/method.ts
index 58dbabb9a8..811d0eec72 100644
--- a/ui/app/forms/auth/method.ts
+++ b/ui/app/forms/auth/method.ts
@@ -6,6 +6,7 @@
 import MountForm from 'vault/forms/mount';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
+import { ALL_ENGINES } from 'core/utils/all-engines-metadata';
 
 import type { AuthMethodFormData } from 'vault/auth/methods';
 
@@ -48,15 +49,22 @@ export default class AuthMethodForm extends MountForm<AuthMethodFormData> {
     });
   }
 
-  formFieldGroups = [
-    new FormFieldGroup('default', [this.fields.path]),
-    new FormFieldGroup('Method Options', [
+  get optionFields() {
+    const isWIF = !!ALL_ENGINES.find((engine) => engine.type === this.normalizedType && engine.isWIF);
+    const keyField = new FormField('config.identity_token_key', undefined, {
+      label: 'Identity token key',
+      subText: `A named key to sign tokens. If not provided, this will default to Vault's OIDC default key.`,
+      editType: 'yield',
+    });
+
+    return [
       this.fields.description,
       this.fields.listingVisibility,
       this.fields.local,
       this.fields.sealWrap,
       this.fields.defaultLeaseTtl,
       this.fields.maxLeaseTtl,
+      ...(isWIF ? [keyField] : []),
       new FormField('config.token_type', 'string', {
         label: 'Token type',
         helpText:
@@ -69,6 +77,13 @@ export default class AuthMethodForm extends MountForm<AuthMethodFormData> {
       this.fields.passthroughRequestHeaders,
       this.fields.allowedResponseHeaders,
       this.fields.pluginVersion,
-    ]),
-  ];
+    ];
+  }
+
+  get formFieldGroups() {
+    return [
+      new FormFieldGroup('default', [this.fields.path]),
+      new FormFieldGroup('Method Options', this.optionFields),
+    ];
+  }
 }
diff --git a/ui/app/forms/keymgmt/key.ts b/ui/app/forms/keymgmt/key.ts
new file mode 100644
index 0000000000..7f945e526a
--- /dev/null
+++ b/ui/app/forms/keymgmt/key.ts
@@ -0,0 +1,61 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+import {
+  KeyManagementUpdateKeyRequestTypeEnum,
+  KeyManagementUpdateKeyRequest,
+} from '@hashicorp/vault-client-typescript';
+
+const KEY_TYPES = Object.values(KeyManagementUpdateKeyRequestTypeEnum);
+
+type KeyFormData = KeyManagementUpdateKeyRequest & {
+  name: string;
+};
+
+export default class KeymgmtKeyForm extends Form<KeyFormData> {
+  icon = 'key';
+
+  get formFieldGroups() {
+    // Edit mode: only show min_enabled_version and deletion_allowed
+    if (!this.isNew) {
+      return [
+        new FormFieldGroup('default', [
+          new FormField('min_enabled_version', 'number', {
+            label: 'Minimum enabled version',
+            defaultValue: 0,
+            defaultShown: 'All versions enabled',
+          }),
+          new FormField('deletion_allowed', 'boolean', {
+            label: 'Allow deletion',
+            defaultValue: false,
+          }),
+        ]),
+      ];
+    }
+
+    // Create mode: show all fields
+    return [
+      new FormFieldGroup('default', [
+        new FormField('name', 'string', {
+          label: 'Key name',
+          subText: 'This is the name of the key that shows in Vault.',
+        }),
+        new FormField('type', 'string', {
+          label: 'Type',
+          subText: 'The type of cryptographic key that will be created.',
+          possibleValues: KEY_TYPES,
+          defaultValue: KeyManagementUpdateKeyRequestTypeEnum.RSA_2048,
+        }),
+        new FormField('deletion_allowed', 'boolean', {
+          label: 'Allow deletion',
+          defaultValue: false,
+        }),
+      ]),
+    ];
+  }
+}
diff --git a/ui/app/forms/keymgmt/provider.ts b/ui/app/forms/keymgmt/provider.ts
new file mode 100644
index 0000000000..d7be3838bc
--- /dev/null
+++ b/ui/app/forms/keymgmt/provider.ts
@@ -0,0 +1,161 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import type { Validations } from 'vault/app-types';
+import { get } from '@ember/object';
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+import {
+  KeyManagementWriteKmsProviderRequest,
+  KeyManagementWriteKmsProviderRequestProviderEnum,
+} from '@hashicorp/vault-client-typescript';
+
+type ProviderFormData = KeyManagementWriteKmsProviderRequest & {
+  name: string;
+  keys?: Array<Record<string, unknown>>;
+};
+
+type ProviderCredentialValidationModel = {
+  provider?: keyof typeof CRED_PROPS;
+  credentialProps?: string[];
+  credentials?: Record<string, string | undefined | null>;
+};
+
+interface Validator {
+  message: string;
+  validator(model: ProviderCredentialValidationModel): boolean | string;
+}
+
+export const PROVIDER_TYPES = Object.values(KeyManagementWriteKmsProviderRequestProviderEnum);
+
+export const CRED_PROPS = {
+  azurekeyvault: ['client_id', 'client_secret', 'tenant_id'],
+  awskms: ['access_key', 'secret_key', 'session_token', 'endpoint'],
+  gcpckms: ['service_account_file'],
+};
+
+const CRED_PROPS_LABEL = {
+  client_id: 'Client ID',
+  client_secret: 'Client secret',
+  tenant_id: 'Tenant ID',
+  access_key: 'Access key',
+  secret_key: 'Secret key',
+  session_token: 'Session token',
+  endpoint: 'Endpoint',
+  service_account_file: 'Service account file',
+};
+
+export const OPTIONAL_CRED_PROPS = ['session_token', 'endpoint'];
+
+export default class KeymgmtProviderForm extends Form<ProviderFormData> {
+  icon = 'key';
+  idPrefix = 'provider/';
+  type = 'provider';
+
+  constructor(...args: ConstructorParameters<typeof Form<ProviderFormData>>) {
+    super(...args);
+
+    // Provider read responses do not include credentials, but the form binds nested
+    // values like "credentials.client_id". Ensure the parent object always exists.
+    if (!this.data.credentials) {
+      this.data.credentials = {};
+    }
+  }
+
+  get credentialProps() {
+    const provider = this.data.provider;
+    if (!provider) return [];
+    return CRED_PROPS[provider as KeyManagementWriteKmsProviderRequestProviderEnum] || [];
+  }
+
+  get createFields() {
+    return [
+      new FormField('provider', 'string', {
+        label: 'Type',
+        subText: 'Choose the provider type.',
+        possibleValues: PROVIDER_TYPES,
+        noDefault: true,
+      }),
+      new FormField('name', 'string', {
+        label: 'Provider name',
+        subText:
+          'This is the name of the provider that will be displayed in Vault. This cannot be edited later.',
+      }),
+      new FormField('key_collection', 'string', {
+        label: 'Key Vault instance name',
+        subText: 'The name of a Key Vault instance must be supplied. This cannot be edited later.',
+      }),
+    ];
+  }
+
+  get credentialFields() {
+    return this.credentialProps.map((prop) => {
+      const options = {
+        label: CRED_PROPS_LABEL[prop as keyof typeof CRED_PROPS_LABEL],
+        ...(prop === 'service_account_file'
+          ? { subText: 'The path to a Google service account key file, not the file itself.' }
+          : {}),
+      };
+      return new FormField(`credentials.${prop}`, 'string', options);
+    });
+  }
+
+  get formFieldGroups() {
+    const groups: FormFieldGroup[] = [];
+
+    if (this.isNew) {
+      // Create mode: provider type, name, key_collection, credentials
+      groups.push(new FormFieldGroup('default', [...this.createFields]));
+
+      // Add credential fields based on provider type
+      if (this.credentialProps.length > 0) {
+        groups.push(new FormFieldGroup('credentials', this.credentialFields));
+      }
+    } else {
+      // Edit mode: only credentials if any
+      if (this.credentialProps.length > 0) {
+        groups.push(new FormFieldGroup('credentials', this.credentialFields));
+      }
+    }
+
+    return groups;
+  }
+
+  // since we have dynamic credential attributes based on provider we need a dynamic presence validator
+  // add validators for all cred props and return true for value if not associated with selected provider
+  get credValidators() {
+    return (Object.keys(CRED_PROPS) as Array<keyof typeof CRED_PROPS>).reduce(
+      (obj, providerKey) => {
+        CRED_PROPS[providerKey].forEach((prop: string) => {
+          if (!OPTIONAL_CRED_PROPS.includes(prop)) {
+            obj[`credentials.${prop}`] = [
+              {
+                message: `${CRED_PROPS_LABEL[prop as keyof typeof CRED_PROPS_LABEL]} is required`,
+                validator(model: ProviderCredentialValidationModel) {
+                  const selectedProvider = model.provider;
+                  if (!selectedProvider) return true;
+
+                  if (!CRED_PROPS[selectedProvider]?.includes(prop)) return true;
+
+                  const value = get(model, `credentials.${prop}`);
+                  return typeof value === 'string' ? value.trim().length > 0 : Boolean(value);
+                },
+              },
+            ];
+          }
+        });
+        return obj;
+      },
+      {} as Record<string, Validator[]>
+    );
+  }
+
+  validations: Validations = {
+    name: [{ type: 'presence', message: 'Provider name is required' }],
+    key_collection: [{ type: 'presence', message: 'Key Vault instance name is required' }],
+    ...this.credValidators,
+  };
+}
diff --git a/ui/app/forms/mfa/login-enforcement.ts b/ui/app/forms/mfa/login-enforcement.ts
new file mode 100644
index 0000000000..71e17b6dfb
--- /dev/null
+++ b/ui/app/forms/mfa/login-enforcement.ts
@@ -0,0 +1,69 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+
+import type { Validations } from 'vault/app-types';
+import type { MfaWriteLoginEnforcementRequest } from '@hashicorp/vault-client-typescript';
+
+type MfaLoginEnforcementFormData = MfaWriteLoginEnforcementRequest & {
+  name: string;
+};
+
+export default class MfaLoginEnforcementForm extends Form<MfaLoginEnforcementFormData> {
+  formFieldGroups = [
+    new FormFieldGroup('name', [
+      new FormField('name', 'string', {
+        label: 'Name',
+        subText:
+          'The name for this enforcement. Giving it a name means that you can refer to it again later. This name will not be editable later.',
+        editDisabled: !this.isNew,
+      }),
+    ]),
+    new FormFieldGroup('mfa_methods', [
+      new FormField('mfa_methods', 'array', {
+        label: 'MFA methods',
+        subText: 'The MFA method(s) that this enforcement will apply to.',
+        editType: 'yield',
+      }),
+    ]),
+    new FormFieldGroup('targets', [
+      new FormField('auth_method_accessors', 'array', {
+        editType: 'yield',
+      }),
+      new FormField('auth_method_types', 'array', {
+        editType: 'yield',
+      }),
+      new FormField('identity_entity_ids', 'array', {
+        editType: 'yield',
+      }),
+      new FormField('identity_group_ids', 'array', {
+        editType: 'yield',
+      }),
+    ]),
+  ];
+
+  validations: Validations = {
+    name: [{ type: 'presence', message: 'Name is required' }],
+    mfa_methods: [{ type: 'presence', message: 'At least one MFA method is required' }],
+    targets: [
+      {
+        validator(model: MfaLoginEnforcementFormData) {
+          // Check if at least one target is specified
+          return !!(
+            (model.auth_method_accessors && model.auth_method_accessors.length > 0) ||
+            (model.auth_method_types && model.auth_method_types.length > 0) ||
+            (model.identity_entity_ids && model.identity_entity_ids.length > 0) ||
+            (model.identity_group_ids && model.identity_group_ids.length > 0)
+          );
+        },
+        message:
+          "At least one target is required. If you've selected one, click 'Add' to make sure it's added to this enforcement.",
+      },
+    ],
+  };
+}
diff --git a/ui/app/forms/mfa/method/duo.ts b/ui/app/forms/mfa/method/duo.ts
new file mode 100644
index 0000000000..a3dd7b6d2d
--- /dev/null
+++ b/ui/app/forms/mfa/method/duo.ts
@@ -0,0 +1,50 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+
+import type { Validations } from 'vault/app-types';
+import type { MfaCreateDuoMethodRequest } from '@hashicorp/vault-client-typescript';
+
+type MfaCreateDuoMethodFormData = MfaCreateDuoMethodRequest & {
+  name: string;
+};
+
+export default class MfaCreateDuoMethodForm extends Form<MfaCreateDuoMethodFormData> {
+  type = 'duo';
+
+  formFields = [
+    new FormField('username_format', 'string', {
+      label: 'Username format',
+      subText: 'How to map identity names to MFA method names. ',
+    }),
+    new FormField('secret_key', 'string', {
+      label: 'Duo secret key',
+      sensitive: true,
+    }),
+    new FormField('integration_key', 'string', {
+      label: 'Duo integration key',
+      sensitive: true,
+    }),
+    new FormField('api_hostname', 'string', {
+      label: 'Duo API hostname',
+    }),
+    new FormField('push_info', 'string', {
+      label: 'Duo push information',
+      subText: 'Additional information displayed to the user when the push is presented to them.',
+    }),
+    new FormField('use_passcode', 'boolean', {
+      label: 'Passcode reminder',
+      subText: 'If this is turned on, the user is reminded to use the passcode upon MFA validation.',
+    }),
+  ];
+
+  validations: Validations = {
+    secret_key: [{ type: 'presence', message: 'Secret key is required.' }],
+    integration_key: [{ type: 'presence', message: 'Integration key is required.' }],
+    api_hostname: [{ type: 'presence', message: 'API hostname is required.' }],
+  };
+}
diff --git a/ui/app/forms/mfa/method/okta.ts b/ui/app/forms/mfa/method/okta.ts
new file mode 100644
index 0000000000..557277e2e5
--- /dev/null
+++ b/ui/app/forms/mfa/method/okta.ts
@@ -0,0 +1,44 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+
+import type { Validations } from 'vault/app-types';
+import type { MfaCreateOktaMethodRequest } from '@hashicorp/vault-client-typescript';
+
+type MfaCreateOktaMethodFormData = MfaCreateOktaMethodRequest & {
+  name: string;
+};
+
+export default class MfaCreateOktaMethodForm extends Form<MfaCreateOktaMethodFormData> {
+  type = 'okta';
+
+  formFields = [
+    new FormField('username_format', 'string', {
+      label: 'Username format',
+      subText: 'How to map identity names to MFA method names. ',
+    }),
+    new FormField('mount_accessor', 'string'),
+    new FormField('org_name', 'string', {
+      label: 'Organization name',
+      subText: 'Name of the organization to be used in the Okta API.',
+    }),
+    new FormField('api_token', 'string', {
+      label: 'Okta API key',
+    }),
+    new FormField('base_url', 'string', {
+      label: 'Base URL',
+      subText:
+        'If set, will be used as the base domain for API requests. Example are okta.com, oktapreview.com and okta-emea.com.',
+    }),
+    new FormField('primary_email', 'boolean'),
+  ];
+
+  validations: Validations = {
+    org_name: [{ type: 'presence', message: 'Org name is required.' }],
+    api_token: [{ type: 'presence', message: 'API token is required.' }],
+  };
+}
diff --git a/ui/app/forms/mfa/method/ping-id.ts b/ui/app/forms/mfa/method/ping-id.ts
new file mode 100644
index 0000000000..06fb73a44a
--- /dev/null
+++ b/ui/app/forms/mfa/method/ping-id.ts
@@ -0,0 +1,38 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+
+import type { Validations } from 'vault/app-types';
+import type { MfaCreatePingIdMethodRequest } from '@hashicorp/vault-client-typescript';
+
+type MfaCreatePingIdMethodFormData = MfaCreatePingIdMethodRequest & {
+  name: string;
+};
+
+export default class MfaCreatePingIdMethodForm extends Form<MfaCreatePingIdMethodFormData> {
+  type = 'pingid';
+
+  formFields = [
+    new FormField('username_format', 'string', {
+      label: 'Username format',
+      subText: 'How to map identity names to MFA method names. ',
+    }),
+    new FormField('settings_file_base64', 'string', {
+      label: 'Settings file',
+      subText: 'A base-64 encoded third party setting file retrieved from the PingIDs configuration page.',
+    }),
+    new FormField('use_signature', 'boolean'),
+    new FormField('idp_url', 'string'),
+    new FormField('admin_url', 'string'),
+    new FormField('authenticator_url', 'string'),
+    new FormField('org_alias', 'string'),
+  ];
+
+  validations: Validations = {
+    settings_file_base64: [{ type: 'presence', message: 'Settings file base64 is required.' }],
+  };
+}
diff --git a/ui/app/forms/mfa/method/totp.ts b/ui/app/forms/mfa/method/totp.ts
new file mode 100644
index 0000000000..c09d6d3e2b
--- /dev/null
+++ b/ui/app/forms/mfa/method/totp.ts
@@ -0,0 +1,73 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+
+import type { Validations } from 'vault/app-types';
+import type { MfaCreateTotpMethodRequest } from '@hashicorp/vault-client-typescript';
+
+type MfaCreateTotpMethodFormData = MfaCreateTotpMethodRequest & {
+  name: string;
+};
+
+export default class MfaCreateTotpMethodForm extends Form<MfaCreateTotpMethodFormData> {
+  type = 'totp';
+
+  formFields = [
+    new FormField('issuer', 'string', {
+      label: 'Issuer',
+      subText: 'The human-readable name of the keys issuing organization.',
+    }),
+    new FormField('period', undefined, {
+      label: 'Period',
+      editType: 'ttl',
+      helperTextEnabled: 'How long each generated TOTP is valid.',
+      hideToggle: true,
+    }),
+    new FormField('key_size', 'number', {
+      label: 'Key size',
+      subText: 'The size in bytes of the Vault generated key.',
+      helpText: 'Byte size of the generated key.',
+    }),
+    new FormField('qr_size', 'number', {
+      label: 'QR size',
+      subText: 'The pixel size of the generated square QR code.',
+      helpText: 'Pixel size of the QR code.',
+    }),
+    new FormField('algorithm', 'string', {
+      label: 'Algorithm',
+      editType: 'radio',
+      possibleValues: ['SHA1', 'SHA256', 'SHA512'],
+      subText: 'The hashing algorithm used to generate the TOTP code.',
+    }),
+    new FormField('digits', 'number', {
+      label: 'Digits',
+      editType: 'radio',
+      possibleValues: [6, 8],
+      subText: 'The number digits in the generated TOTP code.',
+      helpText: 'TOTP code length.',
+    }),
+    new FormField('skew', 'number', {
+      label: 'Skew',
+      editType: 'radio',
+      possibleValues: [0, 1],
+      subText: 'The number of delay periods allowed when validating a TOTP token.',
+    }),
+    new FormField('max_validation_attempts', 'number'),
+    new FormField('enable_self_enrollment', 'boolean', {
+      label: 'Enable self-enrollment',
+      editType: 'toggleButton',
+      helperTextEnabled:
+        'Let end users enroll in this MFA method on their own. You still control which auth mounts, groups, or entities it applies to.',
+      helperTextDisabled:
+        'Let end users enroll in this MFA method on their own. You still control which auth mounts, groups, or entities it applies to.',
+    }),
+  ];
+
+  validations: Validations = {
+    issuer: [{ type: 'presence', message: 'Issuer is required.' }],
+  };
+}
diff --git a/ui/app/forms/mount.ts b/ui/app/forms/mount.ts
index 74b0b5e556..9282255fae 100644
--- a/ui/app/forms/mount.ts
+++ b/ui/app/forms/mount.ts
@@ -8,6 +8,7 @@ import Form from 'vault/forms/form';
 import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
 import FormField from 'vault/utils/forms/field';
 import { WHITESPACE_WARNING } from 'vault/utils/forms/validators';
+import { VERSIONED_ENGINE_TYPES } from 'vault/utils/all-engines-metadata';
 
 import type { Validations } from 'vault/app-types';
 import type { SecretsEngineFormData } from 'vault/secrets/engine';
@@ -184,7 +185,7 @@ export default class MountForm<T extends SecretsEngineFormData | AuthMethodFormD
     }
 
     // options are only relevant for kv/generic engines
-    if (!['kv', 'generic'].includes(this.type)) {
+    if (!VERSIONED_ENGINE_TYPES.includes(this.type)) {
       delete data.options;
     }
 
diff --git a/ui/app/forms/oidc/assignment.ts b/ui/app/forms/oidc/assignment.ts
new file mode 100644
index 0000000000..e36068a2d9
--- /dev/null
+++ b/ui/app/forms/oidc/assignment.ts
@@ -0,0 +1,53 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+import isPresent from '@ember/utils/lib/is_present';
+
+import type { Validations } from 'vault/app-types';
+import type { OidcWriteAssignmentRequest } from '@hashicorp/vault-client-typescript';
+
+type OidcAssignmentFormData = OidcWriteAssignmentRequest & {
+  name: string;
+};
+
+export default class OidcAssignmentForm extends Form<OidcAssignmentFormData> {
+  formFieldGroups = [
+    new FormFieldGroup('default', [
+      new FormField('name', 'string', { editDisabled: true }),
+      // SearchSelect within the FormField component works in conjunction with Ember Data Models
+      // we can still use the component since it supports passing in an array of objects as options for the select
+      // yield out the fields so scopes can be fetched in the route and passed directly to SearchSelect
+      new FormField('entity_ids', undefined, {
+        label: 'Entities',
+        editType: 'yield',
+      }),
+      new FormField('group_ids', undefined, {
+        label: 'Groups',
+        editType: 'yield',
+      }),
+    ]),
+  ];
+
+  validations: Validations = {
+    name: [
+      { type: 'presence', message: 'Name is required.' },
+      {
+        type: 'containsWhiteSpace',
+        message: 'Name cannot contain whitespace.',
+      },
+    ],
+    targets: [
+      {
+        validator(data: OidcAssignmentFormData) {
+          return isPresent(data.entity_ids) || isPresent(data.group_ids);
+        },
+        message: 'At least one entity or group is required.',
+      },
+    ],
+  };
+}
diff --git a/ui/app/forms/oidc/client.ts b/ui/app/forms/oidc/client.ts
new file mode 100644
index 0000000000..4e49eedb6c
--- /dev/null
+++ b/ui/app/forms/oidc/client.ts
@@ -0,0 +1,72 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+
+import type { Validations } from 'vault/app-types';
+import type { OidcWriteClientRequest } from '@hashicorp/vault-client-typescript';
+
+type OidcClientFormData = OidcWriteClientRequest & {
+  name: string;
+};
+
+export default class OidcClientForm extends Form<OidcClientFormData> {
+  formFieldGroups = [
+    new FormFieldGroup('default', [
+      new FormField('name', 'string', {
+        label: 'Application name',
+        editDisabled: true,
+      }),
+      new FormField('client_type', 'string', {
+        label: 'Type',
+        subText:
+          'Specify whether the application type is confidential or public. The public type must use PKCE. This cannot be edited later.',
+        editType: 'radio',
+        editDisabled: true,
+        possibleValues: ['confidential', 'public'],
+      }),
+      new FormField('redirect_uris', 'array', {
+        label: 'Redirect URIs',
+        subText:
+          'One of these values must exactly match the redirect_uri parameter value used in each authentication request.',
+        editType: 'stringArray',
+      }),
+    ]),
+    new FormFieldGroup('More options', [
+      // SearchSelect within the FormField component works in conjunction with Ember Data Models
+      // we can still use the component since it supports passing in an array of objects as options for the select
+      // yield out the field so keys can be fetched in the route and passed directly to SearchSelect
+      new FormField('key', undefined, {
+        label: 'Signing key',
+        subText: 'Add a key to sign and verify the JSON web tokens (JWT). This cannot be edited later.',
+        editType: 'yield',
+        editDisabled: true,
+      }),
+      new FormField('id_token_ttl', undefined, {
+        label: 'ID Token TTL',
+        editType: 'ttl',
+        defaultValue: '24h',
+      }),
+      new FormField('access_token_ttl', undefined, {
+        label: 'Access Token TTL',
+        editType: 'ttl',
+        defaultValue: '24h',
+      }),
+    ]),
+  ];
+
+  validations: Validations = {
+    name: [
+      { type: 'presence', message: 'Name is required.' },
+      {
+        type: 'containsWhiteSpace',
+        message: 'Name cannot contain whitespace.',
+      },
+    ],
+    key: [{ type: 'presence', message: 'Key is required.' }],
+  };
+}
diff --git a/ui/app/forms/oidc/key.ts b/ui/app/forms/oidc/key.ts
new file mode 100644
index 0000000000..034e8bb12a
--- /dev/null
+++ b/ui/app/forms/oidc/key.ts
@@ -0,0 +1,43 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+
+import type { Validations } from 'vault/app-types';
+import type { OidcWriteKeyRequest } from '@hashicorp/vault-client-typescript';
+
+type OidcKeyFormData = OidcWriteKeyRequest & {
+  name: string;
+};
+
+export default class OidcKeyForm extends Form<OidcKeyFormData> {
+  formFieldGroups = [
+    new FormFieldGroup('default', [
+      new FormField('name', 'string', { editDisabled: true }),
+      new FormField('algorithm', 'string', {
+        possibleValues: ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'EdDSA'],
+      }),
+      new FormField('rotation_period', undefined, {
+        editType: 'ttl',
+      }),
+      new FormField('verification_ttl', undefined, {
+        label: 'Verification TTL',
+        editType: 'ttl',
+      }),
+    ]),
+  ];
+
+  validations: Validations = {
+    name: [
+      { type: 'presence', message: 'Name is required.' },
+      {
+        type: 'containsWhiteSpace',
+        message: 'Name cannot contain whitespace.',
+      },
+    ],
+  };
+}
diff --git a/ui/app/forms/oidc/provider.ts b/ui/app/forms/oidc/provider.ts
new file mode 100644
index 0000000000..7bbf719edf
--- /dev/null
+++ b/ui/app/forms/oidc/provider.ts
@@ -0,0 +1,47 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+
+import type { Validations } from 'vault/app-types';
+import type { OidcWriteProviderRequest } from '@hashicorp/vault-client-typescript';
+
+type OidcProviderFormData = OidcWriteProviderRequest & {
+  name: string;
+};
+
+export default class OidcProviderForm extends Form<OidcProviderFormData> {
+  formFieldGroups = [
+    new FormFieldGroup('default', [
+      new FormField('name', 'string', { editDisabled: true }),
+      new FormField('issuer', 'string', {
+        subText:
+          "The scheme, host, and optional port for your issuer. This will be used to build the URL that validates ID tokens. Defaults to a URL with Vault's api_addr.",
+        placeholder: 'e.g. https://example.com:8200',
+        docLink: '/vault/api-docs/secret/identity/oidc-provider#create-or-update-a-provider',
+      }),
+      // SearchSelect within the FormField component works in conjunction with Ember Data Models
+      // we can still use the component since it supports passing in an array of objects as options for the select
+      // yield out the field so scopes can be fetched in the route and passed directly to SearchSelect
+      new FormField('supported_scopes', undefined, {
+        label: 'Supported scopes',
+        subText: 'Scopes define information about a user and the OIDC service. Optional.',
+        editType: 'yield',
+      }),
+    ]),
+  ];
+
+  validations: Validations = {
+    name: [
+      { type: 'presence', message: 'Name is required.' },
+      {
+        type: 'containsWhiteSpace',
+        message: 'Name cannot contain whitespace.',
+      },
+    ],
+  };
+}
diff --git a/ui/app/forms/oidc/scope.ts b/ui/app/forms/oidc/scope.ts
new file mode 100644
index 0000000000..8b7fda85ab
--- /dev/null
+++ b/ui/app/forms/oidc/scope.ts
@@ -0,0 +1,29 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+
+import type { Validations } from 'vault/app-types';
+import type { OidcWriteScopeRequest } from '@hashicorp/vault-client-typescript';
+
+type OidcScopeFormData = OidcWriteScopeRequest & {
+  name: string;
+};
+
+export default class OidcScopeForm extends Form<OidcScopeFormData> {
+  formFieldGroups = [
+    new FormFieldGroup('default', [
+      new FormField('name', 'string', { editDisabled: true }),
+      new FormField('description', 'string', { editType: 'textarea' }),
+      new FormField('template', 'string', { label: 'JSON Template', editType: 'json', mode: 'ruby' }),
+    ]),
+  ];
+
+  validations: Validations = {
+    name: [{ type: 'presence', message: 'Name is required.' }],
+  };
+}
diff --git a/ui/app/forms/policy.ts b/ui/app/forms/policy.ts
new file mode 100644
index 0000000000..bb06f7bd7b
--- /dev/null
+++ b/ui/app/forms/policy.ts
@@ -0,0 +1,47 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { tracked } from '@glimmer/tracking';
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+
+type PolicyFormData = {
+  name: string;
+  policy: string;
+  enforcement_level?: string;
+  paths?: string[];
+};
+
+export default class PolicyForm extends Form<PolicyFormData> {
+  @tracked declare policyType: string;
+
+  formFields = [
+    new FormField('name', 'string', {
+      label: 'Policy name',
+      placeholder: 'Enter the policy name',
+    }),
+    new FormField('policy', undefined, { editType: 'yield', label: '' }),
+  ];
+  fieldProps = ['formFields', 'additionalFields'];
+
+  get additionalFields() {
+    if (this.policyType === 'acl') {
+      return [];
+    }
+
+    const fields = [
+      new FormField('enforcement_level', 'string', {
+        possibleValues: ['hard-mandatory', 'soft-mandatory', 'advisory'],
+        label: 'Enforcement level',
+      }),
+    ];
+
+    if (this.policyType == 'egp') {
+      fields.push(new FormField('paths', 'string', { editType: 'stringArray' }));
+    }
+
+    return fields;
+  }
+}
diff --git a/ui/app/forms/secrets/aws-config.ts b/ui/app/forms/secrets/aws-config.ts
index 0fc208c74b..1399934a4f 100644
--- a/ui/app/forms/secrets/aws-config.ts
+++ b/ui/app/forms/secrets/aws-config.ts
@@ -41,6 +41,7 @@ export default class AwsConfigForm extends WifConfigForm<AwsConfigFormData> {
   optionFields = [
     new FormField('region', 'string', {
       possibleValues: regions(),
+      noDefault: true,
       subText:
         'Specifies the AWS region. If not set it will use the AWS_REGION env var, AWS_DEFAULT_REGION env var, or us-east-1 in that order.',
     }),
diff --git a/ui/app/forms/secrets/engine.ts b/ui/app/forms/secrets/engine.ts
index 7e39262492..24b3814cee 100644
--- a/ui/app/forms/secrets/engine.ts
+++ b/ui/app/forms/secrets/engine.ts
@@ -3,8 +3,8 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
+import { ALL_ENGINES } from 'core/utils/all-engines-metadata';
 import MountForm from 'vault/forms/mount';
-import { ALL_ENGINES } from 'vault/utils/all-engines-metadata';
 import { isKnownExternalPlugin } from 'vault/utils/external-plugin-helpers';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
@@ -20,8 +20,12 @@ export default class SecretsEngineForm extends MountForm<SecretsEngineFormData>
     // path validation is already defined on the MountForm class
     // add validation for kv max versions
     this.validations['kv_config.max_versions'] = [
-      { type: 'number', message: 'Maximum versions must be a number.' },
+      { type: 'number', options: { min: 0 }, message: 'Maximum versions must be a non-negative number.' },
       { type: 'length', options: { min: 1, max: 16 }, message: 'You cannot go over 16 characters.' },
+      {
+        validator: (data: SecretsEngineFormData) => !data?.kv_config?.max_versions?.toString().includes('.'),
+        message: 'Maximum versions must be a whole number.',
+      },
     ];
     // add validation for plugin_version when mounting external plugins
     this.validations['config.plugin_version'] = [
diff --git a/ui/app/forms/secrets/kubernetes/role.ts b/ui/app/forms/secrets/kubernetes/role.ts
index 501b236e74..24f3169798 100644
--- a/ui/app/forms/secrets/kubernetes/role.ts
+++ b/ui/app/forms/secrets/kubernetes/role.ts
@@ -44,7 +44,8 @@ export default class KubernetesRoleForm extends Form<KubernetesRoleFormData> {
         full: ['service_account_name', 'kubernetes_role_name'],
       }[pref];
       props.forEach((prop) => {
-        delete this.data[prop as keyof typeof this.data];
+        // if the prop is deleted it will not be serialized in the payload and the previous value will remain unchanged on the backend
+        (this.data[prop as keyof KubernetesRoleFormData] as string) = '';
       });
     }
     this._generationPreference = pref;
diff --git a/ui/app/forms/secrets/kv.ts b/ui/app/forms/secrets/kv.ts
index b7d241b03f..429a35a8d0 100644
--- a/ui/app/forms/secrets/kv.ts
+++ b/ui/app/forms/secrets/kv.ts
@@ -43,8 +43,12 @@ export default class KvForm extends Form<KvFormData> {
       },
     ],
     max_versions: [
-      { type: 'number', message: 'Maximum versions must be a number.' },
+      { type: 'number', options: { min: 0 }, message: 'Maximum versions must be a non-negative number.' },
       { type: 'length', options: { min: 1, max: 16 }, message: 'You cannot go over 16 characters.' },
+      {
+        validator: ({ max_versions }: KvForm['data']) => !max_versions?.toString().includes('.'),
+        message: 'Maximum versions must be a whole number.',
+      },
     ],
   };
 
diff --git a/ui/app/forms/secrets/ldap/roles/dynamic.ts b/ui/app/forms/secrets/ldap/roles/dynamic.ts
index 7021832646..226743c24b 100644
--- a/ui/app/forms/secrets/ldap/roles/dynamic.ts
+++ b/ui/app/forms/secrets/ldap/roles/dynamic.ts
@@ -84,7 +84,18 @@ export default class LdapDynamicRoleForm extends Form<LdapDynamicRoleFormData> {
   ];
 
   validations: Validations = {
-    name: [{ type: 'presence', message: 'Name is required' }],
+    name: [
+      { type: 'presence', message: 'Name is required' },
+      {
+        validator: ({ name }: LdapDynamicRoleFormData) => {
+          // Allow alphanumeric, hyphens, underscores, periods, and forward slashes
+          const validPattern = /^[a-z0-9\-_./]+$/;
+          return validPattern.test(name);
+        },
+        message:
+          'Name must be lowercase and can only contain alphanumeric characters, hyphens, underscores, periods, and forward slashes.',
+      },
+    ],
     creation_ldif: [{ type: 'presence', message: 'Creation LDIF is required.' }],
     deletion_ldif: [{ type: 'presence', message: 'Deletion LDIF is required.' }],
   };
diff --git a/ui/app/forms/secrets/ldap/roles/static.ts b/ui/app/forms/secrets/ldap/roles/static.ts
index 33c6b36372..ad46ae055d 100644
--- a/ui/app/forms/secrets/ldap/roles/static.ts
+++ b/ui/app/forms/secrets/ldap/roles/static.ts
@@ -8,11 +8,11 @@ import FormField from 'vault/utils/forms/field';
 import type { Validations } from 'vault/app-types';
 import type { LdapWriteStaticRoleRequest } from '@hashicorp/vault-client-typescript';
 
-type LdapDynamicRoleFormData = LdapWriteStaticRoleRequest & {
+type LdapStaticRoleFormData = LdapWriteStaticRoleRequest & {
   name: string;
 };
 
-export default class LdapStaticRoleForm extends Form<LdapDynamicRoleFormData> {
+export default class LdapStaticRoleForm extends Form<LdapStaticRoleFormData> {
   formFields = [
     new FormField('name', 'string', {
       label: 'Role name',
@@ -38,7 +38,18 @@ export default class LdapStaticRoleForm extends Form<LdapDynamicRoleFormData> {
   ];
 
   validations: Validations = {
-    name: [{ type: 'presence', message: 'Name is required' }],
+    name: [
+      { type: 'presence', message: 'Name is required' },
+      {
+        validator: ({ name }: LdapStaticRoleFormData) => {
+          // Allow alphanumeric, hyphens, underscores, periods, and forward slashes
+          const validPattern = /^[a-z0-9\-_./]+$/;
+          return validPattern.test(name);
+        },
+        message:
+          'Name must be lowercase and can only contain alphanumeric characters, hyphens, underscores, periods, and forward slashes.',
+      },
+    ],
     username: [{ type: 'presence', message: 'Username is required.' }],
     rotation_period: [{ type: 'presence', message: 'Rotation Period is required.' }],
   };
diff --git a/ui/app/forms/ssh/otp-credential.ts b/ui/app/forms/ssh/otp-credential.ts
new file mode 100644
index 0000000000..23eb1cf1a1
--- /dev/null
+++ b/ui/app/forms/ssh/otp-credential.ts
@@ -0,0 +1,24 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import { Validations } from 'vault/vault/app-types';
+
+interface SshOtpCredentialData {
+  username: string;
+  ip: string;
+}
+
+export default class SshOtpCredentialForm extends Form<SshOtpCredentialData> {
+  formFields = [
+    new FormField('username', 'string', { label: 'Username' }),
+    new FormField('ip', 'string', { label: 'IP address' }),
+  ];
+
+  validations: Validations = {
+    ip: [{ type: 'presence', message: 'IP address is required' }],
+  };
+}
diff --git a/ui/app/forms/ssh/role.ts b/ui/app/forms/ssh/role.ts
new file mode 100644
index 0000000000..692f0e3f39
--- /dev/null
+++ b/ui/app/forms/ssh/role.ts
@@ -0,0 +1,189 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+
+const OTP_FIELD_ORDER = [
+  'name',
+  'key_type',
+  'default_user',
+  'admin_user',
+  'port',
+  'allowed_users',
+  'cidr_list',
+  'exclude_cidr_list',
+];
+
+const CA_FIELD_ORDER = [
+  'name',
+  'key_type',
+  'allow_user_certificates',
+  'allow_host_certificates',
+  'default_user',
+  'allowed_users',
+  'allowed_users_template',
+  'allowed_domains',
+  'allowed_domains_template',
+  'ttl',
+  'max_ttl',
+  'allowed_critical_options',
+  'default_critical_options',
+  'allowed_extensions',
+  'default_extensions',
+  'allow_bare_domains',
+  'allow_subdomains',
+  'allow_empty_principals',
+  'allow_user_key_ids',
+  'key_id_format',
+  'not_before_duration',
+  'algorithm_signer',
+];
+
+// All field names across both key types, deduplicated, for proxy discovery
+const ALL_FIELD_NAMES = [...new Set([...OTP_FIELD_ORDER, ...CA_FIELD_ORDER])];
+
+const FIELDS: Record<string, FormField> = {
+  name: new FormField('name', 'string', {
+    label: 'Role name',
+    fieldValue: 'name',
+  }),
+  key_type: new FormField('key_type', 'string', {
+    possibleValues: ['ca', 'otp'],
+  }),
+  admin_user: new FormField('admin_user', 'string', {
+    helpText: 'Username of the admin user at the remote host',
+  }),
+  default_user: new FormField('default_user', 'string', {
+    helpText: "Username to use when one isn't specified",
+  }),
+  allowed_users: new FormField('allowed_users', 'string', {
+    helpText:
+      'Create a list of users who are allowed to use this key (e.g. `admin, dev`, or use `*` to allow all.)',
+  }),
+  allowed_users_template: new FormField('allowed_users_template', 'boolean', {
+    helpText:
+      'Specifies that Allowed Users can be templated e.g. {{identity.entity.aliases.mount_accessor_xyz.name}}',
+  }),
+  allowed_domains: new FormField('allowed_domains', 'string', {
+    helpText:
+      'List of domains for which a client can request a certificate (e.g. `example.com`, or `*` to allow all)',
+  }),
+  allowed_domains_template: new FormField('allowed_domains_template', 'boolean', {
+    helpText:
+      'Specifies that Allowed Domains can be set using identity template policies. Non-templated domains are also permitted.',
+  }),
+  cidr_list: new FormField('cidr_list', 'string', {
+    helpText: 'List of CIDR blocks for which this role is applicable',
+  }),
+  exclude_cidr_list: new FormField('exclude_cidr_list', 'string', {
+    helpText: 'List of CIDR blocks that are not accepted by this role',
+  }),
+  port: new FormField('port', 'number', {
+    helpText: 'Port number for the SSH connection (default is `22`)',
+  }),
+  allowed_critical_options: new FormField('allowed_critical_options', 'string', {
+    helpText: 'List of critical options that certificates have when signed',
+  }),
+  default_critical_options: new FormField('default_critical_options', 'object', {
+    helpText: 'Map of critical options certificates should have if none are provided when signing',
+  }),
+  allowed_extensions: new FormField('allowed_extensions', 'string', {
+    helpText: 'List of extensions that certificates can have when signed',
+  }),
+  default_extensions: new FormField('default_extensions', 'object', {
+    helpText: 'Map of extensions certificates should have if none are provided when signing',
+  }),
+  allow_user_certificates: new FormField('allow_user_certificates', 'boolean', {
+    helpText: 'Specifies if certificates are allowed to be signed for us as a user',
+  }),
+  allow_host_certificates: new FormField('allow_host_certificates', 'boolean', {
+    helpText: 'Specifies if certificates are allowed to be signed for us as a host',
+  }),
+  allow_bare_domains: new FormField('allow_bare_domains', 'boolean', {
+    helpText:
+      'Specifies if host certificates that are requested are allowed to use the base domains listed in Allowed Domains',
+  }),
+  allow_subdomains: new FormField('allow_subdomains', 'boolean', {
+    helpText:
+      'Specifies if host certificates that are requested are allowed to be subdomains of those listed in Allowed Domains',
+  }),
+  allow_empty_principals: new FormField('allow_empty_principals', 'boolean', {
+    helpText:
+      'Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.',
+  }),
+  allow_user_key_ids: new FormField('allow_user_key_ids', 'boolean', {
+    helpText: 'Specifies if users can override the key ID for a signed certificate with the "key_id" field',
+  }),
+  key_id_format: new FormField('key_id_format', 'string', {
+    helpText: 'When supplied, this value specifies a custom format for the key id of a signed certificate',
+  }),
+  not_before_duration: new FormField('not_before_duration', 'string', {
+    helpText: 'Specifies the duration by which to backdate the ValidAfter property',
+    editType: 'ttl',
+  }),
+  ttl: new FormField('ttl', 'string', {
+    editType: 'ttl',
+  }),
+  max_ttl: new FormField('max_ttl', 'string', {
+    editType: 'ttl',
+  }),
+  algorithm_signer: new FormField('algorithm_signer', 'string', {
+    helpText: 'When supplied, this value specifies a signing algorithm for the key',
+    possibleValues: ['default', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512'],
+  }),
+};
+
+type SshRoleData = {
+  name: string;
+  backend: string;
+  key_type: string;
+  [key: string]: unknown;
+};
+
+export default class SshRoleForm extends Form<SshRoleData> {
+  /*
+   * formFieldGroups always returns all possible fields so the proxy can
+   * discover every data key regardless of which key_type is active.
+   * This is called directly on the raw target inside the proxy handler,
+   * so it must not read any proxied data properties (e.g. this.key_type).
+   */
+  get formFieldGroups() {
+    return [
+      new FormFieldGroup(
+        'default',
+        ALL_FIELD_NAMES.map((name) => FIELDS[name]).filter((f): f is FormField => !!f)
+      ),
+    ];
+  }
+
+  /*
+   * fieldGroups is what FormFieldGroupsLoop reads. It is accessed through
+   * the proxy, so this.key_type correctly resolves to data.key_type.
+   */
+  get fieldGroups() {
+    const isOtp = this.data.key_type === 'otp';
+    const defaultFieldsNum = isOtp ? 3 : 4;
+    const fieldOrder = isOtp ? [...OTP_FIELD_ORDER] : [...CA_FIELD_ORDER];
+    const defaultFieldNames = fieldOrder.splice(0, defaultFieldsNum);
+    return [
+      new FormFieldGroup(
+        'default',
+        defaultFieldNames.map((name) => FIELDS[name]).filter((f): f is FormField => !!f)
+      ),
+      new FormFieldGroup(
+        'Options',
+        fieldOrder.map((name) => FIELDS[name]).filter((f): f is FormField => !!f)
+      ),
+    ];
+  }
+
+  // Flat ordered list of fields for the current key_type, used by the show view.
+  get displayFields() {
+    const fieldOrder = this.data.key_type === 'otp' ? OTP_FIELD_ORDER : CA_FIELD_ORDER;
+    return fieldOrder.map((name) => FIELDS[name]).filter((f): f is FormField => !!f);
+  }
+}
diff --git a/ui/app/forms/ssh/sign.ts b/ui/app/forms/ssh/sign.ts
new file mode 100644
index 0000000000..0bfb66e7a5
--- /dev/null
+++ b/ui/app/forms/ssh/sign.ts
@@ -0,0 +1,49 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+import { Validations } from 'vault/vault/app-types';
+
+interface SshSignData {
+  public_key: string;
+  key_id?: string;
+  valid_principals?: string;
+  cert_type?: string;
+  critical_options?: Record<string, unknown>;
+  extensions?: Record<string, unknown>;
+  ttl?: string;
+}
+
+export default class SshSignForm extends Form<SshSignData> {
+  get formFieldGroups() {
+    return [
+      new FormFieldGroup('default', [
+        new FormField('public_key', 'string', { label: 'Public key' }),
+        new FormField('valid_principals', 'string', {
+          label: 'Valid principals',
+          helpText:
+            'Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals.',
+        }),
+      ]),
+      new FormFieldGroup('More options', [
+        new FormField('key_id', 'string', { label: 'Key ID' }),
+        new FormField('cert_type', 'string', {
+          label: 'Certificate Type',
+          possibleValues: ['user', 'host'],
+          defaultValue: 'user',
+        }),
+        new FormField('critical_options', 'object', { label: 'Critical Options' }),
+        new FormField('extensions', 'object', { label: 'Extensions' }),
+        new FormField('ttl', 'string', { label: 'TTL', editType: 'ttl' }),
+      ]),
+    ];
+  }
+
+  validations: Validations = {
+    public_key: [{ type: 'presence', message: 'Public Key is required' }],
+  };
+}
diff --git a/ui/app/forms/sync/aws-sm.ts b/ui/app/forms/sync/aws-sm.ts
index 5e4ab8a8a8..8d5db66b1c 100644
--- a/ui/app/forms/sync/aws-sm.ts
+++ b/ui/app/forms/sync/aws-sm.ts
@@ -3,63 +3,86 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Form from 'vault/forms/form';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
-import { commonFields, getPayload } from './shared';
+import { regions } from 'vault/helpers/aws-regions';
+import { CredentialType, DestinationType } from 'sync/utils/constants';
+import CreateDestinationForm from './create-destination';
 
 import type { SystemWriteSyncDestinationsAwsSmNameRequest } from '@hashicorp/vault-client-typescript';
 
 type AwsSmFormData = SystemWriteSyncDestinationsAwsSmNameRequest & {
   name: string;
+  credential_type: CredentialType;
 };
 
-export default class AwsSmForm extends Form<AwsSmFormData> {
-  formFieldGroups = [
-    new FormFieldGroup('default', [
-      commonFields.name,
-      new FormField('region', 'string', {
-        subText:
-          'For AWS secrets manager, the name of the region must be supplied, something like “us-west-1.” If empty, Vault will use the AWS_REGION environment variable if configured.',
-        editDisabled: true,
-      }),
-      new FormField('role_arn', 'string', {
-        label: 'Role ARN',
-        subText:
-          'Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate.',
-      }),
-      new FormField('external_id', 'string', {
-        label: 'External ID',
-        subText:
-          'Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination.',
-      }),
-    ]),
-    new FormFieldGroup('Credentials', [
-      new FormField('access_key_id', 'string', {
-        label: 'Access key ID',
-        subText:
-          'Access key ID to authenticate against the secrets manager. If empty, Vault will use the AWS_ACCESS_KEY_ID environment variable if configured.',
-        sensitive: true,
-        noCopy: true,
-      }),
-      new FormField('secret_access_key', 'string', {
-        label: 'Secret access key',
-        subText:
-          'Secret access key to authenticate against the secrets manager. If empty, Vault will use the AWS_SECRET_ACCESS_KEY environment variable if configured.',
-        sensitive: true,
-        noCopy: true,
-      }),
-    ]),
-    new FormFieldGroup('Advanced configuration', [
-      commonFields.granularity,
-      commonFields.secretNameTemplate,
-      commonFields.customTags,
-    ]),
-  ];
+export default class AwsSmForm extends CreateDestinationForm<AwsSmFormData> {
+  get isAccountPluginConfigured() {
+    return !!this.data.access_key_id;
+  }
+
+  get isWifPluginConfigured() {
+    const { identity_token_audience, identity_token_ttl, role_arn } = this.data;
+    return !!identity_token_audience || !!identity_token_ttl || !!role_arn;
+  }
+
+  accountCredentialGroup = new FormFieldGroup('IAM credentials', [
+    new FormField('access_key_id', 'string', {
+      label: 'Access key ID',
+      subText:
+        'Access key ID to authenticate against the secrets manager. If empty, Vault will use the AWS_ACCESS_KEY_ID environment variable if configured.',
+      sensitive: true,
+      noCopy: true,
+    }),
+    new FormField('secret_access_key', 'string', {
+      label: 'Secret access key',
+      subText:
+        'Secret access key to authenticate against the secrets manager. If empty, Vault will use the AWS_SECRET_ACCESS_KEY environment variable if configured.',
+      sensitive: true,
+      noCopy: true,
+    }),
+  ]);
+
+  get wifCredentialGroup() {
+    return this.createWifCredentialGroup();
+  }
+
+  get formFieldGroups() {
+    const credentialGroup =
+      this.credentialType === CredentialType.ACCOUNT ? this.accountCredentialGroup : this.wifCredentialGroup;
+    return [
+      new FormFieldGroup('Destination details', [
+        this.commonFields.name,
+        new FormField('region', 'string', {
+          possibleValues: regions(),
+          noDefault: true,
+          subText:
+            'For AWS secrets manager, the name of the region must be supplied, something like “us-west-1.” If empty, Vault will use the AWS_REGION environment variable if configured.',
+          editDisabled: true,
+        }),
+        new FormField('role_arn', 'string', {
+          label: 'Role ARN',
+          subText:
+            'Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate.',
+        }),
+        new FormField('external_id', 'string', {
+          label: 'External ID',
+          subText:
+            'Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination.',
+        }),
+      ]),
+      credentialGroup,
+      new FormFieldGroup('Advanced configuration', [
+        this.commonFields.granularity,
+        this.commonFields.secretNameTemplate,
+        this.commonFields.customTags,
+      ]),
+    ];
+  }
 
   toJSON() {
     const formState = super.toJSON();
-    const data = getPayload<AwsSmFormData>('aws-sm', this.data, this.isNew);
+    const data = this.getPayload<AwsSmFormData>(DestinationType.AwsSm, this.data, this.isNew);
     return { ...formState, data };
   }
 }
diff --git a/ui/app/forms/sync/azure-kv.ts b/ui/app/forms/sync/azure-kv.ts
index e8052a215b..ac7995cfc9 100644
--- a/ui/app/forms/sync/azure-kv.ts
+++ b/ui/app/forms/sync/azure-kv.ts
@@ -3,61 +3,81 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Form from 'vault/forms/form';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
-import { commonFields, getPayload } from './shared';
+import { CredentialType, DestinationType } from 'sync/utils/constants';
 
 import type { SystemWriteSyncDestinationsAzureKvNameRequest } from '@hashicorp/vault-client-typescript';
+import CreateDestinationForm from './create-destination';
 
 type AzureKvFormData = SystemWriteSyncDestinationsAzureKvNameRequest & {
   name: string;
+  credential_type: CredentialType;
 };
 
-export default class AzureKvForm extends Form<AzureKvFormData> {
-  formFieldGroups = [
-    new FormFieldGroup('default', [
-      commonFields.name,
-      new FormField('key_vault_uri', 'string', {
-        label: 'Key Vault URI',
-        subText:
-          'URI of an existing Azure Key Vault instance. If empty, Vault will use the KEY_VAULT_URI environment variable if configured.',
-        editDisabled: true,
-      }),
-      new FormField('tenant_id', 'string', {
-        label: 'Tenant ID',
-        subText:
-          'ID of the target Azure tenant. If empty, Vault will use the AZURE_TENANT_ID environment variable if configured.',
-        editDisabled: true,
-      }),
-      new FormField('cloud', 'string', {
-        subText: 'Specifies a cloud for the client. The default is Azure Public Cloud.',
-        editDisabled: true,
-      }),
-      new FormField('client_id', 'string', {
-        label: 'Client ID',
-        subText:
-          'Client ID of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_ID environment variable if configured.',
-      }),
-    ]),
-    new FormFieldGroup('Credentials', [
-      new FormField('client_secret', 'string', {
-        subText:
-          'Client secret of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_SECRET environment variable if configured.',
-        sensitive: true,
-        noCopy: true,
-      }),
-    ]),
-    new FormFieldGroup('Advanced configuration', [
-      commonFields.granularity,
-      commonFields.secretNameTemplate,
-      commonFields.customTags,
-    ]),
-  ];
+export default class AzureKvForm extends CreateDestinationForm<AzureKvFormData> {
+  // the "clientSecret" param is not checked because it's never returned by the API.
+  // thus we can never say for sure if the account accessType has been configured so we always return false
+  isAccountPluginConfigured = false;
+
+  get isWifPluginConfigured() {
+    const { identity_token_audience, identity_token_ttl } = this.data;
+    return !!identity_token_audience || !!identity_token_ttl;
+  }
+
+  accountCredentialGroup = new FormFieldGroup('Client secret', [
+    new FormField('client_secret', 'string', {
+      subText:
+        'Client secret of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_SECRET environment variable if configured.',
+      sensitive: true,
+      noCopy: true,
+    }),
+  ]);
+
+  get wifCredentialGroup() {
+    return this.createWifCredentialGroup();
+  }
+
+  get formFieldGroups() {
+    const credentialGroup =
+      this.credentialType === CredentialType.ACCOUNT ? this.accountCredentialGroup : this.wifCredentialGroup;
+    return [
+      new FormFieldGroup('Destination details', [
+        this.commonFields.name,
+        new FormField('key_vault_uri', 'string', {
+          label: 'Key Vault URI',
+          subText:
+            'URI of an existing Azure Key Vault instance. If empty, Vault will use the KEY_VAULT_URI environment variable if configured.',
+          editDisabled: true,
+        }),
+        new FormField('tenant_id', 'string', {
+          label: 'Tenant ID',
+          subText:
+            'ID of the target Azure tenant. If empty, Vault will use the AZURE_TENANT_ID environment variable if configured.',
+          editDisabled: true,
+        }),
+        new FormField('cloud', 'string', {
+          subText: 'Specifies a cloud for the client. The default is Azure Public Cloud.',
+          editDisabled: true,
+        }),
+        new FormField('client_id', 'string', {
+          label: 'Client ID',
+          subText:
+            'Client ID of an Azure app registration. If empty, Vault will use the AZURE_CLIENT_ID environment variable if configured.',
+        }),
+      ]),
+      credentialGroup,
+      new FormFieldGroup('Advanced configuration', [
+        this.commonFields.granularity,
+        this.commonFields.secretNameTemplate,
+        this.commonFields.customTags,
+      ]),
+    ];
+  }
 
   toJSON() {
     const formState = super.toJSON();
-    const data = getPayload<AzureKvFormData>('azure-kv', this.data, this.isNew);
+    const data = this.getPayload<AzureKvFormData>(DestinationType.AzureKv, this.data, this.isNew);
     return { ...formState, data };
   }
 }
diff --git a/ui/app/forms/sync/create-destination.ts b/ui/app/forms/sync/create-destination.ts
new file mode 100644
index 0000000000..9194caaebd
--- /dev/null
+++ b/ui/app/forms/sync/create-destination.ts
@@ -0,0 +1,104 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+import { findDestination } from 'core/helpers/sync-destinations';
+import { CredentialType, DestinationType } from 'sync/utils/constants';
+
+import { tracked } from '@glimmer/tracking';
+
+export const DEFAULT_IDENTITY_TOKEN_TTL = '3600s';
+
+export default class CreateDestinationForm<T extends object> extends Form<T> {
+  @tracked credentialType: CredentialType = CredentialType.ACCOUNT;
+
+  commonFields = {
+    name: new FormField('name', 'string', {
+      subText: 'Specifies the name for this destination.',
+      editDisabled: true,
+    }),
+
+    secretNameTemplate: new FormField('secret_name_template', 'string', {
+      subText:
+        'Go-template string that indicates how to format the secret name at the destination. The default template varies by destination type but is generally in the form of "vault-{{ .MountAccessor }}-{{ .SecretPath }}" e.g. "vault-kv_9a8f68ad-my-secret-1". Optional.',
+    }),
+
+    granularity: new FormField('granularity', 'string', {
+      editType: 'radio',
+      label: 'Secret sync granularity',
+      possibleValues: [
+        {
+          label: 'Secret path',
+          subText: 'Sync entire secret contents as a single entry at the destination.',
+          value: 'secret-path',
+        },
+        {
+          label: 'Secret key',
+          subText: 'Sync each key-value pair of secret data as a distinct entry at the destination.',
+          helpText:
+            'Only top-level keys will be synced and any nested or complex values will be encoded as a JSON string.',
+          value: 'secret-key',
+        },
+      ],
+    }),
+
+    customTags: new FormField('custom_tags', 'object', {
+      subText:
+        'An optional set of informational key-value pairs added as additional metadata on secrets synced to this destination. Custom tags are merged with built-in tags.',
+      editType: 'kv',
+    }),
+  };
+
+  getPayload<T>(type: DestinationType, data: T, isNew: boolean) {
+    const { maskedParams, readonlyParams } = findDestination(type);
+    const payload: T = { ...data };
+
+    // the server returns ****** for sensitive fields
+    // these are represented as maskedParams in the sync-destinations helper
+    // when editing, remove these fields from the payload if they haven't been changed
+    if (!isNew) {
+      maskedParams.forEach((maskedParam) => {
+        const key = maskedParam as keyof T;
+        const value = (payload[key] as string) || '';
+        // if the value is asterisks, remove it from the payload
+        if (value.match(/^\*+$/)) {
+          delete payload[key];
+        }
+      });
+
+      // to preserve the original Ember Data payload structure, remove fields that are not editable
+      // since editing is disabled in the form the value will not change so this is mostly to satisfy existing test conditions
+      readonlyParams.forEach((readonlyParam) => {
+        delete payload[readonlyParam as keyof T];
+      });
+    }
+
+    return payload;
+  }
+
+  protected createWifCredentialGroup(additionalFields: FormField[] = []): FormFieldGroup {
+    const commonFields = [
+      new FormField('identity_token_audience', 'string', {
+        label: 'Identity token audience',
+        sensitive: true,
+        noCopy: true,
+      }),
+      new FormField('identity_token_key', 'string', {
+        label: 'Identity token key',
+        sensitive: true,
+        noCopy: true,
+      }),
+      new FormField('identity_token_ttl', 'string', {
+        label: 'Identity token time to live (TTL)',
+        editType: 'ttl',
+        helperTextEnabled: 'The TTL of generated tokens.',
+        hideToggle: true,
+      }),
+    ];
+    return new FormFieldGroup('WIF credentials', [...additionalFields, ...commonFields]);
+  }
+}
diff --git a/ui/app/forms/sync/gcp-sm.ts b/ui/app/forms/sync/gcp-sm.ts
index 507e06a3b6..26886b004d 100644
--- a/ui/app/forms/sync/gcp-sm.ts
+++ b/ui/app/forms/sync/gcp-sm.ts
@@ -3,46 +3,71 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Form from 'vault/forms/form';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
-import { commonFields, getPayload } from './shared';
+import { CredentialType, DestinationType } from 'sync/utils/constants';
 
 import type { SystemWriteSyncDestinationsGcpSmNameRequest } from '@hashicorp/vault-client-typescript';
+import CreateDestinationForm from './create-destination';
 
 type GcpSmFormData = SystemWriteSyncDestinationsGcpSmNameRequest & {
   name: string;
+  credential_type: CredentialType;
 };
 
-export default class GcpSmForm extends Form<GcpSmFormData> {
-  formFieldGroups = [
-    new FormFieldGroup('default', [
-      commonFields.name,
-      new FormField('project_id', 'string', {
-        label: 'Project ID',
-        subText:
-          'The target project to manage secrets in. If set, overrides the project derived from the service account JSON credentials or application default credentials.',
-      }),
-    ]),
-    new FormFieldGroup('Credentials', [
-      new FormField('credentials', 'string', {
-        label: 'JSON credentials',
-        subText:
-          'If empty, Vault will use the GOOGLE_APPLICATION_CREDENTIALS environment variable if configured.',
-        editType: 'file',
-        docLink: '/vault/docs/secrets/gcp#authentication',
-      }),
-    ]),
-    new FormFieldGroup('Advanced configuration', [
-      commonFields.granularity,
-      commonFields.secretNameTemplate,
-      commonFields.customTags,
-    ]),
-  ];
+export default class GcpSmForm extends CreateDestinationForm<GcpSmFormData> {
+  // the "credentials" param is not checked for "isAccountPluginConfigured" because it's never return by the API
+  // additionally credentials can be set via GOOGLE_APPLICATION_CREDENTIALS env var so we cannot call it a required field in the ui.
+  // thus we can never say for sure if the account accessType has been configured so we always return false
+  isAccountPluginConfigured = false;
+
+  get isWifPluginConfigured() {
+    const { identity_token_audience, identity_token_ttl, service_account_email } = this.data;
+    return !!identity_token_audience || !!identity_token_ttl || !!service_account_email;
+  }
+
+  accountCredentialGroup = new FormFieldGroup('JSON credentials', [
+    new FormField('credentials', 'string', {
+      label: 'JSON credentials',
+      subText:
+        'If empty, Vault will use the GOOGLE_APPLICATION_CREDENTIALS environment variable if configured.',
+      editType: 'file',
+      sensitive: true,
+      docLink: '/vault/docs/secrets/gcp#authentication',
+    }),
+  ]);
+
+  get wifCredentialGroup() {
+    const serviceAccountField = new FormField('service_account_email', 'string', {
+      label: 'Service account email',
+    });
+    return this.createWifCredentialGroup([serviceAccountField]);
+  }
+
+  get formFieldGroups() {
+    const credentialGroup =
+      this.credentialType === CredentialType.ACCOUNT ? this.accountCredentialGroup : this.wifCredentialGroup;
+    return [
+      new FormFieldGroup('Destination details', [
+        this.commonFields.name,
+        new FormField('project_id', 'string', {
+          label: 'Project ID',
+          subText:
+            'The target project to manage secrets in. If set, overrides the project derived from the service account JSON credentials or application default credentials.',
+        }),
+      ]),
+      credentialGroup,
+      new FormFieldGroup('Advanced configuration', [
+        this.commonFields.granularity,
+        this.commonFields.secretNameTemplate,
+        this.commonFields.customTags,
+      ]),
+    ];
+  }
 
   toJSON() {
     const formState = super.toJSON();
-    const data = getPayload<GcpSmFormData>('gcp-sm', this.data, this.isNew);
+    const data = this.getPayload<GcpSmFormData>(DestinationType.GcpSm, this.data, this.isNew);
     return { ...formState, data };
   }
 }
diff --git a/ui/app/forms/sync/gh.ts b/ui/app/forms/sync/gh.ts
index 1f69a222cc..892865487b 100644
--- a/ui/app/forms/sync/gh.ts
+++ b/ui/app/forms/sync/gh.ts
@@ -3,10 +3,10 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Form from 'vault/forms/form';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
-import { commonFields, getPayload } from './shared';
+import { DestinationType } from 'sync/utils/constants';
+import CreateDestinationForm from './create-destination';
 
 import type { SystemWriteSyncDestinationsGhNameRequest } from '@hashicorp/vault-client-typescript';
 
@@ -14,10 +14,10 @@ type GhFormData = SystemWriteSyncDestinationsGhNameRequest & {
   name: string;
 };
 
-export default class GcpSmForm extends Form<GhFormData> {
+export default class GhForm extends CreateDestinationForm<GhFormData> {
   formFieldGroups = [
     new FormFieldGroup('default', [
-      commonFields.name,
+      this.commonFields.name,
       new FormField('repository_owner', 'string', {
         subText:
           'Github organization or username that owns the repository. If empty, Vault will use the GITHUB_REPOSITORY_OWNER environment variable if configured.',
@@ -37,12 +37,15 @@ export default class GcpSmForm extends Form<GhFormData> {
         noCopy: true,
       }),
     ]),
-    new FormFieldGroup('Advanced configuration', [commonFields.granularity, commonFields.secretNameTemplate]),
+    new FormFieldGroup('Advanced configuration', [
+      this.commonFields.granularity,
+      this.commonFields.secretNameTemplate,
+    ]),
   ];
 
   toJSON() {
     const formState = super.toJSON();
-    const data = getPayload<GhFormData>('gh', this.data, this.isNew);
+    const data = this.getPayload<GhFormData>(DestinationType.Gh, this.data, this.isNew);
     return { ...formState, data };
   }
 }
diff --git a/ui/app/forms/sync/resolver.ts b/ui/app/forms/sync/resolver.ts
index 2e832b2a57..71cf50ec99 100644
--- a/ui/app/forms/sync/resolver.ts
+++ b/ui/app/forms/sync/resolver.ts
@@ -8,8 +8,9 @@ import AzureKvForm from './azure-kv';
 import GcpSmForm from './gcp-sm';
 import GhForm from './gh';
 import VercelProjectForm from './vercel-project';
+import { DestinationType, CredentialType } from 'sync/utils/constants';
 
-import type { DestinationType } from 'vault/sync';
+import type { DestinationConnectionDetails } from 'vault/sync';
 import type { FormOptions } from '../form';
 import type { Validations } from 'vault/app-types';
 
@@ -21,26 +22,107 @@ export default function destinationFormResolver(type: DestinationType, data = {}
       { type: 'presence', message: 'Name is required.' },
       { type: 'containsWhiteSpace', message: 'Name cannot contain whitespace.' },
     ],
+    role_arn: [
+      {
+        validator({ role_arn, credential_type }: DestinationConnectionDetails) {
+          if (type === DestinationType.AwsSm && credential_type === CredentialType.WIF) {
+            return !!role_arn;
+          }
+          return true;
+        },
+        message: 'Role ARN is required.',
+      },
+    ],
+    identity_token_audience: [
+      {
+        validator({ identity_token_audience, credential_type }: DestinationConnectionDetails) {
+          if (credential_type === CredentialType.WIF) {
+            return !!identity_token_audience;
+          }
+          return true;
+        },
+        message: 'Identity token audience is required.',
+      },
+    ],
+    key_vault_uri: [
+      {
+        validator({ key_vault_uri }: DestinationConnectionDetails) {
+          if (type === DestinationType.AzureKv) {
+            return !!key_vault_uri;
+          }
+          return true;
+        },
+        message: 'Key Vault URI is required.',
+      },
+    ],
+    tenant_id: [
+      {
+        validator({ tenant_id }: DestinationConnectionDetails) {
+          if (type === DestinationType.AzureKv) {
+            return !!tenant_id;
+          }
+          return true;
+        },
+        message: 'Tenant ID is required.',
+      },
+    ],
+    client_id: [
+      {
+        validator({ client_id }: DestinationConnectionDetails) {
+          if (type === DestinationType.AzureKv) {
+            return !!client_id;
+          }
+          return true;
+        },
+        message: 'Client ID is required.',
+      },
+    ],
+    project_id: [
+      {
+        validator({ project_id, credential_type }: DestinationConnectionDetails) {
+          if (type === DestinationType.GcpSm && credential_type === CredentialType.WIF) {
+            return !!project_id;
+          }
+          return true;
+        },
+        message: 'Project ID is required.',
+      },
+    ],
+    service_account_email: [
+      {
+        validator({ service_account_email, credential_type }: DestinationConnectionDetails) {
+          if (type === DestinationType.GcpSm && credential_type === CredentialType.WIF) {
+            return !!service_account_email;
+          }
+          return true;
+        },
+        message: 'Service account email is required.',
+      },
+    ],
   };
 
-  if (type === 'aws-sm') {
+  if (type === DestinationType.AwsSm) {
     return new AwsSmForm(data, options, validations);
   }
-  if (type === 'azure-kv') {
+  if (type === DestinationType.AzureKv) {
     return new AzureKvForm(data, options, validations);
   }
-  if (type === 'gcp-sm') {
+  if (type === DestinationType.GcpSm) {
     return new GcpSmForm(data, options, validations);
   }
-  if (type === 'gh') {
+  if (type === DestinationType.Gh) {
     return new GhForm(data, options, validations);
   }
-  if (type === 'vercel-project') {
+  if (type === DestinationType.VercelProject) {
     const teamId = (data as VercelProjectForm['data'])['team_id'];
     validations['team_id'] = [
       {
-        validator: (formData: VercelProjectForm['data']) =>
-          !options?.isNew && formData['team_id'] !== teamId ? false : true,
+        validator: (formData: VercelProjectForm['data']) => {
+          if (!options?.isNew && formData['team_id'] !== teamId) {
+            return false;
+          }
+          return true;
+        },
         message: 'Team ID should only be updated if the project was transferred to another account.',
         level: 'warn',
       },
diff --git a/ui/app/forms/sync/shared.ts b/ui/app/forms/sync/shared.ts
deleted file mode 100644
index 8745b83ee2..0000000000
--- a/ui/app/forms/sync/shared.ts
+++ /dev/null
@@ -1,73 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import FormField from 'vault/utils/forms/field';
-import { findDestination } from 'core/helpers/sync-destinations';
-
-import type { DestinationType } from 'vault/sync';
-
-export const commonFields = {
-  name: new FormField('name', 'string', {
-    subText: 'Specifies the name for this destination.',
-    editDisabled: true,
-  }),
-
-  secretNameTemplate: new FormField('secret_name_template', 'string', {
-    subText:
-      'Go-template string that indicates how to format the secret name at the destination. The default template varies by destination type but is generally in the form of "vault-{{ .MountAccessor }}-{{ .SecretPath }}" e.g. "vault-kv_9a8f68ad-my-secret-1". Optional.',
-  }),
-
-  granularity: new FormField('granularity', 'string', {
-    editType: 'radio',
-    label: 'Secret sync granularity',
-    possibleValues: [
-      {
-        label: 'Secret path',
-        subText: 'Sync entire secret contents as a single entry at the destination.',
-        value: 'secret-path',
-      },
-      {
-        label: 'Secret key',
-        subText: 'Sync each key-value pair of secret data as a distinct entry at the destination.',
-        helpText:
-          'Only top-level keys will be synced and any nested or complex values will be encoded as a JSON string.',
-        value: 'secret-key',
-      },
-    ],
-  }),
-
-  customTags: new FormField('custom_tags', 'object', {
-    subText:
-      'An optional set of informational key-value pairs added as additional metadata on secrets synced to this destination. Custom tags are merged with built-in tags.',
-    editType: 'kv',
-  }),
-};
-
-export function getPayload<T>(type: DestinationType, data: T, isNew: boolean) {
-  const { maskedParams, readonlyParams } = findDestination(type);
-  const payload: T = { ...data };
-
-  // the server returns ****** for sensitive fields
-  // these are represented as maskedParams in the sync-destinations helper
-  // when editing, remove these fields from the payload if they haven't been changed
-  if (!isNew) {
-    maskedParams.forEach((maskedParam) => {
-      const key = maskedParam as keyof T;
-      const value = (payload[key] as string) || '';
-      // if the value is asterisks, remove it from the payload
-      if (value.match(/^\*+$/)) {
-        delete payload[key];
-      }
-    });
-
-    // to preserve the original Ember Data payload structure, remove fields that are not editable
-    // since editing is disabled in the form the value will not change so this is mostly to satisfy existing test conditions
-    readonlyParams.forEach((readonlyParam) => {
-      delete payload[readonlyParam as keyof T];
-    });
-  }
-
-  return payload;
-}
diff --git a/ui/app/forms/sync/vercel-project.ts b/ui/app/forms/sync/vercel-project.ts
index 102d59a3b1..7afba1876f 100644
--- a/ui/app/forms/sync/vercel-project.ts
+++ b/ui/app/forms/sync/vercel-project.ts
@@ -3,21 +3,21 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Form from 'vault/forms/form';
 import FormField from 'vault/utils/forms/field';
 import FormFieldGroup from 'vault/utils/forms/field-group';
-import { commonFields, getPayload } from './shared';
+import { DestinationType } from 'sync/utils/constants';
 
 import type { SystemWriteSyncDestinationsVercelProjectNameRequest } from '@hashicorp/vault-client-typescript';
+import CreateDestinationForm from './create-destination';
 
 type VercelProjectFormData = SystemWriteSyncDestinationsVercelProjectNameRequest & {
   name: string;
 };
 
-export default class VercelProjectForm extends Form<VercelProjectFormData> {
+export default class VercelProjectForm extends CreateDestinationForm<VercelProjectFormData> {
   formFieldGroups = [
     new FormFieldGroup('default', [
-      commonFields.name,
+      this.commonFields.name,
       new FormField('project_id', 'string', {
         label: 'Project ID',
         subText: 'Project ID where to manage environment variables.',
@@ -40,12 +40,15 @@ export default class VercelProjectForm extends Form<VercelProjectFormData> {
         noCopy: true,
       }),
     ]),
-    new FormFieldGroup('Advanced configuration', [commonFields.granularity, commonFields.secretNameTemplate]),
+    new FormFieldGroup('Advanced configuration', [
+      this.commonFields.granularity,
+      this.commonFields.secretNameTemplate,
+    ]),
   ];
 
   toJSON() {
     const formState = super.toJSON();
-    const data = getPayload<VercelProjectFormData>('vercel-project', this.data, this.isNew);
+    const data = this.getPayload<VercelProjectFormData>(DestinationType.VercelProject, this.data, this.isNew);
     return { ...formState, data };
   }
 }
diff --git a/ui/app/forms/totp/key.ts b/ui/app/forms/totp/key.ts
new file mode 100644
index 0000000000..c27542948a
--- /dev/null
+++ b/ui/app/forms/totp/key.ts
@@ -0,0 +1,173 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import FormFieldGroup from 'vault/utils/forms/field-group';
+import type { Validations } from 'vault/app-types';
+import type { TotpCreateKeyRequest } from '@hashicorp/vault-client-typescript';
+
+type TotpKeyData = TotpCreateKeyRequest & {
+  name?: string;
+  backend?: string;
+  barcode?: string;
+};
+
+export default class TotpKeyForm extends Form<TotpKeyData> {
+  get generateString(): string {
+    return this.data.generate !== false ? 'Vault' : 'Other service';
+  }
+
+  set generateString(value: string) {
+    this.data.generate = value === 'Vault';
+  }
+
+  get formFieldGroups() {
+    const isVaultGenerated = this.data.generate !== false;
+
+    const conditionalFields = isVaultGenerated
+      ? [
+          new FormField('exported', 'boolean', {
+            editType: 'toggleButton',
+            defaultValue: true,
+            helperTextEnabled: 'QR code and URL will be returned upon generating a key.',
+            helperTextDisabled: 'Vault will not return QR code and url upon key creation.',
+          }),
+        ]
+      : [
+          new FormField('url', 'string', {
+            label: 'URL',
+            helpText:
+              'If a URL is provided the other fields can be left empty. E.g. otpauth://totp/Vault:test@test.com?secret=<your_secret>&issuer=Vault',
+            subText: 'The TOTP key url string that can be used to configure a key.',
+          }),
+          new FormField('key', 'string', {
+            subText: 'The root key used to generate a TOTP code.',
+          }),
+        ];
+
+    const defaultFields = [
+      new FormField('name', 'string', {
+        subText: 'Specifies the name for this key.',
+        editDisabled: !this.isNew,
+      }),
+      new FormField('generate', 'boolean', {
+        label: 'Key Provider',
+        editType: 'radio',
+        possibleValues: ['Vault', 'Other service'],
+        defaultValue: true,
+        fieldValue: 'generateString',
+        subText: 'Specifies if the key should be generated by Vault or passed from another service.',
+      }),
+      new FormField('issuer', 'string', {
+        subText: "The name of the key's issuing organization. Required for keys generated by Vault.",
+      }),
+      new FormField('account_name', 'string', {
+        label: 'Account name',
+        subText: 'The name of the account associated with the key. Required for keys generated by Vault.',
+      }),
+      ...conditionalFields,
+    ];
+
+    const codeOptionsGroup = new FormFieldGroup('TOTP Code Options', [
+      new FormField('algorithm', 'string', {
+        possibleValues: ['SHA1', 'SHA256', 'SHA512'],
+        defaultValue: 'SHA1',
+      }),
+      new FormField('digits', 'number', {
+        possibleValues: [6, 8],
+        defaultValue: 6,
+      }),
+      new FormField('period', 'string', {
+        editType: 'ttl',
+        helperTextEnabled: 'How long each generated TOTP is valid.',
+        defaultValue: 30,
+      }),
+    ]);
+
+    const groups: FormFieldGroup[] = [new FormFieldGroup('default', defaultFields), codeOptionsGroup];
+
+    if (isVaultGenerated) {
+      groups.push(
+        new FormFieldGroup('Provider Options', [
+          new FormField('key_size', 'number', {
+            label: 'Key size',
+            defaultValue: 20,
+          }),
+          new FormField('skew', 'number', {
+            possibleValues: [0, 1],
+            defaultValue: 1,
+          }),
+          new FormField('qr_size', 'number', {
+            label: 'QR size',
+            defaultValue: 200,
+          }),
+        ])
+      );
+    }
+
+    return groups;
+  }
+
+  validations: Validations = {
+    account_name: [
+      {
+        validator: (data: TotpKeyData) => {
+          return data.generate === false || !!data.account_name;
+        },
+        message: "Account name can't be blank when the key is generated by Vault.",
+      },
+      {
+        type: 'containsWhiteSpace',
+        message:
+          "Account name contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.",
+        level: 'warn',
+      },
+    ],
+    issuer: [
+      {
+        validator: (data: TotpKeyData) => data.generate === false || !!data.issuer,
+        message: "Issuer can't be blank when the key is generated by Vault.",
+      },
+    ],
+    key: [
+      {
+        validator: (data: TotpKeyData) => data.generate !== false || !!data.url || !!data.key,
+        message: "Key can't be blank if key is being passed from another service and the URL is empty.",
+      },
+    ],
+    key_size: [{ type: 'number', message: 'Key size must be a number.' }],
+    name: [
+      { type: 'presence', message: "Name can't be blank." },
+      {
+        type: 'containsWhiteSpace',
+        message:
+          "Name contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.",
+        level: 'warn',
+      },
+    ],
+    qr_size: [{ type: 'number', message: 'QR size must be a number.' }],
+  };
+
+  toJSON() {
+    const { isValid, state, invalidFormMessage } = super.toJSON();
+    const data = { ...this.data } as Record<string, unknown>;
+    delete data['name'];
+    delete data['backend'];
+    delete data['barcode'];
+
+    if (data['generate'] !== false) {
+      delete data['url'];
+      delete data['key'];
+    } else {
+      delete data['key_size'];
+      delete data['skew'];
+      delete data['exported'];
+      delete data['qr_size'];
+    }
+
+    return { isValid, state, invalidFormMessage, data };
+  }
+}
diff --git a/ui/app/forms/transform/alphabet.ts b/ui/app/forms/transform/alphabet.ts
new file mode 100644
index 0000000000..1ea535e237
--- /dev/null
+++ b/ui/app/forms/transform/alphabet.ts
@@ -0,0 +1,35 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import type { Validations } from 'vault/app-types';
+
+type AlphabetData = {
+  name?: string;
+  alphabet?: string;
+  backend?: string;
+};
+
+export default class AlphabetForm extends Form<AlphabetData> {
+  // Required by secret-edit-layout.hbs to resolve the correct editComponent via options-for-backend
+  idPrefix = 'alphabet/';
+  formFields = [
+    new FormField('name', 'string', {
+      editDisabled: true,
+      subText: 'The alphabet name. Keep in mind that spaces are not allowed and this cannot be edited later.',
+    }),
+    new FormField('alphabet', 'string', {
+      label: 'Alphabet',
+      subText:
+        'Provide the set of valid UTF-8 characters contained within both the input and transformed value.',
+      docLink: '/vault/api-docs/secret/transform#create-update-alphabet',
+    }),
+  ];
+
+  validations: Validations = {
+    alphabet: [{ type: 'presence', message: 'Alphabet is required.' }],
+  };
+}
diff --git a/ui/app/forms/transform/role.ts b/ui/app/forms/transform/role.ts
new file mode 100644
index 0000000000..9fd690142a
--- /dev/null
+++ b/ui/app/forms/transform/role.ts
@@ -0,0 +1,35 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import type { Validations } from 'vault/app-types';
+
+type RoleData = {
+  name?: string;
+  transformations?: string[];
+  backend?: string;
+};
+
+export default class RoleForm extends Form<RoleData> {
+  idPrefix = 'role/';
+
+  formFields = [
+    new FormField('name', 'string', {
+      editDisabled: true,
+      subText: 'The name for your role. This cannot be edited later.',
+    }),
+    new FormField('transformations', 'array', {
+      isSectionHeader: true,
+      label: 'Transformations',
+      subText: 'Select which transformations this role will have access to. It must already exist.',
+    }),
+  ];
+
+  validations: Validations = {
+    name: [{ type: 'presence', message: 'Name is required.' }],
+    transformations: [{ type: 'presence', message: 'At least one transformation is required.' }],
+  };
+}
diff --git a/ui/app/forms/transform/template.ts b/ui/app/forms/transform/template.ts
new file mode 100644
index 0000000000..2523180f1b
--- /dev/null
+++ b/ui/app/forms/transform/template.ts
@@ -0,0 +1,47 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import type { Validations } from 'vault/app-types';
+
+type TemplateData = {
+  name?: string;
+  type?: string;
+  pattern?: string;
+  alphabet?: string[];
+  encode_format?: string;
+  decode_formats?: Record<string, string>;
+  backend?: string;
+};
+
+export default class TemplateForm extends Form<TemplateData> {
+  idPrefix = 'template/';
+
+  formFields = [
+    new FormField('name', 'string', {
+      editDisabled: true,
+      subText:
+        'Templates allow Vault to determine what and how to capture the value to be transformed. This cannot be edited later.',
+    }),
+    new FormField('pattern', 'string', {
+      editType: 'regex',
+      subText: "The template's pattern defines the data format. Expressed in regex.",
+    }),
+    new FormField('encode_format', 'string'),
+    new FormField('decode_formats', 'object'),
+    new FormField('alphabet', 'array', {
+      isSectionHeader: true,
+      label: 'Alphabet',
+      subText:
+        'Alphabet defines a set of characters (UTF-8) that is used for FPE to determine the validity of plaintext and ciphertext values. You can choose a built-in one, or create your own.',
+    }),
+  ];
+
+  validations: Validations = {
+    name: [{ type: 'presence', message: 'Name is required.' }],
+    pattern: [{ type: 'presence', message: 'Pattern is required.' }],
+  };
+}
diff --git a/ui/app/forms/transform/transformation.ts b/ui/app/forms/transform/transformation.ts
new file mode 100644
index 0000000000..5053b98a0f
--- /dev/null
+++ b/ui/app/forms/transform/transformation.ts
@@ -0,0 +1,108 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Form from 'vault/forms/form';
+import FormField from 'vault/utils/forms/field';
+import type { Validations } from 'vault/app-types';
+
+const TYPES = [
+  { value: 'fpe', displayName: 'Format Preserving Encryption (FPE)' },
+  { value: 'masking', displayName: 'Masking' },
+  { value: 'tokenization', displayName: 'Tokenization' },
+];
+
+const TWEAK_SOURCE = [
+  { value: 'supplied', displayName: 'supplied' },
+  { value: 'generated', displayName: 'generated' },
+  { value: 'internal', displayName: 'internal' },
+];
+
+type TransformationData = {
+  name?: string;
+  type?: string;
+  tweak_source?: string;
+  masking_character?: string;
+  template?: string[];
+  allowed_roles?: string[];
+  deletion_allowed?: boolean;
+  convergent?: boolean;
+  stores?: string[];
+  mapping_mode?: string;
+  max_ttl?: string;
+  backend?: string;
+};
+
+export default class TransformationForm extends Form<TransformationData> {
+  formFields = [
+    new FormField('name', 'string', {
+      editDisabled: true,
+      subText: 'The name for your transformation. This cannot be edited later.',
+    }),
+    new FormField('type', 'string', {
+      editDisabled: true,
+      possibleValues: TYPES,
+      defaultValue: 'fpe',
+      label: 'Type',
+      subText:
+        'Vault provides two types of transformations: Format Preserving Encryption (FPE) is reversible, while Masking is not. This cannot be edited later.',
+    }),
+    new FormField('deletion_allowed', 'boolean', {
+      label: 'Allow deletion',
+      subText:
+        'If checked, this transform can be deleted otherwise deletion is blocked. Note that deleting the transform deletes the underlying key which makes decoding of tokenized values impossible without restoring from a backup.',
+    }),
+    new FormField('tweak_source', 'string', {
+      possibleValues: TWEAK_SOURCE,
+      defaultValue: 'supplied',
+      label: 'Tweak source',
+      subText:
+        'A tweak value is used when performing FPE transformations. This can be supplied, generated, or internal.',
+    }),
+    new FormField('masking_character', 'string', {
+      defaultValue: '*',
+      label: 'Masking character',
+      subText: 'Specify which character you\u2019d like to mask your data.',
+    }),
+    new FormField('template', 'array', {
+      isSectionHeader: true,
+      label: 'Template',
+      subText:
+        'Templates allow Vault to determine what and how to capture the value to be transformed. Type to use an existing template or create a new one.',
+    }),
+    new FormField('allowed_roles', 'array', {
+      isSectionHeader: true,
+      label: 'Allowed roles',
+      subText: 'Search for an existing role, type a new role to create it, or use a wildcard (*).',
+    }),
+    new FormField('mapping_mode', 'string', {
+      defaultValue: 'default',
+      label: 'Mapping mode',
+      subText:
+        'Specifies the mapping mode for stored tokenization values. "default" is strongly recommended for highest security, "exportable" allows for all plaintexts to be decoded via the export-decoded endpoint in an emergency.',
+    }),
+    new FormField('convergent', 'boolean', {
+      label: 'Use convergent tokenization',
+      subText:
+        'If checked, tokenization of the same plaintext more than once results in the same token. Defaults to false as unique tokens are more desirable from a security standpoint.',
+    }),
+    new FormField('max_ttl', 'string', {
+      editType: 'ttl',
+      defaultValue: '0',
+      label: 'Maximum TTL (time-to-live) of a token',
+      subText: 'If \u201c0\u201d or unspecified, tokens may have no expiration.',
+    }),
+    new FormField('stores', 'array', {
+      editType: 'stringArray',
+      label: 'Stores',
+      subText:
+        'The list of tokenization stores to use for tokenization state. Vault\u2019s internal storage is used by default.',
+    }),
+  ];
+
+  validations: Validations = {
+    name: [{ type: 'presence', message: 'Name is required.' }],
+    template: [{ type: 'presence', message: 'Template is required.' }],
+  };
+}
diff --git a/ui/app/forms/v2/form-config.ts b/ui/app/forms/v2/form-config.ts
new file mode 100644
index 0000000000..39fe8bd6d9
--- /dev/null
+++ b/ui/app/forms/v2/form-config.ts
@@ -0,0 +1,190 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import type ApiService from 'vault/services/api';
+import type { ValidationRule } from './form-validator';
+import CONFIG_REGISTRY from './generated/index';
+
+export type FormConfigKey = keyof typeof CONFIG_REGISTRY;
+
+/**
+ * Form element types matching HDS (HashiCorp Design System) components.
+ */
+export type FormElement =
+  | 'TextInput'
+  | 'TextArea'
+  | 'Select'
+  | 'Toggle'
+  | 'Checkbox'
+  | 'Radio'
+  | 'RadioCard'
+  | 'MaskedInput';
+
+/**
+ * HDS-supported text input variants for TextInput fields.
+ */
+export type TextInputType =
+  | 'text'
+  | 'email'
+  | 'password'
+  | 'url'
+  | 'search'
+  | 'date'
+  | 'time'
+  | 'datetime-local'
+  | 'month'
+  | 'week'
+  | 'tel';
+
+/**
+ * Union type for all possible field values.
+ */
+export type FieldValue = string | number | boolean | string[] | null | undefined;
+
+/**
+ * Visibility predicate evaluated against the form payload.
+ */
+export type VisibilityRule<Payload extends object = object> = boolean | ((payload: Payload) => boolean);
+
+/**
+ * Option for Select, Radio, and RadioCard fields
+ */
+export interface FieldOption {
+  label: string;
+  value: string | number | boolean;
+  /** Optional description for RadioCard options */
+  description?: string;
+}
+
+/**
+ * Form field definition with common properties.
+ */
+export type FormField = {
+  /** Field name supporting dotted-path notation for nested properties */
+  name: string;
+  /** Form element type */
+  type: FormElement;
+  /** Display label for the field */
+  label: string;
+  /** Optional helper text shown below the field */
+  helperText?: string;
+  /** Optional HDS TextInput variant when type is TextInput */
+  inputType?: TextInputType;
+  /** Optional placeholder text */
+  placeholder?: string;
+  /** Default value for the field */
+  defaultValue?: FieldValue;
+  /** Validation rules for this field */
+  validations?: ValidationRule[];
+  /** Options for Select, Radio, and RadioCard fields */
+  options?: FieldOption[];
+  /** Whether the field is required */
+  isRequired?: boolean;
+  /** Whether the field is disabled */
+  isDisabled?: boolean;
+  /** Optional conditional visibility for this field */
+  isVisible?: VisibilityRule;
+};
+
+/**
+ * Form section grouping related fields together
+ */
+export interface FormSection {
+  /** Section identifier (used as key) */
+  name: string;
+  /** Optional display title for the section */
+  title?: string;
+  /** Optional description for the section */
+  description?: string;
+  /** Optional conditional visibility for this section */
+  isVisible?: VisibilityRule;
+  /** Fields belonging to this section */
+  fields: FormField[];
+}
+
+/**
+ * Wizard state tracking data for each completed step.
+ * Stores only data - execution state is derived from ember-concurrency task properties.
+ * Keyed by step name, contains the submitted payload, API response, and error message.
+ */
+export interface WizardStepState {
+  /** The payload that was submitted for this step */
+  payload: any;
+  /** The API response received for this step (present = step succeeded) */
+  response: any;
+  /** Error message if the step failed */
+  error?: string;
+}
+
+/**
+ * Wizard state accumulator passed to payload resolver functions.
+ * Maps step names to their completed state.
+ */
+export type WizardState = {
+  [stepName: string]: WizardStepState;
+};
+
+/**
+ * A single step in a multi-step wizard.
+ * References a FormConfig and provides step-specific metadata.
+ */
+export interface WizardStep {
+  /** Unique identifier for this step (used to key wizard state) */
+  name: string;
+  /** Display title for the step */
+  title: string;
+  /** Optional heading for the step in the panel */
+  heading?: string;
+  /** Optional description for the step in the panel */
+  description?: string;
+  /** The form configuration for this step */
+  formConfig: FormConfig<any, any>;
+}
+
+/**
+ * Multi-step wizard configuration.
+ * Defines a sequential flow of forms with cross-step data sharing.
+ */
+export interface WizardConfig {
+  /** Display title for the wizard */
+  title: string;
+  /** Optional description for the wizard */
+  description?: string;
+  /** Optional flag to indicate if the wizard has a final apply changes step */
+  applyChanges?: boolean;
+  /** Sequential steps in the wizard */
+  steps: WizardStep[];
+}
+
+export interface FormConfig<Request extends object = object, Response = unknown> {
+  /** Unique identifier for the form, typically matching the API method name */
+  name: string;
+  /** API endpoint path associated with this form -- useful for generating CURL request snippets */
+  path: string;
+  /** Title or description for the form */
+  title?: string;
+  description?: string;
+  /**
+   * Initial payload structure matching the API request shape.
+   */
+  payload: Request;
+  /**
+   * Submit handler that receives the API service and typed payload,
+   * returning the typed API response
+   */
+  submit: (api: ApiService, payload: Request) => Promise<Response>;
+  /**
+   * Optional callback invoked after successful submission.
+   * Receives the API response for post-submission handling (e.g., redirects, notifications).
+   */
+  onSuccess?: (response: Response) => void;
+  /**
+   * Optional callback invoked when submission fails.
+   * Receives the extracted error message for custom error handling.
+   */
+  onError?: (error: string) => void;
+  /** Organized groups of fields with type-safe field names */
+  sections: FormSection[];
+}
diff --git a/ui/app/forms/v2/form-validator.ts b/ui/app/forms/v2/form-validator.ts
new file mode 100644
index 0000000000..5b073f7d87
--- /dev/null
+++ b/ui/app/forms/v2/form-validator.ts
@@ -0,0 +1,180 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { get } from '@ember/object';
+import type { FieldValue, FormField } from './form-config';
+import { validators } from './form-validators';
+
+/**
+ * Options that can be passed to validators.
+ *
+ * @property {boolean} [nullable] - For 'length' and 'number': allow null/undefined values
+ * @property {number} [min] - For 'min': minimum numeric value
+ * @property {number} [max] - For 'max': maximum numeric value
+ * @property {number} [minLength] - For 'minLength': minimum string length
+ * @property {number} [maxLength] - For 'maxLength': maximum string length
+ * @property {string | RegExp} [pattern] - For 'pattern': regex pattern string or RegExp object
+ * @property {string} [flags] - For 'pattern': regex flags (e.g., 'i', 'g', 'gi')
+ * @property {string | number | boolean} [value] - For 'isNot': value to compare against
+ */
+export interface ValidatorOptions {
+  nullable?: boolean;
+  min?: number;
+  max?: number;
+  minLength?: number;
+  maxLength?: number;
+  pattern?: string | RegExp;
+  flags?: string;
+  value?: string | number | boolean;
+}
+
+/**
+ * Named validator using a predefined validator type.
+ * References a validator in validators.js (e.g., 'required', 'email', 'url').
+ *
+ * @property {ValidatorType} type - Reference to a validator in validators.js (e.g., 'required', 'email', 'url')
+ * @property {string | ((formData: Record<string, unknown>) => string)} message - Error message shown when validation fails
+ * @property {ValidatorOptions} [options] - Options passed to the validator function (e.g., { min: 3, max: 10 })
+ */
+interface NamedValidationRule {
+  type: ValidatorType;
+  message: string | ((formData: Record<string, unknown>) => string);
+  options?: ValidatorOptions;
+}
+
+/**
+ * Custom validation rule with a custom validator function.
+ * The validator function receives the entire form data and returns true if valid.
+ *
+ * @property {(formData: Record<string, unknown>, options?: ValidatorOptions) => boolean} validator - Custom validator function that receives entire form data
+ * @property {string | ((formData: Record<string, unknown>) => string)} message - Error message shown when validation fails
+ * @property {ValidatorOptions} [options] - Optional configuration for the validator
+ */
+interface CustomValidationRule {
+  validator: (formData: Record<string, unknown>, options?: ValidatorOptions) => boolean;
+  message: string | ((formData: Record<string, unknown>) => string);
+  options?: ValidatorOptions;
+}
+
+/**
+ * Validation rule for a form field.
+ * Can be either a named validator (with type) or a custom validator function.
+ */
+export type ValidationRule = NamedValidationRule | CustomValidationRule;
+
+/**
+ * HTML5 standard validator types.
+ * These correspond to built-in validators in form-validators.ts.
+ */
+export type ValidatorType =
+  | 'required'
+  | 'email'
+  | 'url'
+  | 'pattern'
+  | 'minLength'
+  | 'maxLength'
+  | 'min'
+  | 'max';
+
+/**
+ * Default error messages for built-in validators.
+ * Used as fallback when validation rule doesn't provide a message.
+ */
+const DEFAULT_MESSAGES: Record<ValidatorType, string> = {
+  required: 'This field is required',
+  email: 'Please enter a valid email address',
+  url: 'Please enter a valid URL',
+  pattern: 'Invalid format',
+  minLength: 'Value is too short',
+  maxLength: 'Value is too long',
+  min: 'Value is too small',
+  max: 'Value is too large',
+};
+
+/**
+ * Validate a single field and return validation errors.
+ *
+ * @param field - The field configuration to validate
+ * @param value - The current value of the field
+ * @param payload - The entire form payload for cross-field validation
+ * @returns Array of error messages (empty if valid)
+ */
+export function validateField<TPayload extends object>(
+  field: FormField,
+  value: FieldValue,
+  payload: TPayload
+): string[] {
+  if (!field.validations || field.validations.length === 0) {
+    return [];
+  }
+
+  return field.validations
+    .filter((rule) => !runValidator(rule, value, payload))
+    .map((rule) => {
+      // Function message (dynamic based on form data)
+      if (typeof rule.message === 'function') {
+        return rule.message(payload as Record<string, unknown>);
+      }
+      // Explicit message provided
+      if (rule.message) {
+        return rule.message;
+      }
+      // Fallback to default message for named validators
+      if ('type' in rule && rule.type in DEFAULT_MESSAGES) {
+        return DEFAULT_MESSAGES[rule.type];
+      }
+      // Last resort fallback
+      return 'Validation failed';
+    });
+}
+
+/**
+ * Validate all fields in a form and return a map of field names to errors.
+ *
+ * @param fields - Array of all field configurations in the form
+ * @param payload - The entire form payload
+ * @returns Map of field names to their validation errors
+ */
+export function validateAllFields<TPayload extends object>(
+  fields: FormField[],
+  payload: TPayload
+): Map<string, string[]> {
+  const errors = new Map<string, string[]>();
+
+  for (const field of fields) {
+    const fieldErrors = validateField(field, get(payload, field.name) as FieldValue, payload);
+    if (fieldErrors.length > 0) {
+      errors.set(field.name, fieldErrors);
+    }
+  }
+
+  return errors;
+}
+
+/**
+ * Execute a single validation rule on a field value.
+ */
+function runValidator<TPayload extends object>(
+  rule: ValidationRule,
+  value: FieldValue,
+  payload: TPayload
+): boolean {
+  // Named validator (type-based)
+  if ('type' in rule) {
+    const validatorFn = validators[rule.type];
+    if (!validatorFn) {
+      console.warn(`Unknown validator type: ${rule.type}`);
+      return true;
+    }
+    return validatorFn(value, rule.options || {});
+  }
+
+  // Custom validator function
+  if ('validator' in rule) {
+    return rule.validator(payload as Record<string, unknown>, rule.options);
+  }
+
+  return true;
+}
diff --git a/ui/app/forms/v2/form-validators.ts b/ui/app/forms/v2/form-validators.ts
new file mode 100644
index 0000000000..bd66712638
--- /dev/null
+++ b/ui/app/forms/v2/form-validators.ts
@@ -0,0 +1,95 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import type { ValidatorOptions } from './form-validator';
+
+/**
+ * Built-in validator functions
+ * All validators return true if valid, false if invalid
+ */
+export const validators = {
+  /**
+   * Required - value must be present
+   * Rejects: null, undefined, '', [], {}
+   */
+  required: (value: unknown, _options?: ValidatorOptions): boolean => {
+    if (value === null || value === undefined) return false;
+    if (typeof value === 'string') return value.trim().length > 0;
+    if (Array.isArray(value)) return value.length > 0;
+    if (typeof value === 'object') return Object.keys(value).length > 0;
+    return true;
+  },
+
+  /**
+   * Email - validates email format
+   */
+  email: (value: unknown, _options?: ValidatorOptions): boolean => {
+    if (!value) return true; // Use with 'required' for mandatory emails
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(String(value));
+  },
+
+  /**
+   * URL - validates URL format
+   */
+  url: (value: unknown, _options?: ValidatorOptions): boolean => {
+    if (!value) return true;
+    try {
+      new URL(String(value));
+      return true;
+    } catch {
+      return false;
+    }
+  },
+
+  /**
+   * Pattern - validates against regex pattern
+   */
+  pattern: (value: unknown, { pattern, flags = '' }: ValidatorOptions): boolean => {
+    if (!value || !pattern) return true;
+    const regex = typeof pattern === 'string' ? new RegExp(pattern, flags) : pattern;
+    return regex.test(String(value));
+  },
+
+  /**
+   * MinLength - validates minimum string length
+   */
+  minLength: (value: unknown, { minLength }: ValidatorOptions): boolean => {
+    if (minLength === undefined) return true;
+    if (!value) return false;
+    return String(value).length >= minLength;
+  },
+
+  /**
+   * MaxLength - validates maximum string length
+   */
+  maxLength: (value: unknown, { maxLength }: ValidatorOptions): boolean => {
+    if (maxLength === undefined) return true;
+    if (!value) return true;
+    return String(value).length <= maxLength;
+  },
+
+  /**
+   * Min - validates minimum numeric value
+   */
+  min: (value: unknown, { min }: ValidatorOptions): boolean => {
+    if (min === undefined) return true;
+    if (value === null || value === undefined || value === '') return true;
+    const num = Number(value);
+    if (isNaN(num)) return false;
+    return num >= min;
+  },
+
+  /**
+   * Max - validates maximum numeric value
+   */
+  max: (value: unknown, { max }: ValidatorOptions): boolean => {
+    if (max === undefined) return true;
+    if (value === null || value === undefined || value === '') return true;
+    const num = Number(value);
+    if (isNaN(num)) return false;
+    return num <= max;
+  },
+};
diff --git a/ui/lib/core/app/components/search-select-with-modal.js b/ui/app/forms/v2/generated/index.ts
similarity index 54%
rename from ui/lib/core/app/components/search-select-with-modal.js
rename to ui/app/forms/v2/generated/index.ts
index 3017bc341d..87e396a52a 100644
--- a/ui/lib/core/app/components/search-select-with-modal.js
+++ b/ui/app/forms/v2/generated/index.ts
@@ -3,4 +3,6 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-export { default } from 'core/components/search-select-with-modal';
+const GENERATED_CONFIGS = {};
+
+export default GENERATED_CONFIGS;
diff --git a/ui/app/forms/v2/generated/mounts-enable-secrets-engine-config.ts b/ui/app/forms/v2/generated/mounts-enable-secrets-engine-config.ts
new file mode 100644
index 0000000000..f16ea5d3c3
--- /dev/null
+++ b/ui/app/forms/v2/generated/mounts-enable-secrets-engine-config.ts
@@ -0,0 +1,119 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+// ⚠️ AUTO-GENERATED FILE - DO NOT EDIT
+// This file is generated from openapi.json
+// To customize this form, create an override in
+// forms/v2/overrides/
+
+import type ApiService from 'vault/services/api';
+import type { FormConfig } from '../form-config';
+import type { SystemApiMountsEnableSecretsEngineOperationRequest } from '@hashicorp/vault-client-typescript';
+
+/**
+ * Form configuration for mountsEnableSecretsEngine
+ * Auto-generated from OpenAPI specification
+ */
+const mountsEnableSecretsEngineConfig: FormConfig<
+  SystemApiMountsEnableSecretsEngineOperationRequest,
+  unknown
+> = {
+  name: 'mountsEnableSecretsEngine',
+  path: '/sys/mounts/{path}',
+  description: 'Mount a new backend at a new path.',
+  submit: async (api: ApiService, payload: SystemApiMountsEnableSecretsEngineOperationRequest) => {
+    return await api.sys.mountsEnableSecretsEngineRaw(payload);
+  },
+  payload: {
+    path: '',
+    MountsEnableSecretsEngineRequest: {
+      config: {},
+      description: '',
+      external_entropy_access: false,
+      local: false,
+      options: {},
+      plugin_name: '',
+      plugin_version: '',
+      seal_wrap: false,
+      type: '',
+    },
+  },
+  sections: [
+    {
+      name: 'params',
+      fields: [
+        {
+          name: 'path',
+          type: 'TextInput',
+          label: 'Path',
+          helperText: 'The path to mount to. Example: "aws/east"',
+        },
+      ],
+    },
+    {
+      name: 'default',
+      fields: [
+        {
+          name: 'MountsEnableSecretsEngineRequest.config',
+          type: 'TextInput',
+          label: 'Config',
+          helperText: 'Configuration for this mount, such as default_lease_ttl and max_lease_ttl.',
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.description',
+          type: 'TextInput',
+          label: 'Description',
+          helperText: 'User-friendly description for this mount.',
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.external_entropy_access',
+          type: 'TextInput',
+          label: 'External entropy access',
+          helperText: "Whether to give the mount access to Vault's external entropy.",
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.local',
+          type: 'TextInput',
+          label: 'Local',
+          helperText:
+            'Mark the mount as a local mount, which is not replicated and is unaffected by replication.',
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.options',
+          type: 'TextInput',
+          label: 'Options',
+          helperText:
+            'The options to pass into the backend. Should be a json object with string keys and values.',
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.plugin_name',
+          type: 'TextInput',
+          label: 'Plugin name',
+          helperText: 'Name of the plugin to mount based from the name registered in the plugin catalog.',
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.plugin_version',
+          type: 'TextInput',
+          label: 'Plugin version',
+          helperText: 'The semantic version of the plugin to use, or image tag if oci_image is provided.',
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.seal_wrap',
+          type: 'TextInput',
+          label: 'Seal wrap',
+          helperText: 'Whether to turn on seal wrapping for the mount.',
+        },
+        {
+          name: 'MountsEnableSecretsEngineRequest.type',
+          type: 'TextInput',
+          label: 'Type',
+          helperText: 'The type of the backend. Example: "passthrough"',
+        },
+      ],
+    },
+  ],
+};
+
+export default mountsEnableSecretsEngineConfig;
diff --git a/ui/app/forms/v2/get-form-config.ts b/ui/app/forms/v2/get-form-config.ts
new file mode 100644
index 0000000000..45d9cdb4f8
--- /dev/null
+++ b/ui/app/forms/v2/get-form-config.ts
@@ -0,0 +1,58 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import GENERATED_CONFIGS from './generated/index';
+import OVERRIDE_CONFIGS from './overrides/index';
+import type { FormConfig } from './form-config';
+
+export type FormConfigKey = keyof typeof GENERATED_CONFIGS | keyof typeof OVERRIDE_CONFIGS;
+
+type AllConfigs = typeof GENERATED_CONFIGS & typeof OVERRIDE_CONFIGS;
+
+/**
+ * Extract the payload type for a given form config key
+ */
+export type ExtractPayload<K extends FormConfigKey> = AllConfigs[K] extends FormConfig<
+  infer TPayload,
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  infer _TResponse
+>
+  ? TPayload
+  : never;
+
+/**
+ * Extract the response type for a given form config key
+ */
+export type ExtractResponse<K extends FormConfigKey> = AllConfigs[K] extends FormConfig<
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  infer _TPayload,
+  infer TResponse
+>
+  ? TResponse
+  : never;
+
+/**
+ * Retrieves a V2 form configuration, preferring overrides when they exist.
+ * @param configName - The camelCase config name (e.g., 'aliCloudDeleteAuthRole', 'azureConfigureAuth')
+ * @returns V2FormConfig instance with the exact type for the given config
+ */
+export function getFormConfig<K extends FormConfigKey>(
+  configName: K
+): FormConfig<ExtractPayload<K>, ExtractResponse<K>> {
+  // Check overrides first
+  const override = OVERRIDE_CONFIGS[configName as keyof typeof OVERRIDE_CONFIGS];
+  if (override) {
+    return override as unknown as FormConfig<ExtractPayload<K>, ExtractResponse<K>>;
+  }
+
+  // Fall back to generated configs
+  const config = GENERATED_CONFIGS[configName as keyof typeof GENERATED_CONFIGS];
+
+  if (!config) {
+    throw new Error(`Form configuration not found for: ${configName}`);
+  }
+
+  return config as unknown as FormConfig<ExtractPayload<K>, ExtractResponse<K>>;
+}
diff --git a/ui/app/serializers/role-ssh.js b/ui/app/forms/v2/overrides/index.ts
similarity index 51%
rename from ui/app/serializers/role-ssh.js
rename to ui/app/forms/v2/overrides/index.ts
index 1aa481c7e9..7bd69dc40a 100644
--- a/ui/app/serializers/role-ssh.js
+++ b/ui/app/forms/v2/overrides/index.ts
@@ -3,6 +3,6 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import RoleSerializer from './role';
+const OVERRIDE_CONFIGS = {};
 
-export default RoleSerializer.extend();
+export default OVERRIDE_CONFIGS;
diff --git a/ui/app/forms/v2/v2-form.ts b/ui/app/forms/v2/v2-form.ts
new file mode 100644
index 0000000000..9c3e7f9782
--- /dev/null
+++ b/ui/app/forms/v2/v2-form.ts
@@ -0,0 +1,230 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { get, set } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import type ApiService from 'vault/services/api';
+import type { FieldValue, FormConfig, FormField, VisibilityRule } from './form-config';
+import { validateAllFields, validateField } from './form-validator';
+import { getFormConfig, type FormConfigKey } from './get-form-config';
+
+/**
+ * V2Form manages the state of a form with type-safe property updates and validation.
+ * Supports nested property updates via dotted-path notation (e.g., "user.address.street").
+ * Automatically validates fields when values change.
+ *
+ * Usage with registry name:
+ * ```typescript
+ * const form = new V2Form('mountsEnableSecretsEngine');
+ * form.set('path', 'my-path');
+ * const errors = form.getErrors('path');
+ * await form.submit(api);
+ * ```
+ *
+ * Usage with config object:
+ * ```typescript
+ * const form = new V2Form(myFormConfig);
+ * form.set('path', 'my-path');
+ * await form.submit(api);
+ * ```
+ *
+ * @template TPayload - The form payload type
+ * @template TResponse - The API response type
+ */
+export default class V2Form<TPayload extends object = any, TResponse = unknown> {
+  @tracked payload: TPayload;
+  @tracked validationErrors: Map<string, string[]> = new Map();
+  #config: FormConfig<TPayload, TResponse>;
+
+  /**
+   * NOTE: Flexible constructor pattern
+   *
+   * Supports two instantiation methods to enable flexible form usage:
+   * 1. Name-based: `new V2Form('mountsEnableSecretsEngine')` - looks up config from registry
+   *    - Use for single-step forms with globally registered configs
+   *
+   * 2. Config-based: `new V2Form<PayloadType, ResponseType>(configObject)` - accepts config directly
+   *    - Use for wizard steps with local overrides (e.g., dynamic payloads)
+   *    - Explicit generic parameters should match the config's types
+   *    - For wizards, use `new V2Form<any, any>(config)` to simplify typing
+   */
+  constructor(config: FormConfigKey | FormConfig<TPayload, TResponse>) {
+    if (typeof config === 'string') {
+      // Registry-based: getFormConfig returns FormConfig<never, never> but we need
+      // FormConfig<TPayload, TResponse>. Since generics default to `any`, this
+      // type assertion is safe and unavoidable due to TypeScript's structural typing.
+      const formConfig = getFormConfig(config);
+      this.#config = formConfig as unknown as FormConfig<TPayload, TResponse>;
+      this.payload = this.#resolvePayload(formConfig.payload as TPayload);
+    } else {
+      // Config-based: types must match the provided config
+      this.#config = config;
+      this.payload = this.#resolvePayload(config.payload);
+    }
+
+    // Auto-inject required validations for fields marked with isRequired: true
+    this.#injectRequiredValidations();
+  }
+
+  /**
+   * Automatically adds required validation rules to fields marked with isRequired: true
+   * if they don't already have a required validation.
+   */
+  #injectRequiredValidations(): void {
+    for (const section of this.#config.sections) {
+      for (const field of section.fields) {
+        if (field.isRequired) {
+          // Check if field already has a required validation
+          const hasRequiredValidation = field.validations?.some(
+            (rule) => 'type' in rule && rule.type === 'required'
+          );
+
+          if (!hasRequiredValidation) {
+            // Add required validation
+            if (!field.validations) {
+              field.validations = [];
+            }
+            field.validations.unshift({
+              type: 'required',
+              message: `${field.label} is required`,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  /**
+   * Resolves the payload from the config.
+   * If the config.payload is a function, it's assumed to be a static payload
+   * (wizard payload resolution happens at the ProvisionForm level).
+   * This method just extracts the value.
+   */
+  #resolvePayload(payload: TPayload | ((wizardState: any) => TPayload)): TPayload {
+    // For V2Form, we expect the payload to already be resolved
+    // (either a static object or pre-resolved by the parent component)
+    const resolvePayload = typeof payload === 'function' ? payload({}) : payload;
+    return structuredClone(resolvePayload);
+  }
+
+  get config(): FormConfig<TPayload, TResponse> {
+    return this.#config;
+  }
+
+  get isValid(): boolean {
+    return this.validationErrors.size === 0;
+  }
+
+  /**
+   * Updates a property in the payload using dotted-path notation.
+   * Creates intermediate objects if they don't exist.
+   * Automatically validates the field after updating.
+   *
+   * @param propPath - Dotted-path to the property (e.g., "user.address.street")
+   * @param value - The new value for the property
+   */
+  set(propPath: string, value: unknown): void {
+    const nextPayload = structuredClone(this.payload);
+    set(nextPayload, propPath, value);
+    this.payload = nextPayload;
+    this.#pruneHiddenFieldErrors();
+    this.#validateField(propPath);
+  }
+
+  /**
+   * Get validation errors for a specific field
+   */
+  getErrors(propPath: string): string[] {
+    return this.validationErrors.get(propPath) ?? [];
+  }
+
+  /**
+   * Validate all fields in the form.
+   * Useful before form submission to show all validation errors.
+   */
+  validateForm(): { isValid: boolean } {
+    const errors = validateAllFields(this.#visibleFields, this.payload);
+    this.validationErrors = errors;
+
+    return {
+      isValid: this.isValid,
+    };
+  }
+
+  /**
+   * Submit the form after validation.
+   * Validates the entire form and calls the config's submit handler.
+   *
+   * @param api - The API service instance
+   * @returns Promise resolving to the API response
+   * @throws Error if form validation fails
+   */
+  async submit(api: ApiService): Promise<TResponse> {
+    const { isValid } = this.validateForm();
+
+    if (!isValid) {
+      throw new Error('Form validation failed');
+    }
+
+    return this.#config.submit(api, this.payload);
+  }
+
+  get #visibleFields(): FormField[] {
+    return this.#config.sections
+      .filter((section) => this.#isVisible(section.isVisible))
+      .flatMap((section) => section.fields.filter((field) => this.#isVisible(field.isVisible)));
+  }
+
+  #isVisible(rule?: VisibilityRule): boolean {
+    if (typeof rule === 'function') {
+      return rule(this.payload);
+    }
+
+    if (typeof rule === 'boolean') {
+      return rule;
+    }
+
+    return true;
+  }
+
+  #pruneHiddenFieldErrors(): void {
+    const visibleFieldNames = new Set(this.#visibleFields.map((field) => field.name));
+    const nextErrors = new Map(
+      [...this.validationErrors].filter(([fieldName]) => visibleFieldNames.has(fieldName))
+    );
+
+    if (nextErrors.size !== this.validationErrors.size) {
+      this.validationErrors = nextErrors;
+    }
+  }
+
+  /**
+   * Search through the config structure to find a field configuration object by its name.
+   */
+  #findField(propPath: string): FormField | null {
+    return this.#visibleFields.find((field) => field.name === propPath) ?? null;
+  }
+
+  #validateField(propPath: string): void {
+    const field = this.#findField(propPath);
+    if (!field) {
+      this.validationErrors.delete(propPath);
+      this.validationErrors = new Map(this.validationErrors);
+      return;
+    }
+
+    const value = get(this.payload, propPath) as FieldValue;
+    const errors = validateField(field, value, this.payload);
+
+    if (errors.length > 0) {
+      this.validationErrors.set(propPath, errors);
+    } else {
+      this.validationErrors.delete(propPath);
+    }
+
+    // Trigger reactivity by creating a new Map
+    this.validationErrors = new Map(this.validationErrors);
+  }
+}
diff --git a/ui/app/helpers/aws-regions.js b/ui/app/helpers/aws-regions.js
index 0a0467dbf1..b3cb79f1b4 100644
--- a/ui/app/helpers/aws-regions.js
+++ b/ui/app/helpers/aws-regions.js
@@ -7,25 +7,89 @@ import { helper as buildHelper } from '@ember/component/helper';
 
 //list from http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region
 const REGIONS = [
-  '', // initial region blank
-  'us-east-1',
-  'us-east-2',
-  'us-west-1',
-  'us-west-2',
-  'ca-central-1',
-  'ap-south-1',
-  'ap-northeast-1',
-  'ap-northeast-2',
-  'ap-southeast-1',
-  'ap-southeast-2',
-  'eu-central-1',
-  'eu-west-1',
-  'eu-west-2',
-  'sa-east-1',
+  {
+    group: 'Africa',
+    options: [{ value: 'af-south-1', displayName: 'Cape Town (af-south-1)' }],
+  },
+  {
+    group: 'Asia Pacific',
+    options: [
+      { value: 'ap-east-1', displayName: 'Hong Kong (ap-east-1)' },
+      { value: 'ap-east-2', displayName: 'Taipei (ap-east-2)' },
+      { value: 'ap-northeast-1', displayName: 'Tokyo (ap-northeast-1)' },
+      { value: 'ap-northeast-2', displayName: 'Seoul (ap-northeast-2)' },
+      { value: 'ap-northeast-3', displayName: 'Osaka (ap-northeast-3)' },
+      { value: 'ap-south-1', displayName: 'Mumbai (ap-south-1)' },
+      { value: 'ap-south-2', displayName: 'Hyderabad (ap-south-2)' },
+      { value: 'ap-southeast-1', displayName: 'Singapore (ap-southeast-1)' },
+      { value: 'ap-southeast-2', displayName: 'Sydney (ap-southeast-2)' },
+      { value: 'ap-southeast-3', displayName: 'Jakarta (ap-southeast-3)' },
+      { value: 'ap-southeast-4', displayName: 'Melbourne (ap-southeast-4)' },
+      { value: 'ap-southeast-5', displayName: 'Malaysia (ap-southeast-5)' },
+      { value: 'ap-southeast-6', displayName: 'New Zealand (ap-southeast-6)' },
+      { value: 'ap-southeast-7', displayName: 'Thailand (ap-southeast-7)' },
+    ],
+  },
+  {
+    group: 'Canada',
+    options: [
+      { value: 'ca-central-1', displayName: 'Central (ca-central-1)' },
+      { value: 'ca-west-1', displayName: 'Calgary (ca-west-1)' },
+    ],
+  },
+  {
+    group: 'Europe',
+    options: [
+      { value: 'eu-central-1', displayName: 'Frankfurt (eu-central-1)' },
+      { value: 'eu-central-2', displayName: 'Zurich (eu-central-2)' },
+      { value: 'eu-north-1', displayName: 'Stockholm (eu-north-1)' },
+      { value: 'eu-south-1', displayName: 'Milan (eu-south-1)' },
+      { value: 'eu-south-2', displayName: 'Spain (eu-south-2)' },
+      { value: 'eu-west-1', displayName: 'Ireland (eu-west-1)' },
+      { value: 'eu-west-2', displayName: 'London (eu-west-2)' },
+      { value: 'eu-west-3', displayName: 'Paris (eu-west-3)' },
+    ],
+  },
+  {
+    group: 'Israel',
+    options: [{ value: 'il-central-1', displayName: 'Tel Aviv (il-central-1)' }],
+  },
+  {
+    group: 'Mexico',
+    options: [{ value: 'mx-central-1', displayName: 'Central (mx-central-1)' }],
+  },
+  {
+    group: 'Middle East',
+    options: [
+      { value: 'me-central-1', displayName: 'UAE (me-central-1)' },
+      { value: 'me-south-1', displayName: 'Bahrain (me-south-1)' },
+    ],
+  },
+  {
+    group: 'South America',
+    options: [{ value: 'sa-east-1', displayName: 'São Paulo (sa-east-1)' }],
+  },
+  {
+    group: 'US East',
+    options: [
+      { value: 'us-east-1', displayName: 'N. Virginia (us-east-1)' },
+      { value: 'us-east-2', displayName: 'Ohio (us-east-2)' },
+    ],
+  },
+  {
+    group: 'US West',
+    options: [
+      { value: 'us-west-1', displayName: 'N. California (us-west-1)' },
+      { value: 'us-west-2', displayName: 'Oregon (us-west-2)' },
+    ],
+  },
 ];
 
 export function regions() {
-  return REGIONS.slice(0);
+  return REGIONS.map((regionGroup) => ({
+    ...regionGroup,
+    options: [...regionGroup.options],
+  }));
 }
 
 export default buildHelper(regions);
diff --git a/ui/app/helpers/engines-display-data.ts b/ui/app/helpers/engines-display-data.ts
index 4924e9a7e7..a71fe61517 100644
--- a/ui/app/helpers/engines-display-data.ts
+++ b/ui/app/helpers/engines-display-data.ts
@@ -3,60 +3,4 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { ALL_ENGINES, type EngineDisplayData } from 'vault/utils/all-engines-metadata';
-import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
-
-/**
- * Default metadata for unknown engine plugins
- */
-export const unknownEngineMetadata = (methodType?: string): EngineDisplayData => ({
-  type: methodType || 'unknown',
-  displayName: methodType || 'Unknown plugin',
-  glyph: 'lock',
-  mountCategory: ['secret', 'auth'],
-});
-
-/**
- * Helper function to retrieve engine metadata for a given `methodType`.
- * It searches the `ALL_ENGINES` array for an engine with a matching type and returns its metadata object.
- * The `ALL_ENGINES` array includes secret and auth engines, including those supported only in enterprise.
- * These details (such as mount type and enterprise licensing) are included in the returned engine object.
- *
- * For external plugins that have a builtin mapping (e.g., "vault-plugin-secrets-keymgmt" -> "keymgmt"),
- * this function returns the metadata for the corresponding builtin engine, preserving the original
- * external plugin name in the type field.
- *
- * Example usage:
- * const engineMetadata = engineDisplayData('kmip');
- * if (engineMetadata?.requiresEnterprise) {
- *   console.log(`This mount: ${engineMetadata.engineType} requires an enterprise license`);
- * }
- *
- * @param {string} methodType - The engine type (sometimes called backend) to look up (e.g., "aws", "azure", "vault-plugin-secrets-keymgmt").
- * @returns {Object} - The engine metadata, which includes information about its mount type (e.g., secret or auth)
- *   and whether it requires an enterprise license. For unknown engines, returns a default unknown plugin object.
- */
-export default function engineDisplayData(methodType: string): EngineDisplayData {
-  // First try to find an exact match
-  const builtinEngine = ALL_ENGINES?.find((t) => t.type === methodType);
-  if (builtinEngine) {
-    return builtinEngine;
-  }
-
-  // If no direct match, check if this is a known external plugin and use its builtin mapping
-  const effectiveType = getEffectiveEngineType(methodType);
-  if (effectiveType !== methodType) {
-    // This is a known external plugin with a builtin mapping
-    const mappedEngine = ALL_ENGINES?.find((t) => t.type === effectiveType);
-    if (mappedEngine) {
-      // Return the mapped engine metadata but preserve the original external plugin type
-      return {
-        ...mappedEngine,
-        type: methodType, // Keep the original external plugin name for identification
-      };
-    }
-  }
-
-  // Return default unknown plugin metadata
-  return unknownEngineMetadata(methodType);
-}
+export { default } from 'core/helpers/engines-display-data';
diff --git a/ui/app/models/identity/entity-merge.js b/ui/app/models/identity/entity-merge.js
index 6593b61a56..5122593bf9 100644
--- a/ui/app/models/identity/entity-merge.js
+++ b/ui/app/models/identity/entity-merge.js
@@ -12,10 +12,10 @@ export default IdentityModel.extend({
     return ['toEntityId', 'fromEntityIds', 'force'];
   }),
   toEntityId: attr('string', {
-    label: 'Entity to merge to',
+    label: 'Entity ID to merge to',
   }),
   fromEntityIds: attr({
-    label: 'Entities to merge from',
+    label: 'Entity IDs to merge from',
     editType: 'stringArray',
   }),
   force: attr('boolean', {
diff --git a/ui/app/models/keymgmt/key.js b/ui/app/models/keymgmt/key.js
deleted file mode 100644
index dca71b43e9..0000000000
--- a/ui/app/models/keymgmt/key.js
+++ /dev/null
@@ -1,134 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import { expandAttributeMeta } from 'vault/utils/field-to-attrs';
-import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
-
-export const KEY_TYPES = [
-  'aes256-gcm96',
-  'rsa-2048',
-  'rsa-3072',
-  'rsa-4096',
-  'ecdsa-p256',
-  'ecdsa-p384',
-  'ecdsa-p521',
-];
-export default class KeymgmtKeyModel extends Model {
-  @attr('string', {
-    label: 'Key name',
-    subText: 'This is the name of the key that shows in Vault.',
-  })
-  name;
-
-  @attr('string')
-  backend;
-
-  @attr('string', {
-    subText: 'The type of cryptographic key that will be created.',
-    possibleValues: KEY_TYPES,
-    defaultValue: 'rsa-2048',
-  })
-  type;
-
-  @attr('boolean', {
-    label: 'Allow deletion',
-    defaultValue: false,
-  })
-  deletionAllowed;
-
-  @attr('number', {
-    label: 'Current version',
-  })
-  latestVersion;
-
-  @attr('number', {
-    defaultValue: 0,
-    defaultShown: 'All versions enabled',
-  })
-  minEnabledVersion;
-
-  @attr('array')
-  versions;
-
-  // The following are calculated in serializer
-  @attr('date')
-  created;
-
-  @attr('date', {
-    defaultShown: 'Not yet rotated',
-  })
-  lastRotated;
-
-  // The following are from endpoints other than the main read one
-  @attr() provider; // string, or object with permissions error
-  @attr() distribution;
-
-  icon = 'key';
-
-  get hasVersions() {
-    return this.versions.length > 1;
-  }
-
-  get createFields() {
-    const createFields = ['name', 'type', 'deletionAllowed'];
-    return expandAttributeMeta(this, createFields);
-  }
-
-  get updateFields() {
-    return expandAttributeMeta(this, ['minEnabledVersion', 'deletionAllowed']);
-  }
-  get showFields() {
-    return expandAttributeMeta(this, [
-      'name',
-      'created',
-      'type',
-      'deletionAllowed',
-      'latestVersion',
-      'minEnabledVersion',
-      'lastRotated',
-    ]);
-  }
-
-  get keyTypeOptions() {
-    return expandAttributeMeta(this, ['type'])[0];
-  }
-
-  get distFields() {
-    return [
-      {
-        name: 'name',
-        type: 'string',
-        label: 'Distributed name',
-        subText: 'The name given to the key by the provider.',
-      },
-      { name: 'purpose', type: 'string', label: 'Key Purpose' },
-      { name: 'protection', type: 'string', subText: 'Where cryptographic operations are performed.' },
-    ];
-  }
-
-  @lazyCapabilities(apiPath`${'backend'}/key/${'id'}`, 'backend', 'id') keyPath;
-  @lazyCapabilities(apiPath`${'backend'}/key`, 'backend') keysPath;
-  @lazyCapabilities(apiPath`${'backend'}/key/${'id'}/kms`, 'backend', 'id') keyProvidersPath;
-
-  get canCreate() {
-    return this.keyPath.get('canCreate');
-  }
-  get canDelete() {
-    return this.keyPath.get('canDelete');
-  }
-  get canEdit() {
-    return this.keyPath.get('canUpdate');
-  }
-  get canRead() {
-    return this.keyPath.get('canRead');
-  }
-  get canList() {
-    return this.keysPath.get('canList');
-  }
-  get canListProviders() {
-    return this.keyProvidersPath.get('canList');
-  }
-}
diff --git a/ui/app/models/keymgmt/provider.js b/ui/app/models/keymgmt/provider.js
deleted file mode 100644
index c9f034615b..0000000000
--- a/ui/app/models/keymgmt/provider.js
+++ /dev/null
@@ -1,171 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import { tracked } from '@glimmer/tracking';
-import { expandAttributeMeta } from 'vault/utils/field-to-attrs';
-import { withModelValidations } from 'vault/decorators/model-validations';
-import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
-import { service } from '@ember/service';
-
-const CRED_PROPS = {
-  azurekeyvault: ['client_id', 'client_secret', 'tenant_id'],
-  awskms: ['access_key', 'secret_key', 'session_token', 'endpoint'],
-  gcpckms: ['service_account_file'],
-};
-
-const OPTIONAL_CRED_PROPS = ['session_token', 'endpoint'];
-
-// since we have dynamic credential attributes based on provider we need a dynamic presence validator
-// add validators for all cred props and return true for value if not associated with selected provider
-const credValidators = Object.keys(CRED_PROPS).reduce((obj, providerKey) => {
-  CRED_PROPS[providerKey].forEach((prop) => {
-    if (!OPTIONAL_CRED_PROPS.includes(prop)) {
-      obj[`credentials.${prop}`] = [
-        {
-          message: `${prop} is required`,
-          validator(model) {
-            return model.credentialProps.includes(prop) ? model.credentials[prop] : true;
-          },
-        },
-      ];
-    }
-  });
-  return obj;
-}, {});
-
-const validations = {
-  name: [{ type: 'presence', message: 'Provider name is required' }],
-  keyCollection: [{ type: 'presence', message: 'Key Vault instance name' }],
-  ...credValidators,
-};
-
-@withModelValidations(validations)
-export default class KeymgmtProviderModel extends Model {
-  @service pagination;
-  @attr('string') backend;
-  @attr('string', {
-    label: 'Provider name',
-    subText: 'This is the name of the provider that will be displayed in Vault. This cannot be edited later.',
-  })
-  name;
-
-  @attr('string', {
-    label: 'Type',
-    subText: 'Choose the provider type.',
-    possibleValues: ['azurekeyvault', 'awskms', 'gcpckms'],
-    noDefault: true,
-  })
-  provider;
-
-  @attr('string', {
-    label: 'Key Vault instance name',
-    subText: 'The name of a Key Vault instance must be supplied. This cannot be edited later.',
-  })
-  keyCollection;
-
-  idPrefix = 'provider/';
-  type = 'provider';
-
-  @tracked keys = [];
-  @tracked credentials = null; // never returned from API -- set only during create/edit
-
-  get icon() {
-    return {
-      azurekeyvault: 'azure-color',
-      awskms: 'aws-color',
-      gcpckms: 'gcp-color',
-    }[this.provider];
-  }
-  get typeName() {
-    return {
-      azurekeyvault: 'Azure Key Vault',
-      awskms: 'AWS Key Management Service',
-      gcpckms: 'Google Cloud Key Management Service',
-    }[this.provider];
-  }
-  get showFields() {
-    const attrs = expandAttributeMeta(this, ['name', 'keyCollection']);
-    attrs.splice(1, 0, { hasBlock: true, label: 'Type', value: this.typeName, icon: this.icon });
-    const l = this.keys.length;
-    const value = l
-      ? `${l} ${l > 1 ? 'keys' : 'key'}`
-      : this.canListKeys
-      ? 'None'
-      : 'You do not have permission to list keys';
-    attrs.push({ hasBlock: true, isLink: l, label: 'Keys', value });
-    return attrs;
-  }
-  get credentialProps() {
-    if (!this.provider) return [];
-    return CRED_PROPS[this.provider];
-  }
-  get credentialFields() {
-    const [creds, fields] = this.credentialProps.reduce(
-      ([creds, fields], prop) => {
-        creds[prop] = null;
-        const field = { name: `credentials.${prop}`, type: 'string', options: { label: prop } };
-        if (prop === 'service_account_file') {
-          field.options.subText = 'The path to a Google service account key file, not the file itself.';
-        }
-        fields.push(field);
-        return [creds, fields];
-      },
-      [{}, []]
-    );
-    this.credentials = creds;
-    return fields;
-  }
-  get createFields() {
-    return expandAttributeMeta(this, ['provider', 'name', 'keyCollection']);
-  }
-
-  async fetchKeys(page) {
-    if (this.canListKeys === false) {
-      this.keys = [];
-    } else {
-      // try unless capabilities returns false
-      try {
-        this.keys = await this.pagination.lazyPaginatedQuery('keymgmt/key', {
-          backend: this.backend,
-          provider: this.name,
-          responsePath: 'data.keys',
-          page: Number(page) || 1,
-        });
-      } catch (error) {
-        this.keys = [];
-        if (error.httpStatus !== 404) {
-          throw error;
-        }
-      }
-    }
-  }
-
-  @lazyCapabilities(apiPath`${'backend'}/kms/${'id'}`, 'backend', 'id') providerPath;
-  @lazyCapabilities(apiPath`${'backend'}/kms`, 'backend') providersPath;
-  @lazyCapabilities(apiPath`${'backend'}/kms/${'id'}/key`, 'backend', 'id') providerKeysPath;
-
-  get canCreate() {
-    return this.providerPath.get('canCreate');
-  }
-  get canDelete() {
-    return this.providerPath.get('canDelete');
-  }
-  get canEdit() {
-    return this.providerPath.get('canUpdate');
-  }
-  get canRead() {
-    return this.providerPath.get('canRead');
-  }
-  get canList() {
-    return this.providersPath.get('canList');
-  }
-  get canListKeys() {
-    return this.providerKeysPath.get('canList');
-  }
-  get canCreateKeys() {
-    return this.providerKeysPath.get('canCreate');
-  }
-}
diff --git a/ui/app/models/mfa-login-enforcement.js b/ui/app/models/mfa-login-enforcement.js
index 9bc2d4bd7d..d7cd19b176 100644
--- a/ui/app/models/mfa-login-enforcement.js
+++ b/ui/app/models/mfa-login-enforcement.js
@@ -6,11 +6,11 @@
 import Model, { attr, hasMany } from '@ember-data/model';
 import ArrayProxy from '@ember/array/proxy';
 import PromiseProxyMixin from '@ember/object/promise-proxy-mixin';
-import { withModelValidations } from 'vault/decorators/model-validations';
-import { isPresent } from '@ember/utils';
 import { service } from '@ember/service';
+import { isPresent } from '@ember/utils';
+import { filterEnginesByMountCategory } from 'core/utils/all-engines-metadata';
+import { withModelValidations } from 'vault/decorators/model-validations';
 import { addManyToArray, addToArray } from 'vault/helpers/add-to-array';
-import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
 
 const validations = {
   name: [{ type: 'presence', message: 'Name is required' }],
diff --git a/ui/app/models/oidc/client.js b/ui/app/models/oidc/client.js
deleted file mode 100644
index 256e92f0a2..0000000000
--- a/ui/app/models/oidc/client.js
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
-import { expandAttributeMeta } from 'vault/utils/field-to-attrs';
-import fieldToAttrs from 'vault/utils/field-to-attrs';
-import { withModelValidations } from 'vault/decorators/model-validations';
-
-const validations = {
-  name: [
-    { type: 'presence', message: 'Name is required.' },
-    {
-      type: 'containsWhiteSpace',
-      message: 'Name cannot contain whitespace.',
-    },
-  ],
-  key: [{ type: 'presence', message: 'Key is required.' }],
-};
-
-@withModelValidations(validations)
-export default class OidcClientModel extends Model {
-  @attr('string', { label: 'Application name', editDisabled: true }) name;
-  @attr('string', {
-    label: 'Type',
-    subText:
-      'Specify whether the application type is confidential or public. The public type must use PKCE. This cannot be edited later.',
-    editType: 'radio',
-    editDisabled: true,
-    defaultValue: 'confidential',
-    possibleValues: ['confidential', 'public'],
-  })
-  clientType;
-
-  @attr('array', {
-    label: 'Redirect URIs',
-    subText:
-      'One of these values must exactly match the redirect_uri parameter value used in each authentication request.',
-    editType: 'stringArray',
-  })
-  redirectUris;
-
-  // >> MORE OPTIONS TOGGLE <<
-
-  @attr('string', {
-    label: 'Signing key',
-    subText: 'Add a key to sign and verify the JSON web tokens (JWT). This cannot be edited later.',
-    editType: 'searchSelect',
-    editDisabled: true,
-    onlyAllowExisting: true,
-    defaultValue() {
-      return ['default'];
-    },
-    fallbackComponent: 'input-search',
-    selectLimit: 1,
-    models: ['oidc/key'],
-  })
-  key;
-  @attr({
-    label: 'Access Token TTL',
-    editType: 'ttl',
-    defaultValue: '24h',
-  })
-  accessTokenTtl;
-
-  @attr({
-    label: 'ID Token TTL',
-    editType: 'ttl',
-    defaultValue: '24h',
-  })
-  idTokenTtl;
-
-  // >> END MORE OPTIONS TOGGLE <<
-
-  @attr('array', { label: 'Assign access' }) assignments; // no editType because does not use form-field component
-  @attr('string', { label: 'Client ID' }) clientId;
-  @attr('string') clientSecret;
-
-  // TODO refactor when field-to-attrs util is refactored as decorator
-  _attributeMeta = null; // cache initial result of expandAttributeMeta in getter and return
-  get formFields() {
-    if (!this._attributeMeta) {
-      this._attributeMeta = expandAttributeMeta(this, ['name', 'clientType', 'redirectUris']);
-    }
-    return this._attributeMeta;
-  }
-
-  _fieldToAttrsGroups = null;
-  // more options fields
-  get fieldGroups() {
-    if (!this._fieldToAttrsGroups) {
-      this._fieldToAttrsGroups = fieldToAttrs(this, [
-        { 'More options': ['key', 'idTokenTtl', 'accessTokenTtl'] },
-      ]);
-    }
-    return this._fieldToAttrsGroups;
-  }
-
-  // CAPABILITIES //
-  @lazyCapabilities(apiPath`identity/oidc/client/${'name'}`, 'name') clientPath;
-  get canRead() {
-    return this.clientPath.get('canRead') !== false;
-  }
-  get canEdit() {
-    return this.clientPath.get('canUpdate') !== false;
-  }
-  get canDelete() {
-    return this.clientPath.get('canDelete') !== false;
-  }
-}
diff --git a/ui/app/models/oidc/provider.js b/ui/app/models/oidc/provider.js
deleted file mode 100644
index 07a5886930..0000000000
--- a/ui/app/models/oidc/provider.js
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
-import { expandAttributeMeta } from 'vault/utils/field-to-attrs';
-import { withModelValidations } from 'vault/decorators/model-validations';
-
-const validations = {
-  name: [
-    { type: 'presence', message: 'Name is required.' },
-    {
-      type: 'containsWhiteSpace',
-      message: 'Name cannot contain whitespace.',
-    },
-  ],
-};
-
-@withModelValidations(validations)
-export default class OidcProviderModel extends Model {
-  @attr('string', { editDisabled: true }) name;
-  @attr('string', {
-    subText:
-      'The scheme, host, and optional port for your issuer. This will be used to build the URL that validates ID tokens.',
-    placeholderText: 'e.g. https://example.com:8200',
-    docLink: '/vault/api-docs/secret/identity/oidc-provider#create-or-update-a-provider',
-    helpText: `Optional. This defaults to a URL with Vault's api_addr`,
-  })
-  issuer;
-
-  @attr('array', {
-    label: 'Supported scopes',
-    subText: 'Scopes define information about a user and the OIDC service. Optional.',
-    editType: 'searchSelect',
-    models: ['oidc/scope'],
-    fallbackComponent: 'string-list',
-    onlyAllowExisting: true,
-  })
-  scopesSupported;
-
-  @attr('array', { label: 'Allowed applications' }) allowedClientIds; // no editType because does not use form-field component
-
-  // TODO refactor when field-to-attrs is refactored as decorator
-  _attributeMeta = null; // cache initial result of expandAttributeMeta in getter and return
-  get formFields() {
-    if (!this._attributeMeta) {
-      this._attributeMeta = expandAttributeMeta(this, ['name', 'issuer', 'scopesSupported']);
-    }
-    return this._attributeMeta;
-  }
-
-  @lazyCapabilities(apiPath`identity/oidc/provider/${'name'}`, 'name') providerPath;
-  get canRead() {
-    return this.providerPath.get('canRead') !== false;
-  }
-  get canEdit() {
-    return this.providerPath.get('canUpdate') !== false;
-  }
-  get canDelete() {
-    return this.providerPath.get('canDelete') !== false;
-  }
-}
diff --git a/ui/app/models/oidc/scope.js b/ui/app/models/oidc/scope.js
deleted file mode 100644
index 3596518baf..0000000000
--- a/ui/app/models/oidc/scope.js
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
-import { expandAttributeMeta } from 'vault/utils/field-to-attrs';
-import { withModelValidations } from 'vault/decorators/model-validations';
-
-const validations = {
-  name: [{ type: 'presence', message: 'Name is required.' }],
-};
-
-@withModelValidations(validations)
-export default class OidcScopeModel extends Model {
-  @attr('string', { editDisabled: true }) name;
-  @attr('string', { editType: 'textarea' }) description;
-  @attr('string', { label: 'JSON Template', editType: 'json', mode: 'ruby' }) template;
-
-  // TODO refactor when field-to-attrs is refactored as decorator
-  _attributeMeta = null; // cache initial result of expandAttributeMeta in getter and return
-  get formFields() {
-    if (!this._attributeMeta) {
-      this._attributeMeta = expandAttributeMeta(this, ['name', 'description', 'template']);
-    }
-    return this._attributeMeta;
-  }
-
-  @lazyCapabilities(apiPath`identity/oidc/scope/${'name'}`, 'name') scopePath;
-  get canRead() {
-    return this.scopePath.get('canRead');
-  }
-  get canEdit() {
-    return this.scopePath.get('canUpdate');
-  }
-  get canDelete() {
-    return this.scopePath.get('canDelete');
-  }
-}
diff --git a/ui/app/models/role-ssh.js b/ui/app/models/role-ssh.js
deleted file mode 100644
index 3e0141cba2..0000000000
--- a/ui/app/models/role-ssh.js
+++ /dev/null
@@ -1,169 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import { alias } from '@ember/object/computed';
-import { computed } from '@ember/object';
-import fieldToAttrs, { expandAttributeMeta } from 'vault/utils/field-to-attrs';
-import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
-
-// these arrays define the order in which the fields will be displayed
-// see
-// https://github.com/hashicorp/vault/blob/main/builtin/logical/ssh/path_roles.go#L542 for list of fields for each key type
-const OTP_FIELDS = [
-  'name',
-  'keyType',
-  'defaultUser',
-  'adminUser',
-  'port',
-  'allowedUsers',
-  'cidrList',
-  'excludeCidrList',
-];
-const CA_FIELDS = [
-  'name',
-  'keyType',
-  'allowUserCertificates',
-  'allowHostCertificates',
-  'defaultUser',
-  'allowedUsers',
-  'allowedUsersTemplate',
-  'allowedDomains',
-  'allowedDomainsTemplate',
-  'ttl',
-  'maxTtl',
-  'allowedCriticalOptions',
-  'defaultCriticalOptions',
-  'allowedExtensions',
-  'defaultExtensions',
-  'allowBareDomains',
-  'allowSubdomains',
-  'allowEmptyPrincipals',
-  'allowUserKeyIds',
-  'keyIdFormat',
-  'notBeforeDuration',
-  'algorithmSigner',
-];
-
-export default Model.extend({
-  zeroAddress: attr('boolean', {
-    readOnly: true,
-  }),
-  backend: attr('string', {
-    readOnly: true,
-  }),
-  name: attr('string', {
-    label: 'Role Name',
-    fieldValue: 'name',
-    readOnly: true,
-  }),
-  keyType: attr('string', {
-    possibleValues: ['ca', 'otp'], //overriding the API which also lists 'dynamic' as a type though it is deprecated
-  }),
-  adminUser: attr('string', {
-    helpText: 'Username of the admin user at the remote host',
-  }),
-  defaultUser: attr('string', {
-    helpText: "Username to use when one isn't specified",
-  }),
-  allowedUsers: attr('string', {
-    helpText:
-      'Create a list of users who are allowed to use this key (e.g. `admin, dev`, or use `*` to allow all.)',
-  }),
-  allowedUsersTemplate: attr('boolean', {
-    helpText:
-      'Specifies that Allowed Users can be templated e.g. {{identity.entity.aliases.mount_accessor_xyz.name}}',
-  }),
-  allowedDomains: attr('string', {
-    helpText:
-      'List of domains for which a client can request a certificate (e.g. `example.com`, or `*` to allow all)',
-  }),
-  allowedDomainsTemplate: attr('boolean', {
-    helpText:
-      'Specifies that Allowed Domains can be set using identity template policies. Non-templated domains are also permitted.',
-  }),
-  cidrList: attr('string', {
-    helpText: 'List of CIDR blocks for which this role is applicable',
-  }),
-  excludeCidrList: attr('string', {
-    helpText: 'List of CIDR blocks that are not accepted by this role',
-  }),
-  port: attr('number', {
-    helpText: 'Port number for the SSH connection (default is `22`)',
-  }),
-  allowedCriticalOptions: attr('string', {
-    helpText: 'List of critical options that certificates have when signed',
-  }),
-  defaultCriticalOptions: attr('object', {
-    helpText: 'Map of critical options certificates should have if none are provided when signing',
-  }),
-  allowedExtensions: attr('string', {
-    helpText: 'List of extensions that certificates can have when signed',
-  }),
-  defaultExtensions: attr('object', {
-    helpText: 'Map of extensions certificates should have if none are provided when signing',
-  }),
-  allowUserCertificates: attr('boolean', {
-    helpText: 'Specifies if certificates are allowed to be signed for us as a user',
-  }),
-  allowHostCertificates: attr('boolean', {
-    helpText: 'Specifies if certificates are allowed to be signed for us as a host',
-  }),
-  allowBareDomains: attr('boolean', {
-    helpText:
-      'Specifies if host certificates that are requested are allowed to use the base domains listed in Allowed Domains',
-  }),
-  allowSubdomains: attr('boolean', {
-    helpText:
-      'Specifies if host certificates that are requested are allowed to be subdomains of those listed in Allowed Domains',
-  }),
-  allowEmptyPrincipals: attr('boolean', {
-    helpText:
-      'Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.',
-  }),
-  allowUserKeyIds: attr('boolean', {
-    helpText: 'Specifies if users can override the key ID for a signed certificate with the "key_id" field',
-  }),
-  keyIdFormat: attr('string', {
-    helpText: 'When supplied, this value specifies a custom format for the key id of a signed certificate',
-  }),
-  algorithmSigner: attr('string', {
-    helpText: 'When supplied, this value specifies a signing algorithm for the key',
-    possibleValues: ['default', 'ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512'],
-  }),
-
-  showFields: computed('keyType', function () {
-    const keyType = this.keyType;
-    const keys = keyType === 'ca' ? CA_FIELDS.slice(0) : OTP_FIELDS.slice(0);
-    return expandAttributeMeta(this, keys);
-  }),
-
-  fieldGroups: computed('keyType', function () {
-    const numRequired = this.keyType === 'otp' ? 3 : 4;
-    const fields = this.keyType === 'otp' ? [...OTP_FIELDS] : [...CA_FIELDS];
-    const defaultFields = fields.splice(0, numRequired);
-    const groups = [
-      { default: defaultFields },
-      {
-        Options: [...fields],
-      },
-    ];
-    return fieldToAttrs(this, groups);
-  }),
-
-  updatePath: lazyCapabilities(apiPath`${'backend'}/roles/${'id'}`, 'backend', 'id'),
-  canDelete: alias('updatePath.canDelete'),
-  canEdit: alias('updatePath.canUpdate'),
-  canRead: alias('updatePath.canRead'),
-
-  generatePath: lazyCapabilities(apiPath`${'backend'}/creds/${'id'}`, 'backend', 'id'),
-  canGenerate: alias('generatePath.canUpdate'),
-
-  signPath: lazyCapabilities(apiPath`${'backend'}/sign/${'id'}`, 'backend', 'id'),
-  canSign: alias('signPath.canUpdate'),
-
-  zeroAddressPath: lazyCapabilities(apiPath`${'backend'}/config/zeroaddress`, 'backend'),
-  canEditZeroAddress: alias('zeroAddressPath.canUpdate'),
-});
diff --git a/ui/app/models/secret-engine.js b/ui/app/models/secret-engine.js
index c6e798d248..22a80b693d 100644
--- a/ui/app/models/secret-engine.js
+++ b/ui/app/models/secret-engine.js
@@ -4,15 +4,14 @@
  */
 
 import Model, { attr, belongsTo } from '@ember-data/model';
-import { computed } from '@ember/object'; // eslint-disable-line
-import { equal } from '@ember/object/computed'; // eslint-disable-line
-import { withModelValidations } from 'vault/decorators/model-validations';
+import { ALL_ENGINES, isAddonEngine } from 'core/utils/all-engines-metadata';
 import { withExpandedAttributes } from 'vault/decorators/model-expanded-attributes';
-import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
-import { WHITESPACE_WARNING } from 'vault/utils/forms/validators';
-import { ALL_ENGINES, INTERNAL_ENGINE_TYPES, isAddonEngine } from 'vault/utils/all-engines-metadata';
-import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
+import { withModelValidations } from 'vault/decorators/model-validations';
 import engineDisplayData from 'vault/helpers/engines-display-data';
+import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
+import { INTERNAL_ENGINE_TYPES } from 'vault/utils/all-engines-metadata';
+import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
+import { WHITESPACE_WARNING } from 'vault/utils/forms/validators';
 
 const LINKED_BACKENDS = supportedSecretBackends();
 
@@ -271,13 +270,4 @@ export default class SecretEngineModel extends Model {
       },
     ];
   }
-
-  /* ACTIONS */
-  saveZeroAddressConfig() {
-    return this.save({
-      adapterOptions: {
-        adapterMethod: 'saveZeroAddressConfig',
-      },
-    });
-  }
 }
diff --git a/ui/app/models/ssh-otp-credential.js b/ui/app/models/ssh-otp-credential.js
deleted file mode 100644
index eef66abe14..0000000000
--- a/ui/app/models/ssh-otp-credential.js
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import { withExpandedAttributes } from 'vault/decorators/model-expanded-attributes';
-
-@withExpandedAttributes()
-export default class SshOtpCredential extends Model {
-  @attr('object', {
-    readOnly: true,
-  })
-  role;
-  @attr('string', {
-    label: 'IP Address',
-  })
-  ip;
-  @attr('string') username;
-  @attr('string', { masked: true }) key;
-  @attr('string') keyType;
-  @attr('number') port;
-
-  get toCreds() {
-    return this.key;
-  }
-}
diff --git a/ui/app/models/ssh-sign.js b/ui/app/models/ssh-sign.js
deleted file mode 100644
index 65d79680b0..0000000000
--- a/ui/app/models/ssh-sign.js
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import { computed } from '@ember/object';
-import { expandAttributeMeta } from 'vault/utils/field-to-attrs';
-const CREATE_FIELDS = [
-  'publicKey',
-  'keyId',
-  'validPrincipals',
-  'certType',
-  'criticalOptions',
-  'extensions',
-  'ttl',
-];
-
-const DISPLAY_FIELDS = ['signedKey', 'leaseId', 'renewable', 'leaseDuration', 'serialNumber'];
-
-export default Model.extend({
-  role: attr('object', {
-    readOnly: true,
-  }),
-  publicKey: attr('string', {
-    label: 'Public Key',
-    editType: 'textarea',
-  }),
-  ttl: attr({
-    label: 'TTL',
-    editType: 'ttl',
-  }),
-  validPrincipals: attr('string', {
-    helpText:
-      'Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals.',
-  }),
-  certType: attr('string', {
-    defaultValue: 'user',
-    label: 'Certificate Type',
-    possibleValues: ['user', 'host'],
-  }),
-  keyId: attr('string', {
-    label: 'Key ID',
-  }),
-  criticalOptions: attr('object'),
-  extensions: attr('object'),
-
-  leaseId: attr('string', {
-    label: 'Lease ID',
-  }),
-  renewable: attr('boolean'),
-  leaseDuration: attr('number'),
-  serialNumber: attr('string'),
-  signedKey: attr('string'),
-
-  attrs: computed('signedKey', function () {
-    const keys = this.signedKey ? DISPLAY_FIELDS.slice(0) : CREATE_FIELDS.slice(0);
-    return expandAttributeMeta(this, keys);
-  }),
-});
diff --git a/ui/app/models/totp-key.js b/ui/app/models/totp-key.js
deleted file mode 100644
index d7d95c2ac1..0000000000
--- a/ui/app/models/totp-key.js
+++ /dev/null
@@ -1,191 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Model, { attr } from '@ember-data/model';
-import { withFormFields } from 'vault/decorators/model-form-fields';
-import { withModelValidations } from 'vault/decorators/model-validations';
-import { withExpandedAttributes } from 'vault/decorators/model-expanded-attributes';
-import lazyCapabilities, { apiPath } from 'vault/macros/lazy-capabilities';
-import { isPresent } from '@ember/utils';
-
-const validations = {
-  accountName: [
-    {
-      validator(model) {
-        const { generate, accountName } = model;
-        // this is required when generate is true
-        return generate && !isPresent(accountName) ? false : true;
-      },
-      message: "Account name can't be blank when the key is generated by Vault.",
-    },
-    {
-      type: 'containsWhiteSpace',
-      message:
-        "Account name contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.",
-      level: 'warn',
-    },
-  ],
-  issuer: [
-    {
-      validator(model) {
-        const { generate, issuer } = model;
-        // this is required when generate is true
-        return generate && !isPresent(issuer) ? false : true;
-      },
-      message: "Issuer can't be blank when when the key is generated by Vault.",
-    },
-  ],
-  key: [
-    {
-      validator(model) {
-        const { generate, key, url } = model;
-        // this is required when generate is false and url is blank
-        return !generate && !isPresent(url) && !isPresent(key) ? false : true;
-      },
-      message: "Key can't be blank if key is being passed from another service and the URL is empty.",
-    },
-  ],
-  keySize: [{ type: 'number', message: 'Key size must be a number.' }],
-  name: [
-    { type: 'presence', message: "Name can't be blank." },
-    {
-      type: 'containsWhiteSpace',
-      message:
-        "Name contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.",
-      level: 'warn',
-    },
-  ],
-  qrSize: [{ type: 'number', message: 'QR size must be a number' }],
-};
-
-@withModelValidations(validations)
-@withExpandedAttributes()
-@withFormFields()
-export default class TotpKeyModel extends Model {
-  @attr('string', {
-    readOnly: true,
-  })
-  backend;
-
-  @attr('string', {
-    subText: 'Specifies the name for this key.',
-  })
-  name;
-
-  @attr('string', {
-    subText: 'The name of the account associated with the key. Required for keys generated by Vault.',
-  })
-  accountName;
-
-  @attr('string', {
-    possibleValues: ['SHA1', 'SHA256', 'SHA512'],
-    defaultValue: 'SHA1',
-  })
-  algorithm;
-
-  @attr('number', {
-    possibleValues: [6, 8],
-    defaultValue: 6,
-  })
-  digits;
-
-  @attr('string', {
-    subText: `The name of the key's issuing organization. Required for keys generated by Vault.`,
-  })
-  issuer;
-
-  @attr({
-    editType: 'ttl',
-    helperTextEnabled: 'How long each generated TOTP is valid.',
-    defaultValue: 30, // API accepts both an integer as seconds and string with unit e.g 30 || '30s'
-  })
-  period;
-
-  // The generate attr is a boolean. The generateString getter and setter is used only in forms to get and set the boolean via
-  // strings values. The payload params expect the attr to be a boolean value.
-  @attr({
-    label: 'Key Provider',
-    defaultValue: true,
-    editType: 'radio',
-    possibleValues: ['Vault', 'Other service'],
-    fieldValue: 'generateString',
-    subText: 'Specifies if the key should be generated by Vault or passed from another service.',
-  })
-  generate;
-
-  // Used when generate is true
-  @attr('number', {
-    defaultValue: 20,
-  })
-  keySize;
-
-  @attr('number', {
-    possibleValues: [0, 1],
-    defaultValue: 1,
-  })
-  skew;
-
-  @attr('boolean', {
-    editType: 'toggleButton',
-    defaultValue: true,
-    helperTextDisabled: 'Vault will not return QR code and url upon key creation.',
-    helperTextEnabled: 'QR code and URL will be returned upon generating a key.',
-  })
-  exported;
-
-  @attr('number', {
-    label: 'QR size',
-    defaultValue: 200,
-  })
-  qrSize;
-
-  // Used when generate is false
-  @attr('string', {
-    label: 'URL',
-    helpText:
-      'If a URL is provided the other fields can be left empty. E.g. otpauth://totp/Vault:test@test.com?secret=<your_secret>&issuer=Vault',
-    subText: 'The TOTP key url string that can be used to configure a key.',
-  })
-  url;
-
-  @attr('string', {
-    subText: 'The root key used to generate a TOTP code.',
-  })
-  key;
-
-  // Returned when a key is created as provider
-  @attr('string', {
-    readOnly: true,
-  })
-  barcode;
-
-  get attrs() {
-    const keys = ['accountName', 'name', 'algorithm', 'digits', 'issuer', 'period'];
-    return keys.map((k) => this.allByKey[k]);
-  }
-
-  get generatedAttrs() {
-    const keys = ['url'];
-    return keys.map((k) => this.allByKey[k]);
-  }
-
-  get generateString() {
-    return this.generate ? 'Vault' : 'Other service';
-  }
-
-  set generateString(value) {
-    this.generate = value === 'Vault' ? true : false;
-  }
-
-  @lazyCapabilities(apiPath`${'backend'}/keys/${'id'}`, 'backend', 'id') keyPath;
-
-  get canDelete() {
-    return this.keyPath.get('canDelete');
-  }
-
-  get canRead() {
-    return this.keyPath.get('canRead');
-  }
-}
diff --git a/ui/app/modifiers/carbon-chart.ts b/ui/app/modifiers/carbon-chart.ts
new file mode 100644
index 0000000000..e06de3ff63
--- /dev/null
+++ b/ui/app/modifiers/carbon-chart.ts
@@ -0,0 +1,65 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { modifier } from 'ember-modifier';
+import { SimpleBarChart, StackedBarChart, DonutChart } from '@carbon/charts';
+import type { BarChartOptions, DonutChartOptions } from '@carbon/charts/dist/interfaces';
+
+/**
+ * Chart type constants for Carbon Charts
+ */
+export const CHART_TYPES = {
+  SIMPLE_BAR: 'simple',
+  STACKED_BAR: 'stacked',
+  DONUT: 'donut',
+} as const;
+
+export type ChartType = (typeof CHART_TYPES)[keyof typeof CHART_TYPES];
+
+interface ChartDataPoint {
+  group: string;
+  value: number | null;
+  [key: string]: string | number | null;
+}
+
+interface CarbonChartModifierSignature {
+  Element: HTMLDivElement;
+  Args: {
+    Positional: [ChartDataPoint[], BarChartOptions | DonutChartOptions, ChartType];
+  };
+}
+
+/**
+ * Custom modifier for managing Carbon Chart lifecycle.
+ * Replaces the need for did-insert, did-update, and will-destroy render modifiers.
+ *
+ * @example
+ * ```hbs
+ * <div {{carbon-chart @chartData @chartOptions @chartType}}></div>
+ * ```
+ */
+const CHART_CLASS_MAP = {
+  [CHART_TYPES.SIMPLE_BAR]: SimpleBarChart,
+  [CHART_TYPES.STACKED_BAR]: StackedBarChart,
+  [CHART_TYPES.DONUT]: DonutChart,
+} as const;
+
+export default modifier<CarbonChartModifierSignature>((element, [chartData, chartOptions, chartType]) => {
+  let chart: SimpleBarChart | StackedBarChart | DonutChart | null = null;
+
+  if (chartData && Array.isArray(chartData) && chartData.length > 0) {
+    const ChartClass = CHART_CLASS_MAP[chartType];
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    chart = new ChartClass(element as HTMLDivElement, { data: chartData, options: chartOptions as any });
+  }
+
+  // Return cleanup function
+  return () => {
+    if (chart) {
+      chart.destroy();
+      chart = null;
+    }
+  };
+});
diff --git a/ui/app/resources/secrets/engine.ts b/ui/app/resources/secrets/engine.ts
index 0c522f0a1a..7f9dcd1181 100644
--- a/ui/app/resources/secrets/engine.ts
+++ b/ui/app/resources/secrets/engine.ts
@@ -3,14 +3,14 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { baseResourceFactory } from 'vault/resources/base-factory';
+import engineDisplayData from 'vault/helpers/engines-display-data';
 import {
   supportedSecretBackends,
   SupportedSecretBackendsEnum,
 } from 'vault/helpers/supported-secret-backends';
+import { baseResourceFactory } from 'vault/resources/base-factory';
 import { INTERNAL_ENGINE_TYPES, isAddonEngine } from 'vault/utils/all-engines-metadata';
 import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
-import engineDisplayData from 'vault/helpers/engines-display-data';
 
 import type { Mount } from 'vault/mount';
 
diff --git a/ui/app/router.js b/ui/app/router.js
index b8af919877..af00bd8a72 100644
--- a/ui/app/router.js
+++ b/ui/app/router.js
@@ -168,6 +168,7 @@ Router.map(function () {
         });
       });
       this.route('secrets-redirect', { path: '/secrets' }); // legacy redirect
+      this.route('secrets-redirect-with-path', { path: '/secrets/*path' }); // legacy redirect with wildcard to capture full path
       this.route('secrets', { path: '/secrets-engines' }, function () {
         this.route('enable', function () {
           this.route('create', { path: '/:mount_type' });
@@ -219,6 +220,9 @@ Router.map(function () {
         this.route('show', { path: '/:policy_name' });
         this.route('edit', { path: '/:policy_name/edit' });
       });
+      this.route('billing', function () {
+        this.route('overview');
+      });
       this.route('resilience-recovery');
       this.route('replication-dr-promote', function () {
         this.route('details');
diff --git a/ui/app/routes/application.js b/ui/app/routes/application.js
index e20aad6f13..c732460881 100644
--- a/ui/app/routes/application.js
+++ b/ui/app/routes/application.js
@@ -14,6 +14,7 @@ import ControlGroupError from 'vault/lib/control-group-error';
 export default class ApplicationRoute extends Route {
   @service analytics;
   @service controlGroup;
+  @service intl;
   @service('router') routing;
   @service('namespace') namespaceService;
   @service('flags') flagsService;
@@ -72,6 +73,7 @@ export default class ApplicationRoute extends Route {
   }
 
   beforeModel() {
+    this.intl.setLocale(['en-us']);
     return this.flagsService.fetchFeatureFlags();
   }
 
diff --git a/ui/app/routes/vault/cluster/access/identity/aliases/show.js b/ui/app/routes/vault/cluster/access/identity/aliases/show.js
index 31e9843987..769a0ac848 100644
--- a/ui/app/routes/vault/cluster/access/identity/aliases/show.js
+++ b/ui/app/routes/vault/cluster/access/identity/aliases/show.js
@@ -10,8 +10,8 @@ import Route from '@ember/routing/route';
 import { TABS } from 'vault/helpers/tabs-for-identity-show';
 import { service } from '@ember/service';
 
-export default Route.extend({
-  store: service(),
+export default class IdentityAliasesShowRoute extends Route {
+  @service store;
 
   model(params) {
     const { section } = params;
@@ -28,7 +28,7 @@ export default Route.extend({
       model: this.store.findRecord(modelType, params.item_alias_id),
       section,
     });
-  },
+  }
 
   setupController(controller, resolvedModel) {
     const { model, section } = resolvedModel;
@@ -36,5 +36,5 @@ export default Route.extend({
       model,
       section,
     });
-  },
-});
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/identity/index.js b/ui/app/routes/vault/cluster/access/identity/index.js
index b46df43db9..309a920370 100644
--- a/ui/app/routes/vault/cluster/access/identity/index.js
+++ b/ui/app/routes/vault/cluster/access/identity/index.js
@@ -4,11 +4,20 @@
  */
 
 import Route from '@ember/routing/route';
-import ListRoute from 'core/mixins/list-route';
 import { service } from '@ember/service';
+import { action } from '@ember/object';
 
-export default Route.extend(ListRoute, {
-  pagination: service(),
+export default class IdentityIndexRoute extends Route {
+  @service pagination;
+
+  queryParams = {
+    page: {
+      refreshModel: true,
+    },
+    pageFilter: {
+      refreshModel: true,
+    },
+  };
 
   model(params) {
     const itemType = this.modelFor('vault.cluster.access.identity');
@@ -27,24 +36,37 @@ export default Route.extend(ListRoute, {
           throw err;
         }
       });
-  },
+  }
 
-  setupController(controller) {
-    this._super(...arguments);
-    controller.set('identityType', this.modelFor('vault.cluster.access.identity'));
-  },
+  setupController(controller, resolvedModel) {
+    super.setupController(controller, resolvedModel);
+    const { pageFilter } = this.paramsFor(this.routeName);
+    controller.setProperties({
+      filter: pageFilter || '',
+      page: resolvedModel?.meta?.currentPage || 1,
+      identityType: this.modelFor('vault.cluster.access.identity'),
+    });
+  }
 
-  actions: {
-    willTransition(transition) {
-      window.scrollTo(0, 0);
-      if (transition.targetName !== this.routeName) {
-        this.pagination.clearDataset();
-      }
-      return true;
-    },
-    reload() {
+  resetController(controller, isExiting) {
+    if (isExiting) {
+      controller.set('pageFilter', null);
+      controller.set('filter', null);
+    }
+  }
+
+  @action
+  willTransition(transition) {
+    window.scrollTo(0, 0);
+    if (transition.targetName !== this.routeName) {
       this.pagination.clearDataset();
-      this.refresh();
-    },
-  },
-});
+    }
+    return true;
+  }
+
+  @action
+  reload() {
+    this.pagination.clearDataset();
+    this.refresh();
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/identity/show.js b/ui/app/routes/vault/cluster/access/identity/show.js
index 6c349f1ff2..d6d67fda93 100644
--- a/ui/app/routes/vault/cluster/access/identity/show.js
+++ b/ui/app/routes/vault/cluster/access/identity/show.js
@@ -11,9 +11,9 @@ import Route from '@ember/routing/route';
 import { TABS } from 'vault/helpers/tabs-for-identity-show';
 import { service } from '@ember/service';
 
-export default Route.extend({
-  router: service(),
-  store: service(),
+export default class IdentityShowRoute extends Route {
+  @service router;
+  @service store;
 
   model(params) {
     const { section } = params;
@@ -43,7 +43,7 @@ export default Route.extend({
       model,
       section,
     });
-  },
+  }
 
   activate() {
     // if we're just entering the route, and it's not a hard reload
@@ -54,14 +54,14 @@ export default Route.extend({
         this.controller.model.reload();
       });
     }
-  },
+  }
 
   afterModel(resolvedModel) {
     const { section, model } = resolvedModel;
     if (model?.identityType === 'group' && model?.type === 'internal' && section === 'aliases') {
       return this.router.transitionTo('vault.cluster.access.identity.show', model.id, 'details');
     }
-  },
+  }
 
   setupController(controller, resolvedModel) {
     const { model, section } = resolvedModel;
@@ -69,5 +69,5 @@ export default Route.extend({
       model,
       section,
     });
-  },
-});
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/mfa/enforcements/create.js b/ui/app/routes/vault/cluster/access/mfa/enforcements/create.js
index f6bf9b514c..cfbf01134f 100644
--- a/ui/app/routes/vault/cluster/access/mfa/enforcements/create.js
+++ b/ui/app/routes/vault/cluster/access/mfa/enforcements/create.js
@@ -5,11 +5,15 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { fetchMfaMethods } from 'vault/utils/mfa-login-enforcement-helpers';
+
+import MfaLoginEnforcementForm from 'vault/forms/mfa/login-enforcement';
 
 export default class MfaLoginEnforcementCreateRoute extends Route {
-  @service store;
+  @service api;
 
-  model() {
-    return this.store.createRecord('mfa-login-enforcement');
+  async model() {
+    const methods = await fetchMfaMethods(this.api);
+    return { form: new MfaLoginEnforcementForm({}, { isNew: true }), methods };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement.js b/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement.js
index 32bb8974fb..42ce49d99e 100644
--- a/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement.js
+++ b/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement.js
@@ -5,11 +5,16 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { prepareTargets, fetchMfaMethods } from 'vault/utils/mfa-login-enforcement-helpers';
 
 export default class MfaLoginEnforcementRoute extends Route {
-  @service store;
+  @service api;
 
-  model({ name }) {
-    return this.store.findRecord('mfa-login-enforcement', name);
+  async model({ name }) {
+    const { data } = await this.api.identity.mfaReadLoginEnforcement(name);
+    const targets = await prepareTargets(data, this.api);
+    const methods = await fetchMfaMethods(this.api);
+
+    return { enforcement: data, name, targets, methods };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement/edit.js b/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement/edit.js
index 198ce7c7c2..667200516c 100644
--- a/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement/edit.js
+++ b/ui/app/routes/vault/cluster/access/mfa/enforcements/enforcement/edit.js
@@ -4,5 +4,21 @@
  */
 
 import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import { fetchMfaMethods } from 'vault/utils/mfa-login-enforcement-helpers';
 
-export default class MfaLoginEnforcementEditRoute extends Route {}
+import MfaLoginEnforcementForm from 'vault/forms/mfa/login-enforcement';
+
+export default class MfaLoginEnforcementEditRoute extends Route {
+  @service api;
+
+  async model() {
+    const methods = await fetchMfaMethods(this.api);
+    const { enforcement } = this.modelFor('vault.cluster.access.mfa.enforcements.enforcement');
+    const selectedMethods = methods.filter((method) =>
+      (enforcement.mfa_method_ids || []).includes(method.id)
+    );
+    const formData = { ...enforcement, mfa_methods: selectedMethods };
+    return { form: new MfaLoginEnforcementForm(formData, { isNew: false }), methods, name: enforcement.name };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/mfa/enforcements/index.js b/ui/app/routes/vault/cluster/access/mfa/enforcements/index.js
index 5993d81690..52e7a43a91 100644
--- a/ui/app/routes/vault/cluster/access/mfa/enforcements/index.js
+++ b/ui/app/routes/vault/cluster/access/mfa/enforcements/index.js
@@ -5,25 +5,31 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { fetchMfaLoginEnforcements } from 'vault/utils/mfa-login-enforcement-helpers';
 
 export default class MfaEnforcementsRoute extends Route {
-  @service store;
+  @service api;
 
-  model() {
-    return this.store.query('mfa-login-enforcement', {}).catch((err) => {
-      if (err.httpStatus === 404) {
-        return [];
+  async model() {
+    try {
+      const enforcements = await fetchMfaLoginEnforcements(this.api);
+      return { enforcements };
+    } catch (err) {
+      const { status } = await this.api.parseError(err);
+      if (status === 404) {
+        return { enforcements: [] };
       } else {
         throw err;
       }
-    });
+    }
   }
+
   setupController(controller, model) {
     controller.set('model', model);
 
     controller.breadcrumbs = [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
-      { label: 'Mfa', route: 'vault.cluster.access.mfa' },
+      { label: 'Multi-factor authentication', route: 'vault.cluster.access.mfa' },
       { label: 'Enforcements' },
     ];
   }
diff --git a/ui/app/routes/vault/cluster/access/mfa/index.js b/ui/app/routes/vault/cluster/access/mfa/index.js
index b3c84b6248..753b14e4dd 100644
--- a/ui/app/routes/vault/cluster/access/mfa/index.js
+++ b/ui/app/routes/vault/cluster/access/mfa/index.js
@@ -8,17 +8,15 @@ import { service } from '@ember/service';
 
 export default class MfaConfigureRoute extends Route {
   @service router;
-  @service store;
+  @service api;
 
-  beforeModel() {
-    return this.store
-      .query('mfa-method', {})
-      .then(() => {
-        // if response then they should transition to the methods page instead of staying on the configure page.
-        this.router.transitionTo('vault.cluster.access.mfa.methods.index');
-      })
-      .catch(() => {
-        // stay on the landing page
-      });
+  async beforeModel() {
+    try {
+      // if response then they should transition to the methods page instead of staying on the configure page.
+      await this.api.identity.mfaListMethods(true);
+      this.router.transitionTo('vault.cluster.access.mfa.methods.index');
+    } catch (e) {
+      // stay on the landing page
+    }
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/mfa/methods/index.js b/ui/app/routes/vault/cluster/access/mfa/methods/index.js
index 9a4a94f337..ba39337df5 100644
--- a/ui/app/routes/vault/cluster/access/mfa/methods/index.js
+++ b/ui/app/routes/vault/cluster/access/mfa/methods/index.js
@@ -5,19 +5,26 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { fetchMfaMethods } from 'vault/utils/mfa-login-enforcement-helpers';
 
 export default class MfaMethodsRoute extends Route {
-  @service store;
   @service router;
+  @service api;
 
-  model() {
-    return this.store.query('mfa-method', {}).catch((err) => {
-      if (err.httpStatus === 404) {
-        return [];
+  async model() {
+    try {
+      const methods = await fetchMfaMethods(this.api);
+      return { methods };
+    } catch (err) {
+      const { status } = await this.api.parseError(err);
+      if (status === 404) {
+        this.router.transitionTo('vault.cluster.access.mfa.index');
+
+        return { methods: [] };
       } else {
         throw err;
       }
-    });
+    }
   }
 
   afterModel(model) {
@@ -25,12 +32,13 @@ export default class MfaMethodsRoute extends Route {
       this.router.transitionTo('vault.cluster.access.mfa');
     }
   }
+
   setupController(controller, model) {
     controller.set('model', model);
 
     controller.breadcrumbs = [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
-      { label: 'Mfa' },
+      { label: 'Multi-factor authentication' },
     ];
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/mfa/methods/method.js b/ui/app/routes/vault/cluster/access/mfa/methods/method.js
index dbd54e9da3..91be6e2b1e 100644
--- a/ui/app/routes/vault/cluster/access/mfa/methods/method.js
+++ b/ui/app/routes/vault/cluster/access/mfa/methods/method.js
@@ -6,27 +6,40 @@
 import Route from '@ember/routing/route';
 import { hash } from 'rsvp';
 import { service } from '@ember/service';
+import {
+  fetchMfaLoginEnforcements,
+  getMfaMethodName,
+  getMfaMethodIcon,
+} from 'vault/utils/mfa-login-enforcement-helpers';
 
 export default class MfaMethodRoute extends Route {
-  @service store;
+  @service api;
 
-  model({ id }) {
+  async model({ id }) {
+    let enforcements;
+    let method;
+    let error = [];
+
+    try {
+      method = await this.api.identity.mfaReadMethod(id);
+      method.data.displayName = getMfaMethodName(method.data.type);
+      method.data.icon = getMfaMethodIcon(method.data.type);
+
+      enforcements = await fetchMfaLoginEnforcements(this.api);
+    } catch (err) {
+      const { status } = await this.api.parseError(err);
+      if (status === 404) {
+        error = [];
+      } else {
+        throw err;
+      }
+    }
     return hash({
-      method: this.store.findRecord('mfa-method', id).then((data) => data),
-      enforcements: this.store
-        .query('mfa-login-enforcement', {})
-        .then((data) => {
-          const filteredEnforcements = data.filter((item) => {
-            const results = item.hasMany('mfa_methods').ids();
-            return results.includes(id);
-          });
-          return filteredEnforcements;
-        })
-        .catch(() => {
-          // Do nothing
-        }),
+      method: method.data || {},
+      enforcements: enforcements || error,
     });
   }
+
   setupController(controller, model) {
     controller.set('model', model);
   }
diff --git a/ui/app/routes/vault/cluster/access/mfa/methods/method/edit.js b/ui/app/routes/vault/cluster/access/mfa/methods/method/edit.js
index dd881a641e..94b0ebe661 100644
--- a/ui/app/routes/vault/cluster/access/mfa/methods/method/edit.js
+++ b/ui/app/routes/vault/cluster/access/mfa/methods/method/edit.js
@@ -4,5 +4,33 @@
  */
 
 import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import MfaCreateTotpMethodForm from 'vault/forms/mfa/method/totp';
+import MfaCreateDuoMethodForm from 'vault/forms/mfa/method/duo';
+import MfaCreateOktaMethodForm from 'vault/forms/mfa/method/okta';
+import MfaCreatePingIdMethodForm from 'vault/forms/mfa/method/ping-id';
 
-export default class MfaMethodEditRoute extends Route {}
+export default class MfaMethodEditRoute extends Route {
+  @service api;
+
+  async model() {
+    const { method } = this.modelFor('vault.cluster.access.mfa.methods.method');
+
+    let form;
+
+    if (method.type === 'totp') {
+      form = new MfaCreateTotpMethodForm(method, { isNew: false });
+    } else if (method.type === 'duo') {
+      form = new MfaCreateDuoMethodForm(method, { isNew: false });
+    } else if (method.type === 'okta') {
+      form = new MfaCreateOktaMethodForm(method, { isNew: false });
+    } else if (method.type === 'pingid') {
+      form = new MfaCreatePingIdMethodForm(method, { isNew: false });
+    }
+
+    return {
+      form,
+      method,
+    };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/namespaces/index.js b/ui/app/routes/vault/cluster/access/namespaces/index.js
index d302f59dc2..43c9ee015d 100644
--- a/ui/app/routes/vault/cluster/access/namespaces/index.js
+++ b/ui/app/routes/vault/cluster/access/namespaces/index.js
@@ -23,6 +23,9 @@ export default class NamespaceListRoute extends Route {
     page: {
       refreshModel: true,
     },
+    pageSize: {
+      refreshModel: true,
+    },
   };
 
   beforeModel() {
@@ -56,6 +59,8 @@ export default class NamespaceListRoute extends Route {
     const { pageFilter } = params;
     return hash({
       namespaces: this.fetchNamespaces(params),
+      page: Number(params?.page) || 1,
+      pageSize: Number(params?.pageSize) || 10,
       pageFilter,
     });
   }
diff --git a/ui/app/routes/vault/cluster/access/oidc/assignments.js b/ui/app/routes/vault/cluster/access/oidc/assignments.js
new file mode 100644
index 0000000000..6b7de5e099
--- /dev/null
+++ b/ui/app/routes/vault/cluster/access/oidc/assignments.js
@@ -0,0 +1,29 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import {
+  IdentityApiEntityListByIdListEnum,
+  IdentityApiGroupListByIdListEnum,
+} from '@hashicorp/vault-client-typescript';
+
+export default class OidcAssignmentsRoute extends Route {
+  @service api;
+
+  async model() {
+    // entities and groups are needed in the details, edit and create routes
+    // fetch them here and access them with modelFor in the child routes
+    const [entitiesResult, groupsResult] = await Promise.allSettled([
+      this.api.identity.entityListById(IdentityApiEntityListByIdListEnum.TRUE),
+      this.api.identity.groupListById(IdentityApiGroupListByIdListEnum.TRUE),
+    ]);
+
+    return {
+      entities: entitiesResult.status === 'fulfilled' ? this.api.keyInfoToArray(entitiesResult.value) : [],
+      groups: groupsResult.status === 'fulfilled' ? this.api.keyInfoToArray(groupsResult.value) : [],
+    };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/oidc/assignments/assignment.js b/ui/app/routes/vault/cluster/access/oidc/assignments/assignment.js
index e57099ec28..b6a44f46f7 100644
--- a/ui/app/routes/vault/cluster/access/oidc/assignments/assignment.js
+++ b/ui/app/routes/vault/cluster/access/oidc/assignments/assignment.js
@@ -7,9 +7,15 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class OidcAssignmentRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model({ name }) {
-    return this.store.findRecord('oidc/assignment', name);
+  async model({ name }) {
+    const { data } = await this.api.identity.oidcReadAssignment(name);
+    const capabilities = await this.capabilities.for('oidcAssignment', { name });
+    return {
+      assignment: { ...data, name },
+      capabilities,
+    };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/details.js b/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/details.js
index 16d1142225..52e4887ebb 100644
--- a/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/details.js
+++ b/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/details.js
@@ -4,5 +4,22 @@
  */
 
 import Route from '@ember/routing/route';
+import { service } from '@ember/service';
 
-export default class OidcAssignmentDetailsRoute extends Route {}
+export default class OidcAssignmentDetailsRoute extends Route {
+  @service api;
+
+  async model() {
+    const { entities, groups } = this.modelFor('vault.cluster.access.oidc.assignments');
+    const { assignment, capabilities } = this.modelFor('vault.cluster.access.oidc.assignments.assignment');
+    assignment.entities = assignment.entity_ids.map(
+      (id) => entities.find((entity) => entity.id === id)?.name ?? id
+    );
+    assignment.groups = assignment.group_ids.map((id) => groups.find((group) => group.id === id)?.name ?? id);
+
+    return {
+      assignment,
+      capabilities,
+    };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/edit.js b/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/edit.js
index bb57ef4f99..e1e1f243f3 100644
--- a/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/edit.js
+++ b/ui/app/routes/vault/cluster/access/oidc/assignments/assignment/edit.js
@@ -4,5 +4,16 @@
  */
 
 import Route from '@ember/routing/route';
+import OidcAssignmentForm from 'vault/forms/oidc/assignment';
 
-export default class OidcAssignmentEditRoute extends Route {}
+export default class OidcAssignmentEditRoute extends Route {
+  model() {
+    const { entities, groups } = this.modelFor('vault.cluster.access.oidc.assignments');
+    const { assignment } = this.modelFor('vault.cluster.access.oidc.assignments.assignment');
+    return {
+      form: new OidcAssignmentForm(assignment),
+      entities,
+      groups,
+    };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/oidc/assignments/create.js b/ui/app/routes/vault/cluster/access/oidc/assignments/create.js
index 5e8ceeb8e3..17f6ff6090 100644
--- a/ui/app/routes/vault/cluster/access/oidc/assignments/create.js
+++ b/ui/app/routes/vault/cluster/access/oidc/assignments/create.js
@@ -4,12 +4,15 @@
  */
 
 import Route from '@ember/routing/route';
-import { service } from '@ember/service';
+import OidcAssignmentForm from 'vault/forms/oidc/assignment';
 
 export default class OidcAssignmentsCreateRoute extends Route {
-  @service store;
-
   model() {
-    return this.store.createRecord('oidc/assignment');
+    const { entities, groups } = this.modelFor('vault.cluster.access.oidc.assignments');
+    return {
+      form: new OidcAssignmentForm({}, { isNew: true }),
+      entities,
+      groups,
+    };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/assignments/index.js b/ui/app/routes/vault/cluster/access/oidc/assignments/index.js
index f8ed5ff8ed..2003dfa89a 100644
--- a/ui/app/routes/vault/cluster/access/oidc/assignments/index.js
+++ b/ui/app/routes/vault/cluster/access/oidc/assignments/index.js
@@ -5,16 +5,34 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListAssignmentsListEnum } from '@hashicorp/vault-client-typescript';
 
-export default class OidcAssignmentsRoute extends Route {
-  @service store;
-  model() {
-    return this.store.query('oidc/assignment', {}).catch((err) => {
-      if (err.httpStatus === 404) {
-        return [];
+export default class OidcAssignmentsIndexRoute extends Route {
+  @service api;
+  @service capabilities;
+
+  async model() {
+    try {
+      const { keys: assignments } = await this.api.identity.oidcListAssignments(
+        IdentityApiOidcListAssignmentsListEnum.TRUE
+      );
+      const paths = assignments.map((name) => this.capabilities.pathFor('oidcAssignment', { name }));
+      const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+      return {
+        assignments,
+        capabilities,
+      };
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return {
+          assignments: [],
+          capabilities: {},
+        };
       } else {
-        throw err;
+        throw error;
       }
-    });
+    }
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/clients/client.js b/ui/app/routes/vault/cluster/access/oidc/clients/client.js
index d3fae5cb50..ba3cc56521 100644
--- a/ui/app/routes/vault/cluster/access/oidc/clients/client.js
+++ b/ui/app/routes/vault/cluster/access/oidc/clients/client.js
@@ -7,9 +7,12 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class OidcClientRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model({ name }) {
-    return this.store.findRecord('oidc/client', name);
+  async model({ name }) {
+    const { data } = await this.api.identity.oidcReadClient(name);
+    const capabilities = await this.capabilities.for('oidcClient', { name });
+    return { client: { ...data, name }, capabilities };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/clients/client/edit.js b/ui/app/routes/vault/cluster/access/oidc/clients/client/edit.js
index 4254750666..d1fc8bfc7f 100644
--- a/ui/app/routes/vault/cluster/access/oidc/clients/client/edit.js
+++ b/ui/app/routes/vault/cluster/access/oidc/clients/client/edit.js
@@ -4,5 +4,38 @@
  */
 
 import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import OidcClientForm from 'vault/forms/oidc/client';
+import {
+  IdentityApiOidcListAssignmentsListEnum,
+  IdentityApiOidcListKeysListEnum,
+} from '@hashicorp/vault-client-typescript';
 
-export default class OidcClientEditRoute extends Route {}
+export default class OidcClientEditRoute extends Route {
+  @service api;
+
+  async model() {
+    // fetch keys and assignments to populate SearchSelect
+    let keys = [];
+    let assignments = [];
+    try {
+      const { keys: keyItems } = await this.api.identity.oidcListKeys(IdentityApiOidcListKeysListEnum.TRUE);
+      const { keys: assignmentItems } = await this.api.identity.oidcListAssignments(
+        IdentityApiOidcListAssignmentsListEnum.TRUE
+      );
+      // SearchSelect requires options to be objects
+      keys = keyItems?.map((key) => ({ id: key }));
+      assignments = assignmentItems
+        ?.filter((assignment) => assignment !== 'allow_all')
+        ?.map((assignment) => ({ id: assignment }));
+    } catch (error) {
+      // swallow error and return empty array for keys
+    }
+    const { client } = this.modelFor('vault.cluster.access.oidc.clients.client');
+    return {
+      form: new OidcClientForm(client),
+      keys,
+      assignments,
+    };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/oidc/clients/client/providers.js b/ui/app/routes/vault/cluster/access/oidc/clients/client/providers.js
index e71e6628e9..3b5d0525a4 100644
--- a/ui/app/routes/vault/cluster/access/oidc/clients/client/providers.js
+++ b/ui/app/routes/vault/cluster/access/oidc/clients/client/providers.js
@@ -5,22 +5,36 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListProvidersListEnum } from '@hashicorp/vault-client-typescript';
 
 export default class OidcClientProvidersRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model() {
-    const model = this.modelFor('vault.cluster.access.oidc.clients.client');
-    return this.store
-      .query('oidc/provider', {
-        allowed_client_id: model.clientId,
-      })
-      .catch((err) => {
-        if (err.httpStatus === 404) {
-          return [];
-        } else {
-          throw err;
-        }
-      });
+  async model() {
+    try {
+      const { client } = this.modelFor('vault.cluster.access.oidc.clients.client');
+      const response = await this.api.identity.oidcListProviders(
+        IdentityApiOidcListProvidersListEnum.TRUE,
+        client.client_id // use allowed_client_id query param to filter providers for this client
+      );
+      const paths = response.keys.map((name) => this.capabilities.pathFor('oidcProvider', { name }));
+      const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+      return {
+        providers: this.api.keyInfoToArray(response, 'name'),
+        capabilities,
+      };
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return {
+          providers: [],
+          capabilities: {},
+        };
+      } else {
+        throw error;
+      }
+    }
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/clients/create.js b/ui/app/routes/vault/cluster/access/oidc/clients/create.js
index 2c03b11841..fb99f0cd90 100644
--- a/ui/app/routes/vault/cluster/access/oidc/clients/create.js
+++ b/ui/app/routes/vault/cluster/access/oidc/clients/create.js
@@ -5,11 +5,42 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import OidcClientForm from 'vault/forms/oidc/client';
+import {
+  IdentityApiOidcListAssignmentsListEnum,
+  IdentityApiOidcListKeysListEnum,
+} from '@hashicorp/vault-client-typescript';
 
 export default class OidcClientsCreateRoute extends Route {
-  @service store;
+  @service api;
 
-  model() {
-    return this.store.createRecord('oidc/client');
+  async model() {
+    // fetch keys and assignments to populate SearchSelect
+    let keys = [];
+    let assignments = [];
+    try {
+      const { keys: keyItems } = await this.api.identity.oidcListKeys(IdentityApiOidcListKeysListEnum.TRUE);
+      const { keys: assignmentItems } = await this.api.identity.oidcListAssignments(
+        IdentityApiOidcListAssignmentsListEnum.TRUE
+      );
+      // SearchSelect requires options to be objects
+      keys = keyItems?.map((key) => ({ id: key }));
+      assignments = assignmentItems
+        ?.filter((assignment) => assignment !== 'allow_all')
+        ?.map((assignment) => ({ id: assignment }));
+    } catch (error) {
+      // swallow error and return empty array for keys
+    }
+    const defaults = {
+      key: 'default',
+      id_token_ttl: '24h',
+      access_token_ttl: '24h',
+      client_type: 'confidential',
+    };
+    return {
+      form: new OidcClientForm(defaults, { isNew: true }),
+      keys,
+      assignments,
+    };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/clients/index.js b/ui/app/routes/vault/cluster/access/oidc/clients/index.js
index e481f36b6c..daa241011a 100644
--- a/ui/app/routes/vault/cluster/access/oidc/clients/index.js
+++ b/ui/app/routes/vault/cluster/access/oidc/clients/index.js
@@ -5,22 +5,38 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListClientsListEnum } from '@hashicorp/vault-client-typescript';
+
 export default class OidcClientsRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
   @service router;
 
-  model() {
-    return this.store.query('oidc/client', {}).catch((err) => {
-      if (err.httpStatus === 404) {
-        return [];
+  async model() {
+    try {
+      const response = await this.api.identity.oidcListClients(IdentityApiOidcListClientsListEnum.TRUE);
+      const paths = response.keys.map((name) => this.capabilities.pathFor('oidcClient', { name }));
+      const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+      return {
+        clients: this.api.keyInfoToArray(response, 'name'),
+        capabilities,
+      };
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return {
+          clients: [],
+          capabilities: {},
+        };
       } else {
-        throw err;
+        throw error;
       }
-    });
+    }
   }
 
   afterModel(model) {
-    if (model.length === 0) {
+    if (model.clients.length === 0) {
       this.router.transitionTo('vault.cluster.access.oidc');
     }
   }
diff --git a/ui/app/routes/vault/cluster/access/oidc/index.js b/ui/app/routes/vault/cluster/access/oidc/index.js
index 6410bcd097..3774b0a3a4 100644
--- a/ui/app/routes/vault/cluster/access/oidc/index.js
+++ b/ui/app/routes/vault/cluster/access/oidc/index.js
@@ -5,20 +5,21 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListClientsListEnum } from '@hashicorp/vault-client-typescript';
 
 export default class OidcConfigureRoute extends Route {
-  @service store;
+  @service api;
   @service router;
 
-  beforeModel() {
-    return this.store
-      .query('oidc/client', {})
-      .then(() => {
+  async beforeModel() {
+    try {
+      const { keys } = await this.api.identity.oidcListClients(IdentityApiOidcListClientsListEnum.TRUE);
+      if (keys?.length) {
         // transition to client list view if clients have been created
         this.router.transitionTo('vault.cluster.access.oidc.clients');
-      })
-      .catch(() => {
-        // adapter throws error for 404 - swallow and remain on index route to show call to action
-      });
+      }
+    } catch (e) {
+      // swallow error and remain on index route to show call to action
+    }
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/keys/create.js b/ui/app/routes/vault/cluster/access/oidc/keys/create.js
index fd277ee688..1632b1f444 100644
--- a/ui/app/routes/vault/cluster/access/oidc/keys/create.js
+++ b/ui/app/routes/vault/cluster/access/oidc/keys/create.js
@@ -5,11 +5,17 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import OidcKeyForm from 'vault/forms/oidc/key';
 
 export default class OidcKeysCreateRoute extends Route {
-  @service store;
+  @service api;
 
   model() {
-    return this.store.createRecord('oidc/key');
+    const defaultValues = {
+      algorithm: 'RS256',
+      rotation_period: '24h',
+      verification_ttl: '24h',
+    };
+    return new OidcKeyForm(defaultValues, { isNew: true });
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/keys/index.js b/ui/app/routes/vault/cluster/access/oidc/keys/index.js
index d0ea016332..796bc78efa 100644
--- a/ui/app/routes/vault/cluster/access/oidc/keys/index.js
+++ b/ui/app/routes/vault/cluster/access/oidc/keys/index.js
@@ -5,17 +5,32 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListKeysListEnum } from '@hashicorp/vault-client-typescript';
 
 export default class OidcKeysRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model() {
-    return this.store.query('oidc/key', {}).catch((err) => {
-      if (err.httpStatus === 404) {
-        return [];
+  async model() {
+    try {
+      const { keys } = await this.api.identity.oidcListKeys(IdentityApiOidcListKeysListEnum.TRUE);
+      const paths = keys.map((name) => this.capabilities.pathFor('oidcKey', { name }));
+      const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+      return {
+        keys,
+        capabilities,
+      };
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return {
+          keys: [],
+          capabilities: {},
+        };
       } else {
-        throw err;
+        throw error;
       }
-    });
+    }
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/keys/key.js b/ui/app/routes/vault/cluster/access/oidc/keys/key.js
index c3e183636b..9a85bf6178 100644
--- a/ui/app/routes/vault/cluster/access/oidc/keys/key.js
+++ b/ui/app/routes/vault/cluster/access/oidc/keys/key.js
@@ -7,9 +7,20 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class OidcKeyRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model({ name }) {
-    return this.store.findRecord('oidc/key', name);
+  async model({ name }) {
+    const { data } = await this.api.identity.oidcReadKey(name);
+    const { pathFor } = this.capabilities;
+    const paths = {
+      key: pathFor('oidcKey', { name }),
+      rotate: pathFor('oidcKeyRotate', { name }),
+    };
+    const capabilities = await this.capabilities.fetch(Object.values(paths));
+    return {
+      key: { ...data, name },
+      capabilities: { ...capabilities[paths.key], canRotate: capabilities[paths.rotate].canUpdate },
+    };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/keys/key/clients.js b/ui/app/routes/vault/cluster/access/oidc/keys/key/clients.js
index e446d75c12..1ae5b12394 100644
--- a/ui/app/routes/vault/cluster/access/oidc/keys/key/clients.js
+++ b/ui/app/routes/vault/cluster/access/oidc/keys/key/clients.js
@@ -5,12 +5,24 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListClientsListEnum } from '@hashicorp/vault-client-typescript';
 
 export default class OidcKeyClientsRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
   async model() {
-    const { allowedClientIds } = this.modelFor('vault.cluster.access.oidc.keys.key');
-    return await this.store.query('oidc/client', { paramKey: 'client_id', filterFor: allowedClientIds });
+    const { key } = this.modelFor('vault.cluster.access.oidc.keys.key');
+    const response = await this.api.identity.oidcListClients(IdentityApiOidcListClientsListEnum.TRUE);
+    const clients = this.api.keyInfoToArray(response, 'name');
+    // filter clients based on allowed_client_ids of provider
+    const filteredClients = key.allowed_client_ids.includes('*')
+      ? clients
+      : clients.filter((client) => key.allowed_client_ids.includes(client.client_id));
+    // fetch capabilities for filtered clients
+    const paths = filteredClients.map(({ name }) => this.capabilities.pathFor('oidcClient', { name }));
+    const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+    return { clients: filteredClients, capabilities };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/keys/key/edit.js b/ui/app/routes/vault/cluster/access/oidc/keys/key/edit.js
index 6306d2b7b4..99cc3dd2d2 100644
--- a/ui/app/routes/vault/cluster/access/oidc/keys/key/edit.js
+++ b/ui/app/routes/vault/cluster/access/oidc/keys/key/edit.js
@@ -4,5 +4,24 @@
  */
 
 import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import { IdentityApiOidcListClientsListEnum } from '@hashicorp/vault-client-typescript';
+import OidcKeyForm from 'vault/forms/oidc/key';
 
-export default class OidcKeyEditRoute extends Route {}
+export default class OidcKeyEditRoute extends Route {
+  @service api;
+
+  async model() {
+    const { key } = this.modelFor('vault.cluster.access.oidc.keys.key');
+    // fetch clients to populate dropdown in form
+    const response = await this.api.identity.oidcListClients(IdentityApiOidcListClientsListEnum.TRUE);
+    const clients = this.api.keyInfoToArray(response, 'name');
+    // filter clients that are associated with this key
+    const filteredClients = clients.filter((client) => client.key === key.name);
+
+    return {
+      clients: filteredClients,
+      form: new OidcKeyForm(key),
+    };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/oidc/providers/create.js b/ui/app/routes/vault/cluster/access/oidc/providers/create.js
index 115724144f..1e7fded339 100644
--- a/ui/app/routes/vault/cluster/access/oidc/providers/create.js
+++ b/ui/app/routes/vault/cluster/access/oidc/providers/create.js
@@ -5,11 +5,30 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import OidcProviderForm from 'vault/forms/oidc/provider';
+import {
+  IdentityApiOidcListScopesListEnum,
+  IdentityApiOidcListClientsListEnum,
+} from '@hashicorp/vault-client-typescript';
 
 export default class OidcProvidersCreateRoute extends Route {
-  @service store;
+  @service api;
 
-  model() {
-    return this.store.createRecord('oidc/provider');
+  async model() {
+    // fetch scopes and clients to populate dropdowns in form
+    const [scopesResult, clientsResult] = await Promise.allSettled([
+      this.api.identity.oidcListScopes(IdentityApiOidcListScopesListEnum.TRUE),
+      this.api.identity.oidcListClients(IdentityApiOidcListClientsListEnum.TRUE),
+    ]);
+
+    // SearchSelect requires options to be objects.
+    const scopes = scopesResult.value?.keys?.map((key) => ({ id: key })) ?? [];
+    const clients = this.api.keyInfoToArray(clientsResult.value, 'name');
+
+    return {
+      form: new OidcProviderForm({}, { isNew: true }),
+      scopes,
+      clients,
+    };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/providers/index.js b/ui/app/routes/vault/cluster/access/oidc/providers/index.js
index fab51bf8b6..fb30275d95 100644
--- a/ui/app/routes/vault/cluster/access/oidc/providers/index.js
+++ b/ui/app/routes/vault/cluster/access/oidc/providers/index.js
@@ -5,17 +5,32 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListProvidersListEnum } from '@hashicorp/vault-client-typescript';
 
 export default class OidcProvidersRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model() {
-    return this.store.query('oidc/provider', {}).catch((err) => {
-      if (err.httpStatus === 404) {
-        return [];
+  async model() {
+    try {
+      const response = await this.api.identity.oidcListProviders(IdentityApiOidcListProvidersListEnum.TRUE);
+      const paths = response.keys.map((name) => this.capabilities.pathFor('oidcProvider', { name }));
+      const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+      return {
+        providers: this.api.keyInfoToArray(response, 'name'),
+        capabilities,
+      };
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return {
+          providers: [],
+          capabilities: {},
+        };
       } else {
-        throw err;
+        throw error;
       }
-    });
+    }
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/providers/provider.js b/ui/app/routes/vault/cluster/access/oidc/providers/provider.js
index 691090265b..6db57982e0 100644
--- a/ui/app/routes/vault/cluster/access/oidc/providers/provider.js
+++ b/ui/app/routes/vault/cluster/access/oidc/providers/provider.js
@@ -7,9 +7,12 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class OidcProviderRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model({ name }) {
-    return this.store.findRecord('oidc/provider', name);
+  async model({ name }) {
+    const { data } = await this.api.identity.oidcReadProvider(name);
+    const capabilities = await this.capabilities.for('oidcProvider', { name });
+    return { provider: { ...data, name }, capabilities };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/providers/provider/clients.js b/ui/app/routes/vault/cluster/access/oidc/providers/provider/clients.js
index a74a5d4fa9..b8aa571d9f 100644
--- a/ui/app/routes/vault/cluster/access/oidc/providers/provider/clients.js
+++ b/ui/app/routes/vault/cluster/access/oidc/providers/provider/clients.js
@@ -5,12 +5,24 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListClientsListEnum } from '@hashicorp/vault-client-typescript';
 
 export default class OidcProviderClientsRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
   async model() {
-    const { allowedClientIds } = this.modelFor('vault.cluster.access.oidc.providers.provider');
-    return await this.store.query('oidc/client', { paramKey: 'client_id', filterFor: allowedClientIds });
+    const { provider } = this.modelFor('vault.cluster.access.oidc.providers.provider');
+    const response = await this.api.identity.oidcListClients(IdentityApiOidcListClientsListEnum.TRUE);
+    const clients = this.api.keyInfoToArray(response, 'name');
+    // filter clients based on allowed_client_ids of provider
+    const filteredClients = provider.allowed_client_ids.includes('*')
+      ? clients
+      : clients.filter((client) => provider.allowed_client_ids.includes(client.client_id));
+    // fetch capabilities for filtered clients
+    const paths = filteredClients.map(({ name }) => this.capabilities.pathFor('oidcClient', { name }));
+    const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+    return { clients: filteredClients, capabilities };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/providers/provider/edit.js b/ui/app/routes/vault/cluster/access/oidc/providers/provider/edit.js
index 3b98d8435a..3a5b55391c 100644
--- a/ui/app/routes/vault/cluster/access/oidc/providers/provider/edit.js
+++ b/ui/app/routes/vault/cluster/access/oidc/providers/provider/edit.js
@@ -4,5 +4,38 @@
  */
 
 import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import OidcProviderForm from 'vault/forms/oidc/provider';
+import {
+  IdentityApiOidcListScopesListEnum,
+  IdentityApiOidcListClientsListEnum,
+} from '@hashicorp/vault-client-typescript';
+import parseURL from 'core/utils/parse-url';
 
-export default class OidcProviderEditRoute extends Route {}
+export default class OidcProviderEditRoute extends Route {
+  @service api;
+
+  async model() {
+    // fetch scopes and clients to populate dropdowns in form
+    const [scopesResult, clientsResult] = await Promise.allSettled([
+      this.api.identity.oidcListScopes(IdentityApiOidcListScopesListEnum.TRUE),
+      this.api.identity.oidcListClients(IdentityApiOidcListClientsListEnum.TRUE),
+    ]);
+
+    // SearchSelect requires options to be objects.
+    const scopes = scopesResult.value?.keys?.map((key) => ({ id: key })) ?? [];
+    const clients = this.api.keyInfoToArray(clientsResult.value, 'name');
+    const { provider } = this.modelFor('vault.cluster.access.oidc.providers.provider');
+    // parse issuer to only include scheme, host, and port for form field
+    const formData = {
+      ...provider,
+      issuer: provider.issuer ? parseURL(provider.issuer).origin : '',
+    };
+
+    return {
+      form: new OidcProviderForm(formData),
+      scopes,
+      clients,
+    };
+  }
+}
diff --git a/ui/app/routes/vault/cluster/access/oidc/scopes/create.js b/ui/app/routes/vault/cluster/access/oidc/scopes/create.js
index 91db3f0aef..cb1641de76 100644
--- a/ui/app/routes/vault/cluster/access/oidc/scopes/create.js
+++ b/ui/app/routes/vault/cluster/access/oidc/scopes/create.js
@@ -4,12 +4,10 @@
  */
 
 import Route from '@ember/routing/route';
-import { service } from '@ember/service';
+import OidcScopeForm from 'vault/forms/oidc/scope';
 
 export default class OidcScopesCreateRoute extends Route {
-  @service store;
-
   model() {
-    return this.store.createRecord('oidc/scope');
+    return new OidcScopeForm({}, { isNew: true });
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/scopes/index.js b/ui/app/routes/vault/cluster/access/oidc/scopes/index.js
index 514fe112c6..2a3333ee87 100644
--- a/ui/app/routes/vault/cluster/access/oidc/scopes/index.js
+++ b/ui/app/routes/vault/cluster/access/oidc/scopes/index.js
@@ -5,17 +5,32 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
+import { IdentityApiOidcListScopesListEnum } from '@hashicorp/vault-client-typescript';
 
 export default class OidcScopesRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model() {
-    return this.store.query('oidc/scope', {}).catch((err) => {
-      if (err.httpStatus === 404) {
-        return [];
+  async model() {
+    try {
+      const { keys: scopes } = await this.api.identity.oidcListScopes(IdentityApiOidcListScopesListEnum.TRUE);
+      const paths = scopes.map((name) => this.capabilities.pathFor('oidcScope', { name }));
+      const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+      return {
+        scopes,
+        capabilities,
+      };
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return {
+          scopes: [],
+          capabilities: {},
+        };
       } else {
-        throw err;
+        throw error;
       }
-    });
+    }
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/scopes/scope.js b/ui/app/routes/vault/cluster/access/oidc/scopes/scope.js
index f586dbfcc0..e4bb9a4450 100644
--- a/ui/app/routes/vault/cluster/access/oidc/scopes/scope.js
+++ b/ui/app/routes/vault/cluster/access/oidc/scopes/scope.js
@@ -7,9 +7,15 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class OidcScopeRoute extends Route {
-  @service store;
+  @service api;
+  @service capabilities;
 
-  model({ name }) {
-    return this.store.findRecord('oidc/scope', name);
+  async model({ name }) {
+    const { data } = await this.api.identity.oidcReadScope(name);
+    const capabilities = await this.capabilities.for('oidcScope', { name });
+    return {
+      scope: { ...data, name },
+      capabilities,
+    };
   }
 }
diff --git a/ui/app/routes/vault/cluster/access/oidc/scopes/scope/edit.js b/ui/app/routes/vault/cluster/access/oidc/scopes/scope/edit.js
index 339756fb37..3be895fe5a 100644
--- a/ui/app/routes/vault/cluster/access/oidc/scopes/scope/edit.js
+++ b/ui/app/routes/vault/cluster/access/oidc/scopes/scope/edit.js
@@ -4,5 +4,11 @@
  */
 
 import Route from '@ember/routing/route';
+import OidcScopeForm from 'vault/forms/oidc/scope';
 
-export default class OidcScopeEditRoute extends Route {}
+export default class OidcScopeEditRoute extends Route {
+  model() {
+    const { scope } = this.modelFor('vault.cluster.access.oidc.scopes.scope');
+    return new OidcScopeForm(scope);
+  }
+}
diff --git a/ui/app/routes/vault/cluster/billing/overview.ts b/ui/app/routes/vault/cluster/billing/overview.ts
new file mode 100644
index 0000000000..bba04f69bb
--- /dev/null
+++ b/ui/app/routes/vault/cluster/billing/overview.ts
@@ -0,0 +1,42 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import RouterService from '@ember/routing/router-service';
+import { computeNavBar, RouteName } from 'core/helpers/display-nav-item';
+
+import type ApiService from 'vault/services/api';
+import type Controller from '@ember/controller';
+import type { Breadcrumb } from 'vault/vault/app-types';
+import type { Month } from 'vault/vault/billing/overview';
+
+interface RouteController extends Controller {
+  breadcrumbs: Array<Breadcrumb>;
+  pollBillingOverview: ReturnType<typeof import('ember-concurrency').task>;
+  fetchBillingMetrics: () => Promise<Month[]>;
+  months: Month[];
+}
+
+export default class BillingOverviewRoute extends Route {
+  @service declare readonly router: RouterService;
+  @service declare readonly api: ApiService;
+
+  beforeModel() {
+    // if the route does not have the required permissions, redirect to the cluster dashboard
+    if (!computeNavBar(this, RouteName.BILLING_DASHBOARD)) {
+      this.router.replaceWith('vault.cluster.dashboard');
+    }
+  }
+
+  setupController(controller: RouteController, resolvedModel: Month[]) {
+    super.setupController(controller, resolvedModel);
+
+    controller.breadcrumbs = [
+      { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
+      { label: 'Billing metrics' },
+    ];
+  }
+}
diff --git a/ui/app/routes/vault/cluster/clients.ts b/ui/app/routes/vault/cluster/clients.ts
index 8a2747e7e2..22686fd7bc 100644
--- a/ui/app/routes/vault/cluster/clients.ts
+++ b/ui/app/routes/vault/cluster/clients.ts
@@ -9,7 +9,7 @@ import { ModelFrom } from 'vault/route';
 
 import type ApiService from 'vault/services/api';
 import type CapabilitiesService from 'vault/services/capabilities';
-import { VersionHistoryListEnum } from '@hashicorp/vault-client-typescript';
+import { SystemApiVersionHistoryListEnum } from '@hashicorp/vault-client-typescript';
 
 export type ClientsRouteModel = ModelFrom<ClientsRoute>;
 
@@ -20,7 +20,9 @@ export default class ClientsRoute extends Route {
   async model() {
     const { canRead: canReadConfig, canUpdate: canUpdateConfig } =
       await this.capabilities.for('clientsConfig');
-    const response = await this.api.sys.versionHistory(VersionHistoryListEnum.TRUE).catch(() => undefined);
+    const response = await this.api.sys
+      .versionHistory(SystemApiVersionHistoryListEnum.TRUE)
+      .catch(() => undefined);
     const versionHistory = response ? this.api.keyInfoToArray(response, 'version') : [];
     const config = await this.api.sys.internalClientActivityReadConfiguration().catch(() => ({}));
     return { canReadConfig, canUpdateConfig, versionHistory, config };
diff --git a/ui/app/routes/vault/cluster/policies/create.js b/ui/app/routes/vault/cluster/policies/create.js
index 2a704762fe..6d4c017034 100644
--- a/ui/app/routes/vault/cluster/policies/create.js
+++ b/ui/app/routes/vault/cluster/policies/create.js
@@ -6,18 +6,27 @@
 import { service } from '@ember/service';
 import Route from '@ember/routing/route';
 import UnsavedModelRoute from 'vault/mixins/unsaved-model-route';
+import PolicyForm from 'vault/forms/policy';
 
 export default Route.extend(UnsavedModelRoute, {
   router: service(),
-  store: service(),
+  api: service(),
   version: service(),
 
-  model() {
+  async model() {
     const policyType = this.policyType();
     if (!this.version.hasSentinel && policyType !== 'acl') {
       return this.router.transitionTo('vault.cluster.policies', policyType);
     }
-    return this.store.createRecord(`policy/${policyType}`, {});
+
+    const form = new PolicyForm(
+      {
+        enforcement_level: 'hard-mandatory',
+      },
+      { isNew: true }
+    );
+    form.policyType = policyType;
+    return form;
   },
 
   setupController(controller) {
diff --git a/ui/app/routes/vault/cluster/policies/index.js b/ui/app/routes/vault/cluster/policies/index.js
index 4398e3ff1d..803d35dcb3 100644
--- a/ui/app/routes/vault/cluster/policies/index.js
+++ b/ui/app/routes/vault/cluster/policies/index.js
@@ -6,34 +6,63 @@
 import { service } from '@ember/service';
 import Route from '@ember/routing/route';
 import ListRoute from 'core/mixins/list-route';
+import { paginate } from 'core/utils/paginate-list';
 
 export default Route.extend(ListRoute, {
   pagination: service(),
+  api: service(),
   version: service(),
+  capabilities: service(),
 
   shouldReturnEmptyModel(policyType, version) {
     return policyType !== 'acl' && (version.isCommunity || !version.hasSentinel);
   },
 
-  model(params) {
+  async model(params) {
     const policyType = this.policyType();
     if (this.shouldReturnEmptyModel(policyType, this.version)) {
       return;
     }
-    return this.pagination
-      .lazyPaginatedQuery(`policy/${policyType}`, {
+    try {
+      const { keys } = await this.getPolicies(policyType);
+      const paginated = paginate(keys, {
         page: params.page,
-        pageFilter: params.pageFilter,
-        responsePath: 'data.keys',
-      })
-      .catch((err) => {
-        // acls will never be empty, but sentinel policies can be
-        if (err.httpStatus === 404 && this.policyType() !== 'acl') {
-          return [];
-        } else {
-          throw err;
-        }
+        filter: params.pageFilter,
       });
+
+      const paths = paginated.map((id) =>
+        this.capabilities.pathFor('policy', { policyType: this.policyType(), id })
+      );
+      const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+
+      const policies = paginated.map((name, i) => {
+        return {
+          name,
+          capabilities: capabilities[paths[i]] || null,
+          policyType,
+        };
+      });
+      policies.meta = paginated.meta;
+      return policies;
+    } catch (err) {
+      const { status } = await this.api.parseError(err);
+      // acls will never be empty, but sentinel policies can be
+      if (status === 404 && policyType !== 'acl') {
+        return [];
+      } else {
+        throw err;
+      }
+    }
+  },
+
+  async getPolicies(policyType) {
+    if (policyType === 'rgp') {
+      return this.api.sys.systemListPoliciesRgp(true);
+    } else if (policyType === 'egp') {
+      return this.api.sys.systemListPoliciesEgp(true);
+    } else {
+      return this.api.sys.policiesListAclPolicies(true);
+    }
   },
 
   setupController(controller, model) {
diff --git a/ui/app/routes/vault/cluster/policy/edit.js b/ui/app/routes/vault/cluster/policy/edit.js
index b0f11cbab3..d931426536 100644
--- a/ui/app/routes/vault/cluster/policy/edit.js
+++ b/ui/app/routes/vault/cluster/policy/edit.js
@@ -3,7 +3,59 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import UnsavedModelRoute from 'vault/mixins/unsaved-model-route';
-import ShowRoute from './show';
+import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import PolicyForm from 'vault/forms/policy';
 
-export default ShowRoute.extend(UnsavedModelRoute, {});
+export default class PolicyEditRouter extends Route {
+  @service router;
+  @service api;
+  @service capabilities;
+
+  beforeModel() {
+    const params = this.paramsFor(this.routeName);
+    const policyType = this.policyType();
+    if (policyType === 'acl' && params.policy_name === 'root') {
+      return this.router.transitionTo('vault.cluster.policies', 'acl');
+    }
+  }
+
+  async model(params) {
+    // use existing model if edit is routed from policy/show
+    const model = this.modelFor('vault.cluster.policy.show');
+    if (model) {
+      const form = new PolicyForm(model, { isNew: false });
+      form.policyType = model.policyType;
+      form.capabilities = model.capabilities;
+      return form;
+    } else {
+      // otherwise need to fetch policy if model is not available
+      const type = this.policyType();
+      const policy = await this.fetchPolicy(params.policy_name, type);
+      const form = new PolicyForm(policy, { isNew: false });
+      form.policyType = type;
+      form.capabilities = await this.capabilities.for('policy', {
+        policyType: this.policyType(),
+        id: params.policy_name,
+      });
+      return form;
+    }
+  }
+
+  async fetchPolicy(name, type) {
+    let res;
+    if (type === 'acl') {
+      res = await this.api.sys.policiesReadAclPolicy(name);
+    } else if (type === 'egp') {
+      res = (await this.api.sys.systemReadPoliciesEgpName(name)).data;
+    } else {
+      res = (await this.api.sys.systemReadPoliciesRgpName(name)).data;
+    }
+
+    return { name, ...res };
+  }
+
+  policyType() {
+    return this.paramsFor('vault.cluster.policy').type;
+  }
+}
diff --git a/ui/app/routes/vault/cluster/policy/show.js b/ui/app/routes/vault/cluster/policy/show.js
index 15864c4ad9..e9173f80f4 100644
--- a/ui/app/routes/vault/cluster/policy/show.js
+++ b/ui/app/routes/vault/cluster/policy/show.js
@@ -3,7 +3,6 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { hash } from 'rsvp';
 import Route from '@ember/routing/route';
 import UnloadModelRoute from 'vault/mixins/unload-model-route';
 import { service } from '@ember/service';
@@ -13,7 +12,8 @@ import { service } from '@ember/service';
  */
 export default Route.extend(UnloadModelRoute, {
   router: service(),
-  store: service(),
+  api: service(),
+  capabilities: service(),
 
   beforeModel() {
     const params = this.paramsFor(this.routeName);
@@ -23,19 +23,43 @@ export default Route.extend(UnloadModelRoute, {
     }
   },
 
-  model(params) {
+  async model(params) {
     const type = this.policyType();
-    return hash({
-      policy: this.store.findRecord(`policy/${type}`, params.policy_name),
-    });
+
+    let res;
+    if (type === 'acl') {
+      res = await this.api.sys.policiesReadAclPolicy(params.policy_name);
+    } else if (type === 'egp') {
+      res = (await this.api.sys.systemReadPoliciesEgpName(params.policy_name)).data;
+    } else {
+      res = (await this.api.sys.systemReadPoliciesRgpName(params.policy_name)).data;
+    }
+
+    const policy = { name: params.policy_name, ...res };
+
+    return {
+      ...policy,
+      policyType: type,
+      format: this.format(res.policy),
+      capabilities: await this.capabilities.for('policy', {
+        policyType: this.policyType(),
+        id: params.policy_name,
+      }),
+    };
   },
 
-  setupController(controller, model) {
-    controller.setProperties({
-      model: model.policy,
-      capabilities: model.capabilities,
-      policyType: this.policyType(),
-    });
+  format(policy) {
+    let isJSON;
+    try {
+      const parsed = JSON.parse(policy);
+      if (parsed) {
+        isJSON = true;
+      }
+    } catch (e) {
+      // can't parse JSON
+      isJSON = false;
+    }
+    return isJSON ? 'json' : 'hcl';
   },
 
   policyType() {
diff --git a/ui/app/routes/vault/cluster/recovery/snapshots.ts b/ui/app/routes/vault/cluster/recovery/snapshots.ts
index 65731d18f6..e80b354778 100644
--- a/ui/app/routes/vault/cluster/recovery/snapshots.ts
+++ b/ui/app/routes/vault/cluster/recovery/snapshots.ts
@@ -5,7 +5,7 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { SystemListStorageRaftSnapshotLoadListEnum } from '@hashicorp/vault-client-typescript';
+import { SystemApiSystemListStorageRaftSnapshotLoadListEnum } from '@hashicorp/vault-client-typescript';
 
 import type ApiService from 'vault/services/api';
 import type Capabilities from 'vault/services/capabilities';
@@ -50,7 +50,7 @@ export default class RecoverySnapshotsRoute extends Route {
       // By default, the api service uses the current namespace context, so we'll need to specify otherwise.
       // Snapshot operations do not have this constraint.
       const { keys } = await this.api.sys.systemListStorageRaftSnapshotLoad(
-        SystemListStorageRaftSnapshotLoadListEnum.TRUE,
+        SystemApiSystemListStorageRaftSnapshotLoadListEnum.TRUE,
         this.api.buildHeaders({ namespace: '' })
       );
       return keys as string[];
diff --git a/ui/app/routes/vault/cluster/recovery/snapshots/load.ts b/ui/app/routes/vault/cluster/recovery/snapshots/load.ts
index ead3119b5d..993f684bce 100644
--- a/ui/app/routes/vault/cluster/recovery/snapshots/load.ts
+++ b/ui/app/routes/vault/cluster/recovery/snapshots/load.ts
@@ -5,7 +5,7 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { SystemListStorageRaftSnapshotAutoConfigListEnum } from '@hashicorp/vault-client-typescript';
+import { SystemApiSystemListStorageRaftSnapshotAutoConfigListEnum } from '@hashicorp/vault-client-typescript';
 
 import type ApiService from 'vault/services/api';
 import type { Breadcrumb } from 'vault/vault/app-types';
@@ -34,7 +34,7 @@ export default class RecoverySnapshotsLoadRoute extends Route {
 
     try {
       const { keys } = await this.api.sys.systemListStorageRaftSnapshotAutoConfig(
-        SystemListStorageRaftSnapshotAutoConfigListEnum.TRUE
+        SystemApiSystemListStorageRaftSnapshotAutoConfigListEnum.TRUE
       );
       configs = keys ?? [];
     } catch (e) {
diff --git a/ui/app/routes/vault/cluster/secrets-redirect-with-path.js b/ui/app/routes/vault/cluster/secrets-redirect-with-path.js
new file mode 100644
index 0000000000..ad4a1b3b12
--- /dev/null
+++ b/ui/app/routes/vault/cluster/secrets-redirect-with-path.js
@@ -0,0 +1,27 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+
+export default class SecretsRedirectWithPathRoute extends Route {
+  @service router;
+
+  beforeModel(transition) {
+    // Redirect to secrets page under /secrets-engines
+    // if the user navigates to the legacy path /secrets
+    // Preserve the full path after /secrets (e.g., /secrets/kv/kv/list -> /secrets-engines/kv/kv/list)
+    const params = transition.to.params;
+    const path = params?.path;
+
+    if (path) {
+      // Construct the new URL with full path including /vault/secrets-engines/*path
+      const newUrl = `/vault/secrets-engines/${path}`;
+      this.router.replaceWith(newUrl);
+    } else {
+      // If no path, just redirect to the base secrets page
+      this.router.replaceWith('vault.cluster.secrets');
+    }
+  }
+}
diff --git a/ui/app/routes/vault/cluster/secrets/backend/configuration/index.ts b/ui/app/routes/vault/cluster/secrets/backend/configuration/index.ts
index 15521a2ec9..5a9b73e23a 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/configuration/index.ts
+++ b/ui/app/routes/vault/cluster/secrets/backend/configuration/index.ts
@@ -6,11 +6,12 @@
 import Route from '@ember/routing/route';
 import RouterService from '@ember/routing/router-service';
 import { service } from '@ember/service';
+import type Transition from '@ember/routing/transition';
 
 export default class BackendConfigurationIndexRoute extends Route {
   @service declare readonly router: RouterService;
 
-  beforeModel() {
+  beforeModel(): Transition {
     return this.router.replaceWith('vault.cluster.secrets.backend.configuration.general-settings');
   }
 }
diff --git a/ui/app/routes/vault/cluster/secrets/backend/create-root.js b/ui/app/routes/vault/cluster/secrets/backend/create-root.js
index dc78bc2dfe..e94b41fd11 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/create-root.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/create-root.js
@@ -6,6 +6,15 @@
 import { hash } from 'rsvp';
 import { service } from '@ember/service';
 import EditBase from './secret-edit';
+import KeymgmtKeyForm from 'vault/forms/keymgmt/key';
+import KeymgmtProviderForm from 'vault/forms/keymgmt/provider';
+import TotpKeyForm from 'vault/forms/totp/key';
+import SshRoleForm from 'vault/forms/ssh/role';
+import AlphabetForm from 'vault/forms/transform/alphabet';
+import TemplateForm from 'vault/forms/transform/template';
+import RoleForm from 'vault/forms/transform/role';
+import TransformationForm from 'vault/forms/transform/transformation';
+import { KeyManagementUpdateKeyRequestTypeEnum } from '@hashicorp/vault-client-typescript';
 
 const secretModel = (store, backend, key) => {
   const model = store.createRecord('secret', {
@@ -14,30 +23,71 @@ const secretModel = (store, backend, key) => {
   return model;
 };
 
-const transformModel = (queryParams) => {
-  const modelType = 'transform';
-  if (!queryParams || !queryParams.itemType) return modelType;
-
-  return `${modelType}/${queryParams.itemType}`;
-};
-
 export default EditBase.extend({
   store: service(),
 
   createModel(transition) {
     const { backend } = this.paramsFor('vault.cluster.secrets.backend');
     let modelType = this.modelType(backend, null, { queryParams: transition.to.queryParams });
+
+    // Handle keymgmt/key with Form class
+    if (modelType === 'keymgmt/key') {
+      const defaultValues = {
+        backend,
+        type: KeyManagementUpdateKeyRequestTypeEnum.RSA_2048,
+        deletion_allowed: false,
+      };
+      return new KeymgmtKeyForm(defaultValues, { isNew: true });
+    }
+
+    if (modelType === 'keymgmt/provider') {
+      const defaultValues = {
+        backend,
+        credentials: {},
+      };
+      return new KeymgmtProviderForm(defaultValues, { isNew: true });
+    }
+
+    if (modelType === 'totp-key') {
+      return new TotpKeyForm(
+        {
+          backend,
+          generate: true,
+          algorithm: 'SHA1',
+          digits: 6,
+          period: 30,
+          exported: true,
+          key_size: 20,
+          skew: 1,
+          qr_size: 200,
+        },
+        { isNew: true }
+      );
+    }
+
     if (modelType === 'role-ssh') {
-      return this.store.createRecord(modelType, { keyType: 'ca' });
+      return new SshRoleForm(
+        { backend, key_type: 'ca', not_before_duration: '30s', port: 22 },
+        { isNew: true }
+      );
+    }
+    if (modelType === 'transform/alphabet') {
+      return new AlphabetForm({ backend }, { isNew: true });
+    }
+    if (modelType === 'transform/template') {
+      return new TemplateForm({ backend }, { isNew: true });
+    }
+    if (modelType === 'transform/role') {
+      return new RoleForm({ backend }, { isNew: true });
     }
     if (modelType === 'transform') {
-      modelType = transformModel(transition.to.queryParams);
+      return new TransformationForm({ backend, type: 'fpe' }, { isNew: true });
     }
     if (modelType === 'database/connection' && transition.to?.queryParams?.itemType === 'role') {
       modelType = 'database/role';
     }
     if (modelType !== 'secret') {
-      return this.store.createRecord(modelType);
+      return this.store.createRecord(modelType, { backend });
     }
     return secretModel(this.store, backend, transition.to.queryParams.initialKey);
   },
diff --git a/ui/app/routes/vault/cluster/secrets/backend/credentials.js b/ui/app/routes/vault/cluster/secrets/backend/credentials.js
index 13513940ec..da1061d354 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/credentials.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/credentials.js
@@ -5,7 +5,6 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import ControlGroupError from 'vault/lib/control-group-error';
 
 const SUPPORTED_DYNAMIC_BACKENDS = ['database', 'ssh', 'aws', 'totp'];
 
@@ -13,7 +12,7 @@ export default Route.extend({
   templateName: 'vault/cluster/secrets/backend/credentials',
   pathHelp: service('path-help'),
   router: service(),
-  store: service(),
+  api: service(),
 
   beforeModel(transition) {
     const { id: backendPath, type: backendType } = this.modelFor('vault.cluster.secrets.backend');
@@ -21,10 +20,6 @@ export default Route.extend({
     if (!SUPPORTED_DYNAMIC_BACKENDS.includes(backendType)) {
       return this.router.transitionTo('vault.cluster.secrets.backend.list-root', backendPath);
     }
-    // hydrate model if backend type is ssh
-    if (backendType === 'ssh') {
-      this.pathHelp.hydrateModel('ssh-otp-credential', backendPath);
-    }
 
     // assign back button route
     if (backendType === 'totp') {
@@ -33,21 +28,42 @@ export default Route.extend({
     }
   },
 
-  getDatabaseCredential(backend, secret, roleType = '') {
-    return this.store.queryRecord('database/credential', { backend, secret, roleType }).catch((error) => {
-      if (error instanceof ControlGroupError) {
-        throw error;
+  async getDatabaseCredential(backend, secret, roleType = '') {
+    try {
+      if (roleType === 'static') {
+        const { last_vault_rotation, lease_duration, data } =
+          await this.api.secrets.databaseReadStaticRoleCredentials(secret, backend);
+        return {
+          last_vault_rotation,
+          lease_duration,
+          ...data,
+        };
+      } else {
+        const { data, lease_id, lease_duration } = await this.api.secrets.databaseGenerateCredentials(
+          secret,
+          backend
+        );
+        return {
+          ...data,
+          lease_id,
+          lease_duration,
+        };
+      }
+    } catch (error) {
+      const { response } = await this.api.parseError(error);
+      if (response.isControlGroupError) {
+        throw response;
       }
       // Unless it's a control group error, we want to pass back error info
       // so we can render it on the GenerateCredentialsDatabase component
-      return error;
-    });
+      return response;
+    }
   },
 
   async getAwsRole(backend, id) {
     try {
-      const role = await this.store.queryRecord('role-aws', { backend, id });
-      return role;
+      const { data } = await this.api.secrets.awsReadRole(id, backend);
+      return data;
     } catch (e) {
       // swallow error, non-essential data
       return;
@@ -56,11 +72,11 @@ export default Route.extend({
 
   async getTotpKey(backend, keyName) {
     try {
-      const key = await this.store.queryRecord('totp-key', { id: keyName, backend });
-      return key;
+      const { data } = await this.api.secrets.totpReadKey(keyName, backend);
+      return data || {};
     } catch (e) {
       // swallow error, non-essential data
-      return;
+      return {};
     }
   },
 
@@ -85,19 +101,11 @@ export default Route.extend({
       roleName: role,
       roleType,
       dbCred,
-      awsRoleType: awsRole?.credentialType,
+      awsRoleType: awsRole?.credential_type,
     };
   },
 
   resetController(controller) {
     controller.reset();
   },
-
-  actions: {
-    willTransition() {
-      // we do not want to save any of the credential information in the store.
-      // once the user navigates away from this page, remove all credential info.
-      this.store.unloadAll('database/credential');
-    },
-  },
 });
diff --git a/ui/app/routes/vault/cluster/secrets/backend/list.js b/ui/app/routes/vault/cluster/secrets/backend/list.js
index 4e82e3c8cd..878047db96 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/list.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/list.js
@@ -3,19 +3,31 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { set } from '@ember/object';
-import { hash } from 'rsvp';
-import Route from '@ember/routing/route';
-import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
-import { isAddonEngine, filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
-import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
-import { getModelTypeForEngine } from 'vault/utils/model-helpers/secret-engine-helpers';
-import { service } from '@ember/service';
-import { normalizePath } from 'vault/utils/path-encoding-helpers';
-import { getEnginePathParam } from 'vault/utils/backend-route-helpers';
 import { assert } from '@ember/debug';
+import { set } from '@ember/object';
+import Route from '@ember/routing/route';
+import { service } from '@ember/service';
+import { filterEnginesByMountCategory, isAddonEngine } from 'core/utils/all-engines-metadata';
+import { paginate } from 'core/utils/paginate-list';
 import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
 import engineDisplayData from 'vault/helpers/engines-display-data';
+import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
+import { getEnginePathParam } from 'vault/utils/backend-route-helpers';
+import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
+import { getKeymgmtProviderIcon } from 'vault/utils/keymgmt-provider-utils';
+import { getModelTypeForEngine } from 'vault/utils/model-helpers/secret-engine-helpers';
+import { normalizePath } from 'vault/utils/path-encoding-helpers';
+import { resolve } from 'rsvp';
+import {
+  SecretsApiKeyManagementListKeysListEnum,
+  SecretsApiKeyManagementListKmsProvidersListEnum,
+  SecretsApiTotpListKeysListEnum,
+  SecretsApiSshListRolesListEnum,
+  SecretsApiTransformListTransformationsListEnum,
+  SecretsApiTransformListRolesListEnum,
+  SecretsApiTransformListTemplatesListEnum,
+  SecretsApiTransformListAlphabetsListEnum,
+} from '@hashicorp/vault-client-typescript';
 
 const SUPPORTED_BACKENDS = supportedSecretBackends();
 
@@ -36,6 +48,8 @@ function getValidPage(pageParam) {
 export default Route.extend({
   pagination: service(),
   store: service(),
+  api: service(),
+  capabilitiesService: service('capabilities'),
   templateName: 'vault/cluster/secrets/backend/list',
   pathHelp: service('path-help'),
   router: service(),
@@ -89,6 +103,16 @@ export default Route.extend({
       return this.router.transitionTo('vault.cluster.secrets.backend.kv.list', backend);
     }
     const modelType = this.getModelType(effectiveType, tab);
+    // Keymgmt, TOTP, SSH, and Transform routes use API-backed forms instead of Ember Data models, so skip model hydration.
+    if (
+      effectiveType === 'keymgmt' ||
+      effectiveType === 'totp' ||
+      effectiveType === 'ssh' ||
+      effectiveType === 'transform'
+    ) {
+      return resolve();
+    }
+
     return this.pathHelp.hydrateModel(modelType, backend).then(() => {
       this.store.unloadAll('capabilities');
     });
@@ -98,6 +122,344 @@ export default Route.extend({
     return getModelTypeForEngine(type, { tab });
   },
 
+  async fetchTotpKeys(backend, page, pageFilter) {
+    try {
+      const resp = await this.api.secrets.totpListKeys(backend, SecretsApiTotpListKeysListEnum.TRUE);
+      const keys = resp.keys || [];
+
+      const pathsToFetch = keys.map((name) => this.capabilitiesService.pathFor('totpKey', { backend, name }));
+      const capabilities = pathsToFetch.length ? await this.capabilitiesService.fetch(pathsToFetch) : {};
+
+      const items = keys.map((name) => {
+        const keyPath = this.capabilitiesService.pathFor('totpKey', { backend, name });
+        return {
+          id: name,
+          name,
+          backend,
+          canRead: capabilities[keyPath]?.canRead || false,
+          canDelete: capabilities[keyPath]?.canDelete || false,
+        };
+      });
+
+      return paginate(items, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
+  async fetchKeysWithCapabilities(backend) {
+    const { keys } = await this.api.secrets.keyManagementListKeys(
+      backend,
+      SecretsApiKeyManagementListKeysListEnum.TRUE
+    );
+
+    // Fetch capabilities for all keys
+    const pathsToFetch = (keys || []).flatMap((keyName) => {
+      const keyPath = this.capabilitiesService.pathFor('keymgmtKey', { backend, name: keyName });
+      return [keyPath];
+    });
+
+    const capabilities = await this.capabilitiesService.fetch(pathsToFetch);
+
+    // Transform string array into objects for list display with capabilities
+    const keysList = (keys || []).map((keyName) => {
+      const keyPath = this.capabilitiesService.pathFor('keymgmtKey', { backend, name: keyName });
+      return {
+        id: keyName,
+        name: keyName,
+        backend,
+        icon: 'key',
+        type: 'key',
+        canRead: capabilities[keyPath]?.canRead || false,
+        canEdit: capabilities[keyPath]?.canUpdate || false,
+        canDelete: capabilities[keyPath]?.canDelete || false,
+      };
+    });
+
+    return { keysList, capabilities };
+  },
+
+  async fetchKeymgmtKeys(backend, page, pageFilter) {
+    try {
+      const { keysList } = await this.fetchKeysWithCapabilities(backend);
+      return paginate(keysList, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
+  async fetchProvidersWithCapabilities(backend) {
+    const { keys: providerNames } = await this.api.secrets.keyManagementListKmsProviders(
+      backend,
+      SecretsApiKeyManagementListKmsProvidersListEnum.TRUE
+    );
+
+    const providersWithData = await Promise.all(
+      (providerNames || []).map(async (providerName) => {
+        const { data } = await this.api.secrets.keyManagementReadKmsProvider(providerName, backend);
+        return {
+          ...data,
+          id: providerName,
+          name: providerName,
+          backend,
+          type: 'provider',
+          icon: getKeymgmtProviderIcon(data.provider),
+        };
+      })
+    );
+
+    const pathsToFetch = providersWithData.map((provider) =>
+      this.capabilitiesService.pathFor('keymgmtProvider', { backend, id: provider.id })
+    );
+    const capabilities = await this.capabilitiesService.fetch(pathsToFetch);
+
+    const providersList = providersWithData.map((provider) => {
+      const providerPath = this.capabilitiesService.pathFor('keymgmtProvider', {
+        backend,
+        id: provider.id,
+      });
+      return {
+        ...provider,
+        canRead: capabilities[providerPath]?.canRead || false,
+        canEdit: capabilities[providerPath]?.canUpdate || false,
+        canDelete: capabilities[providerPath]?.canDelete || false,
+      };
+    });
+
+    return { providersList, capabilities };
+  },
+
+  async fetchKeymgmtProviders(backend, page, pageFilter) {
+    try {
+      const { providersList } = await this.fetchProvidersWithCapabilities(backend);
+      return paginate(providersList, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
+  async fetchSshRolesWithCapabilities(backend) {
+    // Fetch roles and zero-address config in parallel (zero-address may 404 if never configured)
+    const [listResponse, zeroAddressResult] = await Promise.allSettled([
+      this.api.secrets.sshListRoles(backend, SecretsApiSshListRolesListEnum.TRUE),
+      this.api.secrets.sshReadZeroAddressConfigurationRaw({ ssh_mount_path: backend }),
+    ]);
+
+    if (listResponse.status === 'rejected') throw listResponse.reason;
+
+    const roles = this.api.keyInfoToArray(listResponse.value);
+
+    // Build set of zero-address role names from the config endpoint
+    let zeroAddressRoles = new Set();
+    if (zeroAddressResult.status === 'fulfilled') {
+      const body = await zeroAddressResult.value.raw.json();
+      const names = body?.data?.roles;
+      if (Array.isArray(names)) {
+        zeroAddressRoles = new Set(names);
+      }
+    }
+
+    // Build all capability paths for batch fetch
+    const zeroAddressPath = this.capabilitiesService.pathFor('sshZeroAddress', { backend });
+    const rolePaths = roles.map((role) => ({
+      role: this.capabilitiesService.pathFor('sshRole', { backend, id: role.id }),
+      credentials: this.capabilitiesService.pathFor('sshCredentials', { backend, id: role.id }),
+      sign: this.capabilitiesService.pathFor('sshSign', { backend, id: role.id }),
+    }));
+
+    // Fetch all capabilities in a single request
+    const allPaths = [
+      ...rolePaths.flatMap((paths) => [paths.role, paths.credentials, paths.sign]),
+      zeroAddressPath,
+    ];
+    const capabilities = await this.capabilitiesService.fetch(allPaths);
+
+    // Merge role data with capabilities
+    return roles.map((role, index) => {
+      const paths = rolePaths[index];
+      return {
+        ...role,
+        backend,
+        zero_address: zeroAddressRoles.has(role.id),
+        canRead: capabilities[paths.role]?.canRead || false,
+        canEdit: capabilities[paths.role]?.canUpdate || false,
+        canDelete: capabilities[paths.role]?.canDelete || false,
+        canGenerate: capabilities[paths.credentials]?.canUpdate || false,
+        canSign: capabilities[paths.sign]?.canUpdate || false,
+        canEditZeroAddress: capabilities[zeroAddressPath]?.canUpdate || false,
+      };
+    });
+  },
+
+  async fetchSshRoles(backend, page, pageFilter) {
+    try {
+      const roles = await this.fetchSshRolesWithCapabilities(backend);
+      return paginate(roles, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
+  async fetchTransformTransformations(backend, page, pageFilter) {
+    try {
+      const resp = await this.api.secrets.transformListTransformations(
+        backend,
+        SecretsApiTransformListTransformationsListEnum.TRUE
+      );
+      const keys = resp.keys || [];
+
+      const pathsToFetch = keys.map((name) =>
+        this.capabilitiesService.pathFor('transformTransformation', { backend, name })
+      );
+      const capabilities = pathsToFetch.length ? await this.capabilitiesService.fetch(pathsToFetch) : {};
+
+      const items = keys.map((name) => {
+        const itemPath = this.capabilitiesService.pathFor('transformTransformation', { backend, name });
+        return {
+          id: name,
+          name,
+          backend,
+          canRead: capabilities[itemPath]?.canRead || false,
+          canUpdate: capabilities[itemPath]?.canUpdate || false,
+          canDelete: capabilities[itemPath]?.canDelete || false,
+        };
+      });
+
+      return paginate(items, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
+  async fetchTransformRolesList(backend, page, pageFilter) {
+    try {
+      const resp = await this.api.secrets.transformListRoles(
+        backend,
+        SecretsApiTransformListRolesListEnum.TRUE
+      );
+      const keys = resp.keys || [];
+
+      const pathsToFetch = keys.map((name) =>
+        this.capabilitiesService.pathFor('transformRole', { backend, name })
+      );
+      const capabilities = pathsToFetch.length ? await this.capabilitiesService.fetch(pathsToFetch) : {};
+
+      const items = keys.map((name) => {
+        const itemPath = this.capabilitiesService.pathFor('transformRole', { backend, name });
+        return {
+          id: name,
+          name,
+          backend,
+          canRead: capabilities[itemPath]?.canRead || false,
+          canUpdate: capabilities[itemPath]?.canUpdate || false,
+          canDelete: capabilities[itemPath]?.canDelete || false,
+        };
+      });
+
+      return paginate(items, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
+  async fetchTransformTemplates(backend, page, pageFilter) {
+    try {
+      const resp = await this.api.secrets.transformListTemplates(
+        backend,
+        SecretsApiTransformListTemplatesListEnum.TRUE
+      );
+      const keys = resp.keys || [];
+
+      const pathsToFetch = keys.map((name) =>
+        this.capabilitiesService.pathFor('transformTemplate', { backend, name })
+      );
+      const capabilities = pathsToFetch.length ? await this.capabilitiesService.fetch(pathsToFetch) : {};
+
+      const items = keys.map((name) => {
+        const itemPath = this.capabilitiesService.pathFor('transformTemplate', { backend, name });
+        const isBuiltin = name.startsWith('builtin/');
+        return {
+          id: name,
+          name,
+          backend,
+          isBuiltin,
+          canRead: isBuiltin ? false : capabilities[itemPath]?.canRead || false,
+          canUpdate: isBuiltin ? false : capabilities[itemPath]?.canUpdate || false,
+          canDelete: isBuiltin ? false : capabilities[itemPath]?.canDelete || false,
+        };
+      });
+
+      return paginate(items, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
+  async fetchTransformAlphabets(backend, page, pageFilter) {
+    try {
+      const resp = await this.api.secrets.transformListAlphabets(
+        backend,
+        SecretsApiTransformListAlphabetsListEnum.TRUE
+      );
+      const keys = resp.keys || [];
+
+      const pathsToFetch = keys.map((name) =>
+        this.capabilitiesService.pathFor('transformAlphabet', { backend, name })
+      );
+      const capabilities = pathsToFetch.length ? await this.capabilitiesService.fetch(pathsToFetch) : {};
+
+      const items = keys.map((name) => {
+        const itemPath = this.capabilitiesService.pathFor('transformAlphabet', { backend, name });
+        const isBuiltin = name.startsWith('builtin/');
+        return {
+          id: name,
+          name,
+          backend,
+          isBuiltin,
+          canRead: isBuiltin ? false : capabilities[itemPath]?.canRead || false,
+          canUpdate: isBuiltin ? false : capabilities[itemPath]?.canUpdate || false,
+          canDelete: isBuiltin ? false : capabilities[itemPath]?.canDelete || false,
+        };
+      });
+
+      return paginate(items, { page, filter: pageFilter });
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return [];
+      }
+      throw error;
+    }
+  },
+
   async model(params) {
     const secret = this.secretParam() || '';
     const backend = getEnginePathParam(this);
@@ -105,29 +467,63 @@ export default Route.extend({
     const effectiveType = getEffectiveEngineType(backendModel.engineType);
     const modelType = this.getModelType(effectiveType, params.tab);
 
-    return hash({
-      secret,
-      secrets: this.pagination
-        .lazyPaginatedQuery(modelType, {
+    // Handle TOTP, keymgmt and ssh resources with API service
+    let secrets;
+    if (effectiveType === 'totp') {
+      const page = getValidPage(params.page);
+      secrets = await this.fetchTotpKeys(backend, page, params.pageFilter);
+      this.set('has404', false);
+    } else if (effectiveType === 'keymgmt') {
+      const page = getValidPage(params.page);
+      const filter = params.pageFilter;
+      secrets =
+        params.tab === 'provider'
+          ? await this.fetchKeymgmtProviders(backend, page, filter)
+          : await this.fetchKeymgmtKeys(backend, page, filter);
+
+      this.set('has404', false);
+    } else if (effectiveType === 'ssh') {
+      const page = getValidPage(params.page);
+      const filter = params.pageFilter;
+      secrets = await this.fetchSshRoles(backend, page, filter);
+      this.set('has404', false);
+    } else if (effectiveType === 'transform') {
+      const page = getValidPage(params.page);
+      const filter = params.pageFilter;
+      const tab = params.tab;
+      if (tab === 'role') {
+        secrets = await this.fetchTransformRolesList(backend, page, filter);
+      } else if (tab === 'template') {
+        secrets = await this.fetchTransformTemplates(backend, page, filter);
+      } else if (tab === 'alphabet') {
+        secrets = await this.fetchTransformAlphabets(backend, page, filter);
+      } else {
+        secrets = await this.fetchTransformTransformations(backend, page, filter);
+      }
+      this.set('has404', false);
+    } else {
+      try {
+        secrets = await this.pagination.lazyPaginatedQuery(modelType, {
           id: secret,
           backend,
           responsePath: 'data.keys',
           page: getValidPage(params.page),
           pageFilter: params.pageFilter,
-        })
-        .then((model) => {
-          this.set('has404', false);
-          return model;
-        })
-        .catch((err) => {
-          if (backendModel && err.httpStatus === 404) {
-            return [];
-          } else {
-            // else we're throwing and dealing with this in the error action
-            throw err;
-          }
-        }),
-    });
+        });
+        this.set('has404', false);
+      } catch (err) {
+        if (backendModel && err.httpStatus === 404) {
+          secrets = [];
+        } else {
+          throw err;
+        }
+      }
+    }
+
+    return {
+      secret,
+      secrets,
+    };
   },
 
   setupController(controller, resolvedModel) {
diff --git a/ui/app/routes/vault/cluster/secrets/backend/overview.js b/ui/app/routes/vault/cluster/secrets/backend/overview.js
index f3b7c21d6d..3ce1ae2587 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/overview.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/overview.js
@@ -7,54 +7,96 @@ import Route from '@ember/routing/route';
 import { hash } from 'rsvp';
 import { service } from '@ember/service';
 import { getEnginePathParam } from 'vault/utils/backend-route-helpers';
+import {
+  SecretsApiDatabaseListStaticRolesListEnum,
+  SecretsApiDatabaseListRolesListEnum,
+  SecretsApiDatabaseListConnectionsListEnum,
+} from '@hashicorp/vault-client-typescript';
 
 export default Route.extend({
-  store: service(),
+  capabilities: service(),
+  api: service(),
   type: '',
 
+  // this only grabs connections for current db backend, only used to populate # of connections
   async fetchConnection(queryOptions) {
     try {
-      return await this.store.query('database/connection', queryOptions);
-    } catch (e) {
-      return e.httpStatus;
+      const { keys } = await this.api.secrets.databaseListConnections(
+        queryOptions.backend,
+        SecretsApiDatabaseListConnectionsListEnum.TRUE
+      );
+      return keys;
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return status;
+      }
     }
   },
 
+  // this grabs both dynamic and static roles for current db backend, only used to populate # of roles
   async fetchAllRoles(queryOptions) {
     try {
-      return await this.store.query('database/role', queryOptions);
-    } catch (e) {
-      return e.httpStatus;
-    }
-  },
+      const roles = [];
+      const { backend } = queryOptions;
+      const [staticResp, dynamicResp] = await Promise.allSettled([
+        this.api.secrets.databaseListStaticRoles(backend, SecretsApiDatabaseListStaticRolesListEnum.TRUE),
+        this.api.secrets.databaseListRoles(backend, SecretsApiDatabaseListRolesListEnum.TRUE),
+      ]);
 
-  pathQuery(backend, endpoint) {
-    return {
-      id: `${backend}/${endpoint}/`,
-    };
+      if (staticResp.status === 'rejected' && dynamicResp.status === 'rejected') {
+        const { response: staticError, status: staticStatus } = await this.api.parseError(staticResp.reason);
+        const { response: dynamicError, status: dynamicStatus } = await this.api.parseError(
+          dynamicResp.reason
+        );
+        if (staticError?.isControlGroupError) {
+          throw staticError;
+        }
+        throw staticStatus < dynamicStatus ? dynamicError : staticError;
+      } else {
+        if (staticResp.value) {
+          roles.push(...staticResp.value.keys);
+        }
+        if (dynamicResp.value) {
+          roles.push(...dynamicResp.value.keys);
+        }
+        return roles;
+      }
+    } catch (error) {
+      const { status } = await this.api.parseError(error);
+      if (status === 404) {
+        return status;
+      }
+    }
   },
 
   async fetchCapabilitiesRole(queryOptions) {
-    return this.store.queryRecord('capabilities', this.pathQuery(queryOptions.backend, 'roles'));
+    const paths = [this.capabilities.pathFor('databaseRoles', { backend: queryOptions.backend })];
+    const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+    return capabilities[paths[0]];
   },
 
   async fetchCapabilitiesStaticRole(queryOptions) {
-    return this.store.queryRecord('capabilities', this.pathQuery(queryOptions.backend, 'static-roles'));
+    const paths = [this.capabilities.pathFor('databaseStaticRoles', { backend: queryOptions.backend })];
+    const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+    return capabilities[paths[0]];
   },
 
   async fetchCapabilitiesConnection(queryOptions) {
-    return this.store.queryRecord('capabilities', this.pathQuery(queryOptions.backend, 'config'));
+    const paths = [this.capabilities.pathFor('databaseConfig', { backend: queryOptions.backend })];
+    const capabilities = paths ? await this.capabilities.fetch(paths) : {};
+    return capabilities[paths[0]];
   },
 
-  model() {
+  async model() {
     const backend = getEnginePathParam(this);
     const queryOptions = { backend, id: '' };
 
-    const connection = this.fetchConnection(queryOptions);
-    const role = this.fetchAllRoles(queryOptions);
-    const roleCapabilities = this.fetchCapabilitiesRole(queryOptions);
-    const staticRoleCapabilities = this.fetchCapabilitiesStaticRole(queryOptions);
-    const connectionCapabilities = this.fetchCapabilitiesConnection(queryOptions);
+    const connection = await this.fetchConnection(queryOptions);
+    const role = await this.fetchAllRoles(queryOptions);
+    const roleCapabilities = await this.fetchCapabilitiesRole(queryOptions);
+    const staticRoleCapabilities = await this.fetchCapabilitiesStaticRole(queryOptions);
+    const connectionCapabilities = await this.fetchCapabilitiesConnection(queryOptions);
 
     return hash({
       backend,
@@ -71,7 +113,7 @@ export default Route.extend({
 
   setupController(controller, model) {
     this._super(...arguments);
-    const showEmptyState = model.connections === 404 && model.roles === 404;
+    const showEmptyState = model.connections === 404 && (model.roles === undefined || model.roles === 404);
     const noConnectionCapabilities =
       !model.connectionCapabilities.canList &&
       !model.connectionCapabilities.canCreate &&
diff --git a/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js b/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
index be442abd4e..3f1cfe8707 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/secret-edit.js
@@ -13,6 +13,20 @@ import { keyIsFolder, parentKeyForKey } from 'core/utils/key-utils';
 import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
 import { getModelTypeForEngine } from 'vault/utils/model-helpers/secret-engine-helpers';
 import { getBackendEffectiveType, getEnginePathParam } from 'vault/utils/backend-route-helpers';
+import { isValidProvider } from 'vault/utils/keymgmt-provider-utils';
+import KeymgmtKeyForm from 'vault/forms/keymgmt/key';
+import KeymgmtProviderForm from 'vault/forms/keymgmt/provider';
+import TotpKeyForm from 'vault/forms/totp/key';
+import SshRoleForm from 'vault/forms/ssh/role';
+import AlphabetForm from 'vault/forms/transform/alphabet';
+import TemplateForm from 'vault/forms/transform/template';
+import RoleForm from 'vault/forms/transform/role';
+import TransformationForm from 'vault/forms/transform/transformation';
+import Form from 'vault/forms/form';
+import {
+  SecretsApiKeyManagementListKmsProvidersForKeyListEnum,
+  SecretsApiTransformListRolesListEnum,
+} from '@hashicorp/vault-client-typescript';
 
 /**
  * @type Class
@@ -21,6 +35,8 @@ export default Route.extend({
   store: service(),
   router: service(),
   pathHelp: service('path-help'),
+  api: service(),
+  capabilitiesService: service('capabilities'),
 
   secretParam() {
     const { secret } = this.paramsFor(this.routeName);
@@ -54,6 +70,18 @@ export default Route.extend({
     return secret.replace(`${noun}/`, '');
   },
 
+  async fetchTransformRoles(backend) {
+    try {
+      const { keys } = await this.api.secrets.transformListRoles(
+        backend,
+        SecretsApiTransformListRolesListEnum.TRUE
+      );
+      return keys || [];
+    } catch (error) {
+      return [];
+    }
+  },
+
   backendType() {
     return getBackendEffectiveType(this);
   },
@@ -105,7 +133,15 @@ export default Route.extend({
   buildModel(secret, queryParams) {
     const backend = getEnginePathParam(this);
     const modelType = this.modelType(backend, secret, { queryParams });
-    if (modelType === 'secret') {
+    // TODO: Remove buildModel once all remaining engine types (e.g. database, transit) are migrated
+    // to API-backed Form instances — none will need hydrateModel and this function becomes redundant.
+    const skipHydration =
+      modelType === 'secret' ||
+      modelType.startsWith('keymgmt/') ||
+      modelType.startsWith('transform') ||
+      modelType === 'totp-key' ||
+      modelType === 'role-ssh';
+    if (skipHydration) {
       return resolve();
     }
     return this.pathHelp.hydrateModel(modelType, backend);
@@ -122,6 +158,332 @@ export default Route.extend({
     });
   },
 
+  async fetchKeyProvider(name, backend) {
+    try {
+      const providerResp = await this.api.secrets.keyManagementListKmsProvidersForKey(
+        name,
+        backend,
+        SecretsApiKeyManagementListKmsProvidersForKeyListEnum.TRUE
+      );
+      return providerResp.keys?.[0] || null;
+    } catch (e) {
+      const { status } = await this.api.parseError(e);
+      if (status === 403) {
+        return { permissionsError: true };
+      }
+      if (status === 404) {
+        return [];
+      }
+      throw e;
+    }
+  },
+
+  async fetchKeyDistribution(name, provider, backend) {
+    try {
+      const distResp = await this.api.secrets.keyManagementReadKeyInKmsProvider(name, provider, backend);
+      return {
+        ...distResp.data,
+        purposeArray: distResp.data?.purpose?.split(',') || [],
+      };
+    } catch (e) {
+      const { status } = await this.api.parseError(e);
+      // Return null for 403 - distribution is optional, no need for permissionsError like provider
+      if (status === 403) {
+        return null;
+      }
+      throw e;
+    }
+  },
+
+  buildKeyVersionsData(versions) {
+    let created = null;
+    let last_rotated = null;
+    let versionsArray = [];
+
+    if (versions) {
+      const versionKeys = Object.keys(versions);
+      if (versionKeys.length > 0) {
+        // This computes value of "created" from first version
+        const firstKey = versionKeys[0];
+        const firstVersion = versions[firstKey];
+        if (firstVersion?.creation_time) {
+          created = new Date(firstVersion.creation_time);
+        }
+
+        // This computes value of "last_rotated" from last version (if more than one)
+        if (versionKeys.length > 1) {
+          const lastKey = versionKeys[versionKeys.length - 1];
+          const lastVersion = versions[lastKey];
+          if (lastVersion?.creation_time) {
+            last_rotated = new Date(lastVersion.creation_time);
+          }
+        }
+
+        versionsArray = versionKeys
+          .map((key) => {
+            const version = versions[key];
+            if (!version?.creation_time) return null;
+            return {
+              ...version,
+              id: parseInt(key, 10),
+            };
+          })
+          .filter((v) => v !== null);
+      }
+    }
+
+    return { created, last_rotated, versions: versionsArray };
+  },
+
+  async fetchTotpKey(backend, name) {
+    const resp = await this.api.secrets.totpReadKey(name, backend);
+    const data = resp.data || {};
+    return new TotpKeyForm(
+      {
+        ...data,
+        name,
+        backend,
+      },
+      { isNew: false }
+    );
+  },
+
+  async fetchTotpKeyCapabilities(backend, name) {
+    const keyPath = this.capabilitiesService.pathFor('totpKey', { backend, name });
+    const keysPath = this.capabilitiesService.pathFor('totpKeys', { backend });
+
+    const capabilities = await this.capabilitiesService.fetch([keyPath, keysPath]);
+
+    return {
+      canDelete: capabilities[keyPath]?.canDelete,
+      canRead: capabilities[keyPath]?.canRead,
+      canList: capabilities[keysPath]?.canList,
+    };
+  },
+
+  async fetchKeymgmtKey(backend, name) {
+    const { data } = await this.api.secrets.keyManagementReadKey(name, backend);
+
+    const provider = await this.fetchKeyProvider(name, backend);
+
+    let distribution = null;
+    if (isValidProvider(provider)) {
+      distribution = await this.fetchKeyDistribution(name, provider, backend);
+    }
+
+    // This builds computed version data.
+    const { created, last_rotated, versions } = this.buildKeyVersionsData(data.versions);
+
+    const form = new KeymgmtKeyForm(
+      {
+        ...data,
+        name,
+        backend,
+        provider,
+        distribution,
+        created,
+        last_rotated,
+        versions,
+      },
+      { isNew: false }
+    );
+    return form;
+  },
+
+  async fetchKeymgmtKeyCapabilities(backend, name) {
+    const keyPath = this.capabilitiesService.pathFor('keymgmtKey', { backend, name });
+    const keysPath = this.capabilitiesService.pathFor('keymgmtKeys', { backend });
+    const keyProvidersPath = this.capabilitiesService.pathFor('keymgmtKeyProviders', { backend, name });
+
+    const capabilities = await this.capabilitiesService.fetch([keyPath, keysPath, keyProvidersPath]);
+
+    return {
+      canDelete: capabilities[keyPath]?.canDelete,
+      canUpdate: capabilities[keyPath]?.canUpdate,
+      canEdit: capabilities[keyPath]?.canUpdate,
+      canRead: capabilities[keyPath]?.canRead,
+      canList: capabilities[keysPath]?.canList,
+      canListProviders: capabilities[keyProvidersPath]?.canList,
+    };
+  },
+
+  async fetchKeymgmtProvider(backend, name) {
+    const { data } = await this.api.secrets.keyManagementReadKmsProvider(name, backend);
+
+    const form = new KeymgmtProviderForm(
+      {
+        ...data,
+        name,
+        backend,
+        keys: [],
+      },
+      { isNew: false }
+    );
+
+    return form;
+  },
+
+  async fetchKeymgmtProviderCapabilities(backend, name) {
+    const providerPath = this.capabilitiesService.pathFor('keymgmtProvider', { backend, id: name });
+    const providersPath = this.capabilitiesService.pathFor('keymgmtProviders', { backend });
+    const providerKeysPath = this.capabilitiesService.pathFor('keymgmtProviderKeys', { backend, id: name });
+
+    const capabilities = await this.capabilitiesService.fetch([
+      providerPath,
+      providersPath,
+      providerKeysPath,
+    ]);
+
+    return {
+      canDelete: capabilities[providerPath]?.canDelete,
+      canUpdate: capabilities[providerPath]?.canUpdate,
+      canEdit: capabilities[providerPath]?.canUpdate,
+      canRead: capabilities[providerPath]?.canRead,
+      canList: capabilities[providersPath]?.canList,
+      canListKeys: capabilities[providerKeysPath]?.canList,
+      canCreateKeys: capabilities[providerKeysPath]?.canCreate,
+    };
+  },
+
+  async fetchSshRole(backend, name) {
+    try {
+      const { data } = await this.api.secrets.sshReadRole(name, backend);
+      return new SshRoleForm({ ...data, name, backend }, { isNew: false });
+    } catch (error) {
+      const { message } = await this.api.parseError(error);
+      throw new Error(message);
+    }
+  },
+
+  async fetchSshRoleCapabilities(backend, name) {
+    try {
+      const rolePath = this.capabilitiesService.pathFor('sshRole', { backend, id: name });
+      const credentialsPath = this.capabilitiesService.pathFor('sshCredentials', { backend, id: name });
+      const signPath = this.capabilitiesService.pathFor('sshSign', { backend, id: name });
+
+      const capabilities = await this.capabilitiesService.fetch([rolePath, credentialsPath, signPath]);
+
+      return {
+        canDelete: capabilities[rolePath]?.canDelete,
+        canUpdate: capabilities[rolePath]?.canUpdate,
+        canEdit: capabilities[rolePath]?.canUpdate,
+        canRead: capabilities[rolePath]?.canRead,
+        canGenerate: capabilities[credentialsPath]?.canUpdate,
+        canSign: capabilities[signPath]?.canUpdate,
+      };
+    } catch (error) {
+      const { message } = await this.api.parseError(error);
+      throw new Error(message);
+    }
+  },
+
+  async fetchTransformAlphabet(backend, name) {
+    const resp = await this.api.secrets.transformReadAlphabet(name, backend);
+    const data = resp.data || {};
+    return new AlphabetForm({ ...data, name, backend }, { isNew: false });
+  },
+
+  async fetchTransformAlphabetCapabilities(backend, name) {
+    const alphabetPath = this.capabilitiesService.pathFor('transformAlphabet', { backend, name });
+    const alphabetsPath = this.capabilitiesService.pathFor('transformAlphabets', { backend });
+
+    const capabilities = await this.capabilitiesService.fetch([alphabetPath, alphabetsPath]);
+
+    return {
+      canDelete: capabilities[alphabetPath]?.canDelete,
+      canUpdate: capabilities[alphabetPath]?.canUpdate,
+      canRead: capabilities[alphabetPath]?.canRead,
+      canList: capabilities[alphabetsPath]?.canList,
+    };
+  },
+
+  async fetchTransformTemplate(backend, name) {
+    const resp = await this.api.secrets.transformReadTemplate(name, backend);
+    const data = resp.data || {};
+    return new TemplateForm(
+      {
+        name,
+        backend,
+        type: data.type,
+        pattern: data.pattern,
+        alphabet: data.alphabet ? [data.alphabet] : [],
+        encode_format: data.encode_format,
+        decode_formats: data.decode_formats,
+      },
+      { isNew: false }
+    );
+  },
+
+  async fetchTransformTemplateCapabilities(backend, name) {
+    const templatePath = this.capabilitiesService.pathFor('transformTemplate', { backend, name });
+    const templatesPath = this.capabilitiesService.pathFor('transformTemplates', { backend });
+
+    const capabilities = await this.capabilitiesService.fetch([templatePath, templatesPath]);
+
+    return {
+      canDelete: capabilities[templatePath]?.canDelete,
+      canUpdate: capabilities[templatePath]?.canUpdate,
+      canRead: capabilities[templatePath]?.canRead,
+      canList: capabilities[templatesPath]?.canList,
+    };
+  },
+
+  async fetchTransformRole(backend, name) {
+    const resp = await this.api.secrets.transformReadRole(name, backend);
+    const data = resp.data || {};
+    return new RoleForm({ name, backend, transformations: data.transformations || [] }, { isNew: false });
+  },
+
+  async fetchTransformRoleCapabilities(backend, name) {
+    const rolePath = this.capabilitiesService.pathFor('transformRole', { backend, name });
+    const rolesPath = this.capabilitiesService.pathFor('transformRoles', { backend });
+
+    const capabilities = await this.capabilitiesService.fetch([rolePath, rolesPath]);
+
+    return {
+      canDelete: capabilities[rolePath]?.canDelete,
+      canUpdate: capabilities[rolePath]?.canUpdate,
+      canRead: capabilities[rolePath]?.canRead,
+      canList: capabilities[rolesPath]?.canList,
+    };
+  },
+
+  async fetchTransformTransformation(backend, name) {
+    const resp = await this.api.secrets.transformReadTransformation(name, backend);
+    const data = resp.data || resp || {};
+    return new TransformationForm(
+      {
+        name,
+        backend,
+        type: data.type || 'fpe',
+        tweak_source: data.tweak_source,
+        masking_character: data.masking_character,
+        template: data.template ? [data.template] : [],
+        allowed_roles: data.allowed_roles || [],
+        deletion_allowed: data.deletion_allowed,
+        mapping_mode: data.mapping_mode,
+        convergent: data.convergent,
+        max_ttl: data.max_ttl,
+        stores: data.stores || [],
+      },
+      { isNew: false }
+    );
+  },
+
+  async fetchTransformTransformationCapabilities(backend, name) {
+    const transformationPath = this.capabilitiesService.pathFor('transformTransformation', { backend, name });
+    const transformationsPath = this.capabilitiesService.pathFor('transformTransformations', { backend });
+
+    const capabilities = await this.capabilitiesService.fetch([transformationPath, transformationsPath]);
+
+    return {
+      canDelete: capabilities[transformationPath]?.canDelete,
+      canUpdate: capabilities[transformationPath]?.canUpdate,
+      canRead: capabilities[transformationPath]?.canRead,
+      canList: capabilities[transformationsPath]?.canList,
+    };
+  },
+
   async handleSecretModelError(capabilitiesPromise, secretId, modelType, error) {
     // capabilities is a promise proxy, not a real object
     // to work around this we explicitly assign it to a const and await it
@@ -158,20 +520,46 @@ export default Route.extend({
       secret = secret.replace('role/', '');
     }
     let secretModel;
+    let capabilities;
 
-    const capabilities = this.capabilities(secret, modelType);
-    try {
-      secretModel = await this.store.queryRecord(modelType, { id: secret, backend, type });
-    } catch (err) {
-      // we've failed the read request, but if it's a kv-v1 type backend, we want to
-      // do additional checks of the capabilities
-      if (err.httpStatus === 403 && modelType === 'secret') {
-        secretModel = await this.handleSecretModelError(capabilities, secret, modelType, err);
-      } else {
-        throw err;
+    if (modelType === 'totp-key') {
+      secretModel = await this.fetchTotpKey(backend, secret);
+      capabilities = await this.fetchTotpKeyCapabilities(backend, secret);
+    } else if (modelType === 'keymgmt/key') {
+      secretModel = await this.fetchKeymgmtKey(backend, secret);
+      capabilities = await this.fetchKeymgmtKeyCapabilities(backend, secret);
+    } else if (modelType === 'keymgmt/provider') {
+      secretModel = await this.fetchKeymgmtProvider(backend, secret);
+      capabilities = await this.fetchKeymgmtProviderCapabilities(backend, secret);
+    } else if (modelType === 'role-ssh') {
+      secretModel = await this.fetchSshRole(backend, secret);
+      capabilities = await this.fetchSshRoleCapabilities(backend, secret);
+    } else if (modelType === 'transform/alphabet') {
+      secretModel = await this.fetchTransformAlphabet(backend, secret);
+      capabilities = await this.fetchTransformAlphabetCapabilities(backend, secret);
+    } else if (modelType === 'transform/template') {
+      secretModel = await this.fetchTransformTemplate(backend, secret);
+      capabilities = await this.fetchTransformTemplateCapabilities(backend, secret);
+    } else if (modelType === 'transform/role') {
+      secretModel = await this.fetchTransformRole(backend, secret);
+      capabilities = await this.fetchTransformRoleCapabilities(backend, secret);
+    } else if (modelType === 'transform') {
+      secretModel = await this.fetchTransformTransformation(backend, secret);
+      capabilities = await this.fetchTransformTransformationCapabilities(backend, secret);
+    } else {
+      capabilities = await this.capabilities(secret, modelType);
+      try {
+        secretModel = await this.store.queryRecord(modelType, { id: secret, backend, type });
+      } catch (err) {
+        // we've failed the read request, but if it's a kv-v1 type backend, we want to
+        // do additional checks of the capabilities
+        if (err.httpStatus === 403 && modelType === 'secret') {
+          secretModel = await this.handleSecretModelError(capabilities, secret, modelType, err);
+        } else {
+          throw err;
+        }
       }
     }
-    await capabilities;
 
     return {
       secret: secretModel,
@@ -187,13 +575,22 @@ export default Route.extend({
       /* eslint-disable-next-line ember/no-controller-access-in-routes */
       this.controllerFor('vault.cluster.secrets.backend').preferAdvancedEdit || false;
     const backendType = this.backendType();
-    model.secret.setProperties({ backend });
+    // mode will be 'show', 'edit', 'create'
+    const mode = this.routeName.split('.').pop().replace('-root', '');
+
+    // Form-based models (keymgmt, TOTP, SSH, transform sub-types) use Form class instances which
+    // don't have the Ember Data setProperties method.
+    const isFormModel = model.secret instanceof Form;
+    if (!isFormModel) {
+      model.secret.setProperties({ backend });
+    }
+
     controller.setProperties({
       model: model.secret,
+      form: isFormModel ? model.secret : null,
       capabilities: model.capabilities,
       baseKey: { id: secret },
-      // mode will be 'show', 'edit', 'create'
-      mode: this.routeName.split('.').pop().replace('-root', ''),
+      mode,
       backend,
       preferAdvancedEdit,
       backendType,
diff --git a/ui/app/routes/vault/cluster/secrets/backend/sign.js b/ui/app/routes/vault/cluster/secrets/backend/sign.js
index 41a44577c7..d29c604adf 100644
--- a/ui/app/routes/vault/cluster/secrets/backend/sign.js
+++ b/ui/app/routes/vault/cluster/secrets/backend/sign.js
@@ -1,32 +1,21 @@
 /**
- * Copyright IBM Corp. 2016, 2025
+ * Copyright IBM Corp. 2016, 2026
  * SPDX-License-Identifier: BUSL-1.1
  */
 
 import Route from '@ember/routing/route';
-import UnloadModel from 'vault/mixins/unload-model-route';
 import { service } from '@ember/service';
 
-export default Route.extend(UnloadModel, {
+export default Route.extend({
   router: service(),
-  store: service(),
+  capabilities: service(),
   templateName: 'vault/cluster/secrets/backend/sign',
 
   backendModel() {
     return this.modelFor('vault.cluster.secrets.backend');
   },
 
-  pathQuery(role, backend) {
-    return {
-      id: `${backend}/sign/${role}`,
-    };
-  },
-
-  pathForType() {
-    return 'sign';
-  },
-
-  model(params) {
+  async model(params) {
     const role = params.secret;
     const backendModel = this.backendModel();
     const backend = backendModel.id;
@@ -34,23 +23,16 @@ export default Route.extend(UnloadModel, {
     if (backendModel.type !== 'ssh') {
       return this.router.transitionTo('vault.cluster.secrets.backend.list-root', backend);
     }
-    return this.store.queryRecord('capabilities', this.pathQuery(role, backend)).then((capabilities) => {
-      if (!capabilities.canUpdate) {
-        return this.router.transitionTo('vault.cluster.secrets.backend.list-root', backend);
-      }
-      return this.store.createRecord('ssh-sign', {
-        role: {
-          backend,
-          id: role,
-          name: role,
-        },
-        id: `${backend}-${role}`,
-      });
-    });
-  },
 
-  setupController(controller) {
-    this._super(...arguments);
-    controller.set('backend', this.backendModel());
+    const signPath = this.capabilities.pathFor('sshSign', { backend, id: role });
+    const capabilities = await this.capabilities.fetch([signPath]);
+    if (!capabilities[signPath]?.canUpdate) {
+      return this.router.transitionTo('vault.cluster.secrets.backend.list-root', backend);
+    }
+
+    return {
+      roleName: role,
+      backendPath: backend,
+    };
   },
 });
diff --git a/ui/app/routes/vault/cluster/secrets/enable/create.ts b/ui/app/routes/vault/cluster/secrets/enable/create.ts
index cb061832bd..2ef3f164f9 100644
--- a/ui/app/routes/vault/cluster/secrets/enable/create.ts
+++ b/ui/app/routes/vault/cluster/secrets/enable/create.ts
@@ -6,10 +6,13 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import SecretsEngineForm from 'vault/forms/secrets/engine';
-import type ApiService from 'vault/services/api';
-import type PluginCatalogService from 'vault/services/plugin-catalog';
 import { getExternalPluginNameFromBuiltin } from 'vault/utils/external-plugin-helpers';
 import { getAllVersionsForEngineType, type EngineVersionInfo } from 'vault/utils/plugin-catalog-helpers';
+import { ALL_ENGINES } from 'vault/utils/all-engines-metadata';
+import { IdentityApiOidcListKeysListEnum } from '@hashicorp/vault-client-typescript/dist/apis/IdentityApi';
+
+import type ApiService from 'vault/services/api';
+import type PluginCatalogService from 'vault/services/plugin-catalog';
 
 export default class VaultClusterSecretsEnableCreateRoute extends Route {
   @service('plugin-catalog') declare readonly pluginCatalog: PluginCatalogService;
@@ -36,6 +39,23 @@ export default class VaultClusterSecretsEnableCreateRoute extends Route {
     form.applyTypeSpecificDefaults();
 
     // Fetch plugin catalog data to get available versions for this engine type
+    const { availableVersions, hasUnversionedPlugins } = await this.fetchPluginVersions(form);
+    // Get pinned version for this plugin type
+    const pinnedVersion = await this.fetchPinnedVersion(mount_type, availableVersions);
+
+    // WIF engines require fetching OIDC keys to populate an additional form field
+    const oidcKeys = await this.fetchOidcKeys(mount_type);
+
+    return {
+      form,
+      availableVersions,
+      hasUnversionedPlugins,
+      pinnedVersion,
+      oidcKeys,
+    };
+  }
+
+  async fetchPluginVersions(form: SecretsEngineForm) {
     const pluginCatalogResponse = await this.pluginCatalog.fetchPluginCatalog();
     let availableVersions: EngineVersionInfo[] = [];
     let hasUnversionedPlugins = false;
@@ -43,7 +63,7 @@ export default class VaultClusterSecretsEnableCreateRoute extends Route {
     if (pluginCatalogResponse.data?.detailed) {
       const versionResult = getAllVersionsForEngineType(
         pluginCatalogResponse.data.detailed,
-        mount_type,
+        form.type,
         'secret'
       );
 
@@ -53,8 +73,10 @@ export default class VaultClusterSecretsEnableCreateRoute extends Route {
       // Set up the plugin version field with available versions
       form.setupPluginVersionField(availableVersions);
     }
+    return { availableVersions, hasUnversionedPlugins };
+  }
 
-    // Get pinned version for this plugin type
+  async fetchPinnedVersion(mountType: string, availableVersions: EngineVersionInfo[]) {
     let pinnedVersion: string | null = null;
 
     // Only fetch external pinned version if there are external versions available
@@ -62,7 +84,7 @@ export default class VaultClusterSecretsEnableCreateRoute extends Route {
     if (hasExternalVersions) {
       try {
         // Convert builtin type to external plugin name for API call
-        const externalPluginName = getExternalPluginNameFromBuiltin(mount_type);
+        const externalPluginName = getExternalPluginNameFromBuiltin(mountType);
         if (externalPluginName) {
           const response = await this.api.sys.pluginsCatalogPinsReadPinnedVersion(
             externalPluginName,
@@ -75,12 +97,23 @@ export default class VaultClusterSecretsEnableCreateRoute extends Route {
         pinnedVersion = null;
       }
     }
+    return pinnedVersion;
+  }
 
-    return {
-      form,
-      availableVersions,
-      hasUnversionedPlugins,
-      pinnedVersion,
-    };
+  async fetchOidcKeys(type: string) {
+    // an additional form field for identity_token_key is displayed for WIF engines
+    // fetch oidc keys to populate the search select component
+    let oidcKeys: { id: string }[] = [];
+    const isWIF = !!ALL_ENGINES.find((engine) => engine.type === type && engine.isWIF);
+    if (isWIF) {
+      try {
+        const { keys } = await this.api.identity.oidcListKeys(IdentityApiOidcListKeysListEnum.TRUE);
+        // SearchSelect requires options to be objects
+        oidcKeys = keys?.map((key) => ({ id: key })) || [];
+      } catch (e) {
+        // swallow fetch error and fallback component will be used
+      }
+    }
+    return oidcKeys;
   }
 }
diff --git a/ui/app/serializers/identity/_base.js b/ui/app/serializers/identity/_base.js
index 452cea5a16..4667d7305e 100644
--- a/ui/app/serializers/identity/_base.js
+++ b/ui/app/serializers/identity/_base.js
@@ -7,7 +7,10 @@ import ApplicationSerializer from '../application';
 
 export default ApplicationSerializer.extend({
   normalizeItems(payload) {
-    if (payload.data.keys && Array.isArray(payload.data.keys)) {
+    // Extract the keys array into individual objects with the key as the id, if it exists.
+    // This is for endpoints that return a list of keys and a separate key_info object with
+    // the details for each key, such as the list endpoint for entities.
+    if (payload.data?.keys && Array.isArray(payload.data?.keys)) {
       if (typeof payload.data.keys[0] !== 'string') {
         // If keys is not an array of strings, it was already normalized into objects in extractLazyPaginatedData
         return payload.data.keys;
diff --git a/ui/app/serializers/keymgmt/key.js b/ui/app/serializers/keymgmt/key.js
deleted file mode 100644
index 5a08ee21c4..0000000000
--- a/ui/app/serializers/keymgmt/key.js
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationSerializer from '../application';
-
-export default class KeymgmtKeySerializer extends ApplicationSerializer {
-  normalizeItems(payload) {
-    const normalized = super.normalizeItems(payload);
-    // Transform versions from object with number keys to array with key ids
-    if (normalized.versions) {
-      let lastRotated;
-      let created;
-      const versions = [];
-      Object.keys(normalized.versions).forEach((key, i, arr) => {
-        versions.push({
-          id: parseInt(key, 10),
-          ...normalized.versions[key],
-        });
-        if (i === 0) {
-          created = normalized.versions[key].creation_time;
-        } else if (arr.length - 1 === i) {
-          // Set lastRotated to the last key
-          lastRotated = normalized.versions[key].creation_time;
-        }
-      });
-      normalized.versions = versions;
-      return { ...normalized, last_rotated: lastRotated, created };
-    } else if (Array.isArray(normalized)) {
-      return normalized.map((key) => ({
-        id: key.id,
-        name: key.id,
-        backend: payload.backend,
-      }));
-    }
-    return normalized;
-  }
-}
diff --git a/ui/app/serializers/keymgmt/provider.js b/ui/app/serializers/keymgmt/provider.js
deleted file mode 100644
index 6fb40f8fe9..0000000000
--- a/ui/app/serializers/keymgmt/provider.js
+++ /dev/null
@@ -1,29 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationSerializer from '../application';
-
-export default class KeymgmtProviderSerializer extends ApplicationSerializer {
-  primaryKey = 'name';
-
-  normalizeItems(payload) {
-    const normalized = super.normalizeItems(payload);
-    if (Array.isArray(normalized)) {
-      normalized.forEach((provider) => {
-        provider.id = provider.name;
-        provider.backend = payload.backend;
-      });
-    }
-    return normalized;
-  }
-
-  serialize(snapshot) {
-    const json = super.serialize(...arguments);
-    return {
-      ...json,
-      credentials: snapshot.record.credentials,
-    };
-  }
-}
diff --git a/ui/app/serializers/oidc/client.js b/ui/app/serializers/oidc/client.js
deleted file mode 100644
index 4d1ecc83d1..0000000000
--- a/ui/app/serializers/oidc/client.js
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationSerializer from '../application';
-
-export default class OidcClientSerializer extends ApplicationSerializer {
-  primaryKey = 'name';
-
-  // rehydrate each client model so all model attributes are accessible from the LIST response
-  normalizeItems(payload) {
-    if (payload.data) {
-      if (payload.data?.keys && Array.isArray(payload.data.keys)) {
-        return payload.data.keys.map((key) => ({ name: key, ...payload.data.key_info[key] }));
-      }
-      Object.assign(payload, payload.data);
-      delete payload.data;
-    }
-    return payload;
-  }
-}
diff --git a/ui/app/serializers/oidc/provider.js b/ui/app/serializers/oidc/provider.js
deleted file mode 100644
index 896d23decb..0000000000
--- a/ui/app/serializers/oidc/provider.js
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationSerializer from '../application';
-
-export default class OidcProviderSerializer extends ApplicationSerializer {
-  primaryKey = 'name';
-
-  // need to normalize to get issuer metadata for provider's list view
-  normalizeItems(payload) {
-    if (payload.data) {
-      if (payload.data?.keys && Array.isArray(payload.data.keys)) {
-        return payload.data.keys.map((key) => ({ name: key, ...payload.data.key_info[key] }));
-      }
-      Object.assign(payload, payload.data);
-      delete payload.data;
-    }
-    return payload;
-  }
-}
diff --git a/ui/app/serializers/oidc/scope.js b/ui/app/serializers/oidc/scope.js
deleted file mode 100644
index d279f9372a..0000000000
--- a/ui/app/serializers/oidc/scope.js
+++ /dev/null
@@ -1,10 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationSerializer from '../application';
-
-export default class OidcScopeSerializer extends ApplicationSerializer {
-  primaryKey = 'name';
-}
diff --git a/ui/app/serializers/ssh.js b/ui/app/serializers/ssh.js
deleted file mode 100644
index 5ae7fc070b..0000000000
--- a/ui/app/serializers/ssh.js
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import RESTSerializer from '@ember-data/serializer/rest';
-import { isNone, isBlank } from '@ember/utils';
-import { decamelize } from '@ember/string';
-
-export default RESTSerializer.extend({
-  keyForAttribute: function (attr) {
-    return decamelize(attr);
-  },
-
-  pushPayload(store, payload) {
-    const transformedPayload = this.normalizeResponse(
-      store,
-      store.modelFor(payload.modelName),
-      payload,
-      payload.id,
-      'findRecord'
-    );
-    return store.push(transformedPayload);
-  },
-
-  normalizeItems(payload) {
-    Object.assign(payload, payload.data);
-    delete payload.data;
-    return payload;
-  },
-
-  normalizeResponse(store, primaryModelClass, payload, id, requestType) {
-    const responseJSON = this.normalizeItems(payload);
-    const { modelName } = primaryModelClass;
-    const transformedPayload = { [modelName]: responseJSON };
-    const ret = this._super(store, primaryModelClass, transformedPayload, id, requestType);
-    return ret;
-  },
-
-  serializeAttribute(snapshot, json, key, attributes) {
-    const val = snapshot.attr(key);
-    if (attributes.options.readOnly) {
-      return;
-    }
-    if (
-      attributes.type === 'object' &&
-      val &&
-      Object.keys(val).length > 0 &&
-      isNone(snapshot.changedAttributes()[key])
-    ) {
-      return;
-    }
-    if (isBlank(val) && isNone(snapshot.changedAttributes()[key])) {
-      return;
-    }
-
-    this._super(snapshot, json, key, attributes);
-  },
-});
diff --git a/ui/app/serializers/totp-key.js b/ui/app/serializers/totp-key.js
deleted file mode 100644
index e2a660d2c8..0000000000
--- a/ui/app/serializers/totp-key.js
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import ApplicationSerializer from './application';
-import { camelize } from '@ember/string';
-
-export default class TotpKeySerializer extends ApplicationSerializer {
-  normalizeItems(payload, requestType) {
-    if (
-      requestType !== 'queryRecord' &&
-      payload.data &&
-      payload.data.keys &&
-      Array.isArray(payload.data.keys)
-    ) {
-      // if we have data.keys, it's a list of ids, so we map over that
-      // and create objects with id's
-      return payload.data.keys.map((secret) => ({
-        id: secret,
-        backend: payload.backend,
-      }));
-    }
-
-    Object.assign(payload, payload.data);
-    delete payload.data;
-    return payload;
-  }
-
-  serialize(snapshot) {
-    // remove all fields that are not relevant to specified key provider
-    const { keyFormFields } = snapshot.adapterOptions;
-    const json = super.serialize(...arguments);
-    Object.keys(json).forEach((key) => {
-      if (!keyFormFields.includes(camelize(key))) {
-        delete json[key];
-      }
-    });
-
-    // remove name as it isn't a parameter - it is a part of the request url
-    delete json.name;
-    return json;
-  }
-}
diff --git a/ui/app/services/api.ts b/ui/app/services/api.ts
index b6de21fdea..2160b5deae 100644
--- a/ui/app/services/api.ts
+++ b/ui/app/services/api.ts
@@ -85,17 +85,27 @@ export default class ApiService extends Service {
   };
 
   // -- Post Request Middleware --
+  private async readJson(response: Response) {
+    const contentType = response.headers.get('Content-Type');
+    if (!contentType?.includes('json')) {
+      return null;
+    }
+
+    try {
+      return await response.json();
+    } catch {
+      return null;
+    }
+  }
+
   showWarnings = waitFor(async (context: ResponseContext) => {
     const response = context.response.clone();
-    // if the response is empty, don't try to parse it
-    if (response.headers.get('Content-Length')) {
-      const json = await response.json();
+    const json = await this.readJson(response);
 
-      if (json?.warnings) {
-        json.warnings.forEach((message: string) => {
-          this.flashMessages.info(message);
-        });
-      }
+    if (json?.warnings) {
+      json.warnings.forEach((message: string) => {
+        this.flashMessages.info(message);
+      });
     }
   });
 
@@ -114,19 +124,17 @@ export default class ApiService extends Service {
       }
     }
     // if the requested path is locked by a control group we need to create a new error response
-    if (headers.get('Content-Length')) {
-      const json = await response.json();
-      const wrapTtl = headers.get('X-Vault-Wrap-TTL');
-      const isLockedByControlGroup = this.controlGroup.isRequestedPathLocked(json, wrapTtl);
+    const json = await this.readJson(response);
+    const wrapTtl = headers.get('X-Vault-Wrap-TTL');
+    const isLockedByControlGroup = this.controlGroup.isRequestedPathLocked(json, wrapTtl);
 
-      if (isLockedByControlGroup) {
-        const error = {
-          message: 'Control Group encountered',
-          isControlGroupError: true,
-          ...json.wrap_info,
-        };
-        return new Response(JSON.stringify(error), { headers, status: 403, statusText: 'Forbidden' });
-      }
+    if (isLockedByControlGroup && json) {
+      const error = {
+        message: 'Control Group encountered',
+        isControlGroupError: true,
+        ...json.wrap_info,
+      };
+      return new Response(JSON.stringify(error), { headers, status: 403, statusText: 'Forbidden' });
     }
 
     return;
@@ -256,31 +264,37 @@ export default class ApiService extends Service {
 
   // interface for making raw fetch requests outside of the generated API methods
   // this should only be used in cases where it's not possible to use the client
-  private async rawRequest(path: string, method: HTTPMethod, body?: unknown) {
+  private async rawRequest(path: string, method: HTTPMethod, body?: unknown, headers?: HeadersInit) {
     const context = {
-      url: `${this.configuration.basePath}${path}`,
+      url: `${this.configuration.basePath}${path.charAt(0) === '/' ? path : `/${path}`}`,
       init: { method } as RequestInit,
     };
 
     if (body) {
       context.init.body = JSON.stringify(body);
     }
+    if (headers) {
+      context.init.headers = headers;
+    }
 
     const { url, init } = await this.setHeaders(context as RequestContext);
 
     const response = await this.configuration.fetchApi?.(new Request(url, init));
     if (!response?.ok) {
-      throw response;
+      throw new ResponseError(response as Response);
     }
     // with various content types like application/pem-certificate-chain or application/pkix-cert for example,
     // return the response so the caller can read the body with the appropriate method (blob, text, json etc.)
     return response;
   }
   request = {
-    get: (path: string) => this.rawRequest(path, 'GET'),
-    post: (path: string, body?: unknown) => this.rawRequest(path, 'POST', body),
-    put: (path: string, body?: unknown) => this.rawRequest(path, 'PUT', body),
-    patch: (path: string, body?: unknown) => this.rawRequest(path, 'PATCH', body),
-    delete: (path: string, body?: unknown) => this.rawRequest(path, 'DELETE', body),
+    get: (path: string, headers?: HeadersInit) => this.rawRequest(path, 'GET', undefined, headers),
+    post: (path: string, body?: unknown, headers?: HeadersInit) =>
+      this.rawRequest(path, 'POST', body, headers),
+    put: (path: string, body?: unknown, headers?: HeadersInit) => this.rawRequest(path, 'PUT', body, headers),
+    patch: (path: string, body?: unknown, headers?: HeadersInit) =>
+      this.rawRequest(path, 'PATCH', body, headers),
+    delete: (path: string, body?: unknown, headers?: HeadersInit) =>
+      this.rawRequest(path, 'DELETE', body, headers),
   };
 }
diff --git a/ui/app/services/flags.ts b/ui/app/services/flags.ts
index 0456abfc4d..1237a5b5bb 100644
--- a/ui/app/services/flags.ts
+++ b/ui/app/services/flags.ts
@@ -7,7 +7,7 @@ import Service, { inject as service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import { keepLatestTask } from 'ember-concurrency';
 import { macroCondition, isDevelopingApp } from '@embroider/macros';
-import { ADMINISTRATIVE_NAMESPACE } from 'vault/services/namespace';
+import { ADMINISTRATIVE_NAMESPACE } from 'vault/utils/constants/namespace';
 
 import type VersionService from 'vault/services/version';
 import type ApiService from 'vault/services/api';
diff --git a/ui/app/services/namespace.ts b/ui/app/services/namespace.ts
index 41f182569c..c55da6eda2 100644
--- a/ui/app/services/namespace.ts
+++ b/ui/app/services/namespace.ts
@@ -8,6 +8,7 @@ import { task } from 'ember-concurrency';
 import { getRelativePath, sanitizePath } from 'core/utils/sanitize-path';
 import { tracked } from '@glimmer/tracking';
 import { buildWaiter } from '@ember/test-waiters';
+import { ROOT_NAMESPACE, ADMINISTRATIVE_NAMESPACE } from 'vault/utils/constants/namespace';
 
 import type AuthService from 'vault/services/auth';
 import type ApiService from 'vault/services/api';
@@ -15,9 +16,6 @@ import type FlagsService from 'vault/services/flags';
 
 const waiter = buildWaiter('namespaces');
 
-export const ROOT_NAMESPACE = '';
-export const ADMINISTRATIVE_NAMESPACE = 'admin';
-
 export interface NamespaceOption {
   path: string;
   label: string;
diff --git a/ui/app/services/permissions.js b/ui/app/services/permissions.js
index 07874b685b..40933c0080 100644
--- a/ui/app/services/permissions.js
+++ b/ui/app/services/permissions.js
@@ -115,6 +115,9 @@ const API_PATHS = {
   monitoring: {
     'utilization-report': 'sys/utilization-report',
   },
+  billing: {
+    overview: 'sys/billing/overview',
+  },
 };
 
 // API_PATHS_TO_ROUTE_PARAMS is used to resolve route params for that path when checking permissions for the nav item.
diff --git a/ui/app/services/snippet.ts b/ui/app/services/snippet.ts
new file mode 100644
index 0000000000..2f34ce542b
--- /dev/null
+++ b/ui/app/services/snippet.ts
@@ -0,0 +1,50 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Service from '@ember/service';
+import { tracked } from '@glimmer/tracking';
+import { action } from '@ember/object';
+import { CreationMethod } from 'vault/utils/constants/snippet';
+
+export interface SnippetTab {
+  key: string;
+  label: string;
+  snippet: string;
+}
+
+export default class SnippetService extends Service {
+  @tracked selectedTabIdx = 0;
+  @tracked creationMethodChoice: CreationMethod = CreationMethod.TERRAFORM;
+  @tracked codeSnippet: string | null = null;
+
+  @action
+  setCreationMethod(choice: CreationMethod, tfSnippet: string, customTabs: SnippetTab[]) {
+    this.creationMethodChoice = choice;
+    this.persistSnippet(tfSnippet, customTabs);
+  }
+
+  @action
+  setSelectedTab(idx: number, tfSnippet: string, customTabs: SnippetTab[]) {
+    this.selectedTabIdx = idx;
+    this.persistSnippet(tfSnippet, customTabs);
+  }
+
+  @action
+  persistSnippet(tfSnippet: string, customTabs: SnippetTab[]) {
+    if (this.creationMethodChoice === CreationMethod.TERRAFORM) {
+      this.codeSnippet = tfSnippet;
+    } else if (this.creationMethodChoice === CreationMethod.APICLI) {
+      this.codeSnippet = customTabs[this.selectedTabIdx]?.snippet ?? null;
+    } else {
+      this.codeSnippet = null;
+    }
+  }
+
+  reset(initialChoice: CreationMethod = CreationMethod.TERRAFORM) {
+    this.selectedTabIdx = 0;
+    this.creationMethodChoice = initialChoice;
+    this.codeSnippet = null;
+  }
+}
diff --git a/ui/app/services/unsaved-changes.ts b/ui/app/services/unsaved-changes.ts
index 97d7196eaf..8fc581ccb7 100644
--- a/ui/app/services/unsaved-changes.ts
+++ b/ui/app/services/unsaved-changes.ts
@@ -13,6 +13,11 @@ import type Transition from '@ember/routing/transition';
 import type RouterService from '@ember/routing/router-service';
 import FlagsService from 'vault/services/flags';
 
+type TransitionInfo = {
+  routeName?: string;
+  params?: Record<string, unknown>;
+};
+
 // this service tracks the unsaved changes modal state.
 export default class UnsavedChangesService extends Service {
   @service declare readonly router: RouterService;
@@ -42,10 +47,10 @@ export default class UnsavedChangesService extends Service {
     return this.changedFields.length > 0;
   }
 
-  get transitionInfo() {
+  get transitionInfo(): TransitionInfo {
     return {
       routeName: this.intendedTransition?.to?.name,
-      params: this.intendedTransition?.to?.params,
+      params: this.intendedTransition?.to?.params as Record<string, unknown> | undefined,
     };
   }
 
diff --git a/ui/app/services/version.js b/ui/app/services/version.js
index 6e88582dd2..38a237a309 100644
--- a/ui/app/services/version.js
+++ b/ui/app/services/version.js
@@ -52,6 +52,11 @@ export default class VersionService extends Service {
     return this.features.includes('Control Groups');
   }
 
+  // Consumption Billing will only be present on the platform-standard module introduced in 2.0.0.
+  get hasConsumptionBilling() {
+    return this.features.includes('Consumption Billing');
+  }
+
   get hasSecretsSync() {
     const isEnterprise = this.isEnterprise;
     const isHvdManaged = this.flags.isHvdManaged;
diff --git a/ui/app/services/wizard.ts b/ui/app/services/wizard.ts
index 7c2098fd93..f925e8f515 100644
--- a/ui/app/services/wizard.ts
+++ b/ui/app/services/wizard.ts
@@ -6,12 +6,26 @@
 import Service from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import localStorage from 'vault/lib/local-storage';
+import { DISMISSED_WIZARD_KEY } from 'vault/utils/constants/wizard';
 
-const DISMISSED_WIZARD_KEY = 'dismissed-wizards';
+import type { WizardId } from 'vault/app-types';
+
+export interface StepConfig {
+  title: string;
+  component: string;
+}
+
+// Unique identifier for each wizard, used to track dismissal state and step state.
+export type WizardID = string;
+
+// Dynamic state storage for each wizard defined at the component level.
+// This allows for flexible state management across different wizards without
+// needing to predefine specific properties for each wizard in the service.
+export type WizardState = Record<string, unknown>;
 
 /**
  * WizardService manages the state of wizards across the application,
- * particularly tracking which wizards have been dismissed by the user.
+ * including tracking which wizards have been dismissed by the user.
  * This service provides a centralized way to check and update wizard
  * dismissal state instead of directly accessing localStorage.
  */
@@ -19,6 +33,11 @@ export default class WizardService extends Service {
   @tracked dismissedWizards: string[] = this.loadDismissedWizards();
   @tracked introVisibleState: Record<string, boolean> = {};
 
+  /* Tracked properties for step state management */
+  @tracked private stepData: Record<WizardID, WizardState> = {};
+  @tracked private currentStep: Record<WizardID, number> = {};
+  @tracked private steps: Record<WizardID, StepConfig[]> = {};
+
   /**
    * Load dismissed wizards from localStorage
    */
@@ -31,7 +50,7 @@ export default class WizardService extends Service {
    * @param wizardId - The unique identifier for the wizard
    * @returns true if the wizard has been dismissed, false otherwise
    */
-  isDismissed(wizardId: string): boolean {
+  isDismissed(wizardId: WizardId): boolean {
     return this.dismissedWizards.includes(wizardId);
   }
 
@@ -39,7 +58,7 @@ export default class WizardService extends Service {
    * Mark a wizard as dismissed
    * @param wizardId - The unique identifier for the wizard to dismiss
    */
-  dismiss(wizardId: string): void {
+  dismiss(wizardId: WizardId): void {
     // Only add if not already dismissed
     if (!this.dismissedWizards.includes(wizardId)) {
       this.dismissedWizards = [...this.dismissedWizards, wizardId];
@@ -51,7 +70,7 @@ export default class WizardService extends Service {
    * Clear the dismissed state for a specific wizard
    * @param wizardId - The unique identifier for the wizard to reset
    */
-  reset(wizardId: string): void {
+  reset(wizardId: WizardId): void {
     this.dismissedWizards = this.dismissedWizards.filter((id: string) => id !== wizardId);
     localStorage.setItem(DISMISSED_WIZARD_KEY, this.dismissedWizards);
     // Reset intro visibility when wizard is reset
@@ -72,7 +91,7 @@ export default class WizardService extends Service {
    * @param wizardId - The unique identifier for the wizard
    * @returns true if the intro is visible, false otherwise (defaults to true if wizard not dismissed, false if dismissed)
    */
-  isIntroVisible(wizardId: string): boolean {
+  isIntroVisible(wizardId: WizardId): boolean {
     // If intro visibility has been explicitly set, use that value
     if (this.introVisibleState[wizardId] !== undefined) {
       return this.introVisibleState[wizardId];
@@ -87,10 +106,100 @@ export default class WizardService extends Service {
    * @param wizardId - The unique identifier for the wizard
    * @param visible - Whether the intro should be visible
    */
-  setIntroVisible(wizardId: string, visible: boolean): void {
+  setIntroVisible(wizardId: WizardId, visible: boolean): void {
     this.introVisibleState = {
       ...this.introVisibleState,
       [wizardId]: visible,
     };
   }
+
+  /* Step state management */
+
+  /**
+   * Retrieve the stored state for a wizard, typed by the caller.
+   * Returns an empty object if no state has been set yet, so consumers
+   * should merge with their own defaults when a fully-typed object is required.
+   * @param wizardId - The unique identifier for the wizard
+   * @returns The wizard's current state, cast to the caller-supplied type
+   */
+  getState<T extends object>(wizardId: WizardId): T {
+    return (this.stepData[wizardId] ?? {}) as T;
+  }
+
+  /**
+   * Immutably update a single key in the wizard's stored state.
+   * Other keys in the state are left unchanged.
+   * @param wizardId - The unique identifier for the wizard
+   * @param key - The state key to update
+   * @param value - The new value for that key
+   */
+  updateState(wizardId: WizardId, key: string, value: unknown): void {
+    this.stepData = {
+      ...this.stepData,
+      [wizardId]: { ...this.stepData[wizardId], [key]: value },
+    };
+  }
+
+  /**
+   * Reset the wizard's step data to an empty object and return navigation to step 0.
+   * The step configuration (registered via setSteps) is intentionally preserved so
+   * the same wizard can be re-entered without re-registering its steps.
+   * @param wizardId - The unique identifier for the wizard
+   */
+  clearWizardState(wizardId: WizardId): void {
+    this.stepData = { ...this.stepData, [wizardId]: {} };
+    this.currentStep = { ...this.currentStep, [wizardId]: 0 };
+  }
+
+  /**
+   * Return the index of the currently active step for a wizard.
+   * Defaults to 0 if the wizard has not yet navigated to any step.
+   * @param wizardId - The unique identifier for the wizard
+   * @returns The zero-indexed current step number
+   */
+  getCurrentStep(wizardId: WizardId): number {
+    return this.currentStep[wizardId] ?? 0;
+  }
+
+  /**
+   * Set the active step index for a wizard.
+   * @param wizardId - The unique identifier for the wizard
+   * @param step - The zero-indexed step to navigate to
+   */
+  setCurrentStep(wizardId: WizardId, step: number): void {
+    this.currentStep = { ...this.currentStep, [wizardId]: step };
+  }
+
+  /**
+   * Return the registered step configuration array for a wizard.
+   * Returns an empty array if no steps have been registered yet, allowing
+   * consumers to supply their own defaults on first render.
+   * @param wizardId - The unique identifier for the wizard
+   * @returns Array of step configuration objects
+   */
+  getSteps(wizardId: WizardId): StepConfig[] {
+    return this.steps[wizardId] ?? [];
+  }
+
+  /**
+   * Replace the step configuration array for a wizard.
+   * Use this to add, remove, or reorder steps dynamically — for example,
+   * skipping a step based on a user's earlier selection.
+   * @param wizardId - The unique identifier for the wizard
+   * @param steps - The new step configuration to register
+   */
+  setSteps(wizardId: WizardId, steps: StepConfig[]): void {
+    this.steps = { ...this.steps, [wizardId]: steps };
+  }
+
+  /**
+   * Return true when the current step is the last one in the registered configuration.
+   * Returns false if no steps have been registered yet.
+   * @param wizardId - The unique identifier for the wizard
+   * @returns Whether the wizard is on its final step
+   */
+  isFinalStep(wizardId: WizardId): boolean {
+    const steps = this.getSteps(wizardId);
+    return steps.length > 0 && this.getCurrentStep(wizardId) === steps.length - 1;
+  }
 }
diff --git a/ui/app/styles/components/clients-counts-card.scss b/ui/app/styles/components/clients-counts-card.scss
index d1f627e27f..94733965b0 100644
--- a/ui/app/styles/components/clients-counts-card.scss
+++ b/ui/app/styles/components/clients-counts-card.scss
@@ -49,3 +49,13 @@
     }
   }
 }
+
+.chart-container {
+  position: relative;
+}
+
+.chart-container-toggle {
+  position: absolute;
+  right: 24px;
+  z-index: 2;
+}
diff --git a/ui/app/styles/components/cluster-banners.scss b/ui/app/styles/components/cluster-banners.scss
index 7543aa1eee..91aaf84c5c 100644
--- a/ui/app/styles/components/cluster-banners.scss
+++ b/ui/app/styles/components/cluster-banners.scss
@@ -8,8 +8,6 @@
 .cluster-banners-wrapper {
   width: 100%;
   max-width: 1344px;
-  margin: 0 auto;
-  padding: 0 1.5rem;
 
   > div {
     margin-top: size_variables.$spacing-24;
diff --git a/ui/app/styles/components/console-ui-panel.scss b/ui/app/styles/components/console-ui-panel.scss
index c0472da92f..a072b6ab67 100644
--- a/ui/app/styles/components/console-ui-panel.scss
+++ b/ui/app/styles/components/console-ui-panel.scss
@@ -109,7 +109,7 @@ $console-close-height: 35px;
 
 .panel-open .console-ui-panel {
   box-shadow: box-shadow_variables.$box-shadow-highest;
-  min-height: 425px;
+  min-height: 460px;
 }
 
 .main--console-open {
diff --git a/ui/app/styles/components/empty-state-component.scss b/ui/app/styles/components/empty-state-component.scss
deleted file mode 100644
index 358f1931ae..0000000000
--- a/ui/app/styles/components/empty-state-component.scss
+++ /dev/null
@@ -1,65 +0,0 @@
-@use '../utils/size_variables';
-
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-.empty-state {
-  align-items: center;
-  color: var(--token-color-foreground-faint);
-  background: var(--token-color-surface-faint);
-  display: flex;
-  justify-content: center;
-  padding: size_variables.$spacing-48 size_variables.$spacing-12;
-  box-shadow: 0 -2px 0 -1px var(--token-color-palette-neutral-300);
-}
-
-.empty-state-transparent {
-  align-items: center;
-  color: var(--token-color-foreground-faint);
-  background: transparent;
-  display: flex;
-  justify-content: center;
-  padding: size_variables.$spacing-48 0;
-  box-shadow: none;
-}
-
-.empty-state-content {
-  max-width: 320px;
-}
-
-.empty-state-title {
-  color: var(--token-color-palette-neutral-400);
-  font-size: var(--token-typography-display-400-font-size);
-  font-weight: var(--token-typography-font-weight-semibold);
-  line-height: 1.2;
-  margin-bottom: size_variables.$spacing-8;
-}
-
-.empty-state-subTitle {
-  font-size: size_variables.$size-7;
-  margin-top: -10px;
-  padding-bottom: size_variables.$spacing-12;
-}
-
-.empty-state-message.has-border-bottom-light {
-  padding-bottom: size_variables.$spacing-12;
-}
-
-.empty-state-actions {
-  margin-top: size_variables.$spacing-8;
-  display: flex;
-  justify-content: space-between;
-
-  > * + * {
-    margin-left: size_variables.$spacing-12;
-    margin-right: size_variables.$spacing-12;
-  }
-}
-
-.empty-state-icon > .hs-icon,
-.empty-state-icon > .hds-icon {
-  float: left;
-  margin-right: size_variables.$spacing-8;
-}
diff --git a/ui/app/styles/components/icon.scss b/ui/app/styles/components/icon.scss
index 9709a396ab..bd1311a83b 100644
--- a/ui/app/styles/components/icon.scss
+++ b/ui/app/styles/components/icon.scss
@@ -22,14 +22,6 @@
   color: var(--token-color-foreground-action);
 }
 
-.hds-icon {
-  &.hds-icon--is-inline {
-    vertical-align: middle;
-    margin-left: size_variables.$spacing-4;
-    margin-right: size_variables.$spacing-4;
-  }
-}
-
 .hs-icon {
   flex: 0 0 auto;
   display: inline-flex;
diff --git a/ui/app/styles/components/overview-card.scss b/ui/app/styles/components/overview-card.scss
index fad2a1d795..e5433091d8 100644
--- a/ui/app/styles/components/overview-card.scss
+++ b/ui/app/styles/components/overview-card.scss
@@ -9,3 +9,30 @@
   padding: size_variables.$spacing-24;
   line-height: initial;
 }
+
+.dashboard-header-with-gradient {
+  &::before {
+    content: '';
+    position: absolute;
+    top: -100px;
+    left: -100px;
+    width: 400px;
+    height: 400px;
+    border-radius: 50%;
+    background: linear-gradient(
+      315deg,
+      #f22f2f 0%,
+      #f58a25 15%,
+      #7061a3 30%,
+      #ffaa42 45%,
+      #ffc011 60%,
+      #fff940 75%,
+      #f58a25 85%,
+      #7230ff 100%
+    );
+    opacity: 0.18;
+    filter: blur(60px);
+    pointer-events: none;
+    z-index: -1;
+  }
+}
diff --git a/ui/app/styles/components/toolbar.scss b/ui/app/styles/components/toolbar.scss
index 3cb1349367..982257530b 100644
--- a/ui/app/styles/components/toolbar.scss
+++ b/ui/app/styles/components/toolbar.scss
@@ -40,6 +40,13 @@
   }
 }
 
+// Added because we're currently using <LinkTo> in conjunction with Hds::Icon within <ToolbarLink>.
+// This fixes alignment issues between the hds icon and the link text in <ToolbarLink>.
+// TODO: Remove this when all usage of <ToolbarLink> is deprecated and replaced with hds components
+.toolbar-icon {
+  vertical-align: text-bottom;
+}
+
 .toolbar-label {
   padding: size_variables.$spacing-8;
   color: var(--token-color-palette-neutral-400);
diff --git a/ui/app/styles/components/wizard.scss b/ui/app/styles/components/wizard.scss
index 996340a7ea..bd67a8b78f 100644
--- a/ui/app/styles/components/wizard.scss
+++ b/ui/app/styles/components/wizard.scss
@@ -7,40 +7,57 @@
  */
 
 .wizard {
-  &.guided-start {
-    @extend .is-flex-column;
-    @extend .is-flex-grow-1;
-  }
-
   &.intro {
-    @extend .top-margin-32;
+    &.full {
+      @extend .top-margin-32;
+      @extend .has-padding-l;
+      .margin-left-auto {
+        @extend .has-left-margin-m;
+      }
+    }
+
+    &.modal {
+      .margin-left-auto {
+        margin-left: auto;
+      }
+    }
 
     svg {
       flex-shrink: 0;
     }
   }
 
-  .content {
-    padding-top: 40px;
-    overflow: visible;
+  &.guided-start {
+    @extend .is-flex-column;
+    @extend .is-flex-grow-1;
 
-    // Non-active panels are hidden and prevented from taking up space
-    &[hidden] {
-      display: none;
+    .content {
+      padding-top: 40px;
+      overflow: visible;
+
+      // Non-active panels are hidden and prevented from taking up space
+      &[hidden] {
+        display: none;
+      }
     }
-  }
 
-  .button-bar {
-    @extend .has-padding-m;
-    @extend .is-flex-between;
+    .button-bar {
+      @extend .has-padding-m;
+      @extend .is-flex-between;
 
-    .hds-button-set {
-      margin-left: auto;
+      .hds-button-set {
+        margin-left: auto;
+      }
     }
-  }
 
-  .tree {
-    border: 1px solid var(--token-color-border-primary);
-    border-radius: var(--token-border-radius-medium);
+    .tree {
+      border: 1px solid var(--token-color-border-primary);
+      border-radius: var(--token-border-radius-medium);
+
+      // prevents last character of node labels from being cut off
+      svg {
+        overflow: visible;
+      }
+    }
   }
 }
diff --git a/ui/app/styles/core.scss b/ui/app/styles/core.scss
index e60a334ede..42922162dc 100644
--- a/ui/app/styles/core.scss
+++ b/ui/app/styles/core.scss
@@ -58,7 +58,6 @@
 @use 'components/console-ui-panel';
 @use 'components/control-group';
 @use 'components/doc-link';
-@use 'components/empty-state-component';
 @use 'components/env-banner';
 @use 'components/form-section';
 @use 'components/global-flash';
diff --git a/ui/app/styles/core/charts.scss b/ui/app/styles/core/charts.scss
index b9e09d8cdb..cd5afaaa28 100644
--- a/ui/app/styles/core/charts.scss
+++ b/ui/app/styles/core/charts.scss
@@ -5,116 +5,33 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-// LEGEND STYLING (positioning is in chart-container.scss)
-$single: #1c345f;
+:root {
+  --clients-chart-color-single: var(--token-color-palette-blue-500);
+
+  /* HDS Hue Cycle - Level 200 (Vibrant) */
+
+  --clients-chart-color-first: var(--token-color-palette-blue-200);
+  --clients-chart-color-second: var(--token-color-palette-purple-200);
+  --clients-chart-color-third: var(--token-color-palette-green-200);
+  --clients-chart-color-fourth: var(--token-color-palette-amber-200);
+  --clients-chart-color-fifth: var(--token-color-palette-red-200);
+
+  /* HDS Hue Cycle - Level 400 (Deep) */
+  --clients-chart-color-sixth: var(--token-color-palette-blue-400);
+  --clients-chart-color-seventh: var(--token-color-palette-purple-400);
+  --clients-chart-color-eighth: var(--token-color-palette-green-400);
+  --clients-chart-color-ninth: var(--token-color-palette-amber-400);
+  --clients-chart-color-tenth: var(--token-color-palette-red-400);
+}
+
+$single: var(--clients-chart-color-single);
 // stacked bar chart color scheme
-$first: #4269d0;
-$second: #efb117;
-$third: #ff725c;
-$fourth: #6cc5b0;
+$first: var(--clients-chart-color-first);
+$second: var(--clients-chart-color-second);
+$third: var(--clients-chart-color-third);
+$fourth: var(--clients-chart-color-fourth);
 
-.legend-container {
-  .dots {
-    height: 10px;
-    width: 10px;
-    border-radius: 50%;
-    display: inline-block;
-  }
-  .legend-dot-total {
-    background-color: $single;
-  }
-  // numbers are indices because chart legend is iterated over to ensure
-  // legend colors match the correct stacked-bar-# class below
-  .legend-dot-0 {
-    background-color: $first;
-  }
-  .legend-dot-1 {
-    background-color: $second;
-  }
-  .legend-dot-2 {
-    background-color: $third;
-  }
-  .legend-dot-3 {
-    background-color: $fourth;
-  }
-}
-
-.chart-tooltip {
-  background-color: hsl(0, 0%, 4%);
-  color: var(--token-color-foreground-high-contrast);
-  font-size: size_variables.$size-9;
-  padding: 6px;
-  border-radius: var(--token-border-radius-small);
-  flex-wrap: nowrap;
-  width: fit-content;
-
-  .bold {
-    font-weight: var(--token-typography-font-weight-bold);
-  }
-  // styling below handles tooltip position
-  position: absolute;
-  transform-style: preserve-3d;
-  bottom: 30px;
-  left: -20px;
-  pointer-events: none;
-  width: 140px;
-  transform: translate(calc(1px * var(--x, 0)), calc(-1px * var(--y, 0)));
-  transform-origin: bottom left;
-  z-index: 100;
-  margin-bottom: size_variables.$spacing-8;
-}
-
-.chart-tooltip-arrow {
-  width: 0;
-  height: 0;
-  border-left: 5px solid transparent;
-  border-right: 5px solid transparent;
-  border-top: 9px solid hsl(0, 0%, 4%);
-  position: absolute;
-  opacity: 0.8;
-  bottom: -9px;
-  left: calc(50% - 5px);
-}
-
-// LINEAL STYLING //
-.lineal-chart {
-  position: relative;
-  padding: 10px 10px 20px 50px;
-  width: 100%;
-  svg {
-    overflow: visible;
-  }
-}
-
-.lineal-chart-bar {
-  fill: $single;
-}
-
-.lineal-axis {
-  color: var(--token-color-palette-neutral-400);
-  text {
-    font-size: 0.75rem;
-  }
-  line {
-    color: var(--token-color-palette-neutral-300);
-  }
-}
-
-// @colorScale arg for Lineal::VBars is "stacked-bar", numbers are added by lineal (not 0-indexed)
-.stacked-bar-1 {
-  color: $first;
-  fill: $first;
-}
-.stacked-bar-2 {
-  color: $second;
-  fill: $second;
-}
-.stacked-bar-3 {
-  color: $third;
-  fill: $third;
-}
-// MUST BE LAST because conditionally renders and legend color mapping for stacked bars will be off otherwise
-.stacked-bar-4 {
-  color: $fourth;
-  fill: $fourth;
+// Carbon Charts tooltip styling
+.carbon-chart-tooltip {
+  padding: 8px 12px;
 }
diff --git a/ui/app/styles/core/containers.scss b/ui/app/styles/core/containers.scss
index e49ff90dd2..bc5faa8bd5 100644
--- a/ui/app/styles/core/containers.scss
+++ b/ui/app/styles/core/containers.scss
@@ -13,10 +13,11 @@
 }
 
 .page-container {
-  min-height: 100vh;
+  min-height: calc(100vh - 60px);
   display: flex;
   flex-direction: column;
   justify-content: flex-end;
+  padding: 0 size_variables.$spacing-64;
 }
 
 .section {
@@ -38,8 +39,14 @@
 
 .container {
   flex-grow: 1;
-  margin: size_variables.$spacing-24 size_variables.$spacing-64;
+  margin: size_variables.$spacing-24 0;
   max-width: 1032px;
   position: relative;
   width: auto;
 }
+
+.centered-container {
+  margin: 0 auto;
+  max-width: 1032px;
+  padding: size_variables.$spacing-24;
+}
diff --git a/ui/app/styles/helper-classes/flexbox-and-grid.scss b/ui/app/styles/helper-classes/flexbox-and-grid.scss
index c69fc4acee..30cd3d6658 100644
--- a/ui/app/styles/helper-classes/flexbox-and-grid.scss
+++ b/ui/app/styles/helper-classes/flexbox-and-grid.scss
@@ -214,7 +214,3 @@
 .align-items-center {
   align-items: center;
 }
-
-.align-items-end {
-  align-items: end;
-}
diff --git a/ui/app/styles/helper-classes/spacing.scss b/ui/app/styles/helper-classes/spacing.scss
index 5212185c59..5c35781223 100644
--- a/ui/app/styles/helper-classes/spacing.scss
+++ b/ui/app/styles/helper-classes/spacing.scss
@@ -163,10 +163,6 @@
   margin-top: -(size_variables.$spacing-48);
 }
 
-.has-left-margin-xxs {
-  margin-left: size_variables.$spacing-4;
-}
-
 .has-bottom-margin-xxs {
   margin-bottom: size_variables.$spacing-4 !important;
 }
@@ -175,10 +171,18 @@
   margin-bottom: size_variables.$spacing-8 !important;
 }
 
+.bottom-margin-8 {
+  margin-bottom: size_variables.$spacing-8;
+}
+
 .has-bottom-margin-s {
   margin-bottom: size_variables.$spacing-12;
 }
 
+.bottom-margin-16 {
+  margin-bottom: size_variables.$spacing-16;
+}
+
 .has-bottom-margin-m {
   margin-bottom: size_variables.$spacing-16;
 }
@@ -203,10 +207,18 @@
   margin-top: size_variables.$spacing-12;
 }
 
+.top-margin-12 {
+  margin-top: size_variables.$spacing-12;
+}
+
 .has-top-margin-xs {
   margin-top: size_variables.$spacing-8;
 }
 
+.top-margin-16 {
+  margin-top: size_variables.$spacing-16;
+}
+
 .has-top-margin-m {
   margin-top: size_variables.$spacing-16;
 }
@@ -274,3 +286,7 @@
 .has-right-margin-l {
   margin-right: size_variables.$spacing-24;
 }
+
+.margin-left-auto {
+  margin-left: auto;
+}
diff --git a/ui/app/templates/vault/cluster.hbs b/ui/app/templates/vault/cluster.hbs
index e1722c11c1..2fbd8f4ffa 100644
--- a/ui/app/templates/vault/cluster.hbs
+++ b/ui/app/templates/vault/cluster.hbs
@@ -2,7 +2,6 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-<Sidebar::Nav::Cluster />
 {{#if this.vaultVersion.isEnterprise}}
   {{#each this.customMessages.bannerMessages as |bannerMessage|}}
     {{#if (get this.customMessages.bannerState bannerMessage.id)}}
diff --git a/ui/app/templates/vault/cluster/access/control-groups.hbs b/ui/app/templates/vault/cluster/access/control-groups.hbs
index 2b30df171c..667003296d 100644
--- a/ui/app/templates/vault/cluster/access/control-groups.hbs
+++ b/ui/app/templates/vault/cluster/access/control-groups.hbs
@@ -4,7 +4,10 @@
 }}
 
 {{#if (has-feature "Control Groups")}}
-  <Page::Header @title="Approval workflow">
+  <Page::Header
+    @title="Approval workflow"
+    @description="Implement manual or automated checkpoints to require authorization before sensitive operations or accessing secrets."
+  >
     <:breadcrumbs>
       <Page::Breadcrumbs
         @breadcrumbs={{array
@@ -13,6 +16,7 @@
         }}
       />
     </:breadcrumbs>
+
   </Page::Header>
   {{#if this.model.canConfigure}}
     <Toolbar>
diff --git a/ui/app/templates/vault/cluster/access/identity/aliases/edit.hbs b/ui/app/templates/vault/cluster/access/identity/aliases/edit.hbs
index 1d0bf1a2ea..f962a17313 100644
--- a/ui/app/templates/vault/cluster/access/identity/aliases/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/aliases/edit.hbs
@@ -3,6 +3,18 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Edit {{this.model.name}}" />
+<Page::Header @title="Edit {{this.model.name}}">
+  <:breadcrumbs>
+    <Page::Breadcrumbs
+      @breadcrumbs={{array
+        (hash label="Vault" icon="vault" route="vault.cluster.dashboard")
+        (hash
+          label=(capitalize (pluralize (humanize this.model.identityType))) route="vault.cluster.access.identity.aliases"
+        )
+        (hash label=this.model.name)
+      }}
+    />
+  </:breadcrumbs>
+</Page::Header>
 
 <Identity::EditForm @mode="edit" @model={{this.model}} @onSave={{action "navAfterSave"}} />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/identity/aliases/index.hbs b/ui/app/templates/vault/cluster/access/identity/aliases/index.hbs
index deab83a7e9..01c8906de8 100644
--- a/ui/app/templates/vault/cluster/access/identity/aliases/index.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/aliases/index.hbs
@@ -47,7 +47,7 @@
   />
 
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No {{this.identityType}} aliases yet" @titleTag="h2" />
     <A.Body
       data-test-empty-state-message
diff --git a/ui/app/templates/vault/cluster/access/identity/aliases/show.hbs b/ui/app/templates/vault/cluster/access/identity/aliases/show.hbs
index ace26aa3fe..0b3bd7ba35 100644
--- a/ui/app/templates/vault/cluster/access/identity/aliases/show.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/aliases/show.hbs
@@ -7,6 +7,7 @@
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
+        (hash label="Vault" icon="vault" route="vault.cluster.dashboard")
         (hash
           label=(capitalize (pluralize (humanize this.model.identityType))) route="vault.cluster.access.identity.aliases"
         )
diff --git a/ui/app/templates/vault/cluster/access/identity/edit.hbs b/ui/app/templates/vault/cluster/access/identity/edit.hbs
index 9db297ae72..7e7e361ea9 100644
--- a/ui/app/templates/vault/cluster/access/identity/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/edit.hbs
@@ -3,6 +3,16 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Edit {{titleize this.model.name}}" />
+<Page::Header @title="Edit {{titleize this.model.name}}">
+  <:breadcrumbs>
+    <Page::Breadcrumbs
+      @breadcrumbs={{array
+        (hash label="Vault" icon="vault" route="vault.cluster.dashboard")
+        (hash label=(capitalize (pluralize (humanize this.model.identityType))) route="vault.cluster.access.identity.index")
+        (hash label=this.model.name)
+      }}
+    />
+  </:breadcrumbs>
+</Page::Header>
 
 <Identity::EditForm @mode="edit" @model={{this.model}} @onSave={{action "navAfterSave"}} />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/identity/index.hbs b/ui/app/templates/vault/cluster/access/identity/index.hbs
index 729e9c2836..d21ed22b75 100644
--- a/ui/app/templates/vault/cluster/access/identity/index.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/index.hbs
@@ -60,7 +60,11 @@
                 {{/if}}
               {{/if}}
               {{#if item.canEdit}}
-                <dd.Interactive @route="vault.cluster.access.identity.edit" @model={{item.id}}>Edit</dd.Interactive>
+                <dd.Interactive
+                  data-test-popup-menu="edit"
+                  @route="vault.cluster.access.identity.edit"
+                  @model={{item.id}}
+                >Edit</dd.Interactive>
                 {{#if item.disabled}}
                   <dd.Interactive {{on "click" (action "toggleDisabled" item)}}>Enable</dd.Interactive>
                 {{else if (eq this.identityType "entity")}}
@@ -96,7 +100,7 @@
   />
 
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
     <A.Header data-test-empty-state-title @title="No {{pluralize this.identityType}} yet" @titleTag="h2" />
     <A.Body
       data-test-empty-state-message
diff --git a/ui/app/templates/vault/cluster/access/identity/show.hbs b/ui/app/templates/vault/cluster/access/identity/show.hbs
index 600c7b0313..d2143f8c52 100644
--- a/ui/app/templates/vault/cluster/access/identity/show.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/show.hbs
@@ -7,6 +7,7 @@
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
+        (hash label="Vault" icon="vault" route="vault.cluster.dashboard")
         (hash label=(capitalize (pluralize this.model.identityType)) route="vault.cluster.access.identity.index")
         (hash label=this.model.name)
       }}
diff --git a/ui/app/templates/vault/cluster/access/leases/error.hbs b/ui/app/templates/vault/cluster/access/leases/error.hbs
index a0cd98ccdd..ed1457444b 100644
--- a/ui/app/templates/vault/cluster/access/leases/error.hbs
+++ b/ui/app/templates/vault/cluster/access/leases/error.hbs
@@ -25,20 +25,24 @@
     <A.Description>{{this.model.keyId}} is not a valid lease ID.</A.Description>
   </Hds::Alert>
 {{else if (eq this.model.httpStatus 404)}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="No leases with that ID" @titleTag="h2" />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No leases with that ID" @titleTag="h2" data-test-empty-state-title />
     <A.Body
       @text="Unable to find lease for the ID &quot;{{this.model.keyId}}&quot;. Try going back to the lookup and re-entering the ID."
+      data-test-empty-state-message
     />
-    <A.Footer as |F|>
+    <A.Footer data-test-empty-state-actions as |F|>
       <F.LinkStandalone @icon="chevron-left" @text="Back to lookup" @route="vault.cluster.access.leases" />
     </A.Footer>
   </Hds::ApplicationState>
 {{else if (eq this.model.httpStatus 403)}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="You don't have access to a lease with that ID" @titleTag="h2" />
-    <A.Body @text="If you think you've reached this page in error, please contact your administrator." />
-    <A.Footer as |F|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="You don't have access to a lease with that ID" @titleTag="h2" data-test-empty-state-title />
+    <A.Body
+      @text="If you think you've reached this page in error, please contact your administrator."
+      data-test-empty-state-message
+    />
+    <A.Footer data-test-empty-state-actions as |F|>
       <F.LinkStandalone @icon="chevron-left" @text="Back to lookup" @route="vault.cluster.access.leases" />
     </A.Footer>
   </Hds::ApplicationState>
diff --git a/ui/app/templates/vault/cluster/access/leases/list.hbs b/ui/app/templates/vault/cluster/access/leases/list.hbs
index 8d35ff4646..b5d2844d9a 100644
--- a/ui/app/templates/vault/cluster/access/leases/list.hbs
+++ b/ui/app/templates/vault/cluster/access/leases/list.hbs
@@ -3,7 +3,10 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Leases">
+<Page::Header
+  @title="Leases"
+  @description="Monitor and manage the lifetime of dynamic secrets, including tracking time to live (TTL), renewals, and manual revocations."
+>
   <:breadcrumbs>
     <KeyValueHeader
       @baseKey={{this.baseKey}}
@@ -13,13 +16,16 @@
       @showCurrent={{true}}
     />
   </:breadcrumbs>
+
   <:actions>
-    <Hds::Button
-      @text="Back to Leases"
-      @color="secondary"
-      @route="vault.cluster.access.leases.list-root"
-      data-test-button="Back to Leases"
-    />
+    {{#if this.baseKey.id}}
+      <Hds::Button
+        @text="Back to Leases"
+        @color="secondary"
+        @route="vault.cluster.access.leases.list-root"
+        data-test-button="Back to Leases"
+      />
+    {{/if}}
   </:actions>
 </Page::Header>
 
@@ -96,22 +102,24 @@
       <span class="has-text-weight-semibold">{{or item.keyWithoutParent item.id}}</span>
     </LinkTo>
   {{else}}
-    <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-      <A.Header @title="There are no leases matching &quot;{{this.filter}}&quot;" @titleTag="h2" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="There are no leases matching &quot;{{this.filter}}&quot;"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
     </Hds::ApplicationState>
   {{/each}}
-  {{#unless this.filter}}
-    <Hds::Pagination::Numbered
-      @currentPage={{this.model.meta.currentPage}}
-      @currentPageSize={{this.model.meta.pageSize}}
-      @route={{concat "vault.cluster.access.leases.list" (unless this.baseKey.id "-root")}}
-      @showSizeSelector={{false}}
-      @totalItems={{this.model.meta.total}}
-      @queryFunction={{this.paginationQueryParams}}
-    />
-  {{/unless}}
+  <Hds::Pagination::Numbered
+    @currentPage={{this.model.meta.currentPage}}
+    @currentPageSize={{this.model.meta.pageSize}}
+    @route={{concat "vault.cluster.access.leases.list" (unless this.baseKey.id "-root")}}
+    @showSizeSelector={{false}}
+    @totalItems={{this.model.meta.total}}
+    @queryFunction={{this.paginationQueryParams}}
+  />
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title={{this.emptyTitle}} @titleTag="h2" />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title={{this.emptyTitle}} @titleTag="h2" data-test-empty-state-title />
   </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/leases/show.hbs b/ui/app/templates/vault/cluster/access/leases/show.hbs
index bf7bbae6cd..f284455039 100644
--- a/ui/app/templates/vault/cluster/access/leases/show.hbs
+++ b/ui/app/templates/vault/cluster/access/leases/show.hbs
@@ -14,12 +14,14 @@
     />
   </:breadcrumbs>
   <:actions>
-    <Hds::Button
-      @text="Back to Leases"
-      @color="secondary"
-      @route="vault.cluster.access.leases"
-      data-test-button="Back to Leases"
-    />
+    {{#if this.baseKey.id}}
+      <Hds::Button
+        @text="Back to Leases"
+        @color="secondary"
+        @route="vault.cluster.access.leases"
+        data-test-button="Back to Leases"
+      />
+    {{/if}}
   </:actions>
 </Page::Header>
 
diff --git a/ui/app/templates/vault/cluster/access/method/section.hbs b/ui/app/templates/vault/cluster/access/method/section.hbs
index f773d28e78..f9866e400a 100644
--- a/ui/app/templates/vault/cluster/access/method/section.hbs
+++ b/ui/app/templates/vault/cluster/access/method/section.hbs
@@ -6,7 +6,11 @@
 <Page::Header @title={{this.model.id}}>
   <:breadcrumbs>
     <Page::Breadcrumbs
-      @breadcrumbs={{array (hash label="Auth Methods" route="vault.cluster.access.methods") (hash label=this.model.id)}}
+      @breadcrumbs={{array
+        (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+        (hash label="Auth Methods" route="vault.cluster.access.methods")
+        (hash label=this.model.id)
+      }}
     />
   </:breadcrumbs>
 </Page::Header>
diff --git a/ui/app/templates/vault/cluster/access/mfa/enforcements/create.hbs b/ui/app/templates/vault/cluster/access/mfa/enforcements/create.hbs
index 6e9ecc0ce7..9681ffa41b 100644
--- a/ui/app/templates/vault/cluster/access/mfa/enforcements/create.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/enforcements/create.hbs
@@ -5,8 +5,9 @@
 
 <Mfa::MfaLoginEnforcementHeader @heading="New enforcement" />
 <Mfa::MfaLoginEnforcementForm
-  @model={{this.model}}
+  @form={{this.model.form}}
+  @methods={{this.model.methods}}
   @onClose={{transition-to "vault.cluster.access.mfa.enforcements"}}
-  @onSave={{transition-to "vault.cluster.access.mfa.enforcements.enforcement" this.model.name}}
+  @onSave={{transition-to "vault.cluster.access.mfa.enforcements.enforcement" this.model.form.data.name}}
   class="has-top-margin-l"
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/edit.hbs b/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/edit.hbs
index 97b371ccf7..ba5be020c5 100644
--- a/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/edit.hbs
@@ -5,7 +5,8 @@
 
 <Mfa::MfaLoginEnforcementHeader @heading="Update enforcement" />
 <Mfa::MfaLoginEnforcementForm
-  @model={{this.model}}
+  @form={{this.model.form}}
+  @methods={{this.model.methods}}
   @onSave={{transition-to "vault.cluster.access.mfa.enforcements.enforcement" this.model.name}}
   @onClose={{transition-to "vault.cluster.access.mfa.enforcements.enforcement" this.model.name}}
   class="has-top-margin-l"
diff --git a/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs b/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs
index 76c8ec0a82..609a2eafa3 100644
--- a/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs
@@ -3,13 +3,14 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title={{this.model.name}} @icon="lock">
+<Page::Header @title={{@model.name}} @icon="lock">
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
         (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+        (hash label="Multi-factor authentication" route="vault.cluster.access.mfa.methods.index")
         (hash label="Enforcements" route="vault.cluster.access.mfa.enforcements.index")
-        (hash label=this.model.name)
+        (hash label=@model.name)
       }}
     />
   </:breadcrumbs>
@@ -22,7 +23,7 @@
         @route="vault.cluster.access.mfa.enforcements.enforcement"
         @query={{hash tab="targets"}}
         data-test-tab="targets"
-        @model={{this.model}}
+        @model={{@model.name}}
       >
         Targets
       </LinkTo>
@@ -30,7 +31,7 @@
         @route="vault.cluster.access.mfa.enforcements.enforcement"
         @query={{hash tab="methods"}}
         data-test-tab="methods"
-        @model={{this.model}}
+        @model={{@model.name}}
       >
         Methods
       </LinkTo>
@@ -49,7 +50,7 @@
     <div class="toolbar-separator"></div>
     <ToolbarLink
       @route="vault.cluster.access.mfa.enforcements.enforcement.edit"
-      @model={{this.model.id}}
+      @model={{@model.name}}
       data-test-enforcement-edit
     >
       Edit enforcement
@@ -103,20 +104,20 @@
       </LinkedBlock>
     {{/each}}
   {{else}}
-    <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-      <A.Header @title="No target exists for this enforcement" @titleTag="h2" />
-      <A.Body @text="A target might have been deleted after the enforcement was created." />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No target exists for this enforcement" @titleTag="h2" data-test-empty-state-title />
+      <A.Body @text="A target might have been deleted after the enforcement was created." data-test-empty-state-message />
     </Hds::ApplicationState>
   {{/if}}
 {{else if (eq this.tab "methods")}}
-  {{#each this.model.mfa_methods as |method|}}
+  {{#each @model.methods as |method|}}
     <Mfa::MethodListItem @model={{method}} />
   {{/each}}
 {{/if}}
 
 <ConfirmationModal
   @title="Delete enforcement?"
-  @confirmText={{this.model.name}}
+  @confirmText={{@model.name}}
   @toConfirmMsg="deleting the transformation."
   @buttonText="Delete"
   @isActive={{this.showDeleteConfirmation}}
@@ -125,7 +126,7 @@
 >
   <p class="has-bottom-margin-m">
     Deleting the
-    <strong>{{this.model.name}}</strong>
+    <strong>{{@model.name}}</strong>
     enforcement will mean that the MFA method that depends on it will no longer enforce multi-factor authentication.
     <br /><br />
     Deleting this enforcement cannot be undone; it will have to be recreated.
diff --git a/ui/app/templates/vault/cluster/access/mfa/enforcements/index.hbs b/ui/app/templates/vault/cluster/access/mfa/enforcements/index.hbs
index 597e852055..a04436d2a5 100644
--- a/ui/app/templates/vault/cluster/access/mfa/enforcements/index.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/enforcements/index.hbs
@@ -3,10 +3,16 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Multi-Factor Authentication">
+<Page::Header @title="Multi-factor authentication">
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
+  <:description>
+    Enforce a secondary layer of identity verification (such as TOTP, Okta, or Duo) during the login process.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/login-mfa"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
 </Page::Header>
 
 <Mfa::Nav />
@@ -19,13 +25,13 @@
   </ToolbarActions>
 </Toolbar>
 
-{{#if (gt this.model.length 0)}}
-  {{#each this.model as |item|}}
+{{#if (gt this.model.enforcements.length 0)}}
+  {{#each this.model.enforcements as |item|}}
     <Mfa::LoginEnforcementListItem @model={{item}} />
   {{/each}}
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="No enforcements found." @titleTag="h2" />
-    <A.Body @text="Add a new one to get started." />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No enforcements found." @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text="Add a new one to get started." data-test-empty-state-message />
   </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/mfa/index.hbs b/ui/app/templates/vault/cluster/access/mfa/index.hbs
index ebbc91ef75..890eec767b 100644
--- a/ui/app/templates/vault/cluster/access/mfa/index.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/index.hbs
@@ -3,14 +3,20 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title=" Multi-factor authentication">
+<Page::Header @title="Multi-factor authentication">
+  <:breadcrumbs>
+    <Page::Breadcrumbs
+      @breadcrumbs={{array
+        (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+        (hash label="Multi-factor authentication")
+      }}
+    />
+  </:breadcrumbs>
   <:description>
-    <Hds::Text::Body>
-      Configure and enforce multi-factor authentication (MFA) for users logging into Vault, for any
-      <br />
-      authentication method.
-      <Hds::Link::Inline @href={{doc-link "/vault/tutorials/auth-methods/multi-factor-authentication"}}>Learn more</Hds::Link::Inline>
-    </Hds::Text::Body>
+    Enforce a secondary layer of identity verification (such as TOTP, Okta, or Duo) during the login process.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/login-mfa"}}>
+      Learn more
+    </Hds::Link::Inline>
   </:description>
   <:actions>
     <Hds::Button @text="Configure MFA" @route="vault.cluster.access.mfa.methods.create" data-test-mfa-configure />
diff --git a/ui/app/templates/vault/cluster/access/mfa/methods/create.hbs b/ui/app/templates/vault/cluster/access/mfa/methods/create.hbs
index c59d149a90..5c4fc48c5a 100644
--- a/ui/app/templates/vault/cluster/access/mfa/methods/create.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/methods/create.hbs
@@ -3,7 +3,9 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title={{if this.method (concat "Configure " this.method.name " MFA") "Multi-Factor Authentication"}}>
+<Page::Header
+  @title={{if this.method.type (concat "Configure " this.methodNameFromType " MFA") "Multi-factor authentication"}}
+>
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
@@ -13,37 +15,43 @@
       }}
     />
   </:breadcrumbs>
+  <:description>
+    Enforce a secondary layer of identity verification (such as TOTP, Okta, or Duo) during the login process.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/login-mfa"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
 </Page::Header>
 
-<div class="has-border-top-light has-top-padding-l">
+<div>
   {{#if this.showForms}}
     <h3 class="is-size-4 has-text-weight-semibold">Settings</h3>
     <p class="has-border-top-light has-top-padding-l">
       {{this.description}}
-      <DocLink @path={{concat "/vault/api-docs/secret/identity/mfa/" this.type}}>Learn more.</DocLink>
+      <Hds::Link::Inline
+        @isHrefExternal={{true}}
+        @href={{doc-link (concat "/vault/api-docs/secret/identity/mfa/" this.type)}}
+      >
+        Learn more
+      </Hds::Link::Inline>
     </p>
-    <Mfa::MethodForm @model={{this.method}} @validations={{this.methodErrors}} class="is-shadowless" />
+    <Mfa::MethodForm @form={{this.method}} @validations={{this.methodErrors}} class="is-shadowless" />
     <Mfa::MfaLoginEnforcementHeader
       @isInline={{true}}
       @radioCardGroupValue={{this.enforcementPreference}}
       @onRadioCardSelect={{this.onEnforcementPreferenceChange}}
-      @onEnforcementSelect={{fn (mut this.enforcement)}}
+      @onEnforcementSelect={{this.onEnforcementSelect}}
     />
     {{#if (eq this.enforcementPreference "new")}}
       <Mfa::MfaLoginEnforcementForm
-        @model={{this.enforcement}}
+        @form={{this.enforcement}}
         @isInline={{true}}
         @modelErrors={{this.enforcementErrors}}
         class="has-top-margin-l"
       />
     {{/if}}
   {{else}}
-    <p>
-      Multi-factor authentication (MFA) allows you to set up another layer of security on top of existing authentication
-      methods. Vault has four available methods.
-      <DocLink @path="/vault/api-docs/secret/identity/mfa">Learn more.</DocLink>
-    </p>
-    <div class="is-flex-row has-top-margin-xl">
+    <div class="is-flex-row">
       {{#each this.methods as |method|}}
         <RadioCard
           @value={{lowercase method.name}}
diff --git a/ui/app/templates/vault/cluster/access/mfa/methods/index.hbs b/ui/app/templates/vault/cluster/access/mfa/methods/index.hbs
index 28e76401f1..3e99dcfb24 100644
--- a/ui/app/templates/vault/cluster/access/mfa/methods/index.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/methods/index.hbs
@@ -3,10 +3,16 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Multi-Factor Authentication">
+<Page::Header @title="Multi-factor authentication">
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
+  <:description>
+    Enforce a secondary layer of identity verification (such as TOTP, Okta, or Duo) during the login process.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/login-mfa"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
 </Page::Header>
 
 <Mfa::Nav />
@@ -19,13 +25,13 @@
   </ToolbarActions>
 </Toolbar>
 
-{{#if (gt this.model.length 0)}}
-  {{#each this.model as |item|}}
+{{#if (gt this.model.methods.length 0)}}
+  {{#each this.model.methods as |item|}}
     <Mfa::MethodListItem @model={{item}} />
   {{/each}}
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="No methods found." @titleTag="h2" />
-    <A.Body @text="Add a new one to get started." />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No methods found." @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text="Add a new one to get started." data-test-empty-state-message />
   </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/mfa/methods/method/edit.hbs b/ui/app/templates/vault/cluster/access/mfa/methods/method/edit.hbs
index ba62947d37..83248fd9ec 100644
--- a/ui/app/templates/vault/cluster/access/mfa/methods/method/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/methods/method/edit.hbs
@@ -3,10 +3,21 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Configure {{this.model.method.name}} MFA" />
+<Page::Header @title="Configure {{this.model.method.name}} MFA">
+  <:breadcrumbs>
+    <Page::Breadcrumbs
+      @breadcrumbs={{array
+        (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+        (hash label="Multi-factor authentication" route="vault.cluster.access.mfa.methods.index")
+        (hash label=this.model.method.id route="vault.cluster.access.mfa.methods.method" model=this.model.method.id)
+        (hash label="Configure")
+      }}
+    />
+  </:breadcrumbs>
+</Page::Header>
 
 <Mfa::MethodForm
-  @model={{this.model.method}}
+  @form={{this.model.form}}
   @hasActions={{true}}
   @onSave={{transition-to "vault.cluster.access.mfa.methods.method" this.model.method.id}}
   @onClose={{transition-to "vault.cluster.access.mfa.methods.method" this.model.method.id}}
diff --git a/ui/app/templates/vault/cluster/access/mfa/methods/method/index.hbs b/ui/app/templates/vault/cluster/access/mfa/methods/method/index.hbs
index da87380a29..f5d210b37f 100644
--- a/ui/app/templates/vault/cluster/access/mfa/methods/method/index.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/methods/method/index.hbs
@@ -2,14 +2,13 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-
-<Page::Header @icon={{this.model.method.icon}} @title={{this.model.method.name}}>
+<Page::Header @icon={{this.model.method.icon}} @title={{this.model.method.displayName}}>
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
         (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-        (hash label="Methods" route="vault.cluster.access.mfa.methods.index")
-        (hash label=this.model.method.name)
+        (hash label="Multi-factor authentication" route="vault.cluster.access.mfa.methods.index")
+        (hash label=this.model.method.displayName)
       }}
     />
   </:breadcrumbs>
@@ -64,22 +63,17 @@
   </Toolbar>
   <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
     <InfoTableRow @label="ID" @value={{this.model.method.id}} @addCopyButton={{true}} />
-    {{#each this.model.method.attrs as |attr|}}
-      {{#if (eq attr.type "object")}}
-        <InfoTableRow
-          @alwaysRender={{not (is-empty-value (get this.model.method attr.name))}}
-          @label={{or attr.options.label (to-label attr.name)}}
-          @value={{stringify (get this.model.method attr.name)}}
-        />
-      {{else}}
-        <InfoTableRow
-          @alwaysRender={{not (is-empty-value (get this.model.method attr.name))}}
-          @label={{or attr.options.label (to-label attr.name)}}
-          @value={{get this.model.method attr.name}}
-          @formatTtl={{eq attr.options.editType "ttl"}}
-          @helperText={{attr.options.helperText}}
-        />
-      {{/if}}
+    <InfoTableRow @label="Type" @value={{this.model.method.type}} />
+    {{#if this.model.method.namespace_path}}
+      <InfoTableRow @label="Namespace" @value={{this.model.method.namespace_path}} />
+    {{/if}}
+    {{#each this.displayFields as |field|}}
+      <InfoTableRow
+        @alwaysRender={{not (is-empty-value (get this.model.method field))}}
+        @label={{this.label field}}
+        @value={{get this.model.method field}}
+        @formatTtl={{eq field "period"}}
+      />
     {{/each}}
   </div>
 {{else if (eq this.tab "enforcements")}}
@@ -92,10 +86,11 @@
   </Toolbar>
   <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
     {{#if (is-empty this.model.enforcements)}}
-      <Hds::ApplicationState @align="center" class="top-padding-32 bottom-padding-32" as |A|>
-        <A.Header @title="No enforcements found." @titleTag="h2" />
+      <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+        <A.Header @title="No enforcements found." @titleTag="h2" data-test-empty-state-title />
         <A.Body
           @text="No enforcements are applied to this MFA method. Edit an existing enforcement or add a new one to get started."
+          data-test-empty-state-message
         />
       </Hds::ApplicationState>
     {{else}}
diff --git a/ui/app/templates/vault/cluster/access/namespaces/create.hbs b/ui/app/templates/vault/cluster/access/namespaces/create.hbs
index c68bf3cf65..55ee871e10 100644
--- a/ui/app/templates/vault/cluster/access/namespaces/create.hbs
+++ b/ui/app/templates/vault/cluster/access/namespaces/create.hbs
@@ -7,7 +7,11 @@
   <Page::Header @title="Create a Namespace">
     <:breadcrumbs>
       <Page::Breadcrumbs
-        @breadcrumbs={{array (hash label="Namespaces" route="vault.cluster.access.namespaces.index") (hash label="Create")}}
+        @breadcrumbs={{array
+          (hash label="Vault" icon="vault" route="vault.cluster.dashboard")
+          (hash label="Namespaces" route="vault.cluster.access.namespaces.index")
+          (hash label="Create a Namespace")
+        }}
       />
     </:breadcrumbs>
   </Page::Header>
diff --git a/ui/app/templates/vault/cluster/access/namespaces/index.hbs b/ui/app/templates/vault/cluster/access/namespaces/index.hbs
index a8998b9d9d..6706e7de20 100644
--- a/ui/app/templates/vault/cluster/access/namespaces/index.hbs
+++ b/ui/app/templates/vault/cluster/access/namespaces/index.hbs
@@ -3,4 +3,9 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Namespaces @model={{this.model}} @onFilterChange={{this.navigate}} @onRefresh={{this.refreshRoute}} />
\ No newline at end of file
+<Page::Namespaces
+  @model={{this.model}}
+  @onFilterChange={{this.navigate}}
+  @onRefresh={{this.refreshRoute}}
+  @onPageChange={{this.navigate}}
+/>
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc.hbs b/ui/app/templates/vault/cluster/access/oidc.hbs
index 4d7bef18ac..76f61e813a 100644
--- a/ui/app/templates/vault/cluster/access/oidc.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc.hbs
@@ -8,26 +8,22 @@
     <:breadcrumbs>
       <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
     </:breadcrumbs>
-  </Page::Header>
-  <div class="box is-fullwidth is-sideless is-flex-between is-shadowless is-marginless" data-test-oidc-header>
-    <p>
-      Configure Vault to act as an OIDC identity provider, and offer
-      {{"Vault’s"}}
-      various authentication
+    <:description>
+      Use Vault as an identity provider for external authentication methods that use the OpenID Connect (OIDC) protocol.
+      <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/oidc-provider"}}>
+        Learn more
+      </Hds::Link::Inline>
+    </:description>
+    <:actions>
       {{#if this.isCta}}
-        <br />
+        <Hds::Button
+          @text="Create your first app"
+          @route="vault.cluster.access.oidc.clients.create"
+          data-test-oidc-configure
+        />
       {{/if}}
-      methods and source of identity to any client applications.
-      <Hds::Link::Inline @href={{doc-link "/vault/tutorials/auth-methods/oidc-identity-provider"}}>Learn more</Hds::Link::Inline>
-    </p>
-    {{#if this.isCta}}
-      <Hds::Button
-        @text="Create your first app"
-        @route="vault.cluster.access.oidc.clients.create"
-        data-test-oidc-configure
-      />
-    {{/if}}
-  </div>
+    </:actions>
+  </Page::Header>
   {{#unless this.isCta}}
     {{! show tab links in list routes }}
     <div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless" data-test-oidc-tabs>
diff --git a/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/details.hbs b/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/details.hbs
index d1a046462e..0e955b6859 100644
--- a/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/details.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/details.hbs
@@ -3,82 +3,78 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title={{@model.name}}>
-  <:breadcrumbs>
-    <Page::Breadcrumbs
-      @breadcrumbs={{array
-        (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-        (hash label="Assignments" route="vault.cluster.access.oidc.assignments")
-        (hash label=@model.name)
-      }}
-    />
-  </:breadcrumbs>
-</Page::Header>
-
-<div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless">
-  <nav class="tabs" aria-label="tabs">
-    <ul>
-      <LinkTo
-        @route="vault.cluster.access.oidc.assignments.assignment.details"
-        @model={{@model}}
-        data-test-oidc-assignment-details
-      >
-        Details
-      </LinkTo>
-    </ul>
-  </nav>
-</div>
-
-<Toolbar>
-  <ToolbarActions>
-    {{#if @model.canDelete}}
-      <ConfirmAction
-        @buttonText="Delete assignment"
-        class="toolbar-button"
-        @buttonColor="secondary"
-        @onConfirmAction={{this.delete}}
-        @confirmTitle="Delete assignment?"
-        @confirmMessage="This assignment will be permanently deleted. You will not be able to recover it."
-        data-test-oidc-assignment-delete
+{{#let this.model.assignment this.model.capabilities as |assignment capabilities|}}
+  <Page::Header @title={{assignment.name}}>
+    <:breadcrumbs>
+      <Page::Breadcrumbs
+        @breadcrumbs={{array
+          (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+          (hash label="OIDC provider: Assignments" route="vault.cluster.access.oidc.assignments")
+          (hash label=assignment.name)
+        }}
       />
-      <div class="toolbar-separator"></div>
-    {{/if}}
-    {{#if @model.canEdit}}
-      <ToolbarLink
-        @route="vault.cluster.access.oidc.assignments.assignment.edit"
-        @model={{@model.name}}
-        data-test-oidc-assignment-edit
-      >
-        Edit assignment
-      </ToolbarLink>
-    {{/if}}
-  </ToolbarActions>
-</Toolbar>
+    </:breadcrumbs>
+  </Page::Header>
 
-<div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  <InfoTableRow @label="Name" @value={{@model.name}} />
-  <InfoTableRow
-    @label="Entities"
-    @type="array"
-    @value={{@model.entityIds}}
-    @model={{@model}}
-    @isLink={{true}}
-    @renderItemName={{true}}
-    @modelType="identity/entity"
-    @itemRoute={{(array "vault.cluster.access.identity.show" "entities" "details")}}
-    @alwaysRender={{true}}
-    @toggleViewAll={{true}}
-  />
-  <InfoTableRow
-    @label="Groups"
-    @type="array"
-    @value={{@model.groupIds}}
-    @model={{@model}}
-    @isLink={{true}}
-    @renderItemName={{true}}
-    @modelType="identity/group"
-    @itemRoute={{(array "vault.cluster.access.identity.show" "groups" "details")}}
-    @alwaysRender={{true}}
-    @doNotTruncate={{true}}
-  />
-</div>
\ No newline at end of file
+  <div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless">
+    <nav class="tabs" aria-label="tabs">
+      <ul>
+        <LinkTo
+          @route="vault.cluster.access.oidc.assignments.assignment.details"
+          @model={{assignment.name}}
+          data-test-oidc-assignment-details
+        >
+          Details
+        </LinkTo>
+      </ul>
+    </nav>
+  </div>
+
+  <Toolbar>
+    <ToolbarActions>
+      {{#if capabilities.canDelete}}
+        <ConfirmAction
+          @buttonText="Delete assignment"
+          class="toolbar-button"
+          @buttonColor="secondary"
+          @onConfirmAction={{this.delete}}
+          @confirmTitle="Delete assignment?"
+          @confirmMessage="This assignment will be permanently deleted. You will not be able to recover it."
+          data-test-oidc-assignment-delete
+        />
+        <div class="toolbar-separator"></div>
+      {{/if}}
+      {{#if capabilities.canUpdate}}
+        <ToolbarLink
+          @route="vault.cluster.access.oidc.assignments.assignment.edit"
+          @model={{assignment.name}}
+          data-test-oidc-assignment-edit
+        >
+          Edit assignment
+        </ToolbarLink>
+      {{/if}}
+    </ToolbarActions>
+  </Toolbar>
+
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <InfoTableRow @label="Name" @value={{assignment.name}} />
+    <InfoTableRow
+      @label="Entities"
+      @type="array"
+      @value={{assignment.entities}}
+      @isLink={{true}}
+      @itemRoute={{(array "vault.cluster.access.identity.show" "entities" "details")}}
+      @alwaysRender={{true}}
+      @toggleViewAll={{true}}
+    />
+    <InfoTableRow
+      @label="Groups"
+      @type="array"
+      @value={{assignment.groups}}
+      @isLink={{true}}
+      @itemRoute={{(array "vault.cluster.access.identity.show" "groups" "details")}}
+      @alwaysRender={{true}}
+      @doNotTruncate={{true}}
+    />
+  </div>
+{{/let}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/edit.hbs b/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/edit.hbs
index 140297d1a3..48d1332270 100644
--- a/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/assignments/assignment/edit.hbs
@@ -8,6 +8,7 @@
     <Page::Breadcrumbs
       @breadcrumbs={{array
         (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+        (hash label="OIDC provider: Assignments" route="vault.cluster.access.oidc.assignments")
         (hash label="Details" route="vault.cluster.access.oidc.assignments.assignment.details" model=this.model.name)
         (hash label="Edit Assignment")
       }}
@@ -16,7 +17,9 @@
 </Page::Header>
 
 <Oidc::AssignmentForm
-  @model={{this.model}}
-  @onCancel={{transition-to "vault.cluster.access.oidc.assignments.assignment.details" this.model.name}}
-  @onSave={{transition-to "vault.cluster.access.oidc.assignments.assignment.details" this.model.name}}
+  @form={{this.model.form}}
+  @entities={{this.model.entities}}
+  @groups={{this.model.groups}}
+  @onCancel={{transition-to "vault.cluster.access.oidc.assignments.assignment.details" this.model.form.data.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.assignments.assignment.details" this.model.form.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/assignments/create.hbs b/ui/app/templates/vault/cluster/access/oidc/assignments/create.hbs
index 6d4f8e981d..f4c364cc58 100644
--- a/ui/app/templates/vault/cluster/access/oidc/assignments/create.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/assignments/create.hbs
@@ -8,7 +8,7 @@
     <Page::Breadcrumbs
       @breadcrumbs={{array
         (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-        (hash label="Assignments" route="vault.cluster.access.oidc.assignments")
+        (hash label="OIDC provider: Assignments" route="vault.cluster.access.oidc.assignments")
         (hash label="Create Assignment")
       }}
     />
@@ -16,7 +16,9 @@
 </Page::Header>
 
 <Oidc::AssignmentForm
-  @model={{this.model}}
+  @form={{this.model.form}}
+  @entities={{this.model.entities}}
+  @groups={{this.model.groups}}
   @onCancel={{transition-to "vault.cluster.access.oidc.assignments"}}
-  @onSave={{transition-to "vault.cluster.access.oidc.assignments.assignment.details" this.model.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.assignments.assignment.details" this.model.form.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs b/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs
index b400ca4207..7a3d5a11f2 100644
--- a/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs
@@ -11,21 +11,21 @@
   </ToolbarActions>
 </Toolbar>
 
-{{#each this.model as |model|}}
+{{#each this.model.assignments as |assignment|}}
   <LinkedBlock
-    class="list-item-row {{if (eq model.name 'allow_all') 'is-disabled'}}"
-    @params={{array "vault.cluster.access.oidc.assignments.assignment.details" model.name}}
-    @disabled={{eq model.name "allow_all"}}
-    data-test-oidc-assignment-linked-block={{model.name}}
+    class="list-item-row {{if (eq assignment 'allow_all') 'is-disabled'}}"
+    @params={{array "vault.cluster.access.oidc.assignments.assignment.details" assignment}}
+    @disabled={{eq assignment "allow_all"}}
+    data-test-oidc-assignment-linked-block={{assignment}}
   >
     <div class="level is-mobile">
       <div class="level-left">
         <div>
           <Icon @name="users" class="has-text-grey-light" />
-          <span class="has-text-weight-semibold {{if (not-eq model.name 'allow_all') 'is-underline'}}">
-            {{model.name}}
+          <span class="has-text-weight-semibold {{if (not-eq assignment 'allow_all') 'is-underline'}}">
+            {{assignment}}
           </span>
-          {{#if (eq model.name "allow_all")}}
+          {{#if (eq assignment "allow_all")}}
             <div class="is-size-8">
               This is a built-in assignment that cannot be modified or deleted.
               <DocLink @path="/vault/docs/concepts/oidc-provider#assignments">
@@ -35,7 +35,7 @@
           {{/if}}
         </div>
       </div>
-      {{#if (not-eq model.name "allow_all")}}
+      {{#if (not-eq assignment "allow_all")}}
         <div class="level-right is-flex is-paddingless is-marginless">
           <div class="level-item">
             <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
@@ -47,16 +47,24 @@
               />
               <dd.Interactive
                 @route="vault.cluster.access.oidc.assignments.assignment.details"
-                @model={{model.name}}
-                @disabled={{eq model.canRead false}}
+                @model={{assignment}}
+                @disabled={{not
+                  (has-capability this.model.capabilities "read" pathKey="oidcAssignment" params=(hash name=assignment))
+                }}
                 data-test-oidc-assignment-menu-link="details"
-              >Details</dd.Interactive>
+              >
+                Details
+              </dd.Interactive>
               <dd.Interactive
                 @route="vault.cluster.access.oidc.assignments.assignment.edit"
-                @model={{model.name}}
-                @disabled={{eq model.canEdit false}}
+                @model={{assignment}}
+                @disabled={{not
+                  (has-capability this.model.capabilities "update" pathKey="oidcAssignment" params=(hash name=assignment))
+                }}
                 data-test-oidc-assignment-menu-link="edit"
-              >Edit</dd.Interactive>
+              >
+                Edit
+              </dd.Interactive>
             </Hds::Dropdown>
           </div>
         </div>
diff --git a/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs b/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs
index 82246ce588..4b0a7f5ba8 100644
--- a/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs
@@ -4,13 +4,13 @@
 }}
 
 {{#if (not-eq this.router.currentRoute.localName "edit")}}
-  <Page::Header @title={{this.model.name}}>
+  <Page::Header @title={{this.model.client.name}}>
     <:breadcrumbs>
       <Page::Breadcrumbs
         @breadcrumbs={{array
           (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-          (hash label="Applications" route="vault.cluster.access.oidc.clients")
-          (hash label=this.model.name)
+          (hash label="OIDC provider: Applications" route="vault.cluster.access.oidc.clients")
+          (hash label=this.model.client.name)
         }}
       />
     </:breadcrumbs>
@@ -21,14 +21,14 @@
       <ul>
         <LinkTo
           @route="vault.cluster.access.oidc.clients.client.details"
-          @model={{this.model}}
+          @model={{this.model.client.name}}
           data-test-oidc-client-details
         >
           Details
         </LinkTo>
         <LinkTo
           @route="vault.cluster.access.oidc.clients.client.providers"
-          @model={{this.model}}
+          @model={{this.model.client.name}}
           data-test-oidc-client-providers
         >
           Available providers
diff --git a/ui/app/templates/vault/cluster/access/oidc/clients/client/details.hbs b/ui/app/templates/vault/cluster/access/oidc/clients/client/details.hbs
index fc68894692..d7387e1bc8 100644
--- a/ui/app/templates/vault/cluster/access/oidc/clients/client/details.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/clients/client/details.hbs
@@ -5,7 +5,7 @@
 
 <Toolbar data-test-oidc-client-toolbar>
   <ToolbarActions>
-    {{#if this.model.canDelete}}
+    {{#if this.model.capabilities.canDelete}}
       <ConfirmAction
         data-test-oidc-client-delete
         @buttonText="Delete application"
@@ -17,10 +17,10 @@
       />
       <div class="toolbar-separator"></div>
     {{/if}}
-    {{#if this.model.canEdit}}
+    {{#if this.model.capabilities.canUpdate}}
       <ToolbarLink
         @route="vault.cluster.access.oidc.clients.client.edit"
-        @model={{this.model.name}}
+        @model={{this.model.client.name}}
         data-test-oidc-client-edit
       >
         Edit application
@@ -29,20 +29,22 @@
   </ToolbarActions>
 </Toolbar>
 
-<div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  <InfoTableRow @label="Name" @value={{this.model.name}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Type" @value={{this.model.clientType}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Redirect URI" @value={{this.model.redirectUris}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Assignment" @value={{this.model.assignments}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Key" @alwaysRender={{true}}>
-    <LinkTo @route="vault.cluster.access.oidc.keys.key.details" @model={{this.model.key}}>
-      {{this.model.key}}
-    </LinkTo>
-  </InfoTableRow>
-  <InfoTableRow @label="Client ID" @value={{this.model.clientId}} @addCopyButton={{true}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Client Secret">
-    <MaskedInput @value={{this.model.clientSecret}} @displayOnly={{true}} @allowCopy={{true}} @alwaysRender={{true}} />
-  </InfoTableRow>
-  <InfoTableRow @label="ID Token TTL" @value={{format-duration this.model.idTokenTtl}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Access Token TTL" @value={{format-duration this.model.accessTokenTtl}} @alwaysRender={{true}} />
-</div>
\ No newline at end of file
+{{#let this.model.client as |client|}}
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <InfoTableRow @label="Name" @value={{client.name}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Type" @value={{client.client_type}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Redirect URI" @value={{client.redirect_uris}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Assignment" @value={{client.assignments}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Key" @alwaysRender={{true}}>
+      <LinkTo @route="vault.cluster.access.oidc.keys.key.details" @model={{client.key}}>
+        {{client.key}}
+      </LinkTo>
+    </InfoTableRow>
+    <InfoTableRow @label="Client ID" @value={{client.client_id}} @addCopyButton={{true}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Client Secret">
+      <MaskedInput @value={{client.client_secret}} @displayOnly={{true}} @allowCopy={{true}} @alwaysRender={{true}} />
+    </InfoTableRow>
+    <InfoTableRow @label="ID Token TTL" @value={{format-duration client.id_token_ttl}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Access Token TTL" @value={{format-duration client.access_token_ttl}} @alwaysRender={{true}} />
+  </div>
+{{/let}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/clients/client/edit.hbs b/ui/app/templates/vault/cluster/access/oidc/clients/client/edit.hbs
index 613f6185ab..3dbb0112d9 100644
--- a/ui/app/templates/vault/cluster/access/oidc/clients/client/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/clients/client/edit.hbs
@@ -4,7 +4,9 @@
 }}
 
 <Oidc::ClientForm
-  @model={{this.model}}
-  @onCancel={{transition-to "vault.cluster.access.oidc.clients.client.details" this.model.name}}
-  @onSave={{transition-to "vault.cluster.access.oidc.clients.client.details" this.model.name}}
+  @form={{this.model.form}}
+  @keys={{this.model.keys}}
+  @assignments={{this.model.assignments}}
+  @onCancel={{transition-to "vault.cluster.access.oidc.clients.client.details" this.model.form.data.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.clients.client.details" this.model.form.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/clients/client/providers.hbs b/ui/app/templates/vault/cluster/access/oidc/clients/client/providers.hbs
index f38fe892f4..5e72196eeb 100644
--- a/ui/app/templates/vault/cluster/access/oidc/clients/client/providers.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/clients/client/providers.hbs
@@ -4,15 +4,16 @@
 }}
 
 <Toolbar />
-{{#if (gt this.model.length 0)}}
+{{#if (gt this.model.providers.length 0)}}
   <Oidc::ProviderList @model={{this.model}} />
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="No available providers" @titleTag="h2" />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No available providers" @titleTag="h2" data-test-empty-state-title />
     <A.Body
       @text="Edit an existing provider or create a new one to allow this application access for authentication requests."
+      data-test-empty-state-message
     />
-    <A.Footer as |F|>
+    <A.Footer data-test-empty-state-actions as |F|>
       <F.LinkStandalone
         @icon="chevron-right"
         @iconPosition="trailing"
diff --git a/ui/app/templates/vault/cluster/access/oidc/clients/create.hbs b/ui/app/templates/vault/cluster/access/oidc/clients/create.hbs
index bcb38d8366..862ac870ea 100644
--- a/ui/app/templates/vault/cluster/access/oidc/clients/create.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/clients/create.hbs
@@ -4,7 +4,9 @@
 }}
 
 <Oidc::ClientForm
-  @model={{this.model}}
+  @form={{this.model.form}}
+  @keys={{this.model.keys}}
+  @assignments={{this.model.assignments}}
   @onCancel={{transition-to "vault.cluster.access.oidc.clients"}}
-  @onSave={{transition-to "vault.cluster.access.oidc.clients.client.details" this.model.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.clients.client.details" this.model.form.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/create.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/create.hbs
index 819be39a86..3d331146cb 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/create.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/create.hbs
@@ -8,15 +8,15 @@
     <Page::Breadcrumbs
       @breadcrumbs={{array
         (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-        (hash label="Keys" route="vault.cluster.access.oidc.keys")
-        (hash label="Create Key")
+        (hash label="OIDC provider: Keys" route="vault.cluster.access.oidc.keys")
+        (hash label="Create key")
       }}
     />
   </:breadcrumbs>
 </Page::Header>
 
 <Oidc::KeyForm
-  @model={{this.model}}
+  @form={{this.model}}
   @onCancel={{transition-to "vault.cluster.access.oidc.keys"}}
   @onSave={{transition-to "vault.cluster.access.oidc.keys.key.details" this.model.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs
index 74541c31a9..ad221ea8e8 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs
@@ -11,18 +11,18 @@
   </ToolbarActions>
 </Toolbar>
 
-{{#each this.model as |model|}}
+{{#each this.model.keys as |key|}}
   <LinkedBlock
     class="list-item-row"
-    @params={{array "vault.cluster.access.oidc.keys.key.details" model.name}}
-    data-test-oidc-key-linked-block={{model.name}}
+    @params={{array "vault.cluster.access.oidc.keys.key.details" key}}
+    data-test-oidc-key-linked-block={{key}}
   >
     <div class="level is-mobile">
       <div class="level-left">
         <div>
           <Icon @name="key" class="has-text-grey-light" />
           <span class="has-text-weight-semibold is-underline" data-test-item>
-            {{model.name}}
+            {{key}}
           </span>
         </div>
       </div>
@@ -37,16 +37,20 @@
             />
             <dd.Interactive
               @route="vault.cluster.access.oidc.keys.key.details"
-              @model={{model.name}}
-              @disabled={{eq model.canRead false}}
+              @model={{key}}
+              @disabled={{not (has-capability @model.capabilities "read" pathKey="oidcKey" params=key)}}
               data-test-oidc-key-menu-link="details"
-            >Details</dd.Interactive>
+            >
+              Details
+            </dd.Interactive>
             <dd.Interactive
               @route="vault.cluster.access.oidc.keys.key.edit"
-              @model={{model.name}}
-              @disabled={{eq model.canEdit false}}
+              @model={{key}}
+              @disabled={{not (has-capability @model.capabilities "update" pathKey="oidcKey" params=key)}}
               data-test-oidc-key-menu-link="edit"
-            >Edit</dd.Interactive>
+            >
+              Edit
+            </dd.Interactive>
           </Hds::Dropdown>
         </div>
       </div>
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs
index baf1a61774..01e3b909c5 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs
@@ -4,13 +4,13 @@
 }}
 
 {{#if (not-eq this.router.currentRoute.localName "edit")}}
-  <Page::Header @title={{this.model.name}}>
+  <Page::Header @title={{this.model.key.name}}>
     <:breadcrumbs>
       <Page::Breadcrumbs
         @breadcrumbs={{array
           (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-          (hash label="Keys" route="vault.cluster.access.oidc.keys")
-          (hash label=this.model.name)
+          (hash label="OIDC provider: Keys" route="vault.cluster.access.oidc.keys")
+          (hash label=this.model.key.name)
         }}
       />
     </:breadcrumbs>
@@ -19,10 +19,18 @@
   <div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless">
     <nav class="tabs" aria-label="tabs">
       <ul>
-        <LinkTo data-test-oidc-key-details @route="vault.cluster.access.oidc.keys.key.details" @model={{this.model}}>
+        <LinkTo
+          data-test-oidc-key-details
+          @route="vault.cluster.access.oidc.keys.key.details"
+          @model={{this.model.key.name}}
+        >
           Details
         </LinkTo>
-        <LinkTo data-test-oidc-key-clients @route="vault.cluster.access.oidc.keys.key.clients" @model={{this.model}}>
+        <LinkTo
+          data-test-oidc-key-clients
+          @route="vault.cluster.access.oidc.keys.key.clients"
+          @model={{this.model.key.name}}
+        >
           Applications
         </LinkTo>
       </ul>
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/key/clients.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/key/clients.hbs
index b548d4642b..c3583d0a0e 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/key/clients.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/key/clients.hbs
@@ -5,15 +5,16 @@
 
 <Toolbar />
 
-{{#if (gt this.model.length 0)}}
+{{#if (gt this.model.clients.length 0)}}
   <Oidc::ClientList @model={{this.model}} />
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="No applications allowed" @titleTag="h2" />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No applications allowed" @titleTag="h2" data-test-empty-state-title />
     <A.Body
       @text="Access to this key has been limited, and no applications are allowed to use it. Edit the key to allow access."
+      data-test-empty-state-message
     />
-    <A.Footer as |F|>
+    <A.Footer data-test-empty-state-actions as |F|>
       <F.LinkStandalone
         @icon="chevron-right"
         @iconPosition="trailing"
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/key/details.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/key/details.hbs
index 54cb9ae016..af5c4c13d0 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/key/details.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/key/details.hbs
@@ -2,45 +2,46 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
+{{#let this.model.key this.model.capabilities as |key capabilities|}}
+  <Toolbar>
+    <ToolbarActions>
+      {{#if (and (not-eq key.name "default") capabilities.canDelete)}}
+        <ConfirmAction
+          @buttonText="Delete key"
+          data-test-oidc-key-delete
+          class="toolbar-button"
+          @buttonColor="secondary"
+          @onConfirmAction={{this.delete}}
+          @confirmTitle="Delete key?"
+          @confirmMessage="This key will be permanently deleted. You will not be able to recover it."
+        />
+        <div class="toolbar-separator"></div>
+      {{/if}}
+      {{#if capabilities.canRotate}}
+        <ConfirmAction
+          @buttonText="Rotate key"
+          data-test-oidc-key-rotate
+          class="toolbar-button"
+          @buttonColor="secondary"
+          @onConfirmAction={{perform this.rotateKey}}
+          @confirmTitle="Rotate this key?"
+          @confirmMessage="After rotation, a new public/private key pair will be generated."
+          @modalColor="warning"
+          @isRunning={{this.rotateKey.isRunning}}
+        />
+      {{/if}}
+      {{#if capabilities.canUpdate}}
+        <ToolbarLink @route="vault.cluster.access.oidc.keys.key.edit" @model={{key.name}} data-test-oidc-key-edit>
+          Edit key
+        </ToolbarLink>
+      {{/if}}
+    </ToolbarActions>
+  </Toolbar>
 
-<Toolbar>
-  <ToolbarActions>
-    {{#if (and (not-eq this.model.name "default") this.model.canDelete)}}
-      <ConfirmAction
-        @buttonText="Delete key"
-        data-test-oidc-key-delete
-        class="toolbar-button"
-        @buttonColor="secondary"
-        @onConfirmAction={{this.delete}}
-        @confirmTitle="Delete key?"
-        @confirmMessage="This key will be permanently deleted. You will not be able to recover it."
-      />
-      <div class="toolbar-separator"></div>
-    {{/if}}
-    {{#if this.model.canRotate}}
-      <ConfirmAction
-        @buttonText="Rotate key"
-        data-test-oidc-key-rotate
-        class="toolbar-button"
-        @buttonColor="secondary"
-        @onConfirmAction={{perform this.rotateKey}}
-        @confirmTitle="Rotate this key?"
-        @confirmMessage="After rotation, a new public/private key pair will be generated."
-        @modalColor="warning"
-        @isRunning={{this.rotateKey.isRunning}}
-      />
-    {{/if}}
-    {{#if this.model.canEdit}}
-      <ToolbarLink @route="vault.cluster.access.oidc.keys.key.edit" @model={{this.model.name}} data-test-oidc-key-edit>
-        Edit key
-      </ToolbarLink>
-    {{/if}}
-  </ToolbarActions>
-</Toolbar>
-
-<div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  <InfoTableRow @label="Name" @value={{this.model.name}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Algorithm" @value={{this.model.algorithm}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Rotation period" @value={{format-duration this.model.rotationPeriod}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Verification TTL" @value={{format-duration this.model.verificationTtl}} @alwaysRender={{true}} />
-</div>
\ No newline at end of file
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <InfoTableRow @label="Name" @value={{key.name}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Algorithm" @value={{key.algorithm}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Rotation period" @value={{format-duration key.rotation_period}} @alwaysRender={{true}} />
+    <InfoTableRow @label="Verification TTL" @value={{format-duration key.verification_ttl}} @alwaysRender={{true}} />
+  </div>
+{{/let}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/key/edit.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/key/edit.hbs
index ec158517bd..3294422cb6 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/key/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/key/edit.hbs
@@ -7,16 +7,18 @@
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
-        (hash label="Keys" route="vault.cluster.access.oidc.keys")
-        (hash label="Details" route="vault.cluster.access.oidc.keys.key.details" model=this.model.name)
-        (hash label="Edit Key")
+        (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+        (hash label="OIDC provider: Keys" route="vault.cluster.access.oidc.keys")
+        (hash label="Details" route="vault.cluster.access.oidc.keys.key.details" model=this.model.form.data.name)
+        (hash label="Edit key")
       }}
     />
   </:breadcrumbs>
 </Page::Header>
 
 <Oidc::KeyForm
-  @model={{this.model}}
-  @onCancel={{transition-to "vault.cluster.access.oidc.keys.key.details" this.model.name}}
-  @onSave={{transition-to "vault.cluster.access.oidc.keys.key.details" this.model.name}}
+  @form={{this.model.form}}
+  @clients={{this.model.clients}}
+  @onCancel={{transition-to "vault.cluster.access.oidc.keys.key.details" this.model.form.data.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.keys.key.details" this.model.form.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/providers/create.hbs b/ui/app/templates/vault/cluster/access/oidc/providers/create.hbs
index d4415aa8e7..12068b2be1 100644
--- a/ui/app/templates/vault/cluster/access/oidc/providers/create.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/providers/create.hbs
@@ -4,7 +4,9 @@
 }}
 
 <Oidc::ProviderForm
-  @model={{this.model}}
+  @form={{this.model.form}}
+  @scopes={{this.model.scopes}}
+  @clients={{this.model.clients}}
   @onCancel={{transition-to "vault.cluster.access.oidc.providers"}}
-  @onSave={{transition-to "vault.cluster.access.oidc.providers.provider.details" this.model.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.providers.provider.details" this.model.form.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs b/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs
index 808783c66c..d90caefc52 100644
--- a/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs
@@ -4,13 +4,13 @@
 }}
 
 {{#if (not-eq this.router.currentRoute.localName "edit")}}
-  <Page::Header @title={{this.model.name}}>
+  <Page::Header @title={{this.model.provider.name}}>
     <:breadcrumbs>
       <Page::Breadcrumbs
         @breadcrumbs={{array
           (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-          (hash label="Providers" route="vault.cluster.access.oidc.providers")
-          (hash label=this.model.name)
+          (hash label="OIDC provider: Providers" route="vault.cluster.access.oidc.providers")
+          (hash label=this.model.provider.name)
         }}
       />
     </:breadcrumbs>
@@ -22,14 +22,14 @@
         <LinkTo
           data-test-oidc-provider-details
           @route="vault.cluster.access.oidc.providers.provider.details"
-          @model={{this.model}}
+          @model={{this.model.provider.name}}
         >
           Details
         </LinkTo>
         <LinkTo
           data-test-oidc-provider-clients
           @route="vault.cluster.access.oidc.providers.provider.clients"
-          @model={{this.model}}
+          @model={{this.model.provider.name}}
         >
           Applications
         </LinkTo>
diff --git a/ui/app/templates/vault/cluster/access/oidc/providers/provider/clients.hbs b/ui/app/templates/vault/cluster/access/oidc/providers/provider/clients.hbs
index f232586d92..813dbd45ff 100644
--- a/ui/app/templates/vault/cluster/access/oidc/providers/provider/clients.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/providers/provider/clients.hbs
@@ -5,15 +5,16 @@
 
 <Toolbar />
 
-{{#if (gt this.model.length 0)}}
+{{#if (gt this.model.clients.length 0)}}
   <Oidc::ClientList @model={{this.model}} />
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="No applications allowed" @titleTag="h2" />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No applications allowed" @titleTag="h2" data-test-empty-state-title />
     <A.Body
       @text="Access to this provider has been limited, and no applications are allowed to use it. Edit the provider to allow access."
+      data-test-empty-state-message
     />
-    <A.Footer as |F|>
+    <A.Footer data-test-empty-state-actions as |F|>
       <F.LinkStandalone
         @icon="chevron-right"
         @iconPosition="trailing"
diff --git a/ui/app/templates/vault/cluster/access/oidc/providers/provider/details.hbs b/ui/app/templates/vault/cluster/access/oidc/providers/provider/details.hbs
index 3ecd49862c..d06c7fe44b 100644
--- a/ui/app/templates/vault/cluster/access/oidc/providers/provider/details.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/providers/provider/details.hbs
@@ -5,7 +5,7 @@
 
 <Toolbar>
   <ToolbarActions>
-    {{#if (and (not-eq this.model.name "default") this.model.canDelete)}}
+    {{#if (and (not-eq this.model.provider.name "default") this.model.capabilities.canDelete)}}
       <ConfirmAction
         data-test-oidc-provider-delete
         @buttonText="Delete provider"
@@ -17,10 +17,10 @@
       />
       <div class="toolbar-separator"></div>
     {{/if}}
-    {{#if this.model.canEdit}}
+    {{#if this.model.capabilities.canUpdate}}
       <ToolbarLink
         @route="vault.cluster.access.oidc.providers.provider.edit"
-        @model={{this.model.name}}
+        @model={{this.model.provider.name}}
         data-test-oidc-provider-edit
       >
         Edit provider
@@ -29,15 +29,13 @@
   </ToolbarActions>
 </Toolbar>
 <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  <InfoTableRow @label="Name" @value={{this.model.name}} @alwaysRender={{true}} />
-  <InfoTableRow @label="Issuer URL" @value={{this.model.issuer}} @addCopyButton={{true}} @alwaysRender={{true}} />
+  <InfoTableRow @label="Name" @value={{this.model.provider.name}} @alwaysRender={{true}} />
+  <InfoTableRow @label="Issuer URL" @value={{this.model.provider.issuer}} @addCopyButton={{true}} @alwaysRender={{true}} />
   <InfoTableRow
     @label="Scopes"
     @type="array"
-    @value={{@model.scopesSupported}}
-    @model={{@model}}
+    @value={{this.model.provider.scopes_supported}}
     @isLink={{true}}
-    @modelType="oidc/scope"
     @itemRoute={{"vault.cluster.access.oidc.scopes.scope.details"}}
     @alwaysRender={{true}}
     @doNotTruncate={{true}}
diff --git a/ui/app/templates/vault/cluster/access/oidc/providers/provider/edit.hbs b/ui/app/templates/vault/cluster/access/oidc/providers/provider/edit.hbs
index db6450827a..207d19a9a4 100644
--- a/ui/app/templates/vault/cluster/access/oidc/providers/provider/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/providers/provider/edit.hbs
@@ -4,7 +4,9 @@
 }}
 
 <Oidc::ProviderForm
-  @model={{this.model}}
-  @onCancel={{transition-to "vault.cluster.access.oidc.providers.provider.details" this.model.name}}
-  @onSave={{transition-to "vault.cluster.access.oidc.providers.provider.details" this.model.name}}
+  @form={{this.model.form}}
+  @scopes={{this.model.scopes}}
+  @clients={{this.model.clients}}
+  @onCancel={{transition-to "vault.cluster.access.oidc.providers.provider.details" this.model.form.data.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.providers.provider.details" this.model.form.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/scopes/create.hbs b/ui/app/templates/vault/cluster/access/oidc/scopes/create.hbs
index b278e52e8e..e389156fea 100644
--- a/ui/app/templates/vault/cluster/access/oidc/scopes/create.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/scopes/create.hbs
@@ -4,7 +4,7 @@
 }}
 
 <Oidc::ScopeForm
-  @model={{this.model}}
+  @form={{this.model}}
   @onCancel={{transition-to "vault.cluster.access.oidc.scopes"}}
-  @onSave={{transition-to "vault.cluster.access.oidc.scopes.scope.details" this.model.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.scopes.scope.details" this.model.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs b/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs
index e54a7f66e5..76346d9f3a 100644
--- a/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs
@@ -11,19 +11,19 @@
   </ToolbarActions>
 </Toolbar>
 
-{{#if (gt this.model.length 0)}}
-  {{#each this.model as |model|}}
+{{#if this.model.scopes}}
+  {{#each this.model.scopes as |scope|}}
     <LinkedBlock
       class="list-item-row"
-      @params={{array "vault.cluster.access.oidc.scopes.scope.details" model.name}}
-      data-test-oidc-scope-linked-block={{model.name}}
+      @params={{array "vault.cluster.access.oidc.scopes.scope.details" scope}}
+      data-test-oidc-scope-linked-block={{scope}}
     >
       <div class="level is-mobile">
         <div class="level-left">
           <div>
             <Icon @name="file" class="has-text-grey-light" />
             <span class="has-text-weight-semibold is-underline">
-              {{model.name}}
+              {{scope}}
             </span>
           </div>
         </div>
@@ -38,16 +38,24 @@
               />
               <dd.Interactive
                 @route="vault.cluster.access.oidc.scopes.scope.details"
-                @model={{model.name}}
-                @disabled={{eq model.canRead false}}
+                @model={{scope}}
+                @disabled={{not
+                  (has-capability this.model.capabilities "read" pathKey="oidcScope" params=(hash name=scope))
+                }}
                 data-test-oidc-scope-menu-link="details"
-              >Details</dd.Interactive>
+              >
+                Details
+              </dd.Interactive>
               <dd.Interactive
                 @route="vault.cluster.access.oidc.scopes.scope.edit"
-                @model={{model.name}}
-                @disabled={{eq model.canEdit false}}
+                @model={{scope}}
+                @disabled={{not
+                  (has-capability this.model.capabilities "update" pathKey="oidcScope" params=(hash name=scope))
+                }}
                 data-test-oidc-scope-menu-link="edit"
-              >Edit</dd.Interactive>
+              >
+                Edit
+              </dd.Interactive>
             </Hds::Dropdown>
           </div>
         </div>
@@ -55,7 +63,7 @@
     </LinkedBlock>
   {{/each}}
 {{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" data-test-oidc-scope-empty-state as |A|>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" data-test-oidc-scope-empty-state as |A|>
     <A.Header data-test-empty-state-title @title="No scopes yet" @titleTag="h2" />
     <A.Body data-test-empty-state-message @text="Use scope to define identity information about the authenticated user." />
     <A.Footer data-test-empty-state-actions as |F|>
diff --git a/ui/app/templates/vault/cluster/access/oidc/scopes/scope/details.hbs b/ui/app/templates/vault/cluster/access/oidc/scopes/scope/details.hbs
index aabf9ad76c..09c39e80a7 100644
--- a/ui/app/templates/vault/cluster/access/oidc/scopes/scope/details.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/scopes/scope/details.hbs
@@ -3,56 +3,58 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title={{this.model.name}}>
-  <:breadcrumbs>
-    <Page::Breadcrumbs
-      @breadcrumbs={{array
-        (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-        (hash label="Scopes" route="vault.cluster.access.oidc.scopes")
-        (hash label=this.model.name)
-      }}
-    />
-  </:breadcrumbs>
-</Page::Header>
-
-<div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless">
-  <nav class="tabs" aria-label="tabs">
-    <ul>
-      <LinkTo @route="vault.cluster.access.oidc.scopes.scope.details" @model={{this.model}} data-test-oidc-scope-details>
-        Details
-      </LinkTo>
-    </ul>
-  </nav>
-</div>
-
-<Toolbar>
-  <ToolbarActions>
-    {{#if this.model.canDelete}}
-      <ConfirmAction
-        data-test-oidc-scope-delete
-        @buttonText="Delete scope"
-        class="toolbar-button"
-        @buttonColor="secondary"
-        @onConfirmAction={{this.delete}}
-        @confirmTitle="Delete scope?"
-        @confirmMessage="This scope will be permanently deleted. You will not be able to recover it."
+{{#let this.model.scope this.model.capabilities as |scope capabilities|}}
+  <Page::Header @title={{scope.name}}>
+    <:breadcrumbs>
+      <Page::Breadcrumbs
+        @breadcrumbs={{array
+          (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
+          (hash label="OIDC provider: Scopes" route="vault.cluster.access.oidc.scopes")
+          (hash label=scope.name)
+        }}
       />
-      <div class="toolbar-separator"></div>
-    {{/if}}
-    {{#if this.model.canEdit}}
-      <ToolbarLink @route="vault.cluster.access.oidc.scopes.scope.edit" @model={{this.model.name}} data-test-oidc-scope-edit>
-        Edit scope
-      </ToolbarLink>
-    {{/if}}
-  </ToolbarActions>
-</Toolbar>
+    </:breadcrumbs>
+  </Page::Header>
 
-<div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-  <InfoTableRow @label="Name" @value={{this.model.name}} />
-  <InfoTableRow @label="Description" @value={{this.model.description}} />
-  <Hds::CodeBlock @value={{this.model.template}} @language="ruby" @hasCopyButton={{true}} as |CB|>
-    <CB.Title @tag="h3">
-      JSON Template
-    </CB.Title>
-  </Hds::CodeBlock>
-</div>
\ No newline at end of file
+  <div class="tabs-container box is-sideless is-fullwidth is-paddingless is-marginless">
+    <nav class="tabs" aria-label="tabs">
+      <ul>
+        <LinkTo @route="vault.cluster.access.oidc.scopes.scope.details" @model={{scope.name}} data-test-oidc-scope-details>
+          Details
+        </LinkTo>
+      </ul>
+    </nav>
+  </div>
+
+  <Toolbar>
+    <ToolbarActions>
+      {{#if capabilities.canDelete}}
+        <ConfirmAction
+          data-test-oidc-scope-delete
+          @buttonText="Delete scope"
+          class="toolbar-button"
+          @buttonColor="secondary"
+          @onConfirmAction={{this.delete}}
+          @confirmTitle="Delete scope?"
+          @confirmMessage="This scope will be permanently deleted. You will not be able to recover it."
+        />
+        <div class="toolbar-separator"></div>
+      {{/if}}
+      {{#if capabilities.canUpdate}}
+        <ToolbarLink @route="vault.cluster.access.oidc.scopes.scope.edit" @model={{scope.name}} data-test-oidc-scope-edit>
+          Edit scope
+        </ToolbarLink>
+      {{/if}}
+    </ToolbarActions>
+  </Toolbar>
+
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
+    <InfoTableRow @label="Name" @value={{scope.name}} />
+    <InfoTableRow @label="Description" @value={{scope.description}} />
+    <Hds::CodeBlock @value={{scope.template}} @language="ruby" @hasCopyButton={{true}} as |CB|>
+      <CB.Title @tag="h3">
+        JSON Template
+      </CB.Title>
+    </Hds::CodeBlock>
+  </div>
+{{/let}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/access/oidc/scopes/scope/edit.hbs b/ui/app/templates/vault/cluster/access/oidc/scopes/scope/edit.hbs
index a11480c5dc..40e40f1ae6 100644
--- a/ui/app/templates/vault/cluster/access/oidc/scopes/scope/edit.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/scopes/scope/edit.hbs
@@ -4,7 +4,7 @@
 }}
 
 <Oidc::ScopeForm
-  @model={{this.model}}
-  @onCancel={{transition-to "vault.cluster.access.oidc.scopes.scope.details" this.model.name}}
-  @onSave={{transition-to "vault.cluster.access.oidc.scopes.scope.details" this.model.name}}
+  @form={{this.model}}
+  @onCancel={{transition-to "vault.cluster.access.oidc.scopes.scope.details" this.model.data.name}}
+  @onSave={{transition-to "vault.cluster.access.oidc.scopes.scope.details" this.model.data.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/auth.hbs b/ui/app/templates/vault/cluster/auth.hbs
index 38c3dc8945..42b1972dfd 100644
--- a/ui/app/templates/vault/cluster/auth.hbs
+++ b/ui/app/templates/vault/cluster/auth.hbs
@@ -4,14 +4,16 @@
 }}
 
 {{#if this.unwrapTokenError}}
-  <Hds::ApplicationState @align="center" class="has-top-margin-xxl" data-test-page-error as |A|>
-    <A.Header @title="Authentication error" @titleTag="h2" />
-    <A.Body @text="Token unwrap failed" />
-    <A.Body @text="Error: {{this.unwrapTokenError}}" />
-    <A.Footer as |F|>
-      <F.Button @icon="arrow-left" @color="tertiary" @text="Go back" {{on "click" (action "backToLogin")}} />
-    </A.Footer>
-  </Hds::ApplicationState>
+  <div class="flex is-flex-grow-1">
+    <Hds::ApplicationState @align="center" class="align-self-center" data-test-page-error as |A|>
+      <A.Header @title="Authentication error" @titleTag="h1" data-test-empty-state-title />
+      <A.Body @text="Token unwrap failed" data-test-empty-state-message />
+      <A.Body @text="Error: {{this.unwrapTokenError}}" />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.Button @icon="arrow-left" @color="tertiary" @text="Go back" {{on "click" (action "backToLogin")}} />
+      </A.Footer>
+    </Hds::ApplicationState>
+  </div>
 {{else}}
   <Auth::Page
     @cluster={{this.model.clusterModel}}
diff --git a/ui/app/templates/vault/cluster/billing/overview.hbs b/ui/app/templates/vault/cluster/billing/overview.hbs
new file mode 100644
index 0000000000..89b9f8c9fa
--- /dev/null
+++ b/ui/app/templates/vault/cluster/billing/overview.hbs
@@ -0,0 +1,10 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Sidebar::Nav::Cluster />
+
+<Billing::Page::Overview @model={{this.model}} @breadcrumbs={{this.breadcrumbs}} />
+
+{{outlet}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/clients/counts/client-list.hbs b/ui/app/templates/vault/cluster/clients/counts/client-list.hbs
index 926a2b1580..6c99f04d26 100644
--- a/ui/app/templates/vault/cluster/clients/counts/client-list.hbs
+++ b/ui/app/templates/vault/cluster/clients/counts/client-list.hbs
@@ -4,14 +4,8 @@
 }}
 
 {{#if this.model.cannotRequestExport}}
-  <Hds::ApplicationState @align="center" class="has-top-margin-xxl" as |A|>
-    <A.Header
-      @icon="skip"
-      class="align-items-end"
-      @title="You are not authorized"
-      @titleTag="h2"
-      data-test-empty-state-title
-    />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @icon="skip" @title="You are not authorized" @titleTag="h2" data-test-empty-state-title />
 
     <A.Body data-test-empty-state-message>
       Viewing export data requires
@@ -20,8 +14,8 @@
       <Hds::Text::Code class="code-in-text">/sys/internal/counters/activity/export</Hds::Text::Code>.
     </A.Body>
 
-    <A.Footer data-test-empty-state-actions>
-      <Hds::Link::Standalone
+    <A.Footer data-test-empty-state-actions as |F|>
+      <F.LinkStandalone
         @icon="docs-link"
         @iconPosition="trailing"
         @text="Client Export Documentation"
diff --git a/ui/app/templates/vault/cluster/dashboard.hbs b/ui/app/templates/vault/cluster/dashboard.hbs
index 31bf659998..d19fef998c 100644
--- a/ui/app/templates/vault/cluster/dashboard.hbs
+++ b/ui/app/templates/vault/cluster/dashboard.hbs
@@ -3,6 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
+<Sidebar::Nav::Cluster />
 <Dashboard::Overview
   @replication={{this.model.replication}}
   @secretsEngines={{this.model.secretsEngines}}
diff --git a/ui/app/templates/vault/cluster/error.hbs b/ui/app/templates/vault/cluster/error.hbs
index 2cfde2f761..1b16cee0ce 100644
--- a/ui/app/templates/vault/cluster/error.hbs
+++ b/ui/app/templates/vault/cluster/error.hbs
@@ -3,4 +3,5 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
+<Sidebar::Nav::Cluster />
 <Page::Error @error={{this.model}} @isFullPage={{true}} />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/mfa-setup.hbs b/ui/app/templates/vault/cluster/mfa-setup.hbs
index 6931ec2b87..9fb1ea5dc9 100644
--- a/ui/app/templates/vault/cluster/mfa-setup.hbs
+++ b/ui/app/templates/vault/cluster/mfa-setup.hbs
@@ -3,6 +3,8 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
+<Sidebar::Nav::Cluster />
+
 {{#if (eq this.onStep 1)}}
   <Mfa::MfaSetupStepOne
     @header={{this.header}}
diff --git a/ui/app/templates/vault/cluster/not-found.hbs b/ui/app/templates/vault/cluster/not-found.hbs
index 907857ad00..0029b784ad 100644
--- a/ui/app/templates/vault/cluster/not-found.hbs
+++ b/ui/app/templates/vault/cluster/not-found.hbs
@@ -3,4 +3,5 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
+<Sidebar::Nav::Cluster />
 <Page::Error @error={{hash httpStatus=404 path=this.model.path}} @isFullPage={{true}} />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/policies/create.hbs b/ui/app/templates/vault/cluster/policies/create.hbs
index 71d6196b14..53f4b1cec3 100644
--- a/ui/app/templates/vault/cluster/policies/create.hbs
+++ b/ui/app/templates/vault/cluster/policies/create.hbs
@@ -18,7 +18,7 @@
 <hr class="has-background-gray-300 is-marginless" />
 
 <PolicyForm
-  @model={{this.model}}
+  @form={{this.model}}
   @onSave={{transition-to "vault.cluster.policy.show" this.model.policyType this.model.name}}
   @onCancel={{transition-to "vault.cluster.policies.index"}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/policy/edit.hbs b/ui/app/templates/vault/cluster/policy/edit.hbs
index 86616da842..021663019e 100644
--- a/ui/app/templates/vault/cluster/policy/edit.hbs
+++ b/ui/app/templates/vault/cluster/policy/edit.hbs
@@ -2,14 +2,17 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-
-<Page::Header @title={{this.model.id}}>
+<Page::Header @title={{this.model.name}}>
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
         (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
-        (hash label=(concat (uppercase this.policyType) " policies") route="vault.cluster.policies" model=this.policyType)
-        (hash label=this.model.id route="vault.cluster.policy.show" model=this.model.id)
+        (hash
+          label=(concat (uppercase this.model.policyType) " policies")
+          route="vault.cluster.policies"
+          model=this.model.policyType
+        )
+        (hash label=this.model.name route="vault.cluster.policy.show" model=this.model.name)
         (hash label="Edit")
       }}
     />
@@ -21,10 +24,12 @@
   </:badges>
 </Page::Header>
 
-{{#if (and (not-eq this.model.id "root") (or this.model.canUpdate this.model.canDelete))}}
+{{#if (and (not-eq this.model.name "root") (or this.model.capabilities.canUpdate this.model.capabilities.canDelete))}}
   <Toolbar>
     <ToolbarActions>
-      {{#if (and (not-eq this.model.id "default") this.model.canDelete)}}
+      {{#if
+        (and (not-eq this.model.name "default") (not-eq this.model.name "default-ceiling") this.model.capabilities.canDelete)
+      }}
         <ConfirmAction
           @buttonText="Delete policy"
           class="toolbar-button"
@@ -34,7 +39,7 @@
         />
         <div class="toolbar-separator"></div>
       {{/if}}
-      <ToolbarLink @route="vault.cluster.policy.show" @model={{this.model.id}} data-test-button="Back to policy">
+      <ToolbarLink @route="vault.cluster.policy.show" @model={{this.model.name}} data-test-button="Back to policy">
         Back to policy
       </ToolbarLink>
     </ToolbarActions>
@@ -42,7 +47,7 @@
 {{/if}}
 
 <PolicyForm
-  @model={{this.model}}
+  @form={{this.model}}
   @onSave={{transition-to "vault.cluster.policy.show" this.model.policyType this.model.name}}
   @onCancel={{transition-to "vault.cluster.policy.show" this.model.policyType this.model.name}}
 />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/replication-dr-promote/details.hbs b/ui/app/templates/vault/cluster/replication-dr-promote/details.hbs
index 5dce459196..feb23a0aa6 100644
--- a/ui/app/templates/vault/cluster/replication-dr-promote/details.hbs
+++ b/ui/app/templates/vault/cluster/replication-dr-promote/details.hbs
@@ -4,19 +4,19 @@
 }}
 
 <section class="section">
-  <div class="container is-widescreen">
+  <div class="centered-container is-widescreen">
     <ReplicationPage @model={{this.model}} as |Page|>
       <Page.header @showTabs={{true}} />
       {{#if Page.isDisabled}}
-        <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
           <A.Header
             @title="Disaster Recovery secondary not set up"
             @titleTag="h2"
             @icon="alert-circle"
-            class="align-items-end"
+            data-test-empty-state-title
           />
-          <A.Body @text={{Page.message}} />
-          <A.Footer as |F|>
+          <A.Body @text={{Page.message}} data-test-empty-state-message />
+          <A.Footer data-test-empty-state-actions as |F|>
             <F.LinkStandalone @icon="chevron-left" @text="Go back" @route="vault.cluster.secrets.backends" />
             <F.LinkStandalone
               @icon="learn-link"
diff --git a/ui/app/templates/vault/cluster/replication-dr-promote/index.hbs b/ui/app/templates/vault/cluster/replication-dr-promote/index.hbs
index 85abad8d6c..a41e796598 100644
--- a/ui/app/templates/vault/cluster/replication-dr-promote/index.hbs
+++ b/ui/app/templates/vault/cluster/replication-dr-promote/index.hbs
@@ -4,19 +4,19 @@
 }}
 
 <section class="section">
-  <div class="container is-widescreen">
+  <div class="centered-container is-widescreen">
     <ReplicationPage @model={{this.model}} as |Page|>
       <Page.header @showTabs={{true}} />
       {{#if Page.isDisabled}}
-        <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
           <A.Header
             @title="Disaster Recovery secondary not set up"
             @titleTag="h2"
             @icon="alert-circle"
-            class="align-items-end"
+            data-test-empty-state-title
           />
-          <A.Body @text={{Page.message}} />
-          <A.Footer as |F|>
+          <A.Body @text={{Page.message}} data-test-empty-state-message />
+          <A.Footer data-test-empty-state-actions as |F|>
             <F.LinkStandalone @icon="chevron-left" @text="Go back" @route="vault.cluster.secrets.backends" />
             <F.LinkStandalone
               @icon="learn-link"
diff --git a/ui/app/templates/vault/cluster/secrets/backend/credentials.hbs b/ui/app/templates/vault/cluster/secrets/backend/credentials.hbs
index e072608729..788143fbe9 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/credentials.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/credentials.hbs
@@ -1,5 +1,5 @@
 {{!
-  Copyright IBM Corp. 2016, 2025
+  Copyright IBM Corp. 2016, 2026
   SPDX-License-Identifier: BUSL-1.1
 }}
 
@@ -7,7 +7,7 @@
   <GenerateCredentialsDatabase
     @backendPath={{this.model.backendPath}}
     @roleName={{this.model.roleName}}
-    @roleType={{this.model.dbCred.roleType}}
+    @roleType={{this.model.roleType}}
     @model={{this.model.dbCred}}
   />
 {{else if (eq this.model.backendType "totp")}}
@@ -18,6 +18,8 @@
     @keyName={{this.model.keyName}}
     @totpCodePeriod={{this.model.totpCodePeriod}}
   />
+{{else if (eq this.model.backendType "ssh")}}
+  <GenerateCredentialsSsh @backendPath={{this.model.backendPath}} @roleName={{this.model.roleName}} />
 {{else}}
   <GenerateCredentials
     @backendPath={{this.model.backendPath}}
diff --git a/ui/app/templates/vault/cluster/secrets/backend/list.hbs b/ui/app/templates/vault/cluster/secrets/backend/list.hbs
index 9b42cdda9a..3f3d5259c6 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/list.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/list.hbs
@@ -9,24 +9,14 @@
       (options-for-backend this.backendType this.tab) (engines-display-data this.backendType)
       as |options engineDisplayData|
     }}
-      <Hds::Dropdown as |D|>
-        <D.ToggleButton @text="Manage" @color="secondary" data-test-dropdown="Manage" />
-        <D.Interactive
-          @icon="settings"
-          @route={{if
-            engineDisplayData.isConfigurable
-            "vault.cluster.secrets.backend.configuration.plugin-settings"
-            "vault.cluster.secrets.backend.configuration.general-settings"
-          }}
-          data-test-popup-menu="Configure"
-        >Configure</D.Interactive>
-        <D.Interactive
-          {{on "click" (fn (mut this.engineToDisable) this.backendModel)}}
-          @color="critical"
-          @icon="trash"
-          data-test-popup-menu="Delete"
-        >Delete</D.Interactive>
-      </Hds::Dropdown>
+      <ManageDropdown
+        @model={{this.backendModel}}
+        @configRoute={{if
+          engineDisplayData.isConfigurable
+          "vault.cluster.secrets.backend.configuration.plugin-settings"
+          "vault.cluster.secrets.backend.configuration.general-settings"
+        }}
+      />
 
       <Hds::Button
         @text={{options.create}}
@@ -97,7 +87,7 @@
       {{/let}}
     {{else}}
       {{! Empty state here means that a filter was applied on top of the results list }}
-      <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
         <A.Header
           data-test-empty-state-title
           @title='There are no {{pluralize options.item}} matching "{{this.filter}}". {{if
@@ -125,12 +115,12 @@
   {{else}}
     {{#if (eq this.baseKey.id "")}}
       {{#if (and options.firstStep (not this.tab))}}
-        <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
           <A.Header data-test-empty-state-title @title="Get started with {{capitalize this.backendType}}" @titleTag="h2" />
           <A.Body data-test-empty-state-message @text={{options.firstStep}} />
         </Hds::ApplicationState>
       {{else}}
-        <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
           <A.Header data-test-empty-state-title @title="No {{pluralize options.item}} in this backend" @titleTag="h2" />
           <A.Body
             data-test-empty-state-message
@@ -144,7 +134,7 @@
       {{/if}}
     {{else}}
       {{#if this.filterIsFolder}}
-        <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
           <A.Header
             data-test-empty-state-title
             @title={{if
@@ -161,7 +151,7 @@
           </A.Body>
         </Hds::ApplicationState>
       {{else}}
-        <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
           <A.Header
             data-test-empty-state-title
             @title={{concat "No " (pluralize options.item) ' matching "' this.filter '".'}}
@@ -176,14 +166,4 @@
       {{/if}}
     {{/if}}
   {{/if}}
-{{/let}}
-
-{{#if this.engineToDisable}}
-  <ConfirmModal
-    @color="critical"
-    @confirmMessage="Any data in this engine will be permanently deleted."
-    @confirmTitle="Disable engine?"
-    @onClose={{fn (mut this.engineToDisable) null}}
-    @onConfirm={{perform this.disableEngine this.engineToDisable}}
-  />
-{{/if}}
\ No newline at end of file
+{{/let}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/secrets/backend/overview.hbs b/ui/app/templates/vault/cluster/secrets/backend/overview.hbs
index 3702666037..f147cd13ac 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/overview.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/overview.hbs
@@ -8,7 +8,7 @@
 {{#if this.showEmptyState}}
   <div class="box is-fullwidth is-shadowless is-sideless is-paddingless is-marginless">
     <Toolbar />
-    <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
       <A.Header data-test-empty-state-title @title="Connect a database" @titleTag="h2" />
       <A.Body data-test-empty-state-message @text={{this.emptyStateMessage}} />
       {{#if (or this.model.connectionCapabilities.canCreate this.model.connectionCapabilities.canUpdate)}}
diff --git a/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs b/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs
index cfa99c17cf..8c422c6948 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/secret-edit-layout.hbs
@@ -8,9 +8,11 @@
   key=this.model
   tab=this.tab
   model=this.model
+  form=this.form
   mode=this.mode
   root=this.backendCrumb
   capabilities=this.capabilities
+  transformRoles=this.transformRoles
   onRefresh=(action "refresh")
   onToggleAdvancedEdit=(action "toggleAdvancedEdit")
   initialKey=this.initialKey
diff --git a/ui/app/templates/vault/cluster/secrets/backend/sign.hbs b/ui/app/templates/vault/cluster/secrets/backend/sign.hbs
index 6afa0cb665..b584880243 100644
--- a/ui/app/templates/vault/cluster/secrets/backend/sign.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backend/sign.hbs
@@ -1,115 +1,6 @@
 {{!
-  Copyright IBM Corp. 2016, 2025
+  Copyright IBM Corp. 2016, 2026
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Page::Header @title="Sign SSH Key">
-  <:breadcrumbs>
-    <Page::Breadcrumbs
-      @breadcrumbs={{array
-        (hash label="SSH" route="vault.cluster.secrets.backend" model=this.backend.id)
-        (hash label="Sign" route="vault.cluster.secrets.backend" model=this.backend.id)
-        (hash label=this.model.role.name route="vault.cluster.secrets.backend.show" model=this.model.role.name)
-        (hash label="Sign SSH Key")
-      }}
-    />
-  </:breadcrumbs>
-</Page::Header>
-
-{{#if this.model.signedKey}}
-  <div class="box is-fullwidth is-sideless is-paddingless is-marginless">
-    <Hds::Alert @type="inline" @color="warning" class="has-top-margin-s has-bottom-margin-s" as |A|>
-      <A.Title>Warning</A.Title>
-      <A.Description>
-        You will not be able to access this information later, so please copy the information below.
-      </A.Description>
-    </Hds::Alert>
-    {{#each this.model.attrs as |attr|}}
-      {{#if (eq attr.type "object")}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{stringify (get this.model attr.name)}}
-        />
-      {{else}}
-        <InfoTableRow
-          @label={{capitalize (or attr.options.label (humanize (dasherize attr.name)))}}
-          @value={{get this.model attr.name}}
-        />
-      {{/if}}
-    {{/each}}
-  </div>
-  <div class="field is-grouped box is-fullwidth is-bottomless">
-    <div class="control">
-      <Hds::Copy::Button
-        @text="Copy key"
-        @textToCopy={{this.model.signedKey}}
-        @onError={{(fn (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger"))}}
-        class="primary"
-      />
-    </div>
-    {{#if this.model.leaseId}}
-      <div class="control">
-        <Hds::Copy::Button
-          @text="Copy lease ID"
-          @textToCopy={{this.model.leaseId}}
-          @onError={{(fn
-            (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger")
-          )}}
-          class="secondary"
-        />
-      </div>
-    {{/if}}
-    <div class="control">
-      <Hds::Button @text="Back" @color="secondary" {{on "click" (action "newModel")}} data-test-back-button />
-    </div>
-  </div>
-{{else}}
-  <form {{action "sign" on="submit"}} data-test-secret-generate-form="true">
-    <div class="box is-sideless is-fullwidth is-marginless">
-      <MessageError @model={{this.model}} />
-      <NamespaceReminder @mode="sign" @noun="SSH key" />
-      {{#if this.model.attrs}}
-        {{#let (find-by "name" "publicKey" this.model.attrs) as |attr|}}
-          <FormFieldFromModel @attr={{attr}} @model={{this.model}} />
-        {{/let}}
-        {{! valid_principals is required unless allow_empty_principals is true (not recommended) }}
-        {{#let (find-by "name" "validPrincipals" this.model.attrs) as |attr|}}
-          <FormFieldFromModel @attr={{attr}} @model={{this.model}} />
-        {{/let}}
-        <ToggleButton @isOpen={{this.showOptions}} @onClick={{fn (mut this.showOptions)}} data-test-toggle-button />
-        {{#if this.showOptions}}
-          <div class="box is-marginless">
-            {{#each this.model.attrs as |attr|}}
-              {{! These attrs render above, outside of the "More options" toggle }}
-              {{#if (not (includes attr.name (array "publicKey" "validPrincipals")))}}
-                <FormFieldFromModel
-                  @attr={{attr}}
-                  @model={{this.model}}
-                  @updateTtl={{action "updateTtl" attr.name}}
-                  @emptyData={{this.emptyData}}
-                  @editorUpdated={{action "editorUpdated" attr.name}}
-                />
-              {{/if}}
-            {{/each}}
-          </div>
-        {{/if}}
-      {{/if}}
-    </div>
-    <Hds::ButtonSet class="has-top-bottom-margin">
-      <Hds::Button
-        @text="Sign"
-        @icon={{if this.loading "loading"}}
-        type="submit"
-        disabled={{this.loading}}
-        data-test-submit
-      />
-      <Hds::Button
-        @text="Cancel"
-        @color="secondary"
-        @route="vault.cluster.secrets.backend.list-root"
-        @model={{this.backend.id}}
-        data-test-cancel
-      />
-    </Hds::ButtonSet>
-  </form>
-{{/if}}
\ No newline at end of file
+<SshSignKey @roleName={{this.model.roleName}} @backendPath={{this.model.backendPath}} />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/secrets/enable/create.hbs b/ui/app/templates/vault/cluster/secrets/enable/create.hbs
index 4360d2369d..d8a2152301 100644
--- a/ui/app/templates/vault/cluster/secrets/enable/create.hbs
+++ b/ui/app/templates/vault/cluster/secrets/enable/create.hbs
@@ -3,4 +3,4 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{action "onMountSuccess"}} />
\ No newline at end of file
+<Mount::SecretsEngineForm @model={{this.model}} />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/settings/auth/configure.hbs b/ui/app/templates/vault/cluster/settings/auth/configure.hbs
index e41afc8c0a..054f272f56 100644
--- a/ui/app/templates/vault/cluster/settings/auth/configure.hbs
+++ b/ui/app/templates/vault/cluster/settings/auth/configure.hbs
@@ -7,6 +7,7 @@
   <:breadcrumbs>
     <Page::Breadcrumbs
       @breadcrumbs={{array
+        (hash label="Vault" route="vault.cluster.dashboard" icon="vault")
         (hash label="Auth Methods" route="vault.cluster.access.methods")
         (hash label=this.model.method.id route="vault.cluster.access.method" model=this.model.method.id)
         (hash label="Configure")
diff --git a/ui/app/templates/vault/cluster/settings/seal.hbs b/ui/app/templates/vault/cluster/settings/seal.hbs
index 813786a66f..21f0e76055 100644
--- a/ui/app/templates/vault/cluster/settings/seal.hbs
+++ b/ui/app/templates/vault/cluster/settings/seal.hbs
@@ -10,12 +10,26 @@
       @breadcrumbs={{array (hash label="Vault" route="vault.cluster.dashboard" icon="vault") (hash label="Seal Vault")}}
     />
   </:breadcrumbs>
+  <:description>
+    Stop Vault from responding to all access operations by discarding its in-memory root key. You must use the CLI or API to
+    unseal Vault and restore decryption capabilities.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/seal-vault"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
+  <:actions>
+    {{#if this.model.seal.canUpdate}}
+      <SealAction @onSeal={{action "seal"}} />
+    {{/if}}
+  </:actions>
 </Page::Header>
 
-{{#if this.model.seal.canUpdate}}
-  <SealAction @onSeal={{action "seal"}} />
-{{else}}
-  <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-    <A.Header @title="This token does not have sufficient capabilities to seal this vault" @titleTag="h2" />
+{{#unless this.model.seal.canUpdate}}
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header
+      @title="This token does not have sufficient capabilities to seal this vault"
+      @titleTag="h2"
+      data-test-empty-state-title
+    />
   </Hds::ApplicationState>
-{{/if}}
\ No newline at end of file
+{{/unless}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/storage-restore.hbs b/ui/app/templates/vault/cluster/storage-restore.hbs
index dc4c3f4f6d..48597e7f75 100644
--- a/ui/app/templates/vault/cluster/storage-restore.hbs
+++ b/ui/app/templates/vault/cluster/storage-restore.hbs
@@ -3,4 +3,5 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
+<Sidebar::Nav::Cluster />
 <RaftStorageRestore />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/storage.hbs b/ui/app/templates/vault/cluster/storage.hbs
index 69d3a28095..fc5d02fe53 100644
--- a/ui/app/templates/vault/cluster/storage.hbs
+++ b/ui/app/templates/vault/cluster/storage.hbs
@@ -3,4 +3,5 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
+<Sidebar::Nav::Cluster />
 <RaftStorageOverview @model={{this.model}} />
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/tools/tool.hbs b/ui/app/templates/vault/cluster/tools/tool.hbs
index 14c3d754d2..c767af1c96 100644
--- a/ui/app/templates/vault/cluster/tools/tool.hbs
+++ b/ui/app/templates/vault/cluster/tools/tool.hbs
@@ -19,7 +19,7 @@
   {{! This center aligns error message on the page }}
   <div class="is-flex is-flex-grow-1">
     <Hds::ApplicationState @align="center" class="align-self-center" as |A|>
-      <A.Header @title="Tool not available" @titleTag="h2" />
+      <A.Header @title="Tool not available" @titleTag="h1" data-test-empty-state-title />
     </Hds::ApplicationState>
   </div>
 {{/if}}
\ No newline at end of file
diff --git a/ui/app/templates/vault/cluster/unseal.hbs b/ui/app/templates/vault/cluster/unseal.hbs
index 1a3eb96360..647f118aa8 100644
--- a/ui/app/templates/vault/cluster/unseal.hbs
+++ b/ui/app/templates/vault/cluster/unseal.hbs
@@ -7,11 +7,12 @@
   <div class="section is-flex-v-centered-tablet is-flex-grow-1 is-fullwidth">
     <div class="columns is-centered is-gapless is-fullwidth">
       <Hds::ApplicationState @align="center" as |A|>
-        <A.Header @title="License required" @titleTag="h2" @icon="skip" class="align-items-end" />
+        <A.Header @title="License required" @titleTag="h1" @icon="skip" data-test-empty-state-title />
         <A.Body
           @text="Your Vault license has terminated and Vault is sealed. To unseal, add a current license to your configuration and restart Vault."
+          data-test-empty-state-message
         />
-        <A.Footer as |F|>
+        <A.Footer data-test-empty-state-actions as |F|>
           <F.LinkStandalone
             @icon="learn-link"
             @iconPosition="trailing"
diff --git a/ui/app/utils/all-engines-metadata.ts b/ui/app/utils/all-engines-metadata.ts
index 0adc37aa1e..d15b54ccff 100644
--- a/ui/app/utils/all-engines-metadata.ts
+++ b/ui/app/utils/all-engines-metadata.ts
@@ -3,355 +3,4 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-/**
- * Metadata configuration for secret and auth engines, including enterprise.
- *
- * This file defines and exports engine metadata, including its
- * displayName, mountCategory, requiresEnterprise, and other relevant properties. It serves as a
- * centralized source of truth for engine-related configurations.
- *
- * Key responsibilities:
- * - Define metadata for all engines.
- * - Provide utility functions or constants for accessing engine-specific data.
- * - Facilitate dynamic engine rendering and behavior based on metadata.
- *
- * Example usage:
- * If an enterprise license is present, return all secret engines;
- * otherwise, return only the secret engines supported in OSS.
- * return filterEnginesByMountCategory({ mountCategory: 'secret', isEnterprise: this.version.isEnterprise });
- */
-
-export interface EngineDisplayData {
-  pluginCategory?: string; // The plugin category is used to group engines in the UI. e.g., 'cloud', 'infra', 'generic'
-  displayName: string;
-  engineRoute?: string; // engines that have their own Ember engine will have this route defined.
-  glyph?: string;
-  isWIF?: boolean; // flag for 'Workload Identity Federation' engines. - https://developer.hashicorp.com/hcp/docs/hcp/iam/service-principal/workload-identity-federation
-  mountCategory: string[];
-  requiredFeature?: string; // flag for engines that require the ADP (Advanced Data Protection) feature. - https://www.hashicorp.com/en/blog/advanced-data-protection-adp-now-available-in-hcp-vault
-  requiresEnterprise?: boolean;
-  isConfigurable?: boolean; // for secret engines that have additional configuration pages and actions.
-  isOnlyMountable?: boolean; // The UI only supports configuration views for these secrets engines. The CLI must be used to manage other engine resources (i.e. roles, credentials).
-  type: string;
-  value?: string;
-  configRoute?: string; // override for custom route if not "configuration.plugin-settings" (used for Ember engines)
-}
-
-/**
- * @param mountCategory - Given mount category to filter by, e.g., 'auth' or 'secret'.
- * @param isEnterprise - Optional boolean to indicate if enterprise engines should be included in the results.
- * @returns Filtered array of engines that match the given mount category
- */
-export function filterEnginesByMountCategory({
-  mountCategory,
-  isEnterprise = false,
-}: {
-  mountCategory: 'auth' | 'secret';
-  isEnterprise: boolean;
-}) {
-  return isEnterprise
-    ? ALL_ENGINES.filter((engine) => engine.mountCategory.includes(mountCategory))
-    : ALL_ENGINES.filter(
-        (engine) => engine.mountCategory.includes(mountCategory) && !engine.requiresEnterprise
-      );
-}
-
-export function isAddonEngine(type: string, version: number) {
-  if (type === 'kv' && version === 1) {
-    return false;
-  }
-  const engineRoute = ALL_ENGINES.find((engine) => engine.type === type)?.engineRoute;
-  return !!engineRoute;
-}
-
-//  The "sys/mounts" and "sys/internal/ui/mounts" endpoints return a "secret/" key containing
-//  all mounts enabled in Vault. Some types are internal Vault APIs, not user-mountable secrets engines,
-//  and should be filtered in some scenarios, such as listing secrets engines.
-export const INTERNAL_ENGINE_TYPES = ['system', 'identity', 'agent_registry'];
-
-export const ALL_ENGINES: EngineDisplayData[] = [
-  {
-    pluginCategory: 'cloud',
-    displayName: 'AliCloud',
-    glyph: 'alibaba-color',
-    mountCategory: ['auth', 'secret'],
-    type: 'alicloud',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'AppRole',
-    glyph: 'cpu',
-    mountCategory: ['auth'],
-    type: 'approle',
-    value: 'approle',
-  },
-  {
-    pluginCategory: 'cloud',
-    displayName: 'AWS',
-    glyph: 'aws-color',
-    isConfigurable: true,
-    isWIF: true,
-    mountCategory: ['auth', 'secret'],
-    type: 'aws',
-  },
-  {
-    pluginCategory: 'cloud',
-    displayName: 'Azure',
-    glyph: 'azure-color',
-    isOnlyMountable: true,
-    isConfigurable: true,
-    isWIF: true,
-    mountCategory: ['auth', 'secret'],
-    type: 'azure',
-  },
-  {
-    pluginCategory: 'infra',
-    displayName: 'Consul',
-    glyph: 'consul-color',
-    mountCategory: ['secret'],
-    type: 'consul',
-  },
-  {
-    displayName: 'Cubbyhole',
-    type: 'cubbyhole',
-    mountCategory: ['secret'],
-  },
-  {
-    pluginCategory: 'infra',
-    displayName: 'Databases',
-    glyph: 'database',
-    mountCategory: ['secret'],
-    type: 'database',
-  },
-  {
-    pluginCategory: 'cloud',
-    displayName: 'GitHub',
-    glyph: 'github-color',
-    mountCategory: ['auth'],
-    type: 'github',
-    value: 'github',
-  },
-  {
-    pluginCategory: 'cloud',
-    displayName: 'Google Cloud',
-    glyph: 'gcp-color',
-    isOnlyMountable: true,
-    isConfigurable: true,
-    isWIF: true,
-    mountCategory: ['auth', 'secret'],
-    type: 'gcp',
-  },
-  {
-    pluginCategory: 'cloud',
-    displayName: 'Google Cloud KMS',
-    glyph: 'gcp-color',
-    mountCategory: ['secret'],
-    type: 'gcpkms',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'JWT',
-    glyph: 'jwt',
-    mountCategory: ['auth'],
-    type: 'jwt',
-    value: 'jwt',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'KV',
-    engineRoute: 'kv.list',
-    configRoute: 'kv.configuration', // only utilized to display config data for kvv2, not in conjunction with isConfigurable as templates determine whether engine is kv v1 or v2
-    glyph: 'key-values',
-    mountCategory: ['secret'],
-    type: 'kv',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'KMIP',
-    engineRoute: 'kmip.scopes.index',
-    configRoute: 'kmip.configuration',
-    isConfigurable: true,
-    glyph: 'lock',
-    mountCategory: ['secret'],
-    requiredFeature: 'KMIP',
-    requiresEnterprise: true,
-    type: 'kmip',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'Transform',
-    glyph: 'transform-data',
-    mountCategory: ['secret'],
-    requiredFeature: 'Transform Secrets Engine',
-    requiresEnterprise: true,
-    type: 'transform',
-  },
-  {
-    pluginCategory: 'cloud',
-    displayName: 'Key Management',
-    glyph: 'key',
-    mountCategory: ['secret'],
-    requiredFeature: 'Key Management Secrets Engine',
-    requiresEnterprise: true,
-    type: 'keymgmt',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'Kubernetes',
-    engineRoute: 'kubernetes.overview',
-    configRoute: 'kubernetes.configuration',
-    glyph: 'kubernetes-color',
-    isConfigurable: true,
-    mountCategory: ['auth', 'secret'],
-    type: 'kubernetes',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'LDAP',
-    isConfigurable: true,
-    engineRoute: 'ldap.overview',
-    configRoute: 'ldap.configuration',
-    glyph: 'folder-users',
-    mountCategory: ['auth', 'secret'],
-    type: 'ldap',
-  },
-  {
-    pluginCategory: 'infra',
-    displayName: 'Nomad',
-    glyph: 'nomad-color',
-    mountCategory: ['secret'],
-    type: 'nomad',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'OIDC',
-    glyph: 'openid-color',
-    mountCategory: ['auth'],
-    type: 'oidc',
-    value: 'oidc',
-  },
-  {
-    pluginCategory: 'infra',
-    displayName: 'Okta',
-    glyph: 'okta-color',
-    mountCategory: ['auth'],
-    type: 'okta',
-    value: 'okta',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'PKI Certificates',
-    isConfigurable: true,
-    engineRoute: 'pki.overview',
-    configRoute: 'pki.configuration',
-    glyph: 'certificate',
-    mountCategory: ['secret'],
-    type: 'pki',
-  },
-  {
-    pluginCategory: 'infra',
-    displayName: 'RADIUS',
-    glyph: 'mainframe',
-    mountCategory: ['auth'],
-    type: 'radius',
-    value: 'radius',
-  },
-  {
-    pluginCategory: 'infra',
-    displayName: 'RabbitMQ',
-    glyph: 'rabbitmq-color',
-    mountCategory: ['secret'],
-    type: 'rabbitmq',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'SAML',
-    glyph: 'saml-color',
-    mountCategory: ['auth'],
-    requiresEnterprise: true,
-    type: 'saml',
-    value: 'saml',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'SSH',
-    glyph: 'terminal-screen',
-    isConfigurable: true,
-    mountCategory: ['secret'],
-    type: 'ssh',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'TLS Certificates',
-    glyph: 'certificate',
-    mountCategory: ['auth'],
-    type: 'cert',
-    value: 'cert',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'TOTP',
-    glyph: 'history',
-    mountCategory: ['secret'],
-    type: 'totp',
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'Transit',
-    glyph: 'swap-horizontal',
-    mountCategory: ['secret'],
-    type: 'transit',
-  },
-  {
-    displayName: 'Token',
-    type: 'token',
-    mountCategory: ['auth'],
-  },
-  {
-    pluginCategory: 'generic',
-    displayName: 'Userpass',
-    glyph: 'users',
-    mountCategory: ['auth'],
-    type: 'userpass',
-    value: 'userpass',
-  },
-
-  // TODO: enable builtin plugins after confirming with Product
-  //
-  // {
-  //   pluginCategory: 'generic',
-  //   displayName: 'Ad',
-  //   glyph: 'folder',
-  //   isOldEngine: true,
-  //   isOnlyMountable: true,
-  //   mountCategory: ['secret'],
-  //   type: 'ad',
-  // },
-  // {
-  //   pluginCategory: 'cloud',
-  //   displayName: 'MongoDB Atlas',
-  //   glyph: 'mongodb-color',
-  //   isOldEngine: true,
-  //   isOnlyMountable: true,
-  //   mountCategory: ['secret'],
-  //   type: 'mongodbatlas',
-  // },
-  // {
-  //   pluginCategory: 'infra',
-  //   displayName: 'OpenLDAP',
-  //   glyph: 'folder-users',
-  //   isOldEngine: true,
-  //   isOnlyMountable: true,
-  //   mountCategory: ['secret'],
-  //   type: 'openldap',
-  // },
-  // {
-  //   pluginCategory: 'infra',
-  //   displayName: 'Terraform',
-  //   glyph: 'terraform-color',
-  //   isOldEngine: true,
-  //   isOnlyMountable: true,
-  //   mountCategory: ['secret'],
-  //   type: 'terraform',
-  // },
-];
+export * from 'core/utils/all-engines-metadata';
diff --git a/ui/app/utils/auth-form-helpers.ts b/ui/app/utils/auth-form-helpers.ts
index 68315a1858..2526538bd1 100644
--- a/ui/app/utils/auth-form-helpers.ts
+++ b/ui/app/utils/auth-form-helpers.ts
@@ -9,7 +9,7 @@
  * which includes all the methods that can be enabled and mounted.
  */
 
-const BASE_LOGIN_METHODS = ['github', 'jwt', 'ldap', 'oidc', 'okta', 'radius', 'token', 'userpass'];
+const BASE_LOGIN_METHODS = ['github', 'jwt', 'ldap', 'oidc', 'okta', 'radius', 'token', 'cert', 'userpass'];
 
 export const ENTERPRISE_LOGIN_METHODS = ['saml'];
 
@@ -19,7 +19,7 @@ export const supportedTypes = (isEnterprise: boolean) => {
 
 // this ensures no unexpected params are injected and submitted in the login form
 // 'namespace' and 'path' are intentionally omitted because they are handled explicitly
-export const POSSIBLE_FIELDS = ['role', 'jwt', 'password', 'token', 'username'];
+export const POSSIBLE_FIELDS = ['role', 'jwt', 'password', 'token', 'username', 'name'];
 
 // maps OIDC provider domain to display name for oidc-jwt auth form
 export const DOMAIN_PROVIDER_MAP = {
diff --git a/ui/app/utils/chart-helpers.js b/ui/app/utils/chart-helpers.js
index 6f2689fcd9..01bc75b246 100644
--- a/ui/app/utils/chart-helpers.js
+++ b/ui/app/utils/chart-helpers.js
@@ -3,45 +3,65 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { format } from 'd3-format';
-import { mean } from 'd3-array';
-
-// COLOR THEME:
-export const BAR_PALETTE = ['#CCE3FE', '#1060FF', '#C2C5CB', '#656A76'];
-export const UPGRADE_WARNING = '#FDEEBA';
-export const GREY = '#EBEEF2';
-
-// TRANSLATIONS:
-export const TRANSLATE = { left: -11 };
-export const SVG_DIMENSIONS = { height: 190, width: 500 };
-
-export const BAR_WIDTH = 17; // data bar width is 17 pixels
-
-// Reference for tickFormat https://www.youtube.com/watch?v=c3MCROTNN8g
-export function numericalAxisLabel(number) {
-  if (number < 1000) return number;
-  if (number < 1100) return format('.1s')(number);
-  if (number < 2000) return format('.2s')(number); // between 1k and 2k, show 2 decimals
-  if (number < 10000) return format('.1s')(number);
-  // replace SI prefix of 'G' for billions to 'B'
-  return format('.2s')(number).replace('G', 'B');
-}
-
-export function calculateAverage(dataset, objectKey) {
-  // before mapping for values, check that the objectKey exists at least once in the dataset because
-  // map returns 0 when dataset[objectKey] is undefined in order to calculate average
-  if (!Array.isArray(dataset) || !objectKey || !dataset.some((d) => Object.keys(d).includes(objectKey))) {
-    return null;
-  }
-
-  const integers = dataset.map((d) => (d[objectKey] ? d[objectKey] : 0));
-  const checkIntegers = integers.every((n) => Number.isInteger(n)); // decimals will be false
-  return checkIntegers ? Math.round(mean(integers)) : null;
-}
-
-export function calculateSum(integerArray) {
+/**
+ * Calculates the sum of an array of numbers with optional decimal precision.
+ * This function fixes floating-point arithmetic errors by rounding to a specified
+ * number of decimal places. For example, 48.7888 + 0.0112 = 48.800000000000004
+ * in JavaScript, but with fixedDecimalPlaces=4, it returns 48.8.
+ *
+ * @param {number[]} integerArray - Array of numbers to sum
+ * @param {number} [fixedDecimalPlaces] - Optional number of decimal places for precision.
+ *                                        If provided, the sum is rounded to this precision.
+ * @returns {number|null} Returns the sum as a number, or null if invalid input.
+ *                        When fixedDecimalPlaces is provided, returns a number rounded
+ *                        to that precision (e.g., 48.8 instead of 48.800000000000004).
+ *
+ * @example
+ * calculateSum([2, 3])                    // Returns 5
+ * calculateSum([48.7888, 0.0112], 4)      // Returns 48.8 (fixes floating-point error)
+ * calculateSum([73.1832, 0.0168], 4)      // Returns 73.2
+ * calculateSum([10, 20, 30], 4)           // Returns 60
+ * calculateSum(['one', 2])                // Returns null (invalid input)
+ */
+export function calculateSum(integerArray, fixedDecimalPlaces) {
   if (!Array.isArray(integerArray) || integerArray.some((n) => typeof n !== 'number')) {
     return null;
   }
-  return integerArray.reduce((a, b) => a + b, 0);
+
+  const sum = integerArray.reduce((a, b) => a + b, 0);
+
+  if (typeof fixedDecimalPlaces === 'number' && fixedDecimalPlaces >= 0) {
+    return parseFloat(sum.toFixed(fixedDecimalPlaces));
+  }
+
+  return sum;
+}
+
+/**
+ * Formats a number for display with a fixed number of decimal places.
+ * This helper function converts numbers to strings with trailing zeros preserved,
+ * which is useful for displaying values like "48.8000" instead of "48.8".
+ *
+ * @param {number} number - The number to format
+ * @param {number} decimalPlaces - The number of decimal places to display
+ * @returns {number|string} Returns the original number if invalid inputs,
+ *                          returns 0 as-is for zero values,
+ *                          otherwise returns a string with fixed decimal places
+ *
+ * @example
+ * toFixedDisplay(48.8, 4)      // Returns "48.8000"
+ * toFixedDisplay(73.2, 4)      // Returns "73.2000"
+ * toFixedDisplay(0, 4)         // Returns 0 (not "0.0000")
+ * toFixedDisplay(100, 2)       // Returns "100.00"
+ */
+export function toFixedDisplay(number, decimalPlaces) {
+  if (typeof number !== 'number' || typeof decimalPlaces !== 'number' || decimalPlaces < 0) {
+    return number;
+  }
+
+  if (number === 0) {
+    return 0;
+  }
+
+  return number.toFixed(decimalPlaces);
 }
diff --git a/ui/app/utils/constants/capabilities.ts b/ui/app/utils/constants/capabilities.ts
index 01a8aed799..900bc55d37 100644
--- a/ui/app/utils/constants/capabilities.ts
+++ b/ui/app/utils/constants/capabilities.ts
@@ -23,6 +23,15 @@ export const PATH_MAP = {
   clientsConfig: apiPath`sys/internal/counters/config`,
   customLogin: apiPath`sys/config/ui/login/default-auth/${'id'}`,
   customMessages: apiPath`sys/config/ui/custom-messages/${'id'}`,
+  databaseConfig: apiPath`${'backend'}/config`,
+  databaseRoles: apiPath`${'backend'}/roles`,
+  databaseStaticRoles: apiPath`${'backend'}/static-roles`,
+  keymgmtKey: apiPath`${'backend'}/key/${'name'}`,
+  keymgmtKeys: apiPath`${'backend'}/key`,
+  keymgmtKeyProviders: apiPath`${'backend'}/key/${'name'}/kms`,
+  keymgmtProvider: apiPath`${'backend'}/kms/${'id'}`,
+  keymgmtProviders: apiPath`${'backend'}/kms`,
+  keymgmtProviderKeys: apiPath`${'backend'}/kms/${'id'}/key`,
   kmipCredentialsRevoke: apiPath`${'backend'}/scope/${'scope'}/role/${'role'}/credentials/revoke`,
   kmipRole: apiPath`${'backend'}/scopes/${'scope'}/roles/${'name'}`,
   kmipScope: apiPath`${'backend'}/scopes/${'name'}`,
@@ -38,6 +47,12 @@ export const PATH_MAP = {
   ldapRotateStaticRole: apiPath`${'backend'}/rotate-role/${'name'}`,
   ldapStaticRole: apiPath`${'backend'}/static-role/${'name'}`,
   ldapStaticRoleCreds: apiPath`${'backend'}/static-cred/${'name'}`,
+  oidcAssignment: apiPath`identity/oidc/assignment/${'name'}`,
+  oidcClient: apiPath`identity/oidc/client/${'name'}`,
+  oidcKey: apiPath`identity/oidc/key/${'name'}`,
+  oidcKeyRotate: apiPath`identity/oidc/key/${'name'}/rotate`,
+  oidcProvider: apiPath`identity/oidc/provider/${'name'}`,
+  oidcScope: apiPath`identity/oidc/scope/${'name'}`,
   pkiCertificates: apiPath`${'backend'}/certificates`,
   pkiConfigAcme: apiPath`${'backend'}/config/acme`,
   pkiConfigAutoTidy: apiPath`${'backend'}/config/auto-tidy`,
@@ -64,8 +79,23 @@ export const PATH_MAP = {
   pkiSignVerbatim: apiPath`${'backend'}/sign-verbatim/${'id'}`,
   pkiTidy: apiPath`${'backend'}/tidy`,
   pkiTidyStatus: apiPath`${'backend'}/tidy/status`,
+  policy: apiPath`sys/policies/${'policyType'}/${'id'}`,
+  sshCredentials: apiPath`${'backend'}/creds/${'id'}`,
+  sshRole: apiPath`${'backend'}/roles/${'id'}`,
+  sshSign: apiPath`${'backend'}/sign/${'id'}`,
+  sshZeroAddress: apiPath`${'backend'}/config/zeroaddress`,
   syncActivate: apiPath`sys/activation-flags/secrets-sync/activate`,
   syncDestination: apiPath`sys/sync/destinations/${'type'}/${'name'}`,
   syncRemoveAssociation: apiPath`sys/sync/destinations/${'type'}/${'name'}/associations/remove`,
   syncSetAssociation: apiPath`sys/sync/destinations/${'type'}/${'name'}/associations/set`,
+  totpKey: apiPath`${'backend'}/keys/${'name'}`,
+  totpKeys: apiPath`${'backend'}/keys`,
+  transformAlphabet: apiPath`${'backend'}/alphabet/${'name'}`,
+  transformAlphabets: apiPath`${'backend'}/alphabet`,
+  transformRole: apiPath`${'backend'}/role/${'name'}`,
+  transformRoles: apiPath`${'backend'}/role`,
+  transformTemplate: apiPath`${'backend'}/template/${'name'}`,
+  transformTemplates: apiPath`${'backend'}/template`,
+  transformTransformation: apiPath`${'backend'}/transformation/${'name'}`,
+  transformTransformations: apiPath`${'backend'}/transformation`,
 };
diff --git a/ui/app/utils/constants/namespace.ts b/ui/app/utils/constants/namespace.ts
new file mode 100644
index 0000000000..7617a4e1be
--- /dev/null
+++ b/ui/app/utils/constants/namespace.ts
@@ -0,0 +1,7 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export const ROOT_NAMESPACE = '';
+export const ADMINISTRATIVE_NAMESPACE = 'admin';
diff --git a/ui/app/utils/constants/snippet.ts b/ui/app/utils/constants/snippet.ts
new file mode 100644
index 0000000000..65a37f295b
--- /dev/null
+++ b/ui/app/utils/constants/snippet.ts
@@ -0,0 +1,10 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export enum CreationMethod {
+  TERRAFORM = 'Terraform automation',
+  APICLI = 'API/CLI',
+  UI = 'Vault UI workflow',
+}
diff --git a/ui/app/utils/constants/wizard.ts b/ui/app/utils/constants/wizard.ts
new file mode 100644
index 0000000000..166411f370
--- /dev/null
+++ b/ui/app/utils/constants/wizard.ts
@@ -0,0 +1,13 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export const DISMISSED_WIZARD_KEY = 'dismissed-wizards';
+
+export const WIZARD_ID_MAP = {
+  aclPolicy: 'acl-policy',
+  authMethods: 'auth-methods',
+  secretEngines: 'secret-engines',
+  namespace: 'namespace',
+} as const;
diff --git a/ui/app/utils/form-config-generator.js b/ui/app/utils/form-config-generator.js
new file mode 100644
index 0000000000..e127674c65
--- /dev/null
+++ b/ui/app/utils/form-config-generator.js
@@ -0,0 +1,194 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+/**
+ * Utility functions for generating form configurations from OpenAPI specs.
+ * These functions have no side effects and can be safely imported and used in unit tests.
+ */
+
+import { dasherize, classify } from '@ember/string';
+
+const TYPE_DEFAULTS = {
+  string: '',
+  number: 0,
+  integer: 0,
+  boolean: false,
+  object: {},
+  array: [],
+};
+
+const API_CLASS_FROM_TAG = {
+  auth: 'auth',
+  identity: 'identity',
+  secrets: 'secrets',
+  system: 'sys',
+};
+
+const formatLabel = (str) => {
+  // HDS guidelines suggest using sentence case for labels
+  // "some_example_text" → "Some example text"
+  // "client-id" → "Client id"
+  const sentence = str.replace(/[_-]/g, ' ').toLowerCase();
+  return sentence.charAt(0).toUpperCase() + sentence.slice(1);
+};
+
+/**
+ * Construct request type name to match the vault-client-typescript SDK conventions.
+ * Example: tag='system', methodName='mountsEnableSecretsEngine'
+ *        → 'SystemApiMountsEnableSecretsEngineOperationRequest'
+ */
+const getRequestType = (tag, methodName) => {
+  const apiClassName = `${classify(tag)}Api`;
+  const methodPascal = classify(methodName);
+  return `${apiClassName}${methodPascal}OperationRequest`;
+};
+
+const getOperationDetails = (spec, operationId) => {
+  const { components } = spec;
+
+  for (const pathUrl in spec.paths) {
+    const pathItem = spec.paths[pathUrl];
+    const { post } = pathItem;
+
+    if (post?.operationId !== operationId) continue;
+
+    const ref = post.requestBody?.content?.['application/json']?.schema?.$ref;
+    const schemaName = ref?.split('/').pop();
+    const requestBody = components.schemas[schemaName];
+
+    // There are typically two parts to the API operations -
+    // the parameters and the request body. These are in different places
+    // in the spec so we need to address them separately.
+    const params = [];
+    if (Array.isArray(pathItem.parameters)) {
+      for (const param of pathItem.parameters) {
+        if (param.deprecated) continue;
+        params.push({
+          name: param.name,
+          description: param.description,
+          required: param.required,
+          type: param.schema.type,
+        });
+      }
+    }
+
+    const properties = {};
+    for (const [propName, prop] of Object.entries(requestBody.properties)) {
+      if (prop.deprecated) continue;
+      properties[propName] = prop;
+    }
+
+    return {
+      operationId: post.operationId,
+      tag: post.tags?.[0],
+      description: pathItem.description || post.summary || '',
+      pathUrl,
+      parameters: params,
+      requestBody: [schemaName, properties],
+    };
+  }
+
+  return null;
+};
+
+const buildPayloadFromOperation = (operation) => {
+  const [requestSchemaName, requestProperties] = operation.requestBody;
+  const payload = {};
+
+  for (const param of operation.parameters) {
+    payload[param.name] = TYPE_DEFAULTS[param.type];
+  }
+
+  const requestPayload = {};
+  for (const [propName, prop] of Object.entries(requestProperties)) {
+    requestPayload[propName] = TYPE_DEFAULTS[prop.type];
+  }
+  payload[requestSchemaName] = requestPayload;
+
+  return payload;
+};
+
+const buildSectionsFromOperation = (operation) => {
+  const [requestSchemaName, requestProperties] = operation.requestBody;
+  // { default: [...], Advanced: [...] }
+  const groups = {};
+
+  // Group all of the parameter fields together
+  for (const param of operation.parameters) {
+    // `??=` is used to initialize the group if it doesn't exist
+    (groups.params ??= []).push({
+      name: param.name,
+      type: 'TextInput',
+      label: formatLabel(param.name),
+      helperText: param.description,
+    });
+  }
+
+  // Add request body fields to their respective groups
+  for (const [propName, prop] of Object.entries(requestProperties)) {
+    const group = prop['x-vault-displayAttrs']?.group || 'default';
+    (groups[group] ??= []).push({
+      name: `${requestSchemaName}.${propName}`,
+      type: 'TextInput',
+      label: prop['x-vault-displayAttrs']?.name || formatLabel(propName),
+      helperText: prop.description,
+    });
+  }
+
+  // Returns a converted `group` object to the correct format for sections:
+  // [{ name: 'default', fields: [...] }, { name: 'Advanced', fields: [...] }, ...]
+  return Object.entries(groups).map(([name, fields]) => ({ name, fields }));
+};
+
+export const prepFormConfig = (spec, methodName) => {
+  const operation = getOperationDetails(spec, dasherize(methodName));
+
+  if (!operation) return null;
+
+  return {
+    name: methodName,
+    path: operation.pathUrl,
+    description: operation.description,
+    payload: buildPayloadFromOperation(operation),
+    sections: buildSectionsFromOperation(operation),
+    apiClass: API_CLASS_FROM_TAG[operation.tag],
+    requestType: getRequestType(operation.tag, methodName),
+  };
+};
+
+export const generateConfigContent = (config) => {
+  return `
+    /**
+      * Copyright IBM Corp. 2016, 2025
+      * SPDX-License-Identifier: BUSL-1.1
+    */
+
+    // ⚠️ AUTO-GENERATED FILE - DO NOT EDIT
+    // This file is generated from openapi.json
+    // To customize this form, create an override in
+    // forms/v2/overrides/
+
+    import type ApiService from 'vault/services/api';
+    import type { FormConfig } from '../form-config';
+    import type { ${config.requestType} } from '@hashicorp/vault-client-typescript';
+
+    /**
+     * Form configuration for ${config.name}
+     * Auto-generated from OpenAPI specification
+     */
+    const ${config.name}Config: FormConfig<${config.requestType},unknown> = {
+      name: '${config.name}',
+      path: '${config.path}',
+      description: '${config.description}',
+      submit: async (api: ApiService, payload: ${config.requestType}) => {
+        return await api.${config.apiClass}.${config.name}Raw(payload);
+      },
+      payload: ${JSON.stringify(config.payload, null, 2)},
+      sections: ${JSON.stringify(config.sections, null, 2)},
+    };
+
+    export default ${config.name}Config;
+  `;
+};
diff --git a/ui/app/utils/forms/validate.ts b/ui/app/utils/forms/validate.ts
index cb4dd344be..0045a4c7b9 100644
--- a/ui/app/utils/forms/validate.ts
+++ b/ui/app/utils/forms/validate.ts
@@ -59,10 +59,8 @@ export const validate = (
       }
       // dot notation may be used to define key for nested property
       const passedValidation = useCustomValidator
-        ? // @ts-expect-error - options may or may not be defined
-          validator(data, options)
-        : // @ts-expect-error - options may or may not be defined
-          validator(get(data, key), options);
+        ? validator(data, options)
+        : validator(get(data, key), options);
 
       if (!passedValidation) {
         // message can also be a function
diff --git a/ui/app/utils/forms/validators.js b/ui/app/utils/forms/validators.js
index 4c37c51796..6be134cbf6 100644
--- a/ui/app/utils/forms/validators.js
+++ b/ui/app/utils/forms/validators.js
@@ -26,10 +26,12 @@ export const length = (value, { nullable = false, min, max } = {}) => {
   return nullable;
 };
 
-export const number = (value, { nullable = false } = {}) => {
+export const number = (value, { nullable = false, min, max } = {}) => {
   // since 0 is falsy, !value returns true even though 0 is a valid number
   if (!value && value !== 0) return nullable;
-  return !isNaN(value);
+  const underMin = isPresent(min) ? value < min : false;
+  const overMax = isPresent(max) ? value > max : false;
+  return !isNaN(value) && !underMin && !overMax;
 };
 
 export const containsWhiteSpace = (value) => {
diff --git a/ui/app/utils/keymgmt-provider-utils.ts b/ui/app/utils/keymgmt-provider-utils.ts
new file mode 100644
index 0000000000..530c8d9e0d
--- /dev/null
+++ b/ui/app/utils/keymgmt-provider-utils.ts
@@ -0,0 +1,30 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+/**
+ * Validates if a provider value is a valid string that can be used for API calls.
+ * Provider must be a non-empty string to be valid.
+ * This prevents passing objects like { permissionsError: true } to API calls.
+ * @param {*} provider - The provider value to validate
+ * @returns {boolean} true if provider is a valid non-empty string, false otherwise
+ */
+export function isValidProvider(provider: unknown): boolean {
+  return typeof provider === 'string' && provider.trim().length > 0;
+}
+
+/**
+ * Returns the icon name associated with a keymgmt provider type.
+ * @param {string | undefined} providerType - The keymgmt provider type
+ * @returns {string} Icon token used by the UI
+ */
+export function getKeymgmtProviderIcon(providerType?: string): string {
+  return (
+    {
+      azurekeyvault: 'azure-color',
+      awskms: 'aws-color',
+      gcpckms: 'gcp-color',
+    }[providerType || ''] || 'key'
+  );
+}
diff --git a/ui/app/utils/keymgmt-provider-validator.ts b/ui/app/utils/keymgmt-provider-validator.ts
new file mode 100644
index 0000000000..f4518a5752
--- /dev/null
+++ b/ui/app/utils/keymgmt-provider-validator.ts
@@ -0,0 +1,15 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+/**
+ * Validates if a provider value is a valid string that can be used for API calls.
+ * Provider must be a non-empty string to be valid.
+ * This prevents passing objects like { permissionsError: true } to API calls.
+ * @param {*} provider - The provider value to validate
+ * @returns {boolean} true if provider is a valid non-empty string, false otherwise
+ */
+export function isValidProvider(provider: any): boolean {
+  return provider && typeof provider === 'string' && provider.trim().length > 0;
+}
diff --git a/ui/app/utils/metrics-helpers.ts b/ui/app/utils/metrics-helpers.ts
new file mode 100644
index 0000000000..79a24974cf
--- /dev/null
+++ b/ui/app/utils/metrics-helpers.ts
@@ -0,0 +1,103 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { calculateSum } from 'vault/utils/chart-helpers';
+
+import type { Month, NormalizedMetricsData } from 'vault/vault/billing/overview';
+
+export enum NormalizedBillingMetrics {
+  AUTO_ROTATED_ROLES_TOTAL = 'auto_rotated_roles_total',
+  CREDENTIAL_UNITS_TOTAL = 'credential_units_total',
+  DATA_PROTECTION_CALLS_TOTAL = 'data_protection_calls_total',
+  DATA_PROTECTION_CALLS_TRANSFORM = 'data_protection_calls_transform',
+  DATA_PROTECTION_CALLS_TRANSIT = 'data_protection_calls_transit',
+  DATA_PROTECTION_CALLS_GCPKMS = 'data_protection_calls_gcpkms',
+  DYNAMIC_ROLES_TOTAL = 'dynamic_roles_total',
+  EXTERNAL_PLUGINS_TOTAL = 'external_plugins_total',
+  ID_TOKEN_UNITS_TOTAL = 'id_token_units_total',
+  ID_TOKEN_UNITS_OIDC = 'id_token_units_oidc',
+  ID_TOKEN_UNITS_SPIFFE = 'id_token_units_spiffe',
+  KMIP_USED_IN_MONTH = 'kmip_used_in_month',
+  MANAGED_KEYS = 'managed_keys',
+  MANAGED_KEYS_KMSE = 'managed_keys_kmse',
+  MANAGED_KEYS_TOTAL = 'managed_keys_total',
+  MANAGED_KEYS_TOTP = 'managed_keys_totp',
+  PKI_UNITS_TOTAL = 'pki_units_total',
+  SSH_UNITS = 'ssh_units',
+  SSH_UNITS_CERTIFICATE_UNITS = 'ssh_units_certificate_units',
+  SSH_UNITS_OTP_UNITS = 'ssh_units_otp_units',
+  SSH_UNITS_TOTAL = 'ssh_units_total',
+  STATIC_SECRETS_KV = 'static_secrets_kv',
+  STATIC_SECRETS_TOTAL = 'static_secrets_total',
+}
+
+export enum BillingMetricsKeys {
+  USED_IN_MONTH = 'used_in_month',
+  KMIP = 'kmip',
+  TOTAL = 'total',
+}
+
+export function normalizeMetricData(metric: Month | null | undefined) {
+  const { usage_metrics } = metric || {};
+  if (!usage_metrics) return;
+
+  const normalized: NormalizedMetricsData = {};
+
+  for (const metric of usage_metrics) {
+    if (metric.metric_name === 'kmip') {
+      const kmipKey = `${metric.metric_name}_used_in_month`;
+      normalized[kmipKey] = metric.metric_data.used_in_month;
+    }
+
+    const metricName = metric.metric_name;
+    const total = metric.metric_data?.total;
+
+    if (typeof total === 'number') {
+      normalized[`${metricName}_total`] = total;
+    }
+
+    for (const detail of metric.metric_data?.metric_details ?? []) {
+      // Skip detail entries that are missing a type or a numeric count — both are required to build a valid normalized key.
+      if (!detail.type || typeof detail.count !== 'number') continue;
+      // Prefix parent metric_name to detail "type" to avoid future naming collisions.
+      // For example the 'kv' type in the `metrics_details`
+      // becomes `static_secrets_kv`:
+      // {
+      //   metric_name: 'static_secrets',
+      //   metric_data: {
+      //     total: 10,
+      //     metric_details: [{ type: 'kv', count: 10 }],
+      //   },
+      // },
+      const detailName = `${metricName}_${detail.type}`;
+      normalized[detailName] = detail.count;
+    }
+  }
+
+  // Calculate credential_units_total as the sum of ssh_units, pki_units, and id_token_units
+  const sshUnitsTotal =
+    typeof normalized[NormalizedBillingMetrics.SSH_UNITS_TOTAL] === 'number'
+      ? normalized[NormalizedBillingMetrics.SSH_UNITS_TOTAL]
+      : 0;
+  const pkiUnitsTotal =
+    typeof normalized[NormalizedBillingMetrics.PKI_UNITS_TOTAL] === 'number'
+      ? normalized[NormalizedBillingMetrics.PKI_UNITS_TOTAL]
+      : 0;
+  const idTokenUnitsTotal =
+    typeof normalized[NormalizedBillingMetrics.ID_TOKEN_UNITS_TOTAL] === 'number'
+      ? normalized[NormalizedBillingMetrics.ID_TOKEN_UNITS_TOTAL]
+      : 0;
+  normalized[NormalizedBillingMetrics.CREDENTIAL_UNITS_TOTAL] =
+    calculateSum([sshUnitsTotal, pkiUnitsTotal, idTokenUnitsTotal], 4) ?? 0;
+
+  // Explicitly set any missing metric keys to 0.
+  for (const metricsKey of Object.values(NormalizedBillingMetrics)) {
+    if (!(metricsKey in normalized)) {
+      normalized[metricsKey] = 0;
+    }
+  }
+
+  return normalized;
+}
diff --git a/ui/app/utils/mfa-login-enforcement-helpers.js b/ui/app/utils/mfa-login-enforcement-helpers.js
new file mode 100644
index 0000000000..8204068505
--- /dev/null
+++ b/ui/app/utils/mfa-login-enforcement-helpers.js
@@ -0,0 +1,191 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { filterEnginesByMountCategory } from 'core/utils/all-engines-metadata';
+import { addManyToArray, addToArray } from 'vault/helpers/add-to-array';
+import { capitalize } from '@ember/string';
+
+/**
+ * Prepares targets for MFA login enforcement display
+ * @param {Object} enforcement - The enforcement object containing target data
+ * @param {Array} enforcement.auth_method_accessors - Array of auth method accessors
+ * @param {Array} enforcement.auth_method_types - Array of auth method types
+ * @param {Array} enforcement.identity_entities - Array of identity entities (or identity_entity_ids)
+ * @param {Array} enforcement.identity_groups - Array of identity groups (or identity_group_ids)
+ * @param {Object} api - The API service for fetching auth methods and identity data
+ * @param {Object} options - Optional configuration
+ * @param {boolean} options.includeFormFields - If true, includes label, key, and value fields for form usage
+ * @returns {Promise<Array>} Array of prepared target objects
+ */
+export async function prepareTargets(enforcement, api, options = {}) {
+  let authMethods;
+  let targets = [];
+  const { includeFormFields = false } = options;
+
+  if (enforcement.auth_method_accessors?.length || enforcement.auth_method_types?.length) {
+    // fetch all auth methods and lookup by accessor to get mount path and type
+    try {
+      const { data } = await api.sys.authListEnabledMethods();
+      authMethods = api.responseObjectToArray(data, 'path');
+    } catch (error) {
+      // swallow this error
+    }
+  }
+
+  if (enforcement.auth_method_accessors?.length) {
+    const selectedAuthMethods = authMethods.filter((method) => {
+      return enforcement.auth_method_accessors.includes(method.accessor);
+    });
+    targets = addManyToArray(
+      targets,
+      selectedAuthMethods.map((method) => ({
+        ...(includeFormFields && {
+          label: 'Authentication mount',
+          key: 'auth_method_accessors',
+          value: method.accessor,
+        }),
+        icon: iconForMount(method.type),
+        link: 'vault.cluster.access.method',
+        linkModels: [method.path.slice(0, -1)],
+        title: method.path,
+        subTitle: method.accessor,
+      }))
+    );
+  }
+
+  enforcement.auth_method_types?.forEach((type) => {
+    const icon = iconForMount(type);
+    const mountCount = authMethods ? authMethods.filterBy('type', type).length : 0;
+    targets = addToArray(targets, {
+      ...(includeFormFields && {
+        label: 'Authentication method',
+        key: 'auth_method_types',
+        value: type,
+      }),
+      icon,
+      title: type,
+      subTitle: `All ${type} mounts (${mountCount})`,
+    });
+  });
+
+  // Handle identity entities and groups using API service
+  const types = [
+    {
+      key: 'identity_entities',
+      idKey: 'identity_entity_ids',
+      linkType: 'entities',
+      label: 'Entity',
+      apiMethod: 'entityListById',
+    },
+    {
+      key: 'identity_groups',
+      idKey: 'identity_group_ids',
+      linkType: 'groups',
+      label: 'Group',
+      apiMethod: 'groupListById',
+    },
+  ];
+
+  for (const { key, idKey, linkType, label, apiMethod } of types) {
+    const itemKey = enforcement[key] ? key : idKey;
+    const ids = enforcement[itemKey] || [];
+
+    if (ids.length > 0) {
+      try {
+        // Fetch all entities/groups at once using list endpoint
+        const response = await api.identity[apiMethod](true);
+        const allItems = api.keyInfoToArray(response);
+
+        // Filter to only the IDs we need and map to target objects
+        ids.forEach((id) => {
+          const item = allItems.find((i) => i.id === id);
+          if (item) {
+            targets = addToArray(targets, {
+              ...(includeFormFields && {
+                label,
+                key: idKey,
+                value: item,
+              }),
+              icon: 'user',
+              link: 'vault.cluster.access.identity.show',
+              linkModels: [linkType, id, 'details'],
+              title: item.name,
+              subTitle: id,
+            });
+          }
+        });
+      } catch (error) {
+        // Skip items that can't be loaded
+      }
+    }
+  }
+
+  return targets;
+}
+
+/**
+ * Returns the icon for a given mount type
+ * @param {string} type - The mount type
+ * @returns {string} The icon name
+ */
+export function iconForMount(type) {
+  const mountableMethods = filterEnginesByMountCategory({ mountCategory: 'auth', isEnterprise: true });
+  const mount = mountableMethods.find((method) => method.type === type);
+  return mount ? mount.glyph || mount.type : 'token';
+}
+
+/**
+ * Returns the icon for a given MFA method type
+ * @param {string} type - The MFA method type (e.g., 'totp', 'duo', 'pingid')
+ * @returns {string} The icon name
+ */
+export function getMfaMethodIcon(type) {
+  switch (type) {
+    case 'totp':
+      return 'history';
+    case 'pingid':
+      return 'ping-identity-color';
+    case 'duo':
+      return 'duo-color';
+    default:
+      return type;
+  }
+}
+
+/**
+ * Returns the display name for a given MFA method type
+ * @param {string} type - The MFA method type (e.g., 'totp', 'duo', 'pingid')
+ * @returns {string} The formatted display name
+ */
+export function getMfaMethodName(type) {
+  return type === 'totp' ? type.toUpperCase() : capitalize(type);
+}
+
+/**
+ * Fetches all MFA methods by listing method IDs and reading each method's details
+ * @param {Object} api - The API service instance
+ * @returns {Promise<Array>} Array of MFA method data objects
+ */
+export async function fetchMfaMethods(api) {
+  const response = await api.identity.mfaListMethods(true);
+  const mfaMethods = api.keyInfoToArray(response);
+
+  mfaMethods.forEach((method) => {
+    method.displayName = getMfaMethodName(method.type);
+    method.icon = getMfaMethodIcon(method.type);
+  });
+
+  return mfaMethods;
+}
+
+/**
+ * Fetches all MFA login enforcements by listing enforcement names and reading each enforcement's details
+ * @param {Object} api - The API service instance
+ * @returns {Promise<Array>} Array of MFA login enforcement data objects
+ */
+export async function fetchMfaLoginEnforcements(api) {
+  const response = await api.identity.mfaListLoginEnforcements(true);
+  return api.keyInfoToArray(response);
+}
diff --git a/ui/app/utils/model-helpers/secret-engine-helpers.ts b/ui/app/utils/model-helpers/secret-engine-helpers.ts
index c5fd03b531..d5c8310d97 100644
--- a/ui/app/utils/model-helpers/secret-engine-helpers.ts
+++ b/ui/app/utils/model-helpers/secret-engine-helpers.ts
@@ -50,10 +50,15 @@ function getTransformModelTypeFromParams(transformType?: string): string {
 
 /**
  * Main helper function to determine the transform model type based on context.
- * @param context - Context object containing secret path, transformType, or tab
+ * @param context - Context object containing secret path, transformType, tab, or itemType
  * @returns The appropriate transform model type
  */
-function getTransformModelType(context: { transformType?: string; tab?: string; secret?: string }): string {
+function getTransformModelType(context: {
+  transformType?: string;
+  tab?: string;
+  secret?: string;
+  itemType?: string;
+}): string {
   // Check secret name prefix first (for existing secrets)
   if (context.secret) {
     const secretBasedType = getTransformModelTypeFromSecretPath(context.secret);
@@ -64,7 +69,8 @@ function getTransformModelType(context: { transformType?: string; tab?: string;
   }
 
   // Fall back to query parameters (for new secrets or navigation, or when secret has no recognized prefix)
-  const transformType = context.transformType || context.tab;
+  // Check transformType, tab, and itemType — consistent with how keymgmt uses itemType for sub-type resolution.
+  const transformType = context.transformType || context.tab || context.itemType;
   return getTransformModelTypeFromParams(transformType);
 }
 
diff --git a/ui/app/utils/openapi-helpers.ts b/ui/app/utils/openapi-helpers.ts
index 6b60a9bba7..88a927ef4b 100644
--- a/ui/app/utils/openapi-helpers.ts
+++ b/ui/app/utils/openapi-helpers.ts
@@ -204,17 +204,18 @@ export function filterPathsByItemType(pathInfo: PathInfo, itemType: string): Pat
   });
 }
 
-/**
- * This object maps model names to the openAPI path that hydrates the model, given the backend path.
- */
-const OPENAPI_POWERED_MODELS = {
-  'role-ssh': (backend: string) => `/v1/${backend}/roles/example?help=1`,
-};
+// Maps model names to the openAPI path used for Ember Data hydration.
+// Currently empty — all models that used it (auth-configs, PKI, KMIP, SSH) have been migrated
+// to API-backed Form classes. Other engine types (transform, database, identity) call hydrateModel
+// but were never in this map and don't rely on it — those calls are already no-ops.
+// TODO: To fully delete this and getHelpUrlForModel, we also need to clean up the hydrateModel call sites
+// in secrets/backend/list.js and secret-edit.js.
+const OPENAPI_POWERED_MODELS: Record<string, (backend: string) => string> = {};
 
 export function getHelpUrlForModel(modelType: string, backend?: string) {
   if (modelType in OPENAPI_POWERED_MODELS && backend) {
-    const urlFn = OPENAPI_POWERED_MODELS[modelType as keyof typeof OPENAPI_POWERED_MODELS];
-    return urlFn(backend);
+    const urlFn = OPENAPI_POWERED_MODELS[modelType];
+    return urlFn?.(backend) ?? null;
   }
   return null;
 }
diff --git a/ui/config/content-security-policy.js b/ui/config/content-security-policy.js
index 5c0607dbd2..6c83c88bfe 100644
--- a/ui/config/content-security-policy.js
+++ b/ui/config/content-security-policy.js
@@ -10,13 +10,17 @@ module.exports = function (environment) {
     'font-src': ["'self'"],
     'connect-src': ["'self'"],
     'img-src': ["'self'", 'data:'],
-    'style-src': ["'unsafe-inline'", "'self'"],
+    'style-src': ["'self'"],
     'media-src': ["'self'"],
     'form-action': ["'none'"],
   };
 
   policy['connect-src'].push('https://eu.i.posthog.com');
 
+  if (environment === 'test') {
+    policy['style-src'].push("'unsafe-inline'");
+  }
+
   return {
     delivery: ['header', 'meta'],
     enabled: environment !== 'production',
diff --git a/ui/config/ember-intl.js b/ui/config/ember-intl.js
new file mode 100644
index 0000000000..e27f3da0c4
--- /dev/null
+++ b/ui/config/ember-intl.js
@@ -0,0 +1,13 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+module.exports = function () {
+  return {
+    fallbackLocale: null,
+    inputPath: 'translations',
+    publicOnly: false,
+    wrapTranslationsWithNamespace: true,
+  };
+};
diff --git a/ui/docs/css.md b/ui/docs/css.md
index 211699929e..8d7ba85934 100644
--- a/ui/docs/css.md
+++ b/ui/docs/css.md
@@ -1,23 +1,20 @@
 # CSS/SCSS
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
 - [Guidelines](#guidelines)
   - [Helper classes](#helper-classes)
   - [Core class styles](#core-class-styles)
 
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
 ## Guidelines
 
 - [**Helper classes**](#helper-classes) should be used if a styling block does not already exist and/or a reasonable number of helper classes can cover the desired style.
 - [**Core classes**](#core-class-styles) provide styling for any classes not associated with a component. The scope of each file is defined by the file name.
 - **Component specific styling** should only be added to, or created when you cannot achieve the styling with a helper class or core class.
-- **Utils'** files define mixins, and variables. 
+- **Utils'** files define mixins, and variables.
 
 > ### Known issues
+>
 > The following are known issues that we are working to address in conjunction with the adoption of HDS.
+>
 > 1. **Size variables** The UI does not follow a consistent size variable pattern. We use both px and rem to define font-size and we use px, rem, and ems to define margins, heights and widths. For accessibility reasons we _should_ define all font-sizing at the very least by rem, though this is not consistently done in the app.
 > 2. **Variable naming** The UI does not have a consistent pattern to variable naming. We use a mix of numbers and words (ex: `ui-gray-050` is the same as `ui-gray-lightest`).
 > 3. **Random variables** We have dieing but not dead variables. For example, we have some variables that define box-shadows and we have some variables to define animations, but we are missing many box-shadow definitions and we do not consistently use the animation variables.
@@ -26,7 +23,7 @@
 
 ### Helper classes
 
-A good portion of our class definitions have come from Bulma. Bulma has since been removed, but we still rely on many of its class definitions. Bulma class definitions, specifically their helper classes, always end in the keyword  `!important`. This use of `important!` and Bulma specific naming patterns has led to a mix of inconsistent helper class names. Moving forward, we have agreed as a team to pursue the following patterns. When it makes sense, please default to these instead of relying on existing helper names for guidance.
+A good portion of our class definitions have come from Bulma. Bulma has since been removed, but we still rely on many of its class definitions. Bulma class definitions, specifically their helper classes, always end in the keyword `!important`. This use of `important!` and Bulma specific naming patterns has led to a mix of inconsistent helper class names. Moving forward, we have agreed as a team to pursue the following patterns. When it makes sense, please default to these instead of relying on existing helper names for guidance.
 
 - Drop the starting verb. Many of our helper classes start with a verb `has` or `is`. Going forward we prefer to drop the verb. `margin-bottom` instead of `is-margin-bottom`.
 - Start your helper class name with what the class controls. `margin-bottom` instead of `bottom-margin`.
diff --git a/ui/docs/forms.md b/ui/docs/forms.md
index 90560779a6..2579b1257f 100644
--- a/ui/docs/forms.md
+++ b/ui/docs/forms.md
@@ -1,12 +1,7 @@
 # Forms
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
 - [Guidelines](#guidelines)
 
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
 ## Guidelines
 
 - Render `FlashMessage` on success
diff --git a/ui/docs/how-to-docfy.md b/ui/docs/how-to-docfy.md
deleted file mode 100644
index 6dc50ec876..0000000000
--- a/ui/docs/how-to-docfy.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: How to docfy
-order: 1
----
-
-# How to docfy
-
-http://localhost:4200/ui/docs (navigate to directly or click the present icon in the bottom right of the app footer).
-
-## `docs/` markdown files
-
-Side nav links correspond to the file + directory structure within the `docs/` directory. These top-level markdown files **can** be edited directly and any updates should be saved and pushed to main. (Component docs are generated by the `pnpm docs` command, see below.)
-
-## generating component docs
-
-The `docs/components` directory is where _generated_ component markdown files are located after running `pnpm docs`. **Do not edit component markdown files directly**. Instead, update markdown by making changes to the `jsdoc` and then re-running the generate command. The `docs/components/*` files are included in `.gitignore` so they are not pushed to main. `jsdoc-to-markdown` errors log in the console.
-
-> _If you have never run the `pnpm docs` command before, you need to create the `docs/components` directory locally before running `pnpm docfy-md` so the markdown has a place to go. `mkdir docs/components`_
-
-```
-pnpm docfy-md <component name> <addon or engine> <full filepath>
-```
-
-> _Note: the above command takes three args, if passing the full filepath for a component then the second arg is unnecessary_
-
-| Command                                                                   | Description                                                                                  |
-| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
-| `pnpm docs`                                                               | generate markdown file for every\* component in the `addon/core` directory                   |
-| `pnpm docfy-md some-component-name`                                       | generate markdown file for **specific** component                                            |
-| `pnpm docfy-md read-more core`                                            | generate markdown for `read-more` component in the `core` addon                              |
-| `pnpm docfy-md pki-test null ./lib/pki/addon/components/pki-key-usage.ts` | optional third arg is the full component filepath (first arg will become markdown file name) |
-| `mkdir docs/components`                                                   | create directory where the generated component markdown files will go                        |
-| `rm -f ./docs/components/*`                                               | cleanup and delete generated component markdown files                                        |
-
-> _\*replication and `shamir/*` components are skipped as these are not reused and should eventually be moved outside the `addon/core` directory_
-
-## Writing documentation for a component
-
-Component docs are generated by the script `pnpm docs`. Accurate `jsdoc` syntax is important so `jsdoc-to-markdown` properly generates the markdown file for that component. **Do not edit component markdown files directly**.
-
-| jsdoc examples                           |                                                                                                            |                                                               |
-| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
-| form-field (`@description` example)      | [github ](https://github.com/hashicorp/vault/blob/main/ui/lib/core/addon/components/form-field.js)         | [vscode ](../lib/core/addon/components/form-field.js)         |
-| confirmation-modal                       | [github ](https://github.com/hashicorp/vault/blob/main/ui/lib/core/addon/components/confirmation-modal.js) | [vscode ](../lib/core/addon/components/confirmation-modal.js) |
-| certificate-card                         | [github ](https://github.com/hashicorp/vault/blob/main/ui/lib/core/addon/components/certificate-card.js)   | [vscode ](../lib/core/addon/components/certificate-card.js)   |
-| alert-inline (`@deprecated` example)     | [github](https://github.com/hashicorp/vault/blob/main/ui/lib/core/addon/components/alert-inline.js)        | [vscode ](../lib/core/addon/components/alert-inline.js)       |
-| secret-list-header (code snippet only\*) | [github](https://github.com/hashicorp/vault/blob/main/ui/lib/core/addon/components/secret-list-header.js)  | [vscode ](../lib/core/addon/components/secret-list-header.js) |
-
-> _\*renders a template code snippet and not instantiated component because it relies on too many args that cannot be set up for component instance_
-
-### Syntax tips
-
-Docfy renders an actual instance of the component beneath `@example` as a sample. Make sure the component uses proper hbs syntax and all args are on a single line.
-
-> - Check the generated markdown file for syntax errors or typos. To update the markdown, first edit the jsdoc then re-run the generator. _Do not edit component markdown files directly_
-> - Param types: `object`, `string`, `function`, `array`
-> - Do not include `null` for empty default values
-> - Wrap optional params in brackets `[]`
-> - To include a codeblock in your module's description use `@description`
-
-```
-❌ multi-line jsdoc will not render a component example
-* @example
-* <Block
-*  @title="Example"
-*  @description="My component"
-* />
-```
-
-```
-✅ this will render
-* @example
-* <Block @title="Example" description="My component" />
-```
-
-**Template**
-
-```
-/**
- * @module ComponentName
- * @description
- * Description of the component
- *
- * @example
- * <ComponentName @param={{}} optionalParam={{}} />
- *
- * @param {object} paramName - description
- * @param {array} requiredParam=foo - foo is the default value here
- * @param {function} [optionalParamName] - An optional parameter is wrapped in brackets
- * @param {string} [param="some default value"] - An optional parameter with a default value
- */
-```
-
-> ### Config
->
-> - [docfy-md.js](../scripts/docfy-md.js): script that generates component markdown and passes options to `jsdoc2md` command
-> - [generate-docs.sh](../scripts/docfy-md.js): batch command that iterates over desired javascript and typescript file in the `core` addon engine
-> - [jsdoc2md.json](../jsdoc2md.json): `jsdoc-to-markdown` config file, necessary so typescript files can be passed to `docfy-md` script
-
-### More info
-
-- [Building and consuming components](./building-components.md)
diff --git a/ui/docs/models.md b/ui/docs/models.md
index 1c5b75fca5..1e60294429 100644
--- a/ui/docs/models.md
+++ b/ui/docs/models.md
@@ -1,8 +1,5 @@
 # Models
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
 - [Models](#models)
   - [Intro](#intro)
   - [Model patterns overview](#model-patterns-overview)
@@ -17,8 +14,6 @@
   - [Using Decorators](#using-decorators)
     - [@withFormFields()](#withformfields)
 
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
 ## Intro
 
 We use models primarily as the backing data layer for our forms and for our list/show views. As Ember-Data has matured, our patterns of usage have become outdated. This document serves to outline our current best-practices, since examples within the codebase are often out of date and do not always reflect our best practices or ambitions.
diff --git a/ui/docs/routing.md b/ui/docs/routing.md
index add1ff8688..e576d96732 100644
--- a/ui/docs/routing.md
+++ b/ui/docs/routing.md
@@ -1,16 +1,11 @@
 # Routing
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
 - [Guidelines](#guidelines)
 - [File structure](#file-structure)
 - [Shared functionality](#shared-functionality)
 - [Decorators](#decorators)
   - [@withConfirmLeave()](#withconfirmleave)
 
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
 ## Guidelines
 
 - Parent route typically serves to group related child resources
diff --git a/ui/docs/serializers-adapters.md b/ui/docs/serializers-adapters.md
index ec035a5ea4..52a1a29635 100644
--- a/ui/docs/serializers-adapters.md
+++ b/ui/docs/serializers-adapters.md
@@ -1,13 +1,8 @@
 # Serializers & Adapters
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
 - [Guidelines](#guidelines)
 - [Gotchas](#gotchas)
 
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
 ## Guidelines
 
 - Prepend internal functions with an underscore to differentiate from Ember methods `_getUrl`
diff --git a/ui/e2e/init.setup.ts b/ui/e2e/init.setup.ts
index c56e0d5a16..532d18ded0 100644
--- a/ui/e2e/init.setup.ts
+++ b/ui/e2e/init.setup.ts
@@ -7,6 +7,7 @@ import { test as base } from '@playwright/test';
 import fs from 'fs';
 import path from 'path';
 import { USER_POLICY_MAP } from './policies';
+import { DISMISSED_WIZARD_KEY, WIZARD_ID_MAP } from '../app/utils/constants/wizard';
 
 export type UserSetupOptions = {
   userType: string;
@@ -21,6 +22,13 @@ export const setup = base.extend<UserSetupOptions>({
 setup('initialize vault and setup user for testing', async ({ page, userType }) => {
   // on fresh app load navigating to the root will land us on the initialize page
   await page.goto('./');
+  // manually update dismissed wizards so that they don't have to be skipped in tests before persisting storage state;
+  await page.evaluate(
+    ({ key, ids }) => {
+      localStorage.setItem(key, JSON.stringify(ids));
+    },
+    { key: DISMISSED_WIZARD_KEY, ids: Object.values(WIZARD_ID_MAP) }
+  );
   // initialize vault
   await page.getByRole('spinbutton', { name: 'Key shares' }).fill('1');
   await page.getByRole('spinbutton', { name: 'Key threshold' }).fill('1');
@@ -42,7 +50,12 @@ setup('initialize vault and setup user for testing', async ({ page, userType })
   // create a policy for a specific user persona
   // defaults to superuser but should be passed in via the project config in playwright.config.ts
   await page.getByRole('link', { name: 'Access control', exact: true }).click();
-  await page.getByRole('link', { name: 'Create ACL policy' }).click();
+  // if the intro page is shown, click the create policy link there, otherwise click the create policy link in the toolbar on main page
+  if (await page.getByRole('link', { name: 'Create a policy' }).isVisible()) {
+    await page.getByRole('link', { name: 'Create a policy' }).click();
+  } else {
+    await page.getByRole('link', { name: 'Create ACL policy' }).click();
+  }
   await page.getByRole('textbox', { name: 'Policy name' }).fill(userType);
   await page.getByRole('radio', { name: 'Code editor' }).check();
   await page.getByRole('textbox', { name: 'Policy editor' }).fill(USER_POLICY_MAP[userType]);
@@ -63,7 +76,7 @@ setup('initialize vault and setup user for testing', async ({ page, userType })
   await page.getByRole('button', { name: 'Sign in' }).click();
   // wait for the dashboard to load to ensure login was successful
   await page.waitForURL('**/dashboard');
-  // save the authenticated state to file
-  // subsequent tests can then reuse this session data
+  // save the localStorage state to file which includes the auth token and dismissed wizards
+  // subsequent tests can then reuse the session data
   await page.context().storageState({ path: path.join(__dirname, `/tmp/${userType}-session.json`) });
 });
diff --git a/ui/e2e/pages/base.ts b/ui/e2e/pages/base.ts
index 6f576e4e2a..4667963c67 100644
--- a/ui/e2e/pages/base.ts
+++ b/ui/e2e/pages/base.ts
@@ -4,6 +4,7 @@
  */
 
 import { Page } from '@playwright/test';
+import { findEngineDisplayName } from './configuration-settings';
 
 export class BasePage {
   constructor(protected page: Page) {}
@@ -16,4 +17,84 @@ export class BasePage {
       await locator.first().click();
     }
   }
+
+  async goToSecrets() {
+    await this.page.getByRole('link', { name: 'Secrets', exact: true }).click();
+    const skipButton = this.page.getByRole('button', { name: 'Skip' });
+    if (await skipButton.isVisible()) {
+      await skipButton.click();
+    }
+  }
+
+  async disableEngine(path: string) {
+    await this.page.goto('secrets-engines');
+    await this.page
+      .getByRole('row', { name: `Type of backend ${path}` })
+      .getByLabel('supported secrets engine menu')
+      .click();
+    await this.page.getByRole('button', { name: 'Delete' }).click();
+    await this.page.getByRole('button', { name: 'Confirm' }).click();
+  }
+
+  /**
+   * Enable a secrets engine with a dynamic path
+   * @param engineType - The type of engine to enable (e.g., 'KV', 'Transit', 'PKI Certificates')
+   * @param path - The mount path for the engine
+   * @param options - Optional configuration for the engine with variable key-value pairs
+   */
+  async enableEngine(
+    engineType: string,
+    path: string,
+    options?: {
+      defaultLeaseTtl?: { unit: number; option: string };
+      maxLeaseTtl?: { unit: number; option: string };
+      external?: boolean;
+      pluginVersion?: string;
+      skipEnable?: boolean;
+    }
+  ) {
+    await this.page.goto('dashboard');
+    await this.goToSecrets();
+
+    // Click "Enable new engine"
+    await this.page.getByRole('link', { name: 'Enable new engine' }).click();
+    await this.page.getByRole('heading', { name: findEngineDisplayName(engineType) }).click();
+
+    if (options?.external) {
+      // Prerequisite: mock plugin catalog endpoint in the test so the External plugin option is available.
+      await this.page.locator('label:nth-child(2) > .hds-form-radio-card__control-wrapper').click();
+      if (options.pluginVersion) {
+        await this.page.getByLabel('Plugin version Required').selectOption(options.pluginVersion);
+      }
+    }
+
+    if (options?.defaultLeaseTtl) {
+      await this.page.locator('label').filter({ hasText: 'Default Lease TTL Vault will' }).click();
+      await this.page
+        .getByLabel('TTL unit for Default Lease TTL')
+        .selectOption(options.defaultLeaseTtl.option as string);
+      await this.page
+        .getByRole('group', { name: 'Default Lease TTL Lease will' })
+        .getByLabel('Number of units')
+        .fill(options.defaultLeaseTtl.unit.toString());
+    }
+
+    if (options?.maxLeaseTtl) {
+      await this.page
+        .getByLabel('TTL unit for Max Lease TTL')
+        .selectOption(options.maxLeaseTtl.option as string);
+      await this.page
+        .getByRole('group', { name: 'Max Lease TTL Lease will' })
+        .getByLabel('Number of units')
+        .fill(options.maxLeaseTtl.unit.toString());
+    }
+
+    // Fill in the path
+    await this.page.getByRole('textbox', { name: 'Path' }).fill(path);
+
+    // Enable the engine
+    if (!options?.skipEnable) {
+      await this.page.getByRole('button', { name: 'Enable engine' }).click();
+    }
+  }
 }
diff --git a/ui/e2e/pages/configuration-settings.ts b/ui/e2e/pages/configuration-settings.ts
new file mode 100644
index 0000000000..a470e0491b
--- /dev/null
+++ b/ui/e2e/pages/configuration-settings.ts
@@ -0,0 +1,113 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, type Page } from '@playwright/test';
+import { ALL_ENGINES } from '../../lib/core/addon/utils/all-engines-metadata';
+
+export const findEngineDisplayName = (engineType: string) => {
+  const engine = ALL_ENGINES.find((e) => e.type === engineType);
+  return engine ? engine.displayName : engineType;
+};
+
+const configurableEngines = ALL_ENGINES.filter((engine) => engine.isConfigurable).map(
+  (engine) => engine.type
+);
+
+export class ConfigurationSettingsPage {
+  constructor(protected page: Page) {}
+
+  async navigateToConfiguration(path: string) {
+    await this.page.getByRole('button', { name: 'Manage', exact: true }).click();
+    await this.page.getByRole('link', { name: 'Configure' }).click();
+    await expect(this.page.getByRole('heading', { name: `${path} configuration` })).toContainText(
+      `${path} configuration`
+    );
+  }
+
+  async assertPluginSettingsTabActive(engineType: string) {
+    const engineDisplayName = findEngineDisplayName(engineType);
+    await expect(this.page.getByRole('link', { name: 'General settings' })).not.toHaveClass(/active/);
+    await expect(this.page.getByRole('link', { name: `${engineDisplayName} settings` })).toHaveClass(
+      /active/
+    );
+    await expect(this.page.getByRole('link', { name: `${engineDisplayName} settings` })).toContainText(
+      `${engineDisplayName} settings`
+    );
+  }
+
+  async navigateToGeneralSettings(engineType: string) {
+    const engineDisplayName = findEngineDisplayName(engineType);
+    await this.page.getByRole('link', { name: 'General settings' }).click();
+    await expect(this.page.getByRole('link', { name: 'General settings' })).toHaveClass(/active/);
+
+    if (configurableEngines.includes(engineDisplayName)) {
+      await expect(
+        this.page.getByRole('link', {
+          name: `${engineDisplayName} settings`,
+        })
+      ).not.toHaveClass(/active/);
+    }
+
+    await expect(this.page.getByRole('form', { name: 'general settings form' })).toBeVisible();
+  }
+
+  async editAndVerifyGeneralSettings(path: string, engineType: string, isExternalPlugin = false) {
+    await expect(this.page.getByText(`Engine type ${engineType}`)).toBeVisible();
+    await expect(this.page.getByText('Running version')).toContainText('Running version');
+    await expect(this.page.getByRole('group', { name: 'Path' })).toBeVisible();
+    await expect(this.page.getByRole('button', { name: `copy ${path}/` })).toContainText(`${path}/`);
+    await expect(this.page.getByRole('group', { name: 'Accessor' })).toBeVisible();
+    await expect(
+      this.page.getByText('Default time-to-live (TTL) How long secrets in this engine stay valid. seconds')
+    ).toBeVisible();
+
+    if (!isExternalPlugin) {
+      await this.page.getByRole('textbox', { name: 'Description' }).fill('some description');
+      await this.page.getByRole('textbox', { name: 'Default time-to-live (TTL)time' }).fill('2');
+      await this.page.getByRole('button', { name: 'Save changes' }).click();
+      await expect(this.page.getByRole('alert', { name: 'Configuration saved' })).toBeVisible();
+      await expect(this.page.getByRole('textbox', { name: 'Description' })).toHaveValue('some description');
+      await expect(this.page.getByRole('textbox', { name: 'Default time-to-live (TTL)time' })).toHaveValue(
+        '2'
+      );
+    }
+  }
+
+  async verifyUnsavedChangesModalOnNavigateAway(path: string) {
+    // make a change to trigger the unsaved changes modal
+    await this.page.getByRole('textbox', { name: 'Description' }).fill('unsaved changes test');
+
+    // try to navigate away
+    this.page.getByRole('link', { name: 'Back to main navigation' }).click();
+
+    // verify the unsaved changes modal appears
+    const modal = this.page.getByRole('dialog', { name: 'Unsaved changes' });
+    await expect(modal).toBeVisible();
+    await expect(
+      this.page.getByText("You've made changes to the following: Description Would you like to apply them?")
+    ).toBeVisible();
+
+    // save unsaved changes
+    await modal.getByRole('button', { name: 'Save changes' }).click();
+
+    // verify still on the configuration page and description was updated
+    await this.page.getByRole('link', { name: 'Secrets', exact: true }).click();
+    await this.page.getByRole('link', { name: path }).click();
+    await this.page.getByRole('button', { name: 'Manage' }).click();
+    await this.page.getByRole('link', { name: 'Configure' }).click();
+    await this.page.getByRole('link', { name: 'General settings' }).click();
+    await expect(this.page.getByRole('textbox', { name: 'Description' })).toHaveValue('unsaved changes test');
+
+    // make another change to trigger the unsaved changes modal
+    await this.page.getByRole('textbox', { name: 'Description' }).fill('unsaved changes test 2');
+
+    // try to navigate away again
+    this.page.getByRole('link', { name: 'Back to main navigation' }).click();
+
+    // dismiss the modal
+    await modal.getByRole('button', { name: 'Discard changes' }).click();
+    await expect(this.page.getByRole('link', { name: 'Dashboard' })).toBeVisible();
+  }
+}
diff --git a/ui/e2e/policies/superuser.hcl b/ui/e2e/policies/superuser.hcl
index 2c64d21233..9a55e7359d 100644
--- a/ui/e2e/policies/superuser.hcl
+++ b/ui/e2e/policies/superuser.hcl
@@ -3,4 +3,8 @@
 
 path "*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
\ No newline at end of file
+}
+
+path "sys/leases/lookup" {
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
diff --git a/ui/e2e/tests/superuser/access/entities.spec.ts b/ui/e2e/tests/superuser/access/entities.spec.ts
new file mode 100644
index 0000000000..226d679cd1
--- /dev/null
+++ b/ui/e2e/tests/superuser/access/entities.spec.ts
@@ -0,0 +1,101 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+
+test('entities workflow', async ({ page }) => {
+  await test.step('should display entities page', async () => {
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Entities' }).click();
+    await expect(page.getByRole('heading', { name: 'Entities', exact: true })).toContainText('Entities');
+    await expect(page.getByRole('heading', { name: 'No entities yet' })).toContainText('No entities yet');
+    await expect(page.getByText('A list of entities in this')).toContainText(
+      'A list of entities in this namespace will be listed here. Create your first entity to get started.'
+    );
+  });
+
+  await test.step('create policy', async () => {
+    await page.getByRole('link', { name: 'ACL Policies' }).click();
+    await page.getByRole('link', { name: 'Create ACL policy' }).click();
+    await page.getByRole('textbox', { name: 'Policy name' }).click();
+    await page.getByRole('textbox', { name: 'Policy name' }).fill('test-policy');
+    await page.getByRole('radio', { name: 'Code editor' }).check();
+    await page
+      .getByRole('textbox', { name: 'Policy editor' })
+      .fill('path "auth/token/lookup-self" { capabilities = ["read"]}');
+    await page.getByRole('button', { name: 'Create policy' }).click();
+    await page.getByRole('link', { name: 'Entities' }).click();
+  });
+
+  await test.step('create entity', async () => {
+    await page.getByRole('link', { name: 'Create entity' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('entity-1');
+    await page.getByRole('textbox', { name: 'Key' }).fill('hello');
+    await page.getByRole('textbox', { name: 'Value' }).fill('world');
+    await page.locator('.ember-basic-dropdown-trigger').first().click();
+    await page.locator('.ember-power-select-option', { hasText: 'test-policy' }).click();
+    await page.getByRole('button', { name: 'Create' }).click();
+  });
+
+  await test.step('should display entity detail page', async () => {
+    await expect(page.getByRole('heading', { name: 'entity-' })).toContainText('entity-1');
+    await page.locator('div:nth-child(2) > .column.is-flex-center').click();
+    await expect(page.getByText('Name entity-')).toBeVisible();
+  });
+
+  await test.step('should display correct entity information on each tab', async () => {
+    // Aliases tab
+    await expect(page.getByRole('link', { name: 'Aliases' })).toBeVisible();
+    await page.getByRole('link', { name: 'Aliases' }).click();
+    await expect(page.getByRole('heading', { name: 'No entity aliases for entity-1 yet' })).toBeVisible();
+
+    // Policies tab
+    await expect(page.getByRole('link', { name: 'Policies', exact: true })).toBeVisible();
+    await page.getByRole('link', { name: 'Policies', exact: true }).click();
+    await expect(page.locator('section')).toContainText('test-policy');
+    await page.getByRole('button', { name: 'Identity policy management' }).click();
+    await page.getByRole('link', { name: 'View policy', exact: true }).click();
+    await page.getByText('Vault ACL policies test-policy test-policy Download policy').click();
+    await expect(page.getByText('Vault ACL policies test-policy test-policy Download policy')).toBeVisible();
+    await page.getByRole('link', { name: 'Entities' }).click();
+    await page.getByRole('link', { name: 'entity-1', exact: true }).click();
+
+    // Groups tab
+    await expect(page.getByRole('link', { name: 'Groups' }).nth(1)).toBeVisible();
+    await page.getByRole('link', { name: 'Groups' }).nth(1).click();
+    await expect(
+      page.getByRole('heading', { name: 'entity-1 is not a member of any groups.' })
+    ).toBeVisible();
+
+    // Metadata tab
+    await page.getByRole('link', { name: 'Metadata' }).click();
+    await expect(page.getByText('hello world')).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Metadata' })).toBeVisible();
+  });
+
+  await test.step('create and view aliases', async () => {
+    await page.getByRole('link', { name: 'Add alias' }).click();
+    await expect(page.getByRole('heading', { name: 'Create Entity Alias for' })).toBeVisible();
+    await page.getByRole('textbox', { name: 'Name' }).fill('alias-1');
+    await page.getByRole('button', { name: 'Create' }).click();
+    await expect(page.locator('.hds-page-header__title-wrapper')).toBeVisible();
+
+    await page.getByRole('link', { name: 'Edit entity alias' }).click();
+    await expect(page.locator('.hds-page-header__title-wrapper')).toBeVisible();
+    await page.getByRole('link', { name: 'Entity aliases' }).click();
+    await expect(page.getByRole('link', { name: 'alias-1', exact: true })).toBeVisible();
+  });
+
+  await test.step('cleanup by deleting entities if it was not deleted in previous step', async () => {
+    await page.getByLabel('navigation for entities').getByRole('link', { name: 'Entities' }).click();
+    await page.getByRole('button', { name: 'Identity management options' }).click();
+    await page.getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+    await expect(page.getByRole('heading', { name: 'No entities yet' })).toBeVisible();
+    await page.getByRole('link', { name: 'Aliases' }).click();
+    await expect(page.getByRole('heading', { name: 'No entity aliases yet' })).toBeVisible();
+  });
+});
diff --git a/ui/e2e/tests/superuser/access/groups.spec.ts b/ui/e2e/tests/superuser/access/groups.spec.ts
new file mode 100644
index 0000000000..26e5598234
--- /dev/null
+++ b/ui/e2e/tests/superuser/access/groups.spec.ts
@@ -0,0 +1,87 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+
+test('groups workflow', async ({ page }) => {
+  await test.step('should display groups page', async () => {
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Groups' }).click();
+    await expect(page.getByRole('heading', { name: 'Groups', exact: true })).toContainText('Groups');
+    await expect(page.getByRole('heading', { name: 'No groups yet' })).toContainText('No groups yet');
+    await expect(page.getByText('A list of groups in this')).toContainText(
+      'A list of groups in this namespace will be listed here. Create your first group to get started.'
+    );
+  });
+
+  await test.step('create policy', async () => {
+    await page.getByRole('link', { name: 'ACL Policies' }).click();
+    await page.getByRole('link', { name: 'Create ACL policy' }).click();
+    await page.getByRole('textbox', { name: 'Policy name' }).click();
+    await page.getByRole('textbox', { name: 'Policy name' }).fill('test-policy');
+    await page.getByRole('radio', { name: 'Code editor' }).check();
+    await page
+      .getByRole('textbox', { name: 'Policy editor' })
+      .fill('path "auth/token/lookup-self" { capabilities = ["read"]}');
+    await page.getByRole('button', { name: 'Create policy' }).click();
+    await page.getByRole('link', { name: 'Groups' }).click();
+  });
+
+  await test.step('create group', async () => {
+    await page.getByRole('link', { name: 'Create group' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('group-1');
+    await page.getByRole('textbox', { name: 'Key' }).fill('hello');
+    await page.getByRole('textbox', { name: 'Value' }).fill('world');
+    await page.locator('.ember-basic-dropdown-trigger').first().click();
+    await page.locator('.ember-power-select-option', { hasText: 'test-policy' }).click();
+    await page.getByRole('button', { name: 'Create' }).click();
+  });
+
+  await test.step('should display group detail page', async () => {
+    await expect(page.getByRole('heading', { name: 'group-' })).toContainText('group-1');
+    await page.locator('div:nth-child(2) > .column.is-flex-center').click();
+    await expect(page.getByText('Name group-')).toBeVisible();
+  });
+
+  await test.step('should display correct group information on each tab', async () => {
+    // Policies tab
+    await expect(page.getByRole('link', { name: 'Policies', exact: true })).toBeVisible();
+    await page.getByRole('link', { name: 'Policies', exact: true }).click();
+    await expect(page.locator('section')).toContainText('test-policy');
+    await page.getByRole('button', { name: 'Identity policy management' }).click();
+    await page.getByRole('link', { name: 'View policy', exact: true }).click();
+    await page.getByText('Vault ACL policies test-policy test-policy Download policy').click();
+    await expect(page.getByText('Vault ACL policies test-policy test-policy Download policy')).toBeVisible();
+    await page.getByRole('link', { name: 'Groups' }).click();
+    await page.getByRole('link', { name: 'group-1', exact: true }).click();
+
+    // Members tab
+    await expect(page.getByRole('link', { name: 'Members' })).toBeVisible();
+    await page.getByRole('link', { name: 'Members' }).click();
+    await expect(page.getByRole('heading', { name: 'No members in this group yet' })).toBeVisible();
+
+    // Parent groups tab
+    await expect(page.getByRole('link', { name: 'Parent groups' })).toBeVisible();
+    await page.getByRole('link', { name: 'Parent groups' }).click();
+    await expect(page.getByRole('heading', { name: 'This group has no parent' })).toBeVisible();
+
+    // Metadata tab
+    await page.getByRole('link', { name: 'Metadata' }).click();
+    await expect(page.getByText('hello world')).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Metadata' })).toBeVisible();
+  });
+
+  await test.step('edit and delete group', async () => {
+    await page.getByRole('link', { name: 'Edit group' }).click();
+    await expect(page.getByRole('heading', { name: 'Edit Group-1' })).toContainText('Edit Group-1');
+    await page.getByRole('button', { name: 'Delete group' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+  });
+
+  await test.step('should show empty state after group deletion', async () => {
+    await expect(page.getByRole('heading', { name: 'No groups yet' })).toContainText('No groups yet');
+  });
+});
diff --git a/ui/e2e/tests/superuser/billing-metrics-dashboard.spec.ts b/ui/e2e/tests/superuser/billing-metrics-dashboard.spec.ts
new file mode 100644
index 0000000000..ce092ba395
--- /dev/null
+++ b/ui/e2e/tests/superuser/billing-metrics-dashboard.spec.ts
@@ -0,0 +1,96 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { METRICS_DATA_RESPONSE } from '../../../tests/helpers/billing/stubs';
+import { formatInTimeZone } from 'date-fns-tz';
+
+test('billing metrics dashboard workflow', async ({ page }) => {
+  await test.step('navigate to billing metrics page and mock data', async () => {
+    await page.route('**/sys/license/features', async (route) =>
+      route.fulfill({ json: { features: ['Consumption Billing'] } })
+    );
+    await page.route('**/sys/billing/overview', async (route) =>
+      route.fulfill({ json: METRICS_DATA_RESPONSE })
+    );
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Billing metrics' }).click();
+  });
+
+  await test.step('display billing metrics summary panel', async () => {
+    await expect(page.getByRole('button', { name: 'January 2026' })).toContainText('January 2026');
+    await expect(page.getByRole('heading', { name: 'Billing metrics' })).toBeVisible();
+    await expect(page.getByText('Data reflects usage across')).toContainText(
+      'Data reflects usage across this Vault cluster. Billing metrics determine license utilization.'
+    );
+    await expect(page.getByRole('heading', { name: 'Summary' })).toBeVisible();
+
+    await expect(page.locator('section')).toContainText(
+      'Summary Secrets 10 Credential units 303.617 Data protection calls 420 Managed keys 430 KMIP Enabled Custom plugins 100'
+    );
+  });
+
+  await test.step('display billing metrics details by metric panel', async () => {
+    await expect(page.getByRole('heading', { name: 'Details by metric' })).toBeVisible();
+
+    await expect(page.locator('section')).toContainText(
+      'Secrets Highest number of static secrets, static roles, and dynamic roles managed on the cluster during the month. Secrets replicated to this cluster are not counted. Total 210 KV Secrets 10 Dynamic roles 130 Static roles 70'
+    );
+    await expect(page.locator('section')).toContainText(
+      'Credential units Certificates, tokens, and other credentials issued during the month, adjusted by their duration. Total 303.617 PKI units 100.1234 SSH OTP units 50.1234 SSH certificate units 50.1234 OIDC token units 52.1234 SPIFFE JWT units 51.1234'
+    );
+    await expect(page.locator('section')).toContainText(
+      'Data protection calls Total number of data elements processed. Total 640 Transform 220 Transit 200 GCP KMS 220'
+    );
+    await expect(page.locator('section')).toContainText(
+      'Managed keys Highest number of cryptographic keys managed on the cluster during the month. Keys replicated to this cluster are not counted. Total 430 TOTP 220 KMSE 210'
+    );
+  });
+
+  await test.step('change the billing period date', async () => {
+    await page.getByRole('button', { name: 'January 2026' }).click();
+    await page.getByRole('option', { name: 'December 2025' }).click();
+    await expect(page.locator('section')).toContainText(
+      'Summary Secrets 2 Credential units 200.3702 Data protection calls 220 Managed keys 220 KMIP Not enabled Custom plugins 100'
+    );
+    await expect(page.locator('section')).toContainText(
+      'Secrets Highest number of static secrets, static roles, and dynamic roles managed on the cluster during the month. Secrets replicated to this cluster are not counted. Total 192 KV Secrets 2 Dynamic roles 125 Static roles 65'
+    );
+    await expect(page.getByRole('button', { name: 'December 2025' })).toContainText('December 2025');
+  });
+});
+
+test('billing metrics dashboard api returns two months of data', async ({ page }) => {
+  await page.route('**/sys/license/features', async (route) =>
+    route.fulfill({ json: { features: ['Consumption Billing'] } })
+  );
+
+  await page.goto('dashboard');
+
+  // Set up response listener before clicking the link
+  const responsePromise = page.waitForResponse('**/sys/billing/overview**');
+  await page.getByRole('link', { name: 'Billing metrics' }).click();
+
+  // Wait for the API response and get the actual months returned
+  const response = await responsePromise;
+  const data = await response.json();
+  const months = data.data?.months || [];
+
+  // Verify we have at least 2 months of data
+  expect(months.length).toEqual(2);
+
+  // Verify both months appear in the dropdown options
+  const currentMonth = new Date(months[0].month);
+  const previousMonth = new Date(months[1].month);
+
+  // Click the date range dropdown to verify both months are available
+  await page.getByRole('button', { name: formatInTimeZone(currentMonth, 'UTC', 'MMMM') }).click();
+  await expect(page.getByRole('option', { name: formatInTimeZone(currentMonth, 'UTC', 'MMMM') })).toHaveText(
+    formatInTimeZone(currentMonth, 'UTC', 'MMMM yyyy')
+  );
+  await expect(page.getByRole('option', { name: formatInTimeZone(previousMonth, 'UTC', 'MMMM') })).toHaveText(
+    formatInTimeZone(previousMonth, 'UTC', 'MMMM yyyy')
+  );
+});
diff --git a/ui/e2e/tests/superuser/client-counts.spec.ts b/ui/e2e/tests/superuser/client-counts.spec.ts
new file mode 100644
index 0000000000..7c210bf69d
--- /dev/null
+++ b/ui/e2e/tests/superuser/client-counts.spec.ts
@@ -0,0 +1,118 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import { generateActivityResponse } from '../../../mirage/handlers/clients';
+import { ACTIVITY_EXPORT_STUB } from '../../../tests/helpers/clients/client-count-helpers';
+
+import type { ActivityData } from '../../../types/vault/client-counts/activity-api';
+
+test('client counts workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  const activityResponse = generateActivityResponse();
+  const activityData: ActivityData = activityResponse.data;
+
+  await test.step('navigate to client counts page and mock data', async () => {
+    await page.route('**/sys/internal/counters/activity', async (route) =>
+      route.fulfill({ json: activityResponse })
+    );
+    await page.route('**/sys/internal/counters/activity/export**', async (route) =>
+      route.fulfill({ body: ACTIVITY_EXPORT_STUB })
+    );
+
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Client count' }).click();
+    await page.waitForResponse('**/sys/internal/counters/activity');
+    await page.waitForResponse('**/sys/internal/counters/activity/export**');
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('client usage header', async () => {
+    await expect(page.getByText('For billing period: July 2023 - January 2024')).toBeVisible();
+    await expect(page.getByText('Dashboard last updated:')).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Refresh page' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Export activity data' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'July 2023', exact: true })).toBeVisible();
+  });
+
+  await test.step('client usage overview', async () => {
+    const { entity_clients, non_entity_clients, acme_clients } = activityData.total;
+    const totalClients = (entity_clients + non_entity_clients + acme_clients).toLocaleString();
+    await expect(page.getByRole('img', { name: `Total of ${totalClients} Total` })).toBeVisible();
+    await expect(page.getByRole('switch', { name: 'Split by client type' })).toBeVisible();
+    await expect(page.locator('.lineal-chart')).toBeVisible();
+    await expect(page.locator('section')).toContainText(
+      `${entity_clients.toLocaleString()} Entity clients ${non_entity_clients.toLocaleString()} Non-entity clients ${acme_clients.toLocaleString()} ACME clients`
+    );
+  });
+
+  await test.step('client attribution filters', async () => {
+    await page.getByRole('button', { name: 'Namespace', exact: true }).click();
+    await page.getByRole('option', { name: 'ns1/' }).click();
+    await expect(page.getByRole('button', { name: 'Dismiss ns1/' })).toBeVisible();
+    await page.getByRole('button', { name: 'Mount path', exact: true }).click();
+    await page.getByRole('option', { name: 'auth/token/0/' }).click();
+    await expect(page.getByRole('button', { name: 'Dismiss auth/token/0/' })).toBeVisible();
+    await page.getByRole('button', { name: 'Mount type', exact: true }).click();
+    await page.getByRole('option', { name: 'token' }).click();
+    await expect(page.getByRole('button', { name: 'Dismiss token' })).toBeVisible();
+    await page.getByRole('button', { name: 'Month' }).click();
+    await page.getByRole('option', { name: 'January' }).click();
+    await expect(page.getByRole('button', { name: 'Dismiss January' })).toBeVisible();
+    await page.getByRole('button', { name: 'Clear filters' }).click();
+    await expect(page.locator('section')).toContainText('Filters applied: None');
+  });
+
+  await test.step('client attribution table', async () => {
+    const ns1 = activityData.by_namespace.find((ns) => ns.namespace_path === 'ns1/');
+    const mount = ns1?.mounts[0];
+    const mountType =
+      mount?.mount_type === 'deleted mount' ? 'Deleted' : mount?.mount_type?.replace(/\/$/, '');
+    const count = `${mount?.counts.clients}`;
+
+    await page.getByRole('button', { name: 'Namespace', exact: true }).click();
+    await page.getByRole('option', { name: 'ns1/' }).click();
+    await expect(page.getByRole('gridcell', { name: 'ns1/' }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: mount?.mount_path }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: mountType }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: count }).first()).toBeVisible();
+  });
+
+  await test.step('client list', async () => {
+    await page.getByRole('link', { name: 'Client list' }).click();
+    await page.getByRole('button', { name: 'Clear filters' }).click();
+    await expect(page.getByText('Namespace Mount path Mount type Month Filters applied: None')).toBeVisible();
+    await expect(page.getByRole('tab', { name: 'Entity 8' })).toBeVisible();
+    await expect(page.getByRole('tab', { name: 'Non-entity 18' })).toBeVisible();
+    await expect(page.getByRole('tab', { name: 'ACME 16' })).toBeVisible();
+    await expect(page.getByRole('tab', { name: 'Secret sync 8' })).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'copy 5692c6ef-c871-128e-fb06-' })).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'entity' }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'ns1/' }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'vK5Bt' })).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: '2023-09-15T23:48:09Z' })).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'auth/userpass/0/' })).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'userpass' }).nth(1)).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'auth_userpass_f47ad0b4' }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'entity_b3e2a7ff' }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'bob' }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: 'false' }).first()).toBeVisible();
+    await expect(page.getByRole('gridcell', { name: '[ "7537e6b7-3b06-65c2-1fb2-' }).first()).toBeVisible();
+  });
+
+  await test.step('counts configuration', async () => {
+    await page.getByRole('link', { name: 'Configuration' }).click();
+    await expect(page.getByText('On', { exact: true })).toBeVisible();
+    await expect(page.getByText('48')).toBeVisible();
+    await page.getByRole('link', { name: 'Edit configuration' }).click();
+    await page.getByRole('textbox', { name: 'Retention period' }).fill('72');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.getByText('Retention period must be less than or equal to 60.')).toBeVisible();
+    await page.getByRole('textbox', { name: 'Retention period' }).fill('60');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.getByText('60')).toBeVisible();
+  });
+});
diff --git a/ui/e2e/tests/superuser/console.spec.ts b/ui/e2e/tests/superuser/console.spec.ts
new file mode 100644
index 0000000000..5b37e35753
--- /dev/null
+++ b/ui/e2e/tests/superuser/console.spec.ts
@@ -0,0 +1,44 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+
+test('console workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  await page.goto('dashboard');
+
+  await test.step('open console and verify content', async () => {
+    await page.getByRole('button', { name: 'Console toggle' }).click();
+    // verify console is open and has expected content
+    await expect(page.getByRole('textbox', { name: 'Web R.E.P.L.' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Close console' })).toBeVisible();
+
+    // verify clicking maximize button adds expected class to panel and clicking minimize removes it
+    await page.getByRole('button', { name: 'Maximize window' }).click();
+    await expect(page.locator('.console-ui-panel')).toHaveClass(/fullscreen/);
+
+    await page.getByRole('button', { name: 'Minimize window' }).click();
+    await expect(page.locator('.console-ui-panel')).not.toHaveClass(/fullscreen/);
+  });
+
+  await test.step('execute command in console and verify output', async () => {
+    await page
+      .getByRole('textbox', { name: 'Web R.E.P.L.' })
+      .fill('write sys/mounts/console-route-test type=kv');
+    await page.getByRole('textbox', { name: 'Web R.E.P.L.' }).press('Enter');
+    await expect(page.getByText('Success! Data written to: sys')).toBeVisible();
+
+    // verify clicking close button hides the console
+    await page.getByRole('button', { name: 'Close console' }).click();
+    await expect(page.getByRole('textbox', { name: 'Web R.E.P.L.' })).toBeHidden();
+
+    // navigate to the secrets page and verify the new mount is visible
+    await page.getByRole('link', { name: 'Secrets', exact: true }).click();
+    await expect(page.getByRole('link', { name: 'console-route-test/' })).toBeVisible();
+
+    await basePage.disableEngine('console-route-test');
+  });
+});
diff --git a/ui/e2e/tests/superuser/custom-messages.spec.ts b/ui/e2e/tests/superuser/custom-messages.spec.ts
new file mode 100644
index 0000000000..04c966e051
--- /dev/null
+++ b/ui/e2e/tests/superuser/custom-messages.spec.ts
@@ -0,0 +1,356 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import fs from 'fs';
+import path from 'path';
+
+const keysPath = path.resolve(__dirname, '../../tmp/superuser-keys.json');
+
+enum MessageLocation {
+  LoginPage = 'On the login page',
+  PostLogin = 'After the user logs in',
+}
+
+enum MessageType {
+  Alert = 'Alert message',
+  Modal = 'Modal',
+}
+
+async function navigateToCustomMessages(page: BasePage['page']) {
+  await page.goto('dashboard');
+  await page.getByRole('link', { name: 'Operational tools', exact: true }).click();
+  await page.getByRole('link', { name: 'Custom messages' }).click();
+}
+
+// A helper function to create messages which will default to creating
+// active messages after user logins in, if start_time is not provided.
+async function createMessage(
+  page: BasePage['page'],
+  title: string,
+  message: string,
+  location: MessageLocation = MessageLocation.PostLogin,
+  type: MessageType = MessageType.Alert,
+  startTime = '2020-01-01T00:00',
+  endTime?: string,
+  linkText?: string,
+  linkUrl?: string
+) {
+  await page.getByRole('button', { name: 'Create message' }).click();
+  await page.getByRole('textbox', { name: 'Title', exact: true }).fill(title);
+  await page.getByRole('textbox', { name: 'Message', exact: true }).fill(message);
+  await page.getByRole('radio', { name: location }).check();
+  await page.getByRole('radio', { name: type }).check();
+  await page.getByRole('textbox', { name: 'Message starts' }).fill(startTime);
+  if (endTime) {
+    await page.getByRole('radio', { name: 'Specific date' }).click();
+    await page.locator('[data-test-input="end_time"]').fill(endTime);
+  }
+  if (linkText) {
+    await page.getByPlaceholder('Display text (e.g. Learn more)').fill(linkText);
+  }
+  if (linkUrl) {
+    await page.getByPlaceholder('Link URL (e.g. https://www.hashicorp.com/)').fill(linkUrl);
+  }
+  await page.getByRole('button', { name: 'Create message' }).click();
+}
+
+async function deleteMessageFromList(page: BasePage['page'], title: string) {
+  await page.getByRole('link', { name: title }).getByLabel('Message popup menu').click();
+  await page.getByRole('button', { name: 'Delete' }).click();
+  await page.getByRole('button', { name: 'Confirm' }).click();
+}
+
+test.describe('Custom messages workflows', () => {
+  test.beforeEach(async ({ page }) => {
+    await navigateToCustomMessages(page);
+  });
+
+  test('custom messages page is reachable and initially shows empty state', async ({ page }) => {
+    await expect(page.getByRole('heading', { name: 'Custom messages' })).toBeVisible();
+    await expect(page.getByRole('heading', { name: 'No messages yet' })).toBeVisible();
+
+    await test.step('default tab selected is After user logs in', async () => {
+      await expect(page.getByRole('link', { name: 'After user logs in' })).toHaveClass(/active/);
+    });
+
+    await test.step('filtering messages is disabled on init', async () => {
+      await expect(page.getByRole('button', { name: 'Apply filters' })).toBeDisabled();
+    });
+  });
+
+  test('create and view a message on the login page', async ({ page }) => {
+    await createMessage(
+      page,
+      'Login Page banner',
+      'This is a login page banner message.',
+      MessageLocation.LoginPage,
+      MessageType.Alert
+    );
+
+    // Logout and route to login page to verify the login page banner appears
+    await page.getByRole('button', { name: 'User menu' }).click();
+    await page.getByRole('listitem').filter({ hasText: 'Log out' }).click();
+    await expect(page.getByLabel('Login Page Banner')).toBeVisible();
+
+    const { root_token } = JSON.parse(fs.readFileSync(keysPath, 'utf-8'));
+    await page.getByRole('textbox', { name: 'Token' }).fill(root_token);
+    await page.getByRole('button', { name: 'Sign in' }).click();
+
+    // Navigate back to custom messages list to delete the message
+    await expect(page.getByRole('button', { name: 'root' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Dashboard' })).toBeVisible();
+    await page.getByRole('link', { name: 'Operational tools', exact: true }).click();
+    await page.getByRole('link', { name: 'Custom messages' }).click();
+    await expect(page.getByRole('heading', { name: 'Custom messages' })).toBeVisible();
+
+    // Cleanup
+    await page.getByRole('link', { name: 'On login page' }).click();
+    await deleteMessageFromList(page, 'Login Page banner');
+  });
+
+  test('create a modal message on the login page with preview', async ({ page }) => {
+    await test.step('can toggle to login page tab', async () => {
+      const loginPageTab = page.getByRole('link', { name: 'On login page' });
+      await loginPageTab.click();
+      await expect(loginPageTab).toHaveClass(/active/);
+    });
+
+    await page.getByRole('button', { name: 'Create message' }).click();
+    await page.getByRole('radio', { name: 'Modal' }).click();
+    await page.getByRole('textbox', { name: 'Title' }).fill('E2E Login Modal');
+    await page
+      .getByRole('textbox', { name: 'Message', exact: true })
+      .fill('Important notice for all users on the login page.');
+
+    await page.getByRole('textbox', { name: 'Message starts' }).fill('2020-01-01T00:00');
+
+    await test.step('can see a preview of a modal', async () => {
+      await page.getByRole('button', { name: 'Preview' }).click();
+      await expect(page.getByRole('dialog').getByText('E2E Login Modal')).toBeVisible();
+      await expect(
+        page.getByRole('dialog').getByText('Important notice for all users on the login page.')
+      ).toBeVisible();
+      await page.getByRole('button', { name: 'Confirm' }).click();
+    });
+
+    await page.getByRole('button', { name: 'Create message' }).click();
+
+    await page.getByRole('link', { name: 'Custom messages' }).first().click();
+    await page.getByRole('link', { name: 'On login page' }).click();
+
+    // Cleanup
+    await deleteMessageFromList(page, 'E2E Login Modal');
+  });
+
+  test('create and view multiple messages', async ({ page }) => {
+    // Create a an active banner message to be shown after user logs in
+    await createMessage(
+      page,
+      'E2E Post-login banner',
+      'This is a post-login banner message.',
+      MessageLocation.PostLogin,
+      MessageType.Alert
+    );
+    await navigateToCustomMessages(page);
+
+    // Create an active modal message to be shown after user logs in
+    await createMessage(
+      page,
+      'E2E Post-login Modal',
+      'This is a post-login modal message.',
+      MessageLocation.PostLogin,
+      MessageType.Modal
+    );
+
+    // Verify the banner messages and modal appear in the correct locations
+    await expect(page.getByLabel('E2E Post-login Banner')).toBeVisible();
+    await expect(page.getByLabel('E2E Post-login Modal')).toBeVisible();
+
+    await test.step('banners can only be dismissed after modal(s) are dismissed', async () => {
+      await expect(
+        page
+          .getByLabel('E2E Post-login Banner')
+          .getByRole('button', { name: 'Dismiss' })
+          .click({ timeout: 1000 })
+      ).rejects.toThrow();
+
+      // Close the modal and confirm the banner can be dismissed
+      await page.getByRole('button', { name: 'Confirm' }).click();
+      await expect(page.getByLabel('E2E Post-login Modal')).not.toBeVisible();
+      await page.getByLabel('E2E Post-login banner').getByRole('button', { name: 'Dismiss' }).click();
+      await expect(page.getByLabel('E2E Post-login Banner')).not.toBeVisible();
+    });
+
+    // Cleanup
+    await page.getByRole('button', { name: 'Delete message' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+    await navigateToCustomMessages(page);
+    await deleteMessageFromList(page, 'Post-login banner');
+  });
+
+  test('message details page shows correct field values', async ({ page }) => {
+    await createMessage(
+      page,
+      'E2E Details Check',
+      'Details page verification message.',
+      MessageLocation.PostLogin,
+      MessageType.Alert,
+      '2020-01-01T00:00',
+      '',
+      'Learn more',
+      'https://example.com'
+    );
+
+    await expect(page.getByRole('heading', { name: 'E2E Details Check' })).toBeVisible();
+    await expect(page.locator('span[data-test-row-value="Message"]')).toHaveText(
+      'Details page verification message.'
+    );
+    await expect(
+      page.getByLabel('E2E Details Check').getByRole('link', { name: 'Learn more' })
+    ).toBeVisible();
+    await expect(
+      page.getByLabel('E2E Details Check').getByRole('link', { name: 'Learn more' })
+    ).toHaveAttribute('href', 'https://example.com');
+
+    await navigateToCustomMessages(page);
+    await deleteMessageFromList(page, 'E2E Details Check');
+  });
+
+  test('edit and delete messages', async ({ page }) => {
+    const basePage = new BasePage(page);
+
+    await createMessage(
+      page,
+      'E2E Test Banner',
+      'This is a test banner message.',
+      MessageLocation.PostLogin,
+      MessageType.Alert
+    );
+
+    await expect(page.getByRole('heading', { name: 'E2E Test Banner' })).toBeVisible();
+    await expect(page.locator('span[data-test-row-value="Message"]')).toHaveText(
+      'This is a test banner message.'
+    );
+
+    await test.step('can edit and view message updates on details page', async () => {
+      await page.getByRole('link', { name: 'Edit message' }).click();
+      await expect(page.getByRole('heading', { name: 'Edit message' })).toBeVisible();
+      await page.getByRole('textbox', { name: 'Title' }).fill('E2E Test Banner Updated');
+      await basePage.dismissFlashMessages();
+      await page.getByRole('button', { name: 'Save' }).click();
+
+      await expect(page.getByRole('heading', { name: 'E2E Test Banner Updated' })).toBeVisible();
+      await expect(page.getByLabel('E2E Test Banner Updated')).toBeVisible();
+    });
+
+    await test.step('can delete message from details page and navigate user back to list view', async () => {
+      await page.getByRole('button', { name: 'Delete message' }).click();
+      await page.getByRole('button', { name: 'Confirm' }).click();
+
+      await expect(page.getByRole('link', { name: 'E2E Test Banner Updated' })).not.toBeVisible();
+      await expect(page.getByLabel('E2E Test Banner Updated')).not.toBeVisible();
+    });
+  });
+
+  test('list and filter messages', async ({ page }) => {
+    // Active message with no expiration date
+    await createMessage(
+      page,
+      'E2E Active Banner',
+      'This message is currently active.',
+      MessageLocation.PostLogin,
+      MessageType.Alert,
+      '2020-01-01T00:00'
+    );
+    await navigateToCustomMessages(page);
+
+    // Active until message with a future expiration date
+    await createMessage(
+      page,
+      'E2E Active until future date Banner',
+      'This message will remain active for a while.',
+      MessageLocation.PostLogin,
+      MessageType.Alert,
+      '2020-01-01T00:00',
+      '2030-01-01T00:00'
+    );
+    await navigateToCustomMessages(page);
+
+    // Scheduled message
+    await createMessage(
+      page,
+      'E2E Scheduled Banner',
+      'This message is scheduled to be active in the future.',
+      MessageLocation.PostLogin,
+      MessageType.Alert,
+      '2030-01-01T00:00'
+    );
+    await navigateToCustomMessages(page);
+
+    // Expired message
+    await createMessage(
+      page,
+      'E2E Expired Banner',
+      'This message has expired.',
+      MessageLocation.PostLogin,
+      MessageType.Alert,
+      '2020-01-01T00:00',
+      '2020-12-31T23:59'
+    );
+    await navigateToCustomMessages(page);
+
+    await expect(page.locator('[data-test-list-item]')).toHaveCount(4);
+
+    await test.step('displays badge statuses for messages', async () => {
+      await expect(page.getByRole('link', { name: 'E2E Active Banner' })).toContainText('Active');
+      await expect(page.getByRole('link', { name: 'E2E Active until future date Banner' })).toContainText(
+        'Active until'
+      );
+      await expect(page.getByRole('link', { name: 'E2E Scheduled Banner' })).toContainText('Scheduled');
+      await expect(page.getByRole('link', { name: 'E2E Expired Banner' })).toContainText('Inactive');
+    });
+
+    await test.step('can filter messages by status', async () => {
+      await page.getByLabel('Filter by message status').selectOption('active');
+      await page.getByRole('button', { name: 'Apply filters' }).click();
+
+      await expect(page.locator('[data-test-list-item]')).toHaveCount(2);
+
+      await page.getByLabel('Filter by message status').selectOption('inactive');
+      await page.getByRole('button', { name: 'Apply filters' }).click();
+
+      await expect(page.locator('[data-test-list-item]')).toHaveCount(2);
+      await navigateToCustomMessages(page);
+    });
+
+    await test.step('can filter messages by type', async () => {
+      await page.getByLabel('Filter by type').selectOption('modal');
+      await page.getByRole('button', { name: 'Apply filters' }).click();
+
+      await expect(page.locator('[data-test-list-item]')).toHaveCount(0);
+
+      await page.getByLabel('Filter by type').selectOption('banner');
+      await page.getByRole('button', { name: 'Apply filters' }).click();
+
+      await expect(page.locator('[data-test-list-item]')).toHaveCount(4);
+      await navigateToCustomMessages(page);
+    });
+
+    await test.step('can filter messages by text', async () => {
+      await page.getByRole('searchbox', { name: 'Search by message title' }).fill('Scheduled');
+      await page.getByRole('button', { name: 'Apply filters' }).click();
+      await expect(page.locator('[data-test-list-item]')).toHaveCount(1);
+      await page.getByRole('button', { name: 'Clear filters' }).click();
+    });
+
+    // Cleanup
+    await deleteMessageFromList(page, 'E2E Expired Banner');
+    await deleteMessageFromList(page, 'E2E Scheduled Banner');
+    await deleteMessageFromList(page, 'E2E Active Banner');
+    await deleteMessageFromList(page, 'E2E Active until future date Banner');
+  });
+});
diff --git a/ui/e2e/tests/superuser/filtering-engines.spec.ts b/ui/e2e/tests/superuser/filtering-engines.spec.ts
new file mode 100644
index 0000000000..21c9b765e0
--- /dev/null
+++ b/ui/e2e/tests/superuser/filtering-engines.spec.ts
@@ -0,0 +1,80 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+
+test('filtering secrets engines workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  // nav to secrets engines page and enable a couple of engines to test filtering
+  await page.goto('dashboard');
+  await page.getByRole('link', { name: 'Secrets', exact: true }).click();
+
+  // enable transit
+  await page.getByRole('link', { name: 'Enable new engine' }).click();
+  await page.getByLabel('Transit - enabled engine type').click();
+  await page.getByRole('button', { name: 'Enable engine' }).click();
+  await basePage.dismissFlashMessages();
+  await page.getByLabel('breadcrumbs').getByRole('link', { name: 'Secrets engines' }).click();
+
+  // enable kv
+  await page.getByRole('link', { name: 'Enable new engine' }).click();
+  await page.getByRole('heading', { name: 'KV' }).click();
+  await page.getByRole('button', { name: 'Enable engine' }).click();
+  await basePage.dismissFlashMessages();
+  await page.getByLabel('breadcrumbs').getByRole('link', { name: 'Secrets engines' }).click();
+
+  // search for transit engine
+  await page.getByRole('searchbox', { name: 'Search' }).fill('transit');
+
+  // assert theres only 1 result and its the transit engine
+  await expect(page.getByText('1–1 of 1 page 1 Items per')).toBeVisible();
+  await expect(page.getByRole('link', { name: 'transit/' })).toBeVisible();
+
+  // assert user can click into transit engine from search results and nav back
+  await page.getByRole('link', { name: 'transit/' }).click();
+  await expect(page.getByRole('heading', { name: 'transit', exact: true })).toBeVisible();
+  await page.getByLabel('breadcrumbs').getByRole('link', { name: 'Secrets engines' }).click();
+
+  // filter for cubbyhole engine type
+  await page.getByRole('button', { name: 'Engine type' }).click();
+  await page.getByRole('checkbox', { name: 'cubbyhole', exact: true }).check();
+  await page.getByRole('button', { name: 'Engine type' }).click();
+  await expect(page.getByRole('link', { name: 'cubbyhole/' })).toBeVisible();
+
+  // clear filter
+  await page.getByRole('button', { name: 'Clear all' }).click();
+
+  // filter by engine type and version
+  await page.getByRole('button', { name: 'Engine type' }).click();
+  await page.getByRole('checkbox', { name: 'cubbyhole', exact: true }).check();
+  await page.getByRole('button', { name: 'Version', exact: true }).click();
+  // clicking the label here so it closes the dropdown, the checkbox is inside the label so it will still be checked
+  // Note: /\+builtin\.vault/ is regex to partial match the builtin label since the version will change
+  await page
+    .locator('label')
+    .filter({ hasText: /\+builtin\.vault/ })
+    .click();
+
+  // assert filter chips are visible and applied correctly
+  await expect(
+    page
+      .locator('span')
+      .filter({ hasText: /\+builtin\.vault/ })
+      .nth(1)
+  ).toBeVisible();
+  await expect(page.locator('span').filter({ hasText: 'cubbyhole' }).nth(1)).toBeVisible();
+  await expect(page.getByRole('link', { name: 'cubbyhole/' })).toBeVisible();
+  await expect(page.getByRole('gridcell', { name: /\+builtin\.vault/ })).toBeVisible();
+
+  // clear filters and assert all engines are visible again
+  await page.getByRole('button', { name: 'Clear all' }).click();
+  await expect(page.getByRole('link', { name: 'kv/' })).toBeVisible();
+  await expect(page.getByRole('link', { name: 'transit/' })).toBeVisible();
+
+  await basePage.disableEngine('transit');
+  await basePage.disableEngine('kv');
+  await basePage.dismissFlashMessages();
+});
diff --git a/ui/e2e/tests/superuser/intro-pages.spec.ts b/ui/e2e/tests/superuser/intro-pages.spec.ts
new file mode 100644
index 0000000000..fc524df6f7
--- /dev/null
+++ b/ui/e2e/tests/superuser/intro-pages.spec.ts
@@ -0,0 +1,199 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { DISMISSED_WIZARD_KEY } from '../../../app/utils/constants/wizard';
+import { BasePage } from '../../pages/base';
+
+test('intro pages workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  await page.goto('dashboard');
+
+  // remove the dismissed wizards from local storage so that the intro pages will show up on login
+  await page.evaluate(
+    ({ key }) => {
+      localStorage.removeItem(key);
+    },
+    { key: DISMISSED_WIZARD_KEY }
+  );
+
+  await test.step('Verify secrets intro page content and workflow', async () => {
+    await page.getByRole('link', { name: 'Secrets', exact: true }).click();
+    await expect(page.getByRole('heading', { name: 'Welcome to Secrets engines' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Enable a Secret engine' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Skip' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'View documentation' })).toBeVisible();
+
+    // verify clicking enable routes to enablement page
+    await page.getByRole('link', { name: 'Enable a Secret engine' }).click();
+    await expect(page.getByText('Enable secrets engine')).toBeVisible();
+    await expect(page.getByLabel('KV - enabled engine type')).toBeVisible();
+
+    // navigate back to secrets intro page and click skip and verify the intro page is dismissed
+    await page.getByLabel('Secrets Navigation Links').getByRole('link', { name: 'Secrets engines' }).click();
+    await page.getByRole('button', { name: 'Skip' }).click();
+
+    // intro page is dismissed and not visible
+    await expect(page.getByRole('heading', { name: 'Welcome to Secrets engines' })).not.toBeVisible();
+
+    // user sees secrets engines list and can see the 'new to secrets engines' button
+    await expect(page.getByRole('heading', { name: 'Secrets engines' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'cubbyhole/' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'New to Secret engines?' })).toBeVisible();
+
+    // clicking enable from banner routes to enablement page
+    await page.getByRole('button', { name: 'New to Secret engines?' }).click();
+    await page.getByRole('link', { name: 'Enable a Secret engine' }).click();
+    await expect(page.getByText('Enable secrets engine')).toBeVisible();
+
+    // click button and close the banner and assert the banner is closed
+    await page.getByLabel('breadcrumbs').getByRole('link', { name: 'Secrets engines' }).click();
+    await page.getByRole('button', { name: 'Skip' }).click();
+    await page.getByRole('button', { name: 'New to Secret engines?' }).click();
+    await page.getByRole('button', { name: 'Close' }).click();
+    await expect(page.getByText('Welcome to Secrets engines')).not.toBeVisible();
+
+    // enable an engine and verify the welcome button doesn't render on secrets engines page
+    await basePage.enableEngine('transit', 'test-transit');
+    await page.getByLabel('Secrets Navigation Links').getByRole('link', { name: 'Secrets engines' }).click();
+    await expect(page.getByRole('button', { name: 'New to Secret engines?' })).not.toBeVisible();
+
+    await basePage.disableEngine('test-transit');
+    await page.getByRole('link', { name: 'Back to main navigation' }).click();
+  });
+
+  await test.step('Verify auth methods intro page content and workflow', async () => {
+    await page.getByRole('link', { name: 'Access control', exact: true }).click();
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await expect(page.getByRole('heading', { name: 'Welcome to Authentication methods' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Enable a new method' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Skip' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'View documentation' })).toBeVisible();
+
+    // verify clicking enable routes to enablement page
+    await page.getByRole('link', { name: 'Enable a new method' }).click();
+    await expect(page.getByText('Enable an Authentication Method')).toBeVisible();
+    await expect(page.getByLabel('Userpass - enabled engine type')).toBeVisible();
+
+    // navigate back to auth methods intro page and click skip and verify the intro page is dismissed
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await page.getByRole('button', { name: 'Skip' }).click();
+    await expect(page.getByRole('heading', { name: 'Welcome to Authentication methods' })).not.toBeVisible();
+
+    // user sees auth methods list and can see the 'new to auth methods' button
+    await expect(page.getByRole('heading', { name: 'Authentication methods' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'token/' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'New to Auth methods?' })).toBeVisible();
+
+    // clicking enable from banner routes to enablement page
+    await page.getByRole('button', { name: 'New to Auth methods?' }).click();
+    await page.getByRole('link', { name: 'Enable a new method' }).click();
+    await expect(page.getByText('Enable an Authentication Method')).toBeVisible();
+
+    // click button and close the banner and assert the banner is closed
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await page.getByRole('button', { name: 'Skip' }).click();
+    await page.getByRole('button', { name: 'New to Auth methods?' }).click();
+    await page.getByRole('button', { name: 'Close' }).click();
+    await expect(page.getByText('Welcome to Authentication methods')).not.toBeVisible();
+
+    // enable a method and verify the welcome button doesn't render on auth methods page
+    await page.getByRole('link', { name: 'Enable new method' }).click();
+    await page.getByLabel('Userpass - enabled engine type').click();
+    await page.getByRole('button', { name: 'Enable method' }).click();
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await expect(page.getByRole('button', { name: 'New to Auth methods?' })).not.toBeVisible();
+
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('verify namespace intro page content and workflow', async () => {
+    await page.getByRole('link', { name: 'Namespaces' }).click();
+
+    await expect(page.getByRole('heading', { name: 'Welcome to Namespaces' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Guided start' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Skip' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'View documentation' })).toBeVisible();
+
+    // verify clicking create routes to guided start page
+    await page.getByRole('button', { name: 'Guided start' }).click();
+    await expect(page.getByText('Namespaces Guided Start')).toBeVisible();
+    await expect(page.getByRole('tab', { name: 'Select setup (current)' })).toBeVisible();
+    await page.getByRole('button', { name: 'Exit' }).click();
+
+    await expect(page.getByRole('heading', { name: 'Welcome to Namespaces' })).not.toBeVisible();
+    await expect(page.locator('h1')).toHaveText('Namespaces');
+    await expect(page.getByRole('link', { name: 'Create namespace' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'New to Namespaces?' })).toBeVisible();
+    await page.getByRole('link', { name: 'Create namespace' }).click();
+    await page.getByRole('textbox', { name: 'Path' }).fill('testNs');
+    await page.getByRole('button', { name: 'Save' }).click();
+
+    await expect(page.getByRole('button', { name: 'New to Namespaces?' })).not.toBeVisible();
+  });
+
+  await test.step('create policy for test namespace for testing ACL intro page', async () => {
+    await page.getByRole('link', { name: 'ACL policies' }).click();
+    await page.getByRole('link', { name: 'Create ACL policy' }).click();
+    await page.getByRole('textbox', { name: 'Policy name' }).fill('testns');
+    await page.getByRole('textbox', { name: 'Resource path' }).fill('testNs/*');
+    await page.getByRole('checkbox', { name: 'create' }).check();
+    await page.getByRole('checkbox', { name: 'read' }).check();
+    await page.getByRole('checkbox', { name: 'list' }).check();
+    await page.getByRole('button', { name: 'Create policy' }).click();
+
+    await page.getByRole('button', { name: 'root' }).click();
+    await page.getByRole('option', { name: 'testNs' }).click();
+  });
+
+  await test.step('Verify access control intro page content and workflow', async () => {
+    await page.goto('dashboard?namespace=testNs');
+
+    //nav to access control intro page and verify the content
+    await page.getByRole('link', { name: 'Access control', exact: true }).click();
+    await expect(page.getByRole('heading', { name: 'Welcome to ACL Policies' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Create a policy' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Skip' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'View documentation' })).toBeVisible();
+
+    await page.getByRole('button', { name: 'Skip' }).click();
+    await expect(page.getByRole('heading', { name: 'Welcome to ACL Policies' })).not.toBeVisible();
+    await expect(page.getByRole('heading', { name: 'ACL policies' })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'New to ACL policies?' })).toBeVisible();
+
+    await page.getByRole('button', { name: 'New to ACL policies?' }).click();
+    await expect(page.getByText('Welcome to ACL Policies')).toBeVisible();
+    await page.getByRole('link', { name: 'Create a policy' }).click();
+    await page.getByRole('textbox', { name: 'Policy name' }).fill('testpolicy');
+    await page.getByRole('textbox', { name: 'Resource path' }).fill('testpath');
+    await page.getByText('create', { exact: true }).click();
+    await page.getByRole('button', { name: 'Create policy' }).click();
+    await expect(page.getByRole('heading', { name: 'testpolicy' })).toBeVisible();
+
+    await page.getByLabel('breadcrumbs').getByRole('link', { name: 'ACL policies' }).click();
+    await expect(page.getByRole('link', { name: 'testpolicy', exact: true })).toBeVisible();
+    await expect(page.getByRole('button', { name: 'New to ACL policies?' })).not.toBeVisible();
+  });
+
+  await test.step('cleanup', async () => {
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Namespaces' }).click();
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page.getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+    await page.getByRole('link', { name: 'ACL policies' }).click();
+    await page.getByRole('link', { name: 'testns Policy nav menu' }).getByLabel('Policy nav menu').click();
+    await page.getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await page
+      .getByRole('link', { name: 'Type of auth mount userpass/' })
+      .getByLabel('Overflow options')
+      .click();
+    await page.getByRole('button', { name: 'Disable' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+  });
+});
diff --git a/ui/e2e/tests/superuser/keymgmt-mount-external.ent.spec.ts b/ui/e2e/tests/superuser/keymgmt-mount-external.ent.spec.ts
new file mode 100644
index 0000000000..b949fc3e4b
--- /dev/null
+++ b/ui/e2e/tests/superuser/keymgmt-mount-external.ent.spec.ts
@@ -0,0 +1,138 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, test } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+
+const PINNED_PLUGIN_DATA = {
+  data: {
+    name: 'vault-plugin-secrets-keymgmt',
+    type: 'secret',
+    version: 'v0.17.0+ent',
+  },
+};
+
+const PLUGIN_CATALOG_DATA = {
+  request_id: 'request_id',
+  lease_id: '',
+  renewable: false,
+  lease_duration: 0,
+  data: {
+    detailed: [
+      {
+        builtin: true,
+        deprecation_status: 'supported',
+        name: 'keymgmt',
+        type: 'secret',
+        version: 'v0.18.1+builtin',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: '',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: 'v0.16.0+ent',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: 'v0.17.0+ent',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: 'v0.18.0+ent',
+      },
+    ],
+  },
+};
+
+test('mount external keymgmt workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  await test.step('mock the keymgmt pinned version response', async () => {
+    await page.route('**v1/sys/plugins/pins/secret/vault-plugin-secrets-keymgmt', async (route) => {
+      if (route.request().method() === 'GET') {
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify(PINNED_PLUGIN_DATA),
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await test.step('mock the plugin catalog response to return builtin and external keymgmt plugins', async () => {
+    await page.route('**v1/sys/plugins/catalog', async (route) => {
+      if (route.request().method() === 'GET') {
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify(PLUGIN_CATALOG_DATA),
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await page.goto('dashboard');
+
+  await test.step('navigate to enable Key Management engine', async () => {
+    await basePage.enableEngine('Key Management', 'keymgmt-external', {
+      external: true,
+      pluginVersion: 'v0.17.0+ent',
+      skipEnable: true,
+    });
+  });
+
+  await test.step('verify builtin and external plugin type options are visible', async () => {
+    await expect(page.getByText('Built-in plugin Preregistered')).toBeVisible();
+    await expect(page.getByText('External plugin External')).toBeVisible();
+    await expect(page.getByText('Plugin version Required')).toBeVisible();
+  });
+
+  await test.step('selecting external plugin type shows plugin version dropdown', async () => {
+    await expect(page.getByLabel('Plugin version Required')).toContainText(
+      'v0.17.0+ent (pinned) v0.16.0+ent v0.18.0+ent'
+    );
+  });
+
+  await test.step('pinned version is selected by default with no warning', async () => {
+    await expect(page.getByLabel('Version differs from pinned')).not.toBeVisible();
+  });
+
+  await test.step('selecting a non-pinned version shows a warning', async () => {
+    await page.getByLabel('Plugin version Required').selectOption('v0.16.0+ent');
+    await expect(page.getByLabel('Version differs from pinned')).toContainText(
+      'You have selected v0.16.0+ent, but version v0.17.0+ent is pinned for this plugin. Enabling the engine with this version will override the pinned version for this mount.'
+    );
+  });
+
+  await test.step('re-selecting the pinned version clears the warning', async () => {
+    await page.getByLabel('Plugin version Required').selectOption('v0.17.0+ent');
+    await expect(page.getByLabel('Version differs from pinned')).not.toBeVisible();
+  });
+
+  await test.step('enabling engine shows error with external plugin name', async () => {
+    await page.getByRole('button', { name: 'Enable engine' }).click();
+    await expect(page.getByLabel('Error')).toContainText(
+      'plugin not found in the catalog: vault-plugin-secrets-keymgmt'
+    );
+  });
+});
diff --git a/ui/e2e/tests/superuser/keymgmt-tune-external.ent.spec.ts b/ui/e2e/tests/superuser/keymgmt-tune-external.ent.spec.ts
new file mode 100644
index 0000000000..1642e67a04
--- /dev/null
+++ b/ui/e2e/tests/superuser/keymgmt-tune-external.ent.spec.ts
@@ -0,0 +1,206 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, test } from '@playwright/test';
+import { ConfigurationSettingsPage } from '../../pages/configuration-settings';
+
+const PINNED_PLUGIN_DATA = {
+  data: {
+    name: 'vault-plugin-secrets-keymgmt',
+    type: 'secret',
+    version: 'v0.17.0+ent',
+  },
+};
+
+const PLUGIN_CATALOG_DATA = {
+  request_id: 'request_id',
+  lease_id: '',
+  renewable: false,
+  lease_duration: 0,
+  data: {
+    detailed: [
+      {
+        builtin: true,
+        deprecation_status: 'supported',
+        name: 'keymgmt',
+        type: 'secret',
+        version: 'v0.18.1+builtin',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: '',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: 'v0.16.0+ent',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: 'v0.17.0+ent',
+      },
+      {
+        builtin: false,
+        name: 'vault-plugin-secrets-keymgmt',
+        sha256: 'sha256',
+        type: 'secret',
+        version: 'v0.18.0+ent',
+      },
+    ],
+  },
+};
+
+const KEYMGMT_EXTERNAL_MOUNT_DATA = {
+  request_id: 'request_id',
+  lease_id: '',
+  renewable: false,
+  lease_duration: 0,
+  data: {
+    accessor: 'vault-plugin-secrets-keymgmt_accessor',
+    config: {
+      default_lease_ttl: 2764800,
+      force_no_cache: false,
+      listing_visibility: 'hidden',
+      max_lease_ttl: 2764800,
+    },
+    description: '',
+    external_entropy_access: false,
+    local: false,
+    options: {},
+    path: 'keymgmt-external/',
+    plugin_version: 'v0.17.0+ent',
+    running_plugin_version: 'v0.17.0+ent',
+    running_sha256: 'sha256',
+    seal_wrap: false,
+    type: 'vault-plugin-secrets-keymgmt',
+    uuid: 'uuid',
+  },
+  wrap_info: null,
+  warnings: null,
+  auth: null,
+  mount_type: '',
+};
+
+const UPDATED_KEYMGMT_EXTERNAL_MOUNT_DATA = {
+  ...KEYMGMT_EXTERNAL_MOUNT_DATA,
+  data: {
+    ...KEYMGMT_EXTERNAL_MOUNT_DATA.data,
+    plugin_version: 'v0.18.0+ent',
+    running_plugin_version: 'v0.18.0+ent',
+  },
+};
+
+test('tune external keymgmt workflow', async ({ page }) => {
+  const configurationSettingsPage = new ConfigurationSettingsPage(page);
+
+  await test.step('mock the keymgmt pinned version response', async () => {
+    await page.route('**v1/sys/plugins/pins/secret/vault-plugin-secrets-keymgmt', async (route) => {
+      if (route.request().method() === 'GET') {
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify(PINNED_PLUGIN_DATA),
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await test.step('mock the plugin catalog response to return builtin and external keymgmt plugins', async () => {
+    await page.route('**v1/sys/plugins/catalog', async (route) => {
+      if (route.request().method() === 'GET') {
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify(PLUGIN_CATALOG_DATA),
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await test.step('mock the keymgmt external mount response', async () => {
+    await page.route('**/v1/sys/internal/ui/mounts/keymgmt-external', async (route) => {
+      if (route.request().method() === 'GET') {
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify(KEYMGMT_EXTERNAL_MOUNT_DATA),
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await test.step('mock the initial keymgmt external tune response', async () => {
+    await page.route('**/v1/sys/mounts/keymgmt-external/tune', async (route) => {
+      if (route.request().method() === 'POST') {
+        await route.fulfill({
+          status: 204,
+          contentType: 'application/json',
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await page.goto('dashboard');
+
+  await test.step("navigate to the external keymgmt mount's general settings page", async () => {
+    await page.goto('secrets-engines/keymgmt-external/list');
+    const path = 'keymgmt-external';
+    const engineType = 'vault-plugin-secrets-keymgmt';
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.editAndVerifyGeneralSettings(path, engineType, true);
+    await expect(page.getByRole('paragraph').nth(3)).toContainText('v0.17.0+ent (Pinned)');
+  });
+
+  await test.step('verify that selecting an unpinned version shows the override message', async () => {
+    await page.getByLabel('Update version to:').selectOption('v0.16.0+ent');
+    await expect(page.getByLabel('Override pinned version')).toContainText(
+      'You have selected v0.16.0+ent, but version v0.17.0+ent is pinned for this plugin. Updating to this version will override the pinned version for this mount.'
+    );
+  });
+
+  await test.step('reset the version selection and verify that the override message goes away', async () => {
+    await page.getByLabel('Update version to:').selectOption('');
+    await expect(page.getByLabel('Override pinned version')).not.toBeVisible();
+  });
+
+  await test.step('verify that selecting an unpinned version shows the override message', async () => {
+    await page.getByLabel('Update version to:').selectOption('v0.18.0+ent');
+    await expect(page.getByLabel('Override pinned version')).toContainText(
+      'You have selected v0.18.0+ent, but version v0.17.0+ent is pinned for this plugin. Updating to this version will override the pinned version for this mount.'
+    );
+  });
+
+  await test.step('mock updated mount response after tuning with a new plugin version', async () => {
+    await page.route('**/v1/sys/internal/ui/mounts/keymgmt-external', async (route) => {
+      if (route.request().method() === 'GET') {
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          body: JSON.stringify(UPDATED_KEYMGMT_EXTERNAL_MOUNT_DATA),
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await page.getByRole('button', { name: 'Save changes' }).click();
+});
diff --git a/ui/e2e/tests/superuser/keymgmt.spec.ts b/ui/e2e/tests/superuser/keymgmt.spec.ts
new file mode 100644
index 0000000000..07e34acc75
--- /dev/null
+++ b/ui/e2e/tests/superuser/keymgmt.spec.ts
@@ -0,0 +1,135 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, test } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import { ConfigurationSettingsPage } from '../../pages/configuration-settings';
+
+test('keymgmt workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  await test.step('mock the distribution response', async () => {
+    await page.route('**/v1/keymgmt-test/kms/test-provider/key/test-key', async (route) => {
+      if (route.request().method() === 'PUT') {
+        await route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  await test.step('enable Key Management secrets engine mount', async () => {
+    await basePage.enableEngine('Key Management', 'keymgmt-test', { skipEnable: true });
+
+    await expect(page.getByText('Built-in plugin Preregistered')).toBeVisible();
+    await expect(page.getByText('External plugin External')).toBeVisible();
+    await expect(page.getByText('Plugin version Required')).not.toBeVisible();
+
+    await page.getByRole('button', { name: 'Enable engine' }).click();
+  });
+
+  await test.step('Key Management secrets engine mount saved successfully', async () => {
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(
+      page.getByText('Successfully mounted the keymgmt secrets engine at keymgmt-test')
+    ).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('create a provider', async () => {
+    await page.getByRole('link', { name: 'Create provider' }).click();
+    await page.getByLabel('Type').selectOption('azurekeyvault');
+    await page.getByRole('textbox', { name: 'Provider name' }).fill('test-provider');
+    await page.getByRole('textbox', { name: 'Key Vault instance name' }).fill('keyvault-name');
+    await page.getByRole('textbox', { name: 'client_id' }).fill('a0454cd1-e28e-405e-bc50-7477fa8a00b7');
+    await page.getByRole('textbox', { name: 'client_secret' }).fill('eR%HizuCVEpAKgeaUEx');
+    await page.getByRole('textbox', { name: 'tenant_id' }).fill('cd4bf224-d114-4f96-9bbc-b8f45751c43f');
+    await page.getByRole('button', { name: 'Create provider' }).click();
+
+    await expect(page.locator('span').filter({ hasText: 'test-provider' })).toBeVisible();
+    await expect(page.getByText('Azure Key Vault')).toBeVisible();
+    await expect(page.getByText('keyvault-name')).toBeVisible();
+    await expect(page.getByText('None')).toBeVisible();
+  });
+
+  await test.step('create a key', async () => {
+    await page.getByRole('link', { name: 'Keys' }).click();
+    await page.getByRole('link', { name: 'Create key' }).click();
+    await page.getByRole('textbox', { name: 'Key name' }).fill('test-key');
+    await page.getByRole('checkbox', { name: 'Allow deletion' }).check();
+    await page.getByRole('button', { name: 'Create key' }).click();
+
+    await expect(page.locator('section')).toContainText('test-key');
+    await expect(page.locator('section')).toContainText('rsa-2048');
+    await expect(page.locator('section')).toContainText('Yes');
+  });
+
+  await test.step('distribute key to provider', async () => {
+    await page.getByLabel('toolbar actions').getByRole('button', { name: 'Distribute key' }).click();
+    await page.getByText('Search').click();
+    await page.getByRole('option', { name: 'test-provider' }).click();
+    await page.getByText('Encrypt').click();
+    await page.getByText('Decrypt').click();
+    await page.getByText('Sign').click();
+    await page.getByText('Verify').click();
+    await page.getByText('Wrap', { exact: true }).click();
+    await page.getByText('Unwrap').click();
+    await page.getByRole('radio', { name: 'HSM' }).check();
+    await page.getByRole('button', { name: 'Distribute key' }).click();
+
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully distributed key test-key to test-provider')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+});
+
+test('keymgmt tune workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  const configurationSettingsPage = new ConfigurationSettingsPage(page);
+
+  const path = 'keymgmt-tune';
+  const engineType = 'keymgmt';
+
+  await test.step('enable keymgmt secrets engine mount', async () => {
+    await basePage.enableEngine(engineType, path);
+  });
+
+  await test.step('navigate to configuration page from manage dropdown ', async () => {
+    await configurationSettingsPage.navigateToConfiguration(path);
+  });
+
+  // keymgmt does not have plugin settings, so we only need to test for general settings
+
+  await test.step('navigate and verify general settings form', async () => {
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+    await configurationSettingsPage.editAndVerifyGeneralSettings(path, engineType);
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+  });
+
+  await test.step('ensure that we navigate back to the keymgmt overview page when Exit configuration is clicked', async () => {
+    await expect(
+      page
+        .locator('div')
+        .filter({ hasText: `${path} Manage Create provider` })
+        .nth(3)
+    ).toBeVisible();
+  });
+
+  await test.step('verify unsaved changes modal works in general settings', async () => {
+    // Navigate back to general settings
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+
+    // Test Unsaved changes modal
+    await configurationSettingsPage.verifyUnsavedChangesModalOnNavigateAway(path);
+  });
+
+  await test.step('clean up and disable engine', async () => {
+    await basePage.disableEngine(path);
+  });
+});
diff --git a/ui/e2e/tests/superuser/kmip.spec.ts b/ui/e2e/tests/superuser/kmip.spec.ts
new file mode 100644
index 0000000000..d761da07d1
--- /dev/null
+++ b/ui/e2e/tests/superuser/kmip.spec.ts
@@ -0,0 +1,128 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, test } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+
+test('kmip workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  await test.step('enable KMIP secrets engine', async () => {
+    await basePage.enableEngine('KMIP', 'kmip-test');
+  });
+
+  await test.step('KMIP secrets engine mount saved successfully', async () => {
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully mounted the kmip secrets engine at kmip-test')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('configure KMIP engine', async () => {
+    await page.getByRole('button', { name: 'Manage' }).click();
+    await page.getByRole('link', { name: 'Configure' }).click();
+
+    await page.locator('label').filter({ hasText: 'Default TLS Client TTL Lease' }).click();
+    await page.getByLabel('TLS CA Key type').selectOption('rsa');
+    await page.getByRole('textbox', { name: 'TLS CA Key bits' }).fill('2048');
+    await page.getByRole('button', { name: 'Save' }).click();
+
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully configured KMIP engine')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+
+    await expect(page.locator('[data-test-row-value="Default TLS client TTL"]')).toContainText('0');
+    await expect(page.locator('span[data-test-row-value="TLS CA key type"]')).toContainText('rsa');
+    await expect(page.locator('span[data-test-row-value="TLS CA key bits"]')).toContainText('2048');
+  });
+
+  await test.step('update general settings', async () => {
+    await page.getByRole('link', { name: 'General settings' }).click();
+    await page.getByText('Engine type kmip').click();
+    await page.getByRole('textbox', { name: 'Description' }).click();
+    await page.getByRole('textbox', { name: 'Description' }).press('ControlOrMeta+a');
+    await page.getByRole('textbox', { name: 'Description' }).fill('abcdefg');
+    await page.getByRole('button', { name: 'Save changes' }).click();
+
+    await expect(page.getByText('Configuration saved')).toBeVisible();
+    await expect(page.getByText('Engine settings successfully updated.')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('create a scope', async () => {
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+    await expect(page.locator('section')).toContainText('KMIP Secrets Engine');
+    await expect(page.locator('section')).toContainText(
+      "First, let's create a scope that our roles and credentials will belong to. A client can only access objects within their role's scope."
+    );
+    await page.getByRole('link', { name: 'Create scope' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('kmip-scope');
+    await page.getByRole('button', { name: 'Save' }).click();
+
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully created scope kmip-scope')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('create a role', async () => {
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page.getByRole('link', { name: 'View scope', exact: true }).click();
+
+    await page.locator('div').filter({ hasText: 'No roles in this scope yet' }).nth(3).click();
+    await page.getByRole('link', { name: 'Create role' }).click();
+    await page.getByRole('textbox', { name: 'Name', exact: true }).click();
+    await page.getByRole('textbox', { name: 'Name', exact: true }).fill('kmip-role');
+    await page.getByRole('button', { name: 'Save' }).click();
+
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully saved role kmip-role')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('generate credentials', async () => {
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page.getByRole('link', { name: 'View credentials', exact: true }).click();
+    await expect(page.getByText('No credentials yet for this')).toBeVisible();
+    await expect(page.getByText('You can generate new')).toBeVisible();
+    await page.getByLabel('toolbar actions').getByRole('link', { name: 'Generate credentials' }).click();
+    await page.getByLabel('Certificate format').selectOption('pem_bundle');
+    await page.getByRole('button', { name: 'Save' }).click();
+
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully generated credentials from role kmip-role.')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('revoke credentials', async () => {
+    await page.getByRole('button', { name: 'Revoke credentials' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully revoked credentials.')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+
+    await expect(page.getByText('No credentials yet for this')).toBeVisible();
+  });
+
+  await test.step('delete role', async () => {
+    await page.getByRole('link', { name: 'kmip-scope' }).click();
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page.getByRole('button', { name: 'Delete role' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+
+    await expect(page.getByText('No roles in this scope yet')).toBeVisible();
+    await expect(page.getByText('Roles let you generate')).toBeVisible();
+  });
+
+  await test.step('delete scope', async () => {
+    await page.getByRole('link', { name: 'kmip-test' }).click();
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page.getByRole('button', { name: 'Delete scope' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+
+    await expect(page.getByText('KMIP Secrets Engine')).toBeVisible();
+    await expect(page.getByText("First, let's create a scope")).toBeVisible();
+  });
+});
diff --git a/ui/e2e/tests/superuser/kubernetes-secrets.spec.ts b/ui/e2e/tests/superuser/kubernetes-secrets.spec.ts
new file mode 100644
index 0000000000..57759df65c
--- /dev/null
+++ b/ui/e2e/tests/superuser/kubernetes-secrets.spec.ts
@@ -0,0 +1,250 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import { ConfigurationSettingsPage } from '../../pages/configuration-settings';
+
+test('kubernetes secrets workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  await test.step('enable kubernetes secrets engine', async () => {
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Secrets', exact: true }).click();
+    await page.getByRole('link', { name: 'Enable new engine' }).click();
+    await page.getByLabel('Kubernetes - enabled engine').click();
+    await page.getByRole('button', { name: 'Enable engine' }).click();
+    await expect(page.locator('section')).toContainText('Kubernetes not configured');
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('configure kubernetes secrets engine', async () => {
+    await page.getByRole('link', { name: 'Configure Kubernetes' }).click();
+    await page.getByRole('button', { name: 'Get config values' }).click();
+    await expect(page.locator('section')).toContainText(
+      'Vault could not infer a configuration from your environment variables. Check your configuration file to edit or delete them, or configure manually.'
+    );
+    await page.getByRole('radio', { name: 'Manual configuration Generate' }).check();
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.locator('#error-kubernetes_host')).toContainText('Kubernetes host is required');
+    await page.getByRole('textbox', { name: 'Kubernetes host' }).fill('https://192.168.99.100:8443');
+    await page.getByRole('textbox', { name: 'Service account JWT' }).fill('test-jwt');
+    await page.getByRole('textbox', { name: 'Kubernetes CA Certificate' }).fill('-----CERTIFICATE-----');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(
+      page.locator('.info-table-row').filter({
+        hasText: 'Kubernetes host https://192.168.99.100:8443',
+      })
+    ).toBeVisible();
+    await expect(
+      page.locator('.info-table-row').filter({
+        hasText: 'Certificate PEM Format -----CERTIFICATE-----',
+      })
+    ).toBeVisible();
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+    await expect(page.locator('section')).toContainText(
+      'Roles Create Role The number of Vault roles being used to generate Kubernetes credentials. None'
+    );
+    await expect(page.locator('section')).toContainText(
+      'Generate credentials Quickly generate credentials by typing the role name. Type to find a role... Generate'
+    );
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('create kubernetes role', async () => {
+    await page.getByRole('link', { name: 'Roles' }).click();
+    await expect(page.locator('section')).toContainText(
+      'No roles yet When created, roles will be listed here. Create a role to start generating service account tokens.'
+    );
+    await page.getByRole('link', { name: 'Create role' }).click();
+    await expect(page.locator('section')).toContainText(
+      'Choose an option above To configure a Vault role, choose what should be generated in Kubernetes by Vault.'
+    );
+    await page.getByRole('radio', { name: 'Generate token only using' }).check();
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.locator('#error-name')).toContainText('Name is required');
+    await page.getByRole('textbox', { name: 'Role name' }).fill('test-role');
+    await page.getByRole('textbox', { name: 'Service account name' }).fill('foo');
+    await page.getByRole('textbox', { name: 'Allowed Kubernetes namespaces' }).fill('*');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(
+      page.locator('.info-table-row').filter({
+        hasText: 'Role name test-role',
+      })
+    ).toBeVisible();
+
+    await page.getByRole('link', { name: 'Roles' }).click();
+    await expect(page.getByRole('link', { name: 'test-role', exact: true })).toBeVisible();
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('edit kubernetes role', async () => {
+    await page.getByRole('link', { name: 'test-role', exact: true }).click();
+    await expect(
+      page.locator('.info-table-row').filter({
+        hasText: 'Service account name foo',
+      })
+    ).toBeVisible();
+    await page.getByRole('button', { name: 'Manage' }).click();
+    await page.getByRole('link', { name: 'Edit role' }).click();
+    await page.getByRole('radio', { name: 'Generate token, service' }).check();
+    await page.getByRole('textbox', { name: 'Kubernetes role name' }).click();
+    await page.getByRole('textbox', { name: 'Kubernetes role name' }).fill('admin');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(
+      page.locator('.info-table-row').filter({
+        hasText: 'Kubernetes role name admin',
+      })
+    ).toBeVisible();
+
+    await page.getByRole('button', { name: 'Manage' }).click();
+    await page.getByRole('link', { name: 'Edit role' }).click();
+    await page.getByRole('radio', { name: 'Generate entire Kubernetes' }).check();
+    await page.getByLabel('Role rules template').selectOption('5');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.locator('section')).toContainText(
+      'Generated role rules Role rules rules: - apiGroups: [""] resources: ["secrets", "services"] verbs: ["get", "watch", "list", "create", "delete", "deletecollection", "patch", "update"]'
+    );
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('generate credentials from kubernetes role', async () => {
+    // mock since we aren't connected to a kubernetes cluster
+    await page.route('**/v1/kubernetes/creds/test-role', async (route) => {
+      await route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        body: JSON.stringify({
+          lease_duration: 3600,
+          lease_id: 'kubernetes/creds/test-role/aWczfcfJ7NKUdiirJrPXIs38',
+          data: {
+            service_account_name: 'default',
+            service_account_namespace: 'default',
+            service_account_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Imlr',
+          },
+        }),
+      });
+    });
+    await page.getByRole('button', { name: 'Manage' }).click();
+    await page.getByRole('link', { name: 'Generate credentials' }).click();
+    await page.getByRole('textbox', { name: 'Kubernetes namespace' }).fill('user');
+    await page.getByRole('button', { name: 'Generate credentials' }).click();
+    await expect(page.getByLabel('Warning')).toContainText(
+      "Warning You won't be able to access these credentials later, so please copy them now."
+    );
+    await page.getByRole('button', { name: 'Done' }).click();
+    await page.getByRole('link', { name: 'Roles' }).click();
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('filter kubernetes roles', async () => {
+    await page.getByRole('link', { name: 'Create role' }).click();
+    await page.getByRole('radio', { name: 'Generate token only using' }).check();
+    await page.getByRole('textbox', { name: 'Role name' }).fill('foo');
+    await page.getByRole('textbox', { name: 'Allowed Kubernetes namespaces' }).fill('*');
+    await page.getByRole('textbox', { name: 'Service account name' }).fill('bar');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await page.getByRole('link', { name: 'Roles' }).click();
+    await page.getByRole('textbox', { name: 'Search by path' }).fill('test');
+    await page.getByRole('button', { name: 'Search' }).click();
+    await expect(page.getByRole('link', { name: 'test-role', exact: true })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'foo', exact: true })).not.toBeVisible();
+    await page.getByRole('textbox', { name: 'Search by path' }).fill('foo');
+    await page.getByRole('button', { name: 'Search' }).click();
+    await expect(page.getByRole('link', { name: 'foo', exact: true })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'test-role', exact: true })).not.toBeVisible();
+  });
+
+  await test.step('delete kubernetes role', async () => {
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page.getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+    await expect(page.locator('section')).toContainText('There are no roles matching "foo"');
+    await page.getByRole('textbox', { name: 'Search by path' }).click();
+    await page.getByRole('textbox', { name: 'Search by path' }).fill('');
+    await page.getByRole('button', { name: 'Search' }).click();
+    await expect(page.getByRole('link', { name: 'test-role', exact: true })).toBeVisible();
+    await basePage.dismissFlashMessages();
+  });
+
+  await test.step('kubernetes overview', async () => {
+    await page.getByRole('link', { name: 'Overview' }).click();
+    await expect(page.locator('section')).toContainText(
+      'Roles View Roles The number of Vault roles being used to generate Kubernetes credentials. 1'
+    );
+    await page.getByRole('link', { name: 'View Roles' }).click();
+    await expect(page.getByRole('link', { name: 'test-role', exact: true })).toBeVisible();
+    await page.getByRole('link', { name: 'Overview' }).click();
+    await page.getByText('Type to find a role...').click();
+    await page.getByRole('option', { name: 'test-role' }).click();
+    await page.getByRole('button', { name: 'Generate' }).click();
+    await expect(page.getByRole('paragraph')).toContainText(
+      'This will generate credentials using the role test-role.'
+    );
+  });
+  await test.step('clean up and disable engine', async () => {
+    await basePage.disableEngine('kubernetes');
+  });
+});
+
+test('kubernetes tune workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  const configurationSettingsPage = new ConfigurationSettingsPage(page);
+
+  const path = 'kubernetes-tune';
+  const engineType = 'kubernetes';
+
+  await test.step('enable kubernetes secrets engine mount', async () => {
+    await basePage.enableEngine(engineType, path);
+  });
+
+  await test.step('navigate to configuration page from manage dropdown and ensure plugin settings tab is active', async () => {
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.assertPluginSettingsTabActive(engineType);
+  });
+
+  await test.step('configure kubernetes plugin settings', async () => {
+    await page.locator('div').filter({ hasText: 'Manual configuration Generate' }).nth(4).click();
+    await page.getByRole('textbox', { name: 'Kubernetes host' }).fill('https://192.168.99.100:8443');
+    await page.getByRole('textbox', { name: 'Service account JWT' }).fill('test-jwt');
+    await page.getByRole('textbox', { name: 'Kubernetes CA Certificate' }).fill('-----CERTIFICATE-----');
+    await page.getByRole('button', { name: 'Save' }).click();
+  });
+
+  await test.step('ensure kubernetes plugin settings was saved', async () => {
+    await expect(page.locator('section')).toContainText('Kubernetes host https://192.168.99.100:8443');
+  });
+
+  await test.step('edit plugin settings configuration', async () => {
+    await page.getByRole('link', { name: 'Edit configuration' }).click();
+    await page.getByRole('textbox', { name: 'Kubernetes host' }).fill('https://192.168.99.100:8448');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+    await expect(page.locator('section')).toContainText('Kubernetes host https://192.168.99.100:8448');
+  });
+
+  await test.step('navigate and verify general settings form', async () => {
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+    await configurationSettingsPage.editAndVerifyGeneralSettings(path, engineType);
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+  });
+
+  await test.step('ensure that we navigate back to the kubernetes overview page when Exit configuration is clicked', async () => {
+    await expect(page.getByText(`Vault Secrets engines ${path} ${path} Kubernetes Manage`)).toBeVisible();
+  });
+
+  await test.step('verify unsaved changes modal works in general settings', async () => {
+    // Navigate back to general settings
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+
+    // Test Unsaved changes modal
+    await configurationSettingsPage.verifyUnsavedChangesModalOnNavigateAway(path);
+  });
+
+  await test.step('clean up and disable engine', async () => {
+    await basePage.disableEngine(path);
+  });
+});
diff --git a/ui/e2e/tests/superuser/kv.spec.ts b/ui/e2e/tests/superuser/kv.spec.ts
index f9c8cd0d63..e5674c8bbb 100644
--- a/ui/e2e/tests/superuser/kv.spec.ts
+++ b/ui/e2e/tests/superuser/kv.spec.ts
@@ -5,17 +5,13 @@
 
 import { test, expect } from '@playwright/test';
 import { BasePage } from '../../pages/base';
+import { ConfigurationSettingsPage } from '../../pages/configuration-settings';
 
 test('kvv2 workflow', async ({ page }) => {
   const basePage = new BasePage(page);
-  await page.goto('dashboard');
   // enable kv secrets engine
-  await page.getByRole('link', { name: 'Secrets', exact: true }).click();
-  await page.getByRole('link', { name: 'Enable new engine' }).click();
-  await page.locator('div').filter({ hasText: 'KV' }).nth(4).click();
-  await page.getByRole('textbox', { name: 'Path' }).click();
-  await page.getByRole('textbox', { name: 'Path' }).fill('kv-test');
-  await page.getByRole('button', { name: 'Enable engine' }).click();
+  await basePage.enableEngine('KV', 'kv-test');
+
   // once enabled it should navigate to the secrets engine overview page
   await expect(page.locator('section')).toContainText('kv-test version 2');
   await expect(page.locator('section')).toContainText(
@@ -121,4 +117,75 @@ test('kvv2 workflow', async ({ page }) => {
   await expect(page.locator('section')).toContainText(
     'Version 1 of this secret has been permanently destroyed A version that has been permanently deleted cannot be restored. You can view other versions of this secret in the Version History tab above. KV v2 API docs'
   );
+  // generate policy
+  await page.getByRole('button', { name: 'Generate policy' }).click();
+  await page.getByRole('textbox', { name: 'Policy name' }).fill('foo-policy');
+  await page.getByRole('checkbox', { name: 'sudo' }).nth(0).check();
+  await page.getByRole('checkbox', { name: 'read' }).nth(1).check();
+  await page.getByRole('checkbox', { name: 'list' }).nth(2).check();
+  await page.getByRole('button', { name: 'Delete' }).nth(3).click();
+  await page.getByRole('button', { name: 'Add rule' }).click();
+  await page.getByRole('textbox', { name: 'Resource path' }).nth(5).fill('kv-test/nomatch');
+  await page.getByRole('checkbox', { name: 'create' }).nth(5).check();
+  await page.getByRole('button', { name: 'Automation snippets' }).click();
+  await expect(page.getByRole('code')).toContainText(
+    'resource "vault_policy" "<local identifier>" { name = "foo-policy" policy = <<EOT path "kv-test/metadata/foo" { capabilities = ["sudo"] } path "kv-test/data/foo" { capabilities = ["read"] } path "kv-test/subkeys/foo" { capabilities = ["list"] } path "kv-test/undelete/foo" { capabilities = [] } path "kv-test/destroy/foo" { capabilities = [] } path "kv-test/nomatch" { capabilities = ["create"] } EOT }'
+  );
+  await page.getByRole('button', { name: 'Save' }).click();
+  await page.getByRole('link', { name: 'View policy' }).click();
+  await expect(page.getByRole('heading', { name: 'foo-policy' })).toBeVisible();
+});
+
+test('kvv2 tune workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  const configurationSettingsPage = new ConfigurationSettingsPage(page);
+
+  const path = 'kv-tune';
+  const engineType = 'kv';
+
+  await test.step('enable kvv2 secrets engine mount', async () => {
+    await basePage.enableEngine(engineType, path);
+  });
+
+  await test.step('navigate to configuration page from manage dropdown and ensure plugin settings tab is active', async () => {
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.assertPluginSettingsTabActive(engineType);
+  });
+
+  await test.step('edit plugin settings configuration', async () => {
+    await page.getByRole('link', { name: 'Edit configuration' }).click();
+    await page.getByRole('link', { name: 'Edit configuration' }).click();
+    await page.locator('#max_versions').fill('2');
+    await page.locator('#label-cas_required').check();
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.getByText('Require check and set Yes')).toBeVisible();
+  });
+
+  await test.step('navigate and verify general settings form', async () => {
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+    await configurationSettingsPage.editAndVerifyGeneralSettings(path, engineType);
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+  });
+
+  await test.step('ensure that we navigate back to the kv overview page when Exit configuration is clicked', async () => {
+    await expect(
+      page
+        .locator('div')
+        .filter({ hasText: `${path} version 2 KV Manage` })
+        .nth(3)
+    ).toBeVisible();
+  });
+
+  await test.step('verify unsaved changes modal works in general settings', async () => {
+    // Navigate back to general settings
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+
+    // Test Unsaved changes modal
+    await configurationSettingsPage.verifyUnsavedChangesModalOnNavigateAway(path);
+  });
+
+  await test.step('clean up and disable engine', async () => {
+    await basePage.disableEngine(path);
+  });
 });
diff --git a/ui/e2e/tests/superuser/leases.spec.ts b/ui/e2e/tests/superuser/leases.spec.ts
new file mode 100644
index 0000000000..b335aab0fb
--- /dev/null
+++ b/ui/e2e/tests/superuser/leases.spec.ts
@@ -0,0 +1,20 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+
+test('leases workflow', async ({ page }) => {
+  await page.goto('dashboard');
+  await page.getByRole('link', { name: 'Access control' }).click();
+  await page.getByRole('link', { name: 'Leases' }).click();
+  await expect(page.getByRole('heading', { name: 'Leases' })).toContainText('Leases');
+  await page.getByRole('link', { name: 'auth/' }).click();
+  await page.getByRole('link', { name: 'token/' }).click();
+  await page.getByRole('link', { name: 'create/' }).click();
+  await expect(page.getByRole('button', { name: 'Force revoke prefix' })).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Revoke prefix', exact: true })).toBeVisible();
+  await page.getByRole('link', { name: 'Back to Leases' }).click();
+  await expect(page.getByRole('link', { name: 'Back to Leases' })).not.toBeVisible();
+});
diff --git a/ui/e2e/tests/superuser/mfa.ent.spec.ts b/ui/e2e/tests/superuser/mfa.ent.spec.ts
new file mode 100644
index 0000000000..a37d694570
--- /dev/null
+++ b/ui/e2e/tests/superuser/mfa.ent.spec.ts
@@ -0,0 +1,102 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, test } from '@playwright/test';
+
+test('mfa workflow', async ({ page }) => {
+  await page.goto('dashboard');
+
+  await test.step('create userpass auth method and user', async () => {
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await page.getByRole('link', { name: 'Enable new method' }).click();
+    await page.getByLabel('Userpass').click();
+    await page.getByRole('button', { name: 'Enable method' }).click();
+    await page.getByRole('button', { name: 'Update options' }).click();
+
+    await page.getByRole('link', { name: 'Type of auth mount userpass/' }).click();
+    await page.getByLabel('toolbar actions').getByRole('link', { name: 'Create user' }).click();
+    await page.getByRole('textbox', { name: 'Username' }).fill('bob');
+    await page.getByRole('textbox', { name: 'password', exact: true }).fill('bobpassword');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.getByRole('link', { name: 'bob', exact: true })).toBeVisible();
+  });
+
+  await test.step('navigate to MFA page', async () => {
+    await page.getByRole('link', { name: 'Multi-factor authentication' }).click();
+    await expect(page.getByRole('img', { name: 'MFA configure diagram' })).toBeVisible();
+  });
+
+  await test.step('create method with enforcement', async () => {
+    await page.getByRole('link', { name: 'Configure MFA' }).click();
+    await page.getByRole('radio', { name: 'TOTP' }).check();
+    await page.getByRole('button', { name: 'Next' }).click();
+    await page.getByRole('textbox', { name: 'Issuer' }).fill('mfa-totp-issuer');
+    await page.getByLabel('TTL unit for Period').selectOption('m');
+    await page.getByRole('textbox', { name: 'Number of units' }).fill('5');
+    await page.getByRole('radio', { name: 'SHA1' }).check();
+    await page.getByRole('radio', { name: '6', exact: true }).check();
+    await page.getByRole('textbox', { name: 'Name' }).fill('mfa-totp-enforcement');
+    await page.getByLabel('target-type').selectOption('method');
+    await page.getByLabel('Auth method').locator('select').selectOption('userpass');
+    await page.getByRole('button', { name: 'Add' }).click();
+    await page.getByRole('button', { name: 'Continue' }).click();
+
+    await expect(page.getByText('Issuer mfa-totp-issuer')).toBeVisible();
+    await expect(page.getByText('Period 5 minutes')).toBeVisible();
+    await expect(page.getByText('Digits TOTP code length. 6')).toBeVisible();
+    await expect(page.getByText('Enable self-enrollment No')).toBeVisible();
+    await page.getByRole('link', { name: 'Enforcements' }).click();
+    await expect(page.getByRole('link', { name: 'mfa-totp-enforcement' })).toBeVisible();
+  });
+
+  await test.step('verify mfa enforcement on login', async () => {
+    await page.getByRole('button', { name: 'User menu' }).click();
+    await page.getByRole('button', { name: 'Copy token' }).click();
+    await page.getByRole('link', { name: 'Log out' }).click();
+
+    await page.getByLabel('Method').selectOption('userpass');
+    await page.getByRole('textbox', { name: 'Username' }).fill('bob');
+    await page.getByRole('textbox', { name: 'Password' }).fill('bobpassword');
+    await page.getByRole('button', { name: 'Sign in' }).click();
+
+    await expect(page.getByRole('heading', { name: 'Multi-factor authentication' })).toBeVisible();
+    await page.getByText('Enter your authentication code to log in. TOTP passcode').click();
+    await page.getByRole('textbox', { name: 'TOTP passcode' }).fill('12');
+    await page.getByRole('button', { name: 'Verify' }).click();
+    await expect(page.getByRole('alert', { name: 'Error' })).toBeVisible();
+    await page.getByRole('button', { name: 'Cancel' }).click();
+    await expect(page.getByRole('heading', { name: 'Sign in to Vault' })).toBeVisible();
+  });
+
+  await test.step('delete mfa method and userpass auth method', async () => {
+    await page.getByLabel('Method').selectOption('token');
+    // get token value from clipboard that we copied before logging out
+    const suToken = await page.evaluate(() => navigator.clipboard.readText());
+    await page.getByRole('textbox', { name: 'Token' }).fill(suToken);
+    await page.getByRole('button', { name: 'Sign in' }).click();
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Multi-factor authentication' }).click();
+    await page.getByRole('link', { name: 'TOTP' }).click();
+    await page.getByRole('link', { name: 'Enforcements' }).click();
+    await page.getByRole('link', { name: 'mfa-totp-enforcement' }).click();
+    await page.getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('textbox', { name: 'Type mfa-totp-enforcement' }).fill('mfa-totp-enforcement');
+    await page.getByLabel('Delete enforcement?').getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('link', { name: 'Methods', exact: true }).click();
+    await page.getByRole('link', { name: 'TOTP' }).click();
+    await page.getByRole('link', { name: 'Configuration' }).click();
+    await page.getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await page
+      .getByRole('link', { name: 'Type of auth mount userpass/' })
+      .getByLabel('Overflow options')
+      .click();
+    await page.getByRole('button', { name: 'Disable' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+  });
+});
diff --git a/ui/e2e/tests/superuser/namespace.spec.ts b/ui/e2e/tests/superuser/namespace.spec.ts
new file mode 100644
index 0000000000..76b12abc30
--- /dev/null
+++ b/ui/e2e/tests/superuser/namespace.spec.ts
@@ -0,0 +1,133 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+
+test('namespace workflow', async ({ page }) => {
+  await test.step('create namespace', async () => {
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Namespaces' }).click();
+    await page.getByRole('link', { name: 'Create namespace' }).click();
+    await page.getByRole('textbox', { name: 'Path' }).fill('testNamespace');
+    await page.getByRole('button', { name: 'Save' }).click();
+  });
+
+  await test.step('should display the new namespace in the namespace picker and switch to it', async () => {
+    await page.getByRole('button', { name: 'root' }).click();
+    await page.getByRole('option', { name: 'testNamespace' }).click();
+  });
+
+  await test.step('should switch to the new namespace and display the correct header', async () => {
+    await expect(page.locator('#app-main-content').getByText('testNamespace')).toBeVisible();
+  });
+
+  await test.step('delete namespace', async () => {
+    await page.getByRole('button', { name: 'testNamespace' }).click();
+    await page.getByRole('option', { name: 'root' }).click();
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Namespaces' }).click();
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page.getByRole('button', { name: 'Delete' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+  });
+});
+
+test('namespace wizard workflow', async ({ page }) => {
+  await page.goto('dashboard');
+
+  await test.step('Navigate to namespaces wizard', async () => {
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Namespaces' }).click();
+    await page.getByRole('button', { name: 'New to Namespaces?' }).click();
+    const modal = page.getByRole('dialog', { name: 'Welcome to Namespaces' });
+    await expect(modal).toBeVisible();
+    await page.getByRole('button', { name: 'Guided start' }).click();
+    await expect(page.getByRole('heading', { name: 'Namespaces Guided Start' })).toBeVisible();
+  });
+
+  await test.step('Should show step 1 selection options', async () => {
+    await page.getByRole('heading', { name: 'What best describes your' }).click();
+
+    await expect(
+      page.getByRole('heading', {
+        name: 'What best describes your access policy between teams and applications?',
+      })
+    ).toContainText('What best describes your access policy between teams and applications?');
+    await expect(page.getByText('Flexible/shared access: our')).toBeVisible();
+    await expect(
+      page.getByText('Strict isolation required: our policy mandates hard boundaries (separate')
+    ).toBeVisible();
+  });
+
+  await test.step('Should show flexible/shared access information in Step 1 if it is selected', async () => {
+    await page.getByText('Flexible/shared access:').click();
+    await expect(page.getByRole('heading', { name: 'Your recommended setup' })).toContainText(
+      'Your recommended setup'
+    );
+    await page.getByRole('heading', { name: 'Single namespace' }).click();
+    await expect(page.getByRole('heading', { name: 'Single namespace' })).toContainText('Single namespace');
+    await expect(page.getByText('Your organization should be')).toContainText(
+      'Your organization should be comfortable with your current setup of one global namespace. You can always add more namespaces later.'
+    );
+  });
+
+  await test.step('Should navigate to "Apply changes" step once "next" is clicked for flexible/shared access selection', async () => {
+    await page.getByRole('button', { name: 'Next' }).click();
+
+    await expect(page.getByRole('heading', { name: "No action needed, you're all set." })).toBeVisible();
+    await expect(
+      page.getByRole('heading', { name: 'Next up: build out your access lists and identities' })
+    ).toBeVisible();
+    await expect(page.getByRole('heading', { name: 'Why use ACL and identities?' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Set up identities' })).toBeVisible();
+    await expect(page.getByRole('link', { name: 'Learn more about namespaces' })).toBeVisible();
+  });
+
+  await page.getByRole('button', { name: 'Back' }).click();
+
+  await test.step('Should navigate to "Map out namespaces" once "next" is clicked for strict isolation selection', async () => {
+    await page.getByText('Strict isolation required: our policy mandates hard boundaries (separate').click();
+    await page.getByRole('button', { name: 'Next' }).click();
+    await expect(page.getByRole('heading', { name: 'Map out your namespaces' })).toContainText(
+      'Map out your namespaces'
+    );
+    await page.getByText('Create the namespaces you').click();
+    await expect(page.getByText('Create the namespaces you')).toContainText(
+      'Create the namespaces you need using the 3-layer structure, starting with the global level. Refresh the preview to update. These changes will only be applied on the next step, once you select the implementation method.'
+    );
+    await page.getByRole('textbox', { name: 'Global' }).fill('global');
+    await page.getByRole('textbox', { name: 'Org' }).fill('org-1');
+    await page.getByRole('textbox', { name: 'Project' }).fill('project-2');
+    await page.getByRole('button', { name: 'Add' }).first().click();
+    await page.getByRole('button', { name: 'Next' }).click();
+  });
+
+  await test.step('Should navigate and display "Apply changes" once "Map out your namespaces" is complete', async () => {
+    await expect(
+      page.getByText('Terraform automation Recommended Manage configurations by Infrastructure as')
+    ).toBeVisible();
+    await expect(
+      page.getByText('variable "global_child_namespaces" { type = set(string) default = ["org-1"] }')
+    ).toContainText(
+      'variable "global_child_namespaces" { type = set(string) default = ["org-1"] } variable "global_org-1_child_namespaces" { type = set(string) default = ["project-2"] } resource "vault_namespace" "global" { path = "global" } resource "vault_namespace" "global_children" { for_each = var.global_child_namespaces namespace = vault_namespace.global.path path = each.key } resource "vault_namespace" "global_org-1_children" { for_each = var.global_org-1_child_namespaces namespace = vault_namespace.global_children["org-1"].path_fq path = each.key }'
+    );
+    await page.getByText('API/CLI Manage namespaces').click();
+    await expect(page.getByText('API/CLI Manage namespaces')).toContainText(
+      'API/CLI Manage namespaces directly via the Vault CLI or REST API. Best for quick updates, custom scripting, or terminal-based workflows.'
+    );
+    await expect(page.getByText('curl \\ --header "X-Vault-')).toContainText(
+      'curl \\ --header "X-Vault-Token: $VAULT_TOKEN" \\ --request PUT \\ $VAULT_ADDR/v1/sys/namespaces/global curl \\ --header "X-Vault-Token: $VAULT_TOKEN" \\ --header "X-Vault-Namespace: /global" \\ --request PUT \\ $VAULT_ADDR/v1/sys/namespaces/org-1 curl \\ --header "X-Vault-Token: $VAULT_TOKEN" \\ --header "X-Vault-Namespace: /global/org-1" \\ --request PUT \\ $VAULT_ADDR/v1/sys/namespaces/project-2'
+    );
+    await page.getByRole('radio', { name: 'Vault UI workflow Apply' }).check();
+    await expect(page.getByText('Apply changes immediately.')).toContainText(
+      'Apply changes immediately. Note: Changes made in the UI will be overwritten by any future updates made via Infrastructure as Code (Terraform).'
+    );
+    await page.getByRole('tab', { name: 'Map out namespaces (complete)' }).click();
+    await expect(page.getByRole('heading', { name: 'Map out your namespaces' })).toContainText(
+      'Map out your namespaces'
+    );
+  });
+});
diff --git a/ui/e2e/tests/superuser/oidc.spec.ts b/ui/e2e/tests/superuser/oidc.spec.ts
new file mode 100644
index 0000000000..1c71ac97bc
--- /dev/null
+++ b/ui/e2e/tests/superuser/oidc.spec.ts
@@ -0,0 +1,162 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, test } from '@playwright/test';
+
+test('oidc workflow', async ({ page }) => {
+  await page.goto('dashboard');
+
+  await test.step('navigate to OIDC provider page', async () => {
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'OIDC provider' }).click();
+    await expect(page.getByRole('img', { name: 'Example flow of a user' })).toBeVisible();
+  });
+
+  await test.step('create application', async () => {
+    await page.getByRole('link', { name: 'Create your first app' }).click();
+    await page.getByRole('textbox', { name: 'Application name' }).fill('test-oidc-app');
+    await page.getByRole('button', { name: 'More options' }).click();
+    await page
+      .getByRole('group', { name: 'ID Token TTL Lease will' })
+      .getByLabel('Number of units')
+      .fill('30');
+    await page.getByLabel('TTL unit for ID Token TTL').selectOption('m');
+    await page
+      .getByRole('group', { name: 'Access Token TTL Lease will' })
+      .getByLabel('Number of units')
+      .fill('30');
+    await page.getByLabel('TTL unit for Access Token TTL').selectOption('m');
+    await page.getByRole('button', { name: 'Create' }).click();
+
+    await expect(page.getByRole('heading', { name: 'test-oidc-app' })).toBeVisible();
+    await expect(page.getByText('ID Token TTL 30 minutes')).toBeVisible();
+    await expect(page.getByText('Access Token TTL 30 minutes')).toBeVisible();
+    await page.getByRole('link', { name: 'Available providers' }).click();
+    await expect(page.getByRole('link', { name: 'default Issuer: /v1/identity/' })).toBeVisible();
+    await page.getByRole('link', { name: 'Applications' }).click();
+    await expect(page.getByRole('link', { name: 'test-oidc-app Client ID:' })).toBeVisible();
+  });
+
+  await test.step('create key', async () => {
+    await page.getByRole('link', { name: 'Keys' }).click();
+    await expect(page.getByRole('link', { name: 'default Key nav options' })).toBeVisible();
+    await page.getByRole('link', { name: 'Create key' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('test-oidc-key');
+    await page.getByLabel('Algorithm').selectOption('ES256');
+    await page
+      .getByRole('group', { name: 'Rotation period Lease will' })
+      .getByLabel('Number of units')
+      .fill('30');
+    await page.getByLabel('TTL unit for Rotation period').selectOption('m');
+    await page
+      .getByRole('group', { name: 'Verification TTL Lease will' })
+      .getByLabel('Number of units')
+      .fill('30');
+    await page.getByLabel('TTL unit for Verification TTL').selectOption('m');
+    await expect(page.locator('.radio-card').nth(1)).toHaveClass(/is-disabled/);
+    await page.getByRole('button', { name: 'Create' }).click();
+
+    await expect(page.getByRole('heading', { name: 'test-oidc-key' })).toBeVisible();
+    await expect(page.getByText('Algorithm ES256')).toBeVisible();
+    await expect(page.getByText('Rotation period 30 minutes')).toBeVisible();
+    await expect(page.getByText('Verification TTL 30 minutes')).toBeVisible();
+  });
+
+  await test.step('rotate key', async () => {
+    await page.getByRole('button', { name: 'Rotate key' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+  });
+
+  await test.step('edit key', async () => {
+    await page.getByRole('link', { name: 'Edit key' }).click();
+    await page.getByLabel('Algorithm').selectOption('EdDSA');
+    await page.getByRole('button', { name: 'Update' }).click();
+    await expect(page.getByText('Algorithm EdDSA')).toBeVisible();
+    await page.getByRole('link', { name: 'Keys' }).click();
+  });
+
+  await test.step('create assignment', async () => {
+    // create a group and entity for the assignment
+    await page.getByRole('link', { name: 'Groups' }).click();
+    await page.getByRole('link', { name: 'Create group' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('oidc-group');
+    await page.getByRole('button', { name: 'Create' }).click();
+    await page.getByRole('link', { name: 'Entities' }).click();
+    await page.getByRole('link', { name: 'Create entity' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('oidc-entity');
+    await page.getByRole('button', { name: 'Create' }).click();
+
+    await page.getByRole('link', { name: 'OIDC provider' }).click();
+    await page.getByRole('link', { name: 'Assignments' }).click();
+    await expect(page.locator('.list-item-row')).toHaveClass(/is-disabled/);
+
+    await page.getByRole('link', { name: 'Create assignment' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('oidc-assignment');
+    await page.getByLabel('Entities').getByText('Search').click();
+    await page.getByRole('button', { name: 'Create' }).click();
+    await expect(page.getByText('At least one entity or group')).toBeVisible();
+    await page.getByLabel('Groups').getByText('Search').click();
+    await page.getByRole('option', { name: 'oidc-group' }).click();
+    await page.getByRole('button', { name: 'Create' }).click();
+    await expect(page.getByRole('link', { name: 'oidc-group' })).toBeVisible();
+  });
+
+  await test.step('edit assignment', async () => {
+    await page.getByRole('link', { name: 'Edit assignment' }).click();
+    await page.getByLabel('Entities').getByText('Search').click();
+    await page.getByRole('option', { name: 'oidc-entity' }).click();
+    await page.getByRole('button', { name: 'Update' }).click();
+    await expect(page.getByRole('link', { name: 'oidc-entity' })).toBeVisible();
+    await page.getByRole('link', { name: 'Assignments' }).click();
+    await expect(page.getByRole('link', { name: 'oidc-assignment' })).toBeVisible();
+  });
+
+  await test.step('create provider', async () => {
+    await page.getByRole('link', { name: 'Providers' }).click();
+    await page.getByRole('link', { name: 'Create provider' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('oidc-provider');
+    await page.getByRole('radio', { name: 'Limit access to selected' }).check();
+    await page.getByLabel('Application name').getByText('Search').click();
+    await page.getByRole('option', { name: 'test-oidc-app' }).click();
+    await page.getByRole('button', { name: 'Create' }).click();
+    await expect(page.getByText('/v1/identity/oidc/provider/')).toBeVisible();
+  });
+
+  await test.step('create scope', async () => {
+    await page.getByRole('link', { name: 'Providers' }).click();
+    await page.getByRole('link', { name: 'Scopes' }).click();
+    await expect(page.getByRole('heading', { name: 'No scopes yet' })).toBeVisible();
+    await page.getByRole('link', { name: 'Create scope' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('oidc-scope');
+    await page.getByRole('textbox', { name: 'Description' }).fill('oidc scope description');
+    await page.getByRole('textbox', { name: 'JSON Template' }).fill(`{
+      "username": {{identity.entity.aliases.$MOUNT_ACCESSOR.name}},
+      "contact": {
+        "email": {{identity.entity.metadata.email}},
+        "phone_number": {{identity.entity.metadata.phone_number}}
+      },
+      "groups": {{identity.entity.groups.names}}
+    }`);
+    await page.getByRole('button', { name: 'Create' }).click();
+  });
+
+  await test.step('edit scope', async () => {
+    await page.getByRole('link', { name: 'Edit scope' }).click();
+    await page.getByRole('textbox', { name: 'Description' }).fill('updated description');
+    await page.getByRole('textbox', { name: 'JSON Template' }).fill(`{
+      "username": {{identity.entity.aliases.$MOUNT_ACCESSOR.name}},
+      "contact": {
+        "email": {{identity.entity.metadata.email}}
+      },
+      "groups": {{identity.entity.groups.names}}
+    }`);
+
+    await page.getByRole('button', { name: 'Update' }).click();
+    await expect(page.getByText('updated description')).toBeVisible();
+    await expect(page.getByText('"phone_number"')).not.toBeVisible();
+    await page.getByRole('link', { name: 'Scopes' }).click();
+    await expect(page.getByRole('link', { name: 'oidc-scope' })).toBeVisible();
+  });
+});
diff --git a/ui/e2e/tests/superuser/pki.spec.ts b/ui/e2e/tests/superuser/pki.spec.ts
new file mode 100644
index 0000000000..e5007aea81
--- /dev/null
+++ b/ui/e2e/tests/superuser/pki.spec.ts
@@ -0,0 +1,222 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import { ConfigurationSettingsPage } from '../../pages/configuration-settings';
+
+test('pki workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  // enable PKI secrets engine
+  await basePage.enableEngine('PKI Certificates', 'pki-engine', {
+    defaultLeaseTtl: { unit: 5, option: 'm' },
+    maxLeaseTtl: { unit: 10, option: 'm' },
+  });
+
+  // configure PKI Engine
+  await expect(page.getByRole('heading', { name: 'pki-engine' })).toContainText('pki-engine');
+  await expect(page.locator('section')).toContainText('PKI not configured');
+  await page.getByRole('link', { name: 'Configure PKI' }).click();
+  await expect(page.locator('section')).toContainText('Import a CA');
+  await expect(page.locator('section')).toContainText('Generate root');
+  await expect(page.locator('section')).toContainText('Generate intermediate CSR');
+  await page.locator('label').filter({ hasText: 'Generate root Generates a new' }).click();
+  await page.getByLabel('Type').selectOption('internal');
+  await page.getByRole('textbox', { name: 'Common name' }).fill('pki-common-name');
+  await page.getByRole('textbox', { name: 'Issuer name' }).fill('pki-issuer');
+  await page.getByRole('textbox', { name: 'Not valid after' }).fill('36000');
+  await page.getByLabel('TTL unit for Not before').selectOption('m');
+  await page.getByRole('textbox', { name: 'Number of units' }).fill('10');
+  await page.getByLabel('Format', { exact: true }).selectOption('der');
+  await page.getByRole('textbox', { name: 'Max path length' }).fill('16');
+  await page.getByRole('button', { name: 'Key parameters' }).click();
+  await page.getByRole('textbox', { name: 'Key name' }).fill('pki-key');
+  await page.getByLabel('Key type').selectOption('ed25519');
+  await page.getByRole('button', { name: 'Done' }).click();
+  await expect(page.getByRole('heading', { name: 'pki-engine configuration' })).toBeVisible();
+  await expect(page.getByRole('link', { name: 'PKI Certificates settings' })).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Generate policy' })).toBeVisible();
+  await expect(page.getByRole('link', { name: 'Exit configuration' })).toBeVisible();
+  await page.getByRole('link', { name: 'General settings' }).click();
+  await expect(page.getByRole('button', { name: 'Generate policy' })).not.toBeVisible();
+  await page.getByRole('link', { name: 'pki-engine', exact: true }).click();
+
+  // create role
+  await page.getByRole('link', { name: 'Roles', exact: true }).click();
+  await page.getByRole('link', { name: 'Create role' }).click();
+  await page.getByRole('textbox', { name: 'Role Name' }).fill('pki-role');
+  await expect(page.getByLabel('issuer_ref')).toContainText('pki-issuer');
+  await page.locator('label').filter({ hasText: 'Use default issuer' }).click();
+  await page.getByLabel('TTL unit for TTL').selectOption('m');
+  await page
+    .getByText('TTL Set relative certificate')
+    .getByRole('textbox', { name: 'Number of units' })
+    .fill('30');
+  await page.getByLabel('TTL unit for Backdate validity').selectOption('m');
+  await page
+    .getByRole('group', { name: 'Backdate validity Lease will' })
+    .getByLabel('Number of units')
+    .fill('10');
+  await page.locator('label').filter({ hasText: 'Max TTL Vault will use the' }).click();
+  await page.getByRole('button', { name: 'Domain handling' }).click();
+  await page.getByLabel('TTL unit for Max TTL').selectOption('m');
+  await page
+    .getByRole('group', { name: 'Max TTL Lease will expire' })
+    .getByLabel('Number of units')
+    .fill('50');
+  await page.getByRole('checkbox', { name: 'Allow any name' }).check();
+  await page.getByRole('button', { name: 'Create' }).click();
+  await page.getByRole('link', { name: 'Generate Certificate' }).click();
+  await page.getByRole('textbox', { name: 'Common name' }).fill('role-cert');
+  await page.getByRole('textbox', { name: 'Number of units' }).fill('1');
+  await page.getByLabel('TTL unit for TTL').selectOption('m');
+  await page.getByRole('button', { name: 'Generate' }).click();
+  await expect(page.getByLabel('Next steps')).toBeVisible();
+  // used for testing role certificate revocation as issuer certificates cannot be revoked via the UI currently
+  const roleSerialNumber = await page.getByText(/^[0-9a-f]{2}(?::[0-9a-f]{2}){9,}$/i).textContent();
+  await page.getByLabel('breadcrumbs').getByText('Roles').click();
+  await expect(page.locator('section')).toContainText('pki-role');
+
+  // view certificates
+  await page.getByRole('link', { name: 'Certificates' }).click();
+  await expect(page.getByLabel('certificate serial number')).toHaveCount(2);
+  await page.getByLabel('certificate serial number').filter({ hasText: roleSerialNumber }).click();
+  await expect(page.getByRole('heading', { name: 'View Certificate' })).toContainText('View Certificate');
+  const downloadPromise = page.waitForEvent('download');
+  await page.getByRole('button', { name: 'Download' }).click();
+  await expect(page.getByText('Your download has started')).toBeVisible();
+  const download = await downloadPromise;
+  expect(download.suggestedFilename()).toMatch(/\.pem$/);
+  await expect(page.getByText('Revocation time')).not.toBeVisible();
+  await page.getByRole('button', { name: 'Revoke certificate' }).click();
+  await page.getByRole('button', { name: 'Confirm' }).click();
+  await expect(page.getByText('Revocation time')).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Revoke certificate' })).not.toBeVisible();
+
+  // generate issuer
+  await page.getByRole('link', { name: 'pki-engine' }).click();
+  await page.getByRole('link', { name: 'Issuers', exact: true }).click();
+  await expect(page.getByRole('button', { name: 'Generate policy' })).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Manage', exact: true })).toBeVisible();
+  await page.getByRole('button', { name: 'Generate', exact: true }).click();
+  await page.getByRole('link', { name: 'Root', exact: true }).click();
+  await page.getByLabel('Type').selectOption('exported');
+  await page.getByRole('textbox', { name: 'Common name' }).fill('pki-common-name-exported');
+  await page.getByRole('textbox', { name: 'Issuer name' }).fill('pki-issuer-exported');
+  await page.getByRole('button', { name: 'Done' }).click();
+  await expect(page.getByRole('heading', { name: 'View generated root' })).toBeVisible();
+  await expect(page.getByLabel('Next steps')).toBeVisible();
+  await page.getByRole('button', { name: 'Done' }).click();
+
+  // generate keys
+  await page.getByRole('link', { name: 'Keys' }).click();
+  await expect(page.locator('section')).toContainText(
+    'Below is information about the private keys used by the issuers to sign certificates. While certificates represent a public assertion of an identity, private keys represent the private part of that identity, a secret used to prove who they are and who they trust.'
+  );
+  await expect(page.locator('section')).toContainText('pki-key');
+  await expect(page.getByRole('link', { name: 'pki-key' })).toBeVisible();
+  await page.getByRole('link', { name: 'Generate' }).click();
+  await page.getByRole('textbox', { name: 'Key name' }).fill('pki-generated-key');
+  await page.getByLabel('Type', { exact: true }).selectOption('internal');
+  await page.getByLabel('Key type').selectOption('rsa');
+  await page.getByLabel('Key bits').selectOption('3072');
+  await page.getByRole('button', { name: 'Generate key' }).click();
+  await expect(page.getByRole('heading', { name: 'View Key' })).toBeVisible();
+  await expect(page.locator('section')).toContainText('pki-generated-key');
+
+  // overview
+  await page.getByRole('link', { name: 'pki-engine' }).click();
+  await expect(page.locator('section')).toContainText(
+    'Issuers View issuers The total number of issuers in this PKI mount. Includes both root and intermediate certificates. 2'
+  );
+  await expect(page.locator('section')).toContainText(
+    'Roles View roles The total number of roles in this PKI mount that have been created to generate certificates. 1'
+  );
+  await expect(page.getByText('Issue certificate Begin')).toBeVisible();
+  await page.getByText('Type to find a role...').click();
+  await expect(page.getByRole('option', { name: 'pki-role' })).toBeVisible();
+  await expect(page.getByText('View certificate Quickly view')).toBeVisible();
+  await page.getByText('33:a3:').click();
+  await expect(page.getByRole('option', { name: roleSerialNumber })).toBeVisible();
+  await expect(page.getByText('View issuer Choose or type an')).toBeVisible();
+  await page.getByText('Type to find an issuer...').click();
+  await expect(page.getByRole('option').first()).toBeVisible();
+});
+
+test('pki tune workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  const configurationSettingsPage = new ConfigurationSettingsPage(page);
+
+  const path = 'pki-tune';
+  const engineType = 'pki';
+
+  await test.step('enable pki secrets engine mount', async () => {
+    await basePage.enableEngine(engineType, path, {
+      defaultLeaseTtl: { unit: 5, option: 'm' },
+      maxLeaseTtl: { unit: 10, option: 'm' },
+    });
+  });
+
+  await test.step('navigate to configuration page from manage dropdown and ensure plugin settings tab is active', async () => {
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.assertPluginSettingsTabActive(engineType);
+  });
+
+  await test.step('configure pki plugin settings', async () => {
+    await page.locator('label').filter({ hasText: 'Generate root Generates a new' }).click();
+    await page.getByLabel('Type').selectOption('exported');
+    await page.getByRole('textbox', { name: 'Common name' }).click();
+    await page.getByRole('textbox', { name: 'Common name' }).fill('common-name-1');
+    await page.getByRole('textbox', { name: 'Issuer name' }).click();
+    await page.getByRole('textbox', { name: 'Issuer name' }).fill('issue-name-1');
+    await page.getByRole('button', { name: 'Done' }).click();
+  });
+
+  await test.step('ensure pki plugin settings was saved', async () => {
+    await expect(page.getByLabel('Next steps')).toContainText(
+      'Next steps The private_key is only available once. Make sure you copy and save it now.'
+    );
+    await expect(page.locator('section')).toContainText('Common name common-name-1');
+    await expect(page.locator('section')).toContainText('Issuer name issue-name-1');
+    await page.getByRole('button', { name: 'Done' }).click();
+  });
+
+  // Navigate back to plugin settings page
+  await configurationSettingsPage.navigateToConfiguration(path);
+
+  await test.step('edit plugin settings configuration', async () => {
+    await page.getByRole('link', { name: 'Edit configuration' }).click();
+    await expect(page.locator('form')).toContainText('Cluster Config');
+    await expect(page.getByText("Mount's API path Specifies")).toBeVisible();
+    await page.getByRole('button', { name: 'Cancel' }).click();
+  });
+
+  await test.step('navigate and verify general settings form', async () => {
+    // General settings
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+    await configurationSettingsPage.editAndVerifyGeneralSettings(path, engineType);
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+  });
+
+  await test.step('ensure that we navigate back to the pki overview page when Exit configuration is clicked', async () => {
+    await expect(
+      page.getByText(`Vault Secrets engines ${path} ${path} Generate policy Manage`)
+    ).toBeVisible();
+  });
+
+  await test.step('verify unsaved changes modal works in general settings', async () => {
+    // Navigate back to general settings
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+
+    // Test Unsaved changes modal
+    await configurationSettingsPage.verifyUnsavedChangesModalOnNavigateAway(path);
+  });
+
+  await test.step('clean up and disable engine', async () => {
+    await basePage.disableEngine(path);
+  });
+});
diff --git a/ui/e2e/tests/superuser/policies.ent.spec.ts b/ui/e2e/tests/superuser/policies.ent.spec.ts
new file mode 100644
index 0000000000..a12200f7fc
--- /dev/null
+++ b/ui/e2e/tests/superuser/policies.ent.spec.ts
@@ -0,0 +1,99 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+
+test('rgp policy workflow', async ({ page }) => {
+  await page.goto('dashboard');
+  // nav to rgp policies and create a policy
+  await page.getByRole('link', { name: 'Access control' }).click();
+  await page.getByRole('link', { name: 'Role governing policies' }).click();
+  await page.getByRole('heading', { name: 'RGP policies', exact: true }).click();
+  await page.getByRole('link', { name: 'Create RGP policy' }).click();
+  await page.getByRole('textbox', { name: 'Policy name' }).fill('rgp-policy');
+  await page.getByRole('button', { name: 'How to write a policy' }).click();
+  await page.getByText('Here is an example policy').click();
+  await page.getByRole('button', { name: 'Copy' }).nth(1).click();
+  // access the clipboard to get the example policy
+  const clipboardValue = await page.evaluate(() => navigator.clipboard.readText());
+  await page.getByRole('button', { name: 'Close' }).click();
+  await page.getByRole('textbox', { name: 'Policy editor' }).fill(clipboardValue);
+  await page.getByLabel('Enforcement level').selectOption('advisory');
+  await page.getByRole('button', { name: 'Create policy' }).click();
+  await page.getByRole('heading', { name: 'rgp-policy' }).click();
+  await page.getByRole('button', { name: 'Download policy' }).click();
+  await expect(page.getByRole('alert', { name: 'Info' })).toBeVisible();
+  await expect(page.getByLabel('Enforcement level: advisory')).toBeVisible();
+
+  // edit
+  await page.getByRole('link', { name: 'Edit policy' }).click();
+  await page.getByLabel('Policy').clear();
+  const updatedValue = clipboardValue + '\n# just a comment';
+  await page.getByLabel('Policy').fill(updatedValue);
+  await page.getByLabel('Enforcement level', { exact: true }).selectOption('hard-mandatory');
+  await page.getByRole('button', { name: 'Save' }).click();
+  await expect(page.getByLabel('Enforcement level: hard-')).toBeVisible();
+  await expect(page.getByRole('code')).toContainText('# just a comment');
+
+  // delete
+  await page.getByRole('link', { name: 'Edit policy' }).click();
+  await page.getByRole('button', { name: 'Delete policy' }).click();
+  await page.getByRole('button', { name: 'Confirm' }).click();
+  await expect(page.getByRole('link', { name: 'rgp-policy', exact: true })).not.toBeVisible();
+});
+
+test('egp policy workflow', async ({ page }) => {
+  await page.goto('dashboard');
+  // nav to egp policies and create a policy
+  await page.getByRole('link', { name: 'Access control' }).click();
+  await page.getByRole('link', { name: 'Endpoint governing policies' }).click();
+  await page.getByRole('heading', { name: 'EGP policies', exact: true }).click();
+
+  await page.getByRole('link', { name: 'Create EGP policy' }).click();
+  await page.getByRole('textbox', { name: 'Policy name' }).fill('egp-policy');
+  await page.getByRole('button', { name: 'How to write a policy' }).click();
+
+  await page.getByText('Here is an example policy').click();
+  await page.getByRole('button', { name: 'Copy' }).nth(1).click();
+  // access the clipboard to get the example policy
+  const clipboardValue = await page.evaluate(() => navigator.clipboard.readText());
+  await page.getByRole('button', { name: 'Close' }).click();
+  await page.getByRole('textbox', { name: 'Policy editor' }).fill(clipboardValue);
+  await page.getByLabel('Enforcement level').selectOption('advisory');
+  await page.getByRole('textbox', { name: 'Paths list item' }).fill('foo');
+  await page.getByRole('button', { name: 'Add' }).click();
+  await page.getByRole('textbox', { name: 'Paths list item 1' }).fill('bar');
+  await page.getByRole('button', { name: 'Add' }).click();
+  await page.getByRole('button', { name: 'Create policy' }).click();
+  await page.getByRole('heading', { name: 'egp-policy' }).click();
+  await page.getByRole('button', { name: 'Download policy' }).click();
+  await expect(page.getByRole('alert', { name: 'Info' })).toBeVisible();
+  await expect(page.getByLabel('Enforcement level: advisory')).toBeVisible();
+  await expect(page.getByRole('listitem').filter({ hasText: 'foo' })).toBeVisible();
+  await expect(page.getByRole('listitem').filter({ hasText: 'bar' })).toBeVisible();
+
+  // edit
+  await page.getByRole('link', { name: 'Edit policy' }).click();
+  await page.getByLabel('Policy').clear();
+  const updatedValue = clipboardValue + '\n# just a comment';
+  await page.getByLabel('Policy').fill(updatedValue);
+  await page.getByLabel('Enforcement level', { exact: true }).selectOption('hard-mandatory');
+  await page.getByRole('button', { name: 'delete row' }).nth(1).click();
+  await page.getByRole('textbox', { name: 'Paths list item 1' }).fill('baz');
+  await page.getByRole('button', { name: 'Add' }).click();
+  await page.getByRole('button', { name: 'Save' }).click();
+  await expect(page.getByLabel('Enforcement level: hard-')).toBeVisible();
+  await page.getByRole('button', { name: 'Show more code' }).click();
+  await expect(page.getByText('# just a comment')).toBeVisible();
+  await expect(page.getByRole('listitem').filter({ hasText: 'foo' })).toBeVisible();
+  await expect(page.getByRole('listitem').filter({ hasText: 'bar' })).not.toBeVisible();
+  await expect(page.getByRole('listitem').filter({ hasText: 'baz' })).toBeVisible();
+
+  // delete
+  await page.getByRole('link', { name: 'Edit policy' }).click();
+  await page.getByRole('button', { name: 'Delete policy' }).click();
+  await page.getByRole('button', { name: 'Confirm' }).click();
+  await expect(page.getByRole('link', { name: 'egp-policy', exact: true })).not.toBeVisible();
+});
diff --git a/ui/e2e/tests/superuser/policies.spec.ts b/ui/e2e/tests/superuser/policies.spec.ts
new file mode 100644
index 0000000000..2294bbeb91
--- /dev/null
+++ b/ui/e2e/tests/superuser/policies.spec.ts
@@ -0,0 +1,74 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+
+test('acl policy workflow', async ({ page }) => {
+  await page.goto('dashboard');
+  // nav to acl policies and create a policy
+  await page.getByRole('link', { name: 'Access control' }).click();
+  await page.getByRole('link', { name: 'Create ACL policy' }).click();
+  await page.getByRole('textbox', { name: 'Policy name' }).fill('acl-policy');
+  await page.getByRole('textbox', { name: 'Resource path' }).fill('kv');
+  await page.getByRole('checkbox', { name: 'read' }).check();
+  await page.getByRole('checkbox', { name: 'update' }).check();
+  await page.getByRole('switch', { name: 'Show preview' }).click();
+  await expect(page.getByRole('code')).toContainText('path "kv" { capabilities = ["read", "update"] }');
+  await page.getByRole('switch', { name: 'Hide preview' }).click();
+  await page.getByRole('button', { name: 'Add rule' }).click();
+  await page.getByRole('textbox', { name: 'Resource path' }).nth(1).fill('pki');
+  await page.getByRole('checkbox', { name: 'list' }).nth(1).check();
+  await page.getByRole('checkbox', { name: 'patch' }).nth(1).check();
+  await page.getByRole('button', { name: 'Add rule' }).click();
+  await page.getByRole('textbox', { name: 'Resource path' }).nth(2).fill('totp');
+  await page.getByRole('checkbox', { name: 'create' }).nth(2).check();
+  // check snippets
+  await page.getByRole('button', { name: 'Automation snippets' }).click();
+  await expect(page.getByRole('code')).toContainText(
+    'resource "vault_policy" "<local identifier>" { name = "acl-policy" policy = <<EOT path "kv" { capabilities = ["read", "update"] } path "pki" { capabilities = ["list", "patch"] } path "totp" { capabilities = ["create"] } EOT }'
+  );
+  await page.getByRole('tab', { name: 'CLI' }).click();
+  await expect(page.getByText('vault policy write acl-policy')).toBeVisible();
+  await page.getByRole('button', { name: 'Delete' }).nth(2).click();
+  await expect(page.getByRole('code')).toContainText(
+    'vault policy write acl-policy - <<EOT path "kv" { capabilities = ["read", "update"] } path "pki" { capabilities = ["list", "patch"] } EOT'
+  );
+  // check change detection
+  await page.getByRole('radio', { name: 'Code editor' }).check();
+  await expect(page.getByRole('heading', { name: 'Policy editor' })).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Switch and discard changes' })).not.toBeVisible();
+  await page.getByRole('radio', { name: 'Visual editor' }).check();
+  await page.getByRole('radio', { name: 'Code editor' }).check();
+  await page.getByRole('textbox', { name: 'Policy editor' }).clear();
+  await page
+    .getByRole('textbox', { name: 'Policy editor' })
+    .fill(
+      'vault policy write acl-policy - <<EOT path "kv" { capabilities = ["read"] } path "pki" { capabilities = ["list", "patch"] } EOT'
+    );
+  await page.getByRole('radio', { name: 'Visual editor' }).click();
+  await page.getByRole('button', { name: 'Switch and discard changes' }).click();
+  await expect(page.getByRole('code')).toContainText(
+    'EOT path "kv" { capabilities = ["read", "update"] } path "pki" { capabilities = ["list", "patch"] } EOT'
+  );
+  await page.getByRole('button', { name: 'Create policy' }).click();
+  await expect(page.getByRole('heading', { name: 'acl-policy' })).toBeVisible();
+  await page.getByRole('button', { name: 'Download policy' }).click();
+  await expect(page.getByRole('alert', { name: 'Info' })).toBeVisible();
+  await expect(page.getByText('Policy HCL format')).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Automation snippets' })).toBeVisible();
+
+  // edit
+  await page.getByRole('link', { name: 'Edit policy' }).click();
+  await page.getByLabel('Policy').clear();
+  await page.getByLabel('Policy').fill('path "kv" { capabilities = ["read", "update"] }');
+  await page.getByRole('button', { name: 'Save' }).click();
+  await expect(page.getByLabel('Policy')).toContainText('path "kv" { capabilities = ["read", "update"] }');
+
+  // delete
+  await page.getByRole('link', { name: 'Edit policy' }).click();
+  await page.getByRole('button', { name: 'Delete policy' }).click();
+  await page.getByRole('button', { name: 'Confirm' }).click();
+  await expect(page.getByRole('link', { name: 'acl-policy', exact: true })).not.toBeVisible();
+});
diff --git a/ui/e2e/tests/superuser/seal.spec.ts b/ui/e2e/tests/superuser/seal.spec.ts
new file mode 100644
index 0000000000..aa16ed86cd
--- /dev/null
+++ b/ui/e2e/tests/superuser/seal.spec.ts
@@ -0,0 +1,28 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import fs from 'fs';
+import path from 'path';
+
+const keysPath = path.resolve(__dirname, '../../tmp/superuser-keys.json');
+
+test('sealing/unsealing workflow', async ({ page }) => {
+  await page.goto('dashboard');
+  await page.getByRole('link', { name: 'Resilience and recovery' }).click();
+  await page.getByRole('link', { name: 'Seal Vault' }).click();
+  await page.getByRole('button', { name: 'Seal' }).click();
+  await page.getByRole('button', { name: 'Confirm' }).click();
+  await expect(page.getByText('Vault is sealed')).toBeVisible();
+
+  // unseal vault for sequential tests
+  const { keys, root_token } = JSON.parse(fs.readFileSync(keysPath, 'utf-8'));
+  await page.getByRole('textbox', { name: 'Unseal Key Portion' }).fill(keys[0]);
+  await page.getByRole('button', { name: 'Unseal' }).click();
+  await page.getByRole('textbox', { name: 'Token' }).fill(root_token);
+  await page.getByRole('button', { name: 'Sign in' }).click();
+  await expect(page.getByRole('button', { name: 'root' })).toBeVisible();
+  await expect(page.getByRole('link', { name: 'Dashboard' })).toBeVisible();
+});
diff --git a/ui/e2e/tests/superuser/sync-destinations.spec.ts b/ui/e2e/tests/superuser/sync-destinations.spec.ts
new file mode 100644
index 0000000000..1ae4fcc648
--- /dev/null
+++ b/ui/e2e/tests/superuser/sync-destinations.spec.ts
@@ -0,0 +1,190 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect, Page } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import {
+  SYNC_DESTINATION_AWS_WIF_RESPONSE,
+  SYNC_DESTINATION_AZURE_WIF_RESPONSE,
+  SYNC_DESTINATION_GCP_WIF_RESPONSE,
+} from '../../../tests/helpers/sync/mocks';
+
+/**
+ * Navigate to the sync destination creation form
+ * @param page - The Playwright page object
+ * @param type - The destination type ('aws-sm', 'azure-kv', 'gcp-sm')
+ */
+async function openCreateDestinationForm(page: Page, type: string) {
+  await page.goto('dashboard');
+  await page.getByRole('link', { name: 'Secrets', exact: true }).click();
+  await page.getByRole('link', { name: 'Secrets sync' }).click();
+
+  const enableButton = page.getByRole('button', { name: 'Enable' });
+  // waitFor auto-waits for the page to render after navigation; catch means secrets sync is already activated
+  const needsActivation = await enableButton
+    .waitFor({ state: 'visible', timeout: 100 })
+    .then(() => true)
+    .catch(() => false);
+  if (needsActivation) {
+    await enableButton.click();
+    await page.getByRole('checkbox', { name: "I've read the above linked" }).check();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+  }
+
+  await page.getByRole('link', { name: 'Create first destination' }).click();
+  await page.locator(`[data-test-select-destination="${type}"]`).click();
+}
+
+test('sync destination wif workflow for aws', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  // Set up route mocks before any navigation
+  await page.route('**/v1/sys/sync/destinations/aws-sm/test-aws', async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify(SYNC_DESTINATION_AWS_WIF_RESPONSE),
+    });
+  });
+
+  await test.step('navigate to open new create destination form for AWS Secrets Manager', async () => {
+    await openCreateDestinationForm(page, 'aws-sm');
+  });
+  await expect(page.getByRole('radio', { name: 'Workload Identity Federation' })).toBeVisible();
+  await page.getByRole('radio', { name: 'Workload Identity Federation' }).check();
+  await page.getByRole('button', { name: 'Create destination' }).click();
+
+  await expect(page.getByText('Name is required.')).toBeVisible();
+  await expect(page.getByText('Role ARN is required.')).toBeVisible();
+  await expect(page.getByText('Identity token audience is required.')).toBeVisible();
+
+  await page.getByRole('textbox', { name: 'Name' }).fill('test-aws');
+  await page.getByRole('textbox', { name: 'Role ARN' }).fill('arn:aws:iam::111111111111:role/wif_test');
+  await page
+    .getByRole('textbox', { name: 'identity_token_audience' })
+    .fill('vault-test.wif-test.sbx.hashidemos.io/v1/identity/oidc/secrets-sync');
+
+  // Set up response watchers before clicking to avoid missing fast responses
+  const postResponse = page.waitForResponse(
+    (resp) =>
+      resp.url().includes('/v1/sys/sync/destinations/aws-sm/test-aws') && resp.request().method() === 'POST'
+  );
+  const getResponse = page.waitForResponse(
+    (resp) =>
+      resp.url().includes('/v1/sys/sync/destinations/aws-sm/test-aws') && resp.request().method() === 'GET'
+  );
+
+  await page.getByRole('button', { name: 'Create destination' }).click();
+  await Promise.all([postResponse, getResponse]);
+  await expect(page.getByText('Connection successful', { exact: true })).toBeVisible();
+  await expect(page.getByText('You have successfully created a sync destination')).toBeVisible();
+  await basePage.dismissFlashMessages();
+
+  // Verify that the details page shows the correct information from the mocked response
+  await expect(page.getByRole('heading', { name: 'test-aws' })).toBeVisible();
+  await expect(page.getByText('WIF', { exact: true })).toBeVisible();
+});
+
+test('sync destination wif workflow for azure', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  await page.route('**/v1/sys/sync/destinations/azure-kv/test-azure', async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify(SYNC_DESTINATION_AZURE_WIF_RESPONSE),
+    });
+  });
+
+  await test.step('navigate to open new create destination form for Azure Key Vault', async () => {
+    await openCreateDestinationForm(page, 'azure-kv');
+  });
+  await expect(page.getByRole('radio', { name: 'Workload Identity Federation' })).toBeVisible();
+  await page.getByRole('radio', { name: 'Workload Identity Federation' }).check();
+  await page.getByRole('button', { name: 'Create destination' }).click();
+
+  await expect(page.getByText('Name is required.')).toBeVisible();
+  await expect(page.getByText('Key Vault URI is required.')).toBeVisible();
+  await expect(page.getByText('Tenant ID is required.')).toBeVisible();
+  await expect(page.getByText('Client ID is required.')).toBeVisible();
+  await expect(page.getByText('Identity token audience is required.')).toBeVisible();
+
+  await page.getByRole('textbox', { name: 'Name' }).fill('test-azure');
+  await page.getByRole('textbox', { name: 'Key Vault URI' }).fill('https://test-keyvault.vault.azure.net');
+  await page.getByRole('textbox', { name: 'Tenant ID' }).fill('11111111-1111-1111-1111-111111111111');
+  await page.getByRole('textbox', { name: 'Client ID' }).fill('test-client-id');
+  await page
+    .getByRole('textbox', { name: 'identity_token_audience' })
+    .fill('https://test-audience.azure.com');
+
+  const postResponse = page.waitForResponse(
+    (resp) =>
+      resp.url().includes('/v1/sys/sync/destinations/azure-kv/test-azure') &&
+      resp.request().method() === 'POST'
+  );
+  const getResponse = page.waitForResponse(
+    (resp) =>
+      resp.url().includes('/v1/sys/sync/destinations/azure-kv/test-azure') &&
+      resp.request().method() === 'GET'
+  );
+
+  await page.getByRole('button', { name: 'Create destination' }).click();
+  await Promise.all([postResponse, getResponse]);
+  await expect(page.getByText('Connection successful', { exact: true })).toBeVisible();
+  await expect(page.getByText('You have successfully created a sync destination')).toBeVisible();
+  await basePage.dismissFlashMessages();
+
+  await expect(page.getByRole('heading', { name: 'test-azure' })).toBeVisible();
+  await expect(page.getByText('WIF', { exact: true })).toBeVisible();
+});
+
+test('sync destination wif workflow for gcp', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  await page.route('**/v1/sys/sync/destinations/gcp-sm/test-gcp', async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify(SYNC_DESTINATION_GCP_WIF_RESPONSE),
+    });
+  });
+
+  await test.step('navigate to open new create destination form for Google Secret Manager', async () => {
+    await openCreateDestinationForm(page, 'gcp-sm');
+  });
+  await expect(page.getByRole('radio', { name: 'Workload Identity Federation' })).toBeVisible();
+  await page.getByRole('radio', { name: 'Workload Identity Federation' }).check();
+  await page.getByRole('button', { name: 'Create destination' }).click();
+
+  await expect(page.getByText('Name is required.')).toBeVisible();
+  await expect(page.getByText('Project ID is required.')).toBeVisible();
+  await expect(page.getByText('Service account email is required.')).toBeVisible();
+  await expect(page.getByText('Identity token audience is required.')).toBeVisible();
+
+  await page.getByRole('textbox', { name: 'Name' }).fill('test-gcp');
+  await page.getByRole('textbox', { name: 'Project ID' }).fill('test-gcp-project');
+  await page
+    .getByRole('textbox', { name: 'Service account email' })
+    .fill('test-sa@test-gcp-project.iam.gserviceaccount.com');
+  await page.getByRole('textbox', { name: 'identity_token_audience' }).fill('https://test-audience.gcp.com');
+
+  const postResponse = page.waitForResponse(
+    (resp) =>
+      resp.url().includes('/v1/sys/sync/destinations/gcp-sm/test-gcp') && resp.request().method() === 'POST'
+  );
+  const getResponse = page.waitForResponse(
+    (resp) =>
+      resp.url().includes('/v1/sys/sync/destinations/gcp-sm/test-gcp') && resp.request().method() === 'GET'
+  );
+
+  await page.getByRole('button', { name: 'Create destination' }).click();
+  await Promise.all([postResponse, getResponse]);
+  await expect(page.getByText('Connection successful', { exact: true })).toBeVisible();
+  await expect(page.getByText('You have successfully created a sync destination')).toBeVisible();
+  await basePage.dismissFlashMessages();
+
+  await expect(page.getByRole('heading', { name: 'test-gcp' })).toBeVisible();
+  await expect(page.getByText('WIF', { exact: true })).toBeVisible();
+});
diff --git a/ui/e2e/tests/superuser/tools.spec.ts b/ui/e2e/tests/superuser/tools.spec.ts
index 3a5f1e0d9d..f9e25068b3 100644
--- a/ui/e2e/tests/superuser/tools.spec.ts
+++ b/ui/e2e/tests/superuser/tools.spec.ts
@@ -16,7 +16,7 @@ test('tools workflow', async ({ page }) => {
   await page.getByRole('textbox', { name: 'Value' }).fill('bar');
   await page.locator('label').filter({ hasText: 'Wrap TTL Vault will use the' }).click();
   await page.getByRole('textbox', { name: 'Number of units' }).fill('20');
-  await page.getByLabel('ttl-unit').selectOption('h');
+  await page.getByLabel('TTL unit for Wrap TTL').selectOption('h');
   await page.getByRole('button', { name: 'Wrap data' }).click();
   await page.getByRole('button', { name: 'copy hvs.' }).click();
   // access the clipboard to get the copied token value
@@ -65,5 +65,4 @@ test('tools workflow', async ({ page }) => {
   await expect(page.locator('#operations-0-tokenLookUpAccessor')).toContainText(
     '/auth/token/lookup-accessor'
   );
-  await expect(page.locator('#operations-0-tokenLookUpAccessor')).toContainText('tokenLookUpAccessor');
 });
diff --git a/ui/e2e/tests/superuser/transform.spec.ts b/ui/e2e/tests/superuser/transform.spec.ts
new file mode 100644
index 0000000000..efb7851318
--- /dev/null
+++ b/ui/e2e/tests/superuser/transform.spec.ts
@@ -0,0 +1,139 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { expect, test } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import { ConfigurationSettingsPage } from '../../pages/configuration-settings';
+
+test('transform workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  await test.step('enable Transform secrets engine mount', async () => {
+    await basePage.enableEngine('Transform', 'transform-test');
+  });
+
+  await test.step('Transform secrets engine mount saved successfully', async () => {
+    await expect(page.getByText('Success', { exact: true })).toBeVisible();
+    await expect(page.getByText('Successfully mounted the')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('Transformation can be created', async () => {
+    await page.getByRole('link', { name: 'Create transformation' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('test-transformation');
+    await page.getByRole('checkbox', { name: 'Allow deletion' }).check();
+    await page.getByLabel('Template').getByText('Search').click();
+    await page.getByRole('option', { name: 'builtin/socialsecuritynumber' }).click();
+    await page.getByRole('button', { name: 'Create transformation' }).click();
+    await page.getByRole('link', { name: 'transform-test' }).click();
+    await expect(page.getByText('test-transformation', { exact: true })).toBeVisible();
+  });
+
+  await test.step('Role can be created', async () => {
+    await page.getByRole('link', { name: 'Roles' }).click();
+    await expect(page.getByRole('heading', { name: 'No roles in this backend' })).toBeVisible();
+    await expect(page.getByText('Roles in this backend will be')).toBeVisible();
+    await page.getByRole('link', { name: 'Create role' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('test-role');
+    await page.getByText('Search').click();
+    await page.getByRole('option', { name: 'test-transformation' }).click();
+    await page.getByRole('button', { name: 'Create role' }).click();
+  });
+
+  await test.step('Template can be created', async () => {
+    await page.getByRole('link', { name: 'transform-test' }).click();
+    await page.getByRole('link', { name: 'Templates' }).click();
+    await page.getByRole('link', { name: 'Create template' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('test-template');
+    await page.getByRole('textbox', { name: 'Pattern' }).fill('`^(19)');
+    await page.getByText('Search').click();
+    await page.getByRole('option', { name: 'builtin/alphalower' }).click();
+    await page.getByRole('button', { name: 'Create template' }).click();
+  });
+
+  await test.step('Template saved successfully', async () => {
+    await expect(page.getByText('Success')).toBeVisible();
+    await expect(page.getByText('Transform template saved.')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('Alphabet can be created', async () => {
+    await page.getByRole('link', { name: 'transform-test' }).click();
+    await page.getByRole('link', { name: 'Alphabets' }).click();
+    await page.getByRole('link', { name: 'Create alphabet' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).click();
+    await page.getByRole('textbox', { name: 'Name' }).fill('test-alphabet');
+    await page.getByRole('textbox', { name: 'Alphabet' }).click();
+    await page.getByRole('textbox', { name: 'Alphabet' }).fill('abc');
+    await page.getByRole('button', { name: 'Create alphabet' }).click();
+  });
+
+  await test.step('Alphabet saved successfully', async () => {
+    await expect(page.getByText('Success')).toBeVisible();
+    await expect(page.getByText('Alphabet saved.')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+
+  await test.step('Transform mount can be configured/updated', async () => {
+    await page.getByRole('link', { name: 'transform-test' }).click();
+    await page.getByRole('button', { name: 'Manage', exact: true }).click();
+    await page.getByRole('link', { name: 'Configure' }).click();
+    await page.getByRole('textbox', { name: 'Description' }).click();
+    await page.getByRole('textbox', { name: 'Description' }).fill('My transform secrets engine. test');
+    await page.getByRole('button', { name: 'Save changes' }).click();
+  });
+
+  await test.step('Transform mount updated successfully', async () => {
+    await expect(page.getByText('Configuration saved')).toBeVisible();
+    await expect(page.getByText('Engine settings successfully')).toBeVisible();
+    await page.getByRole('button', { name: 'Dismiss' }).click();
+  });
+});
+
+test('transform tune workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  const configurationSettingsPage = new ConfigurationSettingsPage(page);
+
+  const path = 'transform-tune';
+  const engineType = 'transform';
+
+  await test.step('enable transform secrets engine mount', async () => {
+    await basePage.enableEngine(engineType, path);
+  });
+
+  await test.step('navigate to configuration page from manage dropdown ', async () => {
+    await configurationSettingsPage.navigateToConfiguration(path);
+  });
+
+  // transform does not have plugin settings, so we only need to test for general settings
+
+  await test.step('navigate and verify general settings form', async () => {
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+    await configurationSettingsPage.editAndVerifyGeneralSettings(path, engineType);
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+  });
+
+  await test.step('ensure that we navigate back to the transform overview page when Exit configuration is clicked', async () => {
+    await expect(
+      page
+        .locator('div')
+        .filter({ hasText: `${path} Manage Create transformation` })
+        .nth(3)
+    ).toBeVisible();
+  });
+
+  await test.step('verify unsaved changes modal works in general settings', async () => {
+    // Navigate back to general settings
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+
+    // Test Unsaved changes modal
+    await configurationSettingsPage.verifyUnsavedChangesModalOnNavigateAway(path);
+  });
+
+  await test.step('clean up and disable engine', async () => {
+    await basePage.disableEngine(path);
+  });
+});
diff --git a/ui/e2e/tests/superuser/transit.spec.ts b/ui/e2e/tests/superuser/transit.spec.ts
new file mode 100644
index 0000000000..c9c53add68
--- /dev/null
+++ b/ui/e2e/tests/superuser/transit.spec.ts
@@ -0,0 +1,131 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+import { BasePage } from '../../pages/base';
+import { ConfigurationSettingsPage } from '../../pages/configuration-settings';
+
+test('transit workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+
+  // enable Transit Engine
+  await basePage.enableEngine('Transit', 'transit-workflow');
+
+  // create key
+  await page.getByRole('link', { name: 'Create key' }).click();
+  await page.getByRole('textbox', { name: 'Name' }).fill('testKey');
+  await page.getByRole('button', { name: 'Create key' }).click();
+  await expect(page.getByLabel('breadcrumbs').getByText('testKey')).toBeVisible();
+  await basePage.dismissFlashMessages();
+
+  // rotate key
+  await page.getByRole('link', { name: 'Versions' }).click();
+  await page.getByRole('button', { name: 'Rotate key' }).click();
+  await page.getByRole('button', { name: 'Confirm' }).click();
+  //verify a new version is created after rotation
+  await expect(page.getByText('Version 2')).toBeVisible();
+
+  // encrypt text
+  await page.getByRole('link', { name: 'Key Actions' }).click();
+  await page.getByRole('link', { name: 'Encrypt Looks up wrapping' }).click();
+  await page.getByRole('textbox', { name: 'Plaintext' }).fill('testString');
+  await page.getByRole('button', { name: 'Encrypt' }).click();
+
+  // grab the generated ciphertext and copy it to clipboard
+  await page.getByRole('button', { name: 'copy vault:v2:' }).click();
+  await page.getByRole('button', { name: 'Close' }).click();
+
+  // decrypt text
+  await page.getByRole('link', { name: 'Decrypt' }).click();
+  await page.getByRole('textbox', { name: 'Ciphertext' }).press('ControlOrMeta+v');
+  await page.getByRole('button', { name: 'Decrypt' }).click();
+  await expect(page.getByText('Copy your unwrapped data')).toBeVisible();
+  await page.getByRole('button', { name: 'copy dGVzdFN0cmluZw==' }).click();
+  await page.getByRole('button', { name: 'Close' }).click();
+
+  // generate datakey
+  await page.getByRole('link', { name: 'Datakey' }).click();
+  await page.getByRole('button', { name: 'Create datakey' }).click();
+  await page.locator('html').click();
+  await expect(page.getByText('Copy your generated key')).toBeVisible();
+  await page.getByRole('button', { name: 'copy vault:v2:' }).click();
+  await page.getByRole('button', { name: 'Close' }).click();
+
+  // rewrap key
+  await page.getByRole('link', { name: 'Rewrap' }).click();
+  await page.getByRole('textbox', { name: 'Ciphertext' }).press('ControlOrMeta+v');
+  await page.getByRole('button', { name: 'Rewrap' }).click();
+  await expect(page.getByText('Copy your token')).toBeVisible();
+  await page.getByRole('button', { name: 'Close' }).click();
+
+  // HMAC generate
+  await page.getByRole('link', { name: 'HMAC' }).click();
+  await page.getByRole('textbox', { name: 'Input' }).fill('test');
+  await page.getByRole('button', { name: 'HMAC' }).click();
+  await expect(page.getByText('Copy your unwrapped data')).toBeVisible();
+  await page.getByRole('button', { name: 'copy vault:v2:' }).click();
+  await page.getByRole('button', { name: 'Close' }).click();
+
+  // HMAC verify
+  await page.getByRole('link', { name: 'Verify' }).click();
+  //verify test and hmac is prefilled from previous step
+  await expect(
+    page
+      .getByLabel('Input')
+      .locator('div')
+      .filter({ hasText: /^test$/ })
+  ).toBeVisible();
+  await expect(page.getByText(/vault:v2:.*/)).toBeVisible();
+  await page.getByRole('button', { name: 'Verify' }).click();
+
+  await expect(page.getByText('Results Valid')).toBeVisible();
+  await page.getByRole('button', { name: 'Close' }).click();
+});
+
+test('transit tune workflow', async ({ page }) => {
+  const basePage = new BasePage(page);
+  const configurationSettingsPage = new ConfigurationSettingsPage(page);
+
+  const path = 'transit-tune';
+  const engineType = 'transit';
+
+  await test.step('enable Transit secrets engine mount', async () => {
+    await basePage.enableEngine(engineType, path);
+  });
+
+  await test.step('navigate to configuration page from manage dropdown ', async () => {
+    await configurationSettingsPage.navigateToConfiguration(path);
+  });
+
+  // Transit does not have plugin settings, so we only need to test for general settings
+
+  await test.step('navigate and verify general settings form', async () => {
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+    await configurationSettingsPage.editAndVerifyGeneralSettings(path, engineType);
+    await page.getByRole('link', { name: 'Exit configuration' }).click();
+  });
+
+  await test.step('ensure that we navigate back to the transit overview page when Exit configuration is clicked', async () => {
+    await expect(
+      page
+        .locator('div')
+        .filter({ hasText: `${path} Manage Create key` })
+        .nth(3)
+    ).toBeVisible();
+  });
+
+  await test.step('verify unsaved changes modal works in general settings', async () => {
+    // Navigate back to general settings
+    await configurationSettingsPage.navigateToConfiguration(path);
+    await configurationSettingsPage.navigateToGeneralSettings(engineType);
+
+    // Test Unsaved changes modal
+    await configurationSettingsPage.verifyUnsavedChangesModalOnNavigateAway(path);
+  });
+
+  await test.step('clean up and disable engine', async () => {
+    await basePage.disableEngine(path);
+  });
+});
diff --git a/ui/e2e/tests/superuser/userpass.spec.ts b/ui/e2e/tests/superuser/userpass.spec.ts
new file mode 100644
index 0000000000..1a60656d6a
--- /dev/null
+++ b/ui/e2e/tests/superuser/userpass.spec.ts
@@ -0,0 +1,58 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { test, expect } from '@playwright/test';
+
+test('userpass workflow', async ({ page }) => {
+  await test.step('enable userpass auth method', async () => {
+    await page.goto('dashboard');
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await page.getByRole('link', { name: 'Enable new method' }).click();
+    await page.getByLabel('Userpass - enabled engine type').click();
+    await page.getByRole('textbox', { name: 'Path' }).fill('test-userpass');
+    await page.getByRole('button', { name: 'Enable method' }).click();
+  });
+
+  await test.step('create a test user', async () => {
+    await page.getByRole('link', { name: 'View method' }).click();
+    await page.getByLabel('toolbar actions').getByRole('link', { name: 'Create user' }).click();
+    await page.getByRole('textbox', { name: 'Username' }).fill('testUser');
+    await page.getByRole('textbox', { name: 'password', exact: true }).fill('test');
+    await page.getByRole('button', { name: 'Save' }).click();
+    await expect(page.getByRole('link', { name: 'testuser', exact: true })).toBeVisible();
+  });
+
+  await test.step('log in with new user', async () => {
+    await page.getByRole('button', { name: 'User menu' }).click();
+    await page.getByRole('button', { name: 'Copy token' }).click();
+    await page.getByRole('link', { name: 'Log out' }).click();
+    await page.getByLabel('Method').selectOption('userpass');
+    await page.getByRole('textbox', { name: 'Username' }).fill('testUser');
+    await page.getByRole('textbox', { name: 'Password' }).fill('test');
+    await page.getByRole('button', { name: 'Advanced settings' }).click();
+    await page.getByRole('textbox', { name: 'Mount path' }).fill('test-userpass');
+    await page.getByRole('button', { name: 'Sign in' }).click();
+  });
+
+  await test.step('verify login was successful', async () => {
+    await page.getByRole('button', { name: 'User menu' }).click();
+    await expect(page.getByText('Testuser')).toBeVisible();
+  });
+
+  await test.step('disable test-userpass auth method', async () => {
+    await page.getByRole('link', { name: 'Log out' }).click();
+    await page.getByLabel('Method').selectOption('token');
+    // get token value from clipboard that we copied before logging out
+    const suToken = await page.evaluate(() => navigator.clipboard.readText());
+    await page.getByRole('textbox', { name: 'Token' }).fill(suToken);
+    await page.getByRole('button', { name: 'Sign in' }).click();
+    await page.getByRole('link', { name: 'Access control' }).click();
+    await page.getByRole('link', { name: 'Authentication methods' }).click();
+    await page.getByRole('link', { name: 'Type of auth mount test-' }).getByLabel('Overflow options').click();
+    await page.getByRole('button', { name: 'Disable' }).click();
+    await page.getByRole('button', { name: 'Confirm' }).click();
+  });
+});
diff --git a/ui/ember-cli-build.js b/ui/ember-cli-build.js
index c087ad126d..97bb60765b 100644
--- a/ui/ember-cli-build.js
+++ b/ui/ember-cli-build.js
@@ -79,7 +79,6 @@ const appConfig = {
 module.exports = function (defaults) {
   const app = new EmberApp(defaults, appConfig);
 
-  app.import('node_modules/jsonlint/lib/jsonlint.js');
   app.import('node_modules/text-encoder-lite/text-encoder-lite.js');
   app.import('vendor/jsondiffpatch.umd.js');
   app.import('vendor/htmlformatter.umd.js');
@@ -89,6 +88,7 @@ module.exports = function (defaults) {
   app.import(
     'node_modules/@hashicorp/design-system-components/dist/styles/@hashicorp/design-system-components.css'
   );
+  app.import('node_modules/@carbon/charts/dist/styles.css');
 
   return app.toTree();
 };
diff --git a/ui/lib/config-ui/addon/components/login-settings/page/list.hbs b/ui/lib/config-ui/addon/components/login-settings/page/list.hbs
index c942b6473a..4f40783dc9 100644
--- a/ui/lib/config-ui/addon/components/login-settings/page/list.hbs
+++ b/ui/lib/config-ui/addon/components/login-settings/page/list.hbs
@@ -7,9 +7,15 @@
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
+  <:description>
+    Set a default and backup authentication methods to customize GUI login behavior.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/custom-login"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
 </Page::Header>
 
-<Toolbar />
+<Toolbar class="top-margin-16" />
 
 {{#if @loginRules}}
   {{#each @loginRules as |rule|}}
@@ -61,17 +67,21 @@
     </LinkedBlock>
   {{/each}}
 {{else}}
-  <EmptyState
-    @title="No UI login settings yet"
-    @message="Login settings can be used to customize which methods display in the web UI login form by setting a default and back up login methods. Available to be created via the CLI or HTTP API."
-  >
-    <Hds::Link::Standalone
-      @icon="docs-link"
-      @iconPosition="trailing"
-      @text="UI login settings documentation"
-      @href={{doc-link "/vault/docs/ui/custom-login"}}
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No UI login settings yet" @titleTag="h2" data-test-empty-state-title />
+    <A.Body
+      @text="Login settings can be used to customize which methods display in the web UI login form by setting a default and back up login methods. Available to be created via the CLI or HTTP API."
+      data-test-empty-state-message
     />
-  </EmptyState>
+    <A.Footer data-test-empty-state-actions as |F|>
+      <F.LinkStandalone
+        @icon="docs-link"
+        @iconPosition="trailing"
+        @text="UI login settings documentation"
+        @href={{doc-link "/vault/docs/ui/custom-login"}}
+      />
+    </A.Footer>
+  </Hds::ApplicationState>
 {{/if}}
 
 {{#if this.ruleToDelete}}
diff --git a/ui/lib/config-ui/addon/components/messages/page/list.hbs b/ui/lib/config-ui/addon/components/messages/page/list.hbs
index a822d10695..f6ffe2c83d 100644
--- a/ui/lib/config-ui/addon/components/messages/page/list.hbs
+++ b/ui/lib/config-ui/addon/components/messages/page/list.hbs
@@ -17,8 +17,9 @@
           @icon="trash"
           @isIconOnly={{true}}
           type="reset"
+          disabled={{not this.hasFiltersSelected}}
           {{on "click" this.resetFilters}}
-          data-test-filter-reset
+          data-test-button="reset"
         />
         <S.TextInput
           @value={{@params.pageFilter}}
@@ -28,13 +29,15 @@
           placeholder="Search by message title"
           aria-label="Search by message title"
           size="32"
-          data-test-filter-by="pageFilter"
+          {{on "input" this.updatePageFilter}}
+          data-test-filter="pageFilter"
         />
         <S.Select
           aria-label="Filter by message status"
           name="status"
           class="segment-filter {{unless @params.status 'has-text-grey'}}"
-          data-test-filter-by="status"
+          {{on "change" this.updateStatus}}
+          data-test-filter="status"
           as |S|
         >
           <S.Options>
@@ -48,7 +51,8 @@
           aria-label="Filter by type"
           name="type"
           class="segment-filter {{unless @params.status 'has-text-grey'}}"
-          data-test-filter-by="type"
+          {{on "change" this.updateType}}
+          data-test-filter="type"
           as |S|
         >
           <S.Options>
@@ -59,9 +63,9 @@
           </S.Options>
         </S.Select>
         <S.Button
-          @color="secondary"
           @text="Apply filters"
           @icon={{if this.handleSearch.isRunning "loading" "filter"}}
+          disabled={{not this.hasFiltersSelected}}
           type="submit"
           data-test-submit
         />
@@ -141,12 +145,16 @@
     @showSizeSelector={{false}}
     @totalItems={{@messages.meta.total}}
     @queryFunction={{this.paginationQueryParams}}
+    data-test-pagination
   />
 {{else}}
-  <EmptyState
-    @title="No messages yet"
-    @message="Add a custom message for all users after they log into Vault. Create message to get started."
-  />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No messages yet" @titleTag="h2" data-test-empty-state-title />
+    <A.Body
+      @text="Add a custom message for all users after they log into Vault. Create message to get started."
+      data-test-empty-state-message
+    />
+  </Hds::ApplicationState>
 {{/if}}
 
 {{#if this.showMaxMessageModal}}
diff --git a/ui/lib/config-ui/addon/components/messages/page/list.js b/ui/lib/config-ui/addon/components/messages/page/list.js
index 2b16326840..fef20d42a5 100644
--- a/ui/lib/config-ui/addon/components/messages/page/list.js
+++ b/ui/lib/config-ui/addon/components/messages/page/list.js
@@ -32,6 +32,9 @@ export default class MessagesList extends Component {
 
   @tracked showMaxMessageModal = false;
   @tracked messageToDelete = null;
+  @tracked pageFilterValue = this.args.params?.pageFilter || '';
+  @tracked statusValue = this.args.params?.status || '';
+  @tracked typeValue = this.args.params?.type || '';
 
   isStartTimeAfterToday = (message) => {
     return isAfter(message.start_time, timestamp.now());
@@ -58,13 +61,12 @@ export default class MessagesList extends Component {
           })}`;
           badgeColor = 'highlight';
         } else {
-          badgeDisplayText = `Inactive:  ${dateFormat([message.start_time, 'MMM d, yyyy hh:mm aaa'], {
+          badgeDisplayText = `Inactive: ${dateFormat([message.end_time, 'MMM d, yyyy hh:mm aaa'], {
             withTimeZone: true,
           })}`;
           badgeColor = 'neutral';
         }
       }
-
       message.badgeDisplayText = badgeDisplayText;
       message.badgeColor = badgeColor;
       return message;
@@ -87,6 +89,25 @@ export default class MessagesList extends Component {
     };
   }
 
+  get hasFiltersSelected() {
+    return !!(this.pageFilterValue || this.statusValue || this.typeValue);
+  }
+
+  @action
+  updatePageFilter(event) {
+    this.pageFilterValue = event.target.value;
+  }
+
+  @action
+  updateStatus(event) {
+    this.statusValue = event.target.value;
+  }
+
+  @action
+  updateType(event) {
+    this.typeValue = event.target.value;
+  }
+
   transitionToMessagesWithParams(queryParams) {
     this.router.transitionTo('vault.cluster.config-ui.messages', {
       // always reset back to page 1 when changing filters
@@ -126,6 +147,9 @@ export default class MessagesList extends Component {
 
   @action
   resetFilters() {
+    this.pageFilterValue = '';
+    this.statusValue = '';
+    this.typeValue = '';
     this.transitionToMessagesWithParams({ pageFilter: '', status: null, type: null });
   }
 
diff --git a/ui/lib/config-ui/addon/components/messages/tab-page-header.hbs b/ui/lib/config-ui/addon/components/messages/tab-page-header.hbs
index f5f522b144..90c4a7f091 100644
--- a/ui/lib/config-ui/addon/components/messages/tab-page-header.hbs
+++ b/ui/lib/config-ui/addon/components/messages/tab-page-header.hbs
@@ -7,6 +7,15 @@
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{@breadcrumbs}} />
   </:breadcrumbs>
+  <:description>
+    {{#if @showTabs}}
+      Configure global banners or modal notifications to display important system updates or compliance reminders to GUI
+      users.
+      <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/custom-msg"}}>
+        Learn more
+      </Hds::Link::Inline>
+    {{/if}}
+  </:description>
 </Page::Header>
 
 {{#if @showTabs}}
@@ -18,7 +27,7 @@
           <LinkTo
             class={{if @authenticated "active"}}
             @route="messages"
-            @query={{hash authenticated=true page=1}}
+            @query={{hash authenticated=true page=1 pageFilter=null status=null type=null}}
             data-test-custom-messages-tab="After user logs in"
           >
             After user logs in
@@ -28,7 +37,7 @@
           <LinkTo
             class={{unless @authenticated "active"}}
             @route="messages"
-            @query={{hash authenticated=false page=1}}
+            @query={{hash authenticated=false page=1 pageFilter=null status=null type=null}}
             data-test-custom-messages-tab="On login page"
           >
             On login page
diff --git a/ui/lib/config-ui/addon/routes/messages/index.js b/ui/lib/config-ui/addon/routes/messages/index.js
index 573eb67c3b..b70da29af6 100644
--- a/ui/lib/config-ui/addon/routes/messages/index.js
+++ b/ui/lib/config-ui/addon/routes/messages/index.js
@@ -57,7 +57,7 @@ export default class MessagesRoute extends Route {
       });
       const messages = paginate(data, {
         page,
-        pageSize: 2,
+        pageSize: 10,
         filter: pageFilter,
         filterKey: 'title',
       });
diff --git a/ui/lib/core/addon/components/certificate-card.js b/ui/lib/core/addon/components/certificate-card.js
deleted file mode 100644
index 10c0cd9907..0000000000
--- a/ui/lib/core/addon/components/certificate-card.js
+++ /dev/null
@@ -1,50 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-
-/**
- * @module CertificateCard
- * The CertificateCard component receives data and optionally receives a boolean declaring if that data is meant to be in PEM
- * Format. It renders using the Hds::Card::Container. To the left there is a certificate icon. In the center there is a label
- * which says which format (PEM or DER) the data is in. Below the label is the truncated data. To the right there is a copy
- * button to copy the data.
- *
- * @example
- *  <CertificateCard @isPem={{true}} @data="-----BEGIN CERTIFICATE-----MIIDezCCAmOgAwIBAgIUTBbQcZijQsmd0rjd6COikPsrGyowDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAxMJdGVzdC1yb290MB4XDTIzMDEyMDE3NTcxMloXDTIzMDIy" />
- *
- * @param {string} data - the data to be displayed in the component (usually in PEM or DER format)
- * @param {boolean} [isPem] - optional argument for if the data is required to be in PEM format (and should thus have the PEM Format label)
- */
-
-export default class CertificateCardComponent extends Component {
-  get certLabel() {
-    if (!this.args.data) return '';
-
-    const value = Array.isArray(this.args.data) ? this.args.data[0] : this.args.data;
-
-    if (value.substring(0, 11) === '-----BEGIN ' || this.args.isPem === true) {
-      return 'PEM Format';
-    }
-    return 'DER Format';
-  }
-
-  get copyValue() {
-    const { data } = this.args;
-    if (!data) return data;
-    const type = Array.isArray(data) ? 'array' : typeof data;
-    switch (type) {
-      case 'string':
-        return data;
-      case 'array':
-        return data.join('\n');
-      case 'object':
-        // unlikely for certificates but just in case
-        return JSON.stringify(data);
-      default:
-        return data.toString();
-    }
-  }
-}
diff --git a/ui/lib/core/addon/components/choose-pgp-key-form.hbs b/ui/lib/core/addon/components/choose-pgp-key-form.hbs
index a2daf5de24..c7fd1acc4b 100644
--- a/ui/lib/core/addon/components/choose-pgp-key-form.hbs
+++ b/ui/lib/core/addon/components/choose-pgp-key-form.hbs
@@ -28,7 +28,7 @@
         @color="secondary"
         @onError={{(fn (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger"))}}
         @isTruncated={{true}}
-        data-test-pgp-key-copy
+        data-test-copy-snippet="pgp-key"
         @container="#shamir-flow-modal"
       />
     </div>
@@ -41,7 +41,7 @@
         data-test-confirm-pgp-back-button
       />
 
-      <Hds::Button @text={{this.buttonText}} type="submit" disabled={{not this.pgpKey}} data-test-confirm-pgp-key-submit />
+      <Hds::Button @text={{this.buttonText}} type="submit" disabled={{not this.pgpKey}} data-test-submit />
     </Hds::ButtonSet>
   </form>
 {{else}}
@@ -49,7 +49,7 @@
     id="choose-pgp-key"
     {{on "submit" this.usePgpKey}}
     aria-label="provide PGP key"
-    data-test-choose-pgp-key-form="begin"
+    data-test-dr-token-flow-step="choose-pgp-key"
   >
     <div class="has-bottom-margin-m">
       <p data-test-choose-pgp-key-description>
@@ -58,14 +58,8 @@
       <PgpFile @index="" @key={{this.pgpKeyFile}} @onChange={{this.setKey}} />
     </div>
     <Hds::ButtonSet>
-      <Hds::Button
-        @text="Back"
-        @color="tertiary"
-        @icon="chevron-left"
-        {{on "click" @onCancel}}
-        data-test-use-pgp-key-cancel
-      />
-      <Hds::Button @text="Use PGP Key" type="submit" disabled={{not this.pgpKeyFile.value}} data-test-use-pgp-key-button />
+      <Hds::Button @text="Back" @color="tertiary" @icon="chevron-left" {{on "click" @onCancel}} data-test-cancel />
+      <Hds::Button @text="Use PGP Key" type="submit" disabled={{not this.pgpKeyFile.value}} data-test-button="use-pgp-key" />
     </Hds::ButtonSet>
   </form>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/code-generator/policy/builder.hbs b/ui/lib/core/addon/components/code-generator/policy/builder.hbs
index 9c40ff97ab..20bcdc7ef2 100644
--- a/ui/lib/core/addon/components/code-generator/policy/builder.hbs
+++ b/ui/lib/core/addon/components/code-generator/policy/builder.hbs
@@ -10,6 +10,7 @@
       @onChange={{this.updateStanzas}}
       @onDelete={{fn this.deleteStanza stanza}}
       @stanza={{stanza}}
+      @renderValidations={{@renderValidations}}
       class="has-bottom-margin-m"
     />
   {{/each}}
diff --git a/ui/lib/core/addon/components/code-generator/policy/builder.ts b/ui/lib/core/addon/components/code-generator/policy/builder.ts
index d31a36af9e..8e365e4fdb 100644
--- a/ui/lib/core/addon/components/code-generator/policy/builder.ts
+++ b/ui/lib/core/addon/components/code-generator/policy/builder.ts
@@ -5,11 +5,10 @@
 
 import { action } from '@ember/object';
 import Component from '@glimmer/component';
-import { formatStanzas, PolicyStanza } from 'core/utils/code-generators/policy';
+import { PolicyStanza } from 'core/utils/code-generators/policy';
 import { assert } from '@ember/debug';
 
 export interface PolicyData {
-  policy: string;
   stanzas: PolicyStanza[];
 }
 interface Args {
@@ -45,6 +44,6 @@ export default class CodeGeneratorPolicyBuilder extends Component<Args> {
   @action
   updateStanzas(stanzas?: PolicyStanza[]) {
     const updated = stanzas ?? this.args.stanzas;
-    this.args.onPolicyChange({ policy: formatStanzas(updated), stanzas: updated });
+    this.args.onPolicyChange({ stanzas: updated });
   }
 }
diff --git a/ui/lib/core/addon/components/code-generator/policy/flyout.hbs b/ui/lib/core/addon/components/code-generator/policy/flyout.hbs
index d67540b736..b99acf2fe9 100644
--- a/ui/lib/core/addon/components/code-generator/policy/flyout.hbs
+++ b/ui/lib/core/addon/components/code-generator/policy/flyout.hbs
@@ -28,7 +28,7 @@
         <Hds::Form id="flyout-policy-form" {{on "submit" (perform this.onSave)}} data-test-policy-form as |FORM|>
           {{#if this.errorMessage}}
             <FORM.Section @isFullWidth={{true}}>
-              <MessageError @errorMessage={{this.errorMessage}} />
+              <MessageError @errorMessage={{this.errorMessage}} @errorDetails={{this.errorDetails}} />
             </FORM.Section>
           {{/if}}
 
@@ -65,6 +65,7 @@
               @policyName={{this.policyName}}
               @onPolicyChange={{this.handlePolicyChange}}
               @stanzas={{this.stanzas}}
+              @renderValidations={{if (this.validationError "stanzas") true false}}
               data-test-field="visual editor"
             />
           </FORM.Section>
diff --git a/ui/lib/core/addon/components/code-generator/policy/flyout.ts b/ui/lib/core/addon/components/code-generator/policy/flyout.ts
index 796729aa66..8793c0aab1 100644
--- a/ui/lib/core/addon/components/code-generator/policy/flyout.ts
+++ b/ui/lib/core/addon/components/code-generator/policy/flyout.ts
@@ -36,10 +36,17 @@ export default class CodeGeneratorPolicyFlyout extends Component<Args> {
 
   validations: Validations = {
     name: [{ type: 'presence', message: 'Name is required.' }],
+    stanzas: [
+      {
+        validator: ({ stanzas }) =>
+          stanzas.length > 0 && stanzas.every((stanza: PolicyStanza) => stanza.isValid),
+        message: 'Invalid policy content.',
+      },
+    ],
   };
 
+  @tracked errorDetails: string[] = [];
   @tracked errorMessage = '';
-  @tracked policyContent = '';
   @tracked policyName = '';
   @tracked showFlyout = false;
   @tracked stanzas: PolicyStanza[] = this.defaultStanzas;
@@ -61,11 +68,14 @@ export default class CodeGeneratorPolicyFlyout extends Component<Args> {
   }
 
   @action
-  handlePolicyChange({ policy, stanzas }: PolicyData) {
-    this.policyContent = policy;
+  handlePolicyChange({ stanzas }: PolicyData) {
     this.stanzas = stanzas;
   }
 
+  get policyContent() {
+    return formatStanzas(this.stanzas);
+  }
+
   get snippetArgs() {
     const policyName = this.policyName || '<policy name>';
     const policy = formatStanzas(this.stanzas);
@@ -77,10 +87,15 @@ export default class CodeGeneratorPolicyFlyout extends Component<Args> {
     event.preventDefault();
     this.resetErrors();
 
-    const { isValid, state, invalidFormMessage } = validate({ name: this.policyName }, this.validations);
+    const { isValid, state } = validate({ name: this.policyName, stanzas: this.stanzas }, this.validations);
+
     if (!isValid) {
       this.validationErrors = state;
-      this.errorMessage = invalidFormMessage;
+      this.errorDetails = Object.values(state).flatMap((s) => s.errors);
+      // Render general error message instead of exact count from validate() because
+      // stanzas (which are validated as a single input) can have up to 2 errors each.
+      const msg = this.errorDetails.length > 1 ? 'are errors' : 'is an error';
+      this.errorMessage = `There ${msg} with this form.`;
       return;
     }
 
@@ -93,7 +108,7 @@ export default class CodeGeneratorPolicyFlyout extends Component<Args> {
           models: ['acl', this.policyName],
         },
       });
-      this.showFlyout = false;
+      this.closeFlyout();
       this.resetFlyoutState();
     } catch (e) {
       const { message } = yield this.api.parseError(e);
@@ -125,11 +140,11 @@ export default class CodeGeneratorPolicyFlyout extends Component<Args> {
   resetErrors() {
     this.validationErrors = null;
     this.errorMessage = '';
+    this.errorDetails = [];
   }
 
   resetFlyoutState() {
     this.policyName = '';
-    this.policyContent = '';
     this.stanzas = [new PolicyStanza()];
   }
 
diff --git a/ui/lib/core/addon/components/code-generator/policy/stanza.hbs b/ui/lib/core/addon/components/code-generator/policy/stanza.hbs
index 1d5ae86718..9414bdf0d8 100644
--- a/ui/lib/core/addon/components/code-generator/policy/stanza.hbs
+++ b/ui/lib/core/addon/components/code-generator/policy/stanza.hbs
@@ -12,7 +12,7 @@
 >
   <Hds::Layout::Flex @justify="space-between" class="has-bottom-margin-xs">
     <Hds::Text::Body @tag="p" @weight="semibold" @color="strong">
-      Rule
+      Path
     </Hds::Text::Body>
     <Hds::Form::Toggle::Field {{on "input" this.togglePreview}} data-test-toggle-input="preview" as |F|>
       <F.Label data-test-form-field-label="preview">{{if this.showPreview "Hide" "Show"}} preview</F.Label>
@@ -28,17 +28,23 @@
       data-test-field="preview"
     />
   {{else}}
-    <Hds::Layout::Flex @gap="8">
-      <Hds::Form::TextInput::Base
+    <Hds::Layout::Flex @align="start" @gap="8">
+      <Hds::Form::TextInput::Field
         @type="text"
         @value={{@stanza.path}}
+        @isInvalid={{and @renderValidations @stanza.invalidPath}}
         aria-label="Resource path"
         name="path-{{@index}}"
         {{on "input" this.setPath}}
         autocomplete="off"
         placeholder="Enter a resource path"
         data-test-input="path"
-      />
+        as |F|
+      >
+        {{#if (and @renderValidations @stanza.invalidPath)}}
+          <F.Error data-test-validation-error="path-{{@index}}">{{@stanza.invalidPath}}</F.Error>
+        {{/if}}
+      </Hds::Form::TextInput::Field>
       <Hds::Button
         @icon="trash"
         @isIconOnly={{true}}
@@ -49,12 +55,13 @@
       />
     </Hds::Layout::Flex>
 
-    <Hds::Form::Checkbox::Group @layout="horizontal" as |G|>
+    <Hds::Form::Checkbox::Group @layout="horizontal" @name="capabilities-{{@index}}" as |G|>
       <G.Legend class="has-top-padding-m">Capabilities</G.Legend>
       {{#each this.permissions as |capability|}}
         <G.CheckboxField
           checked={{this.hasCapability capability}}
           @value={{capability}}
+          @isInvalid={{and @renderValidations @stanza.invalidCapabilities}}
           {{on "input" this.setPermissions}}
           data-test-checkbox={{capability}}
           as |F|
@@ -62,6 +69,9 @@
           <F.Label data-test-form-field-label={{capability}}>{{capability}}</F.Label>
         </G.CheckboxField>
       {{/each}}
+      {{#if (and @renderValidations @stanza.invalidCapabilities)}}
+        <G.Error data-test-validation-error="capabilities-{{@index}}">{{@stanza.invalidCapabilities}}</G.Error>
+      {{/if}}
     </Hds::Form::Checkbox::Group>
   {{/if}}
 
diff --git a/ui/lib/core/addon/components/edit-form.js b/ui/lib/core/addon/components/edit-form.js
index ca53655f59..36ffe61570 100644
--- a/ui/lib/core/addon/components/edit-form.js
+++ b/ui/lib/core/addon/components/edit-form.js
@@ -85,11 +85,13 @@ export default Component.extend({
   ).drop(),
 
   willDestroy() {
-    // components are torn down after store is unloaded and will cause an error if attempt to unload record
-    const noTeardown = this.store && !this.store.isDestroying;
-    const { model } = this;
-    if (noTeardown && model && model.isDirty && !model.isDestroyed && !model.isDestroying) {
-      model.rollbackAttributes();
+    try {
+      const { model } = this;
+      if (model && model.isDirty && !model.isDestroyed && !model.isDestroying) {
+        model.rollbackAttributes();
+      }
+    } catch (e) {
+      // silent catch if component is torn down after store is unloaded
     }
     this._super(...arguments);
   },
diff --git a/ui/lib/core/addon/components/empty-state.hbs b/ui/lib/core/addon/components/empty-state.hbs
deleted file mode 100644
index 65589c2696..0000000000
--- a/ui/lib/core/addon/components/empty-state.hbs
+++ /dev/null
@@ -1,45 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<div data-test-component="empty-state" class="empty-state" ...attributes>
-  <div class="empty-state-content">
-    {{#if @icon}}
-      <div class="empty-state-icon">
-        <Icon @name={{@icon}} @size="24" />
-        <p class="empty-state-title" data-test-empty-state-title>
-          {{@title}}
-        </p>
-      </div>
-      {{#if @subTitle}}
-        <p class="empty-state-subTitle" data-test-empty-state-subtitle>
-          {{@subTitle}}
-        </p>
-      {{/if}}
-    {{else}}
-      <p class={{concat "empty-state-title" (if @subTitle " has-bottom-margin-m")}} data-test-empty-state-title>
-        {{@title}}
-      </p>
-      {{#if @subTitle}}
-        <p class="empty-state-subTitle" data-test-empty-state-subtitle>
-          {{@subTitle}}
-        </p>
-      {{/if}}
-    {{/if}}
-    {{#if @message}}
-      <p class={{concat "empty-state-message" (if @bottomBorder " has-border-bottom-light")}} data-test-empty-state-message>
-        {{@message}}
-      </p>
-    {{/if}}
-    {{#if (has-block)}}
-      <div class="empty-state-actions" data-test-empty-state-actions>
-        {{yield}}
-      </div>
-    {{else if @emptyActions}}
-      <div class="empty-state-actions" data-test-empty-state-actions>
-        {{component @emptyActions}}
-      </div>
-    {{/if}}
-  </div>
-</div>
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/certificate-card.hbs b/ui/lib/core/addon/components/encoded-data-card.hbs
similarity index 88%
rename from ui/lib/core/addon/components/certificate-card.hbs
rename to ui/lib/core/addon/components/encoded-data-card.hbs
index f9cfc87008..403844660e 100644
--- a/ui/lib/core/addon/components/certificate-card.hbs
+++ b/ui/lib/core/addon/components/encoded-data-card.hbs
@@ -10,11 +10,11 @@
   data-test-certificate-card
 >
   <span class="has-left-margin-s">
-    <Icon @name="certificate" @size="24" data-test-certificate-icon />
+    <Icon @name={{this.certDisplay.icon}} @size="24" />
   </span>
   <div class="has-left-margin-m is-min-width-0 is-flex-grow-1">
     <p class="has-text-weight-bold" data-test-certificate-label>
-      {{this.certLabel}}
+      {{this.certDisplay.label}}
     </p>
     <code class="is-size-8 truncate-second-line has-text-grey" data-test-certificate-value>
       {{@data}}
diff --git a/ui/lib/core/addon/components/encoded-data-card.ts b/ui/lib/core/addon/components/encoded-data-card.ts
new file mode 100644
index 0000000000..2b48d27b0d
--- /dev/null
+++ b/ui/lib/core/addon/components/encoded-data-card.ts
@@ -0,0 +1,63 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+
+/**
+ * @module EncodedDataCard
+ * The EncodedDataCard component renders truncated encoded data with a copy button.
+ * It detects if the format is PEM or optionally receives a boolean explicitly stating PEM.
+ * If @data is not already a string, it converts it into a copyable string.
+ *
+ * @example
+ *  <EncodedDataCard @isPem={{true}} @data="-----BEGIN CERTIFICATE-----MIIDezCCAmOgAwIBAgIUTBbQcZijQsmd0rjd6COikPsrGyowDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAxMJdGVzdC1yb290MB4XDTIzMDEyMDE3NTcxMloXDTIzMDIy" />
+ *
+ * @param {string|Array|object} data - the encoded data to be displayed in the component, such as PEM, DER, or a base64-encoded string
+ * @param {boolean} [isPem] - optional argument for if the data should be labeled as PEM format
+ */
+
+interface Args {
+  data?: string | string[] | Record<string, unknown> | unknown[];
+  isPem?: boolean;
+}
+
+export default class EncodedDataCardComponent extends Component<Args> {
+  get certDisplay(): { label: string; icon: string } {
+    if (!this.args.data) return { label: '', icon: 'transform-data' };
+
+    const value = Array.isArray(this.args.data) ? this.args.data[0] : this.args.data;
+    const hasPemHeader = typeof value === 'string' && value.substring(0, 11) === '-----BEGIN ';
+    if (hasPemHeader || this.args.isPem === true) {
+      return { label: 'PEM Format', icon: 'certificate' };
+    }
+
+    return { label: 'Encoded Data', icon: 'transform-data' };
+  }
+
+  get copyValue(): string {
+    const { data } = this.args;
+    if (!data) return '';
+
+    if (Array.isArray(data)) {
+      return data
+        .map((value) => {
+          if (typeof value === 'string') return value;
+          if (value && typeof value === 'object') return JSON.stringify(value);
+          return String(value);
+        })
+        .join('\n');
+    }
+
+    switch (typeof data) {
+      case 'string':
+        return data;
+      case 'object':
+        // unlikely for certificates but just in case
+        return JSON.stringify(data);
+      default:
+        return String(data);
+    }
+  }
+}
diff --git a/ui/lib/core/addon/components/form-field-groups.hbs b/ui/lib/core/addon/components/form-field-groups.hbs
index ce8072e437..d73b141834 100644
--- a/ui/lib/core/addon/components/form-field-groups.hbs
+++ b/ui/lib/core/addon/components/form-field-groups.hbs
@@ -19,7 +19,9 @@
               @onKeyUp={{@onKeyUp}}
               @modelValidations={{@modelValidations}}
               @showHelpText={{@showHelpText}}
-            />
+            >
+              {{yield attr}}
+            </FormField>
           {{else}}
             {{! OTHERWISE WE'RE EDITING }}
             {{#if (or (eq attr.name "name") (attr.options.editDisabled))}}
@@ -38,7 +40,9 @@
                 @onKeyUp={{@onKeyUp}}
                 @modelValidations={{@modelValidations}}
                 @showHelpText={{@showHelpText}}
-              />
+              >
+                {{yield attr}}
+              </FormField>
             {{/if}}
           {{/if}}
         {{/each}}
@@ -66,9 +70,7 @@
                   @modelValidations={{@modelValidations}}
                   @showHelpText={{@showHelpText}}
                 >
-                  {{#if (and (has-block "identityTokenKey") (eq attr.name "config.identity_token_key"))}}
-                    {{yield to="identityTokenKey"}}
-                  {{/if}}
+                  {{yield attr}}
                 </FormField>
               {{else}}
                 {{! OTHERWISE WE'RE EDITING }}
@@ -84,7 +86,9 @@
                     @onKeyUp={{@onKeyUp}}
                     @modelValidations={{@modelValidations}}
                     @showHelpText={{@showHelpText}}
-                  />
+                  >
+                    {{yield attr}}
+                  </FormField>
                 {{/if}}
               {{/if}}
             {{/each}}
diff --git a/ui/lib/core/addon/components/form-field.hbs b/ui/lib/core/addon/components/form-field.hbs
index 6da1151c46..fc496d7e82 100644
--- a/ui/lib/core/addon/components/form-field.hbs
+++ b/ui/lib/core/addon/components/form-field.hbs
@@ -93,6 +93,7 @@
           name={{@attr.name}}
           @id={{@attr.name}}
           @isInvalid={{this.validationError}}
+          disabled={{and @attr.options.editDisabled (not @model.isNew)}}
           {{on "change" this.onChangeWithEvent}}
           data-test-input={{@attr.name}}
           as |F|
@@ -116,11 +117,26 @@
                 Select one
               </option>
             {{/if}}
-            {{#each (path-or-array @attr.options.possibleValues @model) as |val|}}
-              <option selected={{loose-equal (get @model this.valuePath) (or val.value val)}} value={{or val.value val}}>
-                {{or val.displayName val}}
-              </option>
-            {{/each}}
+            {{#if (has-option-groups (path-or-array @attr.options.possibleValues @model))}}
+              {{#each (path-or-array @attr.options.possibleValues @model) as |groupData|}}
+                <optgroup label={{groupData.group}}>
+                  {{#each groupData.options as |val|}}
+                    <option
+                      selected={{loose-equal (get @model this.valuePath) (or val.value val)}}
+                      value={{or val.value val}}
+                    >
+                      {{or val.displayName val.value val}}
+                    </option>
+                  {{/each}}
+                </optgroup>
+              {{/each}}
+            {{else}}
+              {{#each (path-or-array @attr.options.possibleValues @model) as |val|}}
+                <option selected={{loose-equal (get @model this.valuePath) (or val.value val)}} value={{or val.value val}}>
+                  {{or val.displayName val.value val}}
+                </option>
+              {{/each}}
+            {{/if}}
           </F.Options>
           {{#if this.validationError}}
             <F.Error data-test-validation-error={{this.valuePath}}>{{this.validationError}}</F.Error>
diff --git a/ui/lib/core/addon/components/form-field.js b/ui/lib/core/addon/components/form-field.js
index 8f4e7ce037..3b32fe18b2 100644
--- a/ui/lib/core/addon/components/form-field.js
+++ b/ui/lib/core/addon/components/form-field.js
@@ -180,7 +180,7 @@ export default class FormFieldComponent extends Component {
   }
 
   get isReadOnly() {
-    const readonly = this.args.attr.options?.readOnly || false;
+    const readonly = this.args.attr.options?.readOnly || this.args.attr.options?.editDisabled || false;
     return readonly && this.args.mode === 'edit';
   }
 
diff --git a/ui/lib/core/addon/components/info-table-item-array.hbs b/ui/lib/core/addon/components/info-table-item-array.hbs
index 17514eb669..0f1c85dc2f 100644
--- a/ui/lib/core/addon/components/info-table-item-array.hbs
+++ b/ui/lib/core/addon/components/info-table-item-array.hbs
@@ -4,72 +4,65 @@
 }}
 
 {{! the class linked-block-item is needed for the read-more component }}
-<div data-test-info-table-item-array {{did-insert this.fetchOptions}} class="linked-block-item">
+<div data-test-info-table-item-array class="linked-block-item">
   {{#if @isLink}}
     <div data-test-row-value={{@label}}>
-      {{#if this.fetchComplete}}
-        <ReadMore>
-          {{#each this.displayArrayTruncated as |item|}}
-            {{#if (is-wildcard-string item)}}
-              {{#let (filter-wildcard item this.allOptions) as |wildcardCount|}}
-                <span>{{item}}</span>
-                {{#if (not-eq wildcardCount undefined)}}
-                  <Hds::Badge
-                    @text="includes {{pluralize wildcardCount this.wildcardLabel}}"
-                    data-test-count={{wildcardCount}}
-                  />
-                {{/if}}
-                {{#if (eq this.displayArrayTruncated.lastObject item)}}
-                  <LinkTo @route={{this.rootRoute}} @query={{hash tab=@queryParam}}>
-                    <span data-test-view-all={{lowercase @label}}>View all {{lowercase @label}}.</span>
-                  </LinkTo>
-                {{/if}}
-              {{/let}}
+      <ReadMore>
+        {{#each this.displayArrayTruncated as |item|}}
+          {{#if (is-wildcard-string item)}}
+            {{#let (filter-wildcard item @arrayOptions) as |wildcardCount|}}
+              <span data-test-item={{item}}>{{item}}</span>
+              {{#if (not-eq wildcardCount undefined)}}
+                <Hds::Badge
+                  @text="includes {{pluralize wildcardCount this.wildcardLabel}}"
+                  data-test-count={{wildcardCount}}
+                />
+              {{/if}}
+            {{/let}}
+          {{else}}
+            {{#if (is-array this.itemRoute)}}
+              <LinkTo
+                @route={{(get this.itemRoute "0")}}
+                @models={{array (get this.itemRoute "1") item (get this.itemRoute "2")}}
+              >
+                {{item}}
+              </LinkTo>
             {{else}}
-              {{#if (is-array this.itemRoute)}}
-                <LinkTo
-                  @route={{(get this.itemRoute "0")}}
-                  @models={{array (get this.itemRoute "1") item (get this.itemRoute "2")}}
-                >
-                  {{or (get this.itemNameById item) item}}
+              <LinkTo
+                @route={{this.itemRoute}}
+                @model={{if @queryParam (concat @queryParam "/" item) item}}
+                data-test-item={{item}}
+              >
+                <span>{{item}}</span>
+              </LinkTo>
+            {{/if}}
+          {{/if}}
+          {{#if (not-eq item this.displayArrayTruncated.lastObject)}}
+            ,&nbsp;
+          {{/if}}
+          {{#unless this.doNotTruncate}}
+            {{#if (and (eq item this.displayArrayTruncated.lastObject) (gte @displayArray.length 10))}}
+              {{! dec is a math helper that decrements by 5 the length of the array ex: 11-5 = "and 6 others."}}
+              <span data-test-and={{dec 5 @displayArray.length}}>
+                &nbsp;and
+                {{dec 5 @displayArray.length}}
+                others.&nbsp;
+              </span>
+            {{/if}}
+            {{#if (and (eq item this.displayArrayTruncated.lastObject) (gte @displayArray.length 10))}}
+              {{#if (is-array @rootRoute)}}
+                <LinkTo @route={{(get @rootRoute "0")}} @model={{(get @rootRoute "1")}}>
+                  <span data-test-view-all={{lowercase @label}}>View all {{lowercase @label}}.</span>
                 </LinkTo>
               {{else}}
-                <LinkTo
-                  @route={{this.itemRoute}}
-                  @model={{if @queryParam (concat @queryParam "/" item) item}}
-                  data-test-item={{item}}
-                >
-                  <span>{{or (get this.itemNameById item) item}}</span>
+                <LinkTo @route={{this.rootRoute}} @query={{hash tab=@queryParam}}>
+                  <span data-test-view-all={{lowercase @label}}>View all {{lowercase @label}}.</span>
                 </LinkTo>
               {{/if}}
             {{/if}}
-            {{#if (not-eq item this.displayArrayTruncated.lastObject)}}
-              ,&nbsp;
-            {{/if}}
-            {{#unless this.doNotTruncate}}
-              {{#if (and (eq item this.displayArrayTruncated.lastObject) (gte @displayArray.length 10))}}
-                {{! dec is a math helper that decrements by 5 the length of the array ex: 11-5 = "and 6 others."}}
-                <span data-test-and={{dec 5 @displayArray.length}}>
-                  &nbsp;and
-                  {{dec 5 @displayArray.length}}
-                  others.&nbsp;
-                </span>
-              {{/if}}
-              {{#if (and (eq item this.displayArrayTruncated.lastObject) (gte @displayArray.length 10))}}
-                {{#if (is-array @rootRoute)}}
-                  <LinkTo @route={{(get @rootRoute "0")}} @model={{(get @rootRoute "1")}}>
-                    <span data-test-view-all={{lowercase @label}}>View all {{lowercase @label}}.</span>
-                  </LinkTo>
-                {{else}}
-                  <LinkTo @route={{this.rootRoute}} @query={{hash tab=@queryParam}}>
-                    <span data-test-view-all={{lowercase @label}}>View all {{lowercase @label}}.</span>
-                  </LinkTo>
-                {{/if}}
-              {{/if}}
-            {{/unless}}
-          {{/each}}
-        </ReadMore>
-      {{/if}}
+          {{/unless}}
+        {{/each}}
+      </ReadMore>
     </div>
   {{else}}
     <code class="is-word-break has-text-black" data-test-row-value={{@label}}>
diff --git a/ui/lib/core/addon/components/info-table-item-array.js b/ui/lib/core/addon/components/info-table-item-array.js
index 6e3effbd21..02c3222075 100644
--- a/ui/lib/core/addon/components/info-table-item-array.js
+++ b/ui/lib/core/addon/components/info-table-item-array.js
@@ -5,17 +5,13 @@
 
 import Component from '@glimmer/component';
 import { assert } from '@ember/debug';
-import { action } from '@ember/object';
-import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
 
 /**
  * @module InfoTableItemArray
  * The `InfoTableItemArray` component handles arrays in the info-table-row component.
  * If an array has more than 10 items, then only 5 are displayed and a count of total items is displayed next to the five.
  * If a isLink is true than a link can be set for the use to click on the specific array item
- * If a wildcard is a potential variable in the string of an item, then you can use the modelType and wildcardLabel parameters to
- * return a wildcard count similar to what is done in the searchSelect component.
+ * Wildcard items are rendered as the raw string passed through the display array.
  *
  * @example
  * <InfoTableItemArray @label="Roles" @displayArray={{array "test-1" "test-2" "test-3"}}  />
@@ -25,18 +21,12 @@ import { tracked } from '@glimmer/tracking';
  * @param {boolean} [isLink]  - Indicates if the item should contain a link-to component.  Only setup for arrays, but this could be changed if needed.
  * @param {string | array} [rootRoute=vault.cluster.secrets.backend.list-root] -  Tells what route the link should go to when selecting "view all". If the route requires more than one dynamic param, insert an array.
  * @param {string | array} [itemRoute=vault.cluster.secrets.backend.show] - Tells what route the link should go to when selecting the individual item. If the route requires more than one dynamic param, insert an array.
- * @param {string} [modelType]  - Tells which model you want to query and set allOptions.  Used in conjunction with the the isLink.
- * @param {string} [wildcardLabel]  - when you want the component to return a count on the model for options returned when using a wildcard you must provide a label of the count e.g. role.  Should be singular.
+ * @param {array} [arrayOptions] - Optional array of preloaded item names used to count wildcard matches.
+ * @param {string} [wildcardLabel] - Singular label used when rendering a wildcard match count badge.
  * @param {string} [backend] - To specify which backend to point the link to.
  * @param {boolean} [doNotTruncate=false] - Determines whether to show the View all "roles" link. Otherwise uses the ReadMore component's "See More" toggle
- * @param {boolean} [renderItemName=false] - If true renders the item name instead of its id
  */
 export default class InfoTableItemArray extends Component {
-  @service store;
-  @tracked allOptions = null;
-  @tracked itemNameById; // object is only created if renderItemName=true
-  @tracked fetchComplete = false;
-
   constructor() {
     super(...arguments);
     assert('@label is required for InfoTableItemArray components', this.args.label);
@@ -67,27 +57,4 @@ export default class InfoTableItemArray extends Component {
   get wildcardLabel() {
     return this.args.wildcardLabel || '';
   }
-
-  @action async fetchOptions() {
-    if (this.args.isLink && this.args.modelType) {
-      const queryOptions = this.args.backend ? { backend: this.args.backend } : {};
-
-      const modelRecords = await this.store.query(this.args.modelType, queryOptions).catch((err) => {
-        if (err.httpStatus === 404) {
-          return [];
-        } else {
-          return null;
-        }
-      });
-
-      this.allOptions = modelRecords ? modelRecords.map((record) => record.id) : null;
-      if (this.args.renderItemName && modelRecords) {
-        modelRecords.forEach(({ id, name }) => {
-          // create key/value pair { item-id: item-name } for each record
-          this.itemNameById = { ...this.itemNameById, [id]: name };
-        });
-      }
-    }
-    this.fetchComplete = true;
-  }
 }
diff --git a/ui/lib/core/addon/components/info-table-row.hbs b/ui/lib/core/addon/components/info-table-row.hbs
index 8f4574af66..d1cca07a53 100644
--- a/ui/lib/core/addon/components/info-table-row.hbs
+++ b/ui/lib/core/addon/components/info-table-row.hbs
@@ -71,13 +71,12 @@
             @backend={{@backend}}
             @displayArray={{@value}}
             @isLink={{@isLink}}
-            @modelType={{@modelType}}
+            @arrayOptions={{@arrayOptions}}
             @queryParam={{@queryParam}}
             @wildcardLabel={{@wildcardLabel}}
             @rootRoute={{@rootRoute}}
             @itemRoute={{@itemRoute}}
             @doNotTruncate={{@doNotTruncate}}
-            @renderItemName={{@renderItemName}}
           />
         {{else}}
           {{#if @tooltipText}}
diff --git a/ui/lib/core/addon/components/info-table-row.js b/ui/lib/core/addon/components/info-table-row.js
index a16cc1f792..f17313d8e9 100644
--- a/ui/lib/core/addon/components/info-table-row.js
+++ b/ui/lib/core/addon/components/info-table-row.js
@@ -28,10 +28,13 @@ import { action } from '@ember/object';
  * @param {string} [type=array] - The type of value being passed in.  This is used for when you want to trim an array.  For example, if you have an array value that can equal length 15+ this will trim to show 5 and count how many more are there
  *
  * @param {boolean} [isLink=true] - Passed through to InfoTableItemArray. Indicates if the item should contain a link-to component.  Only setup for arrays, but this could be changed if needed.
- * @param {string} [modelType=null] - Passed through to InfoTableItemArray. Tells what model you want data for the allOptions to be returned from.  Used in conjunction with the the isLink.
  * @param {string} [queryParam] - Passed through to InfoTableItemArray. If you want to specific a tab for the View All XX to display to.  Ex= role
+ * @param {array} [arrayOptions] - Passed through to InfoTableItemArray for wildcard match counts.
+ * @param {string} [wildcardLabel] - Passed through to InfoTableItemArray for wildcard badge text.
  * @param {string} [backend] - Passed through to InfoTableItemArray. To specify secrets backend to point link to  Ex= transformation
- * @param {string} [viewAll] - Passed through to InfoTableItemArray. Specify the word at the end of the link View all.
+ * @param {string | array} [rootRoute] - Passed through to InfoTableItemArray for the View all link target.
+ * @param {string | array} [itemRoute] - Passed through to InfoTableItemArray for individual array item links.
+ * @param {boolean} [doNotTruncate=false] - Passed through to InfoTableItemArray to disable truncation and use ReadMore instead.
  */
 
 export default class InfoTableRowComponent extends Component {
diff --git a/ui/lib/core/addon/components/input-search.hbs b/ui/lib/core/addon/components/input-search.hbs
index abf60f2e49..5326c63ded 100644
--- a/ui/lib/core/addon/components/input-search.hbs
+++ b/ui/lib/core/addon/components/input-search.hbs
@@ -15,7 +15,7 @@
     as |F|
   >
     {{#if @label}}
-      <F.Label>{{@label}}</F.Label>
+      <F.Label data-test-form-label={{@label}}>{{@label}}</F.Label>
     {{/if}}
     {{#if @subText}}
       <F.HelperText>{{@subText}}</F.HelperText>
diff --git a/ui/lib/core/addon/components/json-editor.hbs b/ui/lib/core/addon/components/json-editor.hbs
index 2bf38c3269..d55fdaa8c9 100644
--- a/ui/lib/core/addon/components/json-editor.hbs
+++ b/ui/lib/core/addon/components/json-editor.hbs
@@ -20,6 +20,7 @@
   {{else}}
     <Hds::CodeEditor
       @ariaLabel={{this.ariaLabel}}
+      @cspNonce={{this.cspNonce}}
       @extraKeys={{@extraKeys}}
       @hasCopyButton={{true}}
       @hasFullScreenButton={{@hasFullScreenButton}}
diff --git a/ui/lib/core/addon/components/json-editor.js b/ui/lib/core/addon/components/json-editor.js
index 74e9788690..0e3a5b433b 100644
--- a/ui/lib/core/addon/components/json-editor.js
+++ b/ui/lib/core/addon/components/json-editor.js
@@ -50,6 +50,12 @@ export default class JsonEditorComponent extends Component {
     return this.args.title ?? 'JSON Editor';
   }
 
+  get cspNonce() {
+    // Read the CSP nonce from the meta tag injected by the server
+    const metaTag = document.querySelector('meta[name="csp-nonce"]');
+    return metaTag ? metaTag.getAttribute('content') : null;
+  }
+
   @action
   onSetup(editor) {
     this._codemirrorEditor = editor;
diff --git a/ui/lib/core/addon/components/kv-suggestion-input.ts b/ui/lib/core/addon/components/kv-suggestion-input.ts
index 44ddcb35ea..bd325434af 100644
--- a/ui/lib/core/addon/components/kv-suggestion-input.ts
+++ b/ui/lib/core/addon/components/kv-suggestion-input.ts
@@ -10,7 +10,7 @@ import { action } from '@ember/object';
 import { guidFor } from '@ember/object/internals';
 import { run } from '@ember/runloop';
 import { keyIsFolder, parentKeyForKey, keyWithoutParentKey } from 'core/utils/key-utils';
-import { KvV2ListListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiKvV2ListListEnum } from '@hashicorp/vault-client-typescript';
 
 import type ApiService from 'vault/services/api';
 
@@ -78,7 +78,11 @@ export default class KvSuggestionInputComponent extends Component<Args> {
       // This request can either list secrets at the mount root or for a specified :secret_path.
       // Since :secret_path already contains a trailing slash, e.g. /metadata/my-secret//
       // the request URL is sanitized by the api service to remove duplicate slashes.
-      const { keys } = await this.api.secrets.kvV2List(this.pathToSecret, backend, KvV2ListListEnum.TRUE);
+      const { keys } = await this.api.secrets.kvV2List(
+        this.pathToSecret,
+        backend,
+        SecretsApiKvV2ListListEnum.TRUE
+      );
       // this will be used to filter the existing result set when the search term changes within the same path
       this._cachedSecrets = keys || [];
       return this._cachedSecrets;
diff --git a/ui/lib/core/addon/components/linked-block.js b/ui/lib/core/addon/components/linked-block.js
deleted file mode 100644
index 4d6b0e4542..0000000000
--- a/ui/lib/core/addon/components/linked-block.js
+++ /dev/null
@@ -1,65 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { action } from '@ember/object';
-import { encodePath } from 'vault/utils/path-encoding-helpers';
-import routerLookup from 'core/utils/router-lookup';
-
-/**
- * @module LinkedBlock
- * LinkedBlock components are linkable divs that yield any content nested within them. They are often used in list views such as when listing the secret engines.
- *
- * @example
- * <LinkedBlock @params={{array "vault.cluster.secrets.backend.show" "my-secret-path"}} class="list-item-row" >
- * My wrapped content
- * </LinkedBlock>
- *
- *
- * @param {Array} params=null - These are values sent to the router's transitionTo method.  First item is route, second is the optional path.
- * @param {Object} [queryParams=null] - queryParams can be passed via this property. It needs to be an object.
- * @param {String} [linkPrefix=null] - Overwrite the params with custom route.  Needed for use in engines (KMIP and PKI). ex: vault.cluster.secrets.backend.kmip
- * @param {Boolean} [encode=false] - Encode the path.
- * @param {boolean} [disabled] - disable the link -- prevents on click and removes linked-block hover styling
- */
-
-export default class LinkedBlockComponent extends Component {
-  get router() {
-    return routerLookup(this);
-  }
-
-  @action
-  onClick(event) {
-    if (!this.args.disabled) {
-      const $target = event.target;
-      const isAnchorOrButton =
-        $target.tagName === 'A' ||
-        $target.tagName === 'BUTTON' ||
-        $target.closest('button') ||
-        $target.closest('a');
-      if (!isAnchorOrButton) {
-        let params = this.args.params;
-        if (this.args.encode) {
-          params = params.map((param, index) => {
-            if (index === 0 || typeof param !== 'string') {
-              return param;
-            }
-            return encodePath(param);
-          });
-        }
-        const queryParams = this.args.queryParams;
-        if (queryParams) {
-          params.push({ queryParams });
-        }
-        if (this.args.linkPrefix) {
-          let targetRoute = this.args.params[0];
-          targetRoute = `${this.args.linkPrefix}.${targetRoute}`;
-          this.args.params[0] = targetRoute;
-        }
-        this.router.transitionTo(...params);
-      }
-    }
-  }
-}
diff --git a/ui/lib/core/addon/components/linked-block.ts b/ui/lib/core/addon/components/linked-block.ts
new file mode 100644
index 0000000000..5c5dbf81b0
--- /dev/null
+++ b/ui/lib/core/addon/components/linked-block.ts
@@ -0,0 +1,87 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+import routerLookup from 'core/utils/router-lookup';
+
+import type RouterService from '@ember/routing/router-service';
+
+type TransitionArgs = [string, ...unknown[]];
+
+interface Args {
+  params: TransitionArgs;
+  queryParams?: Record<string, unknown>;
+  linkPrefix?: string;
+  encode?: boolean;
+  disabled?: boolean;
+}
+
+/**
+ * @module LinkedBlock
+ * LinkedBlock components are linkable divs that yield any content nested within them. They are often used in list views such as when listing the secret engines.
+ *
+ * @example
+ * <LinkedBlock @params={{array "vault.cluster.secrets.backend.show" "my-secret-path"}} class="list-item-row" >
+ * My wrapped content
+ * </LinkedBlock>
+ *
+ *
+ * @param {Array} params=null - These are values sent to the router's transitionTo method.  First item is route, second is the optional path.
+ * @param {Object} [queryParams=null] - queryParams can be passed via this property. It needs to be an object.
+ * @param {String} [linkPrefix=null] - Overwrite the params with custom route.  Needed for use in engines (KMIP and PKI). ex: vault.cluster.secrets.backend.kmip
+ * @param {Boolean} [encode=false] - Encode the path.
+ * @param {boolean} [disabled] - disable the link -- prevents on click and removes linked-block hover styling
+ */
+
+export default class LinkedBlockComponent extends Component<Args> {
+  get router(): RouterService {
+    return routerLookup(this);
+  }
+
+  @action
+  onClick(event: MouseEvent): void {
+    if (this.args.disabled) {
+      return;
+    }
+
+    const target = event.target;
+    if (!(target instanceof Element)) {
+      return;
+    }
+
+    const isAnchorOrButton =
+      target.tagName === 'A' ||
+      target.tagName === 'BUTTON' ||
+      !!target.closest('button') ||
+      !!target.closest('a');
+    if (isAnchorOrButton) {
+      return;
+    }
+
+    let params = [...this.args.params] as TransitionArgs;
+    if (this.args.encode) {
+      params = params.map((param, index) => {
+        if (index === 0 || typeof param !== 'string') {
+          return param;
+        }
+        return encodePath(param);
+      }) as TransitionArgs;
+    }
+
+    const queryParams = this.args.queryParams;
+    if (queryParams) {
+      params.push({ queryParams });
+    }
+
+    if (this.args.linkPrefix) {
+      const [targetRoute, ...rest] = params;
+      params = [`${this.args.linkPrefix}.${targetRoute}`, ...rest] as TransitionArgs;
+    }
+
+    this.router.transitionTo(...params);
+  }
+}
diff --git a/ui/lib/core/addon/components/list-table.hbs b/ui/lib/core/addon/components/list-table.hbs
index 2b8ad804bb..bb9532cac5 100644
--- a/ui/lib/core/addon/components/list-table.hbs
+++ b/ui/lib/core/addon/components/list-table.hbs
@@ -2,39 +2,40 @@
   Copyright IBM Corp. 2016, 2025
   SPDX-License-Identifier: BUSL-1.1
 }}
-{{#if (has-block "selectedItems")}}
-  {{yield to="selectedItems"}}
-{{/if}}
+
 <Hds::AdvancedTable
   @model={{this.paginatedTableData}}
   @columns={{@columns}}
-  @isSelectable={{if @selectionKey true false}}
-  class="has-bottom-margin-s"
+  @isSelectable={{if @selectionKeyField true false}}
+  @hasResizableColumns={{true}}
   @onSelectionChange={{@onSelectionChange}}
+  class="has-bottom-margin-s"
   {{did-update this.resetPagination @data}}
 >
   <:body as |B|>
     <B.Tr
-      @selectionKey={{get B.data @selectionKey}}
-      @selectionAriaLabelSuffix="row {{B.data.path}}"
-      data-test-table-row={{get B.data @selectionKey}}
+      {{! Pass value of selectionKeyField because it should be the unique identifier for that object }}
+      @selectionKey={{this.identifier B.data}}
+      @selectionAriaLabelSuffix="row {{this.identifier B.data}}"
+      data-test-table-row={{B.rowIndex}}
+      data-test-list-item={{this.identifier B.data}}
     >
-      {{#each this.columnKeys as |key index|}}
-        {{#if (and (eq key "popupMenu") (has-block "popupMenu"))}}
+      {{#each @columns as |column|}}
+        {{#if (and (eq column.key "popupMenu") (has-block "popupMenu"))}}
           <B.Td data-test-table-data="popupMenu">
             {{yield B.data to="popupMenu"}}
           </B.Td>
         {{else}}
-          {{#let (get B.data key) as |value|}}
-            <B.Td data-test-table-data={{key}} class="is-inline text-overflow-ellipsis">
-              {{#if (get (get @columns index) "customTableItem")}}
-                {{yield B.data to="customTableItem"}}
-              {{else}}
+          <B.Td data-test-table-data={{column.key}} class="is-inline text-overflow-ellipsis">
+            {{#if column.customTableItem}}
+              {{yield B.data to="customTableItem"}}
+            {{else}}
+              {{#let (get B.data column.key) as |value|}}
                 {{! stringify value if it is an array or object, otherwise render directly }}
                 {{if (this.isObject value) (stringify value) value}}
-              {{/if}}
-            </B.Td>
-          {{/let}}
+              {{/let}}
+            {{/if}}
+          </B.Td>
         {{/if}}
       {{/each}}
     </B.Tr>
diff --git a/ui/lib/core/addon/components/list-table.ts b/ui/lib/core/addon/components/list-table.ts
index 32994e9869..ea8b41b293 100644
--- a/ui/lib/core/addon/components/list-table.ts
+++ b/ui/lib/core/addon/components/list-table.ts
@@ -11,27 +11,20 @@ import { paginate } from 'core/utils/paginate-list';
 
 /**
  * @module ListTable
- * `ListTable` component is used for rendering a list of items in a table.
+ * `ListTable` renders paginated table rows with optional row selection.
  *
  * @example
  * <ListTable
  *   @columns={{this.tableColumns}}
  *   @data={{this.data}}
- *   @isSelectable={{true}}
+ *   @selectionKeyField="path"
  *   @onSelectionChange={{this.updateSelectedItems}}
  * >
  *
- * @param {array} columns - An array of type TableColumn, for populating table headers and any optional functionality (ie. isSortable...)
- * @param {array} data - An array of data to display corresponding to columns. (ie. the key from a column corresponds to the parameter value of the data object your passing in)
- * @param {string} [selectionKey] - string of desired param value to be used as a unique identifier for a selected row - setting this arg automatically sets 'isSelectable' on the table to make rows selectable
- * @param {function} [onSelectionChange] - Provided function for handling when rows are selected
- *
- * For custom column items that are not 1 to 1 with their dataset (ie. these items have conditional icons, colors, generated text etc)
- * within the column type, the 'customTableItem' flag will allow the parent component to {{yield}} any custom implementation from the parent for those items
- * but the yield block in the parent must be 'customTableItem'.
- *
- * similarly, if 'isSelectable' is true and 'onSelectionChange' is being handled
- * For displaying new content based on what's selected, the parent component can also pass in a yield block 'selectedItems'
+ * @param {TableColumn[]} columns - Used to populate table headers and specify column display options or functionality (e.g. `isSortable`). See the `columns` in the component API for available HDS parameters @see https://helios.hashicorp.design/components/table/advanced-table?tab=code#advancedtable
+ * @param {object[]} data - An array of data to display corresponding to columns. (ie. the key from a column corresponds to the parameter value of the data object your passing in)
+ * @param {string} [selectionKeyField] - string of desired param to be use as a unique identifier for a selected row, if provided 'isSelectable' is set to "true" and table rows are selectable
+ * @param {OnSelectionChange} [onSelectionChange] - Provided function for handling when rows are selected
  *
  * If there's an 'Action' column (ie. possibly for manipulating data rows, or navigating to a page per that row data, etc)
  * The parent component must specify the key as 'popupMenu' for that column and pass in a yield block 'popupMenu' for it to render per each item under the 'action' column.
@@ -41,23 +34,47 @@ import { paginate } from 'core/utils/paginate-list';
 interface TableColumn {
   key: string;
   label: string;
-  selectionKey?: string;
-  customTableItem?: boolean;
-  onSelectionChange?: CallableFunction;
+  customTableItem?: boolean; // when true, the parent yields a custom display for that column
 }
 
+interface SelectableRowState {
+  selectionKey: string; // value of selected item
+  isSelected: boolean;
+}
+
+interface OnSelectionArgs {
+  selectionKey: string;
+  selectionCheckboxElement: HTMLInputElement;
+  selectedRowsKeys: string[];
+  selectableRowsStates: SelectableRowState[];
+}
+
+type OnSelectionChange = (callbackArgs: OnSelectionArgs) => void;
+
 interface Args {
   data: Array<object>;
   columns: TableColumn[];
+  selectionKeyField?: string;
+  page?: number; // optional page number to set current page, needed to keep pagination sync with url query param
+  pageSize?: number; // optional page size, needed to keep pagination sync with url query param & keep page size
+  onSelectionChange?: OnSelectionChange;
+  onPageChange?: CallableFunction;
+  onPageSizeChange?: CallableFunction;
 }
 
 export default class ListTable extends Component<Args> {
-  @tracked currentPage = 1;
-  @tracked pageSize = 10;
-
+  @tracked currentPage;
+  @tracked pageSize;
   //  WORKAROUND to manually re-render Hds::Pagination::Numbered to force update @currentPage
   @tracked renderPagination = true;
 
+  constructor(owner: unknown, args: Args) {
+    super(owner, args);
+
+    this.currentPage = args.page || 1;
+    this.pageSize = args.pageSize || 10;
+  }
+
   get paginatedTableData() {
     const paginated = paginate(this.args.data, {
       page: this.currentPage,
@@ -66,13 +83,19 @@ export default class ListTable extends Component<Args> {
     return paginated;
   }
 
-  get columnKeys() {
-    return this.args.columns.map((k: TableColumn) => k['key'] ?? k['label']);
-  }
-
   @action
-  handlePaginationChange(action: 'currentPage' | 'pageSize', value: number) {
+  async handlePaginationChange(action: 'currentPage' | 'pageSize', value: number) {
+    if (action === 'pageSize') {
+      await this.resetPagination();
+      // external callback to handle page size changes and bubble up to parent component
+      this.args.onPageSizeChange?.(value);
+    }
     this[action] = value;
+
+    // external callback to handle current page changes and bubble up to parent component
+    if (action === 'currentPage') {
+      this.args.onPageChange?.(value);
+    }
   }
 
   @action
@@ -84,4 +107,14 @@ export default class ListTable extends Component<Args> {
       this.renderPagination = true;
     });
   }
+
+  // TEMPLATE HELPERS
+  isObject = (value: unknown) => typeof value === 'object' && value !== null;
+
+  identifier = (cellData: Record<string, unknown>) => {
+    const firstColumn = this.args.columns[0]?.key;
+    // Use selectionKeyField if provided, otherwise default to value of the first column
+    const identifier = this.args.selectionKeyField || firstColumn;
+    return identifier ? cellData[identifier] : null;
+  };
 }
diff --git a/ui/lib/core/addon/components/list-view.hbs b/ui/lib/core/addon/components/list-view.hbs
index a41d9a87e2..258bc8f01b 100644
--- a/ui/lib/core/addon/components/list-view.hbs
+++ b/ui/lib/core/addon/components/list-view.hbs
@@ -23,5 +23,5 @@
     {{/if}}
   </div>
 {{else}}
-  {{yield (hash empty=(component "empty-state" title=this.emptyTitle message=this.emptyMessage))}}
+  {{yield (hash empty=(component "hds/application-state") emptyTitle=this.emptyTitle emptyMessage=this.emptyMessage)}}
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/list-view.js b/ui/lib/core/addon/components/list-view.js
index 470180642b..83fb2b9be6 100644
--- a/ui/lib/core/addon/components/list-view.js
+++ b/ui/lib/core/addon/components/list-view.js
@@ -14,7 +14,10 @@ import { pluralize } from 'ember-inflector';
  * @example
  * <ListView @items={{hash meta=(hash currentPage=1 total=1 pageSize=1)}} @itemNoun="role" @paginationRouteName="vault" as |list|>
  *   {{#if list.empty}}
- *     <list.empty @title="No roles here" />
+ *     <list.empty data-test-list-view-empty-state as |A|>
+ *       <A.Header @title={{list.emptyTitle}} @titleTag="h2" />
+ *       <A.Body @text={{list.emptyMessage}} />
+ *     </list.empty>
  *   {{else}}
  *     <div>
  *       my item
@@ -28,7 +31,8 @@ import { pluralize } from 'ember-inflector';
  * @param {string} [paginationRouteName] - The link used in the ListPagination component.
  * @yields {object} Yields the current item in the loop.
  * @yields If there are no objects in items, then `empty` will be yielded - this is an instance of
- * the EmptyState component.
+ * `Hds::ApplicationState`.
+ * @yields `emptyTitle` and `emptyMessage` are yielded for convenience when rendering the `empty` block.
  * @yields If `item` or `empty` isn't present on the object, the component can still yield a block - this is
  * useful for showing states where there are items but there may be a filter applied that returns an
  * empty set.
diff --git a/ui/lib/core/addon/components/manage-dropdown.hbs b/ui/lib/core/addon/components/manage-dropdown.hbs
new file mode 100644
index 0000000000..9f4a154209
--- /dev/null
+++ b/ui/lib/core/addon/components/manage-dropdown.hbs
@@ -0,0 +1,46 @@
+{{!
+  Copyright IBM Corp. 2016, 2025
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Hds::Dropdown as |D|>
+  {{#if this.isIcon}}
+    <D.ToggleIcon
+      @icon="more-horizontal"
+      @text="{{if @model.isSupportedBackend 'supported' 'unsupported'}} secrets engine menu"
+      @hasChevron={{false}}
+      data-test-popup-menu-trigger
+    />
+  {{else}}
+    <D.ToggleButton @text="Manage" @color="secondary" data-test-dropdown="Manage" />
+  {{/if}}
+
+  {{! Yield point for engine-specific custom menu items (e.g., KV's Generate policy) }}
+  {{yield D}}
+
+  <D.Interactive
+    @icon="settings"
+    @route={{@configRoute}}
+    @model={{this.configureRouteModel}}
+    data-test-popup-menu="Configure"
+  >Configure</D.Interactive>
+
+  {{#if this.shouldShowDelete}}
+    <D.Interactive
+      {{on "click" (fn this.handleDeleteClick @model)}}
+      @color="critical"
+      @icon="trash"
+      data-test-popup-menu="Delete"
+    >Delete</D.Interactive>
+  {{/if}}
+</Hds::Dropdown>
+
+{{#if this.engineToDisable}}
+  <ConfirmModal
+    @color="critical"
+    @confirmMessage="Any data in this engine will be permanently deleted."
+    @confirmTitle="Disable engine?"
+    @onClose={{this.handleModalClose}}
+    @onConfirm={{this.handleModalConfirm}}
+  />
+{{/if}}
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/manage-dropdown.ts b/ui/lib/core/addon/components/manage-dropdown.ts
new file mode 100644
index 0000000000..d628998e9c
--- /dev/null
+++ b/ui/lib/core/addon/components/manage-dropdown.ts
@@ -0,0 +1,114 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { action } from '@ember/object';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
+import routerLookup from 'core/utils/router-lookup';
+
+import type RouterService from '@ember/routing/router-service';
+import type SecretsEngineResource from 'vault/resources/secrets/engine';
+import type ApiService from 'vault/services/api';
+import type FlashMessageService from 'vault/services/flash-messages';
+
+/**
+ * @module ManageDropdown
+ * Reusable component for displaying the Manage dropdown used in secret engine headers & secret engine mount list.
+ *
+ * @example
+ * In main app page headers and list components — uses the resource getter for the full absolute route
+ * <ManageDropdown
+ *   @model={{this.backendModel}}
+ *   @configRoute={{this.backendConfigurationLink}}
+ * />
+ *
+ * In Ember engine templates (pki, kubernetes, ldap, kmip, kv) — pass the short relative route,
+ * since HDS @route resolves relative to the engine's router mount
+ * <ManageDropdown
+ *   @model={{@model}}
+ *   @configRoute="configuration"
+ * />
+ *
+ * With custom menu items (like KV's Generate policy) — icon variant in a Ember engine list
+ * <ManageDropdown
+ *   @model={{@backendModel}}
+ *   @configRoute="configuration"
+ *   as |D|
+ * >
+ *   <D.Interactive @icon="shield-check" {{on "click" openFlyout}}>Generate policy</D.Interactive>
+ * </ManageDropdown>
+ *
+ * @param {SecretsEngineResource} model - The secrets engine resource containing the engine details
+ * @param {string} configRoute - Route for the Configure action.
+ * @param {string} variant - Set to "icon" for "..." icon button, otherwise shows "Manage" text button (default)
+ */
+
+interface Args {
+  model: SecretsEngineResource;
+  configRoute: string;
+  variant?: 'icon';
+}
+
+export default class ManageDropdown extends Component<Args> {
+  @service declare readonly api: ApiService;
+  @service declare readonly flashMessages: FlashMessageService;
+
+  @tracked engineToDisable: SecretsEngineResource | undefined = undefined;
+
+  get router(): RouterService {
+    return routerLookup(this);
+  }
+
+  get isIcon() {
+    return this.args.variant === 'icon';
+  }
+
+  get configureRouteModel() {
+    return this.args.model.id;
+  }
+
+  get shouldShowDelete() {
+    // Don't show delete for cubbyhole engine
+    return this.args.model.type !== 'cubbyhole';
+  }
+
+  transitionOrRefresh() {
+    const { currentRouteName } = this.router;
+    // Call refresh() when currently on the route so data properly refreshes even when in a namespace.
+    const method = currentRouteName === 'vault.cluster.secrets.backends' ? 'refresh' : 'transitionTo';
+    this.router[method]('vault.cluster.secrets.backends');
+  }
+
+  @action
+  handleDeleteClick(engine: SecretsEngineResource) {
+    this.engineToDisable = engine;
+  }
+
+  @action
+  handleModalClose() {
+    this.engineToDisable = undefined;
+  }
+
+  @action
+  async handleModalConfirm() {
+    if (this.engineToDisable) {
+      const { engineType, id, path } = this.engineToDisable;
+
+      try {
+        await this.api.sys.mountsDisableSecretsEngine(id);
+        this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
+        this.transitionOrRefresh();
+      } catch (error) {
+        const { message } = await this.api.parseError(error);
+        this.flashMessages.danger(
+          `There was an error disabling the ${engineType} Secrets Engine at ${path}: ${message}.`
+        );
+      } finally {
+        this.engineToDisable = undefined;
+      }
+    }
+  }
+}
diff --git a/ui/lib/core/addon/components/message-error.hbs b/ui/lib/core/addon/components/message-error.hbs
index 485e4ae214..85bac3a8db 100644
--- a/ui/lib/core/addon/components/message-error.hbs
+++ b/ui/lib/core/addon/components/message-error.hbs
@@ -39,7 +39,19 @@
       as |A|
     >
       <A.Title>Error</A.Title>
-      <A.Description data-test-message-error-description>{{error}}</A.Description>
+      <A.Description data-test-message-error-description>
+        {{error}}
+
+        {{#if @errorDetails}}
+          <ul class="bullet">
+            {{#each @errorDetails as |detail|}}
+              <li>
+                {{detail}}
+              </li>
+            {{/each}}
+          </ul>
+        {{/if}}
+      </A.Description>
     </Hds::Alert>
   {{/each}}
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/message-error.js b/ui/lib/core/addon/components/message-error.js
index 9f6463b248..ae402c7b71 100644
--- a/ui/lib/core/addon/components/message-error.js
+++ b/ui/lib/core/addon/components/message-error.js
@@ -16,6 +16,7 @@ import Component from '@glimmer/component';
  * @param {object} [model=null] - An Ember data model that will be used to bind error states to the internal `errors` property.
  * @param {array} [errors=null] - An array of error strings to show.
  * @param {string} [errorMessage=null] - An Error string to display.
+ * @param {array} [errorDetails=null] - Renders a list of errors when error is not from the API. Helpful for rendering a list of client-side validation errors.
  */
 
 export default class MessageError extends Component {
diff --git a/ui/lib/core/addon/components/page/error.hbs b/ui/lib/core/addon/components/page/error.hbs
index 8ad827506f..cb223e1000 100644
--- a/ui/lib/core/addon/components/page/error.hbs
+++ b/ui/lib/core/addon/components/page/error.hbs
@@ -7,7 +7,7 @@
   {{! Full page errors should be vertically and horizontally centered on the page with text @align="center" }}
   {{! Otherwise text alignment should be "left" and top-padding: 32px }}
   <Hds::ApplicationState
-    class={{if @isFullPage "align-self-center" "top-padding-32"}}
+    class={{if @isFullPage "align-self-center" "top-padding-32 is-marginless"}}
     @align={{if @isFullPage "center" "left"}}
     as |AppState|
   >
diff --git a/ui/lib/core/addon/components/page/header.hbs b/ui/lib/core/addon/components/page/header.hbs
index 1f9621c41b..3ccd23c13f 100644
--- a/ui/lib/core/addon/components/page/header.hbs
+++ b/ui/lib/core/addon/components/page/header.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<Hds::PageHeader class="page-header" as |PH|>
+<Hds::PageHeader class="page-header bottom-margin-8" ...attributes as |PH|>
   <PH.Title>{{@title}}</PH.Title>
   {{#if (has-block "breadcrumbs")}}
     <PH.Breadcrumb>
diff --git a/ui/lib/core/addon/components/policy-example.hbs b/ui/lib/core/addon/components/policy-example.hbs
index 5db5fba2cc..39227d9919 100644
--- a/ui/lib/core/addon/components/policy-example.hbs
+++ b/ui/lib/core/addon/components/policy-example.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<div class="has-bottom-margin-s">
+<div class="has-bottom-margin-s" data-test-policy-example>
   {{#if (eq @policyType "acl")}}
     <p data-test-example-modal-text="acl">
       <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/tutorials/get-started/introduction-policies"}}>ACL
diff --git a/ui/lib/core/addon/components/replication-page.js b/ui/lib/core/addon/components/replication-page.js
index 0554abd409..5bdfab89f3 100644
--- a/ui/lib/core/addon/components/replication-page.js
+++ b/ui/lib/core/addon/components/replication-page.js
@@ -28,7 +28,8 @@ const MODE = {
 };
 
 export default class ReplicationPage extends Component {
-  @service store;
+  @service api;
+
   @tracked reindexingDetails = null;
 
   // This component renders both within and outside the replication engine so we have to dynamically look up the router
@@ -44,8 +45,8 @@ export default class ReplicationPage extends Component {
 
   @task
   @waitFor
-  *getReplicationModeStatus(replicationMode) {
-    let resp;
+  *getReplicationModeStatus([replicationMode]) {
+    let resp = {};
     if (this.isSummaryDashboard) {
       // the summary dashboard is not mode specific and will error
       // while running replication/null/status in the replication-mode adapter
@@ -53,11 +54,17 @@ export default class ReplicationPage extends Component {
     }
 
     try {
-      resp = yield this.store.adapterFor('replication-mode').fetchStatus(replicationMode);
+      // unauthenticated request -- explicitly pass empty token header
+      const headers = this.api.buildHeaders({ token: '' });
+      if (replicationMode === 'dr') {
+        resp = yield this.api.sys.systemReadReplicationDrStatus(headers);
+      } else if (replicationMode === 'performance') {
+        resp = yield this.api.sys.systemReadReplicationPerformanceStatus(headers);
+      }
     } catch (e) {
       // do not handle error
     } finally {
-      this.reindexingDetails = resp;
+      this.reindexingDetails = resp.data;
     }
   }
   get isSummaryDashboard() {
diff --git a/ui/lib/core/addon/components/replication-secondary-card.hbs b/ui/lib/core/addon/components/replication-secondary-card.hbs
index a2c741e565..710d23eca0 100644
--- a/ui/lib/core/addon/components/replication-secondary-card.hbs
+++ b/ui/lib/core/addon/components/replication-secondary-card.hbs
@@ -100,12 +100,13 @@
     </div>
     <div class="grid-item-third-row">
       {{#if (is-empty this.knownPrimaryClusterAddrs)}}
-        <Hds::ApplicationState @align="center" data-test-empty-state as |A|>
-          <A.Header @title="No known_primary_cluster_addrs" @titleTag="h2" />
+        <Hds::ApplicationState data-test-empty-state as |A|>
+          <A.Header @title="No known_primary_cluster_addrs" @titleTag="h2" data-test-empty-state-title />
           <A.Body
             @text="These addresses are used by the secondary to communicate with the primary cluster. Should always be non-zero in a functioning replication setup."
+            data-test-empty-state-message
           />
-          <A.Footer @hasDivider={{true}} as |F|>
+          <A.Footer @hasDivider={{true}} data-test-empty-state-actions as |F|>
             <F.LinkStandalone
               @icon="help"
               @text="Learn more about replication"
diff --git a/ui/lib/core/addon/components/search-select-with-modal.hbs b/ui/lib/core/addon/components/search-select-with-modal.hbs
deleted file mode 100644
index 512a571ead..0000000000
--- a/ui/lib/core/addon/components/search-select-with-modal.hbs
+++ /dev/null
@@ -1,112 +0,0 @@
-{{!
-  Copyright IBM Corp. 2016, 2025
-  SPDX-License-Identifier: BUSL-1.1
-}}
-
-<div
-  {{did-insert (perform this.fetchOptions)}}
-  id={{@id}}
-  class="field search-select {{if @displayInherit 'display-inherit'}}"
-  data-test-search-select-with-modal
-  ...attributes
->
-  {{#if this.shouldUseFallback}}
-    {{component
-      @fallbackComponent
-      label=@label
-      subText=@subText
-      onChange=@onChange
-      inputValue=@inputValue
-      helpText=@helpText
-      placeholder=(or @fallbackComponentPlaceholder @placeholder)
-      id=@id
-      selectLimit=@selectLimit
-    }}
-  {{else}}
-    {{#if @label}}
-      <div class="label-row">
-        <label for={{@id}} class={{@labelClass}} data-test-field-label>
-          {{@label}}
-        </label>
-        {{#if @helpText}}
-          <Hds::TooltipButton @text={{@helpText}} class={{@labelClass}} aria-label="More information">
-            <Hds::Icon @name="info" />
-          </Hds::TooltipButton>
-        {{/if}}
-      </div>
-    {{/if}}
-    {{#if @subText}}
-      <p data-test-modal-subtext class="sub-text">{{@subText}}</p>
-    {{/if}}
-    {{#unless this.hidePowerSelect}}
-      <PowerSelect
-        @eventType="click"
-        @placeholder={{@placeholder}}
-        @searchEnabled={{true}}
-        @search={{this.searchAndSuggest}}
-        @options={{this.dropdownOptions}}
-        @onChange={{this.selectOrCreate}}
-        @renderInPlace={{true}}
-        @placeholderComponent={{component "search-select-placeholder"}}
-        @verticalPosition="below"
-        as |option|
-      >
-        {{#if this.shouldRenderName}}
-          {{option.name}}
-          {{#unless option.__isSuggestion__}}
-            <small class="search-select-list-key" data-test-smaller-id="true">
-              {{option.id}}
-            </small>
-          {{/unless}}
-        {{else}}
-          {{option.id}}
-        {{/if}}
-      </PowerSelect>
-    {{/unless}}
-    <ul class="search-select-list">
-      {{#each this.selectedOptions as |selected index|}}
-        <li class="search-select-list-item" data-test-selected-option={{index}}>
-          {{#if this.shouldRenderName}}
-            {{selected.name}}
-            <small class="search-select-list-key" data-test-smaller-id={{index}}>
-              {{selected.id}}
-            </small>
-          {{else}}
-            <div>
-              {{selected.id}}
-            </div>
-          {{/if}}
-          <div class="control">
-            <Hds::Button
-              @icon="trash"
-              @text="delete selection"
-              @isIconOnly={{true}}
-              @color="tertiary"
-              data-test-selected-list-button="delete"
-              {{on "click" (fn this.discardSelection selected)}}
-            />
-          </div>
-        </li>
-      {{/each}}
-    </ul>
-  {{/if}}
-
-  {{#if this.showModal}}
-    <Hds::Modal id="search-select-modal" @onClose={{fn (mut this.showModal) false}} as |M|>
-      <M.Header data-test-modal-title>
-        Create new
-        {{singularize @id}}
-      </M.Header>
-      <M.Body>
-        {{#if @modalSubtext}}
-          <p class="has-bottom-margin-s" data-test-modal-subtext>
-            {{@modalSubtext}}
-          </p>
-        {{/if}}
-        {{! dynamically render template from modal-form/ folder}}
-        {{! form must receive an @onSave and @onCancel arg that executes the callback}}
-        {{component @modalFormTemplate nameInput=this.nameInput onSave=this.resetModal onCancel=this.resetModal}}
-      </M.Body>
-    </Hds::Modal>
-  {{/if}}
-</div>
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/search-select-with-modal.js b/ui/lib/core/addon/components/search-select-with-modal.js
deleted file mode 100644
index 59033b905b..0000000000
--- a/ui/lib/core/addon/components/search-select-with-modal.js
+++ /dev/null
@@ -1,210 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import Component from '@glimmer/component';
-import { service } from '@ember/service';
-import { action } from '@ember/object';
-import { tracked } from '@glimmer/tracking';
-import { task } from 'ember-concurrency';
-import { filterOptions, defaultMatcher } from 'ember-power-select/utils/group-utils';
-import { removeFromArray } from 'vault/helpers/remove-from-array';
-import { addToArray } from 'vault/helpers/add-to-array';
-
-/**
- * @module SearchSelectWithModal
- * The SearchSelectWithModal is an implementation of the [ember-power-select](https://github.com/cibernox/ember-power-select) used for form elements where options come dynamically from the API.
- * It renders a passed template component that parents a form so records can be created inline, via a modal that pops up after clicking 'No results found for "${term}". Click here to create it.' from the dropdown menu.
- * **!! NOTE: any form passed must be able to receive an `@onSave` and `@onCancel` arg so that the modal will close properly. See `oidc/client-form.hbs` that renders a modal for the `oidc-assignment-template.hbs` as an example.
- * @example
- * <SearchSelectWithModal @id="assignments" @models={{array "oidc/assignment"}} @label="assignment name" @subText="Search for an existing assignment, or type a new name to create it." @inputValue={{map-by "id" @model.assignments}} @onChange={{this.handleSearchSelect}} @excludeOptions={{array "allow_all"}} @fallbackComponent="string-list" @modalFormTemplate="modal-form/some-template" @modalSubtext="Use assignment to specify which Vault entities and groups are allowed to authenticate."
- * />
- *
- * component functionality
- * @param {function} onChange - The onchange action for this form field. ** SEE EXAMPLE ** mfa-login-enforcement-form.js (onMethodChange) for example when selecting models from a hasMany relationship
- * @param {array} [inputValue] - Array of strings corresponding to the input's initial value, e.g. an array of model ids that on edit will appear as selected items below the input
- * @param {boolean} [shouldRenderName=false] - By default an item's id renders in the dropdown, `true` displays the name with its id in smaller text beside it *NOTE: the boolean flips automatically with 'identity' models
- * @param {array} [excludeOptions] - array of strings containing model ids to filter from the dropdown (ex: ['allow_all'])
-
- * query params for dropdown items
- * @param {array} models - models to fetch from API. models with varying permissions should be ordered from least restricted to anticipated most restricted (ex. if one model is an enterprise only feature, pass it in last)
-
- * template only/display args
- * @param {string} id - The name of the form field
- * @param {string} [label] - Label appears above the form field
- * @param {string} [labelClass] - overwrite default label size (14px) from class="is-label"
- * @param {string} [helpText] - Text to be displayed in the info tooltip for this form field
- * @param {string} [subText] - Text to be displayed below the label
- * @param {string} fallbackComponent - name of component to be rendered if the API call 403s
- * @param {string} [placeholder] - placeholder text to override the default text of "Search"
- * @param {string} [fallbackComponentPlaceholder] - specific placeholder text relevant to fallback component. In some cases, the placeholder text does not make sense for both the search-select and the fallback component. Ex: "Input key name" for input-search and "Search or type to create a new item" for search-select.
- * @param {boolean} [displayInherit=false] - if you need the search select component to display inherit instead of box.
- * @param {number} [selectLimit=1] - if you only want the user to select a limited number of options, add number to this param.
- */
-export default class SearchSelectWithModal extends Component {
-  @service store;
-  @tracked shouldUseFallback = false;
-  @tracked selectedOptions = []; // list of selected options
-  @tracked dropdownOptions = []; // options that will render in dropdown, updates as selections are added/discarded
-  @tracked showModal = false;
-  @tracked nameInput = null;
-
-  get hidePowerSelect() {
-    return this.selectedOptions.length >= this.args.selectLimit;
-  }
-
-  get shouldRenderName() {
-    return this.args.models?.some((model) => model.includes('identity')) || this.args.shouldRenderName
-      ? true
-      : false;
-  }
-
-  addSearchText(optionsToFormat) {
-    // maps over array models from query
-    return optionsToFormat.map((option) => {
-      option.searchText = `${option.name} ${option.id}`;
-      return option;
-    });
-  }
-
-  formatInputAndUpdateDropdown(inputValues) {
-    // inputValues are initially an array of strings from @inputValue
-    // map over so selectedOptions are objects
-    return inputValues.map((option) => {
-      const matchingOption = this.dropdownOptions.find((opt) => opt.id === option);
-      // remove any matches from dropdown list
-      this.dropdownOptions = removeFromArray(this.dropdownOptions, matchingOption);
-      return {
-        id: option,
-        name: matchingOption ? matchingOption.name : option,
-        searchText: matchingOption ? matchingOption.searchText : option,
-      };
-    });
-  }
-
-  @task
-  *fetchOptions() {
-    this.dropdownOptions = []; // reset dropdown anytime we re-fetch
-    if (!this.args.models) {
-      return;
-    }
-
-    for (const modelType of this.args.models) {
-      try {
-        // fetch options from the store
-        let options = yield this.store.query(modelType, {});
-        if (this.args.excludeOptions) {
-          options = options.filter((o) => !this.args.excludeOptions.includes(o.id));
-        }
-        // add to dropdown options
-        this.dropdownOptions = [...this.dropdownOptions, ...this.addSearchText(options)];
-      } catch (err) {
-        if (err.httpStatus === 404) {
-          // continue to query other models even if one 404s
-          // and so selectedOptions will be set after for loop
-          continue;
-        }
-        if (err.httpStatus === 403) {
-          // when multiple models are passed in, don't use fallback if the first query is successful
-          // (i.e. policies ['acl', 'rgp'] - rgp policies are ENT only so will always fail on OSS)
-          if (this.dropdownOptions.length > 0 && this.args.models.length > 1) continue;
-          this.shouldUseFallback = true;
-          return;
-        }
-        throw err;
-      }
-    }
-
-    // after all models are queried, set selectedOptions and remove matches from dropdown list
-    this.selectedOptions = this.args.inputValue
-      ? this.formatInputAndUpdateDropdown(this.args.inputValue)
-      : [];
-  }
-
-  @action
-  handleChange() {
-    if (this.selectedOptions.length && typeof this.selectedOptions[0] === 'object') {
-      this.args.onChange(Array.from(this.selectedOptions, (option) => option.id));
-    } else {
-      this.args.onChange(this.selectedOptions);
-    }
-  }
-
-  shouldShowCreate(id, searchResults) {
-    if (searchResults && searchResults.length && searchResults[0].groupName) {
-      return !searchResults.some((group) => group.options.find((opt) => opt.id === id));
-    }
-    const existingOption =
-      this.dropdownOptions && this.dropdownOptions.find((opt) => opt.id === id || opt.name === id);
-    return !existingOption;
-  }
-
-  // ----- adapted from ember-power-select-with-create
-  addCreateOption(term, results) {
-    if (this.shouldShowCreate(term, results)) {
-      const name = `No results found for "${term}". Click here to create it.`;
-      const suggestion = {
-        __isSuggestion__: true,
-        __value__: term,
-        name,
-        id: name,
-      };
-      results.unshift(suggestion);
-    }
-  }
-
-  filter(options, searchText) {
-    const matcher = (option, text) => defaultMatcher(option.searchText, text);
-    return filterOptions(options || [], searchText, matcher);
-  }
-  // -----
-  @action
-  discardSelection(selected) {
-    this.selectedOptions = removeFromArray(this.selectedOptions, selected);
-    this.dropdownOptions = addToArray(this.dropdownOptions, selected);
-    this.handleChange();
-  }
-
-  // ----- adapted from ember-power-select-with-create
-  @action
-  searchAndSuggest(term) {
-    if (term.length === 0) {
-      return this.dropdownOptions;
-    }
-    if (this.args.models?.some((model) => model.includes('policy'))) {
-      term = term.toLowerCase();
-    }
-    const newOptions = this.filter(this.dropdownOptions, term);
-    this.addCreateOption(term, newOptions);
-    return newOptions;
-  }
-
-  @action
-  selectOrCreate(selection) {
-    if (selection && selection.__isSuggestion__) {
-      // user has clicked to create a new item
-      // wait to handleChange below in resetModal
-      this.nameInput = selection.__value__; // input is passed to form component
-      this.showModal = true;
-    } else {
-      // user has selected an existing item, handleChange immediately
-      this.selectedOptions = addToArray(this.selectedOptions, selection);
-      this.dropdownOptions = removeFromArray(this.dropdownOptions, selection);
-      this.handleChange();
-    }
-  }
-  // -----
-
-  @action
-  resetModal(model) {
-    // resetModal fires when the form component calls onSave or onCancel
-    this.showModal = false;
-    if (model && model.currentState.isSaved) {
-      const { name } = model;
-      this.selectedOptions = addToArray(this.selectedOptions, { name, id: name });
-      this.handleChange();
-    }
-    this.nameInput = null;
-  }
-}
diff --git a/ui/lib/core/addon/components/search-select.js b/ui/lib/core/addon/components/search-select.js
index 2aa25d12ad..d2a08c1e6b 100644
--- a/ui/lib/core/addon/components/search-select.js
+++ b/ui/lib/core/addon/components/search-select.js
@@ -12,7 +12,7 @@ import { resolve } from 'rsvp';
 import { filterOptions, defaultMatcher } from 'ember-power-select/utils/group-utils';
 import { removeFromArray } from 'vault/helpers/remove-from-array';
 import { addToArray } from 'vault/helpers/add-to-array';
-import { assert } from '@ember/debug';
+import { assert, debug } from '@ember/debug';
 /**
  * @module SearchSelect
  * The `SearchSelect` is an implementation of the [ember-power-select](https://github.com/cibernox/ember-power-select) used for form elements where options come dynamically from the API.
@@ -22,6 +22,7 @@ import { assert } from '@ember/debug';
  *
  // * component functionality
  * @param {function} onChange - The onchange action for this form field. ** SEE EXAMPLE ** mfa-login-enforcement-form.js (onMethodChange) for example when selecting models from a hasMany relationship
+ * @param {function} [onCreate] - Callback when user clicks the create new action in the dropdown. Receives the search term as an argument so the parent can determine how to handle creation (ex: open a modal with a form pre-filled with the search term as the name)
  * @param {array} [inputValue] - Array of strings corresponding to the input's initial value, e.g. an array of model ids that on edit will appear as selected items below the input
  * @param {boolean} [disallowNewItems=false] - Controls whether or not the user can add a new item if none found
  * @param {boolean} [shouldRenderName=false] - By default an item's id renders in the dropdown, `true` displays the name with its id in smaller text beside it *NOTE: the boolean flips automatically with 'identity' models or if this.idKey !== 'id'
@@ -34,7 +35,6 @@ import { assert } from '@ember/debug';
 // * query params for dropdown items
  * @param {Array} models - An array of model types to fetch from the API.
  * @param {string} [backend] - name of the backend if the query for options needs additional information (eg. secret backend)
- * @param {object} [queryObject] - object passed as query options to this.store.query(). NOTE: will override @backend
 
  // * template only/display args
  * @param {string} id - The name of the form field
@@ -58,7 +58,7 @@ import { assert } from '@ember/debug';
  */
 
 export default class SearchSelect extends Component {
-  @service store;
+  @service api;
   @tracked shouldUseFallback = false;
   @tracked selectedOptions = []; // array of selected options (initially set by @inputValue)
   @tracked dropdownOptions = []; // options that will render in dropdown, updates as selections are added/discarded
@@ -70,6 +70,11 @@ export default class SearchSelect extends Component {
       'one of @id, @label, or @ariaLabel must be passed to search-select component',
       this.args.id || this.args.label || this.args.ariaLabel
     );
+    if (this.args.models) {
+      debug(
+        'DEVELOPER NOTICE: @models is deprecated as part of the Ember Data migration. Please use @options and pass array of items to render.'
+      );
+    }
   }
 
   get hidePowerSelect() {
@@ -140,6 +145,8 @@ export default class SearchSelect extends Component {
       this.selectedOptions = this.args.parentManageSelected;
     }
 
+    // this if condition can be removed once model support has been fully deprecated
+    // for the remaining usages we will use the api service to maintain fetch functionality
     if (!this.args.models) {
       if (Array.isArray(this.args.options)) {
         const { options } = this.args;
@@ -148,27 +155,30 @@ export default class SearchSelect extends Component {
           ? options
           : [...this.addSearchText(options)];
 
-        if (!this.args.parentManageSelected) {
-          //  set selectedOptions and remove matches from dropdown list
+        // preserve full selected objects when parent manages them, but still remove matches from dropdown
+        if (this.args.parentManageSelected) {
+          const selectedIds = this.args.parentManageSelected.map((opt) => opt[this.idKey]);
+          selectedIds.forEach((id) => {
+            const matchingOption = this.dropdownOptions.find((opt) => opt[this.idKey] === id);
+            if (matchingOption) {
+              this.dropdownOptions = removeFromArray(this.dropdownOptions, matchingOption);
+            }
+          });
+        } else {
           this.selectedOptions = this.args.inputValue
             ? this.formatInputAndUpdateDropdown(this.args.inputValue)
             : [];
         }
       }
+      this.shouldUseFallback =
+        this.args.fallbackComponent && !this.args.options?.length && this.args.disallowNewItems;
       return;
     }
 
     for (const modelType of this.args.models) {
       try {
-        let queryParams = {};
-        if (this.args.backend) {
-          queryParams = { backend: this.args.backend };
-        }
-        if (this.args.queryObject) {
-          queryParams = this.args.queryObject;
-        }
-        // fetch options from the store
-        const options = yield this.store.query(modelType, queryParams);
+        // fetch options from api
+        const options = yield this.fetchWithApiClient(modelType, this.args.backend);
 
         // store both select + unselected options in tracked property used by wildcard filter
         this.allOptions = [...this.allOptions, ...options.map((option) => option.id)];
@@ -176,16 +186,17 @@ export default class SearchSelect extends Component {
         // add to dropdown options
         this.dropdownOptions = [...this.dropdownOptions, ...this.addSearchText(options)];
       } catch (err) {
-        if (err.httpStatus === 404) {
+        const { status, response } = yield this.api.parseError(err);
+        if (status === 404) {
           // continue to query other models even if one 404s
           // and so selectedOptions will be set after for loop
           continue;
         }
-        if (err.httpStatus === 403) {
+        if (status === 403) {
           this.shouldUseFallback = true;
           return;
         }
-        throw err;
+        throw response;
       }
     }
 
@@ -195,6 +206,45 @@ export default class SearchSelect extends Component {
       : [];
   }
 
+  /**
+   * Temporary method to maintain backwards compatibility with original Ember Data model query functionality
+   * The @models argument is deprecated and the remaining usages need to be converted to fetch options from the route and pass them via the @options arg
+   */
+  async fetchWithApiClient(modelType, backend) {
+    const apiServicePath = {
+      transform: 'secrets.transformListTransformations',
+      'transform/alphabet': 'secrets.transformListAlphabets',
+      'transform/template': 'secrets.transformListTemplates',
+      'transform/role': 'secrets.transformListRoles',
+      'database/connection': 'secrets.databaseListConnections',
+      'database/role': 'secrets.databaseListRoles',
+      'identity/group': 'identity.groupListByName',
+      'identity/entity': 'identity.entityListByName',
+      'mfa-method': 'sys.systemListMfaMethod',
+      'keymgmt/key': 'secrets.keyManagementListKeys',
+      'keymgmt/provider': 'secrets.keyManagementListKmsProviders',
+      'policy/acl': 'sys.policiesListAclPolicies',
+      'policy/rgp': 'sys.systemListPoliciesRgp',
+    }[modelType];
+    // if model is not recognized in map log error to console, return empty array and use fallback component if it exists
+    if (!apiServicePath) {
+      debug(
+        `DEVELOPER NOTICE: Unrecognized model type "${modelType}" passed to search-select component. Please use @options instead to pass an array of options to render`
+      );
+      if (this.args.fallbackComponent) {
+        this.shouldUseFallback = true;
+      }
+      return [];
+    }
+    const args = backend ? [backend, true] : [true];
+    const [api, method] = apiServicePath.split('.');
+    const response = await this.api[api][method](...args);
+    if (response.key_info) {
+      return this.api.keyInfoToArray(response);
+    }
+    return response.keys.map((key) => ({ id: key, name: key }));
+  }
+
   @action
   handleChange() {
     if (this.selectedOptions.length && typeof this.selectedOptions[0] === 'object') {
@@ -293,6 +343,7 @@ export default class SearchSelect extends Component {
     if (selection && selection.__isSuggestion__) {
       const name = selection.__value__;
       this.selectedOptions = addToArray(this.selectedOptions, { name, id: name, new: true });
+      this.args.onCreate?.(name);
     } else {
       this.selectedOptions = addToArray(this.selectedOptions, selection);
       this.dropdownOptions = removeFromArray(this.dropdownOptions, selection);
diff --git a/ui/lib/core/addon/components/secret-list-header-tab.js b/ui/lib/core/addon/components/secret-list-header-tab.js
index 30a653928b..b78555a542 100644
--- a/ui/lib/core/addon/components/secret-list-header-tab.js
+++ b/ui/lib/core/addon/components/secret-list-header-tab.js
@@ -26,7 +26,8 @@ import { tracked } from '@glimmer/tracking';
 import { service } from '@ember/service';
 
 export default class SecretListHeaderTab extends Component {
-  @service store;
+  @service capabilities;
+
   @tracked dontShowTab;
 
   constructor() {
@@ -41,45 +42,12 @@ export default class SecretListHeaderTab extends Component {
   }
 
   async fetchCapabilities() {
-    const capabilitiesArray = ['canList', 'canCreate', 'canUpdate'];
-    const checkCapabilities = function (object) {
-      const array = [];
-      // we only want to look at the canList, canCreate and canUpdate on the capabilities record
-      capabilitiesArray.forEach((item) => {
-        // object is sometimes null
-        if (object) {
-          array.push(object[item]);
-        }
-      });
-      return array;
-    };
-    const checker = (arr) => arr.every((item) => !item); // same things as listing every item as !item && !item, etc.
     // For now only check capabilities for the Database Secrets Engine
     if (this.args.displayName === 'Database') {
-      const peekRecordRoles = this.store.peekRecord('capabilities', 'database/roles/');
-      const peekRecordStaticRoles = this.store.peekRecord('capabilities', 'database/static-roles/');
-      const peekRecordConnections = this.store.peekRecord('capabilities', 'database/config/');
-      // peekRecord if the capabilities store data is there for the connections (config) and roles model
-      if (
-        (peekRecordRoles && this.args.path === 'roles') ||
-        (peekRecordStaticRoles && this.args.path === 'roles')
-      ) {
-        const roles = checker(checkCapabilities(peekRecordRoles));
-        const staticRoles = checker(checkCapabilities(peekRecordStaticRoles));
-
-        this.dontShowTab = roles && staticRoles;
-        return;
-      }
-      if (peekRecordConnections && this.args.path === 'config') {
-        this.dontShowTab = checker(checkCapabilities(peekRecordConnections));
-        return;
-      }
-      // otherwise queryRecord and create an instance on the capabilities.
-      const response = await this.store.queryRecord(
-        'capabilities',
-        this.pathQuery(this.args.id, this.args.path)
-      );
-      this.dontShowTab = checker(checkCapabilities(response));
+      const { path, id: backend } = this.args;
+      const pathKey = path === 'config' ? 'databaseConfig' : 'databaseRoles';
+      const { canList, canCreate, canUpdate } = await this.capabilities.for(pathKey, { backend });
+      this.dontShowTab = !canList && !canCreate && !canUpdate;
     }
   }
 }
diff --git a/ui/lib/core/addon/components/shamir/dr-token-flow.hbs b/ui/lib/core/addon/components/shamir/dr-token-flow.hbs
index 9386ee63d7..428bae26ad 100644
--- a/ui/lib/core/addon/components/shamir/dr-token-flow.hbs
+++ b/ui/lib/core/addon/components/shamir/dr-token-flow.hbs
@@ -19,7 +19,7 @@
         @textToCopy={{this.encodedToken}}
         @container="#shamir-flow-modal"
         @onError={{(fn (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger"))}}
-        data-test-shamir-encoded-token
+        data-test-copy-snippet="shamir-encoded-token"
       />
     </div>
     {{#if this.otp}}
@@ -93,6 +93,7 @@
       secondary Disaster Recovery cluster.
     </p>
   </Shamir::Form>
+
 {{else if this.generateWithPGP}}
   <MessageError @errors={{this.errors}} />
   <ChoosePgpKeyForm
@@ -100,9 +101,41 @@
     @onSubmit={{this.usePgpKey}}
     @formText={{this.pgpText.form}}
     @confirmText={{this.pgpText.confirm}}
-    @buttonText="Generate operation token"
+    @buttonText="Continue"
     data-test-dr-token-flow-step="choose-pgp"
   />
+{{else if this.askForPrimaryToken}}
+  <MessageError @errors={{this.errors}} />
+
+  <Hds::Text::Body @tag="p" @size="300" class="has-bottom-margin-m" data-test-dr-token-flow-step="primary-token">
+    To generate an operation token on this DR secondary, you must provide a root token from the primary cluster. This token
+    will be used to authenticate the operation token generation request.
+  </Hds::Text::Body>
+
+  <Hds::Form::TextInput::Field
+    @type="password"
+    @value={{this.primaryRootToken}}
+    autocomplete="off"
+    name="primary-token"
+    data-test-input="primary-token"
+    {{on "input" this.updatePrimaryRootToken}}
+    as |F|
+  >
+    <F.Label>Primary cluster root token</F.Label>
+  </Hds::Form::TextInput::Field>
+
+  <Hds::ButtonSet class="has-top-margin-m">
+    {{#if this.savedPgpKey}}
+      <Hds::Button
+        @text="Back"
+        @color="secondary"
+        @icon="chevron-left"
+        {{on "click" this.backToPgpForm}}
+        data-test-button="back-to-pgp"
+      />
+    {{/if}}
+    <Hds::Button @text="Continue" {{on "click" this.validatePrimaryRootToken}} data-test-submit-primary-token />
+  </Hds::ButtonSet>
 {{else}}
   {{! Generate token flow not started }}
   <form
@@ -125,7 +158,7 @@
           @color="tertiary"
           @icon="key"
           {{on "click" (fn (mut this.generateWithPGP) true)}}
-          data-test-use-pgp-key-cta
+          data-test-button="use-pgp-key-cta"
           @text="Provide PGP Key"
         />
       </div>
@@ -135,7 +168,7 @@
         </span>
       </div>
       <div class="control">
-        <Hds::Button type="submit" data-test-generate-token-cta @text="Generate operation token" />
+        <Hds::Button type="submit" data-test-button="generate-token-cta" @text="Generate operation token" />
       </div>
     </div>
   </form>
@@ -145,6 +178,6 @@
 <Hds::Button
   @color="secondary"
   {{on "click" this.onCancelClose}}
-  data-test-shamir-modal-cancel-button
+  data-test-cancel
   @text={{if this.encodedToken "Close" "Cancel"}}
 />
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/shamir/dr-token-flow.js b/ui/lib/core/addon/components/shamir/dr-token-flow.js
index 7973015818..828be514a1 100644
--- a/ui/lib/core/addon/components/shamir/dr-token-flow.js
+++ b/ui/lib/core/addon/components/shamir/dr-token-flow.js
@@ -5,6 +5,7 @@
 
 import { tracked } from '@glimmer/tracking';
 import { action } from '@ember/object';
+import { service } from '@ember/service';
 import ShamirFlowComponent from './flow';
 
 /**
@@ -20,20 +21,26 @@ import ShamirFlowComponent from './flow';
  * @param {function} onCancel - if provided, function will be triggered on Cancel
  */
 export default class ShamirDrTokenFlowComponent extends ShamirFlowComponent {
+  @service api;
+
   @tracked generateWithPGP = false; // controls which form shows
   @tracked savedPgpKey = null;
   @tracked otp = '';
+  @tracked askForPrimaryToken = false; // controls whether to show primary token input
+  @tracked primaryRootToken = null; // stores the primary root token
 
   constructor() {
     super(...arguments);
-    // Fetch status on init
-    this.attemptProgress();
+    // Don't fetch status on init - we'll check it after the user provides the primary token
+    // Fetching status here would start an unauthenticated generation attempt
   }
 
   reset() {
     this.generateWithPGP = false;
     this.savedPgpKey = null;
     this.otp = '';
+    this.askForPrimaryToken = false;
+    this.primaryRootToken = null;
     // tracked items on Shamir/Flow
     this.attemptResponse = null;
     this.errors = null;
@@ -57,7 +64,7 @@ export default class ShamirDrTokenFlowComponent extends ShamirFlowComponent {
   }
   get pgpText() {
     return {
-      confirm: `Below is the base-64 encoded PGP Key that will be used to encrypt the generated operation token. Next we'll enter portions of the root key to generate an operation token. Click the "Generate operation token" button to proceed.`,
+      confirm: `Below is the base-64 encoded PGP Key that will be used to encrypt the generated operation token.`,
       form: `Choose a PGP Key from your computer or paste the contents of one in the form below. This key will be used to Encrypt the generated operation token.`,
     };
   }
@@ -95,20 +102,78 @@ export default class ShamirDrTokenFlowComponent extends ShamirFlowComponent {
   @action
   usePgpKey(keyfile) {
     this.savedPgpKey = keyfile;
-    this.attemptProgress(this.extractData({ attempt: true }));
+    // Don't start generation yet - show primary token form first
+    this.generateWithPGP = false;
+    this.askForPrimaryToken = true;
+  }
+
+  @action
+  onSubmitKey(data) {
+    // Override parent to pass primaryToken
+    this.attemptProgress(this.extractData(data), this.primaryRootToken);
   }
 
   @action
   startGenerate(evt) {
     evt.preventDefault();
-    this.attemptProgress(this.extractData({ attempt: true }));
+    // Show the primary token input form first
+    this.askForPrimaryToken = true;
+  }
+
+  @action
+  updatePrimaryRootToken(evt) {
+    this.primaryRootToken = evt.target.value;
+  }
+
+  @action
+  async validatePrimaryRootToken() {
+    if (!this.primaryRootToken) {
+      this.errors = ['Primary root token is required'];
+      return;
+    }
+
+    this.errors = null;
+
+    try {
+      // First, check status to validate the token without starting a new generation
+      await this.attemptProgress(undefined, this.primaryRootToken);
+
+      if (!this.started) {
+        // No generation in progress, so start one
+        await this.attemptProgress(this.extractData({ attempt: true }), this.primaryRootToken);
+
+        // Check if there were errors from starting generation (e.g., invalid PGP key)
+        if (this.errors) {
+          return;
+        }
+      }
+
+      // Only hide the primary token form if there were no errors
+      this.askForPrimaryToken = false;
+    } catch (e) {
+      if (e.httpStatus === 403) {
+        this.errors = ['Invalid primary root token. Please check the token and try again.'];
+      } else {
+        this.errors = [e.message || 'An error occurred while validating the token'];
+      }
+    }
+  }
+
+  @action
+  backToPgpForm() {
+    // Go back to PGP form and clear the saved PGP key
+    this.askForPrimaryToken = false;
+    this.generateWithPGP = true;
+    this.savedPgpKey = null;
+    this.errors = null;
   }
 
   @action
   async onCancelClose() {
     if (!this.encodedToken && this.started) {
-      const adapter = this.store.adapterFor('cluster');
-      await adapter.generateDrOperationToken({}, { cancel: true });
+      // if primaryRootToken is not defined then make unauthenticated request
+      const headers = this.api.buildHeaders({ token: this.primaryRootToken || '' });
+      await this.api.sys.replicationDrSecondaryGenerateOperationTokenCancel(headers);
     }
     this.reset();
     if (this.args.onCancel) {
diff --git a/ui/lib/core/addon/components/shamir/flow.js b/ui/lib/core/addon/components/shamir/flow.js
index 1367541b8b..1c42da8454 100644
--- a/ui/lib/core/addon/components/shamir/flow.js
+++ b/ui/lib/core/addon/components/shamir/flow.js
@@ -42,7 +42,8 @@ import { tracked } from '@glimmer/tracking';
  *
  */
 export default class ShamirFlowComponent extends Component {
-  @service store;
+  @service api;
+
   @tracked errors = null;
   @tracked attemptResponse = null;
 
@@ -69,28 +70,39 @@ export default class ShamirFlowComponent extends Component {
    * 2. Attempt progress. This method assumes the correct data
    * has already been extracted (use this.extractData to customize)
    * @param {object} data arbitrary data which will be passed to adapter method
+   * @param {string} primaryToken optional primary root token for DR secondary operations
    * @returns Promise which should resolve unless throwing error to parent.
    */
-  async attemptProgress(data) {
-    this.errors = null;
-    const action = this.action;
-    const adapter = this.store.adapterFor('cluster');
-    const method = adapter[action];
-    // Only used for DR token generate
-    const checkStatus = data ? false : true;
-
+  async attemptProgress(data, primaryToken) {
     try {
-      const resp = await method.call(adapter, data, { checkStatus });
-      this.updateProgress(resp);
-      this.handleComplete(resp);
-      return;
+      this.errors = null;
+      let response;
+      const headers = this.api.buildHeaders(primaryToken || '');
+
+      if (this.args.action === 'generate-dr-operation-token') {
+        if (!data) {
+          // check status
+          response = await this.api.sys.replicationDrSecondaryGenerateOperationTokenReadProgress(headers);
+        } else if (data.pgp_key || data.attempt) {
+          // initialize a new generate-operation-token attempt
+          response = await this.api.sys.replicationDrSecondaryGenerateOperationTokenInitialize(data, headers);
+        } else {
+          // progress the operation
+          response = await this.api.sys.replicationDrSecondaryGenerateOperationTokenUpdate(data, headers);
+        }
+      } else if (this.args.action === 'unseal') {
+        const resp = await this.api.request.put('/sys/unseal', data, headers);
+        response = await resp.json();
+      }
+      this.updateProgress(response?.data || response);
+      this.handleComplete(response?.data || response);
     } catch (e) {
-      if (e.httpStatus === 400) {
-        this.errors = e.errors;
-        return;
+      const { status, response } = await this.api.parseError(e);
+      if (status === 400) {
+        this.errors = response.errors;
       } else {
         // if licensing error, trigger parent method to handle
-        if (e.httpStatus === 500 && e.errors?.join(' ').includes('licensing is in an invalid state')) {
+        if (status === 500 && response.errors?.join(' ').includes('licensing is in an invalid state')) {
           this.args.onLicenseError();
         }
         throw e;
diff --git a/ui/lib/core/addon/components/shamir/form.hbs b/ui/lib/core/addon/components/shamir/form.hbs
index 4adb1b5091..4eea98fbd1 100644
--- a/ui/lib/core/addon/components/shamir/form.hbs
+++ b/ui/lib/core/addon/components/shamir/form.hbs
@@ -49,13 +49,13 @@
         name="key"
         @value={{this.key}}
         autocomplete="off"
-        data-test-shamir-key-input
+        data-test-input="shamir-key"
       />
     </div>
   </div>
   <div class="columns is-mobile">
     <div class="column is-narrow">
-      <Hds::Button @text={{this.buttonText}} type="submit" disabled={{this.loading}} data-test-shamir-submit />
+      <Hds::Button @text={{this.buttonText}} type="submit" disabled={{this.loading}} data-test-submit />
     </div>
     <div class="column is-flex-v-centered is-flex-end">
       {{#if this.showProgress}}
diff --git a/ui/lib/core/addon/components/sidebar/nav/cluster.hbs b/ui/lib/core/addon/components/sidebar/nav/cluster.hbs
index ab5f4e69d3..94e0da630e 100644
--- a/ui/lib/core/addon/components/sidebar/nav/cluster.hbs
+++ b/ui/lib/core/addon/components/sidebar/nav/cluster.hbs
@@ -38,7 +38,8 @@
   {{#if
     (or
       (and this.isRootNamespace (has-permission "status" routeParams="raft"))
-      (and (has-permission "clients" routeParams="activity") (not this.hasChrootNamespace))
+      (display-nav-item this.navSection.clientCount)
+      (display-nav-item this.routeName.billingDashboard)
     )
   }}
     <Nav.Title data-test-sidebar-nav-heading="Monitoring">Monitoring</Nav.Title>
@@ -59,6 +60,14 @@
       data-test-sidebar-nav-link="Client count"
     />
   {{/if}}
+  {{#if (display-nav-item this.routeName.billingDashboard)}}
+    <Nav.Link
+      @route="vault.cluster.billing.overview"
+      @text="Billing metrics"
+      @hasSubItems={{true}}
+      data-test-sidebar-nav-link="Billing metrics"
+    />
+  {{/if}}
   {{#if (and this.cluster.usingRaft this.isRootNamespace (has-permission "status" routeParams="raft"))}}
     <Nav.Link
       @route="vault.cluster.storage"
diff --git a/ui/lib/core/addon/components/sidebar/nav/cluster.js b/ui/lib/core/addon/components/sidebar/nav/cluster.js
index d619cf8aac..e063e6c2ef 100644
--- a/ui/lib/core/addon/components/sidebar/nav/cluster.js
+++ b/ui/lib/core/addon/components/sidebar/nav/cluster.js
@@ -22,6 +22,7 @@ export default class SidebarNavClusterComponent extends Component {
 
   routeName = {
     vaultUsage: RouteName.VAULT_USAGE,
+    billingDashboard: RouteName.BILLING_DASHBOARD,
   };
 
   get cluster() {
diff --git a/ui/lib/core/addon/components/toolbar-link.hbs b/ui/lib/core/addon/components/toolbar-link.hbs
index 6250d0725b..89aa752ee8 100644
--- a/ui/lib/core/addon/components/toolbar-link.hbs
+++ b/ui/lib/core/addon/components/toolbar-link.hbs
@@ -13,5 +13,5 @@
   @disabled={{@disabled}}
 >
   {{yield}}
-  <Icon @name={{this.glyph}} data-test-icon={{this.glyph}} />
+  <Icon class="toolbar-icon" @name={{this.glyph}} data-test-icon={{this.glyph}} />
 </LinkTo>
\ No newline at end of file
diff --git a/ui/lib/core/addon/components/ttl-picker.hbs b/ui/lib/core/addon/components/ttl-picker.hbs
index 312cde52be..e0f8068c93 100644
--- a/ui/lib/core/addon/components/ttl-picker.hbs
+++ b/ui/lib/core/addon/components/ttl-picker.hbs
@@ -46,6 +46,7 @@
         <label for="select-ttl-unit" class="sr-only">Unit for TTL</label>
         {{! Select automatically gets id based on name }}
         <Select
+          @ariaLabel="TTL unit for {{this.label}}"
           @name="ttl-unit"
           @options={{this.unitOptions}}
           @onChange={{this.updateUnit}}
@@ -116,6 +117,7 @@
             <label for="unit-{{this.elementId}}" class="sr-only">Unit for TTL</label>
             <Select
               id="unit-{{this.elementId}}"
+              @ariaLabel="TTL unit for {{this.label}}"
               @name="ttl-unit"
               @options={{this.unitOptions}}
               @onChange={{this.updateUnit}}
diff --git a/ui/lib/core/addon/components/upgrade-page.hbs b/ui/lib/core/addon/components/upgrade-page.hbs
index 1e88d1ce21..bb6f505ea0 100644
--- a/ui/lib/core/addon/components/upgrade-page.hbs
+++ b/ui/lib/core/addon/components/upgrade-page.hbs
@@ -11,15 +11,19 @@
   </:breadcrumbs>
 </Page::Header>
 
-<EmptyState
-  @title="Upgrade to use {{this.featureName}}"
-  @message="You will need {{this.minimumEdition}} with {{this.featureName}} included to use this feature."
->
-  <Hds::Link::Standalone
-    @icon="chevron-right"
-    @iconPosition="trailing"
-    @text="Vault Enterprise"
-    @href="https://www.hashicorp.com/products/vault/enterprise?source=vaultui_{{this.featureName}}"
-    data-test-upgrade-link
+<Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+  <A.Header @title="Upgrade to use {{this.featureName}}" @titleTag="h2" data-test-empty-state-title />
+  <A.Body
+    @text="You will need {{this.minimumEdition}} with {{this.featureName}} included to use this feature."
+    data-test-empty-state-message
   />
-</EmptyState>
\ No newline at end of file
+  <A.Footer data-test-empty-state-actions as |F|>
+    <F.LinkStandalone
+      @icon="chevron-right"
+      @iconPosition="trailing"
+      @text="Vault Enterprise"
+      @href="https://www.hashicorp.com/products/vault/enterprise?source=vaultui_{{this.featureName}}"
+      data-test-upgrade-link
+    />
+  </A.Footer>
+</Hds::ApplicationState>
\ No newline at end of file
diff --git a/ui/lib/core/addon/decorators/confirm-leave.js b/ui/lib/core/addon/decorators/confirm-leave.js
index 7d875b903a..ea89ea19ec 100644
--- a/ui/lib/core/addon/decorators/confirm-leave.js
+++ b/ui/lib/core/addon/decorators/confirm-leave.js
@@ -5,7 +5,6 @@
 
 import { action } from '@ember/object';
 import Route from '@ember/routing/route';
-import { service } from '@ember/service';
 import Ember from 'ember';
 
 /**
@@ -51,8 +50,6 @@ export function withConfirmLeave(modelPath = 'model', silentCleanupPaths) {
       return SuperClass;
     }
     return class ConfirmLeave extends SuperClass {
-      @service store;
-
       _rollbackModel(modelPath) {
         const model = this.controller.get(modelPath);
         // we only want to complete rollback if the model is dirty and not saving
diff --git a/ui/lib/core/addon/helpers/cluster-states.js b/ui/lib/core/addon/helpers/cluster-states.js
index 73598a2c58..4966bfdd50 100644
--- a/ui/lib/core/addon/helpers/cluster-states.js
+++ b/ui/lib/core/addon/helpers/cluster-states.js
@@ -14,46 +14,55 @@ export const CLUSTER_STATES = {
     glyph: 'check-circle',
     isOk: true,
     isSyncing: false,
+    color: 'success',
   },
   ready: {
     glyph: 'check-circle',
     isOk: true,
     isSyncing: false,
+    color: 'success',
   },
   'stream-wals': {
     glyph: 'check-circle',
     isOk: true,
     isSyncing: false,
+    color: 'success',
   },
   'merkle-diff': {
     glyph: 'sync-reverse',
     isOk: true,
     isSyncing: true,
+    color: 'warning',
   },
   connecting: {
     glyph: 'sync-reverse',
     isOk: true,
     isSyncing: true,
+    color: 'warning',
   },
   'merkle-sync': {
     glyph: 'sync-reverse',
     isOk: true,
     isSyncing: true,
+    color: 'warning',
   },
   idle: {
     glyph: 'x-square',
     isOk: false,
     isSyncing: false,
+    color: 'critical',
   },
   transient_failure: {
     glyph: 'x-circle',
     isOk: false,
     isSyncing: false,
+    color: 'critical',
   },
   shutdown: {
     glyph: 'x-circle',
     isOk: false,
     isSyncing: false,
+    color: 'critical',
   },
 };
 
diff --git a/ui/lib/core/addon/helpers/display-nav-item.ts b/ui/lib/core/addon/helpers/display-nav-item.ts
index 7776eb8b49..25f3c33041 100644
--- a/ui/lib/core/addon/helpers/display-nav-item.ts
+++ b/ui/lib/core/addon/helpers/display-nav-item.ts
@@ -21,6 +21,7 @@ export enum RouteName {
   REPLICATION = 'replication',
   VAULT_USAGE = 'vault-usage',
   LICENSE = 'license',
+  BILLING_DASHBOARD = 'billing-dashboard',
 }
 
 export enum NavSection {
@@ -37,7 +38,8 @@ export default class NavBar extends Helper {
   @service declare readonly flags: FlagsService;
 
   compute([navItem]: string[]) {
-    const { SECRETS_RECOVERY, SEAL, REPLICATION, VAULT_USAGE, LICENSE, SECRETS_SYNC } = RouteName;
+    const { SECRETS_RECOVERY, SEAL, REPLICATION, VAULT_USAGE, LICENSE, SECRETS_SYNC, BILLING_DASHBOARD } =
+      RouteName;
     const { RESILIENCE_AND_RECOVERY, REPORTING, CLIENT_COUNT } = NavSection;
 
     switch (navItem) {
@@ -54,6 +56,9 @@ export default class NavBar extends Helper {
         return this.supportsLicense;
       case REPORTING:
         return this.canAccessVaultUsageDashboard || this.supportsLicense;
+      // monitoring
+      case BILLING_DASHBOARD:
+        return this.supportsBillingDashboard;
       // resilience and recovery nav items
       case SECRETS_RECOVERY:
         return this.supportsSnapshots;
@@ -133,7 +138,8 @@ export default class NavBar extends Helper {
       this.permissions.hasNavPermission('clients', 'activity') &&
       !this.cluster?.dr?.isSecondary &&
       !this.hasChrootNamespace &&
-      !this.version.hasPKIOnly
+      !this.version.hasPKIOnly &&
+      !this.version.hasConsumptionBilling
     );
   }
 
@@ -151,6 +157,16 @@ export default class NavBar extends Helper {
     // otherwise we show the link depending on whether or not the feature exists
     return this.version.hasSecretsSync;
   }
+
+  get supportsBillingDashboard() {
+    const isCorrectNamespace = this.isRootNamespace || this.namespace.inHvdAdminNamespace;
+
+    return (
+      this.version.hasConsumptionBilling &&
+      isCorrectNamespace &&
+      this.permissions.hasNavPermission('billing', 'overview')
+    );
+  }
 }
 
 export function computeNavBar(context: object, navItem: string): boolean {
diff --git a/ui/lib/core/addon/helpers/engines-display-data.ts b/ui/lib/core/addon/helpers/engines-display-data.ts
new file mode 100644
index 0000000000..d54920d50f
--- /dev/null
+++ b/ui/lib/core/addon/helpers/engines-display-data.ts
@@ -0,0 +1,62 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { ALL_ENGINES, type EngineDisplayData } from 'core/utils/all-engines-metadata';
+import { getEffectiveEngineType } from 'vault/utils/external-plugin-helpers';
+
+/**
+ * Default metadata for unknown engine plugins
+ */
+export const unknownEngineMetadata = (methodType?: string): EngineDisplayData => ({
+  type: methodType || 'unknown',
+  displayName: methodType || 'Unknown plugin',
+  glyph: 'lock',
+  mountCategory: ['secret', 'auth'],
+});
+
+/**
+ * Helper function to retrieve engine metadata for a given `methodType`.
+ * It searches the `ALL_ENGINES` array for an engine with a matching type and returns its metadata object.
+ * The `ALL_ENGINES` array includes secret and auth engines, including those supported only in enterprise.
+ * These details (such as mount type and enterprise licensing) are included in the returned engine object.
+ *
+ * For external plugins that have a builtin mapping (e.g., "vault-plugin-secrets-keymgmt" -> "keymgmt"),
+ * this function returns the metadata for the corresponding builtin engine, preserving the original
+ * external plugin name in the type field.
+ *
+ * Example usage:
+ * const engineMetadata = engineDisplayData('kmip');
+ * if (engineMetadata?.requiresEnterprise) {
+ *   console.log(`This mount: ${engineMetadata.engineType} requires an enterprise license`);
+ * }
+ *
+ * @param {string} methodType - The engine type (sometimes called backend) to look up (e.g., "aws", "azure", "vault-plugin-secrets-keymgmt").
+ * @returns {Object} - The engine metadata, which includes information about its mount type (e.g., secret or auth)
+ *   and whether it requires an enterprise license. For unknown engines, returns a default unknown plugin object.
+ */
+export default function engineDisplayData(methodType: string): EngineDisplayData {
+  // First try to find an exact match
+  const builtinEngine = ALL_ENGINES?.find((t) => t.type === methodType);
+  if (builtinEngine) {
+    return builtinEngine;
+  }
+
+  // If no direct match, check if this is a known external plugin and use its builtin mapping
+  const effectiveType = getEffectiveEngineType(methodType);
+  if (effectiveType !== methodType) {
+    // This is a known external plugin with a builtin mapping
+    const mappedEngine = ALL_ENGINES?.find((t) => t.type === effectiveType);
+    if (mappedEngine) {
+      // Return the mapped engine metadata but preserve the original external plugin type
+      return {
+        ...mappedEngine,
+        type: methodType, // Keep the original external plugin name for identification
+      };
+    }
+  }
+
+  // Return default unknown plugin metadata
+  return unknownEngineMetadata(methodType);
+}
diff --git a/ui/lib/core/addon/helpers/has-option-groups.ts b/ui/lib/core/addon/helpers/has-option-groups.ts
new file mode 100644
index 0000000000..834d5fbf76
--- /dev/null
+++ b/ui/lib/core/addon/helpers/has-option-groups.ts
@@ -0,0 +1,30 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { helper } from '@ember/component/helper';
+/**
+ * Helper to detect if possibleValues contains grouped options (with optgroups).
+ * Returns true if any item in the array has a 'group' property, false otherwise.
+ *
+ * @param {Array} possibleValues - Array that may contain flat options or grouped options
+ * @returns {boolean} - True if grouped options detected, false for flat arrays
+ */
+export function hasOptionGroups(possibleValues: unknown[] | null | undefined): boolean {
+  if (!possibleValues || !Array.isArray(possibleValues) || possibleValues.length === 0) {
+    return false;
+  }
+  return possibleValues.some((item) => {
+    if (!item || typeof item !== 'object') {
+      return false;
+    }
+    const candidate = item as { group?: unknown; options?: unknown };
+    return typeof candidate.group === 'string' && Array.isArray(candidate.options);
+  });
+}
+export default helper(function hasOptionGroupsHelper([possibleValues]: [
+  unknown[] | null | undefined,
+]): boolean {
+  return hasOptionGroups(possibleValues);
+});
diff --git a/ui/lib/core/addon/helpers/sync-destinations.ts b/ui/lib/core/addon/helpers/sync-destinations.ts
index b0025ec5bc..73c8bf03e0 100644
--- a/ui/lib/core/addon/helpers/sync-destinations.ts
+++ b/ui/lib/core/addon/helpers/sync-destinations.ts
@@ -4,8 +4,7 @@
  */
 
 import { helper as buildHelper } from '@ember/component/helper';
-
-import type { DestinationType } from 'vault/sync';
+import { DestinationType, CredentialType } from 'sync/utils/constants';
 import type { SyncDestination } from 'vault/helpers/sync-destinations';
 
 /* 
@@ -16,40 +15,83 @@ maskedParams: attributes for sensitive data, the API returns these values as '**
 const SYNC_DESTINATIONS: Array<SyncDestination> = [
   {
     name: 'AWS Secrets Manager',
-    type: 'aws-sm',
+    type: DestinationType.AwsSm,
     icon: 'aws-color',
     category: 'cloud',
-    maskedParams: ['access_key_id', 'secret_access_key'],
+    maskedParams: ['access_key_id', 'secret_access_key', 'identity_token_audience', 'identity_token_key'],
     readonlyParams: ['name', 'region'],
     defaultValues: {
       granularity: 'secret-path',
+      credential_type: CredentialType.ACCOUNT,
     },
+    roleTypeOptions: [
+      {
+        title: 'IAM Credentials',
+        description:
+          'Use an AWS Access Key ID and Secret Access Key to allow Vault to interact directly with your AWS resources.',
+        value: CredentialType.ACCOUNT,
+      },
+      {
+        title: 'Workload Identity Federation',
+        description:
+          'Leverages OIDC or AWS IAM Roles for Service Accounts (IRSA) for more secure, keyless authentication.',
+        value: CredentialType.WIF,
+      },
+    ],
   },
   {
     name: 'Azure Key Vault',
-    type: 'azure-kv',
+    type: DestinationType.AzureKv,
     icon: 'azure-color',
     category: 'cloud',
-    maskedParams: ['client_secret'],
+    maskedParams: ['client_secret', 'identity_token_audience', 'identity_token_key'],
     readonlyParams: ['name', 'key_vault_uri', 'tenant_id', 'cloud'],
     defaultValues: {
       granularity: 'secret-path',
+      credential_type: CredentialType.ACCOUNT,
     },
+    roleTypeOptions: [
+      {
+        title: 'Client Secret',
+        description: 'Use client secret of an Azure app registration to authenticate.',
+        value: CredentialType.ACCOUNT,
+      },
+      {
+        title: 'Workload Identity Federation',
+        description:
+          'Leverages OIDC with Azure workload identity pools and providers for more secure, keyless authentication.',
+        value: CredentialType.WIF,
+      },
+    ],
   },
   {
     name: 'Google Secret Manager',
-    type: 'gcp-sm',
+    type: DestinationType.GcpSm,
     icon: 'gcp-color',
     category: 'cloud',
-    maskedParams: ['credentials'],
+    maskedParams: ['credentials', 'identity_token_audience', 'identity_token_key'],
     readonlyParams: ['name'],
     defaultValues: {
       granularity: 'secret-path',
+      credential_type: CredentialType.ACCOUNT,
     },
+    roleTypeOptions: [
+      {
+        title: 'JSON Credentials',
+        description: 'Use a JSON file from your computer to authenticate.',
+        value: CredentialType.ACCOUNT,
+      },
+      {
+        title: 'Workload Identity Federation',
+        description:
+          'Leverages OIDC with GCP workload identity pools and providers for more secure, keyless authentication.',
+        value: CredentialType.WIF,
+      },
+    ],
   },
   {
     name: 'Github Actions',
-    type: 'gh',
+    type: DestinationType.Gh,
     icon: 'github-color',
     category: 'dev-tools',
     maskedParams: ['access_token'],
@@ -60,7 +102,7 @@ const SYNC_DESTINATIONS: Array<SyncDestination> = [
   },
   {
     name: 'Vercel Project',
-    type: 'vercel-project',
+    type: DestinationType.VercelProject,
     icon: 'vercel-color',
     category: 'dev-tools',
     maskedParams: ['access_token'],
diff --git a/ui/lib/core/addon/mixins/replication-actions.js b/ui/lib/core/addon/mixins/replication-actions.js
index 460db291d1..1b37e53bac 100644
--- a/ui/lib/core/addon/mixins/replication-actions.js
+++ b/ui/lib/core/addon/mixins/replication-actions.js
@@ -10,10 +10,62 @@ import Mixin from '@ember/object/mixin';
 import { task } from 'ember-concurrency';
 
 export default Mixin.create({
-  store: service(),
+  api: service(),
+
   loading: or('save.isRunning', 'submitSuccess.isRunning'),
+
   onDisable() {},
   onPromote() {},
+
+  replicationAction(action, replicationMode, clusterMode, data = {}) {
+    switch (action) {
+      case 'disable':
+        if (replicationMode === 'dr' && clusterMode === 'primary') {
+          return this.api.sys.systemWriteReplicationDrPrimaryDisable();
+        }
+        if (replicationMode === 'dr' && clusterMode === 'secondary') {
+          return this.api.sys.systemWriteReplicationDrSecondaryDisable(data);
+        }
+        if (replicationMode === 'performance' && clusterMode === 'primary') {
+          return this.api.sys.systemWriteReplicationPerformancePrimaryDisable();
+        }
+        if (replicationMode === 'performance' && clusterMode === 'secondary') {
+          return this.api.sys.systemWriteReplicationPerformanceSecondaryDisable();
+        }
+        break;
+      case 'demote':
+        if (replicationMode === 'dr' && clusterMode === 'primary') {
+          return this.api.sys.systemWriteReplicationDrPrimaryDemote();
+        }
+        if (replicationMode === 'performance' && clusterMode === 'primary') {
+          return this.api.sys.systemWriteReplicationPerformancePrimaryDemote();
+        }
+        break;
+      case 'promote':
+        if (replicationMode === 'dr' && clusterMode === 'secondary') {
+          return this.api.sys.systemWriteReplicationDrSecondaryPromote(data);
+        }
+        if (replicationMode === 'performance' && clusterMode === 'secondary') {
+          return this.api.sys.systemWriteReplicationPerformanceSecondaryPromote(data);
+        }
+        break;
+      case 'update-primary':
+        if (replicationMode === 'dr' && clusterMode === 'secondary') {
+          return this.api.sys.systemWriteReplicationDrSecondaryUpdatePrimary(data);
+        }
+        if (replicationMode === 'performance' && clusterMode === 'secondary') {
+          return this.api.sys.systemWriteReplicationPerformanceSecondaryUpdatePrimary(data);
+        }
+        break;
+      case 'recover':
+        return this.api.sys.systemWriteReplicationRecover();
+      case 'reindex':
+        return this.api.sys.systemWriteReplicationReindex(data);
+    }
+
+    throw new Error(`Unsupported replication action: ${replicationMode}/${clusterMode}/${action}`);
+  },
+
   submitHandler: task(function* (action, clusterMode, data, event) {
     const replicationMode = (data && data.replicationMode) || this.replicationMode;
     if (event && event.preventDefault) {
@@ -40,15 +92,13 @@ export default Mixin.create({
   }),
 
   save: task(function* (action, replicationMode, clusterMode, data) {
-    let resp;
     try {
-      resp = yield this.store
-        .adapterFor('cluster')
-        .replicationAction(action, replicationMode, clusterMode, data);
+      const response = yield this.replicationAction(action, replicationMode, clusterMode, data);
+      return yield this.submitSuccess.perform(response, action, clusterMode);
     } catch (e) {
-      return this.submitError(e);
+      const { response } = yield this.api.parseError(e);
+      return this.submitError(response);
     }
-    return yield this.submitSuccess.perform(resp, action, clusterMode);
   }).drop(),
 
   submitSuccess: task(function* (resp, action) {
diff --git a/ui/lib/core/addon/utils/all-engines-metadata.ts b/ui/lib/core/addon/utils/all-engines-metadata.ts
new file mode 100644
index 0000000000..71205a7092
--- /dev/null
+++ b/ui/lib/core/addon/utils/all-engines-metadata.ts
@@ -0,0 +1,357 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+/**
+ * Metadata configuration for secret and auth engines, including enterprise.
+ *
+ * This file defines and exports engine metadata, including its
+ * displayName, mountCategory, requiresEnterprise, and other relevant properties. It serves as a
+ * centralized source of truth for engine-related configurations.
+ *
+ * Key responsibilities:
+ * - Define metadata for all engines.
+ * - Provide utility functions or constants for accessing engine-specific data.
+ * - Facilitate dynamic engine rendering and behavior based on metadata.
+ *
+ * Example usage:
+ * If an enterprise license is present, return all secret engines;
+ * otherwise, return only the secret engines supported in OSS.
+ * return filterEnginesByMountCategory({ mountCategory: 'secret', isEnterprise: this.version.isEnterprise });
+ */
+
+export interface EngineDisplayData {
+  pluginCategory?: string; // The plugin category is used to group engines in the UI. e.g., 'cloud', 'infra', 'generic'
+  displayName: string;
+  engineRoute?: string; // engines that have their own Ember engine will have this route defined.
+  glyph?: string;
+  isWIF?: boolean; // flag for 'Workload Identity Federation' engines. - https://developer.hashicorp.com/hcp/docs/hcp/iam/service-principal/workload-identity-federation
+  mountCategory: string[];
+  requiredFeature?: string; // flag for engines that require the ADP (Advanced Data Protection) feature. - https://www.hashicorp.com/en/blog/advanced-data-protection-adp-now-available-in-hcp-vault
+  requiresEnterprise?: boolean;
+  isConfigurable?: boolean; // for secret engines that have additional configuration pages and actions.
+  isOnlyMountable?: boolean; // The UI only supports configuration views for these secrets engines. The CLI must be used to manage other engine resources (i.e. roles, credentials).
+  type: string;
+  value?: string;
+  configRoute?: string; // override for custom route if not "configuration.plugin-settings" (used for Ember engines)
+}
+
+/**
+ * @param mountCategory - Given mount category to filter by, e.g., 'auth' or 'secret'.
+ * @param isEnterprise - Optional boolean to indicate if enterprise engines should be included in the results.
+ * @returns Filtered array of engines that match the given mount category
+ */
+export function filterEnginesByMountCategory({
+  mountCategory,
+  isEnterprise = false,
+}: {
+  mountCategory: 'auth' | 'secret';
+  isEnterprise: boolean;
+}) {
+  return isEnterprise
+    ? ALL_ENGINES.filter((engine) => engine.mountCategory.includes(mountCategory))
+    : ALL_ENGINES.filter(
+        (engine) => engine.mountCategory.includes(mountCategory) && !engine.requiresEnterprise
+      );
+}
+
+export function isAddonEngine(type: string, version: number) {
+  if (type === 'kv' && version === 1) {
+    return false;
+  }
+  const engineRoute = ALL_ENGINES.find((engine) => engine.type === type)?.engineRoute;
+  return !!engineRoute;
+}
+
+//  The "sys/mounts" and "sys/internal/ui/mounts" endpoints return a "secret/" key containing
+//  all mounts enabled in Vault. Some types are internal Vault APIs, not user-mountable secrets engines,
+//  and should be filtered in some scenarios, such as listing secrets engines.
+export const INTERNAL_ENGINE_TYPES = ['system', 'identity', 'agent_registry'];
+
+// These engines rely on a specific version being set (eg. "kv version 1" or "kv version 2") via options parameter when being mounted in Vault.
+// If the engine to be mounted isn't specified here, we ignore the 'options' field.
+export const VERSIONED_ENGINE_TYPES = ['vault-plugin-secrets-kv', 'kv', 'generic'];
+
+export const ALL_ENGINES: EngineDisplayData[] = [
+  {
+    pluginCategory: 'cloud',
+    displayName: 'AliCloud',
+    glyph: 'alibaba-color',
+    mountCategory: ['auth', 'secret'],
+    type: 'alicloud',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'AppRole',
+    glyph: 'cpu',
+    mountCategory: ['auth'],
+    type: 'approle',
+    value: 'approle',
+  },
+  {
+    pluginCategory: 'cloud',
+    displayName: 'AWS',
+    glyph: 'aws-color',
+    isConfigurable: true,
+    isWIF: true,
+    mountCategory: ['auth', 'secret'],
+    type: 'aws',
+  },
+  {
+    pluginCategory: 'cloud',
+    displayName: 'Azure',
+    glyph: 'azure-color',
+    isOnlyMountable: true,
+    isConfigurable: true,
+    isWIF: true,
+    mountCategory: ['auth', 'secret'],
+    type: 'azure',
+  },
+  {
+    pluginCategory: 'infra',
+    displayName: 'Consul',
+    glyph: 'consul-color',
+    mountCategory: ['secret'],
+    type: 'consul',
+  },
+  {
+    displayName: 'Cubbyhole',
+    type: 'cubbyhole',
+    mountCategory: ['secret'],
+  },
+  {
+    pluginCategory: 'infra',
+    displayName: 'Databases',
+    glyph: 'database',
+    mountCategory: ['secret'],
+    type: 'database',
+  },
+  {
+    pluginCategory: 'cloud',
+    displayName: 'GitHub',
+    glyph: 'github-color',
+    mountCategory: ['auth'],
+    type: 'github',
+    value: 'github',
+  },
+  {
+    pluginCategory: 'cloud',
+    displayName: 'Google Cloud',
+    glyph: 'gcp-color',
+    isOnlyMountable: true,
+    isConfigurable: true,
+    isWIF: true,
+    mountCategory: ['auth', 'secret'],
+    type: 'gcp',
+  },
+  {
+    pluginCategory: 'cloud',
+    displayName: 'Google Cloud KMS',
+    glyph: 'gcp-color',
+    mountCategory: ['secret'],
+    type: 'gcpkms',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'JWT',
+    glyph: 'jwt',
+    mountCategory: ['auth'],
+    type: 'jwt',
+    value: 'jwt',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'KV',
+    engineRoute: 'kv.list',
+    configRoute: 'kv.configuration', // only utilized to display config data for kvv2, not in conjunction with isConfigurable as templates determine whether engine is kv v1 or v2
+    glyph: 'key-values',
+    mountCategory: ['secret'],
+    type: 'kv',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'KMIP',
+    engineRoute: 'kmip.scopes.index',
+    configRoute: 'kmip.configuration',
+    isConfigurable: true,
+    glyph: 'lock',
+    mountCategory: ['secret'],
+    requiredFeature: 'KMIP',
+    requiresEnterprise: true,
+    type: 'kmip',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'Transform',
+    glyph: 'transform-data',
+    mountCategory: ['secret'],
+    requiredFeature: 'Transform Secrets Engine',
+    requiresEnterprise: true,
+    type: 'transform',
+  },
+  {
+    pluginCategory: 'cloud',
+    displayName: 'Key Management',
+    glyph: 'key',
+    mountCategory: ['secret'],
+    requiredFeature: 'Key Management Secrets Engine',
+    requiresEnterprise: true,
+    type: 'keymgmt',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'Kubernetes',
+    engineRoute: 'kubernetes.overview',
+    configRoute: 'kubernetes.configuration',
+    glyph: 'kubernetes-color',
+    isConfigurable: true,
+    mountCategory: ['auth', 'secret'],
+    type: 'kubernetes',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'LDAP',
+    isConfigurable: true,
+    engineRoute: 'ldap.overview',
+    configRoute: 'ldap.configuration',
+    glyph: 'folder-users',
+    mountCategory: ['auth', 'secret'],
+    type: 'ldap',
+  },
+  {
+    pluginCategory: 'infra',
+    displayName: 'Nomad',
+    glyph: 'nomad-color',
+    mountCategory: ['secret'],
+    type: 'nomad',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'OIDC',
+    glyph: 'openid-color',
+    mountCategory: ['auth'],
+    type: 'oidc',
+    value: 'oidc',
+  },
+  {
+    pluginCategory: 'infra',
+    displayName: 'Okta',
+    glyph: 'okta-color',
+    mountCategory: ['auth'],
+    type: 'okta',
+    value: 'okta',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'PKI Certificates',
+    isConfigurable: true,
+    engineRoute: 'pki.overview',
+    configRoute: 'pki.configuration',
+    glyph: 'certificate',
+    mountCategory: ['secret'],
+    type: 'pki',
+  },
+  {
+    pluginCategory: 'infra',
+    displayName: 'RADIUS',
+    glyph: 'mainframe',
+    mountCategory: ['auth'],
+    type: 'radius',
+    value: 'radius',
+  },
+  {
+    pluginCategory: 'infra',
+    displayName: 'RabbitMQ',
+    glyph: 'rabbitmq-color',
+    mountCategory: ['secret'],
+    type: 'rabbitmq',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'SAML',
+    glyph: 'saml-color',
+    mountCategory: ['auth'],
+    requiresEnterprise: true,
+    type: 'saml',
+    value: 'saml',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'SSH',
+    glyph: 'terminal-screen',
+    isConfigurable: true,
+    mountCategory: ['secret'],
+    type: 'ssh',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'TLS Certificates',
+    glyph: 'certificate',
+    mountCategory: ['auth'],
+    type: 'cert',
+    value: 'cert',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'TOTP',
+    glyph: 'history',
+    mountCategory: ['secret'],
+    type: 'totp',
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'Transit',
+    glyph: 'swap-horizontal',
+    mountCategory: ['secret'],
+    type: 'transit',
+  },
+  {
+    displayName: 'Token',
+    type: 'token',
+    mountCategory: ['auth'],
+  },
+  {
+    pluginCategory: 'generic',
+    displayName: 'Userpass',
+    glyph: 'users',
+    mountCategory: ['auth'],
+    type: 'userpass',
+    value: 'userpass',
+  },
+
+  // TODO: enable builtin plugins after confirming with Product
+  //
+  // {
+  //   pluginCategory: 'generic',
+  //   displayName: 'Ad',
+  //   glyph: 'folder',
+  //   isOnlyMountable: true,
+  //   mountCategory: ['secret'],
+  //   type: 'ad',
+  // },
+  // {
+  //   pluginCategory: 'cloud',
+  //   displayName: 'MongoDB Atlas',
+  //   glyph: 'mongodb-color',
+  //   isOnlyMountable: true,
+  //   mountCategory: ['secret'],
+  //   type: 'mongodbatlas',
+  // },
+  // {
+  //   pluginCategory: 'infra',
+  //   displayName: 'OpenLDAP',
+  //   glyph: 'folder-users',
+  //   isOnlyMountable: true,
+  //   mountCategory: ['secret'],
+  //   type: 'openldap',
+  // },
+  // {
+  //   pluginCategory: 'infra',
+  //   displayName: 'Terraform',
+  //   glyph: 'terraform-color',
+  //   isOnlyMountable: true,
+  //   mountCategory: ['secret'],
+  //   type: 'terraform',
+  // },
+];
diff --git a/ui/lib/core/addon/utils/client-counts/helpers.ts b/ui/lib/core/addon/utils/client-counts/helpers.ts
index c7cf1c78a0..c929988c47 100644
--- a/ui/lib/core/addon/utils/client-counts/helpers.ts
+++ b/ui/lib/core/addon/utils/client-counts/helpers.ts
@@ -5,7 +5,7 @@
 
 import { isSameMonthUTC, parseAPITimestamp } from 'core/utils/date-formatters';
 import { isWithinInterval } from 'date-fns';
-import { ROOT_NAMESPACE } from 'vault/services/namespace';
+import { ROOT_NAMESPACE } from 'vault/utils/constants/namespace';
 
 import type { VersionHistory } from 'vault/client-counts';
 import type {
diff --git a/ui/lib/core/addon/utils/code-generators/api.ts b/ui/lib/core/addon/utils/code-generators/api.ts
new file mode 100644
index 0000000000..5747d0bd1a
--- /dev/null
+++ b/ui/lib/core/addon/utils/code-generators/api.ts
@@ -0,0 +1,35 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { sanitizePath } from '../sanitize-path';
+import { formatArgsFromPayload } from './formatters';
+
+/**
+ * Replaces OpenAPI style tokens {token} with values from an object.
+ * eg. - path /identity/oidc/client/{name} and params { name: 'root' } returns /identity/oidc/client/root
+ */
+export const formatDynamicApiPath = <T extends object>(path: string, params: T) => {
+  const formattedPath = path.replace(/{(\w+)}/g, (match, key) => {
+    // Type guard: check if 'key' is actually a property of 'params'
+    if (key in params) {
+      const value = params[key as keyof T];
+      return value !== undefined ? encodeURIComponent(String(value)) : match;
+    }
+    return match;
+  });
+  return sanitizePath(formattedPath);
+};
+
+// returns formatted CURL command for given API path and payload
+export const generateCurlCommand = (path: string, payload: Record<string, unknown>, namespace?: string) => {
+  return `curl \\
+  --header "X-Vault-Token: $VAULT_TOKEN"${
+    namespace ? `\\\n  --header "X-Vault-Namespace: ${namespace}"\\` : ''
+  }
+  --request POST \\
+  --data '${JSON.stringify(formatArgsFromPayload(payload))}' \\
+  $VAULT_ADDR/v1/${formatDynamicApiPath(path, payload)}
+`;
+};
diff --git a/ui/lib/core/addon/utils/code-generators/cli.ts b/ui/lib/core/addon/utils/code-generators/cli.ts
index 55d2cdc0ec..038e810078 100644
--- a/ui/lib/core/addon/utils/code-generators/cli.ts
+++ b/ui/lib/core/addon/utils/code-generators/cli.ts
@@ -3,6 +3,8 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
+import { formatArgsFromPayload } from './formatters';
+
 // The CliTemplateArgs intentionally does NOT include "namespace" because the location for CLI commands is not consistent.
 // Additionally, namespace can be specified via the environment variable `VAULT_NAMESPACE` and passing a flag is unnecessary.
 
@@ -20,3 +22,35 @@ export const cliTemplate = ({ command = '', content = '' }: CliTemplateArgs = {}
   const segments = ['vault', command, content].filter(Boolean);
   return segments.join(' ');
 };
+
+// generate a CLI command with args from a generic object or form payload
+// the payload object will be converted to CLI flags in the format of `-key=value` and appended to the command
+export const generateCliCommand = (command = '', payload: Record<string, unknown> = {}) => {
+  const filteredArgs = formatArgsFromPayload(payload);
+  const content = Object.entries(filteredArgs)
+    .map(([key, value]) => {
+      // For boolean flags, include the flag without a value if true, and omit if false
+      if (typeof value === 'boolean') {
+        return value ? `-${key}` : '';
+      }
+      // For array values, join them with commas (e.g., `-key=value1,value2`)
+      if (Array.isArray(value)) {
+        return `-${key}=${value.join(',')}`;
+      }
+      // for nested objects, repeat the flag for each key-value pair (e.g., `-options="version=2" -options="type=kv-v2"`)
+      if (typeof value === 'object' && value !== null) {
+        return Object.entries(value)
+          .map(([nestedKey, nestedValue]) => `-${key}="${nestedKey}=${nestedValue}"`)
+          .join(' ');
+      }
+      // For other types, include the flag with its value
+      return `-${key}=${value}`;
+    })
+    .filter(Boolean) // Remove any empty strings resulting from false boolean flags
+    .join(' ');
+
+  return cliTemplate({ command, content });
+};
+
+export const generateCliWriteCommand = (path: string, payload: Record<string, unknown> = {}) =>
+  generateCliCommand(`write ${path}`, payload);
diff --git a/ui/lib/core/addon/utils/code-generators/formatters.ts b/ui/lib/core/addon/utils/code-generators/formatters.ts
index cd769d134b..ee1240fd94 100644
--- a/ui/lib/core/addon/utils/code-generators/formatters.ts
+++ b/ui/lib/core/addon/utils/code-generators/formatters.ts
@@ -13,3 +13,19 @@ export const formatEot = (content = '') => {
 ${content}
 EOT`;
 };
+
+// returns a formatted args object to populate snippets with empty values removed (e.g. empty strings, empty objects/arrays, undefined, null)
+export const formatArgsFromPayload = (payload: Record<string, unknown> = {}) => {
+  return Object.fromEntries(
+    Object.entries(payload).filter(([, value]) => {
+      const isEmptyValue = value === '' || value === undefined || value === null;
+      const isEmptyObject =
+        typeof value === 'object' &&
+        value !== null &&
+        !Array.isArray(value) &&
+        Object.keys(value).length === 0;
+      const isEmptyArray = Array.isArray(value) && value.length === 0;
+      return !isEmptyValue && !isEmptyObject && !isEmptyArray;
+    })
+  );
+};
diff --git a/ui/lib/core/addon/utils/code-generators/policy.ts b/ui/lib/core/addon/utils/code-generators/policy.ts
index e6a36f21f6..4d632844ca 100644
--- a/ui/lib/core/addon/utils/code-generators/policy.ts
+++ b/ui/lib/core/addon/utils/code-generators/policy.ts
@@ -26,6 +26,23 @@ export class PolicyStanza {
   get preview() {
     return aclTemplate(this.path, Array.from(this.capabilities));
   }
+
+  get isValid() {
+    // Stanza must have a non-empty path and capabilities selected to be valid
+    return !this.invalidCapabilities && !this.invalidPath;
+  }
+
+  // These getters return an error message when invalid and an empty string when valid.
+  // Negative naming is a little counterintuitive, but simplifies template logic
+  // so the message only renders when the value is truthy.
+  get invalidCapabilities() {
+    return this.capabilities.size > 0 ? '' : 'Rule must have at least one capability.';
+  }
+
+  get invalidPath() {
+    const isValid = typeof this.path === 'string' && this.path.trim().length > 0;
+    return isValid ? '' : 'Path cannot be empty.';
+  }
 }
 
 export const formatStanzas = (stanzas: PolicyStanza[]) => stanzas.map((s) => s.preview).join('\n');
diff --git a/ui/lib/core/addon/utils/code-generators/terraform.ts b/ui/lib/core/addon/utils/code-generators/terraform.ts
index 9caca8680f..0430bb83ba 100644
--- a/ui/lib/core/addon/utils/code-generators/terraform.ts
+++ b/ui/lib/core/addon/utils/code-generators/terraform.ts
@@ -4,6 +4,8 @@
  */
 
 import { typeOf } from '@ember/utils';
+import { sanitizePath } from '../sanitize-path';
+import { formatArgsFromPayload } from './formatters';
 
 // Yes, this seems silly but pretty formatting these snippets was a...journey.
 // Hopefully these consts make it easier for whoever comes next.
@@ -75,9 +77,31 @@ ${formattedContent.join('\n')}
 }`;
 };
 
+// if specific resource cannot be determined the generic endpoint resource can be used with the API path
+export const terraformGenericResourceTemplate = (
+  path: string,
+  resourceArgs: Record<string, unknown> = {},
+  localId = '<local identifier>',
+  namespace?: string
+) => {
+  const formattedContent = formatTerraformArgs(resourceArgs);
+  const ns = namespace ? `namespace = "${namespace}"\n` : '';
+
+  return `resource "vault_generic_endpoint" "${localId}" {
+  path = "${sanitizePath(path)}"
+  ${ns}
+  data_json = jsonencode({
+  ${formattedContent.join(`\n${TWO_SPACES}`)}
+  })
+}`;
+};
+
 export const formatTerraformArgs = (resourceArgs: Record<string, unknown> = {}) => {
+  // strip empty values before formatting
+  // focus on empty strings, objects and arrays, as well as undefined values, but this can be expanded as needed
+  const filteredArgs = formatArgsFromPayload(resourceArgs);
   const formattedArgs = [];
-  for (const [key, value] of Object.entries(resourceArgs)) {
+  for (const [key, value] of Object.entries(filteredArgs)) {
     // Handle nested objects (like "options" above)
     if (typeOf(value) === 'object') {
       const formattedValue = formatNestedObject(key, value as Record<string, unknown>);
diff --git a/ui/lib/core/addon/utils/paginate-list.ts b/ui/lib/core/addon/utils/paginate-list.ts
index 808bac274a..20f6e472a5 100644
--- a/ui/lib/core/addon/utils/paginate-list.ts
+++ b/ui/lib/core/addon/utils/paginate-list.ts
@@ -34,31 +34,33 @@ export function paginate<T>(data: T[], options: PaginateOptions = {}) {
   const { page = 1, pageSize = DEFAULT_PAGE_SIZE, filter, filterKey } = options;
 
   if (Array.isArray(data)) {
-    let filteredData = [...data];
-    // filter data before paginating if filter is provided
-    if (filter) {
-      filteredData = data.filter((item) => {
-        const filterValue = filterKey ? (item as Record<string, unknown>)[filterKey] : item;
-        if (typeof filterValue === 'string') {
-          return filterValue.toLowerCase().includes(filter.toLowerCase());
-        }
-        return false;
-      });
-    }
+    let filteredData = filter
+      ? data.filter((item) => {
+          const filterValue = filterKey ? (item as Record<string, unknown>)[filterKey] : item;
+          if (typeof filterValue === 'string') {
+            return filterValue.toLowerCase().includes(filter.toLowerCase());
+          }
+          return false;
+        })
+      : [...data];
 
-    const lastPage = Math.ceil(filteredData.length / pageSize);
-    const start = (page - 1) * pageSize;
+    const filteredTotal = filteredData.length;
+    const lastPage = Math.ceil(filteredTotal / pageSize);
+    // Verify that the page number does not go out of bounds, if so adjust to show
+    // the first page of results
+    const currentPage = page > lastPage ? 1 : page;
+    const start = (currentPage - 1) * pageSize;
     const end = start + pageSize;
     filteredData = filteredData.slice(start, end);
     // add meta data previously from lazyPaginatedQuery since components expect it
     Object.defineProperty(filteredData, 'meta', {
       value: {
-        currentPage: page,
+        currentPage,
         lastPage,
         nextPage: page + 1,
         prevPage: page - 1,
         total: data.length,
-        filteredTotal: filteredData.length,
+        filteredTotal,
         pageSize,
       },
       writable: false,
diff --git a/ui/lib/core/app/components/encoded-data-card.js b/ui/lib/core/app/components/encoded-data-card.js
new file mode 100644
index 0000000000..08e6596bcd
--- /dev/null
+++ b/ui/lib/core/app/components/encoded-data-card.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export { default } from 'core/components/encoded-data-card';
diff --git a/ui/lib/core/app/components/manage-dropdown.js b/ui/lib/core/app/components/manage-dropdown.js
new file mode 100644
index 0000000000..e524fcb744
--- /dev/null
+++ b/ui/lib/core/app/components/manage-dropdown.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export { default } from 'core/components/manage-dropdown';
diff --git a/ui/lib/core/app/helpers/engines-display-data.js b/ui/lib/core/app/helpers/engines-display-data.js
new file mode 100644
index 0000000000..a71fe61517
--- /dev/null
+++ b/ui/lib/core/app/helpers/engines-display-data.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export { default } from 'core/helpers/engines-display-data';
diff --git a/ui/lib/core/app/components/empty-state.js b/ui/lib/core/app/helpers/has-option-groups.ts
similarity index 57%
rename from ui/lib/core/app/components/empty-state.js
rename to ui/lib/core/app/helpers/has-option-groups.ts
index fc59f34d45..ee06ba9eef 100644
--- a/ui/lib/core/app/components/empty-state.js
+++ b/ui/lib/core/app/helpers/has-option-groups.ts
@@ -3,4 +3,4 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-export { default } from 'core/components/empty-state';
+export { default } from 'core/helpers/has-option-groups';
diff --git a/ui/lib/kmip/addon/components/page/configuration.hbs b/ui/lib/kmip/addon/components/page/configuration.hbs
index 87ce6b75d8..0b6a12e318 100644
--- a/ui/lib/kmip/addon/components/page/configuration.hbs
+++ b/ui/lib/kmip/addon/components/page/configuration.hbs
@@ -50,8 +50,8 @@
     <MaskedInput @value={{@config.ca_pem}} @displayOnly={{true}} @allowCopy={{true}} />
   </InfoTableRow>
 {{else}}
-  <EmptyState
-    @title="No configuration for this secrets engine"
-    @message="We'll need to configure a few things before getting started."
-  />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No configuration for this secrets engine" @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text="We'll need to configure a few things before getting started." data-test-empty-state-message />
+  </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/kmip/addon/components/page/credentials.hbs b/ui/lib/kmip/addon/components/page/credentials.hbs
index 892196341b..f9a19536c8 100644
--- a/ui/lib/kmip/addon/components/page/credentials.hbs
+++ b/ui/lib/kmip/addon/components/page/credentials.hbs
@@ -95,13 +95,23 @@
   </div>
 {{else}}
   {{#if @filterValue}}
-    <EmptyState @title="There are no credentials matching &quot;{{@filterValue}}&quot;" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="There are no credentials matching &quot;{{@filterValue}}&quot;"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
+    </Hds::ApplicationState>
   {{else}}
-    <EmptyState
-      @title="No credentials yet for this role"
-      @message="You can generate new credentials that will be limited to this role's allowed operations, then you can distribute them to your KMIP clients."
-    >
-      <Hds::Link::Standalone @icon="plus" @text="Generate credentials" @route="credentials.generate" />
-    </EmptyState>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No credentials yet for this role" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="You can generate new credentials that will be limited to this role's allowed operations, then you can distribute them to your KMIP clients."
+        data-test-empty-state-message
+      />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone @icon="plus" @text="Generate credentials" @route="credentials.generate" />
+      </A.Footer>
+    </Hds::ApplicationState>
   {{/if}}
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/kmip/addon/components/page/scope/roles.hbs b/ui/lib/kmip/addon/components/page/scope/roles.hbs
index f1a80b6253..7a09fc1614 100644
--- a/ui/lib/kmip/addon/components/page/scope/roles.hbs
+++ b/ui/lib/kmip/addon/components/page/scope/roles.hbs
@@ -106,13 +106,23 @@
   </div>
 {{else}}
   {{#if @filterValue}}
-    <EmptyState @title="There are no roles matching &quot;{{@filterValue}}&quot;" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="There are no roles matching &quot;{{@filterValue}}&quot;"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
+    </Hds::ApplicationState>
   {{else}}
-    <EmptyState
-      @title="No roles in this scope yet"
-      @message="Roles let you generate credentials with a specified set of KMIP operations permissions that clients are allowed to perform."
-    >
-      <Hds::Link::Standalone @icon="plus" @text="Create a role" @route="scope.roles.create" />
-    </EmptyState>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No roles in this scope yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="Roles let you generate credentials with a specified set of KMIP operations permissions that clients are allowed to perform."
+        data-test-empty-state-message
+      />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone @icon="plus" @text="Create a role" @route="scope.roles.create" />
+      </A.Footer>
+    </Hds::ApplicationState>
   {{/if}}
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/kmip/addon/components/page/scopes.hbs b/ui/lib/kmip/addon/components/page/scopes.hbs
index b16ccc4234..c6a6b95d14 100644
--- a/ui/lib/kmip/addon/components/page/scopes.hbs
+++ b/ui/lib/kmip/addon/components/page/scopes.hbs
@@ -7,21 +7,7 @@
     <KmipBreadcrumb @currentRoute={{this.secretMountPath.currentPath}} />
   </:breadcrumbs>
   <:actions>
-    <Hds::Dropdown as |D|>
-      <D.ToggleButton @text="Manage" @color="secondary" data-test-dropdown="Manage" />
-      <D.Interactive
-        @icon="settings"
-        @route="configuration"
-        @model={{@secretsEngine.id}}
-        data-test-popup-menu="Configure"
-      >Configure</D.Interactive>
-      <D.Interactive
-        {{on "click" (fn (mut this.engineToDisable) @secretsEngine)}}
-        @color="critical"
-        @icon="trash"
-        data-test-popup-menu="Delete"
-      >Delete</D.Interactive>
-    </Hds::Dropdown>
+    <ManageDropdown @model={{@secretsEngine}} @configRoute="configuration" />
   </:actions>
 </Page::Header>
 <KmipTabs />
@@ -108,23 +94,23 @@
   </div>
 {{else}}
   {{#if @filterValue}}
-    <EmptyState @title="There are no scopes matching &quot;{{@filterValue}}&quot;" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="There are no scopes matching &quot;{{@filterValue}}&quot;"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
+    </Hds::ApplicationState>
   {{else}}
-    <EmptyState
-      @title="KMIP Secrets Engine"
-      @message="First, let's create a scope that our roles and credentials will belong to. A client can only access objects within their role's scope."
-    >
-      <Hds::Link::Standalone @icon="plus" @text="Create a scope" @route="scopes.create" />
-    </EmptyState>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="KMIP Secrets Engine" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="First, let's create a scope that our roles and credentials will belong to. A client can only access objects within their role's scope."
+        data-test-empty-state-message
+      />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone @icon="plus" @text="Create a scope" @route="scopes.create" />
+      </A.Footer>
+    </Hds::ApplicationState>
   {{/if}}
-{{/if}}
-
-{{#if this.engineToDisable}}
-  <ConfirmModal
-    @color="critical"
-    @confirmMessage="Any data in this engine will be permanently deleted."
-    @confirmTitle="Disable engine?"
-    @onClose={{fn (mut this.engineToDisable) null}}
-    @onConfirm={{perform this.disableEngine this.engineToDisable}}
-  />
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/kmip/addon/components/page/scopes.ts b/ui/lib/kmip/addon/components/page/scopes.ts
index b4b9dac68c..89dec64c86 100644
--- a/ui/lib/kmip/addon/components/page/scopes.ts
+++ b/ui/lib/kmip/addon/components/page/scopes.ts
@@ -3,21 +3,21 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Component from '@glimmer/component';
-import { tracked } from '@glimmer/tracking';
-import { service } from '@ember/service';
 import { action } from '@ember/object';
 import { getOwner } from '@ember/owner';
-import { task } from 'ember-concurrency';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
 
 import type RouterService from '@ember/routing/router-service';
-import type SecretMountPath from 'vault/services/secret-mount-path';
-import type ApiService from 'vault/services/api';
 import type { CapabilitiesMap, EngineOwner } from 'vault/app-types';
 import type SecretsEngineResource from 'vault/resources/secrets/engine';
+import type ApiService from 'vault/services/api';
 import FlashMessageService from 'vault/services/flash-messages';
+import type SecretMountPath from 'vault/services/secret-mount-path';
 
 interface Args {
+  secretsEngine: SecretsEngineResource;
   scopes: string[];
   capabilities: CapabilitiesMap;
 }
@@ -27,7 +27,6 @@ export default class KmipScopesPageComponent extends Component<Args> {
   @service declare readonly secretMountPath: SecretMountPath;
   @service declare readonly api: ApiService;
   @service declare readonly flashMessages: FlashMessageService;
-  @tracked engineToDisable: SecretsEngineResource | undefined = undefined;
 
   @tracked scopeToDelete: string | null = null;
 
@@ -56,22 +55,4 @@ export default class KmipScopesPageComponent extends Component<Args> {
       this.flashMessages.danger(`Error deleting scope ${this.scopeToDelete}: ${message}`);
     }
   }
-
-  @task
-  *disableEngine(engine: SecretsEngineResource) {
-    const { engineType, id, path } = engine;
-
-    try {
-      yield this.api.sys.mountsDisableSecretsEngine(id);
-      this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } catch (err) {
-      const { message } = yield this.api.parseError(err);
-      this.flashMessages.danger(
-        `There was an error disabling the ${engineType} Secrets Engine at ${path}: ${message}.`
-      );
-    } finally {
-      this.engineToDisable = undefined;
-    }
-  }
 }
diff --git a/ui/lib/kmip/addon/routes/configuration.ts b/ui/lib/kmip/addon/routes/configuration.ts
index 3687116405..1c98cfa462 100644
--- a/ui/lib/kmip/addon/routes/configuration.ts
+++ b/ui/lib/kmip/addon/routes/configuration.ts
@@ -21,11 +21,13 @@ export default class KmipConfigurationRoute extends Route {
 
     try {
       const { currentPath } = this.secretMountPath;
-      const { data } = await this.api.secrets.kmipReadConfiguration(currentPath);
+      // the spec changed and now the operation ids are the same for reading both the config and ca pem
+      const { data } = await this.api.secrets.kmipReadConfiguration_1(currentPath);
       const config = data as Record<string, unknown>;
       const { secretsEngine } = this.modelFor('application') as KmipApplicationModel;
       try {
-        const { data } = await this.api.secrets.kmipReadCaPem(currentPath);
+        // this method now calls the same endpoint as the former kmipReadCaPem
+        const { data } = await this.api.secrets.kmipReadConfiguration(currentPath);
         const ca = data as Record<string, unknown>;
         return { config: { ...config, ...ca }, secretsEngine };
       } catch (error) {
diff --git a/ui/lib/kmip/addon/routes/credentials/index.ts b/ui/lib/kmip/addon/routes/credentials/index.ts
index 289db413a7..bf24f91379 100644
--- a/ui/lib/kmip/addon/routes/credentials/index.ts
+++ b/ui/lib/kmip/addon/routes/credentials/index.ts
@@ -5,7 +5,7 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { KmipListClientCertificatesListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiKmipListClientCertificatesListEnum } from '@hashicorp/vault-client-typescript';
 import { paginate } from 'core/utils/paginate-list';
 
 import type Controller from '@ember/controller';
@@ -40,7 +40,7 @@ export default class KmipCredentialsRoute extends Route {
         role_name as string,
         scope_name as string,
         currentPath,
-        KmipListClientCertificatesListEnum.TRUE
+        SecretsApiKmipListClientCertificatesListEnum.TRUE
       );
       const credentials = keys ? paginate(keys, { page: Number(page) || 1, filter: pageFilter }) : [];
       // capabilities exist at root path, not for individual credentials
diff --git a/ui/lib/kmip/addon/routes/scope/roles.ts b/ui/lib/kmip/addon/routes/scope/roles.ts
index b83b6a7ec1..26a08c893d 100644
--- a/ui/lib/kmip/addon/routes/scope/roles.ts
+++ b/ui/lib/kmip/addon/routes/scope/roles.ts
@@ -6,7 +6,7 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { paginate } from 'core/utils/paginate-list';
-import { KmipListRolesListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiKmipListRolesListEnum } from '@hashicorp/vault-client-typescript';
 
 import type ApiService from 'vault/services/api';
 import type SecretMountPath from 'vault/services/secret-mount-path';
@@ -41,7 +41,7 @@ export default class KmipScopeRolesRoute extends Route {
       const { keys } = await this.api.secrets.kmipListRoles(
         scope as string,
         currentPath,
-        KmipListRolesListEnum.TRUE
+        SecretsApiKmipListRolesListEnum.TRUE
       );
       const roles = keys ? paginate(keys, { page: Number(page) || 1, filter: pageFilter }) : [];
       // fetch capabilities for filtered scopes
diff --git a/ui/lib/kmip/addon/routes/scopes/index.ts b/ui/lib/kmip/addon/routes/scopes/index.ts
index 2390f2832d..3c64124828 100644
--- a/ui/lib/kmip/addon/routes/scopes/index.ts
+++ b/ui/lib/kmip/addon/routes/scopes/index.ts
@@ -6,7 +6,7 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { paginate } from 'core/utils/paginate-list';
-import { KmipListScopesListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiKmipListScopesListEnum } from '@hashicorp/vault-client-typescript';
 
 import type ApiService from 'vault/services/api';
 import type SecretMountPath from 'vault/services/secret-mount-path';
@@ -38,7 +38,10 @@ export default class KmipScopesRoute extends Route {
     const { secretsEngine } = this.modelFor('application') as KmipApplicationModel;
 
     try {
-      const { keys } = await this.api.secrets.kmipListScopes(currentPath, KmipListScopesListEnum.TRUE);
+      const { keys } = await this.api.secrets.kmipListScopes(
+        currentPath,
+        SecretsApiKmipListScopesListEnum.TRUE
+      );
       const scopes = keys ? paginate(keys, { page: Number(page) || 1, filter: pageFilter }) : [];
       // fetch capabilities for filtered scopes
       const paths = scopes.map((scope) =>
diff --git a/ui/lib/kubernetes/addon/components/config-cta.hbs b/ui/lib/kubernetes/addon/components/config-cta.hbs
index 6693e89624..3c63929277 100644
--- a/ui/lib/kubernetes/addon/components/config-cta.hbs
+++ b/ui/lib/kubernetes/addon/components/config-cta.hbs
@@ -3,9 +3,13 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<EmptyState
-  @title="Kubernetes not configured"
-  @message="Get started by establishing the URL of the Kubernetes API to connect to, along with some additional options."
->
-  <Hds::Link::Standalone @icon="chevron-right" @iconPosition="trailing" @text="Configure Kubernetes" @route="configure" />
-</EmptyState>
\ No newline at end of file
+<Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+  <A.Header @title="Kubernetes not configured" @titleTag="h2" data-test-empty-state-title />
+  <A.Body
+    @text="Get started by establishing the URL of the Kubernetes API to connect to, along with some additional options."
+    data-test-empty-state-message
+  />
+  <A.Footer data-test-empty-state-actions as |F|>
+    <F.LinkStandalone @icon="chevron-right" @iconPosition="trailing" @text="Configure Kubernetes" @route="configure" />
+  </A.Footer>
+</Hds::ApplicationState>
\ No newline at end of file
diff --git a/ui/lib/kubernetes/addon/components/kubernetes-header.hbs b/ui/lib/kubernetes/addon/components/kubernetes-header.hbs
index 8dca4cfee7..69f296d30f 100644
--- a/ui/lib/kubernetes/addon/components/kubernetes-header.hbs
+++ b/ui/lib/kubernetes/addon/components/kubernetes-header.hbs
@@ -15,21 +15,7 @@
     {{#if @configRoute}}
       <Hds::Button @color="secondary" @route="overview" @text="Exit configuration" data-test-button="Exit configuration" />
     {{else}}
-      <Hds::Dropdown as |D|>
-        <D.ToggleButton @text="Manage" @color="secondary" data-test-dropdown="Manage" />
-        <D.Interactive
-          @icon="settings"
-          @route={{if @promptConfig "configure" "configuration"}}
-          @model={{@model.id}}
-          data-test-popup-menu="Configure"
-        >Configure</D.Interactive>
-        <D.Interactive
-          {{on "click" (fn (mut this.engineToDisable) @model)}}
-          @color="critical"
-          @icon="trash"
-          data-test-popup-menu="Delete"
-        >Delete</D.Interactive>
-      </Hds::Dropdown>
+      <ManageDropdown @model={{@model}} @configRoute={{if @promptConfig "configure" "configuration"}} />
     {{/if}}
   </:actions>
 </Page::Header>
diff --git a/ui/lib/kubernetes/addon/components/kubernetes-header.ts b/ui/lib/kubernetes/addon/components/kubernetes-header.ts
deleted file mode 100644
index a6769c4fce..0000000000
--- a/ui/lib/kubernetes/addon/components/kubernetes-header.ts
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { service } from '@ember/service';
-import Component from '@glimmer/component';
-import { tracked } from '@glimmer/tracking';
-import { task } from 'ember-concurrency';
-
-import type SecretsEngineResource from 'vault/resources/secrets/engine';
-import type RouterService from '@ember/routing/router-service';
-import type FlashMessageService from 'vault/services/flash-messages';
-import type ApiService from 'vault/services/api';
-
-/**
- * @module KubernetesHeader handles the ldap page header.
- *
- * @example
- * <SecretEngine::KubernetesHeader
- *    @model={{this.model}}
- *    />
- *
- * @param {object} secretsEngine - A model contains a ldap secret engine resource.
- * @param {object} config - A model contains the configuration of the ldap secret engine.
- */
-
-interface Args {
-  secretsEngine: SecretsEngineResource;
-  config: Record<string, unknown>;
-}
-
-export default class KubernetesHeader extends Component<Args> {
-  @service('app-router') declare readonly router: RouterService;
-  @service declare readonly api: ApiService;
-  @service declare readonly flashMessages: FlashMessageService;
-
-  @tracked engineToDisable: SecretsEngineResource | undefined = undefined;
-
-  @task
-  *disableEngine(engine: SecretsEngineResource) {
-    const { engineType, id, path } = engine;
-
-    try {
-      yield this.api.sys.mountsDisableSecretsEngine(id);
-      this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } catch (err) {
-      const { message } = yield this.api.parseError(err);
-      this.flashMessages.danger(
-        `There was an error disabling the ${engineType} Secrets Engine at ${path}: ${message}.`
-      );
-    } finally {
-      this.engineToDisable = undefined;
-    }
-  }
-}
diff --git a/ui/lib/kubernetes/addon/components/page/configuration.hbs b/ui/lib/kubernetes/addon/components/page/configuration.hbs
index dd3150da95..56094f2013 100644
--- a/ui/lib/kubernetes/addon/components/page/configuration.hbs
+++ b/ui/lib/kubernetes/addon/components/page/configuration.hbs
@@ -21,7 +21,7 @@
     <InfoTableRow @label="Kubernetes host" @value={{@config.kubernetes_host}} />
     {{#if @config.kubernetes_ca_cert}}
       <InfoTableRow @label="Certificate">
-        <CertificateCard @data={{@config.kubernetes_ca_cert}} @isPem={{true}} />
+        <EncodedDataCard @data={{@config.kubernetes_ca_cert}} @isPem={{true}} />
       </InfoTableRow>
     {{/if}}
   {{else}}
diff --git a/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs b/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs
index c327a4c553..f4bfcb4c6b 100644
--- a/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs
+++ b/ui/lib/kubernetes/addon/components/page/role/create-and-edit.hbs
@@ -121,11 +121,13 @@
     {{/if}}
   </form>
 {{else}}
-  <EmptyState
-    class="is-shadowless"
-    @title="Choose an option above"
-    @message="To configure a Vault role, choose what should be generated in Kubernetes by Vault."
-  />
+  <Hds::ApplicationState class="bottom-padding-32 is-marginless" as |A|>
+    <A.Header @title="Choose an option above" @titleTag="h2" data-test-empty-state-title />
+    <A.Body
+      @text="To configure a Vault role, choose what should be generated in Kubernetes by Vault."
+      data-test-empty-state-message
+    />
+  </Hds::ApplicationState>
 {{/if}}
 
 <hr class="is-marginless has-background-gray-200" />
diff --git a/ui/lib/kubernetes/addon/components/page/roles.hbs b/ui/lib/kubernetes/addon/components/page/roles.hbs
index cdaad1df74..699818a28b 100644
--- a/ui/lib/kubernetes/addon/components/page/roles.hbs
+++ b/ui/lib/kubernetes/addon/components/page/roles.hbs
@@ -23,12 +23,21 @@
   <ConfigCta />
 {{else if (not @roles)}}
   {{#if @filterValue}}
-    <EmptyState @title="There are no roles matching &quot;{{@filterValue}}&quot;" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="There are no roles matching &quot;{{@filterValue}}&quot;"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
+    </Hds::ApplicationState>
   {{else}}
-    <EmptyState
-      @title="No roles yet"
-      @message="When created, roles will be listed here. Create a role to start generating service account tokens."
-    />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No roles yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="When created, roles will be listed here. Create a role to start generating service account tokens."
+        data-test-empty-state-message
+      />
+    </Hds::ApplicationState>
   {{/if}}
 {{else}}
   <div class="has-bottom-margin-s">
diff --git a/ui/lib/kubernetes/addon/routes/overview.ts b/ui/lib/kubernetes/addon/routes/overview.ts
index bfb6262863..714ea357f9 100644
--- a/ui/lib/kubernetes/addon/routes/overview.ts
+++ b/ui/lib/kubernetes/addon/routes/overview.ts
@@ -6,7 +6,7 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { ModelFrom } from 'vault/route';
-import { KubernetesListRolesListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiKubernetesListRolesListEnum } from '@hashicorp/vault-client-typescript';
 
 import type { KubernetesApplicationModel } from './application';
 import type SecretMountPath from 'vault/services/secret-mount-path';
@@ -30,7 +30,7 @@ export default class KubernetesOverviewRoute extends Route {
     const { promptConfig, secretsEngine } = this.modelFor('application') as KubernetesApplicationModel;
 
     const { keys } = await this.api.secrets
-      .kubernetesListRoles(currentPath, KubernetesListRolesListEnum.TRUE)
+      .kubernetesListRoles(currentPath, SecretsApiKubernetesListRolesListEnum.TRUE)
       .catch(() => ({ keys: [] }));
 
     return {
diff --git a/ui/lib/kubernetes/addon/routes/roles/index.ts b/ui/lib/kubernetes/addon/routes/roles/index.ts
index a2f8dcb0eb..76b2285a53 100644
--- a/ui/lib/kubernetes/addon/routes/roles/index.ts
+++ b/ui/lib/kubernetes/addon/routes/roles/index.ts
@@ -6,7 +6,7 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { ModelFrom } from 'vault/route';
-import { KubernetesListRolesListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiKubernetesListRolesListEnum } from '@hashicorp/vault-client-typescript';
 
 import type { KubernetesApplicationModel } from '../application';
 import type ApiService from 'vault/services/api';
@@ -38,7 +38,7 @@ export default class KubernetesRolesRoute extends Route {
       const { pageFilter } = (transition.to?.queryParams || {}) as { pageFilter?: string };
       const { keys } = await this.api.secrets.kubernetesListRoles(
         currentPath,
-        KubernetesListRolesListEnum.TRUE
+        SecretsApiKubernetesListRolesListEnum.TRUE
       );
       const roles = pageFilter
         ? keys?.filter((key) => key.toLowerCase().includes(pageFilter.toLowerCase()))
diff --git a/ui/lib/kv/addon/components/page/list.hbs b/ui/lib/kv/addon/components/page/list.hbs
index a3ba752d8e..ccd5f12682 100644
--- a/ui/lib/kv/addon/components/page/list.hbs
+++ b/ui/lib/kv/addon/components/page/list.hbs
@@ -11,29 +11,17 @@
     <Hds::Badge @text="version 2" data-test-badge />
   </:badges>
   <:actions>
-    <Hds::Dropdown as |D|>
-      <D.ToggleButton @text="Manage" @color="secondary" data-test-dropdown="Manage" />
-      <CodeGenerator::Policy::Flyout @onClose={{D.close}}>
-        <:customTrigger as |openFlyout|>
-          <D.Interactive @icon="shield-check" {{on "click" openFlyout}} data-test-popup-menu="Generate policy">
-            Generate policy
-          </D.Interactive>
-        </:customTrigger>
-      </CodeGenerator::Policy::Flyout>
-      <D.Interactive
-        @icon="settings"
-        @route="configuration"
-        @model={{@backendModel.id}}
-        data-test-popup-menu="Configure"
-      >Configure</D.Interactive>
-      <D.Interactive
-        {{on "click" (fn (mut this.engineToDisable) @backendModel)}}
-        @color="critical"
-        @icon="trash"
-        data-test-popup-menu="Delete"
-      >Delete</D.Interactive>
-    </Hds::Dropdown>
-
+    <ManageDropdown @model={{@backendModel}} @configRoute="configuration" as |D|>
+      {{#unless this.version.isCommunity}}
+        <D.Interactive
+          @icon="shield-check"
+          {{on "click" (fn (mut this.showPolicyFlyout) true)}}
+          data-test-popup-menu="Generate policy"
+        >
+          Generate policy
+        </D.Interactive>
+      {{/unless}}
+    </ManageDropdown>
     <Hds::Button
       @text="Create secret"
       @icon="plus"
@@ -45,6 +33,14 @@
   </:actions>
 </Page::Header>
 
+<CodeGenerator::Policy::Flyout @onClose={{(fn (mut this.showPolicyFlyout) false)}}>
+  <:customTrigger as |openFlyout|>
+    {{#if this.showPolicyFlyout}}
+      <div {{did-insert openFlyout}} />
+    {{/if}}
+  </:customTrigger>
+</CodeGenerator::Policy::Flyout>
+
 <KvTabsToolbar>
   <:tabs>
     <li><LinkTo @route="list" data-test-tab="Secrets" @model={{@backend}}>Secrets</LinkTo></li>
@@ -188,23 +184,17 @@
     />
   {{else}}
     {{#if @filterValue}}
-      <EmptyState @title='There are no secrets matching "{{@filterValue}}".' />
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+        <A.Header @title='There are no secrets matching "{{@filterValue}}".' @titleTag="h2" data-test-empty-state-title />
+      </Hds::ApplicationState>
     {{else}}
-      <EmptyState
-        data-test-secret-list-empty-state
-        @title="No secrets yet"
-        @message="When created, secrets will be listed here. Create a secret to get started."
-      />
+      <Hds::ApplicationState class="top-padding-32 is-marginless" data-test-secret-list-empty-state as |A|>
+        <A.Header @title="No secrets yet" @titleTag="h2" data-test-empty-state-title />
+        <A.Body
+          @text="When created, secrets will be listed here. Create a secret to get started."
+          data-test-empty-state-message
+        />
+      </Hds::ApplicationState>
     {{/if}}
   {{/if}}
-{{/if}}
-
-{{#if this.engineToDisable}}
-  <ConfirmModal
-    @color="critical"
-    @confirmMessage="Any data in this engine will be permanently deleted."
-    @confirmTitle="Disable engine?"
-    @onClose={{fn (mut this.engineToDisable) null}}
-    @onConfirm={{perform this.disableEngine this.engineToDisable}}
-  />
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/list.js b/ui/lib/kv/addon/components/page/list.js
index 2f77aecdb3..863115c834 100644
--- a/ui/lib/kv/addon/components/page/list.js
+++ b/ui/lib/kv/addon/components/page/list.js
@@ -3,14 +3,13 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import Component from '@glimmer/component';
-import { service } from '@ember/service';
 import { action } from '@ember/object';
-import { tracked } from '@glimmer/tracking';
 import { getOwner } from '@ember/owner';
+import { service } from '@ember/service';
+import Component from '@glimmer/component';
+import { tracked } from '@glimmer/tracking';
 import { ancestorKeysForKey } from 'core/utils/key-utils';
 import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
-import { task } from 'ember-concurrency';
 
 /**
  * @module List
@@ -29,10 +28,11 @@ export default class KvListPageComponent extends Component {
   @service flashMessages;
   @service('app-router') router;
   @service api;
+  @service version;
 
   @tracked secretPath;
   @tracked metadataToDelete = null; // set to the metadata intended to delete
-  @tracked engineToDisable = undefined;
+  @tracked showPolicyFlyout = false;
 
   // used for KV list and list-directory view
   // ex: beep/
@@ -59,24 +59,6 @@ export default class KvListPageComponent extends Component {
     };
   }
 
-  @task
-  *disableEngine(engine) {
-    const { engineType, id, path } = engine;
-
-    try {
-      yield this.api.sys.mountsDisableSecretsEngine(id);
-      this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } catch (err) {
-      const { message } = yield this.api.parseError(err);
-      this.flashMessages.danger(
-        `There was an error disabling the ${engineType} Secrets Engine at ${path}: ${message}.`
-      );
-    } finally {
-      this.engineToDisable = undefined;
-    }
-  }
-
   @action
   async onDelete(secretPath) {
     try {
diff --git a/ui/lib/kv/addon/components/page/secret/details.hbs b/ui/lib/kv/addon/components/page/secret/details.hbs
index d5c5cebca3..7d6e16009f 100644
--- a/ui/lib/kv/addon/components/page/secret/details.hbs
+++ b/ui/lib/kv/addon/components/page/secret/details.hbs
@@ -172,17 +172,21 @@
 {{/if}}
 
 {{#if this.emptyState}}
-  <EmptyState @title={{this.emptyState.title}} @message={{this.emptyState.message}}>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title={{this.emptyState.title}} @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text={{this.emptyState.message}} data-test-empty-state-message />
     {{#if this.emptyState.link}}
-      <Hds::Link::Standalone
-        @icon="docs-link"
-        @iconPosition="trailing"
-        @text="KV v2 API docs"
-        @href={{doc-link this.emptyState.link}}
-        @isHrefExternal={{true}}
-      />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="docs-link"
+          @iconPosition="trailing"
+          @text="KV v2 API docs"
+          @href={{doc-link this.emptyState.link}}
+          @isHrefExternal={{true}}
+        />
+      </A.Footer>
     {{/if}}
-  </EmptyState>
+  </Hds::ApplicationState>
 {{else}}
   <hr class="is-marginless has-background-gray-200" />
   {{#if this.showJsonView}}
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/details.hbs b/ui/lib/kv/addon/components/page/secret/metadata/details.hbs
index 4bb66c1bf5..805ad26aac 100644
--- a/ui/lib/kv/addon/components/page/secret/metadata/details.hbs
+++ b/ui/lib/kv/addon/components/page/secret/metadata/details.hbs
@@ -68,10 +68,13 @@
     <InfoTableRow @alwaysRender={{false}} @label={{key}} @value={{value}} />
   {{else}}
     {{#if (and (not @capabilities.canReadMetadata) (not @capabilities.canReadData))}}
-      <EmptyState
-        @title="You do not have access to read custom metadata"
-        @message="In order to read custom metadata you either need read access to the secret data and/or read access to metadata."
-      />
+      <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+        <A.Header @title="You do not have access to read custom metadata" @titleTag="h2" data-test-empty-state-title />
+        <A.Body
+          @text="In order to read custom metadata you either need read access to the secret data and/or read access to metadata."
+          data-test-empty-state-message
+        />
+      </Hds::ApplicationState>
     {{else}}
       {{! Offer opportunity to manually request /data/ for custom_metadata }}
       {{#if this.error.isControlGroup}}
@@ -80,44 +83,50 @@
         <MessageError @errorMessage={{this.error}} />
       {{/if}}
       {{#if this.canRequestData}}
-        <EmptyState
-          @title="Request custom metadata?"
-          @bottomBorder={{true}}
-          @message="You do not have access to the metadata endpoint but you can retrieve custom metadata from the secret data endpoint."
-        >
-          <div class="is-block">
-            <Hds::Alert @type="compact" @color="critical" class="has-top-margin-xs" as |A|>
-              <A.Description>
-                Sensitive secret data will be retrieved.
-              </A.Description>
-            </Hds::Alert>
-            <Hds::Button
-              class="has-top-margin-xs"
-              @text="Request data"
-              @icon="reload"
-              @iconPosition="trailing"
-              @isFullWidth={{true}}
-              data-test-request-data
-              {{on "click" this.requestData}}
-            />
-          </div>
-        </EmptyState>
+        <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+          <A.Header @title="Request custom metadata?" @titleTag="h2" data-test-empty-state-title />
+          <A.Body
+            @text="You do not have access to the metadata endpoint, but you can retrieve custom metadata from the secret data endpoint."
+            data-test-empty-state-message
+          />
+          <A.Footer data-test-empty-state-actions>
+            <div class="is-block">
+              <Hds::Alert @type="compact" @color="critical" class="has-top-margin-xs" as |A|>
+                <A.Description>
+                  Sensitive secret data will be retrieved.
+                </A.Description>
+              </Hds::Alert>
+              <Hds::Button
+                class="has-top-margin-xs"
+                @text="Request data"
+                @icon="reload"
+                @iconPosition="trailing"
+                @isFullWidth={{true}}
+                data-test-request-data
+                {{on "click" this.requestData}}
+              />
+            </div>
+          </A.Footer>
+        </Hds::ApplicationState>
       {{else}}
-        <EmptyState
-          @title="No custom metadata"
-          @bottomBorder={{true}}
-          @message="This data is version-agnostic and is usually used to describe the secret being stored."
-        >
+        <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+          <A.Header @title="No custom metadata" @titleTag="h2" data-test-empty-state-title />
+          <A.Body
+            @text="This data is version-agnostic and is usually used to describe the secret being stored."
+            data-test-empty-state-message
+          />
           {{#if @capabilities.canUpdateMetadata}}
-            <Hds::Link::Standalone
-              @icon="plus"
-              @text="Add metadata"
-              @route="secret.metadata.edit"
-              @models={{array @backend @path}}
-              data-test-add-custom-metadata
-            />
+            <A.Footer data-test-empty-state-actions as |F|>
+              <F.LinkStandalone
+                @icon="plus"
+                @text="Add metadata"
+                @route="secret.metadata.edit"
+                @models={{array @backend @path}}
+                data-test-add-custom-metadata
+              />
+            </A.Footer>
           {{/if}}
-        </EmptyState>
+        </Hds::ApplicationState>
       {{/if}}
     {{/if}}
   {{/each-in}}
@@ -144,9 +153,12 @@
       />
     </div>
   {{else}}
-    <EmptyState
-      @title="You do not have access to secret metadata"
-      @message="In order to edit secret metadata, the UI requires read permissions; otherwise, data may be deleted. Edits can still be made via the API and CLI."
-    />
+    <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+      <A.Header @title="You do not have access to secret metadata" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="In order to edit secret metadata, the UI requires read permissions; otherwise, data may be deleted. Edits can still be made via the API and CLI."
+        data-test-empty-state-message
+      />
+    </Hds::ApplicationState>
   {{/if}}
 </section>
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs b/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
index 0386f88c16..13453be447 100644
--- a/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
+++ b/ui/lib/kv/addon/components/page/secret/metadata/edit.hbs
@@ -52,17 +52,18 @@
     </div>
   </form>
 {{else}}
-  <EmptyState
-    @title="You do not have permissions to edit metadata"
-    @message="Ask your administrator if you think you should have access."
-  >
-    <Hds::Link::Standalone @icon="chevron-left" @text="Go back" @route="secret.metadata.index" />
-    <Hds::Link::Standalone
-      @icon="docs-link"
-      @iconPosition="trailing"
-      @text="KV v2 metadata API docs"
-      @href={{doc-link "/vault/api-docs/secret/kv/kv-v2#create-update-metadata"}}
-      @isHrefExternal={{true}}
-    />
-  </EmptyState>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="You do not have permissions to edit metadata" @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text="Ask your administrator if you think you should have access." data-test-empty-state-message />
+    <A.Footer data-test-empty-state-actions as |F|>
+      <F.LinkStandalone @icon="chevron-left" @text="Go back" @route="secret.metadata.index" />
+      <F.LinkStandalone
+        @icon="docs-link"
+        @iconPosition="trailing"
+        @text="KV v2 metadata API docs"
+        @href={{doc-link "/vault/api-docs/secret/kv/kv-v2#create-update-metadata"}}
+        @isHrefExternal={{true}}
+      />
+    </A.Footer>
+  </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/version-diff.hbs b/ui/lib/kv/addon/components/page/secret/metadata/version-diff.hbs
index ed668c5586..bb3e4c46ba 100644
--- a/ui/lib/kv/addon/components/page/secret/metadata/version-diff.hbs
+++ b/ui/lib/kv/addon/components/page/secret/metadata/version-diff.hbs
@@ -37,10 +37,17 @@
 </KvTabsToolbar>
 
 {{#if this.deactivatedState}}
-  <EmptyState
-    @title="Version {{this.rightVersion}} has been {{this.deactivatedState}}"
-    @message="The current version of this secret has been {{this.deactivatedState}}. Select another version to compare."
-  />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header
+      @title="Version {{this.rightVersion}} has been {{this.deactivatedState}}"
+      @titleTag="h2"
+      data-test-empty-state-title
+    />
+    <A.Body
+      @text="The current version of this secret has been {{this.deactivatedState}}. Select another version to compare."
+      data-test-empty-state-message
+    />
+  </Hds::ApplicationState>
 {{else}}
   <div class="form-section visual-diff text-grey-lightest background-color-black has-top-margin-s">
     <pre data-test-visual-diff>{{sanitized-html this.visualDiff}}</pre>
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs b/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
index 9d5ed773ea..137e9d88a6 100644
--- a/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
+++ b/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
@@ -140,8 +140,8 @@
     </LinkedBlock>
   {{/each}}
 {{else}}
-  <EmptyState
-    @title="You do not have permission to read metadata"
-    @message="Ask your administrator if you think you should have access."
-  />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="You do not have permission to read metadata" @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text="Ask your administrator if you think you should have access." data-test-empty-state-message />
+  </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/ldap/addon/components/accounts-checked-out.hbs b/ui/lib/ldap/addon/components/accounts-checked-out.hbs
index c483bfc7b8..7c1d63b131 100644
--- a/ui/lib/ldap/addon/components/accounts-checked-out.hbs
+++ b/ui/lib/ldap/addon/components/accounts-checked-out.hbs
@@ -38,11 +38,10 @@
         </:body>
       </Hds::Table>
     {{else}}
-      <EmptyState
-        @title="No accounts checked out yet"
-        @message="There is no account that is currently in use."
-        class="is-shadowless"
-      />
+      <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+        <A.Header @title="No accounts checked out yet" @titleTag="h2" data-test-empty-state-title />
+        <A.Body @text="There is no account that is currently in use." data-test-empty-state-message />
+      </Hds::ApplicationState>
     {{/if}}
   </:content>
 </OverviewCard>
diff --git a/ui/lib/ldap/addon/components/config-cta.hbs b/ui/lib/ldap/addon/components/config-cta.hbs
index 955558d2e0..62870fa081 100644
--- a/ui/lib/ldap/addon/components/config-cta.hbs
+++ b/ui/lib/ldap/addon/components/config-cta.hbs
@@ -3,6 +3,10 @@
   SPDX-License-Identifier: BUSL-1.1
 }}
 
-<EmptyState @title="LDAP not configured" @message="Get started by setting up the connection with your existing LDAP system.">
-  <Hds::Link::Standalone @icon="chevron-right" @iconPosition="trailing" @text="Configure LDAP" @route="configure" />
-</EmptyState>
\ No newline at end of file
+<Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+  <A.Header @title="LDAP not configured" @titleTag="h2" data-test-empty-state-title />
+  <A.Body @text="Get started by setting up the connection with your existing LDAP system." data-test-empty-state-message />
+  <A.Footer data-test-empty-state-actions as |F|>
+    <F.LinkStandalone @icon="chevron-right" @iconPosition="trailing" @text="Configure LDAP" @route="configure" />
+  </A.Footer>
+</Hds::ApplicationState>
\ No newline at end of file
diff --git a/ui/lib/ldap/addon/components/ldap-header.hbs b/ui/lib/ldap/addon/components/ldap-header.hbs
index 422c21b0ba..f52fd7f9c4 100644
--- a/ui/lib/ldap/addon/components/ldap-header.hbs
+++ b/ui/lib/ldap/addon/components/ldap-header.hbs
@@ -15,21 +15,7 @@
     {{#if @configRoute}}
       <Hds::Button @color="secondary" @route="overview" @text="Exit configuration" data-test-button="Exit configuration" />
     {{else}}
-      <Hds::Dropdown as |D|>
-        <D.ToggleButton @text="Manage" @color="secondary" data-test-dropdown="Manage" />
-        <D.Interactive
-          @icon="settings"
-          @route={{if @promptConfig "configure" "configuration"}}
-          @model={{@model.id}}
-          data-test-popup-menu="Configure"
-        >Configure</D.Interactive>
-        <D.Interactive
-          {{on "click" (fn (mut this.engineToDisable) @model)}}
-          @color="critical"
-          @icon="trash"
-          data-test-popup-menu="Delete"
-        >Delete</D.Interactive>
-      </Hds::Dropdown>
+      <ManageDropdown @model={{@model}} @configRoute={{if @promptConfig "configure" "configuration"}} />
     {{/if}}
   </:actions>
 </Page::Header>
@@ -51,16 +37,6 @@
   </nav>
 {{/if}}
 
-{{#if this.engineToDisable}}
-  <ConfirmModal
-    @color="critical"
-    @confirmMessage="Any data in this engine will be permanently deleted."
-    @confirmTitle="Disable engine?"
-    @onClose={{fn (mut this.engineToDisable) null}}
-    @onConfirm={{perform this.disableEngine this.engineToDisable}}
-  />
-{{/if}}
-
 <Toolbar aria-label="nav for managing LDAP">
   <ToolbarFilters aria-label="filter for LDAP items">
     {{yield to="toolbarFilters"}}
diff --git a/ui/lib/ldap/addon/components/ldap-header.ts b/ui/lib/ldap/addon/components/ldap-header.ts
deleted file mode 100644
index af9ce1d792..0000000000
--- a/ui/lib/ldap/addon/components/ldap-header.ts
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * Copyright (c) HashiCorp, Inc.
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { service } from '@ember/service';
-import Component from '@glimmer/component';
-import { tracked } from '@glimmer/tracking';
-import { task } from 'ember-concurrency';
-
-import type SecretsEngineResource from 'vault/resources/secrets/engine';
-import type RouterService from '@ember/routing/router-service';
-import type FlashMessageService from 'vault/services/flash-messages';
-import type ApiService from 'vault/services/api';
-
-/**
- * @module LdapHeader handles the ldap page header.
- *
- * @example
- * <SecretEngine::LdapHeader
- *    @model={{this.model}}
- *    />
- *
- * @param {object} secretsEngine - A model contains a ldap secret engine resource.
- * @param {object} config - A model contains the configuration of the ldap secret engine.
- */
-
-interface Args {
-  secretsEngine: SecretsEngineResource;
-  config: Record<string, unknown>;
-}
-
-export default class LdapHeader extends Component<Args> {
-  @service('app-router') declare readonly router: RouterService;
-  @service declare readonly api: ApiService;
-  @service declare readonly flashMessages: FlashMessageService;
-
-  @tracked engineToDisable: SecretsEngineResource | undefined = undefined;
-
-  @task
-  *disableEngine(engine: SecretsEngineResource) {
-    const { engineType, id, path } = engine;
-
-    try {
-      yield this.api.sys.mountsDisableSecretsEngine(id);
-      this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } catch (err) {
-      const { message } = yield this.api.parseError(err);
-      this.flashMessages.danger(
-        `There was an error disabling the ${engineType} Secrets Engine at ${path}: ${message}.`
-      );
-    } finally {
-      this.engineToDisable = undefined;
-    }
-  }
-}
diff --git a/ui/lib/ldap/addon/components/page/configure.hbs b/ui/lib/ldap/addon/components/page/configure.hbs
index 87e6e74aa5..47141d352c 100644
--- a/ui/lib/ldap/addon/components/page/configure.hbs
+++ b/ui/lib/ldap/addon/components/page/configure.hbs
@@ -37,11 +37,10 @@
         <FormFieldGroups @model={{@model.form}} @groupName="formFieldGroups" @modelValidations={{this.modelValidations}} />
       </div>
     {{else}}
-      <EmptyState
-        class="is-shadowless has-top-margin-l"
-        @title="Choose an option"
-        @message="Pick an option above to see available configuration options"
-      />
+      <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+        <A.Header @title="Choose an option" @titleTag="h2" data-test-empty-state-title />
+        <A.Body @text="Pick an option above to see available configuration options" data-test-empty-state-message />
+      </Hds::ApplicationState>
     {{/if}}
   </div>
 
diff --git a/ui/lib/ldap/addon/components/page/libraries.hbs b/ui/lib/ldap/addon/components/page/libraries.hbs
index ab85a03097..d8df02f426 100644
--- a/ui/lib/ldap/addon/components/page/libraries.hbs
+++ b/ui/lib/ldap/addon/components/page/libraries.hbs
@@ -28,12 +28,21 @@
   <ConfigCta />
 {{else if (not this.filteredLibraries)}}
   {{#if this.filterValue}}
-    <EmptyState @title="There are no libraries matching &quot;{{this.filterValue}}&quot;" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="There are no libraries matching &quot;{{this.filterValue}}&quot;"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
+    </Hds::ApplicationState>
   {{else}}
-    <EmptyState
-      @title="No libraries created yet"
-      @message="Use libraries to manage a set of highly privileged accounts that can be shared among a team."
-    />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No libraries created yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="Use libraries to manage a set of highly privileged accounts that can be shared among a team."
+        data-test-empty-state-message
+      />
+    </Hds::ApplicationState>
   {{/if}}
 {{else}}
   <div class="has-bottom-margin-s">
diff --git a/ui/lib/ldap/addon/components/page/overview.ts b/ui/lib/ldap/addon/components/page/overview.ts
index 4b82913f8a..1a8bf7da22 100644
--- a/ui/lib/ldap/addon/components/page/overview.ts
+++ b/ui/lib/ldap/addon/components/page/overview.ts
@@ -9,8 +9,8 @@ import { service } from '@ember/service';
 import { action } from '@ember/object';
 import { restartableTask } from 'ember-concurrency';
 import {
-  LdapLibraryListListEnum,
-  LdapLibraryListLibraryPathListEnum,
+  SecretsApiLdapLibraryListListEnum,
+  SecretsApiLdapLibraryListLibraryPathListEnum,
 } from '@hashicorp/vault-client-typescript';
 
 import type {
@@ -147,9 +147,9 @@ export default class LdapLibrariesPageComponent extends Component<Args> {
       ? await this.api.secrets.ldapLibraryListLibraryPath(
           pathToLibrary,
           currentPath,
-          LdapLibraryListLibraryPathListEnum.TRUE
+          SecretsApiLdapLibraryListLibraryPathListEnum.TRUE
         )
-      : await this.api.secrets.ldapLibraryList(currentPath, LdapLibraryListListEnum.TRUE);
+      : await this.api.secrets.ldapLibraryList(currentPath, SecretsApiLdapLibraryListListEnum.TRUE);
 
     const libraries =
       keys?.map((name) => {
diff --git a/ui/lib/ldap/addon/components/page/roles.hbs b/ui/lib/ldap/addon/components/page/roles.hbs
index e129935275..c25a758411 100644
--- a/ui/lib/ldap/addon/components/page/roles.hbs
+++ b/ui/lib/ldap/addon/components/page/roles.hbs
@@ -27,12 +27,21 @@
   <ConfigCta />
 {{else if (not @roles.meta.filteredTotal)}}
   {{#if @pageFilter}}
-    <EmptyState @title="There are no roles matching &quot;{{@pageFilter}}&quot;" />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="There are no roles matching &quot;{{@pageFilter}}&quot;"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
+    </Hds::ApplicationState>
   {{else}}
-    <EmptyState
-      @title="No roles created yet"
-      @message="Roles in Vault will allow you to manage LDAP credentials. Create a role to get started."
-    />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No roles created yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="Roles in Vault will allow you to manage LDAP credentials. Create a role to get started."
+        data-test-empty-state-message
+      />
+    </Hds::ApplicationState>
   {{/if}}
 {{else}}
   <div class="has-bottom-margin-s">
diff --git a/ui/lib/ldap/addon/routes/error.ts b/ui/lib/ldap/addon/routes/error.ts
index 59fac854c5..9cd1cc79c3 100644
--- a/ui/lib/ldap/addon/routes/error.ts
+++ b/ui/lib/ldap/addon/routes/error.ts
@@ -8,14 +8,15 @@ import { service } from '@ember/service';
 
 import type Transition from '@ember/routing/transition';
 import type AdapterError from '@ember-data/adapter/error';
-import type SecretEngineModel from 'vault/models/secret-engine';
+import type SecretsEngineResource from 'vault/resources/secrets/engine';
 import type { Breadcrumb } from 'vault/vault/app-types';
 import type Controller from '@ember/controller';
 import type SecretMountPath from 'vault/services/secret-mount-path';
+import type { LdapApplicationModel } from './application';
 
 interface LdapErrorController extends Controller {
   breadcrumbs: Array<Breadcrumb>;
-  backend: SecretEngineModel;
+  backend: SecretsEngineResource;
 }
 
 export default class LdapErrorRoute extends Route {
@@ -28,6 +29,7 @@ export default class LdapErrorRoute extends Route {
       { label: 'Secrets engines', route: 'secrets', linkExternal: true },
       { label: this.secretMountPath.currentPath, route: 'overview' },
     ];
-    controller.backend = this.modelFor('application') as SecretEngineModel;
+    const { secretsEngine } = this.modelFor('application') as LdapApplicationModel;
+    controller.backend = secretsEngine;
   }
 }
diff --git a/ui/lib/ldap/addon/routes/libraries.ts b/ui/lib/ldap/addon/routes/libraries.ts
index 2cf27ec78c..9f389a6e65 100644
--- a/ui/lib/ldap/addon/routes/libraries.ts
+++ b/ui/lib/ldap/addon/routes/libraries.ts
@@ -6,8 +6,8 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import {
-  LdapLibraryListListEnum,
-  LdapLibraryListLibraryPathListEnum,
+  SecretsApiLdapLibraryListListEnum,
+  SecretsApiLdapLibraryListLibraryPathListEnum,
 } from '@hashicorp/vault-client-typescript';
 
 import type ApiService from 'vault/services/api';
@@ -29,9 +29,9 @@ export default class LdapLibrariesRoute extends Route {
         ? await this.api.secrets.ldapLibraryListLibraryPath(
             path_to_library,
             currentPath,
-            LdapLibraryListLibraryPathListEnum.TRUE
+            SecretsApiLdapLibraryListLibraryPathListEnum.TRUE
           )
-        : await this.api.secrets.ldapLibraryList(currentPath, LdapLibraryListListEnum.TRUE);
+        : await this.api.secrets.ldapLibraryList(currentPath, SecretsApiLdapLibraryListListEnum.TRUE);
 
       const libraries =
         keys?.map((name) => {
diff --git a/ui/lib/ldap/addon/routes/overview.ts b/ui/lib/ldap/addon/routes/overview.ts
index 22149d0e9a..d6aea8fc0e 100644
--- a/ui/lib/ldap/addon/routes/overview.ts
+++ b/ui/lib/ldap/addon/routes/overview.ts
@@ -7,8 +7,8 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { ModelFrom } from 'vault/route';
 import {
-  LdapListStaticRolesListEnum,
-  LdapListDynamicRolesListEnum,
+  SecretsApiLdapListStaticRolesListEnum,
+  SecretsApiLdapListDynamicRolesListEnum,
 } from '@hashicorp/vault-client-typescript';
 
 import type SecretMountPath from 'vault/services/secret-mount-path';
@@ -33,8 +33,8 @@ export default class LdapOverviewRoute extends Route {
     const { promptConfig, secretsEngine } = this.modelFor('application') as LdapApplicationModel;
     const { currentPath } = this.secretMountPath;
     const requests = [
-      this.api.secrets.ldapListStaticRoles(currentPath, LdapListStaticRolesListEnum.TRUE),
-      this.api.secrets.ldapListDynamicRoles(currentPath, LdapListDynamicRolesListEnum.TRUE),
+      this.api.secrets.ldapListStaticRoles(currentPath, SecretsApiLdapListStaticRolesListEnum.TRUE),
+      this.api.secrets.ldapListDynamicRoles(currentPath, SecretsApiLdapListDynamicRolesListEnum.TRUE),
     ];
     const results = await Promise.allSettled(requests);
     const roles = [];
diff --git a/ui/lib/ldap/addon/routes/roles.ts b/ui/lib/ldap/addon/routes/roles.ts
index 8f0016694f..3798fe7c9c 100644
--- a/ui/lib/ldap/addon/routes/roles.ts
+++ b/ui/lib/ldap/addon/routes/roles.ts
@@ -5,21 +5,21 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { paginate, PaginateOptions } from 'core/utils/paginate-list';
-import sortObjects from 'vault/utils/sort-objects';
-import { fetchRoleCapabilities } from 'ldap/utils/capabilities-helper';
 import {
-  LdapListStaticRolesListEnum,
-  LdapListDynamicRolesListEnum,
-  LdapListStaticRolePathListEnum,
-  LdapListRolePathListEnum,
+  SecretsApiLdapListDynamicRolesListEnum,
+  SecretsApiLdapListRolePathListEnum,
+  SecretsApiLdapListStaticRolePathListEnum,
+  SecretsApiLdapListStaticRolesListEnum,
 } from '@hashicorp/vault-client-typescript';
+import { paginate, PaginateOptions } from 'core/utils/paginate-list';
+import { fetchRoleCapabilities } from 'ldap/utils/capabilities-helper';
+import sortObjects from 'vault/utils/sort-objects';
 
-import type ApiService from 'vault/services/api';
-import type SecretMountPath from 'vault/services/secret-mount-path';
 import type FlashMessageService from 'ember-cli-flash/services/flash-messages';
-import type CapabilitiesService from 'vault/services/capabilities';
 import type { LdapRole } from 'vault/secrets/ldap';
+import type ApiService from 'vault/services/api';
+import type CapabilitiesService from 'vault/services/capabilities';
+import type SecretMountPath from 'vault/services/secret-mount-path';
 
 // Base class for roles/index and roles/subdirectory routes
 export default class LdapRolesRoute extends Route {
@@ -39,12 +39,18 @@ export default class LdapRolesRoute extends Route {
     if (path) {
       requests =
         subType === 'static'
-          ? [this.api.secrets.ldapListStaticRolePath(currentPath, path, LdapListStaticRolePathListEnum.TRUE)]
-          : [this.api.secrets.ldapListRolePath(currentPath, path, LdapListRolePathListEnum.TRUE)];
+          ? [
+              this.api.secrets.ldapListStaticRolePath(
+                path,
+                currentPath,
+                SecretsApiLdapListStaticRolePathListEnum.TRUE
+              ),
+            ]
+          : [this.api.secrets.ldapListRolePath(path, currentPath, SecretsApiLdapListRolePathListEnum.TRUE)];
     } else {
       requests = [
-        this.api.secrets.ldapListStaticRoles(currentPath, LdapListStaticRolesListEnum.TRUE),
-        this.api.secrets.ldapListDynamicRoles(currentPath, LdapListDynamicRolesListEnum.TRUE),
+        this.api.secrets.ldapListStaticRoles(currentPath, SecretsApiLdapListStaticRolesListEnum.TRUE),
+        this.api.secrets.ldapListDynamicRoles(currentPath, SecretsApiLdapListDynamicRolesListEnum.TRUE),
       ];
     }
     const results = await Promise.allSettled(requests);
diff --git a/ui/lib/open-api-explorer/addon/components/swagger-ui.hbs b/ui/lib/open-api-explorer/addon/components/swagger-ui.hbs
index 584c81c3fb..50991bf02a 100644
--- a/ui/lib/open-api-explorer/addon/components/swagger-ui.hbs
+++ b/ui/lib/open-api-explorer/addon/components/swagger-ui.hbs
@@ -7,9 +7,15 @@
   <:breadcrumbs>
     <Page::Breadcrumbs @breadcrumbs={{this.breadcrumbs}} />
   </:breadcrumbs>
+  <:description>
+    Call Vault and plugin API endpoints directly from the browser to accelerate development and debugging.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/api-docs"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
 </Page::Header>
 
-<div class="box is-fullwidth is-sideless is-marginless">
+<div class="box is-fullwidth is-marginless">
   <NamespaceReminder as |R|>
     Requests use the header
     <code>X-Vault-Namespace: {{R.namespace.path}}</code>. You can also use
diff --git a/ui/lib/pki/addon/components/page/pki-certificate-details.hbs b/ui/lib/pki/addon/components/page/pki-certificate-details.hbs
index c47a040f44..cb35f26448 100644
--- a/ui/lib/pki/addon/components/page/pki-certificate-details.hbs
+++ b/ui/lib/pki/addon/components/page/pki-certificate-details.hbs
@@ -13,7 +13,7 @@
       {{on "click" this.downloadCert}}
       data-test-pki-cert-download-button
     />
-    {{#if @canRevoke}}
+    {{#if this.showRevoke}}
       <ConfirmAction
         @buttonText="Revoke certificate"
         class="toolbar-button"
@@ -44,7 +44,7 @@
     {{#if value}}
       {{#if (this.isCertificate field)}}
         <InfoTableRow @label={{this.label field}}>
-          <CertificateCard @data={{value}} />
+          <EncodedDataCard @data={{value}} />
         </InfoTableRow>
       {{else if (eq field "serial_number")}}
         <InfoTableRow @label="Serial number">
diff --git a/ui/lib/pki/addon/components/page/pki-certificate-details.ts b/ui/lib/pki/addon/components/page/pki-certificate-details.ts
index 87f235ec5d..e00b862337 100644
--- a/ui/lib/pki/addon/components/page/pki-certificate-details.ts
+++ b/ui/lib/pki/addon/components/page/pki-certificate-details.ts
@@ -50,6 +50,7 @@ export default class PkiCertificateDetailsComponent extends Component<Args> {
   constructor(owner: Owner, args: Args) {
     super(owner, args);
     this.parsedCertificate = parseCertificate(this.args.certData.certificate || '');
+    this.didRevoke = Boolean(this.args.certData.revocation_time);
   }
 
   get displayFields() {
@@ -63,12 +64,16 @@ export default class PkiCertificateDetailsComponent extends Component<Args> {
       'private_key_type',
     ];
     // insert revocation_time after common_name if revoked
-    if (this.args.certData.revocation_time || this.didRevoke) {
+    if (this.didRevoke) {
       fields.splice(2, 0, 'revocation_time');
     }
     return fields;
   }
 
+  get showRevoke() {
+    return this.args.canRevoke && !this.didRevoke;
+  }
+
   isCertificate = (field: string) => ['certificate', 'issuing_ca', 'ca_chain', 'private_key'].includes(field);
 
   label = (field: string) => {
diff --git a/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs b/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs
index c734a99376..7a37926669 100644
--- a/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs
+++ b/ui/lib/pki/addon/components/page/pki-configuration-edit.hbs
@@ -29,13 +29,17 @@
           <FormField @attr={{field}} @model={{@clusterForm}} @showHelpText={{false}} />
         {{/each}}
       {{else}}
-        <EmptyState
-          class="is-shadowless"
-          @title="You do not have permission to set this mount's the cluster config"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/cluster</code>
-        </EmptyState>
+        <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+          <A.Header
+            @title="You do not have permission to set this mount's the cluster config"
+            @titleTag="h2"
+            data-test-empty-state-title
+          />
+          <A.Body @text="Ask your administrator if you think you should have access to:" data-test-empty-state-message />
+          <A.Footer data-test-empty-state-actions>
+            <code>POST /{{@backend}}/config/cluster</code>
+          </A.Footer>
+        </Hds::ApplicationState>
       {{/if}}
     </fieldset>
 
@@ -48,13 +52,17 @@
           <FormField @attr={{field}} @model={{@acmeForm}} @showHelpText={{false}} />
         {{/each}}
       {{else}}
-        <EmptyState
-          class="is-shadowless"
-          @title="You do not have permission to set this mount's ACME config"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/acme</code>
-        </EmptyState>
+        <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+          <A.Header
+            @title="You do not have permission to set this mount's ACME config"
+            @titleTag="h2"
+            data-test-empty-state-title
+          />
+          <A.Body @text="Ask your administrator if you think you should have access to:" data-test-empty-state-message />
+          <A.Footer data-test-empty-state-actions>
+            <code>POST /{{@backend}}/config/acme</code>
+          </A.Footer>
+        </Hds::ApplicationState>
       {{/if}}
     </fieldset>
 
@@ -67,13 +75,17 @@
           <FormField @attr={{field}} @model={{@urlsForm}} @showHelpText={{false}} />
         {{/each}}
       {{else}}
-        <EmptyState
-          class="is-shadowless"
-          @title="You do not have permission to set this mount's URLs"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/urls</code>
-        </EmptyState>
+        <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+          <A.Header
+            @title="You do not have permission to set this mount's URLs"
+            @titleTag="h2"
+            data-test-empty-state-title
+          />
+          <A.Body @text="Ask your administrator if you think you should have access to:" data-test-empty-state-message />
+          <A.Footer data-test-empty-state-actions>
+            <code>POST /{{@backend}}/config/urls</code>
+          </A.Footer>
+        </Hds::ApplicationState>
       {{/if}}
     </fieldset>
 
@@ -114,12 +126,17 @@
           {{/each-in}}
         {{/each}}
       {{else}}
-        <EmptyState
-          @title="You do not have permission to set this mount's revocation configuration"
-          @message="Ask your administrator if you think you should have access to:"
-        >
-          <code>POST /{{@backend}}/config/crl</code>
-        </EmptyState>
+        <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+          <A.Header
+            @title="You do not have permission to set this mount's revocation configuration"
+            @titleTag="h2"
+            data-test-empty-state-title
+          />
+          <A.Body @text="Ask your administrator if you think you should have access to:" data-test-empty-state-message />
+          <A.Footer data-test-empty-state-actions>
+            <code>POST /{{@backend}}/config/crl</code>
+          </A.Footer>
+        </Hds::ApplicationState>
       {{/if}}
     </fieldset>
 
diff --git a/ui/lib/pki/addon/components/page/pki-configure-create.hbs b/ui/lib/pki/addon/components/page/pki-configure-create.hbs
index 050e33c2be..f402bb412c 100644
--- a/ui/lib/pki/addon/components/page/pki-configure-create.hbs
+++ b/ui/lib/pki/addon/components/page/pki-configure-create.hbs
@@ -58,7 +58,10 @@
     @onComplete={{transition-to "vault.cluster.secrets.backend.pki.overview"}}
   />
 {{else}}
-  <EmptyState @title="Choose an option" @message="To see configuration options, choose your desired output above." />
+  <Hds::ApplicationState class="top-padding-32 bottom-padding-32 is-marginless" as |A|>
+    <A.Header @title="Choose an option" @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text="To see configuration options, choose your desired output above." data-test-empty-state-message />
+  </Hds::ApplicationState>
   <hr class="has-background-gray-100" />
   <Hds::ButtonSet>
     <Hds::Button @text="Done" disabled={{true}} data-test-submit />
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-details.hbs b/ui/lib/pki/addon/components/page/pki-issuer-details.hbs
index fbbf8a8c21..4452f4bded 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-details.hbs
+++ b/ui/lib/pki/addon/components/page/pki-issuer-details.hbs
@@ -110,7 +110,7 @@
       {{#let (get @issuer field) as |value|}}
         {{#if (includes field (array "ca_chain" "certificate"))}}
           <InfoTableRow @label={{this.label field}} @value={{value}}>
-            <CertificateCard @data={{value}} />
+            <EncodedDataCard @data={{value}} />
           </InfoTableRow>
         {{else if (eq field "key_id")}}
           <InfoTableRow @label={{this.label field}} @value={{value}}>
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-list.hbs b/ui/lib/pki/addon/components/page/pki-issuer-list.hbs
index 26dc628c5e..5e2dbd678c 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-list.hbs
+++ b/ui/lib/pki/addon/components/page/pki-issuer-list.hbs
@@ -125,14 +125,18 @@
     {{/each}}
   </:list>
   <:empty>
-    <EmptyState @title="PKI not configured" @message={{this.notConfiguredMessage}}>
-      <Hds::Link::Standalone
-        @icon="chevron-right"
-        @iconPosition="trailing"
-        @text="Configure PKI"
-        @route="configuration.create"
-        @model={{@backend}}
-      />
-    </EmptyState>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="PKI not configured" @titleTag="h2" data-test-empty-state-title />
+      <A.Body @text={{this.notConfiguredMessage}} data-test-empty-state-message />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="chevron-right"
+          @iconPosition="trailing"
+          @text="Configure PKI"
+          @route="configuration.create"
+          @model={{@backend}}
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
   </:empty>
 </PkiPaginatedList>
\ No newline at end of file
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts b/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts
index dd86977ed6..826ecaee58 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts
+++ b/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts
@@ -20,7 +20,7 @@ import type { Breadcrumb, ValidationMap } from 'vault/vault/app-types';
 import type {
   PkiGenerateRootResponse,
   PkiReadIssuerResponse,
-  PkiRotateRootExportedEnum,
+  SecretsApiPkiRotateRootExportedEnum,
   PkiRotateRootRequest,
 } from '@hashicorp/vault-client-typescript';
 import type { ParsedCertificateData } from 'vault/vault/utils/parse-pki-cert';
@@ -113,7 +113,7 @@ export default class PagePkiIssuerRotateRootComponent extends Component<Args> {
         const { type } = this.newRootForm.data;
         try {
           this.newRoot = await this.api.secrets.pkiRotateRoot(
-            type as PkiRotateRootExportedEnum,
+            type as SecretsApiPkiRotateRootExportedEnum,
             this.secretMountPath.currentPath,
             data as PkiRotateRootRequest
           );
diff --git a/ui/lib/pki/addon/components/page/pki-key-details.hbs b/ui/lib/pki/addon/components/page/pki-key-details.hbs
index f0ad4a7623..4e6cd1b12d 100644
--- a/ui/lib/pki/addon/components/page/pki-key-details.hbs
+++ b/ui/lib/pki/addon/components/page/pki-key-details.hbs
@@ -52,7 +52,7 @@
   {{/each}}
   {{#if @key.private_key}}
     <InfoTableRow @label="Private key">
-      <CertificateCard @data={{@key.private_key}} />
+      <EncodedDataCard @data={{@key.private_key}} />
     </InfoTableRow>
   {{/if}}
 </div>
\ No newline at end of file
diff --git a/ui/lib/pki/addon/components/page/pki-key-list.hbs b/ui/lib/pki/addon/components/page/pki-key-list.hbs
index 4d5109a9a8..a22defe240 100644
--- a/ui/lib/pki/addon/components/page/pki-key-list.hbs
+++ b/ui/lib/pki/addon/components/page/pki-key-list.hbs
@@ -82,18 +82,25 @@
   </:list>
 
   <:empty>
-    <EmptyState @title="No keys yet" @message="There are no keys in this PKI mount. You can generate or create one." />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No keys yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body @text="There are no keys in this PKI mount. You can generate or create one." data-test-empty-state-message />
+    </Hds::ApplicationState>
   </:empty>
 
   <:configure>
-    <EmptyState @title="PKI not configured" @message={{this.notConfiguredMessage}}>
-      <Hds::Link::Standalone
-        @icon="chevron-right"
-        @iconPosition="trailing"
-        @text="Configure PKI"
-        @route="configuration.create"
-        @model={{@backend}}
-      />
-    </EmptyState>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="PKI not configured" @titleTag="h2" data-test-empty-state-title />
+      <A.Body @text={{this.notConfiguredMessage}} data-test-empty-state-message />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="chevron-right"
+          @iconPosition="trailing"
+          @text="Configure PKI"
+          @route="configuration.create"
+          @model={{@backend}}
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
   </:configure>
 </PkiPaginatedList>
\ No newline at end of file
diff --git a/ui/lib/pki/addon/components/page/pki-tidy-status.hbs b/ui/lib/pki/addon/components/page/pki-tidy-status.hbs
index 3098c4c9c5..83d46ac34f 100644
--- a/ui/lib/pki/addon/components/page/pki-tidy-status.hbs
+++ b/ui/lib/pki/addon/components/page/pki-tidy-status.hbs
@@ -97,19 +97,23 @@
     {{/each}}
   {{/if}}
 {{else}}
-  <EmptyState
-    @title="Tidy status unavailable"
-    @message="After the next tidy operation has been performed, information about the current or most recent tidy operation will display here."
-  >
-    <Hds::Button
-      @color="tertiary"
-      @icon="chevron-right"
-      @iconPosition="trailing"
-      {{on "click" (fn (mut this.tidyOptionsModal) true)}}
-      data-test-tidy-empty-state-configure
-      @text="Tidy"
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="Tidy status unavailable" @titleTag="h2" data-test-empty-state-title />
+    <A.Body
+      @text="After the next tidy operation has been performed, information about the current or most recent tidy operation will display here."
+      data-test-empty-state-message
     />
-  </EmptyState>
+    <A.Footer data-test-empty-state-actions as |F|>
+      <F.Button
+        @color="tertiary"
+        @icon="chevron-right"
+        @iconPosition="trailing"
+        {{on "click" (fn (mut this.tidyOptionsModal) true)}}
+        data-test-tidy-empty-state-configure
+        @text="Tidy"
+      />
+    </A.Footer>
+  </Hds::ApplicationState>
 {{/if}}
 
 {{! TIDY OPTIONS MODAL }}
diff --git a/ui/lib/pki/addon/components/pki-generate-csr.hbs b/ui/lib/pki/addon/components/pki-generate-csr.hbs
index cff190433e..f4a20f7be6 100644
--- a/ui/lib/pki/addon/components/pki-generate-csr.hbs
+++ b/ui/lib/pki/addon/components/pki-generate-csr.hbs
@@ -24,7 +24,7 @@
           <InfoTableRow @label={{this.detailLabel fieldName}} @value={{value}} @addCopyButton={{eq fieldName "key_id"}}>
             {{#if value}}
               {{#if (includes fieldName (array "csr" "private_key"))}}
-                <CertificateCard @data={{value}} />
+                <EncodedDataCard @data={{value}} />
               {{else if (eq fieldName "key_id")}}
                 <LinkTo @route="keys.key.details" @models={{array this.secretMountPath.currentPath value}}>
                   {{value}}
diff --git a/ui/lib/pki/addon/components/pki-generate-csr.ts b/ui/lib/pki/addon/components/pki-generate-csr.ts
index d2ee45def4..153ab7f584 100644
--- a/ui/lib/pki/addon/components/pki-generate-csr.ts
+++ b/ui/lib/pki/addon/components/pki-generate-csr.ts
@@ -17,8 +17,8 @@ import type ApiService from 'vault/services/api';
 import type SecretMountPath from 'vault/services/secret-mount-path';
 import type { ValidationMap } from 'vault/app-types';
 import type {
-  PkiGenerateIntermediateExportedEnum,
-  PkiIssuersGenerateIntermediateExportedEnum,
+  SecretsApiPkiGenerateIntermediateExportedEnum,
+  SecretsApiPkiIssuersGenerateIntermediateExportedEnum,
   PkiGenerateIntermediateRequest,
   PkiGenerateIntermediateResponse,
   PkiIssuersGenerateIntermediateRequest,
@@ -100,13 +100,13 @@ export default class PkiGenerateCsrComponent extends Component<Args> {
   generateCsr(canUseIssuer: boolean, data: PkiConfigGenerateForm['data']) {
     if (canUseIssuer) {
       return this.api.secrets.pkiIssuersGenerateIntermediate(
-        this.form.data.type as PkiIssuersGenerateIntermediateExportedEnum,
+        this.form.data.type as SecretsApiPkiIssuersGenerateIntermediateExportedEnum,
         this.secretMountPath.currentPath,
         data as PkiIssuersGenerateIntermediateRequest
       );
     } else {
       return this.api.secrets.pkiGenerateIntermediate(
-        this.form.data.type as PkiGenerateIntermediateExportedEnum,
+        this.form.data.type as SecretsApiPkiGenerateIntermediateExportedEnum,
         this.secretMountPath.currentPath,
         data as PkiGenerateIntermediateRequest
       );
diff --git a/ui/lib/pki/addon/components/pki-generate-root.hbs b/ui/lib/pki/addon/components/pki-generate-root.hbs
index c09cbd348f..04c80d018c 100644
--- a/ui/lib/pki/addon/components/pki-generate-root.hbs
+++ b/ui/lib/pki/addon/components/pki-generate-root.hbs
@@ -32,7 +32,7 @@
           </InfoTableRow>
         {{else if (this.isCertificateField fieldName)}}
           <InfoTableRow @label={{this.detailLabel fieldName}}>
-            <CertificateCard @data={{value}} />
+            <EncodedDataCard @data={{value}} />
           </InfoTableRow>
         {{else}}
           <InfoTableRow @label={{this.detailLabel fieldName}} @value={{value}} />
@@ -42,7 +42,7 @@
 
     <InfoTableRow @label="Private key">
       {{#if this.config.private_key}}
-        <CertificateCard @data={{this.config.private_key}} />
+        <EncodedDataCard @data={{this.config.private_key}} />
       {{else}}
         <Hds::Badge @text="internal" />
       {{/if}}
@@ -101,10 +101,13 @@
             />
           {{/each}}
         {{else}}
-          <EmptyState
-            @title="You do not have permissions to set URLs."
-            @message="These are not required but will need to be configured later. You can do this via the CLI or by changing your permissions and returning to this form."
-          />
+          <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+            <A.Header @title="You do not have permissions to set URLs." @titleTag="h2" data-test-empty-state-title />
+            <A.Body
+              @text="These are not required but will need to be configured later. You can do this via the CLI or by changing your permissions and returning to this form."
+              data-test-empty-state-message
+            />
+          </Hds::ApplicationState>
         {{/if}}
       </fieldset>
     {{/if}}
diff --git a/ui/lib/pki/addon/components/pki-generate-root.ts b/ui/lib/pki/addon/components/pki-generate-root.ts
index 6031be6cbb..cb2ba52f93 100644
--- a/ui/lib/pki/addon/components/pki-generate-root.ts
+++ b/ui/lib/pki/addon/components/pki-generate-root.ts
@@ -20,13 +20,13 @@ import type ApiService from 'vault/services/api';
 import type CapabilitiesService from 'vault/services/capabilities';
 import type SecretMountPath from 'vault/services/secret-mount-path';
 import type {
-  PkiGenerateRootExportedEnum,
-  PkiIssuersGenerateRootExportedEnum,
+  SecretsApiPkiGenerateRootExportedEnum,
+  SecretsApiPkiIssuersGenerateRootExportedEnum,
   PkiGenerateRootRequest,
   PkiGenerateRootResponse,
   PkiIssuersGenerateRootRequest,
   PkiIssuersGenerateRootResponse,
-  PkiRotateRootExportedEnum,
+  SecretsApiPkiRotateRootExportedEnum,
   PkiRotateRootRequest,
 } from '@hashicorp/vault-client-typescript';
 
@@ -146,7 +146,7 @@ export default class PkiGenerateRootComponent extends Component<Args> {
 
     if (this.args.rotateCertData) {
       return this.api.secrets.pkiRotateRoot(
-        type as PkiRotateRootExportedEnum,
+        type as SecretsApiPkiRotateRootExportedEnum,
         currentPath,
         data as PkiRotateRootRequest
       );
@@ -154,13 +154,13 @@ export default class PkiGenerateRootComponent extends Component<Args> {
       const canUseIssuer = await this.fetchIssuerCapabilities();
       if (canUseIssuer) {
         return this.api.secrets.pkiIssuersGenerateRoot(
-          type as PkiIssuersGenerateRootExportedEnum,
+          type as SecretsApiPkiIssuersGenerateRootExportedEnum,
           this.secretMountPath.currentPath,
           data as PkiIssuersGenerateRootRequest
         );
       } else {
         return this.api.secrets.pkiGenerateRoot(
-          type as PkiGenerateRootExportedEnum,
+          type as SecretsApiPkiGenerateRootExportedEnum,
           this.secretMountPath.currentPath,
           data as PkiGenerateRootRequest
         );
diff --git a/ui/lib/pki/addon/components/pki-info-table-rows.hbs b/ui/lib/pki/addon/components/pki-info-table-rows.hbs
index 4724b3e272..28cc06355e 100644
--- a/ui/lib/pki/addon/components/pki-info-table-rows.hbs
+++ b/ui/lib/pki/addon/components/pki-info-table-rows.hbs
@@ -9,7 +9,7 @@
     {{#if (or value (includes field (array "common_name" "private_key" "private_key_type")))}}
       <InfoTableRow @label={{@label field}} @value={{value}} @addCopyButton={{includes field (array "issuer_id" "key_id")}}>
         {{#if (and (includes field (array "ca_chain" "certificate")) value)}}
-          <CertificateCard @data={{value}} />
+          <EncodedDataCard @data={{value}} />
         {{else if (includes field (array "issuer_id" "key_id"))}}
           <LinkTo @route={{if (eq field "issuer_id") "issuers.issuer.details" "keys.key.details"}} @model={{value}}>
             {{value}}
diff --git a/ui/lib/pki/addon/components/pki-issuer-cross-sign.js b/ui/lib/pki/addon/components/pki-issuer-cross-sign.js
index 4051292a74..40df3f7106 100644
--- a/ui/lib/pki/addon/components/pki-issuer-cross-sign.js
+++ b/ui/lib/pki/addon/components/pki-issuer-cross-sign.js
@@ -11,7 +11,7 @@ import { tracked } from '@glimmer/tracking';
 import { waitFor } from '@ember/test-waiters';
 import { parseCertificate } from 'vault/utils/parse-pki-cert';
 import { addToArray } from 'vault/helpers/add-to-array';
-import { PkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
 /**
  * @module PkiIssuerCrossSign
  * PkiIssuerCrossSign components render from a parent issuer's details page to cross-sign an intermediate issuer (from a different mount).
@@ -88,7 +88,7 @@ export default class PkiIssuerCrossSign extends Component {
       for (let row = 0; row < this.formData.length; row++) {
         const { intermediateMount, newCrossSignedIssuer } = this.formData[row];
         const issuers = await this.api.secrets
-          .pkiListIssuers(intermediateMount, PkiListIssuersListEnum.TRUE)
+          .pkiListIssuers(intermediateMount, SecretsApiPkiListIssuersListEnum.TRUE)
           .then((response) => this.api.keyInfoToArray(response, 'issuer_id'))
           .catch(() => []);
         // for cross-signing error handling we want to record the list of issuers before the process starts
diff --git a/ui/lib/pki/addon/components/pki-page-header.hbs b/ui/lib/pki/addon/components/pki-page-header.hbs
index c584b79447..4ea78c2fae 100644
--- a/ui/lib/pki/addon/components/pki-page-header.hbs
+++ b/ui/lib/pki/addon/components/pki-page-header.hbs
@@ -17,21 +17,7 @@
     {{#if @configRoute}}
       <Hds::Button @color="secondary" @route="overview" @text="Exit configuration" data-test-button="Exit configuration" />
     {{else}}
-      <Hds::Dropdown as |D|>
-        <D.ToggleButton @text="Manage" @color="secondary" data-test-dropdown="Manage" />
-        <D.Interactive
-          @icon="settings"
-          @route="configuration"
-          @model={{@backend.id}}
-          data-test-popup-menu="Configure"
-        >Configure</D.Interactive>
-        <D.Interactive
-          {{on "click" (fn (mut this.engineToDisable) @backend)}}
-          @color="critical"
-          @icon="trash"
-          data-test-popup-menu="Delete"
-        >Delete</D.Interactive>
-      </Hds::Dropdown>
+      <ManageDropdown @model={{@backend}} @configRoute="configuration" />
     {{/if}}
   </:actions>
 </Page::Header>
@@ -58,14 +44,4 @@
       <li><LinkTo @route="tidy" @model={{@backend.id}} data-test-secret-list-tab="Tidy">Tidy</LinkTo></li>
     </ul>
   </nav>
-{{/if}}
-
-{{#if this.engineToDisable}}
-  <ConfirmModal
-    @color="critical"
-    @confirmMessage="Any data in this engine will be permanently deleted."
-    @confirmTitle="Disable engine?"
-    @onClose={{fn (mut this.engineToDisable) null}}
-    @onConfirm={{perform this.disableEngine this.engineToDisable}}
-  />
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/pki/addon/components/pki-page-header.ts b/ui/lib/pki/addon/components/pki-page-header.ts
index 4e6436c7fa..e6f398cf47 100644
--- a/ui/lib/pki/addon/components/pki-page-header.ts
+++ b/ui/lib/pki/addon/components/pki-page-header.ts
@@ -4,16 +4,12 @@
  */
 
 import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
 import Component from '@glimmer/component';
-import { task } from 'ember-concurrency';
 
-import type { PATH_MAP } from 'vault/utils/constants/capabilities';
-import type ApiService from 'vault/services/api';
-import type CapabilitiesService from 'vault/services/capabilities';
-import type FlashMessageService from 'vault/services/flash-messages';
 import type RouterService from '@ember/routing/router-service';
 import type SecretsEngineResource from 'vault/resources/secrets/engine';
+import type CapabilitiesService from 'vault/services/capabilities';
+import type { PATH_MAP } from 'vault/utils/constants/capabilities';
 
 /**
  * @module PkiPageHeader
@@ -25,7 +21,7 @@ import type SecretsEngineResource from 'vault/resources/secrets/engine';
  */
 
 interface Args {
-  backend: { id: string };
+  backend: SecretsEngineResource;
 }
 
 const ROUTE_PATH_MAP = {
@@ -36,12 +32,8 @@ const ROUTE_PATH_MAP = {
 
 export default class PkiPageHeader extends Component<Args> {
   @service('app-router') declare readonly router: RouterService;
-  @service declare readonly api: ApiService;
-  @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly capabilities: CapabilitiesService;
 
-  @tracked engineToDisable = undefined;
-
   get breadcrumbs() {
     return [
       { label: 'Vault', route: 'vault', icon: 'vault', linkExternal: true },
@@ -61,22 +53,4 @@ export default class PkiPageHeader extends Component<Args> {
     }
     return null;
   }
-
-  @task
-  *disableEngine(engine: SecretsEngineResource) {
-    const { engineType, id, path } = engine;
-
-    try {
-      yield this.api.sys.mountsDisableSecretsEngine(id);
-      this.flashMessages.success(`The ${engineType} Secrets Engine at ${path} has been disabled.`);
-      this.router.transitionTo('vault.cluster.secrets.backends');
-    } catch (err) {
-      const { message } = yield this.api.parseError(err);
-      this.flashMessages.danger(
-        `There was an error disabling the ${engineType} Secrets Engine at ${path}: ${message}.`
-      );
-    } finally {
-      this.engineToDisable = undefined;
-    }
-  }
 }
diff --git a/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs b/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs
index faf894f5b3..a8365f9f11 100644
--- a/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs
+++ b/ui/lib/pki/addon/components/pki-sign-intermediate-form.hbs
@@ -21,13 +21,13 @@
         </LinkTo>
       </InfoTableRow>
       <InfoTableRow @label="Certificate">
-        <CertificateCard @data={{this.signedIntermediate.certificate}} />
+        <EncodedDataCard @data={{this.signedIntermediate.certificate}} />
       </InfoTableRow>
       <InfoTableRow @label="Issuing CA">
-        <CertificateCard @data={{this.signedIntermediate.issuing_ca}} />
+        <EncodedDataCard @data={{this.signedIntermediate.issuing_ca}} />
       </InfoTableRow>
       <InfoTableRow @label="CA Chain">
-        <CertificateCard @data={{this.signedIntermediate.ca_chain}} />
+        <EncodedDataCard @data={{this.signedIntermediate.ca_chain}} />
       </InfoTableRow>
 
       <ParsedCertificateInfoRows @model={{this.parsedCertificate}} />
diff --git a/ui/lib/pki/addon/decorators/check-issuers.js b/ui/lib/pki/addon/decorators/check-issuers.js
index a166267ed9..d65fdebd81 100644
--- a/ui/lib/pki/addon/decorators/check-issuers.js
+++ b/ui/lib/pki/addon/decorators/check-issuers.js
@@ -5,7 +5,7 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { PkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
 
 /**
  * the overview, roles, issuers, certificates, and key routes all need to be aware of the whether there is a config for the engine
@@ -36,7 +36,7 @@ export function withConfig() {
         try {
           await this.api.secrets.pkiListIssuers(
             this.secretMountPath.currentPath,
-            PkiListIssuersListEnum.TRUE
+            SecretsApiPkiListIssuersListEnum.TRUE
           );
           this.pkiMountHasConfig = true;
         } catch (e) {
diff --git a/ui/lib/pki/addon/routes/certificates/index.js b/ui/lib/pki/addon/routes/certificates/index.js
index 48f86d018a..6666526b5f 100644
--- a/ui/lib/pki/addon/routes/certificates/index.js
+++ b/ui/lib/pki/addon/routes/certificates/index.js
@@ -7,7 +7,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { withConfig } from 'pki/decorators/check-issuers';
 import { getCliMessage } from 'pki/routes/overview';
-import { PkiListCertsListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListCertsListEnum } from '@hashicorp/vault-client-typescript';
 import { paginate } from 'core/utils/paginate-list';
 
 @withConfig()
@@ -33,7 +33,7 @@ export default class PkiCertificatesIndexRoute extends Route {
       const page = Number(params.page) || 1;
       const { keys: certificates } = await this.api.secrets.pkiListCerts(
         this.secretMountPath.currentPath,
-        PkiListCertsListEnum.TRUE
+        SecretsApiPkiListCertsListEnum.TRUE
       );
       model.certificates = paginate(certificates, { page });
     } catch (e) {
diff --git a/ui/lib/pki/addon/routes/issuers/index.js b/ui/lib/pki/addon/routes/issuers/index.js
index 7a502dcdeb..c08fff2e21 100644
--- a/ui/lib/pki/addon/routes/issuers/index.js
+++ b/ui/lib/pki/addon/routes/issuers/index.js
@@ -6,7 +6,7 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { paginate } from 'core/utils/paginate-list';
-import { PkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
 import { verifyCertificates, parseCertificate } from 'vault/utils/parse-pki-cert';
 
 export default class PkiIssuersListRoute extends Route {
@@ -32,7 +32,7 @@ export default class PkiIssuersListRoute extends Route {
     try {
       const listResponse = await this.api.secrets.pkiListIssuers(
         this.secretMountPath.currentPath,
-        PkiListIssuersListEnum.TRUE
+        SecretsApiPkiListIssuersListEnum.TRUE
       );
       // fetch full issuer data only if there are less than 10 issuers to avoid making too many requests
       if (listResponse.keys.length <= 10) {
diff --git a/ui/lib/pki/addon/routes/keys/index.js b/ui/lib/pki/addon/routes/keys/index.js
index b690ac86bd..1afd6ce9f5 100644
--- a/ui/lib/pki/addon/routes/keys/index.js
+++ b/ui/lib/pki/addon/routes/keys/index.js
@@ -7,7 +7,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { withConfig } from 'pki/decorators/check-issuers';
 import { PKI_DEFAULT_EMPTY_STATE_MSG } from 'pki/routes/overview';
-import { PkiListKeysListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListKeysListEnum } from '@hashicorp/vault-client-typescript';
 import { paginate } from 'core/utils/paginate-list';
 
 @withConfig()
@@ -53,7 +53,7 @@ export default class PkiKeysIndexRoute extends Route {
     try {
       const response = await this.api.secrets.pkiListKeys(
         this.secretMountPath.currentPath,
-        PkiListKeysListEnum.TRUE
+        SecretsApiPkiListKeysListEnum.TRUE
       );
       const keys = this.api.keyInfoToArray(response, 'key_id');
       const capabilities = await this.fetchCapabilities(keys);
diff --git a/ui/lib/pki/addon/routes/overview.js b/ui/lib/pki/addon/routes/overview.js
index f0ddef9316..70e95d5824 100644
--- a/ui/lib/pki/addon/routes/overview.js
+++ b/ui/lib/pki/addon/routes/overview.js
@@ -8,9 +8,9 @@ import { service } from '@ember/service';
 import { withConfig } from 'pki/decorators/check-issuers';
 import { hash } from 'rsvp';
 import {
-  PkiListCertsListEnum,
-  PkiListRolesListEnum,
-  PkiListIssuersListEnum,
+  SecretsApiPkiListCertsListEnum,
+  SecretsApiPkiListRolesListEnum,
+  SecretsApiPkiListIssuersListEnum,
 } from '@hashicorp/vault-client-typescript';
 
 export const PKI_DEFAULT_EMPTY_STATE_MSG =
@@ -32,7 +32,7 @@ export default class PkiOverviewRoute extends Route {
     try {
       const { keys } = await this.api.secrets.pkiListCerts(
         this.secretMountPath.currentPath,
-        PkiListCertsListEnum.TRUE
+        SecretsApiPkiListCertsListEnum.TRUE
       );
       return keys;
     } catch (e) {
@@ -47,7 +47,7 @@ export default class PkiOverviewRoute extends Route {
     try {
       const { keys } = await this.api.secrets.pkiListRoles(
         this.secretMountPath.currentPath,
-        PkiListRolesListEnum.TRUE
+        SecretsApiPkiListRolesListEnum.TRUE
       );
       return keys;
     } catch (e) {
@@ -62,7 +62,7 @@ export default class PkiOverviewRoute extends Route {
     try {
       const { keys } = await this.api.secrets.pkiListIssuers(
         this.secretMountPath.currentPath,
-        PkiListIssuersListEnum.TRUE
+        SecretsApiPkiListIssuersListEnum.TRUE
       );
       return keys;
     } catch (e) {
diff --git a/ui/lib/pki/addon/routes/roles/create.js b/ui/lib/pki/addon/routes/roles/create.js
index 2930782217..30c6215f03 100644
--- a/ui/lib/pki/addon/routes/roles/create.js
+++ b/ui/lib/pki/addon/routes/roles/create.js
@@ -5,7 +5,7 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { PkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
 import PkiRoleForm from 'vault/forms/secrets/pki/role';
 
 export default class PkiRolesCreateRoute extends Route {
@@ -16,7 +16,7 @@ export default class PkiRolesCreateRoute extends Route {
     const backend = this.secretMountPath.currentPath;
     let issuers = [];
     try {
-      const response = await this.api.secrets.pkiListIssuers(backend, PkiListIssuersListEnum.TRUE);
+      const response = await this.api.secrets.pkiListIssuers(backend, SecretsApiPkiListIssuersListEnum.TRUE);
       issuers = this.api.keyInfoToArray(response, 'issuer_id');
     } catch (error) {
       if (error.response.status !== 404) {
diff --git a/ui/lib/pki/addon/routes/roles/index.js b/ui/lib/pki/addon/routes/roles/index.js
index b1da121667..2c5840c2f4 100644
--- a/ui/lib/pki/addon/routes/roles/index.js
+++ b/ui/lib/pki/addon/routes/roles/index.js
@@ -7,7 +7,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import { withConfig } from 'pki/decorators/check-issuers';
 import { getCliMessage } from 'pki/routes/overview';
-import { PkiListRolesListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListRolesListEnum } from '@hashicorp/vault-client-typescript';
 import { paginate } from 'core/utils/paginate-list';
 
 @withConfig()
@@ -33,7 +33,7 @@ export default class PkiRolesIndexRoute extends Route {
       const page = Number(params.page) || 1;
       const { keys: roles } = await this.api.secrets.pkiListRoles(
         this.secretMountPath.currentPath,
-        PkiListRolesListEnum.TRUE
+        SecretsApiPkiListRolesListEnum.TRUE
       );
       model.roles = paginate(roles, { page });
     } catch (e) {
diff --git a/ui/lib/pki/addon/routes/roles/role/edit.js b/ui/lib/pki/addon/routes/roles/role/edit.js
index a20a4533ce..c5a9a94a09 100644
--- a/ui/lib/pki/addon/routes/roles/role/edit.js
+++ b/ui/lib/pki/addon/routes/roles/role/edit.js
@@ -5,7 +5,7 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { PkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
+import { SecretsApiPkiListIssuersListEnum } from '@hashicorp/vault-client-typescript';
 import PkiRoleForm from 'vault/forms/secrets/pki/role';
 
 export default class PkiRoleEditRoute extends Route {
@@ -20,7 +20,7 @@ export default class PkiRoleEditRoute extends Route {
 
     let issuers = [];
     try {
-      const response = await this.api.secrets.pkiListIssuers(backend, PkiListIssuersListEnum.TRUE);
+      const response = await this.api.secrets.pkiListIssuers(backend, SecretsApiPkiListIssuersListEnum.TRUE);
       issuers = this.api.keyInfoToArray(response, 'issuer_id');
     } catch (error) {
       if (error.response.status !== 404) {
diff --git a/ui/lib/pki/addon/templates/certificates/index.hbs b/ui/lib/pki/addon/templates/certificates/index.hbs
index ff0ee6bfa0..fc61484a9c 100644
--- a/ui/lib/pki/addon/templates/certificates/index.hbs
+++ b/ui/lib/pki/addon/templates/certificates/index.hbs
@@ -22,7 +22,7 @@
           <div class="level-left">
             <div>
               <Icon @name="certificate" class="has-text-grey-light" />
-              <span class="has-text-weight-semibold is-underline">
+              <span class="has-text-weight-semibold is-underline" aria-label="certificate serial number">
                 {{cert}}
               </span>
               <div class="is-flex-row has-left-margin-l has-top-margin-xs">
@@ -47,20 +47,27 @@
     {{/each}}
   </:list>
   <:empty>
-    <EmptyState
-      @title="No certificates yet"
-      @message="When created, certificates will be listed here. Select a role to start generating certificates"
-    />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No certificates yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="When created, certificates will be listed here. Select a role to start generating certificates"
+        data-test-empty-state-message
+      />
+    </Hds::ApplicationState>
   </:empty>
   <:configure>
-    <EmptyState @title="PKI not configured" @message={{this.notConfiguredMessage}}>
-      <Hds::Link::Standalone
-        @icon="chevron-right"
-        @iconPosition="trailing"
-        @text="Configure PKI"
-        @route="configuration.create"
-        @model={{this.model.parentModel.id}}
-      />
-    </EmptyState>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="PKI not configured" @titleTag="h2" data-test-empty-state-title />
+      <A.Body @text={{this.notConfiguredMessage}} data-test-empty-state-message />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="chevron-right"
+          @iconPosition="trailing"
+          @text="Configure PKI"
+          @route="configuration.create"
+          @model={{this.model.parentModel.id}}
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
   </:configure>
 </PkiPaginatedList>
\ No newline at end of file
diff --git a/ui/lib/pki/addon/templates/overview.hbs b/ui/lib/pki/addon/templates/overview.hbs
index 9f85b82009..2d1535d15f 100644
--- a/ui/lib/pki/addon/templates/overview.hbs
+++ b/ui/lib/pki/addon/templates/overview.hbs
@@ -17,13 +17,17 @@
     @canListRoles={{this.model.canListRoles}}
   />
 {{else}}
-  <EmptyState @title="PKI not configured" @message={{this.notConfiguredMessage}}>
-    <Hds::Link::Standalone
-      @icon="chevron-right"
-      @iconPosition="trailing"
-      @text="Configure PKI"
-      @route="configuration.create"
-      @model={{this.model.engine.id}}
-    />
-  </EmptyState>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="PKI not configured" @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text={{this.notConfiguredMessage}} data-test-empty-state-message />
+    <A.Footer data-test-empty-state-actions as |F|>
+      <F.LinkStandalone
+        @icon="chevron-right"
+        @iconPosition="trailing"
+        @text="Configure PKI"
+        @route="configuration.create"
+        @model={{this.model.engine.id}}
+      />
+    </A.Footer>
+  </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/pki/addon/templates/roles/index.hbs b/ui/lib/pki/addon/templates/roles/index.hbs
index 499b25413f..9d239d6cda 100644
--- a/ui/lib/pki/addon/templates/roles/index.hbs
+++ b/ui/lib/pki/addon/templates/roles/index.hbs
@@ -57,20 +57,27 @@
     {{/each}}
   </:list>
   <:empty>
-    <EmptyState
-      @title="No roles yet"
-      @message="When created, roles will be listed here. Create a role to start generating certificates."
-    />
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="No roles yet" @titleTag="h2" data-test-empty-state-title />
+      <A.Body
+        @text="When created, roles will be listed here. Create a role to start generating certificates."
+        data-test-empty-state-message
+      />
+    </Hds::ApplicationState>
   </:empty>
   <:configure>
-    <EmptyState @title="PKI not configured" @message={{this.notConfiguredMessage}}>
-      <Hds::Link::Standalone
-        @icon="chevron-right"
-        @iconPosition="trailing"
-        @text="Configure PKI"
-        @route="configuration.create"
-        @model={{this.model.parentModel.id}}
-      />
-    </EmptyState>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header @title="PKI not configured" @titleTag="h2" data-test-empty-state-title />
+      <A.Body @text={{this.notConfiguredMessage}} data-test-empty-state-message />
+      <A.Footer data-test-empty-state-actions as |F|>
+        <F.LinkStandalone
+          @icon="chevron-right"
+          @iconPosition="trailing"
+          @text="Configure PKI"
+          @route="configuration.create"
+          @model={{this.model.parentModel.id}}
+        />
+      </A.Footer>
+    </Hds::ApplicationState>
   </:configure>
 </PkiPaginatedList>
\ No newline at end of file
diff --git a/ui/lib/pki/addon/templates/tidy/index.hbs b/ui/lib/pki/addon/templates/tidy/index.hbs
index ca98c21e15..72267f8bba 100644
--- a/ui/lib/pki/addon/templates/tidy/index.hbs
+++ b/ui/lib/pki/addon/templates/tidy/index.hbs
@@ -9,13 +9,17 @@
   <Page::PkiTidyStatus @enabled={{this.model.autoTidyConfig.enabled}} @tidyStatus={{this.tidyStatus}} />
 {{else}}
   <Toolbar />
-  <EmptyState @title="PKI not configured" @message={{this.notConfiguredMessage}}>
-    <Hds::Link::Standalone
-      @icon="chevron-right"
-      @iconPosition="trailing"
-      @text="Configure PKI"
-      @route="configuration.create"
-      @model={{this.model.engine.id}}
-    />
-  </EmptyState>
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="PKI not configured" @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text={{this.notConfiguredMessage}} data-test-empty-state-message />
+    <A.Footer data-test-empty-state-actions as |F|>
+      <F.LinkStandalone
+        @icon="chevron-right"
+        @iconPosition="trailing"
+        @text="Configure PKI"
+        @route="configuration.create"
+        @model={{this.model.engine.id}}
+      />
+    </A.Footer>
+  </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/replication/addon/components/enable-replication-form.hbs b/ui/lib/replication/addon/components/enable-replication-form.hbs
index d04561838e..698917f683 100644
--- a/ui/lib/replication/addon/components/enable-replication-form.hbs
+++ b/ui/lib/replication/addon/components/enable-replication-form.hbs
@@ -6,7 +6,7 @@
 <form {{on "submit" (fn this.onSubmit this.data)}} data-test-replication-enable-form>
   <MessageError @errorMessage={{this.error}} />
 
-  <div class="box is-sideless is-fullwidth is-marginless">
+  <div class="box is-fullwidth is-marginless">
     <label for="replication-mode" class="is-label">
       Cluster mode
     </label>
diff --git a/ui/lib/replication/addon/components/known-secondaries-card.hbs b/ui/lib/replication/addon/components/known-secondaries-card.hbs
index 61c21b7e2e..5ef0e0444e 100644
--- a/ui/lib/replication/addon/components/known-secondaries-card.hbs
+++ b/ui/lib/replication/addon/components/known-secondaries-card.hbs
@@ -17,7 +17,7 @@
     {{#if this.replicationAttrs.secondaries}}
       <KnownSecondariesTable @secondaries={{this.replicationAttrs.secondaries}} />
     {{else}}
-      <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
         <A.Header
           @title="No known {{this.cluster.replicationMode}} secondary clusters associated with this cluster"
           @titleTag="h2"
@@ -25,6 +25,7 @@
         />
         <A.Body
           @text="Associated secondary clusters will be listed here. Add your first secondary cluster to get started."
+          data-test-empty-state-message
         />
       </Hds::ApplicationState>
     {{/if}}
diff --git a/ui/lib/replication/addon/components/page/mode-index.hbs b/ui/lib/replication/addon/components/page/mode-index.hbs
index 249a43abf2..e14b69ddac 100644
--- a/ui/lib/replication/addon/components/page/mode-index.hbs
+++ b/ui/lib/replication/addon/components/page/mode-index.hbs
@@ -10,33 +10,14 @@
         @breadcrumbs={{array (hash label="Vault" route="vault" icon="vault" linkExternal=true) (hash label=this.title)}}
       />
     </:breadcrumbs>
+    <:description>
+      {{this.description}}
+      <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link this.docLink}}>
+        Learn more
+      </Hds::Link::Inline>
+    </:description>
   </Page::Header>
 
-  <div class="box is-sideless is-fullwidth is-marginless">
-    {{#if (eq @replicationMode "dr")}}
-      <h2 class="title is-flex-center is-5 is-marginless">
-        <Icon @size="24" @name="replication-direct" />
-        Disaster recovery (DR) replication
-      </h2>
-      <p class="help has-text-grey-dark">
-        {{replication-mode-description "dr"}}
-      </p>
-    {{else if (eq @replicationMode "performance")}}
-      <h2 class="title is-flex-center is-5 is-marginless">
-        <Icon @size="24" @name="replication-perf" />
-        Performance replication
-      </h2>
-      {{#if (has-feature "Performance Replication")}}
-        <p class="help has-text-grey-dark">
-          {{replication-mode-description "performance"}}
-        </p>
-      {{else}}
-        <p class="help has-text-grey-dark">
-          Performance replication is a feature of Vault Enterprise Premium
-        </p>
-      {{/if}}
-    {{/if}}
-  </div>
   <EnableReplicationForm
     @replicationMode={{@replicationMode}}
     @canEnablePrimary={{this.canEnable "Primary"}}
diff --git a/ui/lib/replication/addon/components/page/mode-index.js b/ui/lib/replication/addon/components/page/mode-index.js
index ce98c787cd..db3e8867fe 100644
--- a/ui/lib/replication/addon/components/page/mode-index.js
+++ b/ui/lib/replication/addon/components/page/mode-index.js
@@ -33,6 +33,17 @@ export default class PageModeIndex extends Component {
     return 'Enable replication';
   }
 
+  get description() {
+    if (this.args.replicationMode === 'dr') {
+      return 'Maintain a synchronized standby cluster to enable business continuity and data preservation in the event of a primary site failure.';
+    }
+    return 'Pair geographically distributed clusters that share a common configuration to scale Vault.';
+  }
+
+  get docLink() {
+    return this.args.replicationMode === 'dr' ? '/vault/gui/dr' : '/vault/gui/pr';
+  }
+
   canEnable = (type) => {
     const { cluster, replicationMode } = this.args;
     let perm;
diff --git a/ui/lib/replication/addon/engine.js b/ui/lib/replication/addon/engine.js
index 11c304b374..ae6a9d13f9 100644
--- a/ui/lib/replication/addon/engine.js
+++ b/ui/lib/replication/addon/engine.js
@@ -15,6 +15,7 @@ const Eng = Engine.extend({
   Resolver,
   dependencies: {
     services: [
+      'api',
       'auth',
       'capabilities',
       'flash-messages',
diff --git a/ui/lib/replication/addon/templates/index.hbs b/ui/lib/replication/addon/templates/index.hbs
index eca78545c0..5c0de37362 100644
--- a/ui/lib/replication/addon/templates/index.hbs
+++ b/ui/lib/replication/addon/templates/index.hbs
@@ -18,7 +18,13 @@
         </:breadcrumbs>
       </Page::Header>
 
-      <EmptyState @title="The current cluster configuration does not support replication" />
+      <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+        <A.Header
+          @title="The current cluster configuration does not support replication"
+          @titleTag="h2"
+          data-test-empty-state-title
+        />
+      </Hds::ApplicationState>
     {{else if this.model.replicationIsInitializing}}
       <LayoutLoading />
     {{else if this.model.allReplicationDisabled}}
diff --git a/ui/lib/replication/addon/templates/mode/secondaries/config-show.hbs b/ui/lib/replication/addon/templates/mode/secondaries/config-show.hbs
index 4eaeb77483..ad93358f3c 100644
--- a/ui/lib/replication/addon/templates/mode/secondaries/config-show.hbs
+++ b/ui/lib/replication/addon/templates/mode/secondaries/config-show.hbs
@@ -44,5 +44,8 @@
     </InfoTableRow>
   </div>
 {{else}}
-  <EmptyState @title="No config yet" @message="Performance Mount Filtering is not configured for this secondary" />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No config yet" @titleTag="h2" data-test-empty-state-title />
+    <A.Body @text="Performance Mount Filtering is not configured for this secondary." data-test-empty-state-message />
+  </Hds::ApplicationState>
 {{/if}}
\ No newline at end of file
diff --git a/ui/lib/replication/addon/templates/mode/secondaries/index.hbs b/ui/lib/replication/addon/templates/mode/secondaries/index.hbs
index 856a453147..71f6bd15e4 100644
--- a/ui/lib/replication/addon/templates/mode/secondaries/index.hbs
+++ b/ui/lib/replication/addon/templates/mode/secondaries/index.hbs
@@ -57,10 +57,17 @@
       <hr class="is-marginless" />
     {{/each}}
   {{else}}
-    <Hds::ApplicationState @align="center" class="top-padding-32" as |A|>
-      <A.Header @title="No known {{this.performanceMode}} secondary clusters associated with this cluster" @titleTag="h2" />
-      <A.Body @text="Associated secondary clusters will be listed here. Add your first secondary cluster to get started." />
-      <A.Footer as |F|>
+    <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+      <A.Header
+        @title="No known {{this.performanceMode}} secondary clusters associated with this cluster"
+        @titleTag="h2"
+        data-test-empty-state-title
+      />
+      <A.Body
+        @text="Associated secondary clusters will be listed here. Add your first secondary cluster to get started."
+        data-test-empty-state-message
+      />
+      <A.Footer data-test-empty-state-actions as |F|>
         <F.LinkStandalone
           @icon="docs-link"
           @iconPosition="trailing"
diff --git a/ui/lib/sync/addon/components/secrets/landing-cta.hbs b/ui/lib/sync/addon/components/secrets/landing-cta.hbs
index 1ebca5b52c..8bd19f2edd 100644
--- a/ui/lib/sync/addon/components/secrets/landing-cta.hbs
+++ b/ui/lib/sync/addon/components/secrets/landing-cta.hbs
@@ -9,9 +9,16 @@
   </:breadcrumbs>
   <:badges>
     {{#if this.flags.isHvdManaged}}
-      <Hds::Badge @text="Plus feature" @color="highlight" @size="large" data-test-badge="Plus feature" />
+      <Hds::Badge @text="Standard feature" @color="highlight" @size="large" data-test-badge="Standard feature" />
     {{/if}}
   </:badges>
+  <:description>
+    Centralize your secret governance by synchronizing Vault-managed data to external secret managers in cloud services
+    providers, GitHub, & Vercel.
+    <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/gui/secret-sync"}}>
+      Learn more
+    </Hds::Link::Inline>
+  </:description>
   <:actions>
     {{! Only allow users who have activated the feature to create a destination. }}
     {{#if @isActivated}}
@@ -20,35 +27,19 @@
   </:actions>
 </Page::Header>
 
-<div class="box is-fullwidth is-sideless is-flex-between is-shadowless" data-test-cta-container>
-  {{! One cta message regardless of OSS vs Enterprise with/without secrets sync or managed cluster. }}
-  <p>
-    This feature allows you to sync secrets to platforms and tools across your stack to get secrets when and where you need
-    them.
-    <Hds::Link::Standalone
-      @text="Learn more about Secrets Sync"
-      @icon="docs-link"
-      @iconPosition="trailing"
-      @isHrefExternal={{true}}
-      @href={{doc-link "/vault/tutorials/enterprise/secrets-sync"}}
-      data-test-cta-doc-link
-    />
-  </p>
-</div>
-
-<div class="is-flex-row gap-24 has-bottom-margin-m">
-  <div>
+<Hds::Layout::Flex @gap="24" class="top-margin-16" as |LF|>
+  <LF.Item @tag="div">
     <img src={{img-path "~/sync-landing-1.png"}} alt="Secrets sync destinations diagram" aria-describedby="sync-step-1" />
-    <p id="sync-step-1" class="has-top-margin-m">
+    <Hds::Text::Body @tag="p">
       <b>Step 1:</b>
       Create a destination, and set up the connection details to allow Vault access.
-    </p>
-  </div>
-  <div>
+    </Hds::Text::Body>
+  </LF.Item>
+  <LF.Item @tag="div">
     <img src={{img-path "~/sync-landing-2.png"}} alt="Syncing secrets diagram" aria-describedby="sync-step-2" />
-    <p id="sync-step-2" class="has-top-margin-m">
+    <Hds::Text::Body @tag="p">
       <b>Step 2:</b>
       Select secrets from your KV v2 engine and sync secrets to your destination.
-    </p>
-  </div>
-</div>
\ No newline at end of file
+    </Hds::Text::Body>
+  </LF.Item>
+</Hds::Layout::Flex>
\ No newline at end of file
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations.hbs b/ui/lib/sync/addon/components/secrets/page/destinations.hbs
index 2ba426a26d..c45dadd037 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/destinations.hbs
@@ -116,7 +116,9 @@
     />
   </div>
 {{else}}
-  <EmptyState @title={{this.noResultsMessage}} />
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title={{this.noResultsMessage}} @titleTag="h2" data-test-empty-state-title />
+  </Hds::ApplicationState>
 {{/if}}
 
 {{#if this.destinationToDelete}}
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations.ts b/ui/lib/sync/addon/components/secrets/page/destinations.ts
index 5a2e2def2a..d24bc8adc2 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations.ts
+++ b/ui/lib/sync/addon/components/secrets/page/destinations.ts
@@ -11,11 +11,12 @@ import { getOwner } from '@ember/owner';
 import { findDestination, syncDestinations } from 'core/helpers/sync-destinations';
 import { next } from '@ember/runloop';
 import apiMethodResolver from 'sync/utils/api-method-resolver';
+import { DestinationType } from 'sync/utils/constants';
 
 import type RouterService from '@ember/routing/router-service';
 import type FlashMessageService from 'vault/services/flash-messages';
 import type { CapabilitiesMap, EngineOwner } from 'vault/app-types';
-import type { DestinationName, DestinationType, ListDestination } from 'vault/sync';
+import type { DestinationName, ListDestination } from 'vault/sync';
 import type Transition from '@ember/routing/transition';
 import type { PaginatedMetadata } from 'core/utils/paginate-list';
 import type ApiService from 'vault/services/api';
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.hbs b/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.hbs
index f51dad0b02..2fb05ed84b 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.hbs
@@ -9,10 +9,28 @@
 
 <form {{on "submit" (perform this.save)}} class="has-top-margin-l">
   <MessageError @errorMessage={{this.error}} />
+
   {{#each @form.formFieldGroups as |fieldGroup|}}
     {{#each-in fieldGroup as |group fields|}}
-      {{#if (not-eq group "default")}}
-        <hr class="has-top-margin-xl has-bottom-margin-l has-background-gray-200" />
+      {{#if (not-eq group "Advanced configuration")}}
+        {{#if (this.isCredentialTypeGroup group)}}
+          <Hds::Form::RadioCard::Group @name="role type options" class="has-bottom-margin-m" as |RadioGroup|>
+            <RadioGroup.Legend>Credential type</RadioGroup.Legend>
+            {{#each this.roleTypeOptions as |option|}}
+              <RadioGroup.RadioCard
+                @checked={{eq option.value @form.credentialType}}
+                @disabled={{this.isAccessTypeDisabled}}
+                {{on "change" (fn this.onTypeChange option)}}
+                data-test-radio-card={{option.value}}
+                as |Card|
+              >
+                <Card.Label>{{option.title}}</Card.Label>
+                <Card.Description>{{option.description}}</Card.Description>
+              </RadioGroup.RadioCard>
+            {{/each}}
+          </Hds::Form::RadioCard::Group>
+          <hr class="has-top-margin-xl has-bottom-margin-l has-background-gray-200" />
+        {{/if}}
         <Hds::Text::Display
           @tag="h2"
           @size="400"
@@ -28,21 +46,37 @@
         >
           {{this.groupSubtext group @form.isNew}}
         </Hds::Text::Body>
+        {{#each fields as |attr|}}
+          {{#if (and attr.options.sensitive (not @form.isNew))}}
+            <EnableInput data-test-enable-field={{attr.name}} class="field" @attr={{attr}}>
+              <FormField @attr={{attr}} @model={{@form}} @modelValidations={{this.modelValidations}} />
+            </EnableInput>
+          {{else}}
+            <FormField
+              @attr={{attr}}
+              @model={{@form}}
+              @modelValidations={{this.modelValidations}}
+              @onKeyUp={{this.updateWarningValidation}}
+            />
+          {{/if}}
+        {{/each}}
+      {{else}}
+        <Hds::Accordion @size="large" as |A|>
+          <A.Item data-test-accordion={{group}}>
+            <:toggle>{{group}}</:toggle>
+            <:content>
+              {{#each fields as |attr|}}
+                <FormField
+                  @attr={{attr}}
+                  @model={{@form}}
+                  @modelValidations={{this.modelValidations}}
+                  @onKeyUp={{this.updateWarningValidation}}
+                />
+              {{/each}}
+            </:content>
+          </A.Item>
+        </Hds::Accordion>
       {{/if}}
-      {{#each fields as |attr|}}
-        {{#if (and (eq group "Credentials") (not @form.isNew))}}
-          <EnableInput data-test-enable-field={{attr.name}} class="field" @attr={{attr}}>
-            <FormField @attr={{attr}} @model={{@form}} @modelValidations={{this.modelValidations}} />
-          </EnableInput>
-        {{else}}
-          <FormField
-            @attr={{attr}}
-            @model={{@form}}
-            @modelValidations={{this.modelValidations}}
-            @onKeyUp={{this.updateWarningValidation}}
-          />
-        {{/if}}
-      {{/each}}
     {{/each-in}}
   {{/each}}
 
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts b/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts
index ddd5216e26..db1f470380 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts
@@ -9,29 +9,55 @@ import { tracked } from '@glimmer/tracking';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
 import { service } from '@ember/service';
+import { assert } from '@ember/debug';
+import { next } from '@ember/runloop';
 import { findDestination } from 'core/helpers/sync-destinations';
 import apiMethodResolver from 'sync/utils/api-method-resolver';
+import { DEFAULT_IDENTITY_TOKEN_TTL } from 'vault/forms/sync/create-destination';
 
 import type { ValidationMap } from 'vault/app-types';
 import type FlashMessageService from 'vault/services/flash-messages';
 import type RouterService from '@ember/routing/router-service';
 import type ApiService from 'vault/services/api';
-import type { DestinationForm, DestinationType } from 'vault/sync';
+import VersionService from 'vault/services/version';
+import {
+  DestinationType,
+  CredentialType,
+  CLOUD_DESTINATION_TYPES,
+  WIF_CREDENTIAL_FIELDS,
+  ACCOUNT_CREDENTIAL_FIELDS,
+  type CloudDestinationType,
+} from 'sync/utils/constants';
+import type { DestinationForm, DestinationRoleTypeOption } from 'vault/sync';
 import type Owner from '@ember/owner';
+import AwsSmForm from 'vault/forms/sync/aws-sm';
+import AzureKvForm from 'vault/forms/sync/azure-kv';
+import GcpSmForm from 'vault/forms/sync/gcp-sm';
+
+type CloudDestinationForm = AwsSmForm | AzureKvForm | GcpSmForm;
 
 interface Args {
   type: DestinationType;
   form: DestinationForm;
 }
 
+function isCloudDestinationForm(
+  type: DestinationType,
+  _form: DestinationForm
+): _form is CloudDestinationForm {
+  return CLOUD_DESTINATION_TYPES.includes(type as CloudDestinationType);
+}
+
 export default class DestinationsCreateForm extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
   @service('app-router') declare readonly router: RouterService;
   @service declare readonly api: ApiService;
+  @service declare readonly version: VersionService;
 
   @tracked modelValidations: ValidationMap | null = null;
   @tracked invalidFormMessage = '';
   @tracked error = '';
+  isAccessTypeDisabled = false;
 
   declare readonly initialCustomTags?: Record<string, string>;
 
@@ -44,6 +70,30 @@ export default class DestinationsCreateForm extends Component<Args> {
     if (custom_tags) {
       this.initialCustomTags = { ...custom_tags };
     }
+
+    // the following checks are only relevant to existing cloud destination configurations with WIF support
+    if (this.version.isEnterprise && !args.form.isNew && isCloudDestinationForm(args.type, args.form)) {
+      const cloudForm = args.form;
+      const { isWifPluginConfigured, isAccountPluginConfigured } = cloudForm;
+
+      assert(
+        `'isWifPluginConfigured' is required to be defined on the config model. Must return a boolean.`,
+        isWifPluginConfigured !== undefined
+      );
+      const credentialType = isWifPluginConfigured ? CredentialType.WIF : CredentialType.ACCOUNT;
+      next(() => {
+        cloudForm.credentialType = credentialType;
+        cloudForm.data.credential_type = credentialType;
+      });
+      // if wif or account only attributes are defined, disable the user's ability to change the access type
+      this.isAccessTypeDisabled = isWifPluginConfigured || isAccountPluginConfigured;
+    }
+  }
+
+  get roleTypeOptions(): Array<DestinationRoleTypeOption> {
+    const { type } = this.args;
+    const destination = findDestination(type);
+    return destination.roleTypeOptions ?? [];
   }
 
   get header() {
@@ -70,7 +120,7 @@ export default class DestinationsCreateForm extends Component<Args> {
             {
               label: 'Destination',
               route: 'secrets.destinations.destination.secrets',
-              model: { name, type },
+              models: [type, name],
             },
             { label: 'Edit destination' },
           ],
@@ -85,12 +135,22 @@ export default class DestinationsCreateForm extends Component<Args> {
       case 'Advanced configuration':
         return 'Configuration options for the destination.';
       case 'Credentials':
+      case 'IAM credentials':
+      case 'Client secret':
+      case 'JSON credentials':
         return `Connection credentials are sensitive information ${dynamicText}.`;
       default:
         return '';
     }
   }
 
+  isCredentialTypeGroup = (group: string): boolean => {
+    const { type } = this.args;
+    const credentialGroups = ['WIF credentials', 'IAM credentials', 'Client secret', 'JSON credentials'];
+
+    return CLOUD_DESTINATION_TYPES.includes(type as CloudDestinationType) && credentialGroups.includes(group);
+  };
+
   diffCustomTags(payload: Record<string, unknown>) {
     // if tags were removed we need to add them to the payload
     const { isNew } = this.args.form;
@@ -124,11 +184,20 @@ export default class DestinationsCreateForm extends Component<Args> {
       if (isValid) {
         try {
           const payload = data as unknown as Record<string, unknown>;
+          // remove credential_type since it's not an actual field on the API payload, it's only used for form validation
+          delete payload['credential_type'];
           this.diffCustomTags(payload);
           const method = apiMethodResolver(form.isNew ? 'write' : 'patch', type);
           await this.api.sys[method](name, payload);
 
           this.router.transitionTo('vault.cluster.sync.secrets.destinations.destination.details', type, name);
+          const successMessage = form.isNew
+            ? 'You have successfully created a sync destination.'
+            : 'You have successfully updated the sync destination.';
+          const successTitle = form.isNew ? 'Connection successful' : 'Destination updated';
+          this.flashMessages.success(successMessage, {
+            title: successTitle,
+          });
         } catch (error) {
           const { message } = await this.api.parseError(
             error,
@@ -143,11 +212,50 @@ export default class DestinationsCreateForm extends Component<Args> {
   @action
   updateWarningValidation() {
     if (this.args.form.isNew) return;
-    // check for warnings on change
     const { state } = this.args.form.toJSON();
     this.modelValidations = state;
   }
 
+  private resetWifFields(form: CloudDestinationForm, type: CloudDestinationType) {
+    const fields = WIF_CREDENTIAL_FIELDS[type];
+    fields.forEach((field) => {
+      if (field in form.data) {
+        (form.data as unknown as Record<string, unknown>)[field] = undefined;
+      }
+    });
+  }
+
+  private resetAccountFields(form: CloudDestinationForm, type: CloudDestinationType) {
+    const fields = ACCOUNT_CREDENTIAL_FIELDS[type];
+    fields.forEach((field) => {
+      if (field in form.data) {
+        (form.data as unknown as Record<string, unknown>)[field] = undefined;
+      }
+    });
+  }
+
+  @action
+  onTypeChange(option: DestinationRoleTypeOption) {
+    const { type, form } = this.args;
+
+    if (!isCloudDestinationForm(type, form)) {
+      return;
+    }
+
+    form.credentialType = option.value;
+    form.data.credential_type = option.value;
+
+    if (option.value === CredentialType.ACCOUNT) {
+      this.resetWifFields(form, type as CloudDestinationType);
+    } else if (option.value === CredentialType.WIF) {
+      this.resetAccountFields(form, type as CloudDestinationType);
+      form.data.identity_token_ttl = DEFAULT_IDENTITY_TOKEN_TTL;
+    }
+
+    this.modelValidations = null;
+    this.invalidFormMessage = '';
+  }
+
   @action
   cancel() {
     const route = this.args.form.isNew ? 'create' : 'destination';
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.hbs b/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.hbs
index 95d3cb94c3..63e843da26 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.hbs
@@ -5,7 +5,7 @@
 
 <Secrets::DestinationHeader @destination={{@destination}} @capabilities={{@capabilities}} />
 {{#each this.displayFields as |field|}}
-  {{#let (get @destination field) as |fieldValue|}}
+  {{#let (this.getFieldValue field) as |fieldValue|}}
     {{#if (this.isMasked field)}}
       <InfoTableRow @label={{this.fieldLabel field}}>
         <Hds::Badge @text={{this.credentialValue fieldValue}} @icon="check-circle" @color="success" />
@@ -20,7 +20,11 @@
         <InfoTableRow @alwaysRender={{false}} @label={{key}} @value={{value}} />
       {{/each-in}}
     {{else}}
-      <InfoTableRow @label={{this.fieldLabel field}} @value={{fieldValue}} />
+      <InfoTableRow
+        @label={{this.fieldLabel field}}
+        @value={{fieldValue}}
+        @formatTtl={{(eq field "connection_details.identity_token_ttl")}}
+      />
     {{/if}}
   {{/let}}
 {{/each}}
\ No newline at end of file
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.ts b/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.ts
index cf7c42e7f7..bdac32b9b7 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.ts
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/destination/details.ts
@@ -6,8 +6,14 @@
 import Component from '@glimmer/component';
 import { findDestination } from 'core/helpers/sync-destinations';
 import { toLabel } from 'core/helpers/to-label';
-
-import type { Destination } from 'vault/sync';
+import {
+  DestinationType,
+  CLOUD_DESTINATION_TYPES,
+  ACCOUNT_CREDENTIAL_FIELDS,
+  WIF_CREDENTIAL_FIELDS,
+  type CloudDestinationType,
+} from 'sync/utils/constants';
+import type { Destination, DestinationConnectionDetails, DestinationOptions } from 'vault/sync';
 import type { CapabilitiesMap } from 'vault/app-types';
 
 interface Args {
@@ -15,19 +21,83 @@ interface Args {
   capabilities: CapabilitiesMap;
 }
 
+function isCloudDestinationType(type: DestinationType): type is CloudDestinationType {
+  return CLOUD_DESTINATION_TYPES.includes(type as CloudDestinationType);
+}
+
 export default class DestinationDetailsPage extends Component<Args> {
-  connectionDetailsMap = {
-    'aws-sm': ['region', 'access_key_id', 'secret_access_key', 'role_arn', 'external_id'],
-    'azure-kv': ['key_vault_uri', 'tenant_id', 'cloud', 'client_id', 'client_secret'],
-    'gcp-sm': ['project_id', 'credentials'],
-    gh: ['repository_owner', 'repository_name', 'access_token'],
-    'vercel-project': ['access_token', 'project_id', 'team_id', 'deployment_environments'],
-  };
+  private getCredentialType(destination: Destination): string | undefined {
+    if (!isCloudDestinationType(destination.type)) {
+      return undefined;
+    }
+
+    const isWIF = !!destination.connection_details?.identity_token_audience;
+
+    if (isWIF) {
+      return 'WIF';
+    }
+
+    const accountCredentialTypes: Record<CloudDestinationType, string> = {
+      [DestinationType.AwsSm]: 'IAM',
+      [DestinationType.AzureKv]: 'Client secret',
+      [DestinationType.GcpSm]: 'JSON',
+    };
+
+    return accountCredentialTypes[destination.type];
+  }
+  get connectionDetailsMap() {
+    const { destination } = this.args;
+    const isWIF = !!destination.connection_details?.identity_token_audience;
+
+    const baseMap = {
+      [DestinationType.AwsSm]: [
+        'region',
+        'external_id',
+        'credential_type',
+        'role_arn',
+        'access_key_id',
+        'secret_access_key',
+        'identity_token_ttl',
+      ],
+      [DestinationType.AzureKv]: [
+        'key_vault_uri',
+        'tenant_id',
+        'cloud',
+        'client_id',
+        'credential_type',
+        'client_secret',
+        'identity_token_ttl',
+      ],
+      [DestinationType.GcpSm]: [
+        'project_id',
+        'credential_type',
+        'credentials',
+        'service_account_email',
+        'identity_token_ttl',
+      ],
+      [DestinationType.Gh]: ['repository_owner', 'repository_name', 'access_token'],
+      [DestinationType.VercelProject]: ['access_token', 'project_id', 'team_id', 'deployment_environments'],
+    };
+
+    if (isCloudDestinationType(destination.type)) {
+      const fieldsToRemove = isWIF
+        ? ACCOUNT_CREDENTIAL_FIELDS[destination.type]
+        : WIF_CREDENTIAL_FIELDS[destination.type];
+      baseMap[destination.type] = baseMap[destination.type].filter(
+        (field) => !fieldsToRemove.includes(field)
+      );
+    }
+
+    return baseMap;
+  }
 
   get displayFields() {
     const { destination } = this.args;
     const type = destination.type as keyof typeof this.connectionDetailsMap;
-    const connectionDetails = this.connectionDetailsMap[type].map((field) => `connection_details.${field}`);
+
+    const availableFields = this.connectionDetailsMap[type] || [];
+    const connectionDetails = availableFields.map((field) => `connection_details.${field}`);
+
     const fields = [
       'name',
       ...connectionDetails,
@@ -35,13 +105,34 @@ export default class DestinationDetailsPage extends Component<Args> {
       'options.secret_name_template',
     ];
 
-    if (!['gh', 'vercel-project'].includes(type)) {
+    if (CLOUD_DESTINATION_TYPES.includes(type as CloudDestinationType)) {
       fields.push('options.custom_tags');
     }
 
     return fields;
   }
 
+  getFieldValue = (field: string): unknown => {
+    const { destination } = this.args;
+    const fieldName = this.fieldName(field);
+
+    if (fieldName === 'credential_type') {
+      return this.getCredentialType(destination);
+    }
+
+    if (field.startsWith('connection_details.')) {
+      const connectionDetails = destination.connection_details;
+      return connectionDetails?.[fieldName as keyof DestinationConnectionDetails];
+    }
+
+    if (field.startsWith('options.')) {
+      const options = destination.options;
+      return options?.[fieldName as keyof DestinationOptions];
+    }
+
+    return destination[fieldName as keyof Destination];
+  };
+
   // remove connection_details or options from the field name
   fieldName(field: string) {
     return field.replace(/(connection_details|options)\./, '');
@@ -61,6 +152,7 @@ export default class DestinationDetailsPage extends Component<Args> {
       project_id: 'Project ID',
       credentials: 'JSON credentials',
       team_id: 'Team ID',
+      identity_token_ttl: 'Identity token time to live',
     }[fieldName];
 
     return customLabel || toLabel([fieldName]);
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs b/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs
index 28b1a99c48..6a837ce135 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs
@@ -91,17 +91,22 @@
     />
   </div>
 {{else}}
-  <EmptyState
-    @title="No synced secrets yet"
-    @message="Select secrets from existing KV version 2 engines and sync them to the destination."
-  >
-    <Hds::Link::Standalone
-      @text="Sync secrets"
-      @icon="chevron-right"
-      @iconPosition="trailing"
-      @route="secrets.destinations.destination.sync"
+  <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+    <A.Header @title="No synced secrets yet" @titleTag="h2" data-test-empty-state-title />
+    <A.Body
+      @text="Select secrets from existing KV version 2 engines and sync them to the destination."
+      data-test-empty-state-message
     />
-  </EmptyState>
+    <A.Footer as |F|>
+      <F.LinkStandalone
+        @text="Sync secrets"
+        @icon="chevron-right"
+        @iconPosition="trailing"
+        @route="secrets.destinations.destination.sync"
+        data-test-empty-state-actions
+      />
+    </A.Footer>
+  </Hds::ApplicationState>
 {{/if}}
 
 {{#if this.secretToUnsync}}
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/select-type.hbs b/ui/lib/sync/addon/components/secrets/page/destinations/select-type.hbs
index 6a01eba83a..166bb63ab6 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/select-type.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/select-type.hbs
@@ -24,7 +24,7 @@
         @onClick={{transition-to "vault.cluster.sync.secrets.destinations.create.destination" d.type}}
         data-test-select-destination={{d.type}}
       >
-        <Icon @name={{d.icon}} @size="24" />
+        <Icon class="has-right-margin-4 has-left-margin-xxs" @name={{d.icon}} @size="24" />
         <Hds::Text::Display @tag="h3" @size="300">
           {{d.name}}
         </Hds::Text::Display>
diff --git a/ui/lib/sync/addon/components/secrets/page/overview.hbs b/ui/lib/sync/addon/components/secrets/page/overview.hbs
index aabe4545c4..2bf2129c87 100644
--- a/ui/lib/sync/addon/components/secrets/page/overview.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/overview.hbs
@@ -11,6 +11,7 @@
         @color="warning"
         @onDismiss={{if @canActivateSecretsSync (fn (mut this.hideOptIn) true) undefined}}
         data-test-secrets-sync-opt-in-banner
+        class="bottom-margin-16"
         as |A|
       >
         <A.Title>Enable Secrets Sync feature</A.Title>
@@ -76,17 +77,18 @@
           Loading destinations...
         </div>
       {{else if (not this.destinationMetrics)}}
-        <EmptyState
-          @title="Error fetching information"
-          @message="Ensure that the policy has access to read sync associations."
-        >
-          <Hds::Link::Standalone
-            @icon="docs-link"
-            @iconPosition="trailing"
-            @text="Secrets Sync association API docs"
-            @href={{doc-link "/vault/api-docs/system/secrets-sync#read-associations"}}
-          />
-        </EmptyState>
+        <Hds::ApplicationState class="top-padding-32 is-marginless" as |A|>
+          <A.Header @title="Error fetching information" @titleTag="h2" data-test-empty-state-title />
+          <A.Body @text="Ensure that the policy has access to read sync associations." data-test-empty-state-message />
+          <A.Footer data-test-empty-state-actions as |F|>
+            <F.LinkStandalone
+              @icon="docs-link"
+              @iconPosition="trailing"
+              @text="Secrets Sync association API docs"
+              @href={{doc-link "/vault/api-docs/system/secrets-sync#read-associations"}}
+            />
+          </A.Footer>
+        </Hds::ApplicationState>
       {{else}}
         <Hds::Table>
           <:head as |H|>
diff --git a/ui/lib/sync/addon/components/secrets/page/overview.ts b/ui/lib/sync/addon/components/secrets/page/overview.ts
index 5651aa33ba..246a419cd7 100644
--- a/ui/lib/sync/addon/components/secrets/page/overview.ts
+++ b/ui/lib/sync/addon/components/secrets/page/overview.ts
@@ -11,13 +11,14 @@ import { action } from '@ember/object';
 import Ember from 'ember';
 import { macroCondition, isDevelopingApp } from '@embroider/macros';
 import { findDestination } from 'core/helpers/sync-destinations';
+import { DestinationType } from 'sync/utils/constants';
 
 import type FlashMessageService from 'vault/services/flash-messages';
 import type VersionService from 'vault/services/version';
 import type FlagsService from 'vault/services/flags';
 import type ApiService from 'vault/services/api';
 import type { SystemReadSyncDestinationsTypeNameAssociationsResponse } from '@hashicorp/vault-client-typescript';
-import type { ListDestination, DestinationMetrics, AssociatedSecret, DestinationType } from 'vault/sync';
+import type { ListDestination, DestinationMetrics, AssociatedSecret } from 'vault/sync';
 
 interface Args {
   destinations: ListDestination[];
@@ -127,7 +128,7 @@ export default class SyncSecretsDestinationsPageComponent extends Component<Args
 
     if (this.flags.isHvdManaged) {
       errors.push(
-        'Secrets Sync is available for Plus tier clusters only. Please check the tier of your cluster to enable Secrets Sync.'
+        'Secrets Sync is available for Standard tier clusters only. Please check the tier of your cluster to enable Secrets Sync.'
       );
     }
     this.activationErrors = errors;
diff --git a/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts b/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts
index 9e6e2d8f13..47bd5c44ca 100644
--- a/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts
+++ b/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts
@@ -9,6 +9,7 @@ import { service } from '@ember/service';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
 
+import type { TaskGenerator } from 'ember-concurrency';
 import type FlagsService from 'vault/services/flags';
 import type FlashMessageService from 'vault/services/flash-messages';
 import type RouterService from '@ember/routing/router-service';
@@ -30,7 +31,7 @@ export default class SyncActivationModal extends Component<Args> {
 
   @task
   @waitFor
-  *onFeatureConfirm() {
+  *onFeatureConfirm(): TaskGenerator<void> {
     // clear any previous errors in the parent component
     this.args.onConfirm();
 
@@ -38,7 +39,7 @@ export default class SyncActivationModal extends Component<Args> {
     // for non-managed clusters the root namespace path is technically an empty string, otherwise we pass 'admin' if HVD managed.
     const namespace = this.flags.hvdManagedNamespaceRoot || '';
     try {
-      yield this.api.sys.activationFlagsActivate_3(this.api.buildHeaders({ namespace }));
+      yield this.api.sys.activationFlagsActivate_5(this.api.buildHeaders({ namespace }));
       // must refresh and not transition because transition does not refresh the model from within a namespace
       yield this.router.refresh('vault.cluster');
     } catch (error) {
diff --git a/ui/lib/sync/addon/components/sync-header.hbs b/ui/lib/sync/addon/components/sync-header.hbs
index a6e936f016..4cea10c300 100644
--- a/ui/lib/sync/addon/components/sync-header.hbs
+++ b/ui/lib/sync/addon/components/sync-header.hbs
@@ -11,7 +11,7 @@
   </:breadcrumbs>
   <:badges>
     {{#if this.flags.isHvdManaged}}
-      <Hds::Badge @text="Plus feature" @color="highlight" @size="large" data-test-badge="Plus feature" />
+      <Hds::Badge @text="Standard feature" @color="highlight" @size="large" data-test-badge="Standard feature" />
     {{/if}}
   </:badges>
 </Page::Header>
\ No newline at end of file
diff --git a/ui/lib/sync/addon/routes/secrets/destinations/create/destination.ts b/ui/lib/sync/addon/routes/secrets/destinations/create/destination.ts
index 6edab84a09..71b2222121 100644
--- a/ui/lib/sync/addon/routes/secrets/destinations/create/destination.ts
+++ b/ui/lib/sync/addon/routes/secrets/destinations/create/destination.ts
@@ -6,8 +6,7 @@
 import Route from '@ember/routing/route';
 import { findDestination } from 'core/helpers/sync-destinations';
 import formResolver from 'vault/forms/sync/resolver';
-
-import type { DestinationType } from 'vault/sync';
+import { DestinationType } from 'sync/utils/constants';
 
 type Params = {
   type: DestinationType;
diff --git a/ui/lib/sync/addon/routes/secrets/destinations/index.ts b/ui/lib/sync/addon/routes/secrets/destinations/index.ts
index 31af7113dc..3b8d19d3dc 100644
--- a/ui/lib/sync/addon/routes/secrets/destinations/index.ts
+++ b/ui/lib/sync/addon/routes/secrets/destinations/index.ts
@@ -5,7 +5,7 @@
 
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
-import { SystemListSyncDestinationsListEnum } from '@hashicorp/vault-client-typescript';
+import { SystemApiSystemListSyncDestinationsListEnum } from '@hashicorp/vault-client-typescript';
 import { listDestinationsTransform } from 'sync/utils/api-transforms';
 import { paginate } from 'core/utils/paginate-list';
 
@@ -56,7 +56,9 @@ export default class SyncSecretsDestinationsIndexRoute extends Route {
 
   async model(params: SyncSecretsDestinationsIndexRouteParams) {
     const { name = '', type = '', page } = params;
-    const response = await this.api.sys.systemListSyncDestinations(SystemListSyncDestinationsListEnum.TRUE);
+    const response = await this.api.sys.systemListSyncDestinations(
+      SystemApiSystemListSyncDestinationsListEnum.TRUE
+    );
     // transform and paginate destinations response
     const destinations = listDestinationsTransform(response, name, type);
     const paginatedDestinations = paginate(destinations, { page: Number(page) || 1 });
diff --git a/ui/lib/sync/addon/routes/secrets/overview.ts b/ui/lib/sync/addon/routes/secrets/overview.ts
index 70a8dadd66..c3fa3bd957 100644
--- a/ui/lib/sync/addon/routes/secrets/overview.ts
+++ b/ui/lib/sync/addon/routes/secrets/overview.ts
@@ -6,8 +6,8 @@
 import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 import {
-  SystemListSyncDestinationsListEnum,
-  SystemListSyncAssociationsListEnum,
+  SystemApiSystemListSyncDestinationsListEnum,
+  SystemApiSystemListSyncAssociationsListEnum,
 } from '@hashicorp/vault-client-typescript';
 import { listDestinationsTransform } from 'sync/utils/api-transforms';
 
@@ -35,8 +35,12 @@ export default class SyncSecretsOverviewRoute extends Route {
     const requests = isActivated
       ? [
           capabilitiesReq,
-          this.api.sys.systemListSyncAssociations(SystemListSyncAssociationsListEnum.TRUE).catch(() => []),
-          this.api.sys.systemListSyncDestinations(SystemListSyncDestinationsListEnum.TRUE).catch(() => []),
+          this.api.sys
+            .systemListSyncAssociations(SystemApiSystemListSyncAssociationsListEnum.TRUE)
+            .catch(() => []),
+          this.api.sys
+            .systemListSyncDestinations(SystemApiSystemListSyncDestinationsListEnum.TRUE)
+            .catch(() => []),
         ]
       : [capabilitiesReq, [], []];
 
diff --git a/ui/lib/sync/addon/utils/api-method-resolver.ts b/ui/lib/sync/addon/utils/api-method-resolver.ts
index 8c7f53e13d..07b88483c0 100644
--- a/ui/lib/sync/addon/utils/api-method-resolver.ts
+++ b/ui/lib/sync/addon/utils/api-method-resolver.ts
@@ -13,8 +13,7 @@
  */
 
 import { capitalize, classify } from '@ember/string';
-
-import type { DestinationType } from 'vault/sync';
+import { DestinationType } from 'sync/utils/constants';
 
 type TypeKey = 'AwsSm' | 'AzureKv' | 'GcpSm' | 'Gh' | 'VercelProject';
 
diff --git a/ui/lib/sync/addon/utils/api-transforms.ts b/ui/lib/sync/addon/utils/api-transforms.ts
index 794207f2f0..cc02d024e1 100644
--- a/ui/lib/sync/addon/utils/api-transforms.ts
+++ b/ui/lib/sync/addon/utils/api-transforms.ts
@@ -4,8 +4,9 @@
  */
 
 import { findDestination } from 'core/helpers/sync-destinations';
+import { DestinationType } from 'sync/utils/constants';
 
-import type { DestinationType, ListDestination } from 'vault/sync';
+import type { ListDestination } from 'vault/sync';
 import type { SystemListSyncDestinationsResponse } from '@hashicorp/vault-client-typescript';
 
 // transforms the systemListSyncDestinations response to a flat array
diff --git a/ui/lib/sync/addon/utils/constants.ts b/ui/lib/sync/addon/utils/constants.ts
new file mode 100644
index 0000000000..f819c1daa5
--- /dev/null
+++ b/ui/lib/sync/addon/utils/constants.ts
@@ -0,0 +1,39 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export enum CredentialType {
+  ACCOUNT = 'account',
+  WIF = 'wif',
+}
+
+export enum DestinationType {
+  AwsSm = 'aws-sm',
+  AzureKv = 'azure-kv',
+  GcpSm = 'gcp-sm',
+  Gh = 'gh',
+  VercelProject = 'vercel-project',
+}
+
+export const CLOUD_DESTINATION_TYPES = [
+  DestinationType.AwsSm,
+  DestinationType.AzureKv,
+  DestinationType.GcpSm,
+] as const;
+
+export type CloudDestinationType = (typeof CLOUD_DESTINATION_TYPES)[number];
+
+const COMMON_WIF_FIELDS = ['identity_token_audience', 'identity_token_ttl', 'identity_token_key'];
+
+export const ACCOUNT_CREDENTIAL_FIELDS: Record<CloudDestinationType, string[]> = {
+  [DestinationType.AwsSm]: ['access_key_id', 'secret_access_key'],
+  [DestinationType.AzureKv]: ['client_secret'],
+  [DestinationType.GcpSm]: ['credentials'],
+};
+
+export const WIF_CREDENTIAL_FIELDS: Record<CloudDestinationType, string[]> = {
+  [DestinationType.AwsSm]: [...COMMON_WIF_FIELDS],
+  [DestinationType.AzureKv]: [...COMMON_WIF_FIELDS],
+  [DestinationType.GcpSm]: [...COMMON_WIF_FIELDS, 'service_account_email'],
+};
diff --git a/ui/mirage/factories/mfa-login-enforcement.js b/ui/mirage/factories/mfa-login-enforcement.js
index 01ca3b500e..973076ca2a 100644
--- a/ui/mirage/factories/mfa-login-enforcement.js
+++ b/ui/mirage/factories/mfa-login-enforcement.js
@@ -43,7 +43,7 @@ export default Factory.extend({
       identity_entity_ids: ['f831667b-7392-7a1c-c0fc-33d48cb1c57d'],
     };
     for (const key in targets) {
-      if (!record.key) {
+      if (!record[key]) {
         record.update(key, targets[key]);
       }
     }
diff --git a/ui/mirage/handlers/clients.js b/ui/mirage/handlers/clients.js
index 631b7e509e..9befbd672d 100644
--- a/ui/mirage/handlers/clients.js
+++ b/ui/mirage/handlers/clients.js
@@ -44,6 +44,67 @@ export const CONFIG_RESPONSE = {
   },
 };
 
+export const LICENSE_STATUS_RESPONSE = {
+  request_id: 'my-license-request-id',
+  data: {
+    autoloaded: {
+      license_id: 'my-license-id',
+      start_time: formatRFC3339(LICENSE_START),
+      expiration_time: formatRFC3339(endOfMonth(addMonths(STATIC_NOW, 6))),
+    },
+  },
+};
+
+export const VERSION_HISTORY_RESPONSE = {
+  request_id: 'version-history-request-id',
+  data: {
+    keys: ['1.9.0', '1.9.1', '1.10.1', '1.10.3', '1.14.4', '1.16.0', '1.17.0'],
+    key_info: {
+      // entity/non-entity breakdown added
+      '1.9.0': {
+        // we don't currently use build_date, including for accuracy. it's only tracked in versions >= 1.11.0
+        build_date: null,
+        previous_version: null,
+        timestamp_installed: '2023-07-02T00:00:00Z',
+      },
+      '1.9.1': {
+        build_date: null,
+        previous_version: '1.9.0',
+        timestamp_installed: '2023-08-02T00:00:00Z',
+      },
+      // auth mount attribution added in 1.10.0
+      '1.10.1': {
+        build_date: null,
+        previous_version: '1.9.1',
+        timestamp_installed: '2023-09-02T00:00:00Z', // same as UPGRADE_DATE
+      },
+      '1.10.3': {
+        build_date: null,
+        previous_version: '1.10.1',
+        timestamp_installed: '2023-10-23T00:00:00Z',
+      },
+      // no notable UI changes
+      '1.14.4': {
+        build_date: '2023-11-02T00:00:00Z',
+        previous_version: '1.10.3',
+        timestamp_installed: '2023-11-02T00:00:00Z',
+      },
+      // sync clients added
+      '1.16.0': {
+        build_date: '2023-11-23T00:00:00Z',
+        previous_version: '1.14.4',
+        timestamp_installed: '2023-11-23T00:00:00Z',
+      },
+      // acme_clients separated from non-entity clients
+      '1.17.0': {
+        build_date: '2023-12-02T00:00:00Z',
+        previous_version: '1.16.0',
+        timestamp_installed: '2023-12-02T00:00:00Z',
+      },
+    },
+  },
+};
+
 // --------- FOR DATA GENERATION
 function getSum(array, key) {
   return array.reduce((sum, { counts }) => sum + counts[key], 0);
@@ -163,7 +224,7 @@ function generateMonths(startDate, endDate, namespaces) {
   return months;
 }
 
-function generateActivityResponse(startDate, endDate) {
+function generateActivityData(startDate, endDate) {
   let namespaces = Array.from(Array(12)).map((v, idx) => generateNamespaceBlock(idx, null, null, true));
   const months = generateMonths(startDate, endDate, namespaces);
   if (months.length) {
@@ -276,19 +337,56 @@ function filterActivityResponse(originalData, namespacePath) {
   };
 }
 
+export function generateActivityResponse(start, end, namespace, activities) {
+  let start_time = start;
+  let end_time = end;
+  if (!start_time) {
+    // if there are no date query params, the activity log default behavior
+    // queries from the builtin license start timestamp to the current month
+    start_time = LICENSE_START.toISOString();
+  }
+  if (!end_time) {
+    end_time = STATIC_NOW.toISOString();
+  }
+  // backend returns a timestamp if given unix time, so first convert to timestamp string here
+  if (!start_time?.includes('T')) start_time = fromUnixTime(start_time).toISOString();
+  if (!end_time?.includes('T')) end_time = fromUnixTime(end_time).toISOString();
+
+  const record = activities?.findBy({ start_time, end_time });
+  let data;
+  if (record) {
+    // if we already have data for the given start/end time, use that
+    data = {
+      start_time: record.start_time,
+      end_time: record.end_time,
+      by_namespace: record.by_namespace,
+      months: record.months,
+      total: record.total,
+    };
+  } else {
+    data = generateActivityData(start_time, end_time);
+    activities?.create(data);
+  }
+  return {
+    request_id: 'some-activity-id',
+    lease_id: '',
+    renewable: false,
+    lease_duration: 0,
+    data: filterActivityResponse(data, namespace),
+    wrap_info: null,
+    warnings: end
+      ? null
+      : [
+          'Since this usage period includes both the current month and at least one historical month, counts returned in this usage period are an estimate. Client counts for this period will no longer be estimated at the start of the next month.',
+        ],
+    auth: null,
+  };
+}
+
 // --------- SERVER FN
 export default function (server) {
   server.get('sys/license/status', function () {
-    return {
-      request_id: 'my-license-request-id',
-      data: {
-        autoloaded: {
-          license_id: 'my-license-id',
-          start_time: formatRFC3339(LICENSE_START),
-          expiration_time: formatRFC3339(endOfMonth(addMonths(STATIC_NOW, 6))),
-        },
-      },
-    };
+    return LICENSE_STATUS_RESPONSE;
   });
 
   server.get('sys/internal/counters/config', function () {
@@ -298,49 +396,8 @@ export default function (server) {
   server.get('/sys/internal/counters/activity', (schema, req) => {
     const activities = schema['clients/activities'];
     const namespace = req.requestHeaders['X-Vault-Namespace'];
-    let { start_time, end_time } = req.queryParams;
-
-    if (!start_time) {
-      // if there are no date query params, the activity log default behavior
-      // queries from the builtin license start timestamp to the current month
-      start_time = LICENSE_START.toISOString();
-    }
-    if (!end_time) {
-      end_time = STATIC_NOW.toISOString();
-    }
-    // backend returns a timestamp if given unix time, so first convert to timestamp string here
-    if (!start_time?.includes('T')) start_time = fromUnixTime(start_time).toISOString();
-    if (!end_time?.includes('T')) end_time = fromUnixTime(end_time).toISOString();
-
-    const record = activities.findBy({ start_time, end_time });
-    let data;
-    if (record) {
-      // if we already have data for the given start/end time, use that
-      data = {
-        start_time: record.start_time,
-        end_time: record.end_time,
-        by_namespace: record.by_namespace,
-        months: record.months,
-        total: record.total,
-      };
-    } else {
-      data = generateActivityResponse(start_time, end_time);
-      activities.create(data);
-    }
-    const response = {
-      request_id: 'some-activity-id',
-      lease_id: '',
-      renewable: false,
-      lease_duration: 0,
-      data: filterActivityResponse(data, namespace),
-      wrap_info: null,
-      warnings: req.queryParams.end_time
-        ? null
-        : [
-            'Since this usage period includes both the current month and at least one historical month, counts returned in this usage period are an estimate. Client counts for this period will no longer be estimated at the start of the next month.',
-          ],
-      auth: null,
-    };
+    const { start_time, end_time } = req.queryParams;
+    const response = generateActivityResponse(start_time, end_time, namespace, activities);
     // need to set Content-Length header for api service to show warnings
     return new Response(200, { 'Content-Length': JSON.stringify(response).length }, response);
   });
@@ -348,54 +405,6 @@ export default function (server) {
   // client counting has changed in different ways since 1.9 see link below for details
   // https://developer.hashicorp.com/vault/docs/concepts/client-count/faq#client-count-faq
   server.get('sys/version-history', function () {
-    return {
-      request_id: 'version-history-request-id',
-      data: {
-        keys: ['1.9.0', '1.9.1', '1.10.1', '1.10.3', '1.14.4', '1.16.0', '1.17.0'],
-        key_info: {
-          // entity/non-entity breakdown added
-          '1.9.0': {
-            // we don't currently use build_date, including for accuracy. it's only tracked in versions >= 1.11.0
-            build_date: null,
-            previous_version: null,
-            timestamp_installed: '2023-07-02T00:00:00Z',
-          },
-          '1.9.1': {
-            build_date: null,
-            previous_version: '1.9.0',
-            timestamp_installed: '2023-08-02T00:00:00Z',
-          },
-          // auth mount attribution added in 1.10.0
-          '1.10.1': {
-            build_date: null,
-            previous_version: '1.9.1',
-            timestamp_installed: '2023-09-02T00:00:00Z', // same as UPGRADE_DATE
-          },
-          '1.10.3': {
-            build_date: null,
-            previous_version: '1.10.1',
-            timestamp_installed: '2023-10-23T00:00:00Z',
-          },
-          // no notable UI changes
-          '1.14.4': {
-            build_date: '2023-11-02T00:00:00Z',
-            previous_version: '1.10.3',
-            timestamp_installed: '2023-11-02T00:00:00Z',
-          },
-          // sync clients added
-          '1.16.0': {
-            build_date: '2023-11-23T00:00:00Z',
-            previous_version: '1.14.4',
-            timestamp_installed: '2023-11-23T00:00:00Z',
-          },
-          // acme_clients separated from non-entity clients
-          '1.17.0': {
-            build_date: '2023-12-02T00:00:00Z',
-            previous_version: '1.16.0',
-            timestamp_installed: '2023-12-02T00:00:00Z',
-          },
-        },
-      },
-    };
+    return VERSION_HISTORY_RESPONSE;
   });
 }
diff --git a/ui/mirage/handlers/mfa-config.js b/ui/mirage/handlers/mfa-config.js
index 455ff93e36..aed8545ee6 100644
--- a/ui/mirage/handlers/mfa-config.js
+++ b/ui/mirage/handlers/mfa-config.js
@@ -56,8 +56,14 @@ export default function (server) {
     const dataKey = isMethod ? 'id' : 'name';
     const data = records.reduce(
       (resp, record) => {
-        resp.key_info[record[dataKey]] = record;
-        resp.keys.push(record[dataKey]);
+        const key = record[dataKey];
+        // For enforcements, ensure both id and name are set to the same value
+        if (!isMethod && key) {
+          record.id = key;
+          record.name = key;
+        }
+        resp.key_info[key] = record;
+        resp.keys.push(key);
         return resp;
       },
       {
@@ -161,12 +167,13 @@ export default function (server) {
         }
       );
     }
-    if (schema.db.mfaLoginEnforcements.findBy({ name })) {
-      schema.db.mfaLoginEnforcements.update({ name }, data);
+    const existingRecord = schema.db.mfaLoginEnforcements.findBy({ name });
+    if (existingRecord) {
+      schema.db.mfaLoginEnforcements.update(existingRecord.id, { ...data, name });
     } else {
-      schema.db.mfaLoginEnforcements.insert(data);
+      server.create('mfa-login-enforcement', { ...data, name });
     }
-    return { ...data, id: data.name };
+    return { data: { ...data, name, id: name } };
   });
   // delete enforcement
   server.delete('/identity/mfa/login-enforcement/:name', (schema, { params: { name } }) => {
diff --git a/ui/package.json b/ui/package.json
index 4225a942b4..1a5f09dba7 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -13,8 +13,6 @@
     "build": "pnpm build:jsondiffpatch && ember build --environment=production && cp metadata.json ../http/web_ui/metadata.json",
     "build:dev": "pnpm build:jsondiffpatch && ember build",
     "build:jsondiffpatch": "webpack --config webpack.jsondiffpatch.config.js",
-    "docs": "sh scripts/generate-docs.sh",
-    "docfy-md": "node scripts/docfy-md.js",
     "lint:css": "stylelint \"**/*.css\"",
     "lint:css:fix": "pnpm lint:css --fix",
     "lint:fix": "concurrently -c \"auto\" -n lint: \"pnpm:lint:*:fix\"",
@@ -29,11 +27,12 @@
     "fmt:js": "prettier --config .prettierrc.js --write '{app,tests,config,lib}/**/*.js'",
     "fmt:hbs": "prettier --config .prettierrc.js --write '**/*.hbs'",
     "fmt:styles": "prettier --write app/styles/**/*.*",
+    "generate:form-config": "node --no-warnings scripts/generate-form-config.js",
     "start": "VAULT_ADDR=http://127.0.0.1:8200; pnpm build:jsondiffpatch && ember server --proxy=$VAULT_ADDR",
     "start2": "pnpm build:jsondiffpatch && ember server --proxy=http://127.0.0.1:8202 --port=4202",
     "start:chroot": "ember server --proxy=http://127.0.0.1:8300 --port=4300",
     "lint": "concurrently --kill-others-on-fail -P -c \"auto\" -n lint:js,lint:hbs,lint:types \"pnpm:lint:js:quiet\" \"pnpm:lint:hbs:quiet\" \"pnpm:lint:types\"",
-    "test": "pnpm lint && node scripts/start-vault.js",
+    "test": "node scripts/start-vault.js",
     "test:enos": "concurrently --kill-others-on-fail -P -c \"auto\" -n lint:js,lint:hbs,lint:types,enos \"pnpm:lint:js:quiet\" \"pnpm:lint:hbs:quiet\" \"pnpm:lint:types\" \"node scripts/enos-test-ember.js {@}\" --",
     "test:oss": "pnpm test -f='!enterprise'",
     "test:ent": "node scripts/start-vault.js -f='enterprise'",
@@ -46,60 +45,58 @@
     "vault:e2e": "vault server"
   },
   "devDependencies": {
-    "@babel/cli": "~7.27.0",
+    "@babel/cli": "~7.27.2",
     "@babel/core": "~7.26.10",
     "@babel/plugin-proposal-class-properties": "~7.18.6",
-    "@babel/plugin-proposal-decorators": "^7.28.0",
+    "@babel/plugin-proposal-decorators": "^7.29.7",
     "@babel/plugin-proposal-object-rest-spread": "~7.20.7",
-    "@babel/plugin-transform-block-scoping": "~7.27.0",
-    "@babel/preset-env": "~7.26.9",
-    "@babel/preset-typescript": "~7.27.0",
-    "@codemirror/view": "^6.36.2",
+    "@babel/plugin-transform-block-scoping": "~7.27.5",
+    "@babel/preset-env": "~7.29.5",
+    "@babel/preset-typescript": "~7.27.1",
+    "@codemirror/view": "^6.43.0",
     "@docfy/ember": "~0.8.5",
     "@ember/legacy-built-in-components": "~0.4.2",
     "@ember/optional-features": "~2.2.0",
     "@ember/render-modifiers": "~3.0.0",
     "@ember/string": "~4.0.1",
-    "@ember/test-helpers": "~5.2.1",
-    "@ember/test-waiters": "~4.1.0",
-    "@embroider/macros": "1.15.0",
+    "@ember/test-helpers": "~5.2.2",
+    "@ember/test-waiters": "~4.1.1",
+    "@embroider/macros": "~1.20.3",
     "@glimmer/component": "~1.1.2",
     "@glimmer/tracking": "~1.1.2",
-    "@glint/template": "^1.7.3",
+    "@glint/template": "^1.7.7",
     "@icholy/duration": "~5.1.0",
-    "@lineal-viz/lineal": "~0.5.1",
-    "@playwright/test": "^1.58.0",
+    "@playwright/test": "^1.60.0",
     "@tsconfig/ember": "~2.0.0",
-    "@types/d3-array": "~3.2.1",
+    "@types/d3-array": "~3.2.2",
     "@types/ember-data": "~4.4.16",
-    "@types/node": "^25.1.0",
-    "@types/qunit": "~2.19.12",
+    "@types/node": "^25.9.1",
+    "@types/qunit": "~2.19.14",
     "@types/rsvp": "~4.0.9",
     "@types/shell-quote": "~1.7.5",
     "@typescript-eslint/eslint-plugin": "~5.62.0",
     "@typescript-eslint/parser": "~5.62.0",
-    "asn1js": "~3.0.6",
+    "asn1js": "~3.0.10",
     "autosize": "~6.0.1",
     "babel-plugin-inline-json-import": "~0.3.2",
     "base64-js": "~1.5.1",
     "broccoli-asset-rev": "~3.0.0",
-    "broccoli-sri-hash": "meirish/broccoli-sri-hash#rooturl",
+    "broccoli-sri-hash": "github:meirish/broccoli-sri-hash#rooturl",
     "chalk": "^4.1.2",
     "columnify": "~1.6.0",
     "concurrently": "~9.1.2",
     "d3-array": "~3.2.4",
     "d3-axis": "~3.0.0",
-    "d3-format": "~3.1.0",
+    "d3-format": "~3.1.2",
     "d3-scale": "~4.0.2",
     "d3-selection": "~3.0.0",
     "d3-shape": "~3.2.0",
     "date-fns": "~2.30.0",
     "date-fns-tz": "~1.3.8",
-    "doctoc": "~2.2.1",
-    "dompurify": "~3.2.5",
-    "ember-a11y-testing": "~7.1.2",
+    "dompurify": "~3.3.3",
+    "ember-a11y-testing": "~7.1.3",
     "ember-basic-dropdown": "~8.7.0",
-    "ember-cli": "~5.8.0",
+    "ember-cli": "~5.8.1",
     "ember-cli-babel": "~8.2.0",
     "ember-cli-clean-css": "~3.0.0",
     "ember-cli-content-security-policy": "2.0.3",
@@ -109,25 +106,26 @@
     "ember-cli-htmlbars": "~6.3.0",
     "ember-cli-inject-live-reload": "~2.1.0",
     "ember-cli-mirage": "~3.0.4",
-    "ember-cli-page-object": "~2.3.1",
+    "ember-cli-page-object": "~2.3.2",
     "ember-cli-sass": "11.0.1",
-    "ember-cli-sri": "meirish/ember-cli-sri#rooturl",
+    "ember-cli-sri": "github:meirish/ember-cli-sri#rooturl",
     "ember-cli-string-helpers": "6.1.0",
     "ember-cli-terser": "~4.0.2",
     "ember-composable-helpers": "5.0.0",
-    "ember-concurrency": "~4.0.3",
+    "ember-concurrency": "~4.0.6",
     "ember-data": "~5.3.13",
     "ember-engines": "0.8.23",
     "ember-exam": "~9.1.0",
     "ember-inflector": "4.0.2",
+    "ember-intl": "^7.5.0",
     "ember-load-initializers": "~3.0.1",
-    "ember-modifier": "~4.2.0",
-    "ember-power-select": "~8.12.0",
+    "ember-modifier": "~4.2.2",
+    "ember-power-select": "~8.12.2",
     "ember-qrcode-shim": "~0.4.0",
     "ember-qunit": "~8.1.1",
-    "ember-resolver": "~13.1.0",
+    "ember-resolver": "~13.1.1",
     "ember-responsive": "5.0.0",
-    "ember-service-worker": "meirish/ember-service-worker#configurable-scope",
+    "ember-service-worker": "github:meirish/ember-service-worker#configurable-scope",
     "ember-sinon-qunit": "~7.5.0",
     "ember-source": "~5.8.0",
     "ember-style-modifier": "~4.4.0",
@@ -138,7 +136,7 @@
     "ember-truth-helpers": "4.0.3",
     "escape-string-regexp": "~2.0.0",
     "eslint": "~8.57.1",
-    "eslint-config-prettier": "~9.1.0",
+    "eslint-config-prettier": "~9.1.2",
     "eslint-plugin-compat": "~4.2.0",
     "eslint-plugin-ember": "~11.12.0",
     "eslint-plugin-n": "~16.6.2",
@@ -147,20 +145,18 @@
     "execa": "^5.1.1",
     "filesize": "~4.2.1",
     "jsdoc-babel": "~0.5.0",
-    "jsdoc-to-markdown": "~8.0.3",
     "jsondiffpatch": "0.7.3",
-    "jsonlint": "~1.6.3",
     "lint-staged": "~16.0.0",
     "loader.js": "~4.7.0",
     "miragejs": "~0.1.48",
     "pkijs": "~2.4.0",
     "prettier": "3.0.3",
     "prettier-eslint-cli": "~7.1.0",
-    "pvutils": "~1.1.3",
-    "qunit": "~2.24.1",
+    "pvutils": "~1.1.5",
+    "qunit": "~2.24.3",
     "qunit-dom": "~3.4.0",
-    "sass": "~1.88.0",
-    "shell-quote": "~1.8.2",
+    "sass": "^1.100.0",
+    "shell-quote": "~1.8.4",
     "sinon": "~20.0.0",
     "stylelint": "~16.19.1",
     "stylelint-config-standard": "~38.0.0",
@@ -168,36 +164,37 @@
     "swagger-ui-dist": "~5.21.0",
     "text-encoder-lite": "2.0.0",
     "tracked-built-ins": "~3.4.0",
-    "typescript": "~5.5.4",
-    "webpack": "5.94.0",
+    "typescript": "~5.6.3",
+    "webpack": "^5.107.2",
     "webpack-cli": "^6.0.1"
   },
   "pnpm": {
     "overrides": {
       "@babel/runtime": "7.27.0",
-      "@embroider/macros": "1.15.0",
-      "@messageformat/runtime": "3.0.2",
+      "@xmldom/xmldom": "0.9.10",
       "ansi-html": "0.0.8",
       "async": "2.6.4",
       "braces": "3.0.3",
-      "eslint-utils": "1.4.3",
-      "express": "4.22.1",
-      "https-proxy-agent": "2.2.4",
-      "ini": "1.3.8",
       "json5": "1.0.2",
       "kind-of": "6.0.3",
+      "lodash": "4.18.0",
+      "lodash-es": "4.18.0",
+      "markdown-it": "14.1.1",
       "micromatch": "4.0.8",
-      "prismjs": "1.30.0",
       "qs": "6.14.1",
-      "rollup": "2.79.2",
-      "serialize-javascript": "3.1.0",
-      "socket.io": "4.8.1",
-      "underscore": "1.13.7"
+      "rollup": "2.80.0"
     }
   },
   "engines": {
     "node": "20"
   },
+  "devEngines": {
+    "runtime": {
+      "name": "node",
+      "version": "20.20.2",
+      "onFail": "download"
+    }
+  },
   "ember": {
     "edition": "octane"
   },
@@ -220,14 +217,14 @@
   },
   "dependencies": {
     "@babel/core": "7.26.10",
-    "@babel/eslint-parser": "^7.28.5",
-    "@carbon/charts": "^1.27.2",
-    "@hashicorp-internal/vault-reporting": "file:vault-reporting/0.8.0.tgz",
+    "@babel/eslint-parser": "^7.29.7",
+    "@carbon/charts": "^1.27.11",
+    "@hashicorp-internal/vault-reporting": "file:vault-reporting/0.21.0.tgz",
     "@hashicorp/design-system-components": "4.24.1",
     "@hashicorp/design-system-tokens": "3.0.0",
-    "@hashicorp/vault-client-typescript": "hashicorp/vault-client-typescript",
+    "@hashicorp/vault-client-typescript": "github:hashicorp/vault-client-typescript",
     "ember-auto-import": "2.10.0",
-    "handlebars": "4.7.8",
+    "handlebars": "4.7.9",
     "posthog-js": "1.236.1",
     "uuid": "9.0.1"
   },
diff --git a/ui/pnpm-lock.yaml b/ui/pnpm-lock.yaml
index 9aecfe284e..5ef532fa08 100644
--- a/ui/pnpm-lock.yaml
+++ b/ui/pnpm-lock.yaml
@@ -6,24 +6,18 @@ settings:
 
 overrides:
   '@babel/runtime': 7.27.0
-  '@embroider/macros': 1.15.0
-  '@messageformat/runtime': 3.0.2
+  '@xmldom/xmldom': 0.9.10
   ansi-html: 0.0.8
   async: 2.6.4
   braces: 3.0.3
-  eslint-utils: 1.4.3
-  express: 4.22.1
-  https-proxy-agent: 2.2.4
-  ini: 1.3.8
   json5: 1.0.2
   kind-of: 6.0.3
+  lodash: 4.18.0
+  lodash-es: 4.18.0
+  markdown-it: 14.1.1
   micromatch: 4.0.8
-  prismjs: 1.30.0
   qs: 6.14.1
-  rollup: 2.79.2
-  serialize-javascript: 3.1.0
-  socket.io: 4.8.1
-  underscore: 1.13.7
+  rollup: 2.80.0
 
 importers:
 
@@ -33,29 +27,29 @@ importers:
         specifier: 7.26.10
         version: 7.26.10
       '@babel/eslint-parser':
-        specifier: ^7.28.5
-        version: 7.28.5(@babel/core@7.26.10)(eslint@8.57.1)
+        specifier: ^7.29.7
+        version: 7.29.7(@babel/core@7.26.10)(eslint@8.57.1)
       '@carbon/charts':
-        specifier: ^1.27.2
-        version: 1.27.2
+        specifier: ^1.27.11
+        version: 1.27.11
       '@hashicorp-internal/vault-reporting':
-        specifier: file:vault-reporting/0.8.0.tgz
-        version: file:vault-reporting/0.8.0.tgz(@babel/core@7.26.10)(@glint/template@1.7.3)(@hashicorp/design-system-components@4.24.1(9e1e7970f02a7597d41eecd5c69ae0c6))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        specifier: file:vault-reporting/0.21.0.tgz
+        version: file:vault-reporting/0.21.0.tgz(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(@hashicorp/design-system-components@4.24.1(82ada2dfe2f3991d57e146b4e9515b04))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(typescript@5.6.3)(webpack@5.107.2)
       '@hashicorp/design-system-components':
         specifier: 4.24.1
-        version: 4.24.1(9e1e7970f02a7597d41eecd5c69ae0c6)
+        version: 4.24.1(82ada2dfe2f3991d57e146b4e9515b04)
       '@hashicorp/design-system-tokens':
         specifier: 3.0.0
         version: 3.0.0
       '@hashicorp/vault-client-typescript':
-        specifier: hashicorp/vault-client-typescript
-        version: https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/e29e1596079a941e42dd87cf533d95575f88a67c
+        specifier: github:hashicorp/vault-client-typescript
+        version: https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/9191faf2deb4fa4fd9d0d4b396434fec5b799abc
       ember-auto-import:
         specifier: 2.10.0
-        version: 2.10.0(@glint/template@1.7.3)(webpack@5.94.0)
+        version: 2.10.0(@glint/template@1.7.7)(webpack@5.107.2)
       handlebars:
-        specifier: 4.7.8
-        version: 4.7.8
+        specifier: 4.7.9
+        version: 4.7.9
       posthog-js:
         specifier: 1.236.1
         version: 1.236.1
@@ -64,53 +58,53 @@ importers:
         version: 9.0.1
     devDependencies:
       '@babel/cli':
-        specifier: ~7.27.0
+        specifier: ~7.27.2
         version: 7.27.2(@babel/core@7.26.10)
       '@babel/plugin-proposal-class-properties':
         specifier: ~7.18.6
         version: 7.18.6(@babel/core@7.26.10)
       '@babel/plugin-proposal-decorators':
-        specifier: ^7.28.0
-        version: 7.28.0(@babel/core@7.26.10)
+        specifier: ^7.29.7
+        version: 7.29.7(@babel/core@7.26.10)
       '@babel/plugin-proposal-object-rest-spread':
         specifier: ~7.20.7
         version: 7.20.7(@babel/core@7.26.10)
       '@babel/plugin-transform-block-scoping':
-        specifier: ~7.27.0
-        version: 7.27.1(@babel/core@7.26.10)
+        specifier: ~7.27.5
+        version: 7.27.5(@babel/core@7.26.10)
       '@babel/preset-env':
-        specifier: ~7.26.9
-        version: 7.26.9(@babel/core@7.26.10)
+        specifier: ~7.29.5
+        version: 7.29.7(@babel/core@7.26.10)
       '@babel/preset-typescript':
-        specifier: ~7.27.0
+        specifier: ~7.27.1
         version: 7.27.1(@babel/core@7.26.10)
       '@codemirror/view':
-        specifier: ^6.36.2
-        version: 6.36.8
+        specifier: ^6.43.0
+        version: 6.43.0
       '@docfy/ember':
         specifier: ~0.8.5
-        version: 0.8.5(@babel/core@7.26.10)(@glint/template@1.7.3)
+        version: 0.8.5(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@ember/legacy-built-in-components':
         specifier: ~0.4.2
-        version: 0.4.2(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 0.4.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@ember/optional-features':
         specifier: ~2.2.0
         version: 2.2.0
       '@ember/render-modifiers':
         specifier: ~3.0.0
-        version: 3.0.0(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 3.0.0(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@ember/string':
         specifier: ~4.0.1
         version: 4.0.1
       '@ember/test-helpers':
-        specifier: ~5.2.1
-        version: 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
+        specifier: ~5.2.2
+        version: 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@ember/test-waiters':
-        specifier: ~4.1.0
-        version: 4.1.0(@glint/template@1.7.3)
+        specifier: ~4.1.1
+        version: 4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@embroider/macros':
-        specifier: 1.15.0
-        version: 1.15.0(@glint/template@1.7.3)
+        specifier: ~1.20.3
+        version: 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@glimmer/component':
         specifier: ~1.1.2
         version: 1.1.2(@babel/core@7.26.10)
@@ -118,32 +112,29 @@ importers:
         specifier: ~1.1.2
         version: 1.1.2
       '@glint/template':
-        specifier: ^1.7.3
-        version: 1.7.3
+        specifier: ^1.7.7
+        version: 1.7.7
       '@icholy/duration':
         specifier: ~5.1.0
         version: 5.1.0
-      '@lineal-viz/lineal':
-        specifier: ~0.5.1
-        version: 0.5.1(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
       '@playwright/test':
-        specifier: ^1.58.0
-        version: 1.58.0
+        specifier: ^1.60.0
+        version: 1.60.0
       '@tsconfig/ember':
         specifier: ~2.0.0
         version: 2.0.0
       '@types/d3-array':
-        specifier: ~3.2.1
-        version: 3.2.1
+        specifier: ~3.2.2
+        version: 3.2.2
       '@types/ember-data':
         specifier: ~4.4.16
         version: 4.4.16(@babel/core@7.26.10)
       '@types/node':
-        specifier: ^25.1.0
-        version: 25.1.0
+        specifier: ^25.9.1
+        version: 25.9.1
       '@types/qunit':
-        specifier: ~2.19.12
-        version: 2.19.12
+        specifier: ~2.19.14
+        version: 2.19.14
       '@types/rsvp':
         specifier: ~4.0.9
         version: 4.0.9
@@ -152,13 +143,13 @@ importers:
         version: 1.7.5
       '@typescript-eslint/eslint-plugin':
         specifier: ~5.62.0
-        version: 5.62.0(@typescript-eslint/parser@5.62.0(eslint@8.57.1)(typescript@5.5.4))(eslint@8.57.1)(typescript@5.5.4)
+        version: 5.62.0(@typescript-eslint/parser@5.62.0(eslint@8.57.1)(typescript@5.6.3))(eslint@8.57.1)(typescript@5.6.3)
       '@typescript-eslint/parser':
         specifier: ~5.62.0
-        version: 5.62.0(eslint@8.57.1)(typescript@5.5.4)
+        version: 5.62.0(eslint@8.57.1)(typescript@5.6.3)
       asn1js:
-        specifier: ~3.0.6
-        version: 3.0.6
+        specifier: ~3.0.10
+        version: 3.0.10
       autosize:
         specifier: ~6.0.1
         version: 6.0.1
@@ -172,7 +163,7 @@ importers:
         specifier: ~3.0.0
         version: 3.0.0
       broccoli-sri-hash:
-        specifier: meirish/broccoli-sri-hash#rooturl
+        specifier: github:meirish/broccoli-sri-hash#rooturl
         version: https://codeload.github.com/meirish/broccoli-sri-hash/tar.gz/5ebad6f345c38d45461676c7a298a0b61be4a39d
       chalk:
         specifier: ^4.1.2
@@ -190,8 +181,8 @@ importers:
         specifier: ~3.0.0
         version: 3.0.0
       d3-format:
-        specifier: ~3.1.0
-        version: 3.1.0
+        specifier: ~3.1.2
+        version: 3.1.2
       d3-scale:
         specifier: ~4.0.2
         version: 4.0.2
@@ -207,21 +198,18 @@ importers:
       date-fns-tz:
         specifier: ~1.3.8
         version: 1.3.8(date-fns@2.30.0)
-      doctoc:
-        specifier: ~2.2.1
-        version: 2.2.1
       dompurify:
-        specifier: ~3.2.5
-        version: 3.2.6
+        specifier: ~3.3.3
+        version: 3.3.3
       ember-a11y-testing:
-        specifier: ~7.1.2
-        version: 7.1.2(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(qunit@2.24.1)(webpack@5.94.0)
+        specifier: ~7.1.3
+        version: 7.1.3(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(qunit@2.24.3)(webpack@5.107.2)
       ember-basic-dropdown:
         specifier: ~8.7.0
-        version: 8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       ember-cli:
-        specifier: ~5.8.0
-        version: 5.8.1(handlebars@4.7.8)(underscore@1.13.7)
+        specifier: ~5.8.1
+        version: 5.8.1(@babel/core@7.26.10)(@types/node@25.9.1)(handlebars@4.7.9)(underscore@1.13.8)
       ember-cli-babel:
         specifier: ~8.2.0
         version: 8.2.0(@babel/core@7.26.10)
@@ -233,13 +221,13 @@ importers:
         version: 2.0.3
       ember-cli-dependency-checker:
         specifier: ~3.3.3
-        version: 3.3.3(ember-cli@5.8.1(handlebars@4.7.8)(underscore@1.13.7))
+        version: 3.3.3(ember-cli@5.8.1(@babel/core@7.26.10)(@types/node@25.9.1)(handlebars@4.7.9)(underscore@1.13.8))
       ember-cli-deprecation-workflow:
         specifier: ~3.3.0
-        version: 3.3.0(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 3.3.0(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       ember-cli-flash:
         specifier: 4.0.0
-        version: 4.0.0(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(webpack@5.94.0)
+        version: 4.0.0(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(webpack@5.107.2)
       ember-cli-htmlbars:
         specifier: ~6.3.0
         version: 6.3.0
@@ -248,15 +236,15 @@ importers:
         version: 2.1.0
       ember-cli-mirage:
         specifier: ~3.0.4
-        version: 3.0.4(@ember-data/model@5.3.13(dae11eb22c7d90ae6eb976a152fcd2ef))(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-data@5.3.13(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1))(ember-qunit@8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(miragejs@0.1.48)(webpack@5.94.0)
+        version: 3.0.4(eec33d100c300afbeba6a809f067b5f1)
       ember-cli-page-object:
-        specifier: ~2.3.1
-        version: 2.3.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))
+        specifier: ~2.3.2
+        version: 2.3.2(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))
       ember-cli-sass:
         specifier: 11.0.1
         version: 11.0.1
       ember-cli-sri:
-        specifier: meirish/ember-cli-sri#rooturl
+        specifier: github:meirish/ember-cli-sri#rooturl
         version: https://codeload.github.com/meirish/ember-cli-sri/tar.gz/1c0ff776a61f09121d1ea69ce16e4653da5e1efa
       ember-cli-string-helpers:
         specifier: 6.1.0
@@ -268,53 +256,56 @@ importers:
         specifier: 5.0.0
         version: 5.0.0
       ember-concurrency:
-        specifier: ~4.0.3
-        version: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3)
+        specifier: ~4.0.6
+        version: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-data:
         specifier: ~5.3.13
-        version: 5.3.13(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)
+        version: 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)
       ember-engines:
         specifier: 0.8.23
-        version: 0.8.23(@ember/legacy-built-in-components@0.4.2(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 0.8.23(@babel/core@7.26.10)(@ember/legacy-built-in-components@0.4.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       ember-exam:
         specifier: ~9.1.0
-        version: 9.1.0(@glint/template@1.7.3)(ember-qunit@8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)(webpack@5.94.0)
+        version: 9.1.0(@glint/template@1.7.7)(ember-qunit@8.1.1(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)(webpack@5.107.2)
       ember-inflector:
         specifier: 4.0.2
         version: 4.0.2
+      ember-intl:
+        specifier: ^7.5.0
+        version: 7.5.0(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(typescript@5.6.3)(webpack@5.107.2)
       ember-load-initializers:
         specifier: ~3.0.1
-        version: 3.0.1(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 3.0.1(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       ember-modifier:
-        specifier: ~4.2.0
+        specifier: ~4.2.2
         version: 4.2.2(@babel/core@7.26.10)
       ember-power-select:
-        specifier: ~8.12.0
-        version: 8.12.0(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        specifier: ~8.12.2
+        version: 8.12.2(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       ember-qrcode-shim:
         specifier: ~0.4.0
         version: 0.4.0
       ember-qunit:
         specifier: ~8.1.1
-        version: 8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)
+        version: 8.1.1(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)
       ember-resolver:
-        specifier: ~13.1.0
+        specifier: ~13.1.1
         version: 13.1.1
       ember-responsive:
         specifier: 5.0.0
         version: 5.0.0
       ember-service-worker:
-        specifier: meirish/ember-service-worker#configurable-scope
-        version: https://codeload.github.com/meirish/ember-service-worker/tar.gz/dda14187aace0d73ecdb6a55beac2194a3aec01b(rollup@2.79.2)
+        specifier: github:meirish/ember-service-worker#configurable-scope
+        version: https://codeload.github.com/meirish/ember-service-worker/tar.gz/dda14187aace0d73ecdb6a55beac2194a3aec01b(rollup@2.80.0)
       ember-sinon-qunit:
         specifier: ~7.5.0
-        version: 7.5.0(@babel/core@7.26.10)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)(sinon@20.0.0)
+        version: 7.5.0(@babel/core@7.26.10)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)(sinon@20.0.0)
       ember-source:
         specifier: ~5.8.0
-        version: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+        version: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
       ember-style-modifier:
         specifier: ~4.4.0
-        version: 4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       ember-template-lint:
         specifier: ~6.1.0
         version: 6.1.0
@@ -326,10 +317,10 @@ importers:
         version: 7.1.0
       ember-tether:
         specifier: 3.1.1
-        version: 3.1.1(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(webpack@5.94.0)
+        version: 3.1.1(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(webpack@5.107.2)
       ember-truth-helpers:
         specifier: 4.0.3
-        version: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+        version: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       escape-string-regexp:
         specifier: ~2.0.0
         version: 2.0.0
@@ -337,8 +328,8 @@ importers:
         specifier: ~8.57.1
         version: 8.57.1
       eslint-config-prettier:
-        specifier: ~9.1.0
-        version: 9.1.0(eslint@8.57.1)
+        specifier: ~9.1.2
+        version: 9.1.2(eslint@8.57.1)
       eslint-plugin-compat:
         specifier: ~4.2.0
         version: 4.2.0(eslint@8.57.1)
@@ -350,10 +341,10 @@ importers:
         version: 16.6.2(eslint@8.57.1)
       eslint-plugin-prettier:
         specifier: ~5.2.6
-        version: 5.2.6(@types/eslint@8.56.12)(eslint-config-prettier@9.1.0(eslint@8.57.1))(eslint@8.57.1)(prettier@3.0.3)
+        version: 5.2.6(@types/eslint@8.56.12)(eslint-config-prettier@9.1.2(eslint@8.57.1))(eslint@8.57.1)(prettier@3.0.3)
       eslint-plugin-qunit:
         specifier: ~8.1.2
-        version: 8.1.2
+        version: 8.1.2(eslint@8.57.1)
       execa:
         specifier: ^5.1.1
         version: 5.1.1
@@ -363,15 +354,9 @@ importers:
       jsdoc-babel:
         specifier: ~0.5.0
         version: 0.5.0(@babel/core@7.26.10)
-      jsdoc-to-markdown:
-        specifier: ~8.0.3
-        version: 8.0.3
       jsondiffpatch:
         specifier: 0.7.3
         version: 0.7.3
-      jsonlint:
-        specifier: ~1.6.3
-        version: 1.6.3
       lint-staged:
         specifier: ~16.0.0
         version: 16.0.0
@@ -381,6 +366,9 @@ importers:
       miragejs:
         specifier: ~0.1.48
         version: 0.1.48
+      node:
+        specifier: runtime:20.20.2
+        version: runtime:20.20.2
       pkijs:
         specifier: ~2.4.0
         version: 2.4.0
@@ -391,32 +379,32 @@ importers:
         specifier: ~7.1.0
         version: 7.1.0(prettier-eslint@15.0.1)
       pvutils:
-        specifier: ~1.1.3
-        version: 1.1.3
+        specifier: ~1.1.5
+        version: 1.1.5
       qunit:
-        specifier: ~2.24.1
-        version: 2.24.1
+        specifier: ~2.24.3
+        version: 2.24.3
       qunit-dom:
         specifier: ~3.4.0
         version: 3.4.0
       sass:
-        specifier: ~1.88.0
-        version: 1.88.0
+        specifier: ^1.100.0
+        version: 1.100.0
       shell-quote:
-        specifier: ~1.8.2
-        version: 1.8.2
+        specifier: ~1.8.4
+        version: 1.8.4
       sinon:
         specifier: ~20.0.0
         version: 20.0.0
       stylelint:
         specifier: ~16.19.1
-        version: 16.19.1(typescript@5.5.4)
+        version: 16.19.1(typescript@5.6.3)
       stylelint-config-standard:
         specifier: ~38.0.0
-        version: 38.0.0(stylelint@16.19.1(typescript@5.5.4))
+        version: 38.0.0(stylelint@16.19.1(typescript@5.6.3))
       stylelint-prettier:
         specifier: ~5.0.3
-        version: 5.0.3(prettier@3.0.3)(stylelint@16.19.1(typescript@5.5.4))
+        version: 5.0.3(prettier@3.0.3)(stylelint@16.19.1(typescript@5.6.3))
       swagger-ui-dist:
         specifier: ~5.21.0
         version: 5.21.0
@@ -427,14 +415,14 @@ importers:
         specifier: ~3.4.0
         version: 3.4.0(@babel/core@7.26.10)
       typescript:
-        specifier: ~5.5.4
-        version: 5.5.4
+        specifier: ~5.6.3
+        version: 5.6.3
       webpack:
-        specifier: 5.94.0
-        version: 5.94.0(webpack-cli@6.0.1)
+        specifier: ^5.107.2
+        version: 5.107.2(webpack-cli@6.0.1)
       webpack-cli:
         specifier: ^6.0.1
-        version: 6.0.1(webpack@5.94.0)
+        version: 6.0.1(webpack@5.107.2)
 
 packages:
 
@@ -449,147 +437,157 @@ packages:
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/code-frame@7.27.1':
-    resolution: {integrity: sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==}
+  '@babel/code-frame@7.29.7':
+    resolution: {integrity: sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/compat-data@7.27.2':
-    resolution: {integrity: sha512-TUtMJYRPyUb/9aU8f3K0mjmjf6M9N5Woshn2CS6nqJSeJtTtQcpLUXjGt9vbF8ZGff0El99sWkLgzwW3VXnxZQ==}
+  '@babel/compat-data@7.29.7':
+    resolution: {integrity: sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==}
     engines: {node: '>=6.9.0'}
 
   '@babel/core@7.26.10':
     resolution: {integrity: sha512-vMqyb7XCDMPvJFFOaT9kxtiRh42GwlZEg1/uIgtZshS5a/8OaduUfCi7kynKgc3Tw/6Uo2D+db9qBttghhmxwQ==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/core@7.27.1':
-    resolution: {integrity: sha512-IaaGWsQqfsQWVLqMn9OB92MNN7zukfVA4s7KKAI0KfrrDsZ0yhi5uV4baBuLuN7n3vsZpwP8asPPcVwApxvjBQ==}
+  '@babel/core@7.29.7':
+    resolution: {integrity: sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/eslint-parser@7.28.5':
-    resolution: {integrity: sha512-fcdRcWahONYo+JRnJg1/AekOacGvKx12Gu0qXJXFi2WBqQA1i7+O5PaxRB7kxE/Op94dExnCiiar6T09pvdHpA==}
+  '@babel/eslint-parser@7.29.7':
+    resolution: {integrity: sha512-zxt+UJTOMKvUt3yOg+D58MLuz334pHp93qifMFcjIIO+9hN6t+ufw2gi7vDPMpxvfnHRR+3VVXvIjineCcgyXw==}
     engines: {node: ^10.13.0 || ^12.13.0 || >=14.0.0}
     peerDependencies:
       '@babel/core': ^7.11.0
       eslint: ^7.5.0 || ^8.0.0 || ^9.0.0
 
-  '@babel/generator@7.27.1':
-    resolution: {integrity: sha512-UnJfnIpc/+JO0/+KRVQNGU+y5taA5vCbwN8+azkX6beii/ZF+enZJSOKo11ZSzGJjlNfJHfQtmQT8H+9TXPG2w==}
+  '@babel/generator@7.29.7':
+    resolution: {integrity: sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-annotate-as-pure@7.27.1':
-    resolution: {integrity: sha512-WnuuDILl9oOBbKnb4L+DyODx7iC47XfzmNCpTttFsSp6hTG7XZxu60+4IO+2/hPfcGOoKbFiwoI/+zwARbNQow==}
+  '@babel/helper-annotate-as-pure@7.29.7':
+    resolution: {integrity: sha512-OoK6239jHPuSQOoS0kfTVKn0b/rVTk0seKq4Gd2UMLtmOVLjDC0ki3e+c90Trqv2gMfvJFqkiljrr568+qddiw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-compilation-targets@7.27.2':
-    resolution: {integrity: sha512-2+1thGUUWWjLTYTHZWK1n8Yga0ijBz1XAhUXcKy81rd5g6yh7hGqMp45v7cadSbEHc9G3OTv45SyneRN3ps4DQ==}
+  '@babel/helper-compilation-targets@7.29.7':
+    resolution: {integrity: sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-create-class-features-plugin@7.27.1':
-    resolution: {integrity: sha512-QwGAmuvM17btKU5VqXfb+Giw4JcN0hjuufz3DYnpeVDvZLAObloM77bhMXiqry3Iio+Ai4phVRDwl6WU10+r5A==}
+  '@babel/helper-create-class-features-plugin@7.29.7':
+    resolution: {integrity: sha512-IY3ZD9Tmooqr3TUhc3DUWxiuo8xx1DWLhd5M7hQ+ZWJamqM2BbalrBJb2MisSLoYorOj75U03qULCxQTY9r3hg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/helper-create-regexp-features-plugin@7.27.1':
-    resolution: {integrity: sha512-uVDC72XVf8UbrH5qQTc18Agb8emwjTiZrQE11Nv3CuBEZmVvTwwE9CBUEvHku06gQCAyYf8Nv6ja1IN+6LMbxQ==}
+  '@babel/helper-create-regexp-features-plugin@7.29.7':
+    resolution: {integrity: sha512-907Uymvqgg1dwUA+7IGwFAOSYzQOuzPXKNJ1yxzwPffzkYFg2q2eHi1fIOs6sXkG9NbIUMunnUlkYsfRFNvomg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/helper-define-polyfill-provider@0.6.4':
-    resolution: {integrity: sha512-jljfR1rGnXXNWnmQg2K3+bvhkxB51Rl32QRaOTuwwjviGrHzIbSc8+x9CpraDtbT7mfyjXObULP4w/adunNwAw==}
+  '@babel/helper-define-polyfill-provider@0.6.8':
+    resolution: {integrity: sha512-47UwBLPpQi1NoWzLuHNjRoHlYXMwIJoBf7MFou6viC/sIHWYygpvr0B6IAyh5sBdA2nr2LPIRww8lfaUVQINBA==}
     peerDependencies:
       '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0
 
-  '@babel/helper-member-expression-to-functions@7.27.1':
-    resolution: {integrity: sha512-E5chM8eWjTp/aNoVpcbfM7mLxu9XGLWYise2eBKGQomAk/Mb4XoxyqXTZbuTohbsl8EKqdlMhnDI2CCLfcs9wA==}
+  '@babel/helper-globals@7.29.7':
+    resolution: {integrity: sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-module-imports@7.27.1':
-    resolution: {integrity: sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==}
+  '@babel/helper-member-expression-to-functions@7.29.7':
+    resolution: {integrity: sha512-j+7JYmk1JYDtACIGj0QJqqWZjoUpMoEikQGADMaHgCMCSDqd2+P32rfcibUNrGOMWrlzK1WJBdxrB3JJQZwWtg==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-module-transforms@7.27.1':
-    resolution: {integrity: sha512-9yHn519/8KvTU5BjTVEEeIM3w9/2yXNKoD82JifINImhpKkARMJKPP59kLo+BafpdN5zgNeIcS4jsGDmd3l58g==}
+  '@babel/helper-module-imports@7.29.7':
+    resolution: {integrity: sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==}
+    engines: {node: '>=6.9.0'}
+
+  '@babel/helper-module-transforms@7.29.7':
+    resolution: {integrity: sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/helper-optimise-call-expression@7.27.1':
-    resolution: {integrity: sha512-URMGH08NzYFhubNSGJrpUEphGKQwMQYBySzat5cAByY1/YgIRkULnIy3tAMeszlL/so2HbeilYloUmSpd7GdVw==}
+  '@babel/helper-optimise-call-expression@7.29.7':
+    resolution: {integrity: sha512-+kmGVjcT9RGYzoDwdwEqEvGgKe3BYq+O1iGzjFubaNgZHwYHP6lsF2Yghf4kEuv9BV7tYDZ913aBW9am6YKong==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-plugin-utils@7.27.1':
-    resolution: {integrity: sha512-1gn1Up5YXka3YYAHGKpbideQ5Yjf1tDa9qYcgysz+cNCXukyLl6DjPXhD3VRwSb8c0J9tA4b2+rHEZtc6R0tlw==}
+  '@babel/helper-plugin-utils@7.29.7':
+    resolution: {integrity: sha512-G7sHYigPY17oO5SYWnfD/0MTBwVR781S/JI643e/JhUYgVgWE/61SoW3NH9KWUKyKq5LVh3npif99Wkt6j86Jw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-remap-async-to-generator@7.27.1':
-    resolution: {integrity: sha512-7fiA521aVw8lSPeI4ZOD3vRFkoqkJcS+z4hFo82bFSH/2tNd6eJ5qCVMS5OzDmZh/kaHQeBaeyxK6wljcPtveA==}
+  '@babel/helper-remap-async-to-generator@7.29.7':
+    resolution: {integrity: sha512-16AMiW26DbXWBbr3B8wNozKM0ydMLB892vaOaJW/fPJdnT8vJk5sdkQcU/isqUxyCE0cEoa8wZOcbgDuC4b6Og==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/helper-replace-supers@7.27.1':
-    resolution: {integrity: sha512-7EHz6qDZc8RYS5ElPoShMheWvEgERonFCs7IAonWLLUTXW59DP14bCZt89/GKyreYn8g3S83m21FelHKbeDCKA==}
+  '@babel/helper-replace-supers@7.29.7':
+    resolution: {integrity: sha512-atfGXWSeCiF4DnKZIfmJfQRkSw9b9gNNXR1kqKjbhG4pGYCOnkp8OcTB8E3NXjBu8NpheSnOeNKz8KT7UNFTmQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/helper-skip-transparent-expression-wrappers@7.27.1':
-    resolution: {integrity: sha512-Tub4ZKEXqbPjXgWLl2+3JpQAYBJ8+ikpQ2Ocj/q/r0LwE3UhENh7EUabyHjz2kCEsrRY83ew2DQdHluuiDQFzg==}
+  '@babel/helper-skip-transparent-expression-wrappers@7.29.7':
+    resolution: {integrity: sha512-brcMGQaVzIeUb+6/bs1Av0f8YuNNjKY2JyvfRCsFuFsdKccEQ5Ges2y74D74NZ1Rz8lKJ9ksJkfqwQFJ/iNEyQ==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-string-parser@7.27.1':
-    resolution: {integrity: sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==}
+  '@babel/helper-string-parser@7.29.7':
+    resolution: {integrity: sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-validator-identifier@7.27.1':
-    resolution: {integrity: sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==}
+  '@babel/helper-validator-identifier@7.29.7':
+    resolution: {integrity: sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-validator-option@7.27.1':
-    resolution: {integrity: sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==}
+  '@babel/helper-validator-option@7.29.7':
+    resolution: {integrity: sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-wrap-function@7.27.1':
-    resolution: {integrity: sha512-NFJK2sHUvrjo8wAU/nQTWU890/zB2jj0qBcCbZbbf+005cAsv6tMjXz31fBign6M5ov1o0Bllu+9nbqkfsjjJQ==}
+  '@babel/helper-wrap-function@7.29.7':
+    resolution: {integrity: sha512-iES0Skag9ERIF68aXadpO6dbXa03mNWK3sEqJaMnLNs/eC3l0lkImdfoy6Y09/SfkpawdAB4RjQ7PVA7TcVGdw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helpers@7.27.1':
-    resolution: {integrity: sha512-FCvFTm0sWV8Fxhpp2McP5/W53GPllQ9QeQ7SiqGWjMf/LVG07lFa5+pgK05IRhVwtvafT22KF+ZSnM9I545CvQ==}
+  '@babel/helpers@7.29.7':
+    resolution: {integrity: sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/parser@7.27.2':
-    resolution: {integrity: sha512-QYLs8299NA7WM/bZAdp+CviYYkVoYXlDW2rzliy3chxd1PQjej7JORuMJDJXJUb9g0TT+B99EwaVLKmX+sPXWw==}
+  '@babel/parser@7.29.7':
+    resolution: {integrity: sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==}
     engines: {node: '>=6.0.0'}
     hasBin: true
 
-  '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.27.1':
-    resolution: {integrity: sha512-QPG3C9cCVRQLxAVwmefEmwdTanECuUBMQZ/ym5kiw3XKCGA7qkuQLcjWWHcrD/GKbn/WmJwaezfuuAOcyKlRPA==}
+  '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.29.7':
+    resolution: {integrity: sha512-j8SrR0zLZrRsC09DlszEx8FpMiwukKffYXMK0d5LmOglO7vGG6sz/BR/20yHqWH+Lnn31JTt2PE3hIWNgM2J6w==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.27.1':
-    resolution: {integrity: sha512-qNeq3bCKnGgLkEXUuFry6dPlGfCdQNZbn7yUAPCInwAJHMU7THJfrBSozkcWq5sNM6RcF3S8XyQL2A52KNR9IA==}
+  '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.29.7':
+    resolution: {integrity: sha512-r8j8escF+U2FUHo0KOhPUdMzUO+jp9fInva6+ACVAF3Y97Ev+5iNZwiqTghmzNeWwDkOPlYuTcfb1vDaoZKmAQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.27.1':
-    resolution: {integrity: sha512-g4L7OYun04N1WyqMNjldFwlfPCLVkgB54A/YCXICZYBsvJJE3kByKv9c9+R/nAfmIfjl2rKYLNyMHboYbZaWaA==}
+  '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.29.7':
+    resolution: {integrity: sha512-GE1TFSiuFeGsCxmYXZl8HwoPrVlwe4rHPFE8weieGKZqnDORK+Ar3vgWMgW+AOxQ6/2TgLSKx9p6W7O4rC6qgQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.27.1':
-    resolution: {integrity: sha512-oO02gcONcD5O1iTLi/6frMJBIwWEHceWGSGqrpCmEL8nogiS6J9PBlE48CaK20/Jx1LuRml9aDftLgdjXT8+Cw==}
+  '@babel/plugin-bugfix-safari-rest-destructuring-rhs-array@7.29.7':
+    resolution: {integrity: sha512-oBNVCvnO5tND+xSopWvV8WNGfpTfgP4Zr/YXXSj8zfmcPktp5Ku/aZlsIowgSD4fjmgHn6sGmB9APVsU5zOdhA==}
+    engines: {node: '>=6.9.0'}
+    peerDependencies:
+      '@babel/core': ^7.0.0
+
+  '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.29.7':
+    resolution: {integrity: sha512-QQt9qKHZ2sg/kivaLr7lnQr8HVrQDdBNSfCsTjiDxRuX/K5ORyKq+Bu8Xr0cDE3Dfkv0cw28Ve0EKyKMvulkOw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.13.0
 
-  '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.27.1':
-    resolution: {integrity: sha512-6BpaYGDavZqkI6yT+KSPdpZFfpnd68UKXbcjI9pJ13pvHhPrCKWOOLp+ysvMeA+DxnhuPpgIaRpxRxo5A9t5jw==}
+  '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.29.7':
+    resolution: {integrity: sha512-pn6QacGLgvCcwc+syUhKE/qSjV2D1IHDB84RNxWYSt1mW3K/SCtjinZ2p0cETJxAWBjPy3K/1lHwG5BjjPxNlw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
@@ -601,8 +599,8 @@ packages:
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-proposal-decorators@7.28.0':
-    resolution: {integrity: sha512-zOiZqvANjWDUaUS9xMxbMcK/Zccztbe/6ikvUXaG9nsPH3w6qh5UaPGAnirI/WhIbZ8m3OHU0ReyPrknG+ZKeg==}
+  '@babel/plugin-proposal-decorators@7.29.7':
+    resolution: {integrity: sha512-EtU0Hi3GvrTqD56xKmZvV/uCXK2ZbwVNPNLAquVItcAZpUhkXwWlo3Fmj0c2LxgSf2I8IDULeAepwNP1OefLXg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
@@ -634,26 +632,26 @@ packages:
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-syntax-decorators@7.27.1':
-    resolution: {integrity: sha512-YMq8Z87Lhl8EGkmb0MwYkt36QnxC+fzCgrl66ereamPlYToRpIk5nUjKUY3QKLWq8mwUB1BgbeXcTJhZOCDg5A==}
+  '@babel/plugin-syntax-decorators@7.29.7':
+    resolution: {integrity: sha512-9MTTLbF39X6sqM92JPEsoI7++26hjZvzkxKZy64aMhWLH2mPkJ/Q3AV4QLmls3R14FpSpkOwQQfUh962JGQxxg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-syntax-import-assertions@7.27.1':
-    resolution: {integrity: sha512-UT/Jrhw57xg4ILHLFnzFpPDlMbcdEicaAtjPQpbj9wa8T4r5KVWCimHcL/460g8Ht0DMxDyjsLgiWSkVjnwPFg==}
+  '@babel/plugin-syntax-import-assertions@7.29.7':
+    resolution: {integrity: sha512-/An1OCBN93thpBAGyfsK2pcf0jvju1SAtKkL2Ny++B5Sy6sqgzXDQH1cZxWbF96Wuk+bn41MDA9bLd4VVAw6rw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-syntax-import-attributes@7.27.1':
-    resolution: {integrity: sha512-oFT0FrKHgF53f4vOsZGi2Hh3I35PfSmVs4IBFLFj4dnafP+hIWDLg3VyKmUHfLoLHlyxY4C7DGtmHuJgn+IGww==}
+  '@babel/plugin-syntax-import-attributes@7.29.7':
+    resolution: {integrity: sha512-zGYcYfq/WmZ4V+kBIXQon9dSSc8ircGZqw9ZaNhhGj9nZkeBu1jHLBDQqYYi5WA9uawvA2sIMbry2nCFhf5Djg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-syntax-jsx@7.27.1':
-    resolution: {integrity: sha512-y8YTNIeKoyhGd9O0Jiyzyyqk8gdjnumGTQPsz0xOZOQ2RmkVJeZ1vmmfIvFEKqucBG6axJGBZDE/7iI5suUI/w==}
+  '@babel/plugin-syntax-jsx@7.29.7':
+    resolution: {integrity: sha512-TSu8+mHCoEaaCDEZ0I3+6mvTBYR4PCxQwf2z9/r5Tbztv6NaLR3B9thGTTxX2WGuGHJqRiAbKPeGTJ5XWXVg6A==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
@@ -669,8 +667,8 @@ packages:
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-syntax-typescript@7.27.1':
-    resolution: {integrity: sha512-xfYCBMxveHrRMnAWl1ZlPXOZjzkN82THFvLhQhFXFt81Z5HnN+EtUkZhv/zcKpmT3fzmWZB0ywiBrbC3vogbwQ==}
+  '@babel/plugin-syntax-typescript@7.29.7':
+    resolution: {integrity: sha512-ngr+82Sh0xMz25TPCZi+nC2iTzjfCdWS2ONXTp/PtSCHCgaCNBpdMqgvJ2ccdLlClVZ7sisIgB914j/JFe+RZA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
@@ -681,290 +679,302 @@ packages:
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/plugin-transform-arrow-functions@7.27.1':
-    resolution: {integrity: sha512-8Z4TGic6xW70FKThA5HYEKKyBpOOsucTOD1DjU3fZxDg+K3zBJcXMFnt/4yQiZnf5+MiOMSXQ9PaEK/Ilh1DeA==}
+  '@babel/plugin-transform-arrow-functions@7.29.7':
+    resolution: {integrity: sha512-N7zArUXWzAMzm+/N0uPBeVB3Fam5lMxtUwMmDK5f/IBBS7a7p1qeUoxd/6CckXoxUdgsntq1Dh8xNW06maZbDQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-async-generator-functions@7.27.1':
-    resolution: {integrity: sha512-eST9RrwlpaoJBDHShc+DS2SG4ATTi2MYNb4OxYkf3n+7eb49LWpnS+HSpVfW4x927qQwgk8A2hGNVaajAEw0EA==}
+  '@babel/plugin-transform-async-generator-functions@7.29.7':
+    resolution: {integrity: sha512-d98gXZkgswvkyohMBABkhm3GeXhYj8psWfwQ2C7gtfrKGTykQa/iOIi+JJhwMjPlZ6Vm2XN+DCf3Es1EoG4ZLA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-async-to-generator@7.27.1':
-    resolution: {integrity: sha512-NREkZsZVJS4xmTr8qzE5y8AfIPqsdQfRuUiLRTEzb7Qii8iFWCyDKaUV2c0rCuh4ljDZ98ALHP/PetiBV2nddA==}
+  '@babel/plugin-transform-async-to-generator@7.29.7':
+    resolution: {integrity: sha512-pcUb2SS+RMo9TWVBwKGI5ShtoG7R+zBsFmCKDa6fe8c+hPr3XJlZgoE5j6i8W7gDjhyvy+85vmYexanvXh3d1w==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-block-scoped-functions@7.27.1':
-    resolution: {integrity: sha512-cnqkuOtZLapWYZUYM5rVIdv1nXYuFVIltZ6ZJ7nIj585QsjKM5dhL2Fu/lICXZ1OyIAFc7Qy+bvDAtTXqGrlhg==}
+  '@babel/plugin-transform-block-scoped-functions@7.29.7':
+    resolution: {integrity: sha512-cUSmjh72N+rN4PrkFlN1dJwNCwjVp5d38/CQrEsFggkD10UiFlBFgdH3tv5dNsLuHY+3S8db2xCHjhZcv5WgvA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-block-scoping@7.27.1':
-    resolution: {integrity: sha512-QEcFlMl9nGTgh1rn2nIeU5bkfb9BAjaQcWbiP4LvKxUot52ABcTkpcyJ7f2Q2U2RuQ84BNLgts3jRme2dTx6Fw==}
+  '@babel/plugin-transform-block-scoping@7.27.5':
+    resolution: {integrity: sha512-JF6uE2s67f0y2RZcm2kpAUEbD50vH62TyWVebxwHAlbSdM49VqPz8t4a1uIjp4NIOIZ4xzLfjY5emt/RCyC7TQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-class-properties@7.27.1':
-    resolution: {integrity: sha512-D0VcalChDMtuRvJIu3U/fwWjf8ZMykz5iZsg77Nuj821vCKI3zCyRLwRdWbsuJ/uRwZhZ002QtCqIkwC/ZkvbA==}
+  '@babel/plugin-transform-block-scoping@7.29.7':
+    resolution: {integrity: sha512-ONyr4+AZhKh8yKWInVxU9AXA9EbsyeLcL6V0dJy6M2/62vuvpGm29zzuymbTpdc451GEpDIdAyPLP3r+P61yKQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-class-static-block@7.27.1':
-    resolution: {integrity: sha512-s734HmYU78MVzZ++joYM+NkJusItbdRcbm+AGRgJCt3iA+yux0QpD9cBVdz3tKyrjVYWRl7j0mHSmv4lhV0aoA==}
+  '@babel/plugin-transform-class-properties@7.29.7':
+    resolution: {integrity: sha512-GtcpjFvanPfzNQi3eTitsCqtRRmmqzpy/A+yhTR1HaZo1Ly3EA8ZXxlPyHdR8/IuRMYc3E4wdGBewB2QKQjAaA==}
+    engines: {node: '>=6.9.0'}
+    peerDependencies:
+      '@babel/core': ^7.0.0-0
+
+  '@babel/plugin-transform-class-static-block@7.29.7':
+    resolution: {integrity: sha512-kibJgmEdX2iMwsHY2tSZNDgj8PwIlCQz7FK9KuGKO8zsuoUwSEhoNnNVp/emKWrbY4HeO6kkXfdMqRKKKXBm2A==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.12.0
 
-  '@babel/plugin-transform-classes@7.27.1':
-    resolution: {integrity: sha512-7iLhfFAubmpeJe/Wo2TVuDrykh/zlWXLzPNdL0Jqn/Xu8R3QQ8h9ff8FQoISZOsw74/HFqFI7NX63HN7QFIHKA==}
+  '@babel/plugin-transform-classes@7.29.7':
+    resolution: {integrity: sha512-qV0OGGBVacduzQHE649JyCneOFI/maT+YKsO+K4Yi3xv2wTPNjM/W2o2gdzMwEAZz7fXNTHAe0NcSg30bIN69g==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-computed-properties@7.27.1':
-    resolution: {integrity: sha512-lj9PGWvMTVksbWiDT2tW68zGS/cyo4AkZ/QTp0sQT0mjPopCmrSkzxeXkznjqBxzDI6TclZhOJbBmbBLjuOZUw==}
+  '@babel/plugin-transform-computed-properties@7.29.7':
+    resolution: {integrity: sha512-RK7/IyU5phpuCdBAuig5VkzG/EnbDaui5SQGdU9BFrHdV+mV4cUjLMQ9lJDjLNtWHsqtiefpGZUXQP2BiTYMsA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-destructuring@7.27.1':
-    resolution: {integrity: sha512-ttDCqhfvpE9emVkXbPD8vyxxh4TWYACVybGkDj+oReOGwnp066ITEivDlLwe0b1R0+evJ13IXQuLNB5w1fhC5Q==}
+  '@babel/plugin-transform-destructuring@7.29.7':
+    resolution: {integrity: sha512-iPX8aD6H9zV5s7ZsqTdNocPN/MGQ5sSMnElKrktxjJRMnB2jN/1p2+R7GkfD6CAYoVFqy5A4XnSIUeGgJzIWpg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-dotall-regex@7.27.1':
-    resolution: {integrity: sha512-gEbkDVGRvjj7+T1ivxrfgygpT7GUd4vmODtYpbs0gZATdkX8/iSnOtZSxiZnsgm1YjTgjI6VKBGSJJevkrclzw==}
+  '@babel/plugin-transform-dotall-regex@7.29.7':
+    resolution: {integrity: sha512-3qc18hsD2RdZiyJNDNc7HQpv6xbncwh8FYtxNFFzclSyh/trPD9KkVR9BDECUjDLvb7yJVF15GfYUuC+LMkkiQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-duplicate-keys@7.27.1':
-    resolution: {integrity: sha512-MTyJk98sHvSs+cvZ4nOauwTTG1JeonDjSGvGGUNHreGQns+Mpt6WX/dVzWBHgg+dYZhkC4X+zTDfkTU+Vy9y7Q==}
+  '@babel/plugin-transform-duplicate-keys@7.29.7':
+    resolution: {integrity: sha512-6IvRRriEMqnBwD6chtxdLpMYCHWEzN+oL5cyQtjykya19UgzbmKhxmhZgKC/LHxS2nYr9Q/qYPZ5Lr6jOL9+yQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.27.1':
-    resolution: {integrity: sha512-hkGcueTEzuhB30B3eJCbCYeCaaEQOmQR0AdvzpD4LoN0GXMWzzGSuRrxR2xTnCrvNbVwK9N6/jQ92GSLfiZWoQ==}
+  '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.29.7':
+    resolution: {integrity: sha512-2wiIyo2BjtgU7HufSeDnL9L2O7zr8jmhFKuSr65VpRkUiRKRNpb0mdlk56+XPPKoIrfHqzbMuglDvZun0RISsA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/plugin-transform-dynamic-import@7.27.1':
-    resolution: {integrity: sha512-MHzkWQcEmjzzVW9j2q8LGjwGWpG2mjwaaB0BNQwst3FIjqsg8Ct/mIZlvSPJvfi9y2AC8mi/ktxbFVL9pZ1I4A==}
+  '@babel/plugin-transform-dynamic-import@7.29.7':
+    resolution: {integrity: sha512-giOlEm/EFjfjr+te9NsdjkUo2v4f8rS/SXPumRVHAtbNcyNlvtREkU1dZzaIDclNpnaVhlCqRdFKhJBjBikzLg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-exponentiation-operator@7.27.1':
-    resolution: {integrity: sha512-uspvXnhHvGKf2r4VVtBpeFnuDWsJLQ6MF6lGJLC89jBR1uoVeqM416AZtTuhTezOfgHicpJQmoD5YUakO/YmXQ==}
+  '@babel/plugin-transform-explicit-resource-management@7.29.7':
+    resolution: {integrity: sha512-Rstj7coNz8sE+7Ju7ihpHLI564lsK5pUpNNlvptCIC/16E/S5hbl6n3kESPKdNRmqEWlpn5xpS5Q2dvXBsySLw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-export-namespace-from@7.27.1':
-    resolution: {integrity: sha512-tQvHWSZ3/jH2xuq/vZDy0jNn+ZdXJeM8gHvX4lnJmsc3+50yPlWdZXIc5ay+umX+2/tJIqHqiEqcJvxlmIvRvQ==}
+  '@babel/plugin-transform-exponentiation-operator@7.29.7':
+    resolution: {integrity: sha512-zFpMOTLZBdW5LfObqcSbL6kefg4R4eLdmvS0wbN9M6D5Mym/sKm9toOoWyVOa+xDjvCnuWcHls2YonXwHvH3CQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-for-of@7.27.1':
-    resolution: {integrity: sha512-BfbWFFEJFQzLCQ5N8VocnCtA8J1CLkNTe2Ms2wocj75dd6VpiqS5Z5quTYcUoo4Yq+DN0rtikODccuv7RU81sw==}
+  '@babel/plugin-transform-export-namespace-from@7.29.7':
+    resolution: {integrity: sha512-24B2nOy2TeJSMheqwPD4DDQOV/elLSIlKxjZt4i05H5AgdPdWR3n18HnNrcJ+j76WJd9gbwb9jPjNYUy6RautA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-function-name@7.27.1':
-    resolution: {integrity: sha512-1bQeydJF9Nr1eBCMMbC+hdwmRlsv5XYOMu03YSWFwNs0HsAmtSxxF1fyuYPqemVldVyFmlCU7w8UE14LupUSZQ==}
+  '@babel/plugin-transform-for-of@7.29.7':
+    resolution: {integrity: sha512-zeSIHh0+E1Um1WJRXCFlHQYu2ieJNdivLLjlBEp+dIBu3S51n+SZZmIXjxnItw6pz56Cn+KvK68BIBVsxq2JiQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-json-strings@7.27.1':
-    resolution: {integrity: sha512-6WVLVJiTjqcQauBhn1LkICsR2H+zm62I3h9faTDKt1qP4jn2o72tSvqMwtGFKGTpojce0gJs+76eZ2uCHRZh0Q==}
+  '@babel/plugin-transform-function-name@7.29.7':
+    resolution: {integrity: sha512-otRWaHXE6fbAGkePvaj/kvs3HsqXfPhlnzwSOlnFgbqCPMd975dW+4wZ00WFBt+/YlBGcJwNrARQTOJOb4ZrIg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-literals@7.27.1':
-    resolution: {integrity: sha512-0HCFSepIpLTkLcsi86GG3mTUzxV5jpmbv97hTETW3yzrAij8aqlD36toB1D0daVFJM8NK6GvKO0gslVQmm+zZA==}
+  '@babel/plugin-transform-json-strings@7.29.7':
+    resolution: {integrity: sha512-RRnE2+eon1rJAq8MnoF1b5kTpY1vU88twHcvcKMrsqP/jxIRqDVs9iJB5fqPuqyeFAW0wJo4MlUIPpQCq/aRsg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-logical-assignment-operators@7.27.1':
-    resolution: {integrity: sha512-SJvDs5dXxiae4FbSL1aBJlG4wvl594N6YEVVn9e3JGulwioy6z3oPjx/sQBO3Y4NwUu5HNix6KJ3wBZoewcdbw==}
+  '@babel/plugin-transform-literals@7.29.7':
+    resolution: {integrity: sha512-DZ/oLP21ZuWx1vKqnoNv6/tvEK48AQOBRai40CX9dTjGluvT/YZCyY3rryDtyUqCEoyNroy5KKPwX2iQCiRvyw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-member-expression-literals@7.27.1':
-    resolution: {integrity: sha512-hqoBX4dcZ1I33jCSWcXrP+1Ku7kdqXf1oeah7ooKOIiAdKQ+uqftgCFNOSzA5AMS2XIHEYeGFg4cKRCdpxzVOQ==}
+  '@babel/plugin-transform-logical-assignment-operators@7.29.7':
+    resolution: {integrity: sha512-A0H91hh6W8MFRkp5TqJmMr39jzGD1A1E1Ysiv2O06Sfbhkapm+XyIzxWCEh5kqwOZ1/8QZ0dY3SeQ7XBqfJd5Q==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-modules-amd@7.27.1':
-    resolution: {integrity: sha512-iCsytMg/N9/oFq6n+gFTvUYDZQOMK5kEdeYxmxt91fcJGycfxVP9CnrxoliM0oumFERba2i8ZtwRUCMhvP1LnA==}
+  '@babel/plugin-transform-member-expression-literals@7.29.7':
+    resolution: {integrity: sha512-hl1kwFZCCiDyfH25Xmco9jTrkPgnS9pmOzSG7W5I4SaGbLeqKv417hcU2RKmaxoPEgsoJh7ZPOrnPGq99bHoUg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-modules-commonjs@7.27.1':
-    resolution: {integrity: sha512-OJguuwlTYlN0gBZFRPqwOGNWssZjfIUdS7HMYtN8c1KmwpwHFBwTeFZrg9XZa+DFTitWOW5iTAG7tyCUPsCCyw==}
+  '@babel/plugin-transform-modules-amd@7.29.7':
+    resolution: {integrity: sha512-fxtQoH3m5ywUSIfaH0FGCzWu4McsYon5bD3K4XnskC7f+OyQMj7rsOMi4NvvmJ83WwBAg4UCe+ov4VZlqEvyew==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-modules-systemjs@7.27.1':
-    resolution: {integrity: sha512-w5N1XzsRbc0PQStASMksmUeqECuzKuTJer7kFagK8AXgpCMkeDMO5S+aaFb7A51ZYDF7XI34qsTX+fkHiIm5yA==}
+  '@babel/plugin-transform-modules-commonjs@7.29.7':
+    resolution: {integrity: sha512-j0vCldybPC5b5dwCQOJ21uKtHzt7hxLygJTg9eF1ScfaikEDNfzn94XoW5Fi+seBR0nCyL23xaBFFkq7dTM8XQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-modules-umd@7.27.1':
-    resolution: {integrity: sha512-iQBE/xC5BV1OxJbp6WG7jq9IWiD+xxlZhLrdwpPkTX3ydmXdvoCpyfJN7acaIBZaOqTfr76pgzqBJflNbeRK+w==}
+  '@babel/plugin-transform-modules-systemjs@7.29.7':
+    resolution: {integrity: sha512-TM2ZcQLoG2/y4HODiStCo10DibYhWhGWAwVv+EQKmG/7GFl0N+AAmUiXOMKM+aiJ9XBJ9AHVZBvTzMnJ2sM3cQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-named-capturing-groups-regex@7.27.1':
-    resolution: {integrity: sha512-SstR5JYy8ddZvD6MhV0tM/j16Qds4mIpJTOd1Yu9J9pJjH93bxHECF7pgtc28XvkzTD6Pxcm/0Z73Hvk7kb3Ng==}
+  '@babel/plugin-transform-modules-umd@7.29.7':
+    resolution: {integrity: sha512-B4UkaTK3QpgCwJnrxKfMPKdo92CN7OKXAlpAAnM3UPu0Q0lCCk57ylA9AJbRy2v8dDKOPAAWcoR6CMyeoHwRCA==}
+    engines: {node: '>=6.9.0'}
+    peerDependencies:
+      '@babel/core': ^7.0.0-0
+
+  '@babel/plugin-transform-named-capturing-groups-regex@7.29.7':
+    resolution: {integrity: sha512-vuFoLwr4qnv2xbZ16SQd6uPcH5FNrLHhk/Jzo++0XJFcaDsr4gjJVg6j398oMHiC+83k/GiBzviwF5KBJkPUtQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/plugin-transform-new-target@7.27.1':
-    resolution: {integrity: sha512-f6PiYeqXQ05lYq3TIfIDu/MtliKUbNwkGApPUvyo6+tc7uaR4cPjPe7DFPr15Uyycg2lZU6btZ575CuQoYh7MQ==}
+  '@babel/plugin-transform-new-target@7.29.7':
+    resolution: {integrity: sha512-fEo41GmsOUhOBlw8ioo6zvjX5Xc2Lqkzlyfqbpsk3eB6TReV18uhxZ0esfEokVbY2+PVJAQHNKxER6lGrzNd3A==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-nullish-coalescing-operator@7.27.1':
-    resolution: {integrity: sha512-aGZh6xMo6q9vq1JGcw58lZ1Z0+i0xB2x0XaauNIUXd6O1xXc3RwoWEBlsTQrY4KQ9Jf0s5rgD6SiNkaUdJegTA==}
+  '@babel/plugin-transform-nullish-coalescing-operator@7.29.7':
+    resolution: {integrity: sha512-idmp1dFaekP9GbcMvG24Kvw2BfhFZjHnNJCkV4WuIY4PskJzwI3f1N5OdgYke38T7rftO6ERulFRn2cFeZwRkg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-numeric-separator@7.27.1':
-    resolution: {integrity: sha512-fdPKAcujuvEChxDBJ5c+0BTaS6revLV7CJL08e4m3de8qJfNIuCc2nc7XJYOjBoTMJeqSmwXJ0ypE14RCjLwaw==}
+  '@babel/plugin-transform-numeric-separator@7.29.7':
+    resolution: {integrity: sha512-zR7fv/z14OjgHl4AgRtkDBvBMhIzCxqV/qN/2BCRC7LjFwvuzjYe7gDWxC4Wl/SNsLM6SE1IWvRPYMgSJaUvNw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-object-rest-spread@7.27.2':
-    resolution: {integrity: sha512-AIUHD7xJ1mCrj3uPozvtngY3s0xpv7Nu7DoUSnzNY6Xam1Cy4rUznR//pvMHOhQ4AvbCexhbqXCtpxGHOGOO6g==}
+  '@babel/plugin-transform-object-rest-spread@7.29.7':
+    resolution: {integrity: sha512-Ld98jn4c0smUywL57m7SgsHq3OpThOa6LqZJif3G6jYOovPleoFhVrBJ1WegRApSFB2wu4+RelAj9AC9G08Z4A==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-object-super@7.27.1':
-    resolution: {integrity: sha512-SFy8S9plRPbIcxlJ8A6mT/CxFdJx/c04JEctz4jf8YZaVS2px34j7NXRrlGlHkN/M2gnpL37ZpGRGVFLd3l8Ng==}
+  '@babel/plugin-transform-object-super@7.29.7':
+    resolution: {integrity: sha512-Ea/diGcw0twB5IlZPO5sgET6fJsLJqPABqTuFWIR+iMPGPZJkATEIWx0wa+aEQ5UY1CBQyP/gkAiLEqn1vBiQA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-optional-catch-binding@7.27.1':
-    resolution: {integrity: sha512-txEAEKzYrHEX4xSZN4kJ+OfKXFVSWKB2ZxM9dpcE3wT7smwkNmXo5ORRlVzMVdJbD+Q8ILTgSD7959uj+3Dm3Q==}
+  '@babel/plugin-transform-optional-catch-binding@7.29.7':
+    resolution: {integrity: sha512-sLsyndxK2VwX6yNUOakMb7Sh553ZTe/vVM1XJ+9Z5aW1ytsc8xOIwmyk05NNjN60vkc5/KqoTH6hB4V41LJhng==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-optional-chaining@7.27.1':
-    resolution: {integrity: sha512-BQmKPPIuc8EkZgNKsv0X4bPmOoayeu4F1YCwx2/CfmDSXDbp7GnzlUH+/ul5VGfRg1AoFPsrIThlEBj2xb4CAg==}
+  '@babel/plugin-transform-optional-chaining@7.29.7':
+    resolution: {integrity: sha512-6GM1dhvK3gNODkXcEcMCOLEDCLSoZ/sBbro2Ax8HURyasQ4NshagQixkRFdh5niI6E4gmA/jYI/4aT7rRos3ZQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-parameters@7.27.1':
-    resolution: {integrity: sha512-018KRk76HWKeZ5l4oTj2zPpSh+NbGdt0st5S6x0pga6HgrjBOJb24mMDHorFopOOd6YHkLgOZ+zaCjZGPO4aKg==}
+  '@babel/plugin-transform-parameters@7.29.7':
+    resolution: {integrity: sha512-ZDOBqV/qLYJI0YElr8DcENEyARsFQeESqWXH6gZlghYXuPPjvweuDhP4VyEi4BlUBlLRFZVjxoZDMjxhLW766g==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-private-methods@7.27.1':
-    resolution: {integrity: sha512-10FVt+X55AjRAYI9BrdISN9/AQWHqldOeZDUoLyif1Kn05a56xVBXb8ZouL8pZ9jem8QpXaOt8TS7RHUIS+GPA==}
+  '@babel/plugin-transform-private-methods@7.29.7':
+    resolution: {integrity: sha512-/6Rz4DK1ETDEM/bWHsPHcaEe7ZaT1EqSXjtSP/L0DijOYuaUhiRiOKcwpZ8P7zR4xXEHc2ITdiCgBm9Tpyv9ug==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-private-property-in-object@7.27.1':
-    resolution: {integrity: sha512-5J+IhqTi1XPa0DXF83jYOaARrX+41gOewWbkPyjMNRDqgOCqdffGh8L3f/Ek5utaEBZExjSAzcyjmV9SSAWObQ==}
+  '@babel/plugin-transform-private-property-in-object@7.29.7':
+    resolution: {integrity: sha512-+BNo06dnrzdNNqCm1X6YUaVv0DKk8Q+JYcoZfOkLhYWNCXzlwTSRq8zGWayT1csjcpNXV9CQTBRRbmTLZac5cA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-property-literals@7.27.1':
-    resolution: {integrity: sha512-oThy3BCuCha8kDZ8ZkgOg2exvPYUlprMukKQXI1r1pJ47NCvxfkEy8vK+r/hT9nF0Aa4H1WUPZZjHTFtAhGfmQ==}
+  '@babel/plugin-transform-property-literals@7.29.7':
+    resolution: {integrity: sha512-bOMRLQuI0A5ZqHq3OWJ89/rXpJ/NJrbVhXiP4zwPGMs6kpcVsuTUNjwoE30K0Qm3mf48a/TnRYYD6vPNqcg6jA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-regenerator@7.27.1':
-    resolution: {integrity: sha512-B19lbbL7PMrKr52BNPjCqg1IyNUIjTcxKj8uX9zHO+PmWN93s19NDr/f69mIkEp2x9nmDJ08a7lgHaTTzvW7mw==}
+  '@babel/plugin-transform-regenerator@7.29.7':
+    resolution: {integrity: sha512-rNNFV0DBAJp988xW2DOntfDoYn1eR8GGF5AT5vYc+rjyfaQkM242c9tZUHHPe7KYaiJizXPWhQTzzdbXySyhBw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-regexp-modifiers@7.27.1':
-    resolution: {integrity: sha512-TtEciroaiODtXvLZv4rmfMhkCv8jx3wgKpL68PuiPh2M4fvz5jhsA7697N1gMvkvr/JTF13DrFYyEbY9U7cVPA==}
+  '@babel/plugin-transform-regexp-modifiers@7.29.7':
+    resolution: {integrity: sha512-mB5Fs0VWrJ42ZCmc8114v60qetdaUVNkj9PmSZRmanCZM3S9hm0CFRLjRmYIsuXav14l2jvZ+4T8iiCGnhj3nQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/plugin-transform-reserved-words@7.27.1':
-    resolution: {integrity: sha512-V2ABPHIJX4kC7HegLkYoDpfg9PVmuWy/i6vUM5eGK22bx4YVFD3M5F0QQnWQoDs6AGsUWTVOopBiMFQgHaSkVw==}
+  '@babel/plugin-transform-reserved-words@7.29.7':
+    resolution: {integrity: sha512-5+YhdpVgmfSmwZyLMftfaiffLRMHjzIRHFHHLdibcSyJm2pasMrKHrO3Ptrt2DRshjvpgjEJJ1zVW14WPq/6QA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-runtime@7.27.1':
-    resolution: {integrity: sha512-TqGF3desVsTcp3WrJGj4HfKokfCXCLcHpt4PJF0D8/iT6LPd9RS82Upw3KPeyr6B22Lfd3DO8MVrmp0oRkUDdw==}
+  '@babel/plugin-transform-runtime@7.29.7':
+    resolution: {integrity: sha512-xmAscdE/AsqRW7vutbPNoUmu/nF5SrLKPs7aoJgEjo35lLKA/Bc0i2rMv/hr1+Y0o1bQCiVtith3u2vdgRL39Q==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-shorthand-properties@7.27.1':
-    resolution: {integrity: sha512-N/wH1vcn4oYawbJ13Y/FxcQrWk63jhfNa7jef0ih7PHSIHX2LB7GWE1rkPrOnka9kwMxb6hMl19p7lidA+EHmQ==}
+  '@babel/plugin-transform-shorthand-properties@7.29.7':
+    resolution: {integrity: sha512-I+WYbGBAiCn7nA6xBrlgPH+MB7HWb4u8pv5S0Pv7OtwNvIFvCCb24YlttKEeUFVurfBCEaOTnuhlqsb7f0Z5Dg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-spread@7.27.1':
-    resolution: {integrity: sha512-kpb3HUqaILBJcRFVhFUs6Trdd4mkrzcGXss+6/mxUd273PfbWqSDHRzMT2234gIg2QYfAjvXLSquP1xECSg09Q==}
+  '@babel/plugin-transform-spread@7.29.7':
+    resolution: {integrity: sha512-/u5K1QWada7tbYNqTjMh96718g9NTwh9tfPJMsSmVsQwGT447FskV+KcfeXkXq2GWki4EM/MuTdmBec+hOuVTQ==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-sticky-regex@7.27.1':
-    resolution: {integrity: sha512-lhInBO5bi/Kowe2/aLdBAawijx+q1pQzicSgnkB6dUPc1+RC8QmJHKf2OjvU+NZWitguJHEaEmbV6VWEouT58g==}
+  '@babel/plugin-transform-sticky-regex@7.29.7':
+    resolution: {integrity: sha512-BCHzNYJGe9l7EpwwDBN/ztlL2NYFFq8hp9ddjtUEM9f2O7S7kKV/lL6Fwo7IF7NSkYhPK2vO+86nIGltA90MsA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-template-literals@7.27.1':
-    resolution: {integrity: sha512-fBJKiV7F2DxZUkg5EtHKXQdbsbURW3DZKQUWphDum0uRP6eHGGa/He9mc0mypL680pb+e/lDIthRohlv8NCHkg==}
+  '@babel/plugin-transform-template-literals@7.29.7':
+    resolution: {integrity: sha512-NCSEJ4sLFU2gqAub45HYh4fus2yQ36rr6ei6vpU7NdoJqCpxvEG8E6eJpscGyXP3VHD2Ny+fSXr04k1hoUrFqA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-typeof-symbol@7.27.1':
-    resolution: {integrity: sha512-RiSILC+nRJM7FY5srIyc4/fGIwUhyDuuBSdWn4y6yT6gm652DpCHZjIipgn6B7MQ1ITOUnAKWixEUjQRIBIcLw==}
+  '@babel/plugin-transform-typeof-symbol@7.29.7':
+    resolution: {integrity: sha512-223mNGoTkBiTEWFoK+Q6Go3tueMRclO8vxxxxquNCYuNI4jWOofFKJRRDu6SDrB8Sgo1UEGW9T4GAQ8ZyRso1A==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-typescript@7.27.1':
-    resolution: {integrity: sha512-Q5sT5+O4QUebHdbwKedFBEwRLb02zJ7r4A5Gg2hUoLuU3FjdMcyqcywqUrLCaDsFCxzokf7u9kuy7qz51YUuAg==}
+  '@babel/plugin-transform-typescript@7.29.7':
+    resolution: {integrity: sha512-jK52h8LaLc7JarhQV2ofeFMts4H7vnOXnqZNA6fYglBTZewRBE51KWt3BUltW1P+KoPsYkHoJeXePuz4zo2LMw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
@@ -974,26 +984,26 @@ packages:
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-unicode-escapes@7.27.1':
-    resolution: {integrity: sha512-Ysg4v6AmF26k9vpfFuTZg8HRfVWzsh1kVfowA23y9j/Gu6dOuahdUVhkLqpObp3JIv27MLSii6noRnuKN8H0Mg==}
+  '@babel/plugin-transform-unicode-escapes@7.29.7':
+    resolution: {integrity: sha512-jCfXxSjf94lf4E0hKE0AByxF6F3/pVFqRdUUNkDJhsY0m1ZKjnN6ZYyMeHNpzflxb/0q5b7t3p+BE+SLF1WOtA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-unicode-property-regex@7.27.1':
-    resolution: {integrity: sha512-uW20S39PnaTImxp39O5qFlHLS9LJEmANjMG7SxIhap8rCHqu0Ik+tLEPX5DKmHn6CsWQ7j3lix2tFOa5YtL12Q==}
+  '@babel/plugin-transform-unicode-property-regex@7.29.7':
+    resolution: {integrity: sha512-OgZ+zoAJgZLUCunsTRQ5LAjOywDv5zzZ2/hQ5aMw1pGXyY2rtE8/chXYUmu3AlVHKpm10KEdG9aMwbI/K76ZGw==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-unicode-regex@7.27.1':
-    resolution: {integrity: sha512-xvINq24TRojDuyt6JGtHmkVkrfVV3FPT16uytxImLeBZqW3/H52yN+kM1MGuyPkIQxrzKwPHs5U/MP3qKyzkGw==}
+  '@babel/plugin-transform-unicode-regex@7.29.7':
+    resolution: {integrity: sha512-7D/x/23/d/3VqZ0QA+LGbZMlGwZjztBygSWWWsfTPoQ1oQ6Q1P6Mr3d0kk42XabyUVw+fha3LqdRsFqeKqvCyA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
 
-  '@babel/plugin-transform-unicode-sets-regex@7.27.1':
-    resolution: {integrity: sha512-EtkOujbc4cgvb0mlpQefi4NTPBzhSIevblFevACNLUspmrALgmEBdL/XfnyyITfd8fKBZrZys92zOWcik7j9Tw==}
+  '@babel/plugin-transform-unicode-sets-regex@7.29.7':
+    resolution: {integrity: sha512-BLOhLht9DOJwIxlmp91wHvkXv1lguuHS3/FwUO8HL1H0u8s4hR1gASVFyilu9iGtcTRYqjTZmlsFFeQletntEg==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0
@@ -1002,14 +1012,8 @@ packages:
     resolution: {integrity: sha512-X0pi0V6gxLi6lFZpGmeNa4zxtwEmCs42isWLNjZZDE0Y8yVfgu0T2OAHlzBbdYlqbW/YXVvoBHpATEM+goCj8g==}
     deprecated: 🚨 This package has been deprecated in favor of separate inclusion of a polyfill and regenerator-runtime (when needed). See the @babel/polyfill docs (https://babeljs.io/docs/en/babel-polyfill) for more information.
 
-  '@babel/preset-env@7.26.9':
-    resolution: {integrity: sha512-vX3qPGE8sEKEAZCWk05k3cpTAE3/nOYca++JA+Rd0z2NCNzabmYvEiSShKzm10zdquOIAVXsy2Ei/DTW34KlKQ==}
-    engines: {node: '>=6.9.0'}
-    peerDependencies:
-      '@babel/core': ^7.0.0-0
-
-  '@babel/preset-env@7.27.2':
-    resolution: {integrity: sha512-Ma4zSuYSlGNRlCLO+EAzLnCmJK2vdstgv+n7aUP+/IKZrOfWHOJVdSJtuub8RzHTj3ahD37k5OKJWvzf16TQyQ==}
+  '@babel/preset-env@7.29.7':
+    resolution: {integrity: sha512-GYzX36n1nsciIb0uyH0GHwxwtNwPQIcpxSeiVLDtG/B7jB5xXgchnmL1f/jCX5o+pwnaDBtO60ONSJhEBJfxYA==}
     engines: {node: '>=6.9.0'}
     peerDependencies:
       '@babel/core': ^7.0.0-0
@@ -1029,23 +1033,29 @@ packages:
     resolution: {integrity: sha512-VtPOkrdPHZsKc/clNqyi9WUA8TINkZ4cGk63UUE3u4pmB2k+ZMQRDuIOagv8UVd6j7k0T3+RRIb7beKTebNbcw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/template@7.27.2':
-    resolution: {integrity: sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==}
+  '@babel/template@7.29.7':
+    resolution: {integrity: sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/traverse@7.27.1':
-    resolution: {integrity: sha512-ZCYtZciz1IWJB4U61UPu4KEaqyfj+r5T1Q5mqPo+IBpcG9kHv30Z0aD8LXPgC1trYa6rK0orRyAhqUgk4MjmEg==}
+  '@babel/traverse@7.29.7':
+    resolution: {integrity: sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/types@7.27.1':
-    resolution: {integrity: sha512-+EzkxvLNfiUeKMgy/3luqfsCWFRXLb7U6wNQTk60tovuckwB15B191tJWvpp4HjiQWdJkCxO3Wbvc6jlk3Xb2Q==}
+  '@babel/types@7.29.7':
+    resolution: {integrity: sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==}
     engines: {node: '>=6.9.0'}
 
-  '@carbon/charts@1.27.2':
-    resolution: {integrity: sha512-0eYS1bgwP/z+lCBQrDT8vOJSMJQVKzT3h51lyXwxn9rx3/GLuseEr1+t65elyjUaBxMAs9wT1kDat2PU2d32lA==}
+  '@cacheable/memory@2.0.9':
+    resolution: {integrity: sha512-HdMx6DoGywB30vacDbBsITbIX4pgFqj1zsrV58jZBUw3klzkNoXhj7qOqAgledhxG7YZI5rBSJg7Zp8/VG0DuA==}
 
-  '@carbon/colors@11.45.0':
-    resolution: {integrity: sha512-3ZHP2L77PbBytPl6jf7OcDVvEH/i1SIzGJfdA9rMZ7L8AyUpvf/zTEcN+BrOv+Xsg2idPtlz3ZyRkm5oASl6rg==}
+  '@cacheable/utils@2.4.1':
+    resolution: {integrity: sha512-eiFgzCbIneyMlLOmNG4g9xzF7Hv3Mga4LjxjcSC/ues6VYq2+gUbQI8JqNuw/ZM8tJIeIaBGpswAsqV2V7ApgA==}
+
+  '@carbon/charts@1.27.11':
+    resolution: {integrity: sha512-nPEOmBj9Sy1uveK8hUXEyPMJqEyiCwlrYIychr4PpPtQ+6aL94xQ6c3OlbZrPQL03nX0syELpX7SEcsFX1fADA==}
+
+  '@carbon/colors@11.52.0':
+    resolution: {integrity: sha512-T0Jhemrowk1VBsq/iK00bPQ+O43X1ibtBRVxuy+2APBvB35409kgvkfOEMiEpETHa/gZeevpBPFum/6g+iyqIQ==}
 
   '@carbon/utils-position@1.3.0':
     resolution: {integrity: sha512-bfar2dV+fQ15syIrH3n9ujY4PXd1Q+AF2VcTLJIC04IDe2f80zOnJlLNPc/RktHcWTZ7WSQm80cQo3abGcsfTA==}
@@ -1055,11 +1065,11 @@ packages:
     engines: {node: '>=0.1.95'}
     hasBin: true
 
-  '@codemirror/autocomplete@6.18.6':
-    resolution: {integrity: sha512-PHHBXFomUs5DF+9tCOM/UoW6XQ4R44lLNNhRaW9PKPTU0D7lIjRg3ElxaJnTwsl/oHiR93WSXDBrekhoUGCPtg==}
+  '@codemirror/autocomplete@6.20.2':
+    resolution: {integrity: sha512-G5FPkgIiLjOgZMjqVjvuKQ1rGPtHogLldJr33eFJdVLtmwY+giGrlv/ewljLz6b9BSQLkjxuwBc6g6omDM+YxQ==}
 
-  '@codemirror/commands@6.8.1':
-    resolution: {integrity: sha512-KlGVYufHMQzxbdQONiLyGQDUW0itrLZwq3CcY7xpv9ZLRHqzkBSoteocBHtMCoY7/Ci4xhzSrToIeLg7FxHuaw==}
+  '@codemirror/commands@6.10.3':
+    resolution: {integrity: sha512-JFRiqhKu+bvSkDLI+rUhJwSxQxYb759W5GBezE8Uc8mHLqC9aV/9aTC7yJSqCtB3F00pylrLCwnyS91Ap5ej4Q==}
 
   '@codemirror/lang-css@6.3.1':
     resolution: {integrity: sha512-kr5fwBGiGtmz6l0LSJIbno9QrifNMUusivHbnA1H6Dmqy4HZFte3UAICix1VuKo0lMPKQr2rqB+0BkKi/S3Ejg==}
@@ -1067,59 +1077,59 @@ packages:
   '@codemirror/lang-go@6.0.1':
     resolution: {integrity: sha512-7fNvbyNylvqCphW9HD6WFnRpcDjr+KXX/FgqXy5H5ZS0eC5edDljukm/yNgYkwTsgp2busdod50AOTIy6Jikfg==}
 
-  '@codemirror/lang-html@6.4.9':
-    resolution: {integrity: sha512-aQv37pIMSlueybId/2PVSP6NPnmurFDVmZwzc7jszd2KAF8qd4VBbvNYPXWQq90WIARjsdVkPbw29pszmHws3Q==}
+  '@codemirror/lang-html@6.4.11':
+    resolution: {integrity: sha512-9NsXp7Nwp891pQchI7gPdTwBuSuT3K65NGTHWHNJ55HjYcHLllr0rbIZNdOzas9ztc1EUVBlHou85FFZS4BNnw==}
 
-  '@codemirror/lang-javascript@6.2.4':
-    resolution: {integrity: sha512-0WVmhp1QOqZ4Rt6GlVGwKJN3KW7Xh4H2q8ZZNGZaP6lRdxXJzmjm4FqvmOojVj6khWJHIb9sp7U/72W7xQgqAA==}
+  '@codemirror/lang-javascript@6.2.5':
+    resolution: {integrity: sha512-zD4e5mS+50htS7F+TYjBPsiIFGanfVqg4HyUz6WNFikgOPf2BgKlx+TQedI1w6n/IqRBVBbBWmGFdLB/7uxO4A==}
 
-  '@codemirror/lang-json@6.0.1':
-    resolution: {integrity: sha512-+T1flHdgpqDDlJZ2Lkil/rLiRy684WMLc74xUnjJH48GQdfJo/pudlTRreZmKwzP8/tGdKf83wlbAdOCzlJOGQ==}
+  '@codemirror/lang-json@6.0.2':
+    resolution: {integrity: sha512-x2OtO+AvwEHrEwR0FyyPtfDUiloG3rnVTSZV1W8UteaLL8/MajQd8DpvUb2YVzC+/T18aSDv0H9mu+xw0EStoQ==}
 
-  '@codemirror/lang-markdown@6.3.2':
-    resolution: {integrity: sha512-c/5MYinGbFxYl4itE9q/rgN/sMTjOr8XL5OWnC+EaRMLfCbVUmmubTJfdgpfcSS2SCaT7b+Q+xi3l6CgoE+BsA==}
+  '@codemirror/lang-markdown@6.5.0':
+    resolution: {integrity: sha512-0K40bZ35jpHya6FriukbgaleaqzBLZfOh7HuzqbMxBXkbYMJDxfF39c23xOgxFezR+3G+tR2/Mup+Xk865OMvw==}
 
-  '@codemirror/lang-sql@6.8.0':
-    resolution: {integrity: sha512-aGLmY4OwGqN3TdSx3h6QeA1NrvaYtF7kkoWR/+W7/JzB0gQtJ+VJxewlnE3+VImhA4WVlhmkJr109PefOOhjLg==}
+  '@codemirror/lang-sql@6.10.0':
+    resolution: {integrity: sha512-6ayPkEd/yRw0XKBx5uAiToSgGECo/GY2NoJIHXIIQh1EVwLuKoU8BP/qK0qH5NLXAbtJRLuT73hx7P9X34iO4w==}
 
-  '@codemirror/lang-yaml@6.1.2':
-    resolution: {integrity: sha512-dxrfG8w5Ce/QbT7YID7mWZFKhdhsaTNOYjOkSIMt1qmC4VQnXSDSYVHHHn8k6kJUfIhtLo8t1JJgltlxWdsITw==}
+  '@codemirror/lang-yaml@6.1.3':
+    resolution: {integrity: sha512-AZ8DJBuXGVHybpBQhmZtgew5//4hv3tdkXnr3vDmOUMJRuB6vn/uuwtmTOTlqEaQFg3hQSVeA90NmvIQyUV6FQ==}
 
-  '@codemirror/language@6.11.0':
-    resolution: {integrity: sha512-A7+f++LodNNc1wGgoRDTt78cOwWm9KVezApgjOMp1W4hM0898nsqBXwF+sbePE7ZRcjN7Sa1Z5m2oN27XkmEjQ==}
+  '@codemirror/language@6.12.3':
+    resolution: {integrity: sha512-QwCZW6Tt1siP37Jet9Tb02Zs81TQt6qQrZR2H+eGMcFsL1zMrk2/b9CLC7/9ieP1fjIUMgviLWMmgiHoJrj+ZA==}
 
-  '@codemirror/legacy-modes@6.5.1':
-    resolution: {integrity: sha512-DJYQQ00N1/KdESpZV7jg9hafof/iBNp9h7TYo1SLMk86TWl9uDsVdho2dzd81K+v4retmK6mdC7WpuOQDytQqw==}
+  '@codemirror/legacy-modes@6.5.3':
+    resolution: {integrity: sha512-xCsmIzH78MyWkib9jlPaaun57XNkfbMIhagfaZVd0iLTqlpw3jXaIcbZm72MTmmn64eTZpBVNjbyYh+QXnxRsg==}
 
-  '@codemirror/lint@6.8.5':
-    resolution: {integrity: sha512-s3n3KisH7dx3vsoeGMxsbRAgKe4O1vbrnKBClm99PU0fWxmxsx5rR2PfqQgIt+2MMJBHbiJ5rfIdLYfB9NNvsA==}
+  '@codemirror/lint@6.9.6':
+    resolution: {integrity: sha512-6Kp7r6XfCi/D/5sdXieMfg9pJU1bUEx96WITuLU6ESaKizCz0QHFMjY/TaFSbigDdEAIgi93itLBIUETP4oK+A==}
 
-  '@codemirror/state@6.5.2':
-    resolution: {integrity: sha512-FVqsPqtPWKVVL3dPSxy8wEF/ymIEuVzF1PK3VbUgrxXpJUSHQWWZz4JMToquRxnkw+36LTamCZG2iua2Ptq0fA==}
+  '@codemirror/state@6.6.0':
+    resolution: {integrity: sha512-4nbvra5R5EtiCzr9BTHiTLc+MLXK2QGiAVYMyi8PkQd3SR+6ixar/Q/01Fa21TBIDOZXgeWV4WppsQolSreAPQ==}
 
-  '@codemirror/view@6.36.8':
-    resolution: {integrity: sha512-yoRo4f+FdnD01fFt4XpfpMCcCAo9QvZOtbrXExn4SqzH32YC6LgzqxfLZw/r6Ge65xyY03mK/UfUqrVw1gFiFg==}
+  '@codemirror/view@6.43.0':
+    resolution: {integrity: sha512-V7ZCLQO3Jus9hzh2jVCCPW3mO4IBMr43O37PqSUYautJSnnJF41YlgLw21x0fLJTYvJ+Vkm6Gp+qKGH9pltgXA==}
 
   '@colors/colors@1.5.0':
     resolution: {integrity: sha512-ooWCrlZP11i8GImSjTHYHLkvFDP48nS4+204nGb1RiX/WXYHmJA2III9/e2DWVabCESdW7hBAEzHRqUn9OUVvQ==}
     engines: {node: '>=0.1.90'}
 
-  '@csstools/css-parser-algorithms@3.0.4':
-    resolution: {integrity: sha512-Up7rBoV77rv29d3uKHUIVubz1BTcgyUK72IvCQAbfbMv584xHcGKCKbWh7i8hPrRJ7qU4Y8IO3IY9m+iTB7P3A==}
+  '@csstools/css-parser-algorithms@3.0.5':
+    resolution: {integrity: sha512-DaDeUkXZKjdGhgYaHNJTV9pV7Y9B3b644jCLs9Upc3VeNGg6LWARAT6O+Q+/COo+2gg/bM5rhpMAtf70WqfBdQ==}
     engines: {node: '>=18'}
     peerDependencies:
-      '@csstools/css-tokenizer': ^3.0.3
+      '@csstools/css-tokenizer': ^3.0.4
 
-  '@csstools/css-tokenizer@3.0.3':
-    resolution: {integrity: sha512-UJnjoFsmxfKUdNYdWgOB0mWUypuLvAfQPH1+pyvRJs6euowbFkFC6P13w1l8mJyi3vxYMxc9kld5jZEGRQs6bw==}
+  '@csstools/css-tokenizer@3.0.4':
+    resolution: {integrity: sha512-Vd/9EVDiu6PPJt9yAh6roZP6El1xHrdvIVGjyBsHR0RYwNHgL7FJPyIIW4fANJNG6FtyZfvlRPpFI4ZM/lubvw==}
     engines: {node: '>=18'}
 
-  '@csstools/media-query-list-parser@4.0.2':
-    resolution: {integrity: sha512-EUos465uvVvMJehckATTlNqGj4UJWkTmdWuDMjqvSUkjGpmOyFZBVwb4knxCm/k2GMTXY+c/5RkdndzFYWeX5A==}
+  '@csstools/media-query-list-parser@4.0.3':
+    resolution: {integrity: sha512-HAYH7d3TLRHDOUQK4mZKf9k9Ph/m8Akstg66ywKR4SFAigjs3yBiUeZtFxywiTm5moZMAp/5W/ZuFnNXXYLuuQ==}
     engines: {node: '>=18'}
     peerDependencies:
-      '@csstools/css-parser-algorithms': ^3.0.4
-      '@csstools/css-tokenizer': ^3.0.3
+      '@csstools/css-parser-algorithms': ^3.0.5
+      '@csstools/css-tokenizer': ^3.0.4
 
   '@csstools/selector-specificity@5.0.0':
     resolution: {integrity: sha512-PCqQV3c4CoVm3kdPhyeZ07VmBRdH2EpMFA/pd9OASpOEC3aXNGoqPDAZ80D0cLpMBxnmk0+yNhGsEx31hq7Gtw==}
@@ -1142,8 +1152,8 @@ packages:
     resolution: {integrity: sha512-nXjGqJdLoHHa25RsDXxUsEX5AiMniFOgy7Lggod4sDIxheixHavgJIOL7+aZwUFOhUvJl+P+ESAbSaD4RZ8zdw==}
     engines: {node: '>= 12'}
 
-  '@dual-bundle/import-meta-resolve@4.1.0':
-    resolution: {integrity: sha512-+nxncfwHM5SgAtrVzgpzJOI1ol0PkumhVo469KCf9lUi21IGcY90G98VuHm9VRrUypmAzawAHO9bs6hqeADaVg==}
+  '@dual-bundle/import-meta-resolve@4.2.1':
+    resolution: {integrity: sha512-id+7YRUgoUX6CgV0DtuhirQWodeeA7Lf4i2x71JS/vtA5pRb/hIGWlw+G6MeXvsM+MXrz0VAydTGElX1rAfgPg==}
 
   '@ember-data/adapter@5.3.13':
     resolution: {integrity: sha512-tXx8XftDEAH/biUPZuWm73x6wPyXDlCf+k3IlgLVoGtY4MtqmX3e44JadhzrflqVcs38Ic2oosWZORP7UJ5wPg==}
@@ -1312,15 +1322,15 @@ packages:
     resolution: {integrity: sha512-bb9h95ktG2wKY9+ja1sdsFBdOms2lB19VWs8wmNpzgHv1NCetonBoV5jHBV4DHt0uS1tg9z66cZqhUVlYs96KQ==}
     engines: {node: 10.* || 12.* || >= 14.*}
 
-  '@ember/test-waiters@4.1.0':
-    resolution: {integrity: sha512-qRFA0OumYv7/C3hmx4ETC2dlPzyD549D+naPhcrnV2xCnc3AZlKouWyoFnNF+Cje918kRp9aEefVgV3vmGL5Bg==}
+  '@ember/test-waiters@4.1.1':
+    resolution: {integrity: sha512-HbK70JYCDJcGI0CrwcbjeL2QHAn0HLwa3oGep7mr6l/yO95U7JYA8VN+/9VTsWJTmKueLtWayUqEmGS3a3mVOg==}
 
-  '@embroider/addon-shim@1.10.0':
-    resolution: {integrity: sha512-gcJuHiXgnrzaU8NyU+2bMbtS6PNOr5v5B8OXBqaBvTCsMpXLvKo8OBOQFCoUN0rPX2J6VaFqrbi/371sMvzZug==}
+  '@embroider/addon-shim@1.10.2':
+    resolution: {integrity: sha512-EfI9cJ5/3QSUJtwm7x1MXrx3TEa2p7RNgSHefy7fvGm8/DP1xUFL25nST1NaHbHcqR1UhMlrTtv5iUIDoVzeQQ==}
     engines: {node: 12.* || 14.* || >= 16}
 
-  '@embroider/macros@1.15.0':
-    resolution: {integrity: sha512-gXh46ZafqYb6AJVoCCaQwYRsqFIwAat/PVCaJgEDKnOgOP/BTyIXwAld0gLZlIgSKkqOccBih83bXMShflKkLg==}
+  '@embroider/macros@1.20.3':
+    resolution: {integrity: sha512-8sClktPsQ20KgnWl8id6NL5G/hv3+Q5OlnQ4y4XQjYS/RsPy8/C9tU75/2ujgToi1YfX64UykjCau6PXqKDfUQ==}
     engines: {node: 12.* || 14.* || >= 16}
     peerDependencies:
       '@glint/template': ^1.0.0
@@ -1328,20 +1338,20 @@ packages:
       '@glint/template':
         optional: true
 
-  '@embroider/shared-internals@2.5.2':
-    resolution: {integrity: sha512-jNDJ9YlV6Qp9Na9v17qirUewVuq6T0t32nn+bbnFlCRTvmllKluZdYPSC5RuRnEZKTloVYRSF0+f1rgkTIEvxQ==}
+  '@embroider/reverse-exports@0.2.0':
+    resolution: {integrity: sha512-WFsw8nQpHZiWGEDYpa/A79KEFfTisqteXbY+jg9eZiww1r1G+LZvsmdszDp86TkotUSCqrMbK/ewn0jR1CJmqg==}
     engines: {node: 12.* || 14.* || >= 16}
 
-  '@embroider/shared-internals@2.9.0':
-    resolution: {integrity: sha512-8untWEvGy6av/oYibqZWMz/yB+LHsKxEOoUZiLvcpFwWj2Sipc0DcXeTJQZQZ++otNkLCWyDrDhOLrOkgjOPSg==}
+  '@embroider/shared-internals@2.9.2':
+    resolution: {integrity: sha512-d96ub/WkS1Gx6dRDxZ0mCRPwFAHIMlMr2iti6uTYxTFzC85Wgt6j7bYr6ppkEuwEwKQVyzKRT0kTsJz6P74caQ==}
     engines: {node: 12.* || 14.* || >= 16}
 
-  '@embroider/shared-internals@3.0.0':
-    resolution: {integrity: sha512-5J5ipUMCAinQS38WW7wedruq5Z4VnHvNo+ZgOduw0PtI9w0CQWx7/HE+98PBDW8jclikeF+aHwF317vc1hwuzg==}
+  '@embroider/shared-internals@3.1.0':
+    resolution: {integrity: sha512-DAEB8B0rAHMYnwCPIeYIrZ6uKGEesQx5XqLuO0beqDnZLwsIRcvWSSbpUgOu6nwqXm5EiJiJaTbrHedOSrlR5g==}
     engines: {node: 12.* || 14.* || >= 16}
 
-  '@embroider/util@1.13.4':
-    resolution: {integrity: sha512-TqA0SNQarSJUdYGv+39MBCHkiuxhr2u0iKJP/JnDmQkCiVhvuFWy3P3n5sI26fVrVwG3DJLfxE2XVnB37udFOA==}
+  '@embroider/util@1.13.5':
+    resolution: {integrity: sha512-rHhGUzAQ5iOr5Swvk7yaarVe5SJtcjK2t/C8ts9agWfhTq4DVfy8+axF0KOf1jALRiJao3l9ALRGd6letKw2ZQ==}
     engines: {node: 12.* || 14.* || >= 16}
     peerDependencies:
       '@glint/environment-ember-loose': ^1.0.0
@@ -1353,14 +1363,14 @@ packages:
       '@glint/template':
         optional: true
 
-  '@eslint-community/eslint-utils@4.7.0':
-    resolution: {integrity: sha512-dyybb3AcajC7uha6CvhdVRJqaKyn7w2YKqKyAN37NKYgZT36w+iRb0Dymmc5qEJ549c/S31cMMSFd75bteCpCw==}
+  '@eslint-community/eslint-utils@4.9.1':
+    resolution: {integrity: sha512-phrYmNiYppR7znFEdqgfWHXR6NCkZEK7hwWDHZUjit/2/U0r6XvkDl0SYnoM51Hq7FhCGdLDT6zxCCOY1hexsQ==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
       eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
 
-  '@eslint-community/regexpp@4.12.1':
-    resolution: {integrity: sha512-CCZCDJuduB9OUkFkY2IgppNZMi2lBQgD2qzwXkEia16cge2pijY/aXi96CJMquDMn3nJdlPV1A5KrJEXwfLNzQ==}
+  '@eslint-community/regexpp@4.12.2':
+    resolution: {integrity: sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew==}
     engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0}
 
   '@eslint/eslintrc@2.1.4':
@@ -1371,14 +1381,41 @@ packages:
     resolution: {integrity: sha512-d9zaMRSTIKDLhctzH12MtXvJKSSUhaHcjV+2Z+GK+EEY7XKpP5yR4x+N3TAcHTcu963nIr+TMcCb4DBCYX1z6Q==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
 
-  '@floating-ui/core@1.7.0':
-    resolution: {integrity: sha512-FRdBLykrPPA6P76GGGqlex/e7fbe0F1ykgxHYNXQsH/iTEtjMj/f9bpY5oQqbjt5VgZvgz/uKXbGuROijh3VLA==}
+  '@faker-js/faker@8.4.1':
+    resolution: {integrity: sha512-XQ3cU+Q8Uqmrbf2e0cIC/QN43sTBSC8KF12u29Mb47tWrt2hAgBXSgpZMj4Ao8Uk0iJcU99QsOCaIL8934obCg==}
+    engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0, npm: '>=6.14.13'}
 
-  '@floating-ui/dom@1.7.0':
-    resolution: {integrity: sha512-lGTor4VlXcesUMh1cupTUTDoCxMb0V6bm3CnxHzQcw8Eaf1jQbgQX4i02fYgT0vJ82tb5MZ4CZk1LRGkktJCzg==}
+  '@floating-ui/core@1.7.5':
+    resolution: {integrity: sha512-1Ih4WTWyw0+lKyFMcBHGbb5U5FtuHJuujoyyr5zTaWS5EYMeT6Jb2AuDeftsCsEuchO+mM2ij5+q9crhydzLhQ==}
 
-  '@floating-ui/utils@0.2.9':
-    resolution: {integrity: sha512-MDWhGtE+eHw5JW7lq4qhc5yRLS11ERl1c7Z6Xd0a58DozHES6EnNNwUWbMiG4J9Cgj053Bhk8zvlhFYKVhULwg==}
+  '@floating-ui/dom@1.7.6':
+    resolution: {integrity: sha512-9gZSAI5XM36880PPMm//9dfiEngYoC6Am2izES1FF406YFsjvyBMmeJ2g4SAju3xWwtuynNRFL2s9hgxpLI5SQ==}
+
+  '@floating-ui/utils@0.2.11':
+    resolution: {integrity: sha512-RiB/yIh78pcIxl6lLMG0CgBXAZ2Y0eVHqMPYugu+9U0AeT6YBeiJpf7lbdJNIugFP5SIjwNRgo4DhR1Qxi26Gg==}
+
+  '@formatjs/ecma402-abstract@2.3.6':
+    resolution: {integrity: sha512-HJnTFeRM2kVFVr5gr5kH1XP6K0JcJtE7Lzvtr3FS/so5f1kpsqqqxy5JF+FRaO6H2qmcMfAUIox7AJteieRtVw==}
+
+  '@formatjs/fast-memoize@2.2.7':
+    resolution: {integrity: sha512-Yabmi9nSvyOMrlSeGGWDiH7rf3a7sIwplbvo/dlz9WCIjzIQAfy1RMf4S0X3yG724n5Ghu2GmEl5NJIV6O9sZQ==}
+
+  '@formatjs/icu-messageformat-parser@2.11.4':
+    resolution: {integrity: sha512-7kR78cRrPNB4fjGFZg3Rmj5aah8rQj9KPzuLsmcSn4ipLXQvC04keycTI1F7kJYDwIXtT2+7IDEto842CfZBtw==}
+
+  '@formatjs/icu-skeleton-parser@1.8.16':
+    resolution: {integrity: sha512-H13E9Xl+PxBd8D5/6TVUluSpxGNvFSlN/b3coUp0e0JpuWXXnQDiavIpY3NnvSp4xhEMoXyyBvVfdFX8jglOHQ==}
+
+  '@formatjs/intl-localematcher@0.6.2':
+    resolution: {integrity: sha512-XOMO2Hupl0wdd172Y06h6kLpBz6Dv+J4okPLl4LPtzbr8f66WbIoy4ev98EBuZ6ZK4h5ydTN6XneT4QVpD7cdA==}
+
+  '@formatjs/intl@3.1.8':
+    resolution: {integrity: sha512-LWXgwI5zTMatvR8w8kCNh/priDTOF/ZssokMBHJ7ZWXFoYLVOYo0EJERD9Eajv+xsfQO1QkuAt77KWQ1OI4mOQ==}
+    peerDependencies:
+      typescript: ^5.6.0
+    peerDependenciesMeta:
+      typescript:
+        optional: true
 
   '@glimmer/compiler@0.87.1':
     resolution: {integrity: sha512-7qXrOv55cH/YW+Vs4dFkNJsNXAW/jP+7kZLhKcH8wCduPfBCQxb9HNh1lBESuFej2rCks6h9I1qXeZHkc/oWxQ==}
@@ -1448,8 +1485,8 @@ packages:
   '@glimmer/syntax@0.87.1':
     resolution: {integrity: sha512-zYzZT6LgpSF0iv5iuxmMV5Pf52aE8dukNC2KfrHC6gXJfM4eLZMZcyk76NW5m+SEetZSOXX6AWv/KwLnoxiMfQ==}
 
-  '@glimmer/syntax@0.94.9':
-    resolution: {integrity: sha512-OBw8DqMzKO4LX4kJBhwfTUqtpbd7O9amQXNTfb1aS7pufio5Vu5Qi6mRTfdFj6RyJ//aSI/l0kxWt6beYW0Apg==}
+  '@glimmer/syntax@0.95.0':
+    resolution: {integrity: sha512-W/PHdODnpONsXjbbdY9nedgIHpglMfOzncf/moLVrKIcCfeQhw2vG07Rs/YW8KeJCgJRCLkQsi+Ix7XvrurGAg==}
 
   '@glimmer/tracking@1.1.2':
     resolution: {integrity: sha512-cyV32zsHh+CnftuRX84ALZpd2rpbDrhLhJnTXn9W//QpqdRZ5rdMsxSY9fOsj0CKEc706tmEU299oNnDc0d7tA==}
@@ -1488,17 +1525,21 @@ packages:
   '@glimmer/wire-format@0.94.8':
     resolution: {integrity: sha512-A+Cp5m6vZMAEu0Kg/YwU2dJZXyYxVJs2zI57d3CP6NctmX7FsT8WjViiRUmt5abVmMmRH5b8BUovqY6GSMAdrw==}
 
-  '@glint/template@1.7.3':
-    resolution: {integrity: sha512-ouB9HjLJ5kDnAhORLx43vTmGukm6uHg5hg+jAoiSlyifQdVINmXIkkGPGCD1HQ0WeIDZ/CmxH7aIZlIyI90AAw==}
+  '@glint/template@1.7.7':
+    resolution: {integrity: sha512-jcPdQ3A6cXo5h9RBi0tK4/o5qNn7868Y8xpkwWQNPAd8xQKuRKmG9dGJwUycXvtqISzfrnL1p3MQr3hYN/Ua6Q==}
 
   '@handlebars/parser@2.0.0':
     resolution: {integrity: sha512-EP9uEDZv/L5Qh9IWuMUGJRfwhXJ4h1dqKTT4/3+tY0eu7sPis7xh23j61SYUnNF4vqCQvvUXpDo9Bh/+q1zASA==}
 
-  '@hashicorp-internal/vault-reporting@file:vault-reporting/0.8.0.tgz':
-    resolution: {integrity: sha512-3WDH1gPWjCNNQQlZvO1wDCq8gT7ce7Aawpn0zP/8OttzyZDe5uRrKsKw6RtYJbgxpNcz+rMAYR2HN5eXLQeq0g==, tarball: file:vault-reporting/0.8.0.tgz}
-    version: 0.8.0
+  '@handlebars/parser@2.2.2':
+    resolution: {integrity: sha512-n/SZW+12rwikx/f8YcSv9JCi5p9vn1Bnts9ZtVvfErG4h0gbjHI1H1ZMhVUnaOC7yzFc6PtsCKIK8XeTnL90Gw==}
+    engines: {node: ^18 || ^20 || ^22 || >=24}
+
+  '@hashicorp-internal/vault-reporting@file:vault-reporting/0.21.0.tgz':
+    resolution: {integrity: sha512-PxIc7KyBEeRguh/wysC+OClVIKI34omonikdtDwt5gj8JJY/0UOwGMNB88ri7th3LfAkoWXGyycHtZa0hGxBZA==, tarball: file:vault-reporting/0.21.0.tgz}
+    version: 0.21.0
     peerDependencies:
-      '@hashicorp/design-system-components': ^4.22.1
+      '@hashicorp/design-system-components': 4.23.0 - 6
 
   '@hashicorp/design-system-components@4.24.1':
     resolution: {integrity: sha512-rcRbBKc9MWngtVTRKr1i0ixbQypj4tEF8ZnsFrUVZLm7CMS8R5/+cfSu3pgbPriOOqZDCx7qAhNqAeTim4AYag==}
@@ -1519,8 +1560,8 @@ packages:
   '@hashicorp/flight-icons@3.14.0':
     resolution: {integrity: sha512-nyLDApaZsAHpAf2sRNwYX1MnJQU9UI3euiwE6wHPl2l/+Yt8wba1oXkmWL/Ptc4QgJxxnRUUhf66jGcB/AIOyQ==}
 
-  '@hashicorp/vault-client-typescript@https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/e29e1596079a941e42dd87cf533d95575f88a67c':
-    resolution: {tarball: https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/e29e1596079a941e42dd87cf533d95575f88a67c}
+  '@hashicorp/vault-client-typescript@https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/9191faf2deb4fa4fd9d0d4b396434fec5b799abc':
+    resolution: {tarball: https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/9191faf2deb4fa4fd9d0d4b396434fec5b799abc}
     version: 0.0.0
 
   '@humanwhocodes/config-array@0.13.0':
@@ -1536,78 +1577,87 @@ packages:
     resolution: {integrity: sha512-93zYdMES/c1D69yZiKDBj0V24vqNzB/koF26KPaagAfd3P/4gUlh3Dys5ogAK+Exi9QyzlD8x/08Zt7wIKcDcA==}
     deprecated: Use @eslint/object-schema instead
 
-  '@ibm/telemetry-js@1.10.2':
-    resolution: {integrity: sha512-F8+/NNUwtm8BuFz18O9KPvIFTFDo8GUSoyhPxPjEpk7nEyEzWGfhIiEPhL00B2NdHRLDSljh3AiCfSnL/tutiQ==}
+  '@ibm/telemetry-js@1.11.0':
+    resolution: {integrity: sha512-RO/9j+URJnSfseWg9ZkEX9p+a3Ousd33DBU7rOafoZB08RqdzxFVYJ2/iM50dkBuD0o7WX7GYt1sLbNgCoE+pA==}
     hasBin: true
 
   '@icholy/duration@5.1.0':
     resolution: {integrity: sha512-I/zdjC6qYdwWJ2H1/PZbI3g58pPIiI/eOe5XDTtQ/v36d0ogcvAylqwOIWj/teY1rBnIMzUyWfX7PMm9I67WWg==}
 
-  '@inquirer/figures@1.0.11':
-    resolution: {integrity: sha512-eOg92lvrn/aRUqbxRyvpEWnrvRuTYRifixHkYVpJiygTgVSBIHDqLh0SrMQXkafvULg3ck11V7xvR+zcgvpHFw==}
+  '@inquirer/external-editor@1.0.3':
+    resolution: {integrity: sha512-RWbSrDiYmO4LbejWY7ttpxczuwQyZLBUyygsA9Nsv95hpzUWwnNTVQmAq3xuh7vNwCp07UTmE5i11XAEExx4RA==}
+    engines: {node: '>=18'}
+    peerDependencies:
+      '@types/node': '>=18'
+    peerDependenciesMeta:
+      '@types/node':
+        optional: true
+
+  '@inquirer/figures@1.0.15':
+    resolution: {integrity: sha512-t2IEY+unGHOzAaVM5Xx6DEWKeXlDDcNPeDyUpsRc6CUhBfU3VQOEl+Vssh7VNp1dR8MdUJBWhuObjXCsVpjN5g==}
     engines: {node: '>=18'}
 
   '@isaacs/cliui@8.0.2':
     resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==}
     engines: {node: '>=12'}
 
-  '@jridgewell/gen-mapping@0.3.8':
-    resolution: {integrity: sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==}
-    engines: {node: '>=6.0.0'}
+  '@jridgewell/gen-mapping@0.3.13':
+    resolution: {integrity: sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==}
+
+  '@jridgewell/remapping@2.3.5':
+    resolution: {integrity: sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==}
 
   '@jridgewell/resolve-uri@3.1.2':
     resolution: {integrity: sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==}
     engines: {node: '>=6.0.0'}
 
-  '@jridgewell/set-array@1.2.1':
-    resolution: {integrity: sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==}
-    engines: {node: '>=6.0.0'}
+  '@jridgewell/source-map@0.3.11':
+    resolution: {integrity: sha512-ZMp1V8ZFcPG5dIWnQLr3NSI1MiCU7UETdS/A0G8V/XWHvJv3ZsFqutJn1Y5RPmAPX6F3BiE397OqveU/9NCuIA==}
 
-  '@jridgewell/source-map@0.3.6':
-    resolution: {integrity: sha512-1ZJTZebgqllO79ue2bm3rIGud/bOe0pP5BjSRCRxxYkEZS8STV7zN84UBbiYu7jy+eCKSnVIUgoWWE/tt+shMQ==}
+  '@jridgewell/sourcemap-codec@1.5.5':
+    resolution: {integrity: sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==}
 
-  '@jridgewell/sourcemap-codec@1.5.0':
-    resolution: {integrity: sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==}
+  '@jridgewell/trace-mapping@0.3.31':
+    resolution: {integrity: sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==}
 
-  '@jridgewell/trace-mapping@0.3.25':
-    resolution: {integrity: sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==}
+  '@keyv/bigmap@1.3.1':
+    resolution: {integrity: sha512-WbzE9sdmQtKy8vrNPa9BRnwZh5UF4s1KTmSK0KUVLo3eff5BlQNNWDnFOouNpKfPKDnms9xynJjsMYjMaT/aFQ==}
+    engines: {node: '>= 18'}
+    peerDependencies:
+      keyv: ^5.6.0
 
-  '@jsdoc/salty@0.2.9':
-    resolution: {integrity: sha512-yYxMVH7Dqw6nO0d5NIV8OQWnitU8k6vXH8NtgqAfIa/IUqRMxRv/NUJJ08VEKbAakwxlgBl5PJdrU0dMPStsnw==}
-    engines: {node: '>=v12.0.0'}
+  '@keyv/serialize@1.1.1':
+    resolution: {integrity: sha512-dXn3FZhPv0US+7dtJsIi2R+c7qWYiReoEh5zUntWCf4oSpMNib8FDhSoed6m3QyZdx5hK7iLFkYk3rNxwt8vTA==}
 
-  '@keyv/serialize@1.0.3':
-    resolution: {integrity: sha512-qnEovoOp5Np2JDGonIDL6Ayihw0RhnRh6vxPuHo4RDn1UOzwEo4AeIfpL6UGIrsceWrCMiVPgwRjbHu4vYFc3g==}
+  '@lezer/common@1.5.2':
+    resolution: {integrity: sha512-sxQE460fPZyU3sdc8lafxiPwJHBzZRy/udNFynGQky1SePYBdhkBl1kOagA9uT3pxR8K09bOrmTUqA9wb/PjSQ==}
 
-  '@lezer/common@1.2.3':
-    resolution: {integrity: sha512-w7ojc8ejBqr2REPsWxJjrMFsA/ysDCFICn8zEOR9mrqzOu2amhITYuLD8ag6XZf0CFXDrhKqw7+tW8cX66NaDA==}
-
-  '@lezer/css@1.2.1':
-    resolution: {integrity: sha512-2F5tOqzKEKbCUNraIXc0f6HKeyKlmMWJnBB0i4XW6dJgssrZO/YlZ2pY5xgyqDleqqhiNJ3dQhbrV2aClZQMvg==}
+  '@lezer/css@1.3.3':
+    resolution: {integrity: sha512-RzBo8r+/6QJeow7aPHIpGVIH59xTcJXp399820gZoMo9noQDRVpJLheIBUicYwKcsbOYoBRoLZlf2720dG/4Tg==}
 
   '@lezer/go@1.0.1':
     resolution: {integrity: sha512-xToRsYxwsgJNHTgNdStpcvmbVuKxTapV0dM0wey1geMMRc9aggoVyKgzYp41D2/vVOx+Ii4hmE206kvxIXBVXQ==}
 
-  '@lezer/highlight@1.2.1':
-    resolution: {integrity: sha512-Z5duk4RN/3zuVO7Jq0pGLJ3qynpxUVsh7IbUbGj88+uV2ApSAn6kWg2au3iJb+0Zi7kKtqffIESgNcRXWZWmSA==}
+  '@lezer/highlight@1.2.3':
+    resolution: {integrity: sha512-qXdH7UqTvGfdVBINrgKhDsVTJTxactNNxLk7+UMwZhU13lMHaOBlJe9Vqp907ya56Y3+ed2tlqzys7jDkTmW0g==}
 
-  '@lezer/html@1.3.10':
-    resolution: {integrity: sha512-dqpT8nISx/p9Do3AchvYGV3qYc4/rKr3IBZxlHmpIKam56P47RSHkSF5f13Vu9hebS1jM0HmtJIwLbWz1VIY6w==}
+  '@lezer/html@1.3.13':
+    resolution: {integrity: sha512-oI7n6NJml729m7pjm9lvLvmXbdoMoi2f+1pwSDJkl9d68zGr7a9Btz8NdHTGQZtW2DA25ybeuv/SyDb9D5tseg==}
 
-  '@lezer/javascript@1.5.1':
-    resolution: {integrity: sha512-ATOImjeVJuvgm3JQ/bpo2Tmv55HSScE2MTPnKRMRIPx2cLhHGyX2VnqpHhtIV1tVzIjZDbcWQm+NCTF40ggZVw==}
+  '@lezer/javascript@1.5.4':
+    resolution: {integrity: sha512-vvYx3MhWqeZtGPwDStM2dwgljd5smolYD2lR2UyFcHfxbBQebqx8yjmFmxtJ/E6nN6u1D9srOiVWm3Rb4tmcUA==}
 
   '@lezer/json@1.0.3':
     resolution: {integrity: sha512-BP9KzdF9Y35PDpv04r0VeSTKDeox5vVr3efE7eBbx3r4s3oNLfunchejZhjArmeieBH+nVOpgIiBJpEAv8ilqQ==}
 
-  '@lezer/lr@1.4.2':
-    resolution: {integrity: sha512-pu0K1jCIdnQ12aWNaAVU5bzi7Bd1w54J3ECgANPmYLtQKP0HBj2cE/5coBD66MT10xbtIuUr7tg0Shbsvk0mDA==}
+  '@lezer/lr@1.4.10':
+    resolution: {integrity: sha512-rnCpTIBafOx4mRp43xOxDJbFipJm/c0cia/V5TiGlhmMa+wsSdoGmUN3w5Bqrks/09Q/D4tNAmWaT8p6NRi77A==}
 
-  '@lezer/markdown@1.4.3':
-    resolution: {integrity: sha512-kfw+2uMrQ/wy/+ONfrH83OkdFNM0ye5Xq96cLlaCy7h5UT9FO54DU4oRoIc0CSBh5NWmWuiIJA7NGLMJbQ+Oxg==}
+  '@lezer/markdown@1.6.3':
+    resolution: {integrity: sha512-jpGm5Ps+XErS+xA4urw7ogEGkeZOahVQF21Z6oECF0sj+2liwZopd2+I8uH5I/vZsRuuze3OxBREIANLf6KKUw==}
 
-  '@lezer/yaml@1.0.3':
-    resolution: {integrity: sha512-GuBLekbw9jDBDhGur82nuwkxKQ+a3W5H0GfaAthDXcAu+XdpS43VlnxA9E9hllkpSP5ellRDKjLLj7Lu9Wr6xA==}
+  '@lezer/yaml@1.0.4':
+    resolution: {integrity: sha512-2lrrHqxalACEbxIbsjhqGpSW8kWpUKuY6RHgnSAFZa6qK62wvnPxA8hGOwOoDbwHcOFs5M4o27mjGu+P7TvBmw==}
 
   '@lineal-viz/lineal@0.5.1':
     resolution: {integrity: sha512-t6FwvAmMkii/hxsXDxZybTO0dbJ9wKBNl6E9YP6VwSFAY9xQeK5lJcXlC6r6vaLSuv9/+NDJ0Y5SCZu4XpNb4w==}
@@ -1658,101 +1708,101 @@ packages:
     resolution: {integrity: sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==}
     engines: {node: '>= 8'}
 
-  '@nullvoxpopuli/ember-composable-helpers@5.3.0':
-    resolution: {integrity: sha512-pjuYVAxJJETaFFmDME9sPH++kSNcTJjxHqHUSJOwoYvxSRBHIysJbCFD/CHQjJtbI5D4pVouYU80ugmyGrZoFA==}
+  '@nullvoxpopuli/ember-composable-helpers@5.3.2':
+    resolution: {integrity: sha512-ABqoeTFyh57tiTQ6X4/9agduYeY82lAGQ+Vva7RK3w9fPXeMRxtxk6AFoOF2PWzTsYrZrGZ7ZmZtVvfhCALNYg==}
 
-  '@parcel/watcher-android-arm64@2.5.1':
-    resolution: {integrity: sha512-KF8+j9nNbUN8vzOFDpRMsaKBHZ/mcjEjMToVMJOhTozkDonQFFrRcfdLWn6yWKCmJKmdVxSgHiYvTCef4/qcBA==}
+  '@parcel/watcher-android-arm64@2.5.6':
+    resolution: {integrity: sha512-YQxSS34tPF/6ZG7r/Ih9xy+kP/WwediEUsqmtf0cuCV5TPPKw/PQHRhueUo6JdeFJaqV3pyjm0GdYjZotbRt/A==}
     engines: {node: '>= 10.0.0'}
     cpu: [arm64]
     os: [android]
 
-  '@parcel/watcher-darwin-arm64@2.5.1':
-    resolution: {integrity: sha512-eAzPv5osDmZyBhou8PoF4i6RQXAfeKL9tjb3QzYuccXFMQU0ruIc/POh30ePnaOyD1UXdlKguHBmsTs53tVoPw==}
+  '@parcel/watcher-darwin-arm64@2.5.6':
+    resolution: {integrity: sha512-Z2ZdrnwyXvvvdtRHLmM4knydIdU9adO3D4n/0cVipF3rRiwP+3/sfzpAwA/qKFL6i1ModaabkU7IbpeMBgiVEA==}
     engines: {node: '>= 10.0.0'}
     cpu: [arm64]
     os: [darwin]
 
-  '@parcel/watcher-darwin-x64@2.5.1':
-    resolution: {integrity: sha512-1ZXDthrnNmwv10A0/3AJNZ9JGlzrF82i3gNQcWOzd7nJ8aj+ILyW1MTxVk35Db0u91oD5Nlk9MBiujMlwmeXZg==}
+  '@parcel/watcher-darwin-x64@2.5.6':
+    resolution: {integrity: sha512-HgvOf3W9dhithcwOWX9uDZyn1lW9R+7tPZ4sug+NGrGIo4Rk1hAXLEbcH1TQSqxts0NYXXlOWqVpvS1SFS4fRg==}
     engines: {node: '>= 10.0.0'}
     cpu: [x64]
     os: [darwin]
 
-  '@parcel/watcher-freebsd-x64@2.5.1':
-    resolution: {integrity: sha512-SI4eljM7Flp9yPuKi8W0ird8TI/JK6CSxju3NojVI6BjHsTyK7zxA9urjVjEKJ5MBYC+bLmMcbAWlZ+rFkLpJQ==}
+  '@parcel/watcher-freebsd-x64@2.5.6':
+    resolution: {integrity: sha512-vJVi8yd/qzJxEKHkeemh7w3YAn6RJCtYlE4HPMoVnCpIXEzSrxErBW5SJBgKLbXU3WdIpkjBTeUNtyBVn8TRng==}
     engines: {node: '>= 10.0.0'}
     cpu: [x64]
     os: [freebsd]
 
-  '@parcel/watcher-linux-arm-glibc@2.5.1':
-    resolution: {integrity: sha512-RCdZlEyTs8geyBkkcnPWvtXLY44BCeZKmGYRtSgtwwnHR4dxfHRG3gR99XdMEdQ7KeiDdasJwwvNSF5jKtDwdA==}
+  '@parcel/watcher-linux-arm-glibc@2.5.6':
+    resolution: {integrity: sha512-9JiYfB6h6BgV50CCfasfLf/uvOcJskMSwcdH1PHH9rvS1IrNy8zad6IUVPVUfmXr+u+Km9IxcfMLzgdOudz9EQ==}
     engines: {node: '>= 10.0.0'}
     cpu: [arm]
     os: [linux]
 
-  '@parcel/watcher-linux-arm-musl@2.5.1':
-    resolution: {integrity: sha512-6E+m/Mm1t1yhB8X412stiKFG3XykmgdIOqhjWj+VL8oHkKABfu/gjFj8DvLrYVHSBNC+/u5PeNrujiSQ1zwd1Q==}
+  '@parcel/watcher-linux-arm-musl@2.5.6':
+    resolution: {integrity: sha512-Ve3gUCG57nuUUSyjBq/MAM0CzArtuIOxsBdQ+ftz6ho8n7s1i9E1Nmk/xmP323r2YL0SONs1EuwqBp2u1k5fxg==}
     engines: {node: '>= 10.0.0'}
     cpu: [arm]
     os: [linux]
 
-  '@parcel/watcher-linux-arm64-glibc@2.5.1':
-    resolution: {integrity: sha512-LrGp+f02yU3BN9A+DGuY3v3bmnFUggAITBGriZHUREfNEzZh/GO06FF5u2kx8x+GBEUYfyTGamol4j3m9ANe8w==}
+  '@parcel/watcher-linux-arm64-glibc@2.5.6':
+    resolution: {integrity: sha512-f2g/DT3NhGPdBmMWYoxixqYr3v/UXcmLOYy16Bx0TM20Tchduwr4EaCbmxh1321TABqPGDpS8D/ggOTaljijOA==}
     engines: {node: '>= 10.0.0'}
     cpu: [arm64]
     os: [linux]
 
-  '@parcel/watcher-linux-arm64-musl@2.5.1':
-    resolution: {integrity: sha512-cFOjABi92pMYRXS7AcQv9/M1YuKRw8SZniCDw0ssQb/noPkRzA+HBDkwmyOJYp5wXcsTrhxO0zq1U11cK9jsFg==}
+  '@parcel/watcher-linux-arm64-musl@2.5.6':
+    resolution: {integrity: sha512-qb6naMDGlbCwdhLj6hgoVKJl2odL34z2sqkC7Z6kzir8b5W65WYDpLB6R06KabvZdgoHI/zxke4b3zR0wAbDTA==}
     engines: {node: '>= 10.0.0'}
     cpu: [arm64]
     os: [linux]
 
-  '@parcel/watcher-linux-x64-glibc@2.5.1':
-    resolution: {integrity: sha512-GcESn8NZySmfwlTsIur+49yDqSny2IhPeZfXunQi48DMugKeZ7uy1FX83pO0X22sHntJ4Ub+9k34XQCX+oHt2A==}
+  '@parcel/watcher-linux-x64-glibc@2.5.6':
+    resolution: {integrity: sha512-kbT5wvNQlx7NaGjzPFu8nVIW1rWqV780O7ZtkjuWaPUgpv2NMFpjYERVi0UYj1msZNyCzGlaCWEtzc+exjMGbQ==}
     engines: {node: '>= 10.0.0'}
     cpu: [x64]
     os: [linux]
 
-  '@parcel/watcher-linux-x64-musl@2.5.1':
-    resolution: {integrity: sha512-n0E2EQbatQ3bXhcH2D1XIAANAcTZkQICBPVaxMeaCVBtOpBZpWJuf7LwyWPSBDITb7In8mqQgJ7gH8CILCURXg==}
+  '@parcel/watcher-linux-x64-musl@2.5.6':
+    resolution: {integrity: sha512-1JRFeC+h7RdXwldHzTsmdtYR/Ku8SylLgTU/reMuqdVD7CtLwf0VR1FqeprZ0eHQkO0vqsbvFLXUmYm/uNKJBg==}
     engines: {node: '>= 10.0.0'}
     cpu: [x64]
     os: [linux]
 
-  '@parcel/watcher-win32-arm64@2.5.1':
-    resolution: {integrity: sha512-RFzklRvmc3PkjKjry3hLF9wD7ppR4AKcWNzH7kXR7GUe0Igb3Nz8fyPwtZCSquGrhU5HhUNDr/mKBqj7tqA2Vw==}
+  '@parcel/watcher-win32-arm64@2.5.6':
+    resolution: {integrity: sha512-3ukyebjc6eGlw9yRt678DxVF7rjXatWiHvTXqphZLvo7aC5NdEgFufVwjFfY51ijYEWpXbqF5jtrK275z52D4Q==}
     engines: {node: '>= 10.0.0'}
     cpu: [arm64]
     os: [win32]
 
-  '@parcel/watcher-win32-ia32@2.5.1':
-    resolution: {integrity: sha512-c2KkcVN+NJmuA7CGlaGD1qJh1cLfDnQsHjE89E60vUEMlqduHGCdCLJCID5geFVM0dOtA3ZiIO8BoEQmzQVfpQ==}
+  '@parcel/watcher-win32-ia32@2.5.6':
+    resolution: {integrity: sha512-k35yLp1ZMwwee3Ez/pxBi5cf4AoBKYXj00CZ80jUz5h8prpiaQsiRPKQMxoLstNuqe2vR4RNPEAEcjEFzhEz/g==}
     engines: {node: '>= 10.0.0'}
     cpu: [ia32]
     os: [win32]
 
-  '@parcel/watcher-win32-x64@2.5.1':
-    resolution: {integrity: sha512-9lHBdJITeNR++EvSQVUcaZoWupyHfXe1jZvGZ06O/5MflPcuPLtEphScIBL+AiCWBO46tDSHzWyD0uDmmZqsgA==}
+  '@parcel/watcher-win32-x64@2.5.6':
+    resolution: {integrity: sha512-hbQlYcCq5dlAX9Qx+kFb0FHue6vbjlf0FrNzSKdYK2APUf7tGfGxQCk2ihEREmbR6ZMc0MVAD5RIX/41gpUzTw==}
     engines: {node: '>= 10.0.0'}
     cpu: [x64]
     os: [win32]
 
-  '@parcel/watcher@2.5.1':
-    resolution: {integrity: sha512-dfUnCxiN9H4ap84DvD2ubjw+3vUNpstxa0TneY/Paat8a3R4uQZDLSvWjmznAY/DoahqTHl9V46HF/Zs3F29pg==}
+  '@parcel/watcher@2.5.6':
+    resolution: {integrity: sha512-tmmZ3lQxAe/k/+rNnXQRawJ4NjxO2hqiOLTHvWchtGZULp4RyFeh6aU4XdOYBFe2KE1oShQTv4AblOs2iOrNnQ==}
     engines: {node: '>= 10.0.0'}
 
   '@pkgjs/parseargs@0.11.0':
     resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
     engines: {node: '>=14'}
 
-  '@pkgr/core@0.2.4':
-    resolution: {integrity: sha512-ROFF39F6ZrnzSUEmQQZUar0Jt4xVoP9WnDRdWwF4NNcXs3xBTLgBUDoOwW141y1jP+S8nahIbdxbFC7IShw9Iw==}
+  '@pkgr/core@0.2.9':
+    resolution: {integrity: sha512-QNqXyfVS2wm9hweSYD2O7F0G06uurj9kZ96TRQE5Y9hU7+tgdZwIkbAKc5Ocy1HxEY2kuDQa6cQ1WRs/O5LFKA==}
     engines: {node: ^12.20.0 || ^14.18.0 || >=16.0.0}
 
-  '@playwright/test@1.58.0':
-    resolution: {integrity: sha512-fWza+Lpbj6SkQKCrU6si4iu+fD2dD3gxNHFhUPxsfXBPhnv3rRSQVd0NtBUT9Z/RhF/boCBcuUaMUSTRTopjZg==}
+  '@playwright/test@1.60.0':
+    resolution: {integrity: sha512-O71yZIbAh/PxDMNGns37GHBIfrVkEVyn+AXyIa5dOTfb4/xNvRWV+Vv/NMbNCtODB/pO7vLlF2OTmMVLhmr7Ag==}
     engines: {node: '>=18'}
     hasBin: true
 
@@ -1782,7 +1832,7 @@ packages:
   '@rollup/plugin-replace@2.3.0':
     resolution: {integrity: sha512-rzWAMqXAHC1w3eKpK6LxRqiF4f3qVFaa1sGii6Bp3rluKcwHNOpPt+hWRCmAH6SDEPtbPiLFf0pfNQyHs6Btlg==}
     peerDependencies:
-      rollup: 2.79.2
+      rollup: 2.80.0
 
   '@scalvert/ember-setup-middleware-reporter@0.1.1':
     resolution: {integrity: sha512-C5DHU6YlKaISB5utGQ+jpsMB57ZtY0uZ8UkD29j855BjqG6eJ98lhA2h/BoJbyPw89RKLP1EEXroy9+5JPoyVw==}
@@ -1791,6 +1841,9 @@ packages:
   '@scarf/scarf@1.4.0':
     resolution: {integrity: sha512-xxeapPiUXdZAE3che6f3xogoJPeZgig6omHEy1rIY5WVsB3H2BHNnZH+gHG6x91SCWyQCzWGsuL2Hh3ClO5/qQ==}
 
+  '@sec-ant/readable-stream@0.4.1':
+    resolution: {integrity: sha512-831qok9r2t8AlxLko40y2ebgSDhenenCatLVeW/uBtnHPyhHOvG0C7TvfgecV+wHzIm5KUICgzmVpWS+IMEAeg==}
+
   '@simple-dom/document@1.4.0':
     resolution: {integrity: sha512-/RUeVH4kuD3rzo5/91+h4Z1meLSLP66eXqpVAw/4aZmYozkeqUkMprq0znL4psX/adEed5cBgiNJcfMz/eKZLg==}
 
@@ -1801,29 +1854,28 @@ packages:
     resolution: {integrity: sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==}
     engines: {node: '>=18'}
 
+  '@sindresorhus/merge-streams@4.0.0':
+    resolution: {integrity: sha512-tlqY9xq5ukxTUZBmoOp+m61cqwQD5pHJtFY3Mn8CA8ps6yghLH/Hw8UPdqg4OLmFW3IFlcXnQNmo/dh8HzXYIQ==}
+    engines: {node: '>=18'}
+
   '@sinonjs/commons@3.0.1':
     resolution: {integrity: sha512-K3mCHKQ9sVh8o1C9cxkwxaOmXoAMlDxC1mYyHrjqOWEcBjYr76t96zL2zlj5dUGZ3HSw240X1qgH3Mjf1yJWpQ==}
 
   '@sinonjs/fake-timers@13.0.5':
     resolution: {integrity: sha512-36/hTbH2uaWuGVERyC6da9YwGWnzUZXuPro/F2LfsdOsLnCojz/iSH8MxUt/FD2S5XBSVPhmArFUXcpCQ2Hkiw==}
 
-  '@sinonjs/samsam@8.0.2':
-    resolution: {integrity: sha512-v46t/fwnhejRSFTGqbpn9u+LQ9xJDse10gNnPgAcxgdoCDMXj/G2asWAC/8Qs+BAZDicX+MNZouXT1A7c83kVw==}
+  '@sinonjs/samsam@8.0.3':
+    resolution: {integrity: sha512-hw6HbX+GyVZzmaYNh82Ecj1vdGZrqVIn/keDTg63IgAwiQPO+xCz99uG6Woqgb4tM0mUiFENKZ4cqd7IX94AXQ==}
 
   '@socket.io/component-emitter@3.1.2':
     resolution: {integrity: sha512-9BCxFwvbGg/RsZK9tjXd8s4UcwR0MWeFQ1XEKIQVVvAGJyINdrqKMcTRyLoK8Rse1GjzLV9cwjWV1olXRWEXVA==}
 
-  '@textlint/ast-node-types@12.6.1':
-    resolution: {integrity: sha512-uzlJ+ZsCAyJm+lBi7j0UeBbj+Oy6w/VWoGJ3iHRHE5eZ8Z4iK66mq+PG/spupmbllLtz77OJbY89BYqgFyjXmA==}
-
-  '@textlint/markdown-to-ast@12.6.1':
-    resolution: {integrity: sha512-T0HO+VrU9VbLRiEx/kH4+gwGMHNMIGkp0Pok+p0I33saOOLyhfGvwOKQgvt2qkxzQEV2L5MtGB8EnW4r5d3CqQ==}
-
   '@tsconfig/ember@2.0.0':
     resolution: {integrity: sha512-RzbDYYcjxVdG8Ki0xe99HN3+nHTZe6EBgw6N7B3yup7QogVFQQxA9nY7X80j1XzF15xqetwWiYfAjv5lkkp0/A==}
+    deprecated: Please use @ember/app-tsconfig or @ember/library-tsconfig instead. These live at https://github.com/ember-cli/tsconfigs
 
-  '@types/body-parser@1.19.5':
-    resolution: {integrity: sha512-fB3Zu92ucau0iQ0JMCFQE7b/dv8Ot07NI3KaZIkIUNXq82k4eBAqUaneXfleGY9JWskeS9y+u0nXMyspcuQrCg==}
+  '@types/body-parser@1.19.6':
+    resolution: {integrity: sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==}
 
   '@types/chai-as-promised@7.1.8':
     resolution: {integrity: sha512-ThlRVIJhr69FLlh6IctTXFkmhtP3NpMZ2QGq69StYLyKZFp/HOp1VdKZj7RvfNWYYcJ1xlbLGLLWj1UvP5u/Gw==}
@@ -1831,17 +1883,14 @@ packages:
   '@types/chai@4.3.20':
     resolution: {integrity: sha512-/pC9HAB5I/xMlc5FP77qjCnI16ChlJfW0tGa0IUcFn38VJrTV6DeZ60NU5KZBtaOZqjdpwTWohz5HU1RrhiYxQ==}
 
-  '@types/chai@5.2.2':
-    resolution: {integrity: sha512-8kB30R7Hwqf40JPiKhVzodJs2Qc1ZJ5zuT3uzw5Hq/dhNCl3G3l83jfpdI1e20BP348+fV7VIL/+FxaXkqBmWg==}
-
   '@types/connect@3.4.38':
     resolution: {integrity: sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==}
 
-  '@types/cors@2.8.18':
-    resolution: {integrity: sha512-nX3d0sxJW41CqQvfOzVG1NCTXfFDrDWIghCZncpHeWlVFd81zxB/DLhg7avFg6eHLCRX7ckBmoIIcqa++upvJA==}
+  '@types/cors@2.8.19':
+    resolution: {integrity: sha512-mFNylyeyqN93lfe/9CSxOGREz8cpzAhH+E93xJ4xWQf62V8sQ/24reV2nyzUWM6H6Xji+GGHpkbLe7pVoUEskg==}
 
-  '@types/d3-array@3.2.1':
-    resolution: {integrity: sha512-Y2Jn2idRrLzUfAKV2LyRImR+y4oa2AntrgID95SHJxuMUrkNXmanDSed71sRNZysveJVt1hLLemQZIady0FpEg==}
+  '@types/d3-array@3.2.2':
+    resolution: {integrity: sha512-hOLWVbm7uRza0BYXpIIW5pxfrKe0W+D5lrFiAEYR+pb6w3N2SwSMaJbXdUfSEv+dT4MfHBLtn5js0LAWaO6otw==}
 
   '@types/d3-axis@3.0.6':
     resolution: {integrity: sha512-pYeijfZuBd87T0hGn0FO1vQ/cgLk6E1ALJjfkC0oJ8cbwkZl3TpgS8bVBLZN+2jjGgg38epgxb2zmoGtSfvgMw==}
@@ -1933,9 +1982,6 @@ packages:
   '@types/d3@7.4.3':
     resolution: {integrity: sha512-lZXZ9ckh5R8uiFVt8ogUNf+pIrK4EsWrx2Np75WvF/eTpJ0FMHNhjXk8CKEx/+gpHbNQyJWehbFaTvqmHWB3ww==}
 
-  '@types/deep-eql@4.0.2':
-    resolution: {integrity: sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==}
-
   '@types/ember-data@4.4.16':
     resolution: {integrity: sha512-plFqPkgw7n4YlkzvApkQAIhvvYTERlx8PeI2J5gSFtMtsKuoaIo8fXm4w22ZdBQtTzeh/kwvpO2WY8R/d5Ttfg==}
 
@@ -1972,8 +2018,8 @@ packages:
   '@types/ember__polyfills@4.0.6':
     resolution: {integrity: sha512-hbds3Qv+oVm/QKIaY1E6atvrCoJTH/MPSl4swOhX6P0RiMB2fOfFCrFSD1mP1KrU1LqpHJ2Rzs7XLe53SWVzgw==}
 
-  '@types/ember__routing@4.0.22':
-    resolution: {integrity: sha512-qLk9Vd2GMxdlGmX9xbzg4Farths+AQGzYDH901Wo2Nsre+Cwv1Tk1rbCiay2V3ICYZYufytdWT6V++DISF3nvw==}
+  '@types/ember__routing@4.0.23':
+    resolution: {integrity: sha512-JW4HXubi7Du98sdPdMmdz54fwawo1o9YX3r/emHWGAsCCiwlbuwKIwyrlhUml5YQTpcZfC///Q9t5M6/JXTNrw==}
 
   '@types/ember__runloop@4.0.10':
     resolution: {integrity: sha512-9MZfOJBXuUP7RqLjovmzy1yY2xKTxVpqHMapqy6QJ8mjAekRmq9IJ+ni2zJ5CWftyb3Lqu3Eks05CL7fnbhcJA==}
@@ -1981,8 +2027,8 @@ packages:
   '@types/ember__service@4.0.9':
     resolution: {integrity: sha512-DrepocL/4hH5YxbDWbxEKMDcAchBPSGGa4g+LEINW1Po81RmSdKw5GZV4UO0mvRWgkdu3EbWUxbTzB4gmbDSeQ==}
 
-  '@types/ember__string@3.16.3':
-    resolution: {integrity: sha512-0T9ofzm9LL/bSG5u1SxKx/j2h/bHKkl5NKjGCNbFQxEKBw4f2cs6+AMDgWke9z+qrRRIz9vGEtMXnA3yJrO2xA==}
+  '@types/ember__string@3.0.15':
+    resolution: {integrity: sha512-SxoaweAJUJKSIt82clIwpi/Fm0IfeisozLnXthnBp/hE2JyVcnOb1wMIbw0CCfzercmyWG1njV45VBqy8SrLDQ==}
 
   '@types/ember__template@4.0.7':
     resolution: {integrity: sha512-jv4hhG+8d1zdma+jhbCdJ3Ak7C22YNatGyWWvB3N9zbXq358AAPXaJoyNY8QTDbD/RIR9P6yoRk4u9vLbF6zfA==}
@@ -1996,17 +2042,14 @@ packages:
   '@types/eslint@8.56.12':
     resolution: {integrity: sha512-03ruubjWyOHlmljCVoxSuNDdmfZDzsrrz0P2LeJsOXr+ZwFQ+0yQIwNCwt/GYhV7Z31fgtXJTAEs+FYlEL851g==}
 
-  '@types/estree@1.0.7':
-    resolution: {integrity: sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ==}
+  '@types/estree@1.0.9':
+    resolution: {integrity: sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg==}
 
-  '@types/estree@1.0.8':
-    resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==}
+  '@types/express-serve-static-core@4.19.8':
+    resolution: {integrity: sha512-02S5fmqeoKzVZCHPZid4b8JH2eM5HzQLZWN2FohQEy/0eXTq8VXZfSN6Pcr3F6N9R/vNrj7cpgbhjie6m/1tCA==}
 
-  '@types/express-serve-static-core@4.19.6':
-    resolution: {integrity: sha512-N4LZ2xG7DatVqhCZzOGb1Yi5lMbXSZcmdLDe9EzSndPV2HpWYWzRbaerl2n27irrm94EPpprqa8KpskPT085+A==}
-
-  '@types/express@4.17.22':
-    resolution: {integrity: sha512-eZUmSnhRX9YRSkplpz0N+k6NljUUn5l3EWZIKZvYzhvMphEuNiyyy1viH/ejgt66JWgALwC/gtSUAeQKtSwW/w==}
+  '@types/express@4.17.25':
+    resolution: {integrity: sha512-dVd04UKsfpINUnK0yBoYHDF3xu7xVH4BuDotC/xGuycx4CgbP48X/KF/586bcObxT0HENHXEU8Nqtu6NR+eKhw==}
 
   '@types/fs-extra@5.1.0':
     resolution: {integrity: sha512-AInn5+UBFIK9FK5xc9yP5e3TQSPNNgjHByqYcj9g5elVBnDQcQL7PlO1CIRy2gWlbwK7UPYqi7vRvFA44dCmYQ==}
@@ -2023,50 +2066,43 @@ packages:
   '@types/glob@7.2.0':
     resolution: {integrity: sha512-ZUxbzKl0IfJILTS6t7ip5fQQM/J3TJYubDm3nMbgubNNYS62eXeUpoLUC8/7fJNiFYHTrGPQn7hspDUzIHX3UA==}
 
-  '@types/glob@8.1.0':
-    resolution: {integrity: sha512-IO+MJPVhoqz+28h1qLAcBEH2+xHMK6MTyHJc7MTnnYb6wsoLR29POVGJ7LycmVXIqyy/4/2ShP5sUwTXuOwb/w==}
+  '@types/glob@9.0.0':
+    resolution: {integrity: sha512-00UxlRaIUvYm4R4W9WYkN8/J+kV8fmOQ7okeH6YFtGWFMt3odD45tpG5yA5wnL7HE6lLgjaTW5n14ju2hl2NNA==}
+    deprecated: This is a stub types definition. glob provides its own type definitions, so you do not need this installed.
 
-  '@types/http-errors@2.0.4':
-    resolution: {integrity: sha512-D0CFMMtydbJAegzOyHjtiKPLlvnm3iTZyZRSZoLq2mRhDdmLfIWOCYPfQJ4cu2erKghU++QvjcUjp/5h7hESpA==}
+  '@types/http-errors@2.0.5':
+    resolution: {integrity: sha512-r8Tayk8HJnX0FztbZN7oVqGccWgw98T/0neJphO91KkmOzug1KkofZURD4UaD5uH8AqcFLfdPErnBod0u71/qg==}
 
-  '@types/jquery@3.5.32':
-    resolution: {integrity: sha512-b9Xbf4CkMqS02YH8zACqN1xzdxc3cO735Qe5AbSUFmyOiaWAbcpqh9Wna+Uk0vgACvoQHpWDg2rGdHkYPLmCiQ==}
+  '@types/jquery@3.5.34':
+    resolution: {integrity: sha512-3m3939S3erqmTLJANS/uy0B6V7BorKx7RorcGZVjZ62dF5PAGbKEDZK1CuLtKombJkFA2T1jl8LAIIs7IV6gBQ==}
 
   '@types/json-schema@7.0.15':
     resolution: {integrity: sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==}
 
-  '@types/linkify-it@5.0.0':
-    resolution: {integrity: sha512-sVDA58zAw4eWAffKOaQH5/5j3XeayukzDk+ewSsnv3p4yJEZHCCzMDiZM8e0OUrRvmpGZ85jf4yDHkHsgBNr9Q==}
-
-  '@types/markdown-it@14.1.2':
-    resolution: {integrity: sha512-promo4eFwuiW+TfGxhi+0x3czqTYJkG8qB17ZUJiVF10Xm7NLVRSLUsfRTU/6h1e24VvRnXCx+hG7li58lkzog==}
-
   '@types/mdast@3.0.15':
     resolution: {integrity: sha512-LnwD+mUEfxWMa1QpDraczIn6k0Ee3SMicuYSSzS6ZYl2gKS09EClnJYGd8Du6rfc5r/GZEk5o1mRb8TaTj03sQ==}
 
-  '@types/mdurl@2.0.0':
-    resolution: {integrity: sha512-RGdgjQUZba5p6QEFAVx2OGb8rQDL/cPRG7GiedRzMcJ1tYnUANBncjbSB1NRGwbvjcPeikRABz2nshyPk1bhWg==}
-
   '@types/mime@1.3.5':
     resolution: {integrity: sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w==}
 
   '@types/minimatch@3.0.5':
     resolution: {integrity: sha512-Klz949h02Gz2uZCMGwDUSDS1YBlTdDDgbWHi+81l29tQALUtvz4rAYi5uoVhE5Lagoq6DeqAUlbrHvW/mXDgdQ==}
 
-  '@types/minimatch@5.1.2':
-    resolution: {integrity: sha512-K0VQKziLUWkVKiRVrx4a40iPaxTUefQmjtkQofBkYRcoaaL/8rhwDWww9qWbrgicNOgnpIsMxyNIUM4+n6dUIA==}
+  '@types/minimatch@6.0.0':
+    resolution: {integrity: sha512-zmPitbQ8+6zNutpwgcQuLcsEpn/Cj54Kbn7L5pX0Os5kdWplB7xPgEh/g+SWOB/qmows2gpuCaPyduq8ZZRnxA==}
+    deprecated: This is a stub types definition. minimatch provides its own type definitions, so you do not need this installed.
 
-  '@types/node@25.1.0':
-    resolution: {integrity: sha512-t7frlewr6+cbx+9Ohpl0NOTKXZNV9xHRmNOvql47BFJKcEG1CxtxlPEEe+gR9uhVWM4DwhnvTF110mIL4yP9RA==}
+  '@types/node@25.9.1':
+    resolution: {integrity: sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg==}
 
   '@types/prettier@2.7.3':
     resolution: {integrity: sha512-+68kP9yzs4LMp7VNh8gdzMSPZFL44MLGqiHWvttYJe+6qnuVr4Ek9wSBQoveqY/r+LwjCcU29kNVkidwim+kYA==}
 
-  '@types/qs@6.14.0':
-    resolution: {integrity: sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==}
+  '@types/qs@6.15.1':
+    resolution: {integrity: sha512-GZHUBZR9hckSUhrxmp1nG6NwdpM9fCunJwyThLW1X3AyHgd9IlHb6VANpQQqDr2o/qQp6McZ3y/IA2rVzKzSbw==}
 
-  '@types/qunit@2.19.12':
-    resolution: {integrity: sha512-II+C1wgzUia0g+tGAH+PBb4XiTm8/C/i6sN23r21NNskBYOYrv+qnW0tFQ/IxZzKVwrK4CTglf8YO3poJUclQA==}
+  '@types/qunit@2.19.14':
+    resolution: {integrity: sha512-ou2RMtwyDnW1btrMnDMZeL6V5/yRRbuHKrRC6y8IuzDljjVzw6wPCVFb8p4qJD0NkUkf3BdZeJJIBzjK1BUUDQ==}
 
   '@types/range-parser@1.2.7':
     resolution: {integrity: sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==}
@@ -2077,14 +2113,17 @@ packages:
   '@types/rsvp@4.0.9':
     resolution: {integrity: sha512-F6vaN5mbxw2MBCu/AD9fSKwrhnto2pE77dyUsi415qz9IP9ni9ZOWXHxnXfsM4NW9UjW+it189jvvqnhv37Z7Q==}
 
-  '@types/semver@7.7.0':
-    resolution: {integrity: sha512-k107IF4+Xr7UHjwDc7Cfd6PRQfbdkiRabXGRjo07b4WyPahFBZCZ1sE+BNxYIJPPg73UkfOsVOLwqVc/6ETrIA==}
+  '@types/semver@7.7.1':
+    resolution: {integrity: sha512-FmgJfu+MOcQ370SD0ev7EI8TlCAfKYU+B4m5T3yXc1CiRN94g/SZPtsCkk506aUDtlMnFZvasDwHHUcZUEaYuA==}
 
-  '@types/send@0.17.4':
-    resolution: {integrity: sha512-x2EM6TJOybec7c52BX0ZspPodMsQUd5L6PRwOunVyVUhXiBSKf3AezDL8Dgvgt5o0UfKNfuA0eMLr2wLT4AiBA==}
+  '@types/send@0.17.6':
+    resolution: {integrity: sha512-Uqt8rPBE8SY0RK8JB1EzVOIZ32uqy8HwdxCnoCOsYrvnswqmFZ/k+9Ikidlk/ImhsdvBsloHbAlewb2IEBV/Og==}
 
-  '@types/serve-static@1.15.7':
-    resolution: {integrity: sha512-W8Ym+h8nhuRwaKPaDw34QUkwsGi6Rc4yYqvKFo5rm2FUEhCFbzVWrxXUxuKK8TASjWsysJY0nsmNCGhCOIsrOw==}
+  '@types/send@1.2.1':
+    resolution: {integrity: sha512-arsCikDvlU99zl1g69TcAB3mzZPpxgw0UQnaHeC1Nwb015xp8bknZv5rIfri9xTOcMuaVgvabfIRA7PSZVuZIQ==}
+
+  '@types/serve-static@1.15.10':
+    resolution: {integrity: sha512-tRs1dB+g8Itk72rlSI2ZrW6vZg0YrLI81iQSTkMmOqnqCaNr/8Ek4VwWcN5vZgCYWbg/JJSGBlUaYGAOP73qBw==}
 
   '@types/shell-quote@1.7.5':
     resolution: {integrity: sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==}
@@ -2092,11 +2131,11 @@ packages:
   '@types/sinon@17.0.4':
     resolution: {integrity: sha512-RHnIrhfPO3+tJT0s7cFaXGZvsL4bbR3/k7z3P312qMS4JaS2Tk+KiwiLx1S0rQ56ERj00u1/BtdyVd0FY+Pdew==}
 
-  '@types/sinonjs__fake-timers@8.1.5':
-    resolution: {integrity: sha512-mQkU2jY8jJEF7YHjHvsQO8+3ughTL1mcnn96igfhONmR+fUPSKIkefQYpSe8bsly2Ep7oQbn/6VG5/9/0qcArQ==}
+  '@types/sinonjs__fake-timers@15.0.1':
+    resolution: {integrity: sha512-Ko2tjWJq8oozHzHV+reuvS5KYIRAokHnGbDwGh/J64LntgpbuylF74ipEL24HCyRjf9FOlBiBHWBR1RlVKsI1w==}
 
-  '@types/sizzle@2.3.9':
-    resolution: {integrity: sha512-xzLEyKB50yqCUPUJkIsrVvoWNfFUbIZI+RspLWt8u+tIW/BetMBZtgV2LY/2o+tYH8dRvQ+eoPf3NdhQCcLE2w==}
+  '@types/sizzle@2.3.10':
+    resolution: {integrity: sha512-TC0dmN0K8YcWEAEfiPi5gJP14eJe30TTGjkvek3iM/1NdHHsdCA/Td6GvNndMOo/iSnIsZ4HuuhrYPDAmbxzww==}
 
   '@types/symlink-or-copy@1.2.2':
     resolution: {integrity: sha512-MQ1AnmTLOncwEf9IVU+B2e4Hchrku5N67NkgcAHW0p3sdzPe0FNMANxEm6OJUzPniEQGkeT3OROLlCwZJLWFZA==}
@@ -2125,6 +2164,9 @@ packages:
   '@types/unist@2.0.11':
     resolution: {integrity: sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA==}
 
+  '@types/ws@8.18.1':
+    resolution: {integrity: sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg==}
+
   '@typescript-eslint/eslint-plugin@5.62.0':
     resolution: {integrity: sha512-TiZzBSJja/LbhNPvk6yc0JrX9XqhQ0hdh6M2svYfsHGejaKFIAGd9MQ+ERIMzLGlN/kZoYIgdxFV0PuljTKXag==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
@@ -2183,8 +2225,8 @@ packages:
     resolution: {integrity: sha512-07ny+LHRzQXepkGg6w0mFY41fVUNBrL2Roj/++7V1txKugfjm/Ci/qSND03r2RhlJhJYMcTn9AhhSSqQp0Ysyw==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
 
-  '@ungap/structured-clone@1.3.0':
-    resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==}
+  '@ungap/structured-clone@1.3.1':
+    resolution: {integrity: sha512-mUFwbeTqrVgDQxFveS+df2yfap6iuP20NAKAsBt5jDEoOTDew+zwLAOilHCeQJOVSvmgCX4ogqIrA0mnyr08yQ==}
 
   '@warp-drive/build-config@0.0.3':
     resolution: {integrity: sha512-cvaZE2tF73o+DvXkKmu7WU65tDffAZKQgRh3HWnVWksWs7B4rn86zGg3uUh6edKnpZ76o7xQ0cBaqdQkoDJ5Ng==}
@@ -2264,9 +2306,9 @@ packages:
       webpack-dev-server:
         optional: true
 
-  '@xmldom/xmldom@0.8.10':
-    resolution: {integrity: sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw==}
-    engines: {node: '>=10.0.0'}
+  '@xmldom/xmldom@0.9.10':
+    resolution: {integrity: sha512-A9gOqLdi6cV4ibazAjcQufGj0B1y/vDqYrcuP6d/6x8P27gRS8643Dj9o1dEKtB6O7fwxb2FgBmJS2mX7gpvdw==}
+    engines: {node: '>=14.6'}
 
   '@xtuc/ieee754@1.2.0':
     resolution: {integrity: sha512-DX8nKgqcGwsc0eJSqYt5lwP4DH5FlHnmuWWBRy7X0NcaGR0ZtuyeESgMwTYVEtxmsNGY+qit4QYT/MIYTOTPeA==}
@@ -2274,9 +2316,6 @@ packages:
   '@xtuc/long@4.2.2':
     resolution: {integrity: sha512-NuHqBY1PB/D8xU6s/thBgOAiAP7HOYDQ32+BFZILJ8ivkUkAHQnWfn6WhL79Owj1qmUnoN/YPhktdIoucipkAQ==}
 
-  JSV@4.0.2:
-    resolution: {integrity: sha512-ZJ6wx9xaKJ3yFUhq5/sk82PJMuUyLk277I8mQeyDgCTjGdjWJIvPfaU5LIXaMuaN2UO1X3kZH4+lgphublZUHw==}
-
   abbrev@1.1.1:
     resolution: {integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==}
 
@@ -2284,10 +2323,15 @@ packages:
     resolution: {integrity: sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==}
     engines: {node: '>= 0.6'}
 
-  acorn-import-attributes@1.9.5:
-    resolution: {integrity: sha512-n02Vykv5uA3eHGM/Z2dQrcD56kL8TyDb2p1+0P83PClMnC/nc+anbQRhIOWnSq4Ke/KvDPrY3C9hDtC/A3eHnQ==}
+  accepts@2.0.0:
+    resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==}
+    engines: {node: '>= 0.6'}
+
+  acorn-import-phases@1.0.4:
+    resolution: {integrity: sha512-wKmbr/DDiIXzEOiWrTTUcDm24kQ2vGfZQvM2fwg2vXqR5uW6aapr7ObPtj1th32b9u90/Pf4AItvdTh42fBmVQ==}
+    engines: {node: '>=10.13.0'}
     peerDependencies:
-      acorn: ^8
+      acorn: ^8.14.0
 
   acorn-jsx@5.3.2:
     resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
@@ -2299,8 +2343,8 @@ packages:
     engines: {node: '>=0.4.0'}
     hasBin: true
 
-  acorn@8.14.1:
-    resolution: {integrity: sha512-OvQ/2pUDKmgfCg++xsTX1wGxfTaszcHVcTctW4UJB4hibJx2HXxxO5UmVgyjMa+ZDsiaf5wWLXYpRWMmBI0QHg==}
+  acorn@8.16.0:
+    resolution: {integrity: sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==}
     engines: {node: '>=0.4.0'}
     hasBin: true
 
@@ -2317,11 +2361,11 @@ packages:
     peerDependencies:
       ajv: ^8.8.2
 
-  ajv@6.12.6:
-    resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==}
+  ajv@6.15.0:
+    resolution: {integrity: sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==}
 
-  ajv@8.17.1:
-    resolution: {integrity: sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==}
+  ajv@8.20.0:
+    resolution: {integrity: sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==}
 
   amd-name-resolver@0.0.6:
     resolution: {integrity: sha512-W2trar3LgeKV/yB6ZRD3Iw7MlhrKjLMVSNAatWNNYsn4w+iSfbmA66VB+jQjVIfvzHPZicnHObAvflMkoVtjAQ==}
@@ -2334,13 +2378,6 @@ packages:
     resolution: {integrity: sha512-S2Hw0TtNkMJhIabBwIojKL9YHO5T0n5eNqWJ7Lrlel/zDbftQpxpapi8tZs3X1HWa+u+QeydGmzzNU0m09+Rcg==}
     engines: {node: '>=0.4.2'}
 
-  anchor-markdown-header@0.6.0:
-    resolution: {integrity: sha512-v7HJMtE1X7wTpNFseRhxsY/pivP4uAJbidVhPT+yhz4i/vV1+qx371IXuV9V7bN6KjFtheLJxqaSm0Y/8neJTA==}
-
-  ansi-escape-sequences@4.1.0:
-    resolution: {integrity: sha512-dzW9kHxH011uBsidTXd14JXgzye/YLb2LzeKZ4bsgl/Knwx8AtbSFkkGxagdNOoh0DlqHCmfiEjWKBaqjOanVw==}
-    engines: {node: '>=8.0.0'}
-
   ansi-escapes@3.2.0:
     resolution: {integrity: sha512-cBhpre4ma+U0T1oM5fXg7Dy1Jw7zzwv7lt/GoCpr+hDQJoYnKVPLL4dCvSEFMmQurOQvSrwT7SL/DAlhBI97RQ==}
     engines: {node: '>=4'}
@@ -2349,8 +2386,8 @@ packages:
     resolution: {integrity: sha512-gKXj5ALrKWQLsYG9jlTRmR/xKluxHV+Z9QEwNIgCfM1/uwPMCuzVVnh5mwTd+OuBZcwSIMbqssNWRm1lE51QaQ==}
     engines: {node: '>=8'}
 
-  ansi-escapes@7.0.0:
-    resolution: {integrity: sha512-GdYO7a61mR0fOlAsvC9/rIHf7L96sBc6dEWzeOu+KAea5bZyQRPIpojrVoI4AXGJS/ycu/fBTdLrUkA4ODrvjw==}
+  ansi-escapes@7.3.0:
+    resolution: {integrity: sha512-BvU8nYgGQBxcmMuEeUEmNTvrMVjJNSH7RgW24vXexN4Ven6qCvy4TntnvlnwnMLTVlcRQQdbRY8NKnaIoeWDNg==}
     engines: {node: '>=18'}
 
   ansi-html@0.0.8:
@@ -2374,14 +2411,10 @@ packages:
     resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
     engines: {node: '>=8'}
 
-  ansi-regex@6.1.0:
-    resolution: {integrity: sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==}
+  ansi-regex@6.2.2:
+    resolution: {integrity: sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==}
     engines: {node: '>=12'}
 
-  ansi-styles@1.0.0:
-    resolution: {integrity: sha512-3iF4FIKdxaVYT3JqQuY3Wat/T2t7TRbbQ94Fu50ZUCbLy4TFbTzr90NOHQodQkNqmeEGCw8WbeP78WNi6SKYUA==}
-    engines: {node: '>=0.8.0'}
-
   ansi-styles@2.2.1:
     resolution: {integrity: sha512-kmCevFghRiWM7HB5zTPULl4r9bVFSWjz62MhqizDGUrq2NWuNMQyuv4tHHoKJHs69M/MF64lEcHdYIocrdWQYA==}
     engines: {node: '>=0.10.0'}
@@ -2394,8 +2427,8 @@ packages:
     resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
     engines: {node: '>=8'}
 
-  ansi-styles@6.2.1:
-    resolution: {integrity: sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==}
+  ansi-styles@6.2.3:
+    resolution: {integrity: sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==}
     engines: {node: '>=12'}
 
   ansi-to-html@0.6.15:
@@ -2413,22 +2446,14 @@ packages:
     resolution: {integrity: sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==}
     engines: {node: '>= 8'}
 
-  aproba@2.0.0:
-    resolution: {integrity: sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==}
-
-  are-we-there-yet@3.0.1:
-    resolution: {integrity: sha512-QZW4EDmGwlYur0Yyf/b2uGucHQMa8aFUP7eu9ddR73vvhFyt4V0Vl3QHPcTNJ8l6qYOBdxgXdnBXQrHilfRQBg==}
-    engines: {node: ^12.13.0 || ^14.15.0 || >=16.0.0}
-    deprecated: This package is no longer supported.
+  aproba@2.1.0:
+    resolution: {integrity: sha512-tLIEcj5GuR2RSTnxNKdkK0dJ/GrC7P38sUkiDmDuHfsHmbagTFAxDVIBltoklXEVIQ/f14IL8IMJ5pn9Hez1Ew==}
 
   are-we-there-yet@4.0.2:
     resolution: {integrity: sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==}
     engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
     deprecated: This package is no longer supported.
 
-  argparse@1.0.10:
-    resolution: {integrity: sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==}
-
   argparse@2.0.1:
     resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
 
@@ -2436,30 +2461,6 @@ packages:
     resolution: {integrity: sha512-COROpnaoap1E2F000S62r6A60uHZnmlvomhfyT2DlTcrY1OrBKn2UhH7qn5wTC9zMvD0AY7csdPSNwKP+7WiQw==}
     engines: {node: '>= 0.4'}
 
-  array-back@1.0.4:
-    resolution: {integrity: sha512-1WxbZvrmyhkNoeYcizokbmh5oiOCIfyvGtcqbK3Ls1v1fKcquzxnQSceOx6tzq7jmai2kFLWIpGND2cLhH6TPw==}
-    engines: {node: '>=0.12.0'}
-
-  array-back@2.0.0:
-    resolution: {integrity: sha512-eJv4pLLufP3g5kcZry0j6WXpIbzYw9GUB4mVJZno9wfwiBxbizTnHCw3VJb07cBihbFX48Y7oSrW9y+gt4glyw==}
-    engines: {node: '>=4'}
-
-  array-back@3.1.0:
-    resolution: {integrity: sha512-TkuxA4UCOvxuDK6NZYXCalszEzj+TLszyASooky+i742l9TqsOdYCMJJupxRic61hwquNtppB3hgcuq9SVSH1Q==}
-    engines: {node: '>=6'}
-
-  array-back@4.0.2:
-    resolution: {integrity: sha512-NbdMezxqf94cnNfWLL7V/im0Ub+Anbb0IoZhvzie8+4HJ4nMQuzHuy49FkGYCJK2yAloZ3meiB6AVMClbrI1vg==}
-    engines: {node: '>=8'}
-
-  array-back@5.0.0:
-    resolution: {integrity: sha512-kgVWwJReZWmVuWOQKEOohXKJX+nD02JAZ54D1RRWlv8L0NebauKAaFxACKzB74RTclt1+WNz5KHaLRDAPZbDEw==}
-    engines: {node: '>=10'}
-
-  array-back@6.2.2:
-    resolution: {integrity: sha512-gUAZ7HPyb4SJczXAMUXMGAvI976JoK3qEx9v1FTmeYuJj0IBiaKttG1ydtGKdkfqWkIkouke7nG8ufGy77+Cvw==}
-    engines: {node: '>=12.17'}
-
   array-buffer-byte-length@1.0.2:
     resolution: {integrity: sha512-LHE+8BuR7RYGDKvnrmcuSq3tDcKv9OFEXQt/HpbZhY7V6h0zlUXutnAD82GiFx9rdieCMjkvtcsPqBwgUl1Iiw==}
     engines: {node: '>= 0.4'}
@@ -2488,8 +2489,8 @@ packages:
     resolution: {integrity: sha512-3duEwti880xqi4eAMN8AyR4a0ByT90zoYdLlevfrvU43vb0YZwZVfxOgxWrLXXXpyugL0hNZc9G6BiB5B3nUug==}
     engines: {node: '>=8'}
 
-  asn1js@3.0.6:
-    resolution: {integrity: sha512-UOCGPYbl0tv8+006qks/dTgV9ajs97X2p0FAbyS2iyCRrmLSRolDaHdp+v/CLgnzHc3fVB+CwYiUmei7ndFcgA==}
+  asn1js@3.0.10:
+    resolution: {integrity: sha512-S2s3aOytiKdFRdulw2qPE51MzjzVOisppcVv7jVFR+Kw0kxwvFrDcYA0h7Ndqbmj0HkMIXYWaoj7fli8kgx1eg==}
     engines: {node: '>=12.0.0'}
 
   assert-never@1.4.0:
@@ -2534,8 +2535,8 @@ packages:
     resolution: {integrity: sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==}
     engines: {node: '>= 0.4'}
 
-  axe-core@4.10.3:
-    resolution: {integrity: sha512-Xm7bpRXnDSX2YE2YFfBk2FnF0ep6tmG7xPh8iHee8MIcrgq762Nkce856dYtJYLkuIoYZvGfTs/PbZhideTcEg==}
+  axe-core@4.11.4:
+    resolution: {integrity: sha512-KunSNx+TVpkAw/6ULfhnx+HWRecjqZGTOyquAoWHYLRSdK1tB5Ihce1ZW+UY3fj33bYAFWPu7W/GRSmmrCGuxA==}
     engines: {node: '>=4'}
 
   babel-import-util@0.2.0:
@@ -2603,21 +2604,26 @@ packages:
     resolution: {integrity: sha512-tjR0GvSndzPew/Iayf4uICWZqjBwnlMWjSx6brryfQ81F9rxBVqwDJtFCV8oOs0+vJeefK9TmdZtkIFdFe1UnA==}
     engines: {node: '>= 6.0.0'}
 
-  babel-plugin-module-resolver@5.0.2:
-    resolution: {integrity: sha512-9KtaCazHee2xc0ibfqsDeamwDps6FZNo5S0Q81dUqEuFzVwPhcT4J5jOqIVvgCA3Q/wO9hKYxN/Ds3tIsp5ygg==}
+  babel-plugin-module-resolver@5.0.3:
+    resolution: {integrity: sha512-h8h6H71ZvdLJZxZrYkaeR30BojTaV7O9GfqacY14SNj5CNB8ocL9tydNzTC0JrnNN7vY3eJhwCmkDj7tuEUaqQ==}
 
-  babel-plugin-polyfill-corejs2@0.4.13:
-    resolution: {integrity: sha512-3sX/eOms8kd3q2KZ6DAhKPc0dgm525Gqq5NtWKZ7QYYZEv57OQ54KtblzJzH1lQF/eQxO8KjWGIK9IPUJNus5g==}
+  babel-plugin-polyfill-corejs2@0.4.17:
+    resolution: {integrity: sha512-aTyf30K/rqAsNwN76zYrdtx8obu0E4KoUME29B1xj+B3WxgvWkp943vYQ+z8Mv3lw9xHXMHpvSPOBxzAkIa94w==}
     peerDependencies:
       '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0
 
-  babel-plugin-polyfill-corejs3@0.11.1:
-    resolution: {integrity: sha512-yGCqvBT4rwMczo28xkH/noxJ6MZ4nJfkVYdoDaC/utLtWrXxv27HVrzAeSbqR8SxDsp46n0YF47EbHoixy6rXQ==}
+  babel-plugin-polyfill-corejs3@0.13.0:
+    resolution: {integrity: sha512-U+GNwMdSFgzVmfhNm8GJUX88AadB3uo9KpJqS3FaqNIPKgySuvMb+bHPsOmmuWyIcuqZj/pzt1RUIUZns4y2+A==}
     peerDependencies:
       '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0
 
-  babel-plugin-polyfill-regenerator@0.6.4:
-    resolution: {integrity: sha512-7gD3pRadPrbjhjLyxebmx/WrFYcuSjZ0XbdUujQMZ/fcE9oeewk2U/7PCvez84UeuK3oSjmPZ0Ch0dlupQvGzw==}
+  babel-plugin-polyfill-corejs3@0.14.2:
+    resolution: {integrity: sha512-coWpDLJ410R781Npmn/SIBZEsAetR4xVi0SxLMXPaMO4lSf1MwnkGYMtkFxew0Dn8B3/CpbpYxN0JCgg8mn67g==}
+    peerDependencies:
+      '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0
+
+  babel-plugin-polyfill-regenerator@0.6.8:
+    resolution: {integrity: sha512-M762rNHfSF1EV3SLtnCJXFoQbbIIz0OyRwnCmV0KPC7qosSfCO0QLTSuJX3ayAebubhE6oYBAYPrBA5ljowaZg==}
     peerDependencies:
       '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0
 
@@ -2639,6 +2645,10 @@ packages:
   balanced-match@2.0.0:
     resolution: {integrity: sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==}
 
+  balanced-match@4.0.4:
+    resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
+    engines: {node: 18 || 20 || >=22}
+
   base64-js@1.5.1:
     resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}
 
@@ -2646,6 +2656,11 @@ packages:
     resolution: {integrity: sha512-lGe34o6EHj9y3Kts9R4ZYs/Gr+6N7MCaMlIFA3F1R2O5/m7K06AxfSeO5530PEERE6/WyEg3lsuyw4GHlPZHog==}
     engines: {node: ^4.5.0 || >= 5.9}
 
+  baseline-browser-mapping@2.10.32:
+    resolution: {integrity: sha512-wbPvpyjJPC0zdfdKXxqEL3Ea+bOMD/87X4lftiJkkaBiuG6ALQy1SLmEd7BSmVCuwCQsBrCamgBoLyfFDD1EPg==}
+    engines: {node: '>=6.0.0'}
+    hasBin: true
+
   basic-auth@2.0.1:
     resolution: {integrity: sha512-NF+epuEdnUYVlGuhaxbbq+dvJttwLnGY+YixlXlME5KpQ5W3CnXA5cVTneY3SPbPDRkcjMbifrwmFYcClgOZeg==}
     engines: {node: '>= 0.8'}
@@ -2671,24 +2686,29 @@ packages:
   blank-object@1.0.2:
     resolution: {integrity: sha512-kXQ19Xhoghiyw66CUiGypnuRpWlbHAzY/+NyvqTEdTfhfQGH1/dbEMYiXju7fYKIFePpzp/y9dsu5Cu/PkmawQ==}
 
-  bluebird@3.7.2:
-    resolution: {integrity: sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==}
-
-  body-parser@1.20.3:
-    resolution: {integrity: sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==}
+  body-parser@1.20.5:
+    resolution: {integrity: sha512-3grm+/2tUOvu2cjJkvsIxrv/wVpfXQW4PsQHYm7yk4vfpu7Ekl6nEsYBoJUL6qDwZUx8wUhQ8tR2qz+ad9c9OA==}
     engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16}
 
+  body-parser@2.2.2:
+    resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==}
+    engines: {node: '>=18'}
+
   body@5.1.0:
     resolution: {integrity: sha512-chUsBxGRtuElD6fmw1gHLpvnKdVLK302peeFa9ZqAEk8TyzZ3fygLyUEDDPTJvL9+Bor0dIwn6ePOsRM2y0zQQ==}
 
   boolify@1.0.1:
     resolution: {integrity: sha512-ma2q0Tc760dW54CdOyJjhrg/a54317o1zYADQJFgperNGKIKgAUGIcKnuMiff8z57+yGlrGNEt4lPgZfCgTJgA==}
 
-  brace-expansion@1.1.11:
-    resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
+  brace-expansion@1.1.15:
+    resolution: {integrity: sha512-EwOCDEex4quD37XhqM3omwtMoJjr//isUZz1JopUNWms+4Z2ViyM/k1YIRePpoVNnQhENnxtFjLaxNHrT7xIUg==}
 
-  brace-expansion@2.0.1:
-    resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
+  brace-expansion@2.1.1:
+    resolution: {integrity: sha512-WR1cURNjuvBLMZBMbqM0UoE+WAfdUcEV1ccD8PVBVOI+Z3ND4+SZbN8RsfT2bMuG1qwz5RFvPukSZm5fF2D5eA==}
+
+  brace-expansion@5.0.6:
+    resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==}
+    engines: {node: 18 || 20 || >=22}
 
   braces@3.0.3:
     resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
@@ -2721,21 +2741,21 @@ packages:
   broccoli-caching-writer@2.3.1:
     resolution: {integrity: sha512-lfoDx98VaU8tG4mUXCxKdKyw2Lr+iSIGUjCgV83KC2zRC07SzYTGuSsMqpXFiOQlOGuoJxG3NRoyniBa1BWOqA==}
 
-  broccoli-caching-writer@3.0.3:
-    resolution: {integrity: sha512-g644Kb5uBPsy+6e2DvO3sOc+/cXZQQNgQt64QQzjA9TSdP0dl5qvetpoNIx4sy/XIjrPYG1smEidq9Z9r61INw==}
+  broccoli-caching-writer@3.1.0:
+    resolution: {integrity: sha512-3TWi92ogzUhLmCF5V4DjhN7v4t6OjXYO21p9GkuOZQ1SiVmM1sYio364y64dREHUzjFEcH8mdVCiRDdrwUGVTw==}
 
   broccoli-clean-css@1.1.0:
     resolution: {integrity: sha512-S7/RWWX+lL42aGc5+fXVLnwDdMtS0QEWUFalDp03gJ9Na7zj1rWa351N2HZ687E2crM9g+eDWXKzD17cbcTepg==}
 
-  broccoli-concat@4.2.5:
-    resolution: {integrity: sha512-dFB5ATPwOyV8S2I7a07HxCoutoq23oY//LhM6Mou86cWUTB174rND5aQLR7Fu8FjFFLxoTbkk7y0VPITJ1IQrw==}
+  broccoli-concat@4.2.7:
+    resolution: {integrity: sha512-JePfBFwHtZ2FR33PBZQA99/hQ4idIbZ205rH84Jw6vgkuKDRVXWVzZP2gvR2WXugXaQ1fj3+yO04b0QsstNHzQ==}
     engines: {node: 10.* || >= 12.*}
 
   broccoli-config-loader@1.0.1:
     resolution: {integrity: sha512-MDKYQ50rxhn+g17DYdfzfEM9DjTuSGu42Db37A8TQHQe8geYEcUZ4SQqZRgzdAI3aRQNlA1yBHJfOeGmOjhLIg==}
 
-  broccoli-config-replace@1.1.2:
-    resolution: {integrity: sha512-qLlEY3V7p3ZWJNRPdPgwIM77iau1qR03S9BupMMFngjzBr7S6RSzcg96HbCYXmW9gfTbjRm9FC4CQT81SBusZg==}
+  broccoli-config-replace@1.1.3:
+    resolution: {integrity: sha512-gWGS2h/2VyJnD9tI1/HzRsXLOptnt7tu+KLpfPuxd+DBcdswn/i0kyVrTxQpFy+C5eo2hBn672QAEZzf/7LlAA==}
 
   broccoli-debug@0.6.5:
     resolution: {integrity: sha512-RIVjHvNar9EMCLDW/FggxFRXqpjhncM/3qq87bn/y+/zR9tqEkHvTqbyOc4QnB97NO2m6342w4wGkemkaeOuWg==}
@@ -2780,8 +2800,8 @@ packages:
     resolution: {integrity: sha512-nTrQe5AQtCrW4enLRvbD/vTLHqyW2tz+vsLXQe4IEaUhepuMGVKJJr+I8n34Vu6fPjmPLwTjzNC8izMIDMtHPw==}
     engines: {node: 10.* || >= 12.*}
 
-  broccoli-middleware@2.1.1:
-    resolution: {integrity: sha512-BK8aPhQpOLsHWiftrqXQr84XsvzUqeaN4PlCQOYg5yM0M+WKAHtX2WFXmicSQZOVgKDyh5aeoNTFkHjBAEBzwQ==}
+  broccoli-middleware@2.1.2:
+    resolution: {integrity: sha512-hdJ5mPwvsQI/eDZbpztfaA0DNINqp/aHzEz4lPG8WCVOXUfbFdbiWO7nMu3v+mmwTcgRD2e8I4DVQ9J2AoYnPQ==}
     engines: {node: 6.* || 8.* || >= 10.*}
 
   broccoli-node-api@1.7.0:
@@ -2877,8 +2897,8 @@ packages:
     resolution: {integrity: sha512-sWi3b3fTUSVPDsz5KsQ5eCQNVAtLgkIE/HYFkEZXR/07clqmd4E/gFiuwSaqa9b+QTXc1Uemfb7TVWbEIURWDg==}
     engines: {node: 8.* || >= 10.*}
 
-  browserslist@4.24.5:
-    resolution: {integrity: sha512-FDToo4Wo82hIdgc1CQ+NQD0hEhmpPjrZ3hiUgwgOG6IuTdlpr8jdjyG24P6cNP1yJpTLzS5OcGgSw0xmDU1/Tw==}
+  browserslist@4.28.2:
+    resolution: {integrity: sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==}
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
     hasBin: true
 
@@ -2891,9 +2911,6 @@ packages:
   buffer@5.7.1:
     resolution: {integrity: sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==}
 
-  buffer@6.0.3:
-    resolution: {integrity: sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==}
-
   builtin-modules@3.3.0:
     resolution: {integrity: sha512-zhaCDicdLuWN5UbN5IMnFqNMhNfo919sH85y2/ea+5Yg9TsTkeZxpL+JLbp6cgYFS4sRLp3YV4S6yDuqVWHYOw==}
     engines: {node: '>=6'}
@@ -2912,12 +2929,8 @@ packages:
     resolution: {integrity: sha512-JDGoiJ+yt+4Ui1e/vMWx5TRvmnErBBbsOkprXgbe1fRp2XZzI8MoknoiR/ZVCya9aWJbOhrJ5Heon1wrAdftkg==}
     engines: {node: '>=6.0.0'}
 
-  cache-point@2.0.0:
-    resolution: {integrity: sha512-4gkeHlFpSKgm3vm2gJN5sPqfmijYRFYCQ6tv5cLw0xVmT6r1z1vd4FNnpuOREco3cBs1G709sZ72LdgddKvL5w==}
-    engines: {node: '>=8'}
-
-  cacheable@1.9.0:
-    resolution: {integrity: sha512-8D5htMCxPDUULux9gFzv30f04Xo3wCnik0oOxKoRTPIBoqA7HtOcJ87uBhQTs3jCfZZTrUBGsYIZOgE0ZRgMAg==}
+  cacheable@2.3.5:
+    resolution: {integrity: sha512-EQfaKe09tl615iNvq/TBRWTFf1AKJNXYQSsMx0Z3EI0nA+pVsVPS8wJhnRlkbdacKPh1d0qVIhwTc2zsQNFEEg==}
 
   calculate-cache-key-for-tree@2.0.0:
     resolution: {integrity: sha512-Quw8a6y8CPmRd6eU+mwypktYCwUcf8yVFIRbNZ6tPQEckX9yd+EBVEPC/GSZZrMWH9e7Vz4pT7XhpmyApRByLQ==}
@@ -2927,8 +2940,8 @@ packages:
     resolution: {integrity: sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==}
     engines: {node: '>= 0.4'}
 
-  call-bind@1.0.8:
-    resolution: {integrity: sha512-oKlSFMcMwpUg2ednkhQ454wfWiU/ul3CkJe/PEHcTKuiX6RpbehUiFMXu13HalGZxfUwCQzZG747YXBn1im9ww==}
+  call-bind@1.0.9:
+    resolution: {integrity: sha512-a/hy+pNsFUTR+Iz8TCJvXudKVLAnz/DyeSUo10I5yvFDQJBFU2s9uqQpoSrJlroHUKoKqzg+epxyP9lqFdzfBQ==}
     engines: {node: '>= 0.4'}
 
   call-bound@1.0.4:
@@ -2958,8 +2971,8 @@ packages:
     resolution: {integrity: sha512-RbsNrFyhwkx+6psk/0fK/Q9orOUr9VMxohGd8vTa4djf4TGLfblBgUfqZChrZuW0Q+mz2eBPFLusw9Jfukzmhg==}
     hasBin: true
 
-  caniuse-lite@1.0.30001754:
-    resolution: {integrity: sha512-x6OeBXueoAceOmotzx3PO4Zpt4rzpeIFsSr6AAePTZxSkXiYDUmpypEl7e2+8NCd9bD7bXjqyef8CJYPC1jfxg==}
+  caniuse-lite@1.0.30001793:
+    resolution: {integrity: sha512-iwSsYWaCOoh26cV8NwNRViHlrfUvYsHDfRVcbtmw0Kg6PJIZZXwMkj1442FYLBGkeUf1juAsU3DTfxW579mrPA==}
 
   capture-exit@2.0.0:
     resolution: {integrity: sha512-PiT/hQmTonHhl/HFGN+Lx3JJUznrVYJ3+AQsnthneZbvW7x+f08Tk7yLJTLEOUvBTbduLeeBkxEaYXUOUrRq6g==}
@@ -2969,17 +2982,9 @@ packages:
     resolution: {integrity: sha512-INsuF4GyiFLk8C91FPokbKTc/rwHqV4JnfatVZ6GPhguP1qmkRWX2dp5tepYboYdPpGWisLVLI+KsXoXFPRSMg==}
     hasBin: true
 
-  catharsis@0.9.0:
-    resolution: {integrity: sha512-prMTQVpcns/tzFgFVkVp6ak6RykZyWb3gu8ckUpd6YkTlacOd3DXGJjIpD4Q6zJirizvaiAjSSHlOsA+6sNh2A==}
-    engines: {node: '>= 10'}
-
   ccount@1.1.0:
     resolution: {integrity: sha512-vlNK021QdI7PNeiUh/lKkC/mNHHfV0m/Ad5JoI0TYtlBnJAslM/JIkm/tGC88bkLIwO6OQ5uV6ztS6kVAtCDlg==}
 
-  chalk@0.4.0:
-    resolution: {integrity: sha512-sQfYDlfv2DGVtjdoQqxS0cEZDroyG8h6TamA6rvxwlrU5BaSLDx9xhatBYl2pxZ7gmpNaPFVwBtdGdu5rQ+tYQ==}
-    engines: {node: '>=0.8.0'}
-
   chalk@1.1.3:
     resolution: {integrity: sha512-U3lRVLMSlsCfjqYPbLyVv11M9CPW4I728d6TCKMAOJueEeB9/8o+eSsMnxPJD+Q+K909sdESg7C+tIkoH6on1A==}
     engines: {node: '>=0.10.0'}
@@ -3011,6 +3016,9 @@ packages:
   chardet@0.7.0:
     resolution: {integrity: sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==}
 
+  chardet@2.1.1:
+    resolution: {integrity: sha512-PsezH1rqdV9VvyNhxxOW32/d75r01NY7TQCmOqomRo15ZSOKbpTFVsfjghxo6JloQUCGnH4k1LGu0R4yCLlWQQ==}
+
   charm@1.0.2:
     resolution: {integrity: sha512-wqW3VdPnlSWT4eRiYX+hcs+C6ViBPUWk1qTCd+37qw9kEm/a5n2qcyQDMBWvSYKN/ctqZzeXNQaeBjOetJJUkw==}
 
@@ -3018,9 +3026,9 @@ packages:
     resolution: {integrity: sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==}
     engines: {node: '>= 8.10.0'}
 
-  chokidar@4.0.3:
-    resolution: {integrity: sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==}
-    engines: {node: '>= 14.16.0'}
+  chokidar@5.0.0:
+    resolution: {integrity: sha512-TQMmc3w+5AxjpL8iIiwebF73dRDF4fBIieAqGn9RGCWaEVwQ6Fb2cGe31Yns0RRIzii5goJ1Y7xbMwo1TxMplw==}
+    engines: {node: '>= 20.19.0'}
 
   chrome-trace-event@1.0.4:
     resolution: {integrity: sha512-rNjApaLzuwaOTjCiT8lSDdGN1APCiqkChLMJxJPWLunPAt5fy8xgU9/jNOchV84wfIxrA0lRQB7oCT8jrn/wrQ==}
@@ -3030,10 +3038,13 @@ packages:
     resolution: {integrity: sha512-NIxF55hv4nSqQswkAeiOi1r83xy8JldOFDTWiug55KBu9Jnblncd2U6ViHmYgHf01TPZS77NJBhBMKdWj9HQMQ==}
     engines: {node: '>=8'}
 
-  ci-info@4.2.0:
-    resolution: {integrity: sha512-cYY9mypksY8NRqgDB1XD1RiJL338v/551niynFTGkZOO2LHuB2OmOYxDIe/ttN9AHwrqdum1360G3ald0W9kCg==}
+  ci-info@4.4.0:
+    resolution: {integrity: sha512-77PSwercCZU2Fc4sX94eF8k8Pxte6JAwL4/ICZLFjJLqegs7kCuAsqqj/70NQF6TvDpgFjkubQB2FW2ZZddvQg==}
     engines: {node: '>=8'}
 
+  cldr-core@47.0.0:
+    resolution: {integrity: sha512-tdYRy66DMgpjEwVOWCTN0zhNr+zh1+d4A6MCNgJKU7voFDGsrwcWHor6jcqudHDmElCgyVNqWBKAB1JeNdSOKg==}
+
   clean-base-url@1.0.0:
     resolution: {integrity: sha512-9q6ZvUAhbKOSRFY7A/irCQ/rF0KIpa3uXpx6izm8+fp7b2H4hLeUJ+F1YYk9+gDQ/X8Q0MEyYs+tG3cht//HTg==}
 
@@ -3124,10 +3135,6 @@ packages:
   codemirror-lang-hcl@0.0.0-beta.2:
     resolution: {integrity: sha512-R3ew7Z2EYTdHTMXsWKBW9zxnLoLPYO+CrAa3dPZjXLrIR96Q3GR4cwJKF7zkSsujsnWgwRQZonyWpXYXfhQYuQ==}
 
-  collect-all@1.0.4:
-    resolution: {integrity: sha512-RKZhRwJtJEP5FWul+gkSMEnaK6H3AGPTTWOiRimCcs+rc/OmQE3Yhy1Q7A7KsdkG3ZXVdZq68Y6ONSdvkeEcKA==}
-    engines: {node: '>=0.10.0'}
-
   color-convert@1.9.3:
     resolution: {integrity: sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==}
 
@@ -3166,18 +3173,6 @@ packages:
   comma-separated-tokens@1.0.8:
     resolution: {integrity: sha512-GHuDRO12Sypu2cV70d1dkA2EUmXHgntrzbpvOB+Qy+49ypNfGgFQIC2fhhXbnyrJRynDCAARsT7Ou0M6hirpfw==}
 
-  command-line-args@5.2.1:
-    resolution: {integrity: sha512-H4UfQhZyakIjC74I9d34fGYDwk3XpSr17QhEd0Q3I9Xq1CETHo4Hcuo87WyWHpAF1aSLjLRf5lD9ZGX2qStUvg==}
-    engines: {node: '>=4.0.0'}
-
-  command-line-tool@0.8.0:
-    resolution: {integrity: sha512-Xw18HVx/QzQV3Sc5k1vy3kgtOeGmsKIqwtFFoyjI4bbcpSgnw2CWVULvtakyw4s6fhyAdI6soQQhXc2OzJy62g==}
-    engines: {node: '>=4.0.0'}
-
-  command-line-usage@4.1.0:
-    resolution: {integrity: sha512-MxS8Ad995KpdAC0Jopo/ovGIroV/m0KHwzKfXxKag6FHOkGsH8/lv5yjgablcRxCJJC0oJeUMuO/gmaq+Wq46g==}
-    engines: {node: '>=4.0.0'}
-
   commander@12.1.0:
     resolution: {integrity: sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==}
     engines: {node: '>=18'}
@@ -3186,6 +3181,10 @@ packages:
     resolution: {integrity: sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==}
     engines: {node: '>=18'}
 
+  commander@14.0.3:
+    resolution: {integrity: sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==}
+    engines: {node: '>=20'}
+
   commander@2.20.3:
     resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==}
 
@@ -3212,10 +3211,6 @@ packages:
   common-ancestor-path@1.0.1:
     resolution: {integrity: sha512-L3sHRo1pXXEqX8VU28kfgUY+YGsk09hPqZiZmLacNib6XNTCM8ubYeT7ryXQw8asB1sKgcU5lkB7ONug08aB8w==}
 
-  common-sequence@2.0.2:
-    resolution: {integrity: sha512-jAg09gkdkrDO9EWTdXfv80WWH3yeZl5oT69fGfedBNS9pXUKYInVJ1bJ+/ht2+Moeei48TmSbQDYMc8EOx9G0g==}
-    engines: {node: '>=8'}
-
   common-tags@1.8.2:
     resolution: {integrity: sha512-gk/Z852D2Wtb//0I+kRFNKKE9dIIVirjoqPoA1wJU+XePVXZfGeBpk45+A1rKO4Q43prqWBNY/MiIeRLbPWUaA==}
     engines: {node: '>=4.0.0'}
@@ -3227,8 +3222,8 @@ packages:
     resolution: {integrity: sha512-AF3r7P5dWxL8MxyITRMlORQNaOA2IkAFaTr4k7BUumjPtRpGDTZpl0Pb1XCO6JeDCBdp126Cgs9sMxqSjgYyRg==}
     engines: {node: '>= 0.6'}
 
-  compression@1.8.0:
-    resolution: {integrity: sha512-k6WLKfunuqCYD3t6AsuPGvQWaKwuLLh2/xHNcX4qE+vIfDNXpSqnrhwA7O53R7WVQUnt8dVAIW+YHr7xTgOgGA==}
+  compression@1.8.1:
+    resolution: {integrity: sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==}
     engines: {node: '>= 0.8.0'}
 
   concat-map@0.0.1:
@@ -3239,9 +3234,6 @@ packages:
     engines: {node: '>=18'}
     hasBin: true
 
-  config-master@3.1.0:
-    resolution: {integrity: sha512-n7LBL1zBzYdTpF1mx5DNcZnZn05CWIdsdvtPL4MosvqbBUK3Rq6VWEtGUuF3Y0s9/CIhMejezqlSkP6TnCJ/9g==}
-
   configstore@5.0.1:
     resolution: {integrity: sha512-aMKprgk5YhBNyH25hj8wGt2+D52Sw1DRRIzqBwLp2Ya9mFmY8KPvvtvmna8SxVR9JMZ4kzMD68N22vlaRpkeFA==}
     engines: {node: '>=8'}
@@ -3257,14 +3249,13 @@ packages:
     resolution: {integrity: sha512-+5j3R4wZJcEYZeXk30whc4ZU/+fWW9JMTNntVuMYpjZJ9n26Cxr0tUBXco1NRjVZRpRVvZ4DDKKKIHNYeUG9Dw==}
     engines: {node: 6.* || 8.* || >= 10.*}
 
-  consolidate@0.16.0:
-    resolution: {integrity: sha512-Nhl1wzCslqXYTJVDyJCu3ODohy9OfBMB5uD2BiBTzd7w+QY0lBzafkR8y8755yMYHAaMD4NuzbAw03/xzfw+eQ==}
-    engines: {node: '>= 0.10.0'}
-    deprecated: Please upgrade to consolidate v1.0.0+ as it has been modernized with several long-awaited fixes implemented. Maintenance is supported by Forward Email at https://forwardemail.net ; follow/watch https://github.com/ladjs/consolidate for updates and release changelog
+  consolidate@1.0.4:
+    resolution: {integrity: sha512-RuZ3xnqEDsxiwaoIkqVeeK3gg9qxw7+YKYX2tKhLs1eukVKMgSr4VYI3iYFsRHi4TloHYDlugrz3kvkjs3nynA==}
+    engines: {node: '>=14'}
     peerDependencies:
+      '@babel/core': ^7.22.5
       arc-templates: ^0.5.3
       atpl: '>=0.7.6'
-      babel-core: ^6.26.3
       bracket-template: ^1.1.5
       coffee-script: ^1.12.7
       dot: ^1.1.3
@@ -3280,14 +3271,12 @@ packages:
       handlebars: ^4.7.6
       hogan.js: ^3.0.2
       htmling: ^0.0.8
-      jade: ^1.11.0
       jazz: ^0.0.18
       jqtpl: ~1.1.0
       just: ^0.1.8
       liquid-node: ^3.0.1
       liquor: ^0.0.5
-      lodash: ^4.17.20
-      marko: ^3.14.4
+      lodash: 4.18.0
       mote: ^0.2.0
       mustache: ^4.0.1
       nunjucks: ^3.2.2
@@ -3295,33 +3284,30 @@ packages:
       pug: ^3.0.0
       qejs: ^3.0.5
       ractive: ^1.3.12
-      razor-tmpl: ^1.3.1
-      react: ^16.13.1
-      react-dom: ^16.13.1
+      react: '>=16.13.1'
+      react-dom: '>=16.13.1'
       slm: ^2.0.0
-      squirrelly: ^5.1.0
       swig: ^1.4.2
       swig-templates: ^2.0.3
       teacup: ^2.0.0
       templayed: '>=0.2.3'
-      then-jade: '*'
       then-pug: '*'
       tinyliquid: ^0.2.34
       toffee: ^0.3.6
       twig: ^1.15.2
       twing: ^5.0.2
-      underscore: 1.13.7
+      underscore: ^1.11.0
       vash: ^0.13.0
       velocityjs: ^2.0.1
       walrus: ^0.10.1
       whiskers: ^0.4.0
     peerDependenciesMeta:
+      '@babel/core':
+        optional: true
       arc-templates:
         optional: true
       atpl:
         optional: true
-      babel-core:
-        optional: true
       bracket-template:
         optional: true
       coffee-script:
@@ -3352,8 +3338,6 @@ packages:
         optional: true
       htmling:
         optional: true
-      jade:
-        optional: true
       jazz:
         optional: true
       jqtpl:
@@ -3366,8 +3350,6 @@ packages:
         optional: true
       lodash:
         optional: true
-      marko:
-        optional: true
       mote:
         optional: true
       mustache:
@@ -3382,16 +3364,12 @@ packages:
         optional: true
       ractive:
         optional: true
-      razor-tmpl:
-        optional: true
       react:
         optional: true
       react-dom:
         optional: true
       slm:
         optional: true
-      squirrelly:
-        optional: true
       swig:
         optional: true
       swig-templates:
@@ -3400,8 +3378,6 @@ packages:
         optional: true
       templayed:
         optional: true
-      then-jade:
-        optional: true
       then-pug:
         optional: true
       tinyliquid:
@@ -3427,6 +3403,10 @@ packages:
     resolution: {integrity: sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==}
     engines: {node: '>= 0.6'}
 
+  content-disposition@1.1.0:
+    resolution: {integrity: sha512-5jRCH9Z/+DRP7rkvY83B+yGIGX96OYdJmzngqnw2SBSxqCFPd0w2km3s5iawpGX8krnwSGmF0FW5Nhr0Hfai3g==}
+    engines: {node: '>=18'}
+
   content-tag@1.2.2:
     resolution: {integrity: sha512-9guqKIx2H+78N17otBpl8yLZbQGL5q1vBO/jDb3gF2JjixtcVpC62jDUNxjVMNoaZ09oxRX84ZOD6VX02qkVvg==}
 
@@ -3434,14 +3414,22 @@ packages:
     resolution: {integrity: sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==}
     engines: {node: '>= 0.6'}
 
+  content-type@2.0.0:
+    resolution: {integrity: sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==}
+    engines: {node: '>=18'}
+
   continuable-cache@0.3.1:
     resolution: {integrity: sha512-TF30kpKhTH8AGCG3dut0rdd/19B7Z+qCnrMoBLpyQu/2drZdNrrpcjPEoJeSVsQM+8KmWG5O56oPDjSSUsuTyA==}
 
   convert-source-map@2.0.0:
     resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==}
 
-  cookie-signature@1.0.6:
-    resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==}
+  cookie-signature@1.0.7:
+    resolution: {integrity: sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==}
+
+  cookie-signature@1.2.2:
+    resolution: {integrity: sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==}
+    engines: {node: '>=6.6.0'}
 
   cookie@0.7.2:
     resolution: {integrity: sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==}
@@ -3450,15 +3438,15 @@ packages:
   copy-dereference@1.0.0:
     resolution: {integrity: sha512-40TSLuhhbiKeszZhK9LfNdazC67Ue4kq/gGwN5sdxEUWPXTIMmKmGmgD9mPfNKVAeecEW+NfEIpBaZoACCQLLw==}
 
-  core-js-compat@3.42.0:
-    resolution: {integrity: sha512-bQasjMfyDGyaeWKBIu33lHh9qlSR0MFE/Nmc6nMjf/iU9b3rSMdAYz1Baxrv4lPdGUsTqZudHA4jIGSJy0SWZQ==}
+  core-js-compat@3.49.0:
+    resolution: {integrity: sha512-VQXt1jr9cBz03b331DFDCCP90b3fanciLkgiOoy8SBHy06gNf+vQ1A3WFLqG7I8TipYIKeYK9wxd0tUrvHcOZA==}
 
   core-js@2.6.12:
     resolution: {integrity: sha512-Kb2wC0fvsWfQrgk8HU5lW6U/Lcs8+9aaYcy4ZFc6DDlo4nZ7n70dEgE5rtR0oG6ufKDUnrwfWL1mXR5ljDatrQ==}
     deprecated: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
 
-  core-js@3.41.0:
-    resolution: {integrity: sha512-SJ4/EHwS36QMJd6h/Rg+GyR4A5xE0FSI3eZ+iBVpfqf1x0eTSg1smWLHrA+2jQThZSh97fmSgFSU8B61nxosxA==}
+  core-js@3.49.0:
+    resolution: {integrity: sha512-es1U2+YTtzpwkxVLwAFdSpaIMyQaq0PBgm3YD1W3Qpsn1NAmO3KSgZfu+oGSWVu6NvLHoHCV/aYcsE5wiB7ALg==}
 
   core-object@3.1.5:
     resolution: {integrity: sha512-sA2/4+/PZ/KV6CKgjrVrrUVBKCkdDO02CUlQ0YKTQoYUwPYNOtOAcWlbYhd5v/1JqYaA6oZ4sDlOU4ppVw6Wbg==}
@@ -3467,12 +3455,12 @@ packages:
   core-util-is@1.0.3:
     resolution: {integrity: sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==}
 
-  cors@2.8.5:
-    resolution: {integrity: sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==}
+  cors@2.8.6:
+    resolution: {integrity: sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==}
     engines: {node: '>= 0.10'}
 
-  cosmiconfig@9.0.0:
-    resolution: {integrity: sha512-itvL5h8RETACmOTFc4UfIyB2RfEHi71Ax6E/PivVxq9NseKbOWpeyHEOIbmAw1rs8Ak0VursQNww7lf7YtUwzg==}
+  cosmiconfig@9.0.1:
+    resolution: {integrity: sha512-hr4ihw+DBqcvrsEDioRO31Z17x71pUYoNe/4h6Z0wB72p7MU7/9gH8Q3s12NFhHPfYBBOV3qyfUxmr/Yn3shnQ==}
     engines: {node: '>=14'}
     peerDependencies:
       typescript: '>=4.9.5'
@@ -3495,9 +3483,9 @@ packages:
     resolution: {integrity: sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA==}
     engines: {node: '>=8'}
 
-  css-functions-list@3.2.3:
-    resolution: {integrity: sha512-IQOkD3hbR5KrN93MtcYuad6YPuTSUhntLHDuLEbFWE+ff2/XSZNdZG+LcbbIW5AXKg/WFIfYItIzVoHngHXZzA==}
-    engines: {node: '>=12 || >=16'}
+  css-functions-list@3.3.3:
+    resolution: {integrity: sha512-8HFEBPKhOpJPEPu70wJJetjKta86Gw9+CCyCnB3sui2qQfOvRyqBy4IKLKKAwdMpWb2lHXWk9Wb4Z6AmaUT1Pg==}
+    engines: {node: '>=12'}
 
   css-loader@5.2.7:
     resolution: {integrity: sha512-Q7mOvpBNBG7YrVGMxRxcBJZFL75o+cH2abNASdibkj/fffYD8qWbInZrD0S9ccI6vZclF3DsHE7njGlLtaHbhg==}
@@ -3509,8 +3497,8 @@ packages:
     resolution: {integrity: sha512-6Fv1DV/TYw//QF5IzQdqsNDjx/wc8TrMBZsqjL9eW01tWb7R7k/mq+/VXfJCl7SoD5emsJop9cOByJZfs8hYIw==}
     engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0}
 
-  css-tree@3.1.0:
-    resolution: {integrity: sha512-0eW44TGN5SQXU1mWSkKwFstI/22X2bG1nYzZTYMAWjylYURhse752YgbE4Cx46AC+bAvI+/dYTPRk1LqSUnu6w==}
+  css-tree@3.2.1:
+    resolution: {integrity: sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==}
     engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0}
 
   cssesc@3.0.0:
@@ -3518,8 +3506,8 @@ packages:
     engines: {node: '>=4'}
     hasBin: true
 
-  csstype@3.1.3:
-    resolution: {integrity: sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==}
+  csstype@3.2.3:
+    resolution: {integrity: sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==}
 
   d3-array@2.12.1:
     resolution: {integrity: sha512-B0ErZK/66mHtEsR1TkPEEkwdy+WDesimkM5gpZr5Dsg54BiTA5RXtYW5qTLIAcekaS9xfZrzBLF/OAkB3Qn1YQ==}
@@ -3540,8 +3528,8 @@ packages:
     resolution: {integrity: sha512-VE5S6TNa+j8msksl7HwjxMHDM2yNK3XCkusIlpX5kwauBfXuyLAtNg9jCp/iHH61tgI4sb6R/EIMWCqEIdjT/g==}
     engines: {node: '>=12'}
 
-  d3-cloud@1.2.8:
-    resolution: {integrity: sha512-K0qBFkgystNlgFW/ufdwIES5kDiC8cGJxMw4ULzN9UU511v89A6HXs1X8vUPxqurehzqJZS5KzZI4c8McT+4UA==}
+  d3-cloud@1.2.9:
+    resolution: {integrity: sha512-leL1GLneC9ZQtnV+6TGWrNlGfI1WX7S2arcTv2vae12DaXo5wjm6GBCkskXbrDlyOymd/A75Pyj1H37MW4BZ/Q==}
 
   d3-color@3.1.0:
     resolution: {integrity: sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA==}
@@ -3583,8 +3571,8 @@ packages:
     resolution: {integrity: sha512-zxV/SsA+U4yte8051P4ECydjD/S+qeYtnaIyAs9tgHCqfguma/aAQDjo85A9Z6EKhBirHRJHXIgJUlffT4wdLg==}
     engines: {node: '>=12'}
 
-  d3-format@3.1.0:
-    resolution: {integrity: sha512-YyUI6AEuY/Wpt8KWLgZHsIU86atmikuoOmCfommt0LYHiQSPjvX2AcFc38PX0CBpr2RCyZhjex+NS/LPOv6YqA==}
+  d3-format@3.1.2:
+    resolution: {integrity: sha512-AJDdYOdnyRDV5b6ArilzCPPwc1ejkHcoyFarqlPqT7zRYjhavcT3uSrqcMvsgh2CgoPbK3RCwyHaVyxYcP2Arg==}
     engines: {node: '>=12'}
 
   d3-geo@3.1.1:
@@ -3693,8 +3681,8 @@ packages:
   date-fns@3.6.0:
     resolution: {integrity: sha512-fRHTG8g/Gif+kSh50gaGEdToemgfj74aRX3swtiouboip5JDLAyDE9F11nHMIcvOaXeOC6D7SpNhi7uFyB7Uww==}
 
-  date-fns@4.1.0:
-    resolution: {integrity: sha512-Ukq0owbQXxa/U3EGtsdVBkR1w7KOQ5gIBqdH2hkvknzZPYvBxb/aa6E8L7tmjFtkwZBu3UXBbjIgPo/Ez4xaNg==}
+  date-fns@4.3.0:
+    resolution: {integrity: sha512-OYcL+3N/jyWbYdFGqoMAhytDgxP9pbYPUUiRCOgn4Fewaadk9l/Wam4Avciiyp2BgkpfQyBV9B+ehnVJych+eQ==}
 
   debug@2.6.9:
     resolution: {integrity: sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==}
@@ -3712,24 +3700,6 @@ packages:
       supports-color:
         optional: true
 
-  debug@4.3.7:
-    resolution: {integrity: sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==}
-    engines: {node: '>=6.0'}
-    peerDependencies:
-      supports-color: '*'
-    peerDependenciesMeta:
-      supports-color:
-        optional: true
-
-  debug@4.4.1:
-    resolution: {integrity: sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==}
-    engines: {node: '>=6.0'}
-    peerDependencies:
-      supports-color: '*'
-    peerDependenciesMeta:
-      supports-color:
-        optional: true
-
   debug@4.4.3:
     resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
     engines: {node: '>=6.0'}
@@ -3746,15 +3716,14 @@ packages:
     resolution: {integrity: sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==}
     engines: {node: '>=0.10.0'}
 
+  decimal.js@10.6.0:
+    resolution: {integrity: sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==}
+
   decorator-transforms@1.2.1:
     resolution: {integrity: sha512-UUtmyfdlHvYoX3VSG1w5rbvBQ2r5TX1JsE4hmKU9snleFymadA3VACjl6SRfi9YgBCSjBbfQvR1bs9PRW9yBKw==}
 
-  decorator-transforms@2.3.0:
-    resolution: {integrity: sha512-jo8c1ss9yFPudHuYYcrJ9jpkDZIoi+lOGvt+Uyp9B+dz32i50icRMx9Bfa8hEt7TnX1FyKWKkjV+cUdT/ep2kA==}
-
-  deep-extend@0.6.0:
-    resolution: {integrity: sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==}
-    engines: {node: '>=4.0.0'}
+  decorator-transforms@2.3.2:
+    resolution: {integrity: sha512-XcErcjlmCzG5ODgYjt6ZTXwd6S8fPKln/sJmw15ZXkWG2JpoQNwszis+AwF6XSGlOoG7g8MCEO97g+Yw3fk5OQ==}
 
   deep-is@0.1.4:
     resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==}
@@ -3770,11 +3739,8 @@ packages:
     resolution: {integrity: sha512-8QmQKqEASLd5nx0U1B1okLElbUuuttJ/AnYmRXbbbGDWh6uS208EjD4Xqq/I9wK7u0v6O08XhTWnt5XtEbR6Dg==}
     engines: {node: '>= 0.4'}
 
-  delaunator@5.0.1:
-    resolution: {integrity: sha512-8nvh+XBe96aCESrGOqMp/84b13H9cdKbG5P2ejQCh4d4sK9RL4371qou9drQjMhvnPmhWl5hnmqbEE0fXr9Xnw==}
-
-  delegates@1.0.0:
-    resolution: {integrity: sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==}
+  delaunator@5.1.0:
+    resolution: {integrity: sha512-AGrQ4QSgssa1NGmWmLPqN5NY2KajF5MqxetNEO+o0n3ZwZZeTmt7bBnvzHWrmkZFxGgr4HdyFgelzgi06otLuQ==}
 
   depd@1.1.2:
     resolution: {integrity: sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==}
@@ -3796,17 +3762,16 @@ packages:
     resolution: {integrity: sha512-reYkTUJAZb9gUuZ2RvVCNhVHdg62RHnJ7WJl8ftMi4diZ6NWlciOzQN88pUhSELEwflJht4oQDv0F0BMlwaYtA==}
     engines: {node: '>=8'}
 
-  detect-libc@1.0.3:
-    resolution: {integrity: sha512-pGjwhsmsp4kL2RTz08wcOlGN83otlqHeD/Z5T8GXZB+/YcpQ/dgo+lbU8ZsGxV0HIvqqxo9l7mqYwyYMD9bKDg==}
-    engines: {node: '>=0.10'}
-    hasBin: true
+  detect-libc@2.1.2:
+    resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==}
+    engines: {node: '>=8'}
 
   detect-newline@3.1.0:
     resolution: {integrity: sha512-TLz+x/vEXm/Y7P7wn1EJFNLxYpUD4TgMosxY6fAVJUnJMbupHBOncxyWUG9OpTaH9EBD7uFI5LfEgmMOc54DsA==}
     engines: {node: '>=8'}
 
-  diff@5.2.0:
-    resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==}
+  diff@5.2.2:
+    resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==}
     engines: {node: '>=0.3.1'}
 
   diff@7.0.0:
@@ -3820,14 +3785,6 @@ packages:
   dlv@1.1.3:
     resolution: {integrity: sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==}
 
-  dmd@6.2.3:
-    resolution: {integrity: sha512-SIEkjrG7cZ9GWZQYk/mH+mWtcRPly/3ibVuXO/tP/MFoWz6KiRK77tSMq6YQBPl7RljPtXPQ/JhxbNuCdi1bNw==}
-    engines: {node: '>=12'}
-
-  doctoc@2.2.1:
-    resolution: {integrity: sha512-qNJ1gsuo7hH40vlXTVVrADm6pdg30bns/Mo7Nv1SxuXSM1bwF9b4xQ40a6EFT/L1cI+Yylbyi8MPI4G4y7XJzQ==}
-    hasBin: true
-
   doctrine@3.0.0:
     resolution: {integrity: sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==}
     engines: {node: '>=6.0.0'}
@@ -3835,21 +3792,11 @@ packages:
   dom-element-descriptors@0.5.1:
     resolution: {integrity: sha512-DLayMRQ+yJaziF4JJX1FMjwjdr7wdTr1y9XvZ+NfHELfOMcYDnCHneAYXAS4FT1gLILh4V0juMZohhH1N5FsoQ==}
 
-  dom-serializer@1.4.1:
-    resolution: {integrity: sha512-VHwB3KfrcOOkelEG2ZOfxqLZdfkil8PtJi4P8N2MMXucZq2yLp75ClViUlOVwyoHEDjYU433Aq+5zWP61+RGag==}
+  dompurify@3.3.3:
+    resolution: {integrity: sha512-Oj6pzI2+RqBfFG+qOaOLbFXLQ90ARpcGG6UePL82bJLtdsa6CYJD7nmiU8MW9nQNOtCHV3lZ/Bzq1X0QYbBZCA==}
 
-  domelementtype@2.3.0:
-    resolution: {integrity: sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==}
-
-  domhandler@4.3.1:
-    resolution: {integrity: sha512-GrwoxYN+uWlzO8uhUXRl0P+kHE4GtVPfYzVLcUxPL7KNdHKj66vvlhiweIHqYYXWlw+T8iLMp42Lm67ghw4WMQ==}
-    engines: {node: '>= 4'}
-
-  dompurify@3.2.6:
-    resolution: {integrity: sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ==}
-
-  domutils@2.8.0:
-    resolution: {integrity: sha512-w96Cjofp72M5IIhpjgobBimYEfoPjx1Vx0BSX9P30WBdZW2WIKU0T1Bd0kz2eNZ9ikjKgHbEyKx8BB6H1L3h3A==}
+  dompurify@3.4.6:
+    resolution: {integrity: sha512-+7gzEI8trIIQkVCvQ3ucGtNfH3nOmDgVTzc62rAAOlMxLth78pwpPoZCPc7CyRzAQF89MqcfPdEWkDwnjgqktg==}
 
   dot-case@3.0.4:
     resolution: {integrity: sha512-Kv5nKlh6yRrdrGvxeJ2e5y2eRUpkUosIW4A2AS38zwSz27zu7ufDwQPi5Jhs3XAlGNetl3bmnGhQsMtkKJnj3w==}
@@ -3876,15 +3823,15 @@ packages:
   ee-first@1.1.1:
     resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==}
 
-  electron-to-chromium@1.5.157:
-    resolution: {integrity: sha512-/0ybgsQd1muo8QlnuTpKwtl0oX5YMlUGbm8xyqgDU00motRkKFFbUJySAQBWcY79rVqNLWIWa87BGVGClwAB2w==}
+  electron-to-chromium@1.5.361:
+    resolution: {integrity: sha512-Q6Hts7N9FnJc5LeGRINFvLhCI9xZmNtTDe5ZbcVezQz7cU4a8Aua3GH1b8J2XY8Al9PF+OCwYqhgsOOheMdvkA==}
 
   ember-a11y-refocus@4.1.4:
     resolution: {integrity: sha512-51tGk30bskObL1LsGZRxzqIxgZhIE8ZvvDYcT1OWphxZlq00+Arz57aMLS4Vz4qhSE40BfeN2qFYP/gXtp9qDA==}
     engines: {node: 16.* || >= 18.*}
 
-  ember-a11y-testing@7.1.2:
-    resolution: {integrity: sha512-V30dZgfj3itq+4/H78livBN1X4wvYeCJnsPTnQFqZfgrQyEfCYLL6d96W0T4UoahQao+PFzJcR2P/CpMU9j5nw==}
+  ember-a11y-testing@7.1.3:
+    resolution: {integrity: sha512-3d4oqSGRBqYbX6nqcruLzfQrQSoLpRd5iinITusefylk1aQd7HJdoJLkL+En8YLqTt3DsUfImnX3svT0flMhsw==}
     engines: {node: 16.* || >= 18}
     peerDependencies:
       '@ember/test-helpers': ^3.0.3 || ^4.0.2 || ^5.0.0
@@ -3909,6 +3856,10 @@ packages:
     resolution: {integrity: sha512-bcBFDYVTFHyqyq8BNvsj6UO3pE6Uqou/cNmee0WaqBgZ+1nQqFz0UE26usrtnFAT+YaFZSkqF2H36QW84k0/cg==}
     engines: {node: 12.* || 14.* || >= 16}
 
+  ember-auto-import@2.13.1:
+    resolution: {integrity: sha512-MjxJK2nfCJmmQI/rju2TrycmAa1AxmTarfvygbcrrgW0s4WeZHtbGXCO2z1lW9wfrShqeTo/o+3Mgk+9xcDTWg==}
+    engines: {node: 12.* || 14.* || >= 16}
+
   ember-basic-dropdown@8.7.0:
     resolution: {integrity: sha512-M++bfghpFXVRs3A3VdEtHcrv41STf2Far8JWJf3Sukh41oWVm76P0R6ZXBPJ0MyCJwR2qlHgCn1QIesP3fSOpA==}
     peerDependencies:
@@ -3939,6 +3890,12 @@ packages:
     peerDependencies:
       '@babel/core': ^7.12.0
 
+  ember-cli-babel@8.3.1:
+    resolution: {integrity: sha512-Pxm5JP0jQ6fCBlXuh1BFmhrg2/5YXjhf16JI/n8ReOR6Nl+fEbudMpdO69LlqZRsMmTgdjCRmfSxMh26Wsw/rw==}
+    engines: {node: 16.* || 18.* || >= 20}
+    peerDependencies:
+      '@babel/core': ^7.12.0
+
   ember-cli-clean-css@3.0.0:
     resolution: {integrity: sha512-BbveJCyRvzzkaTH1llLW+MpHe/yzA5zpHOpMIg2vp/3JD9mban9zUm7lphaB0TSpPuMuby9rAhTI8pgXq0ifIA==}
     engines: {node: 16.* || >= 18}
@@ -4008,8 +3965,8 @@ packages:
   ember-cli-normalize-entity-name@1.0.0:
     resolution: {integrity: sha512-rF4P1rW2P1gVX1ynZYPmuIf7TnAFDiJmIUFI1Xz16VYykUAyiOCme0Y22LeZq8rTzwBMiwBwoE3RO4GYWehXZA==}
 
-  ember-cli-page-object@2.3.1:
-    resolution: {integrity: sha512-QHxGVpGcPwdYRxTLKbnI9I39KjR9CRfHxngogqqMpRaSx19Qq2YhHLc5JKaJIIyMU5NXVqPmVFRtFGDj0AU5fQ==}
+  ember-cli-page-object@2.3.2:
+    resolution: {integrity: sha512-4RfcDMq7mRKs1ZlTQ4wKHeA6u39XuxhzeRqbC0XWRZgFfBnUjlwlIvuyuNzUEnKR9l+uvWVDioGerLIZLLz78w==}
     engines: {node: 12.* || 14.* || >= 16}
     peerDependencies:
       '@ember/jquery': '*'
@@ -4143,11 +4100,8 @@ packages:
       ember-source: '>= 4.0.0'
       qunit: '*'
 
-  ember-focus-trap@1.1.1:
-    resolution: {integrity: sha512-5tOWu6eV1UoNZE+P9Gl9lJXNrENZVCoOXi52ePb7JOrOZ3ckOk1OkPsFwR4Jym9VJ7vZ6S3Z3D8BrkFa2aCpYw==}
-    engines: {node: 12.* || >= 14}
-    peerDependencies:
-      ember-source: '>= 4.0.0'
+  ember-focus-trap@1.2.0:
+    resolution: {integrity: sha512-+/AkXjWF9Qtv6a3tSZQvzFTF+vSoSNuWVemN8kbp4d3MmHWnbXzv5brd9wmAFFlp4yYRr2be7bVhNVxzJMLEhw==}
 
   ember-functions-as-helper-polyfill@2.1.3:
     resolution: {integrity: sha512-Hte8jfOmSNzrz/vOchf68CGaBWXN2/5qKgFaylqr9omW2i4Wt9JmaBWRkeR0AJ53N57q3DX2TOb166Taq6QjiA==}
@@ -4167,6 +4121,15 @@ packages:
     resolution: {integrity: sha512-+oRstEa52mm0jAFzhr51/xtEWpCEykB3SEBr7vUg8YnXUZJ5hKNBppP938q8Zzr9XfJEbzrtDSGjhKwJCJv6FQ==}
     engines: {node: 10.* || 12.* || >= 14}
 
+  ember-intl@7.5.0:
+    resolution: {integrity: sha512-IzNE4gbY4fgLtCcVF5PQy+Sn+VeRQ/2B80h1/oKiLLfFJCh8/u/YMcmimbc4hrTNFl26Ti9WZpcSrSicV06OeA==}
+    engines: {node: 18.* || >= 20}
+    peerDependencies:
+      '@ember/test-helpers': ^2.9.4 || ^3.2.0 || ^4.0.0 || ^5.0.0
+    peerDependenciesMeta:
+      '@ember/test-helpers':
+        optional: true
+
   ember-load-initializers@3.0.1:
     resolution: {integrity: sha512-qV3vxJKw5+7TVDdtdLPy8PhVsh58MlK8jwzqh5xeOwJPNP7o0+BlhvwoIlLYTPzGaHdfjEIFCgVSyMRGd74E1g==}
     engines: {node: '>= 18.*'}
@@ -4184,12 +4147,12 @@ packages:
   ember-modifier@4.2.2:
     resolution: {integrity: sha512-pPYBAGyczX0hedGWQFQOEiL9s45KS9efKxJxUQkMLjQyh+1Uef1mcmAGsdw2KmvNupITkE/nXxmVO1kZ9tt3ag==}
 
-  ember-power-select@8.12.0:
-    resolution: {integrity: sha512-U+raYh8gjXnO4Xg64s4eMU1XO7Y35YtMGbBRFQCZC8ey8CZhXwpjoYtIEee83ECvgvoXVNicGrOmayoY14sUmQ==}
+  ember-power-select@8.12.2:
+    resolution: {integrity: sha512-cbRUD2rbeaBiWpAaa7a+w7mC7RBWUopmjLAJUOh0gkI/+q2Py346RgOKoSttTv0qIpEprJYggmcPXh4b0R4Rqw==}
     peerDependencies:
       '@ember/test-helpers': ^2.9.4 || ^3.2.1 || ^4.0.2 || ^5.0.0
       '@glimmer/component': ^1.1.2 || ^2.0.0
-      ember-basic-dropdown: ^8.7.0
+      ember-basic-dropdown: ^8.9.0
       ember-concurrency: ^4.0.4 || ^5.1.0
 
   ember-qrcode-shim@0.4.0:
@@ -4301,16 +4264,17 @@ packages:
     resolution: {integrity: sha512-eL7lZat68E6P/D7b9UoTB5bB5Oh/0aju0Z7PCMi3aTwhaydRaxloE7TGrTRYU+NdJuyNVZXeGyxFxn2frvd3TA==}
     engines: {node: 12.* || >= 14}
 
+  ember-tracked-storage-polyfill@1.0.1:
+    resolution: {integrity: sha512-lr66R+1H9qMXIUXxwzpixS/qTwsMEpJXS5s2nOdvQP9U/JYuZT9MexpvLktSUQ1uWEhGQA8DDeeVh4R1CvLDFQ==}
+    engines: {node: 12.* || >= 14}
+
   ember-truth-helpers@4.0.3:
     resolution: {integrity: sha512-T6Ogd3pk9FxYiZfSxdjgn3Hb3Ksqgw7CD23V9qfig9jktNdkNEHo4+3PA3cSD/+3a2kdH3KmNvKyarVuzdtEkA==}
     peerDependencies:
       ember-source: '>=3.28.0'
 
-  emoji-regex@10.1.0:
-    resolution: {integrity: sha512-xAEnNCT3w2Tg6MA7ly6QqYJvEoY1tm9iIjJ3yMKK9JPlWuRHAMoe5iETwQnx3M9TVbFMfsrBgWKR+IsmswwNjg==}
-
-  emoji-regex@10.4.0:
-    resolution: {integrity: sha512-EC+0oUMY1Rqm4O6LLrgjtYDvcVYTy7chDnM4Q7030tP4Kwj3u/pR6gP9ygnp2CJMK5Gq+9Q2oqmrFJAz01DXjw==}
+  emoji-regex@10.6.0:
+    resolution: {integrity: sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==}
 
   emoji-regex@7.0.3:
     resolution: {integrity: sha512-CwBLREIQ7LvYFB0WyRvwhq5N5qPhc6PMjD6bYggFlI5YyDgl+0vxq5VHbMOFqLg7hfWzmu8T5Z1QofhmTIhItA==}
@@ -4333,19 +4297,19 @@ packages:
     resolution: {integrity: sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==}
     engines: {node: '>= 0.8'}
 
-  end-of-stream@1.4.4:
-    resolution: {integrity: sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==}
+  end-of-stream@1.4.5:
+    resolution: {integrity: sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==}
 
   engine.io-parser@5.2.3:
     resolution: {integrity: sha512-HqD3yTBfnBxIrbnM1DoD6Pcq8NECnh8d4As1Qgh0z5Gg3jRRIqijury0CL3ghu/edArpUYiYqQiDUQBIs4np3Q==}
     engines: {node: '>=10.0.0'}
 
-  engine.io@6.6.4:
-    resolution: {integrity: sha512-ZCkIjSYNDyGn0R6ewHDtXgns/Zre/NT6Agvq1/WobF7JXgFff4SeDroKiCO3fNJreU9YG429Sc81o4w5ok/W5g==}
+  engine.io@6.6.8:
+    resolution: {integrity: sha512-2agL3ueZhqxoVrfmntO8yuVj+uNSlIOnhykYHk3Cq0ShYPdUjjUiSJrQvXjq01I9jAuI0Zl2YO8Evv5Mqytm5g==}
     engines: {node: '>=10.2.0'}
 
-  enhanced-resolve@5.18.1:
-    resolution: {integrity: sha512-ZSW3ma5GkcQBIpwZTSRAI8N71Uuwgs93IezB7mf7R60tC8ZbJideoDNKjHn2O9KIlx6rkGTTEk1xUCK2E1Y2Yg==}
+  enhanced-resolve@5.22.0:
+    resolution: {integrity: sha512-xYcDWrpELkFzz9SpZ3PlI6Eu6eD93Yf0WLDRxikGhWJ3MAir2SNZTIVCVZqZ/NUyx8AdMc2gT9C0gPiw18kG+A==}
     engines: {node: '>=10.13.0'}
 
   ensure-posix-path@1.1.1:
@@ -4354,10 +4318,6 @@ packages:
   entities@2.2.0:
     resolution: {integrity: sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==}
 
-  entities@3.0.1:
-    resolution: {integrity: sha512-WiyBqoomrwMdFG1e0kqvASYfnlb0lp8M5o5Fw2OFq1hNZxxcNk8Ik0Xm7LxzBhuidnZB/UtBqVCgUz3kBOP51Q==}
-    engines: {node: '>=0.12'}
-
   entities@4.5.0:
     resolution: {integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==}
     engines: {node: '>=0.12'}
@@ -4366,8 +4326,8 @@ packages:
     resolution: {integrity: sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==}
     engines: {node: '>=6'}
 
-  envinfo@7.15.0:
-    resolution: {integrity: sha512-chR+t7exF6y59kelhXw5I3849nTy7KIRO+ePdLMhCD+JRP/JvmkenDWP7QSFGlsHX+kxGxdDutOPrmj5j1HR6g==}
+  envinfo@7.21.0:
+    resolution: {integrity: sha512-Lw7I8Zp5YKHFCXL7+Dz95g4CcbMEpgvqZNNq3AmlT5XAV6CgAAk6gyAMqn2zjw08K9BHfcNuKrMiCPLByGafow==}
     engines: {node: '>=4'}
     hasBin: true
 
@@ -4379,18 +4339,18 @@ packages:
     resolution: {integrity: sha512-e64Qj9+4aZzjzzFpZC7p5kmm/ccCrbLhAJplhsDXQFs87XTsXwOpH4s1Io2s90Tau/8r2j9f4l/thhDevRjzxw==}
     engines: {node: '>=0.8'}
 
-  error-ex@1.3.2:
-    resolution: {integrity: sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==}
+  error-ex@1.3.4:
+    resolution: {integrity: sha512-sqQamAnR14VgCr1A618A3sGrygcpK+HEbenA/HiEAkkUwcZIIB/tgWqHFxWgOyDh4nB4JCRimh79dR5Ywc9MDQ==}
 
   error@7.2.1:
     resolution: {integrity: sha512-fo9HBvWnx3NGUKMvMwB/CBCMMrfEJgbDTVDEkPygA3Bdd3lM1OyCd+rbQ8BwnpF6GdVeOLDNmyL4N5Bg80ZvdA==}
 
-  errorhandler@1.5.1:
-    resolution: {integrity: sha512-rcOwbfvP1WTViVoUjcfZicVzjhjTuhSMntHh6mW3IrEiyE6mJyXvsToJUJGlGlw/2xU9P5whlWNGlIDVeCiT4A==}
+  errorhandler@1.5.2:
+    resolution: {integrity: sha512-kNAL7hESndBCrWwS72QyV3IVOTrVmj9D062FV5BQswNL5zEdeRmz/WJFyh6Aj/plvvSOrzddkxW57HgkZcR9Fw==}
     engines: {node: '>= 0.8'}
 
-  es-abstract@1.23.10:
-    resolution: {integrity: sha512-MtUbM072wlJNyeYAe0mhzrD+M6DIJa96CZAOBBrhDbgKnB4MApIKefcyAB1eOdYn8cUNZgvwBvEzdoAYsxgEIw==}
+  es-abstract@1.24.2:
+    resolution: {integrity: sha512-2FpH9Q5i2RRwyEP1AylXe6nYLR5OhaJTZwmlcP0dL/+JCbgg7yyEo/sEK6HeGZRf3dFpWwThaRHVApXSkW3xeg==}
     engines: {node: '>= 0.4'}
 
   es-define-property@1.0.1:
@@ -4401,11 +4361,11 @@ packages:
     resolution: {integrity: sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==}
     engines: {node: '>= 0.4'}
 
-  es-module-lexer@1.7.0:
-    resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==}
+  es-module-lexer@2.1.0:
+    resolution: {integrity: sha512-n27zTYMjYu1aj4MjCWzSP7G9r75utsaoc8m61weK+W8JMBGGQybd43GstCXZ3WNmSFtGT9wi59qQTW6mhTR5LQ==}
 
-  es-object-atoms@1.1.1:
-    resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==}
+  es-object-atoms@1.1.2:
+    resolution: {integrity: sha512-HWcBoN6NileqtSydK2FqHbS/LoDd2pqrnQHLyJzBj4kOp/ky2MWMN694xOfkK8/SnUsW2DH7EfyVlydKCsm1Zw==}
     engines: {node: '>= 0.4'}
 
   es-set-tostringtag@2.1.0:
@@ -4441,8 +4401,8 @@ packages:
     peerDependencies:
       eslint: '>=6.0.0'
 
-  eslint-config-prettier@9.1.0:
-    resolution: {integrity: sha512-NSWl5BFQWEPi1j4TjVNItzYV7dZXZ+wP6I6ZhrBGpChQhZRUaElihE9uRRkcbRnNb76UMKDF3r+WTmNcGPKsqw==}
+  eslint-config-prettier@9.1.2:
+    resolution: {integrity: sha512-iI1f+D2ViGn+uvv5HuHVUamg8ll4tN+JRHGc6IJi4TP9Kl976C57fzPXgseXNs8v0iA8aSJpHsTWjDb9QJamGQ==}
     hasBin: true
     peerDependencies:
       eslint: '>=7.0.0'
@@ -4500,13 +4460,11 @@ packages:
     resolution: {integrity: sha512-dOt21O7lTMhDM+X9mB4GX+DZrZtCUJPL/wlcTqxyrx5IvO0IYtILdtrQGQp+8n5S0gwSVmOf9NQrjMOgfQZlIg==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
 
-  eslint-utils@1.4.3:
-    resolution: {integrity: sha512-fbBN5W2xdY45KulGXmLHZ3c3FHfVYmKg0IrAKGOkT/464PQsx2UeIzfz1RmEci+KLm1bBaAzZAh8+/E+XAeZ8Q==}
-    engines: {node: '>=6'}
-
-  eslint-visitor-keys@1.3.0:
-    resolution: {integrity: sha512-6J72N8UNa462wa/KFODt/PJ3IU60SDpC3QXC1Hjc1BXXpfL2C9R5+AU7jhe0F6GREqVMh4Juu+NY7xn+6dipUQ==}
-    engines: {node: '>=4'}
+  eslint-utils@3.0.0:
+    resolution: {integrity: sha512-uuQC43IGctw68pJA1RgbQS8/NP7rch6Cwd4j3ZBtgo4/8Flj4eGE7ZYSZRN3iq5pVUv6GPdW5Z1RFleo84uLDA==}
+    engines: {node: ^10.0.0 || ^12.0.0 || >= 14.0.0}
+    peerDependencies:
+      eslint: '>=5'
 
   eslint-visitor-keys@2.1.0:
     resolution: {integrity: sha512-0rSmRBzXgDzIsD6mGdJgevzgezI534Cer5L/vyMX0kHzT/jiB43jRhd9YUlMGYLQy2zprNmoT8qasCGtY+QaKw==}
@@ -4540,10 +4498,6 @@ packages:
     engines: {node: '>=4'}
     hasBin: true
 
-  esquery@1.6.0:
-    resolution: {integrity: sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==}
-    engines: {node: '>=0.10'}
-
   esquery@1.7.0:
     resolution: {integrity: sha512-Ap6G0WQwcU/LHsvLwON1fAQX9Zp0A2Y6Y/cJBl9r/JbW90Zyg4/zbG6zzKa2OTALELarYHmKu0GhpM5EO+7T0g==}
     engines: {node: '>=0.10'}
@@ -4574,11 +4528,12 @@ packages:
   eventemitter3@4.0.7:
     resolution: {integrity: sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==}
 
-  eventemitter3@5.0.1:
-    resolution: {integrity: sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==}
+  eventemitter3@5.0.4:
+    resolution: {integrity: sha512-mlsTRyGaPBjPedk6Bvw+aqbsXDtoAyAzm5MO7JgU+yVRyMQ5O8bD4Kcci7BS85f93veegeCPkL8R4GLClnjLFw==}
 
-  events-to-array@1.1.2:
-    resolution: {integrity: sha512-inRWzRY7nG+aXZxBzEqYKB3HPgwflZRopAjDCHv0whhRx+MTUr1ei0ICZUypdyE0HRm4L2d5VEcIqLD6yl+BFA==}
+  events-to-array@2.0.3:
+    resolution: {integrity: sha512-f/qE2gImHRa4Cp2y1stEOSgw8wTFyUdVJX7G//bMwbaV9JqISFxg99NbmVQeP7YLnDUZ2un851jlaDrlpmGehQ==}
+    engines: {node: '>=12'}
 
   events@3.3.0:
     resolution: {integrity: sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q==}
@@ -4607,6 +4562,10 @@ packages:
     resolution: {integrity: sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==}
     engines: {node: '>=16.17'}
 
+  execa@9.6.1:
+    resolution: {integrity: sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==}
+    engines: {node: ^18.19.0 || >=20.5.0}
+
   exit@0.1.2:
     resolution: {integrity: sha512-Zk/eNKV2zbjpKzrsQ+n1G6poVbErQxJ0LBOJXaKZ1EViLzH+hrLu9cdXI4zw9dBQJslwBEpbQ2P1oS7nDxs6jQ==}
     engines: {node: '>= 0.8.0'}
@@ -4615,10 +4574,14 @@ packages:
     resolution: {integrity: sha512-A5EmesHW6rfnZ9ysHQjPdJRni0SRar0tjtG5MNtm9n5TUvsYU8oozprtRD4AqHxcZWWlVuAmQo2nWKfN9oyjTw==}
     engines: {node: '>=0.10.0'}
 
-  express@4.22.1:
-    resolution: {integrity: sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==}
+  express@4.22.2:
+    resolution: {integrity: sha512-IuL+Elrou2ZvCFHs18/CIzy2Nzvo25nZ1/D2eIZlz7c+QUayAcYoiM2BthCjs+EBHVpjYjcuLDAiCWgeIX3X1Q==}
     engines: {node: '>= 0.10.0'}
 
+  express@5.2.1:
+    resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==}
+    engines: {node: '>= 18'}
+
   extend@3.0.2:
     resolution: {integrity: sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==}
 
@@ -4656,15 +4619,15 @@ packages:
     resolution: {integrity: sha512-7h9/x25c6AQwdU3mA8MZDUMR3UCy50f237egBrBkuwjnUZSmfu4ptCf91PZSKzON2Uh5VvIHozYKWcPPgcjxIw==}
     engines: {node: 10.* || >= 12.*}
 
-  fast-uri@3.0.6:
-    resolution: {integrity: sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==}
+  fast-uri@3.1.2:
+    resolution: {integrity: sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==}
 
   fastest-levenshtein@1.0.16:
     resolution: {integrity: sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==}
     engines: {node: '>= 4.9.1'}
 
-  fastq@1.19.1:
-    resolution: {integrity: sha512-GwLTyxkCXjXbxqIhTsMI2Nui8huMPtnxg7krajPJAjnEG/iiOS7i+zCtWGZR9G0NBKbXKh6X9m9UIsYX/N6vvQ==}
+  fastq@1.20.1:
+    resolution: {integrity: sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==}
 
   fault@1.0.4:
     resolution: {integrity: sha512-CJ0HCB5tL5fYTEA7ToAq5+kTwd++Borf1/bifxd9iT70QcXr4MRrO3Llf8Ifs70q+SJcGHFtnIE/Nw6giCtECA==}
@@ -4687,17 +4650,17 @@ packages:
     resolution: {integrity: sha512-yaduQFRKLXYOGgEn6AZau90j3ggSOyiqXU0F9JZfeXYhNa+Jk4X+s45A2zg5jns87GAFa34BBm2kXw4XpNcbdg==}
     engines: {node: '>=8'}
 
-  file-entry-cache@10.1.0:
-    resolution: {integrity: sha512-Et/ex6smi3wOOB+n5mek+Grf7P2AxZR5ueqRUvAAn4qkyatXi3cUC1cuQXVkX0VlzBVsN4BkWJFmY/fYiRTdww==}
+  figures@6.1.0:
+    resolution: {integrity: sha512-d+l3qxjSesT4V7v2fh+QnmFnUWv9lSpjarhShNTgBOfA0ttejbQUAlHLitbjkoRiDulW0OPoQPYIGhIC8ohejg==}
+    engines: {node: '>=18'}
+
+  file-entry-cache@10.1.4:
+    resolution: {integrity: sha512-5XRUFc0WTtUbjfGzEwXc42tiGxQHBmtbUG1h9L2apu4SulCGN3Hqm//9D6FAolf8MYNL7f/YlJl9vy08pj5JuA==}
 
   file-entry-cache@6.0.1:
     resolution: {integrity: sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==}
     engines: {node: ^10.12.0 || >=12.0.0}
 
-  file-set@4.0.2:
-    resolution: {integrity: sha512-fuxEgzk4L8waGXaAkd8cMr73Pm0FxOVkn8hztzUW7BAHhOGH90viQNXbiOsnecCWmfInqU6YmAMwxRMdKETceQ==}
-    engines: {node: '>=10'}
-
   filesize@10.1.6:
     resolution: {integrity: sha512-sJslQKU2uM33qH5nqewAwVB2QgR6w1aMNsYUp3aN5rMRyXEwJGmZvaWzeJFNTOXWlHQyBFCWrdj3fV/fsTOX8w==}
     engines: {node: '>= 10.4.0'}
@@ -4714,10 +4677,14 @@ packages:
     resolution: {integrity: sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==}
     engines: {node: '>= 0.8'}
 
-  finalhandler@1.3.1:
-    resolution: {integrity: sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==}
+  finalhandler@1.3.2:
+    resolution: {integrity: sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==}
     engines: {node: '>= 0.8'}
 
+  finalhandler@2.1.1:
+    resolution: {integrity: sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==}
+    engines: {node: '>= 18.0.0'}
+
   find-babel-config@1.2.2:
     resolution: {integrity: sha512-oK59njMyw2y3yxto1BCfVK7MQp/OYf4FleHu0RgosH3riFJ1aOuo/7naLDLAObfrgn3ueFhw5sAT/cp0QuJI3Q==}
     engines: {node: '>=4.0.0'}
@@ -4732,19 +4699,6 @@ packages:
   find-index@1.1.1:
     resolution: {integrity: sha512-XYKutXMrIK99YMUPf91KX5QVJoG31/OsgftD6YoTPAObfQIxM4ziA9f0J1AsqKhJmo+IeaIPP0CFopTD4bdUBw==}
 
-  find-replace@3.0.0:
-    resolution: {integrity: sha512-6Tb2myMioCAgv5kfvP5/PkZZ/ntTpVK39fHY7WkWBgvbeE+VHd/tZuZ4mrC+bxh4cfOZeYKVPaJIZtZXV7GNCQ==}
-    engines: {node: '>=4.0.0'}
-
-  find-replace@5.0.2:
-    resolution: {integrity: sha512-Y45BAiE3mz2QsrN2fb5QEtO4qb44NcS7en/0y9PEVsg351HsLeVclP8QPMH79Le9sH3rs5RSwJu99W0WPZO43Q==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@75lb/nature': latest
-    peerDependenciesMeta:
-      '@75lb/nature':
-        optional: true
-
   find-up@2.1.0:
     resolution: {integrity: sha512-NWzkk0jSJtTt08+FBFMvXoeZnOJD+jTtsRmBYbAIzJdX6l7dLgR7CTubCM5/eDdPUBvLCeVasP1brfVR/9/EZQ==}
     engines: {node: '>=4'}
@@ -4776,9 +4730,6 @@ packages:
     resolution: {integrity: sha512-6jvvn/12IC4quLBL1KNokxC7wWTvYncaVUYSoxWw7YykPLuRrnv4qdHcSOywOI5RpkOVGeQRtWM8/q+G6W6qfQ==}
     engines: {node: '>= 8'}
 
-  fireworm@0.7.2:
-    resolution: {integrity: sha512-GjebTzq+NKKhfmDxjKq3RXwQcN9xRmZWhnnuC9L+/x5wBQtR0aaQM50HsjrzJ2wc28v1vSdfOpELok0TKR4ddg==}
-
   fixturify-project@1.10.0:
     resolution: {integrity: sha512-L1k9uiBQuN0Yr8tA9Noy2VSQ0dfg0B8qMdvT7Wb5WQKc7f3dn3bzCbSrqlb+etLW+KDV4cBC7R1OvcMg3kcxmA==}
 
@@ -4801,21 +4752,21 @@ packages:
     resolution: {integrity: sha512-CYcENa+FtcUKLmhhqyctpclsq7QF38pKjZHsGNiSQF5r4FtoKDWabFDl3hzaEQMvT1LHEysw5twgLvpYYb4vbw==}
     engines: {node: ^10.12.0 || >=12.0.0}
 
-  flat-cache@6.1.9:
-    resolution: {integrity: sha512-DUqiKkTlAfhtl7g78IuwqYM+YqvT+as0mY+EVk6mfimy19U79pJCzDZQsnqk3Ou/T6hFXWLGbwbADzD/c8Tydg==}
+  flat-cache@6.1.22:
+    resolution: {integrity: sha512-N2dnzVJIphnNsjHcrxGW7DePckJ6haPrSFqpsBUhHYgwtKGVq4JrBGielEGD2fCVnsGm1zlBVZ8wGhkyuetgug==}
 
   flat@5.0.2:
     resolution: {integrity: sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ==}
     hasBin: true
 
-  flatted@3.3.3:
-    resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==}
+  flatted@3.4.2:
+    resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==}
 
-  focus-trap@6.9.4:
-    resolution: {integrity: sha512-v2NTsZe2FF59Y+sDykKY+XjqZ0cPfhq/hikWVL88BqLivnNiEffAsac6rP6H45ff9wG9LL5ToiDqrLEP9GX9mw==}
+  focus-trap@7.8.0:
+    resolution: {integrity: sha512-/yNdlIkpWbM0ptxno3ONTuf+2g318kh2ez3KSeZN5dZ8YC6AAmgeWz+GasYYiBJPFaYcSAPeu4GfhUaChzIJXA==}
 
-  follow-redirects@1.15.9:
-    resolution: {integrity: sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==}
+  follow-redirects@1.16.0:
+    resolution: {integrity: sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==}
     engines: {node: '>=4.0'}
     peerDependencies:
       debug: '*'
@@ -4843,6 +4794,10 @@ packages:
     resolution: {integrity: sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==}
     engines: {node: '>= 0.6'}
 
+  fresh@2.0.0:
+    resolution: {integrity: sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==}
+    engines: {node: '>= 0.8'}
+
   fs-extra@0.24.0:
     resolution: {integrity: sha512-w1RvhdLZdU9V3vQdL+RooGlo6b9R9WVoBanOfoJvosWlqSKvrjFlci2oVhwvLwZXBtM7khyPvZ8r3fwsim3o0A==}
 
@@ -4853,8 +4808,8 @@ packages:
     resolution: {integrity: sha512-oRXApq54ETRj4eMiFzGnHWGy+zo5raudjuxN0b8H7s/RU2oW0Wvsx9O0ACRN/kRq9E8Vu/ReskGB5o3ji+FzHQ==}
     engines: {node: '>=12'}
 
-  fs-extra@11.3.0:
-    resolution: {integrity: sha512-Z4XaCL6dUDHfP/jT25jJKMmtxvuwbkrD1vNSMFlo9lNLY2c5FHYSQgHPRZUjAB26TpDEoW9HCOgplrdbaPV/ew==}
+  fs-extra@11.3.5:
+    resolution: {integrity: sha512-eKpRKAovdpZtR1WopLHxlBWvAgPny3c4gX1G5Jhwmmw4XJj0ifSD5qB5TOo8hmA0wlRKDAOAhEE1yVPgs6Fgcg==}
     engines: {node: '>=14.14'}
 
   fs-extra@3.0.1:
@@ -4884,10 +4839,6 @@ packages:
   fs-readdir-recursive@1.1.0:
     resolution: {integrity: sha512-GNanXlVr2pf02+sPN40XN8HG+ePaNcvM0q5mZBd668Obwb0yD5GiUbZOFgwn8kGMY6I3mdyDJzieUy3PTYyTRA==}
 
-  fs-then-native@2.0.0:
-    resolution: {integrity: sha512-X712jAOaWXkemQCAmWeg5rOT2i+KOpWz1Z/txk/cW0qlOu2oQ9H61vc5w3X/iyuUEfq/OyaFJ78/cZAQD1/bgA==}
-    engines: {node: '>=4.0.0'}
-
   fs-tree-diff@0.5.9:
     resolution: {integrity: sha512-872G8ax0kHh01m9n/2KDzgYwouKza0Ad9iFltBpNykvROvf2AGtoOzPJgGx125aolGPER3JuC7uZFrQ7bG1AZw==}
 
@@ -4926,16 +4877,19 @@ packages:
     resolution: {integrity: sha512-trLf4SzuuUxfusZADLINj+dE8clK1frKdmqiJNb1Es75fmI5oY6X2mxLVUciLLjxqw/xr72Dhy+lER6dGd02FQ==}
     engines: {node: '>=10'}
 
-  gauge@4.0.4:
-    resolution: {integrity: sha512-f9m+BEN5jkg6a0fZjleidjN51VE1X+mPFQ2DJ0uv1V39oCLCbsGe6yjbBnp7eK7z/+GAon99a3nHuqbuuthyPg==}
-    engines: {node: ^12.13.0 || ^14.15.0 || >=16.0.0}
-    deprecated: This package is no longer supported.
+  fuse.js@7.3.0:
+    resolution: {integrity: sha512-plz8RVjfcDedTGfVngWH1jmJvBvAwi1v2jecfDerbEnMcmOYUEEwKFTHbNoCiYyzaK2Ws8lABkTCcRSqCY1q4w==}
+    engines: {node: '>=10'}
 
   gauge@5.0.2:
     resolution: {integrity: sha512-pMaFftXPtiGIHCJHdcUUx9Rby/rFT/Kkt3fIIGCs+9PMDIljSyRiqraTlxNtBReJRDfUefpa263RQ3vnp5G/LQ==}
     engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
     deprecated: This package is no longer supported.
 
+  generator-function@2.0.1:
+    resolution: {integrity: sha512-SFdFmIJi+ybC0vjlHN0ZGVGHc3lgE0DxPAT0djjVg+kjOnSqclqmj0KQ7ykTOLP6YxoqOvuAODGdcHJn+43q3g==}
+    engines: {node: '>= 0.4'}
+
   gensync@1.0.0-beta.2:
     resolution: {integrity: sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==}
     engines: {node: '>=6.9.0'}
@@ -4944,8 +4898,8 @@ packages:
     resolution: {integrity: sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==}
     engines: {node: 6.* || 8.* || >= 10.*}
 
-  get-east-asian-width@1.3.0:
-    resolution: {integrity: sha512-vpeMIQKxczTD/0s2CdEWHcb0eeJe6TFjxb+J5xgX7hScxqrGuyjmv4c1D4A/gelKfyox0gJJwIHF+fLjeaM8kQ==}
+  get-east-asian-width@1.6.0:
+    resolution: {integrity: sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==}
     engines: {node: '>=18'}
 
   get-intrinsic@1.3.0:
@@ -4984,12 +4938,16 @@ packages:
     resolution: {integrity: sha512-VaUJspBffn/LMCJVoMvSAdmscJyS1auj5Zulnn5UoYcY531UWmdwhRWkcGKnGU93m5HSXP9LP2usOryrBtQowA==}
     engines: {node: '>=16'}
 
+  get-stream@9.0.1:
+    resolution: {integrity: sha512-kVCxPF3vQM/N0B1PmoqVUqgHP+EeVjmZSQn+1oCRPxd2P21P2F19lIgbR3HBosbB1PUhOAoctJnfEn2GbN2eZA==}
+    engines: {node: '>=18'}
+
   get-symbol-description@1.1.0:
     resolution: {integrity: sha512-w9UMqWwJxHNOvoNzSJ2oPF5wvYcvP7jUvYzhp67yEhTi17ZDBBC1z9pTdGuzjD+EFIqLSYRweZjqfiPzQ06Ebg==}
     engines: {node: '>= 0.4'}
 
-  get-tsconfig@4.10.1:
-    resolution: {integrity: sha512-auHyJ4AgMz7vgS8Hp3N6HXSmlMdUyhSUrfBF16w153rxtLIEOE+HGqaBppczZvnHLqQJfiHotCYpNhl0lUROFQ==}
+  get-tsconfig@4.14.0:
+    resolution: {integrity: sha512-yTb+8DXzDREzgvYmh6s9vHsSVCHeC0G3PI5bEXNBHtmshPnO+S5O7qgLEOn0I5QvMy6kpZN8K1NKGyilLb93wA==}
 
   git-hooks-list@1.0.3:
     resolution: {integrity: sha512-Y7wLWcrLUXwk2noSka166byGCvhMtDRpgHdzCno1UQv/n/Hegp++a2xBWJL1lJarnKD3SWaljD+0z1ztqxuKyQ==}
@@ -5014,24 +4972,30 @@ packages:
 
   glob@10.5.0:
     resolution: {integrity: sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==}
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
     hasBin: true
 
+  glob@13.0.6:
+    resolution: {integrity: sha512-Wjlyrolmm8uDpm/ogGyXZXb1Z+Ca2B8NbJwqBVg0axK9GbBeoS7yGV6vjXnYdGm6X53iehEuxxbyiKp8QmN4Vw==}
+    engines: {node: 18 || 20 || >=22}
+
   glob@5.0.15:
     resolution: {integrity: sha512-c9IPMazfRITpmAAKi22dK1VKxGDX9ehhqfABDriL/lzO92xcUKEJPQHrVA/2YHSNFB4iFlykVmWvwo48nr3OxA==}
-    deprecated: Glob versions prior to v9 are no longer supported
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   glob@7.2.3:
     resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
-    deprecated: Glob versions prior to v9 are no longer supported
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   glob@8.1.0:
     resolution: {integrity: sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==}
     engines: {node: '>=12'}
-    deprecated: Glob versions prior to v9 are no longer supported
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   glob@9.3.5:
     resolution: {integrity: sha512-e1LleDykUz2Iu+MTYdkSsuWX8lvAjAcs0Xef0lNIu0S2wOAzuTxCJtcd9S3cijlwYF18EsU3rzb8jPVobxDh9Q==}
     engines: {node: '>=16 || 14 >=14.17'}
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   global-modules@1.0.0:
     resolution: {integrity: sha512-sKzpEkf11GpOFuw0Zzjzmt4B4UZwjOcG757PPvrfhxcLFbq0wpsgpOqxpxtxFiCG4DtG93M6XRVbF2oGdev7bg==}
@@ -5049,10 +5013,6 @@ packages:
     resolution: {integrity: sha512-awConJSVCHVGND6x3tmMaKcQvwXLhjdkmomy2W+Goaui8YPgYgXJZewhg3fWC+DlfqqQuWg8AwqjGTD2nAPVWg==}
     engines: {node: '>=6'}
 
-  globals@11.12.0:
-    resolution: {integrity: sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==}
-    engines: {node: '>=4'}
-
   globals@13.24.0:
     resolution: {integrity: sha512-AhO5QUcj8llrbG09iWhPU2B204J1xnPeL8kQmVorSsy+Sjj1sk8gIyh6cUocGmH4L0UuhAJy+hJMRA4mgA4mFQ==}
     engines: {node: '>=8'}
@@ -5101,8 +5061,8 @@ packages:
   growly@1.3.0:
     resolution: {integrity: sha512-+xGQY0YyAWCnqy7Cd++hc2JqMYzlm0dG30Jd0beaA64sROr8C4nt8Yc9V5Ro3avlSUDTN0ulqP/VBKi1/lLygw==}
 
-  handlebars@4.7.8:
-    resolution: {integrity: sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==}
+  handlebars@4.7.9:
+    resolution: {integrity: sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==}
     engines: {node: '>=0.4.7'}
     hasBin: true
 
@@ -5118,10 +5078,6 @@ packages:
     resolution: {integrity: sha512-R3pbpkcIqv2Pm3dUwgjclDRVmWpTJW2DcMzcIhEXEx1oh/CEMObMm3KLmRJOdvhM7o4uQBnwr8pzRK2sJWIqfg==}
     engines: {node: '>= 0.4'}
 
-  has-color@0.1.7:
-    resolution: {integrity: sha512-kaNz5OTAYYmt646Hkqw50/qyxP2vFnTVu5AQ1Zmk22Kk5+4Qx6BpO8+u7IKsML5fOsFk0ZT0AcCJNYwcvaLBvw==}
-    engines: {node: '>=0.10.0'}
-
   has-flag@3.0.0:
     resolution: {integrity: sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==}
     engines: {node: '>=4'}
@@ -5148,11 +5104,15 @@ packages:
   has-unicode@2.0.1:
     resolution: {integrity: sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==}
 
-  hash-for-dep@1.5.1:
-    resolution: {integrity: sha512-/dQ/A2cl7FBPI2pO0CANkvuuVi/IFS5oTyJ0PsOb6jW6WbVW1js5qJXMJTNbWHXBIPdFTWFbabjB+mE0d+gelw==}
+  hash-for-dep@1.5.2:
+    resolution: {integrity: sha512-+kJRJpgO+V8x6c3UQuzO+gzHu5euS8HDOIaIUsOPdQrVu7ajNKkMykbSC8O0VX3LuRnUNf4hHE0o/rJ+nB8czw==}
 
-  hasown@2.0.2:
-    resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
+  hashery@1.5.1:
+    resolution: {integrity: sha512-iZyKG96/JwPz1N55vj2Ie2vXbhu440zfUfJvSwEqEbeLluk7NnapfGqa7LH0mOsnDxTF85Mx8/dyR6HfqcbmbQ==}
+    engines: {node: '>=20'}
+
+  hasown@2.0.3:
+    resolution: {integrity: sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==}
     engines: {node: '>= 0.4'}
 
   hast-util-is-element@1.1.0:
@@ -5164,8 +5124,8 @@ packages:
   hast-util-whitespace@1.0.4:
     resolution: {integrity: sha512-I5GTdSfhYfAPNztx2xJRQpG8cuDSNt599/7YUn7Gx/WxNMsG+a835k97TDkFgk123cwjfwINaZknkKkphx/f2A==}
 
-  heimdalljs-fs-monitor@1.1.1:
-    resolution: {integrity: sha512-BHB8oOXLRlrIaON0MqJSEjGVPDyqt2Y6gu+w2PaEZjrCxeVtZG7etEZp7M4ZQ80HNvnr66KIQ2lot2qdeG8HgQ==}
+  heimdalljs-fs-monitor@1.1.2:
+    resolution: {integrity: sha512-M7OPf3Tu+ybhAXdiC07O1vUYFyhCgfew4L3vaG2nn4Be05xzNvtBcU6IKMTfHJ9AxWFa3w9rrmiJovkxHhpopw==}
 
   heimdalljs-graph@1.0.0:
     resolution: {integrity: sha512-v2AsTERBss0ukm/Qv4BmXrkwsT5x6M1V5Om6E8NcDQ/ruGkERsfsuLi5T8jx8qWzKMGYlwzAd7c/idymxRaPzA==}
@@ -5181,8 +5141,11 @@ packages:
     resolution: {integrity: sha512-eSmmWE5bZTK2Nou4g0AI3zZ9rswp7GRKoKXS1BLUkvPviOqs4YTN1djQIqrXy9k5gEtdLPy86JjRwsNM9tnDcA==}
     engines: {node: '>=0.10.0'}
 
-  hookified@1.9.0:
-    resolution: {integrity: sha512-2yEEGqphImtKIe1NXWEhu6yD3hlFR4Mxk4Mtp3XEyScpSt4pQ4ymmXA1zzxZpj99QkFK+nN0nzjeb2+RUi/6CQ==}
+  hookified@1.15.1:
+    resolution: {integrity: sha512-MvG/clsADq1GPM2KGo2nyfaWVyn9naPiXrqIe4jYjXNZQt238kWyOGrsyc/DmRAQ+Re6yeo6yX/yoNCG5KAEVg==}
+
+  hookified@2.2.0:
+    resolution: {integrity: sha512-p/LgFzRN5FeoD3DLS6bkUapeye6E4SI6yJs6KetENd18S+FBthqYq2amJUWpt5z0EQwwHemidjY5OqJGEKm5uA==}
 
   hosted-git-info@3.0.8:
     resolution: {integrity: sha512-aXpmwoOhRBrw6X3j0h5RloK4x1OzsxMPyxqIHyNfSe2pypkVTZFpEiRoSipPEPlMrh0HW/XsjkJ5WgnCirpNUw==}
@@ -5202,15 +5165,12 @@ packages:
   html-void-elements@1.0.5:
     resolution: {integrity: sha512-uE/TxKuyNIcx44cIWnjr/rfIATDH7ZaOMmstu0CwhFG1Dunhlp4OC6/NMbhiwoq5BpW0ubi303qnEk/PZj614w==}
 
-  htmlparser2@7.2.0:
-    resolution: {integrity: sha512-H7MImA4MS6cw7nbyURtLPO1Tms7C5H602LRETv95z1MxO/7CP7rDVROehUYeYBUYEON94NXXDEPmZuq+hX4sog==}
-
   http-errors@1.6.3:
     resolution: {integrity: sha512-lks+lVC8dgGyh97jxvxeYTWQFvh4uw4yC12gVl63Cg30sjPX4wuGcdkICVXDAESr6OJGjqGA8Iz5mkeN6zlD7A==}
     engines: {node: '>= 0.6'}
 
-  http-errors@2.0.0:
-    resolution: {integrity: sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==}
+  http-errors@2.0.1:
+    resolution: {integrity: sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==}
     engines: {node: '>= 0.8'}
 
   http-parser-js@0.5.10:
@@ -5235,6 +5195,10 @@ packages:
     resolution: {integrity: sha512-AXcZb6vzzrFAUE61HnN4mpLqd/cSIwNQjtNWR0euPm6y0iqx3G4gOXaIDdtdDwZmhwe82LA6+zinmW4UBWVePQ==}
     engines: {node: '>=16.17.0'}
 
+  human-signals@8.0.1:
+    resolution: {integrity: sha512-eKCa6bwnJhvxj14kZk5NCPc6Hb6BdsU9DZcOnmQKSnO1VKrfV0zCvtttPZUsBvjmNDn8rpcJfpwSYnHBjc95MQ==}
+    engines: {node: '>=18.18.0'}
+
   iconv-lite@0.4.24:
     resolution: {integrity: sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==}
     engines: {node: '>=0.10.0'}
@@ -5243,6 +5207,10 @@ packages:
     resolution: {integrity: sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==}
     engines: {node: '>=0.10.0'}
 
+  iconv-lite@0.7.2:
+    resolution: {integrity: sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==}
+    engines: {node: '>=0.10.0'}
+
   icss-utils@5.1.0:
     resolution: {integrity: sha512-soFhflCVWLfRNOPU3iv5Z9VUdT44xFRbzjLsEzSr5AQmgqPMTHdU3PMT1Cf1ssx8fLNJDA1juftYl+PUcv3MqA==}
     engines: {node: ^10 || ^12 || >= 14}
@@ -5256,12 +5224,12 @@ packages:
     resolution: {integrity: sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==}
     engines: {node: '>= 4'}
 
-  ignore@7.0.4:
-    resolution: {integrity: sha512-gJzzk+PQNznz8ysRrC0aOkBNVRBDtE1n53IqyqEf3PXrYwomFs5q4pGMizBMJF+ykh03insJ27hB8gSrD2Hn8A==}
+  ignore@7.0.5:
+    resolution: {integrity: sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==}
     engines: {node: '>= 4'}
 
-  immutable@5.1.2:
-    resolution: {integrity: sha512-qHKXW1q6liAk1Oys6umoaZbDRqjcjgSrbnrifHsfsttza7zcvRAsL7mMV6xWcyhwQy7Xj5v4hhbr6b+iDYwlmQ==}
+  immutable@5.1.5:
+    resolution: {integrity: sha512-t7xcm2siw+hlUM68I+UEOK+z84RzmN59as9DZ7P1l0994DKUWV7UXBMQZVxaoMSRQ+PBZbHCOoBt7a2wxOMt+A==}
 
   import-fresh@3.3.1:
     resolution: {integrity: sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ==}
@@ -5319,8 +5287,8 @@ packages:
     resolution: {integrity: sha512-JG3eIAj5V9CwcGvuOmoo6LB9kbAYT8HXffUl6memuszlwDC/qvFAJw49XJ5NROSFNPxp3iQg1GqkFhaY/CR0IA==}
     engines: {node: '>=8.0.0'}
 
-  inquirer@9.3.7:
-    resolution: {integrity: sha512-LJKFHCSeIRq9hanN14IlOtPSTe3lNES7TYDTE2xxdAy1LS5rYphajK1qtwvj3YmQXvvk0U2Vbmcni8P9EIQW9w==}
+  inquirer@9.3.8:
+    resolution: {integrity: sha512-pFGGdaHrmRKMh4WoDDSowddgjT1Vkl90atobmTeSmcPGdYiwikch/m/Ef5wRaiamHejtw0cUUMMerzDUXCci2w==}
     engines: {node: '>=18'}
 
   internal-slot@1.1.0:
@@ -5338,6 +5306,9 @@ packages:
     resolution: {integrity: sha512-6xwYfHbajpoF0xLW+iwLkhwgvLoZDfjYfoFNu8ftMoXINzwuymNLd9u/KmwtdT2GbR+/Cz66otEGEVVUHX9QLQ==}
     engines: {node: '>=10.13.0'}
 
+  intl-messageformat@10.7.18:
+    resolution: {integrity: sha512-m3Ofv/X/tV8Y3tHXLohcuVuhWKo7BBq62cqY15etqmLxg2DZ34AGGgQDeR+SCta2+zICb1NX83af0GJmbQ1++g==}
+
   invert-kv@3.0.1:
     resolution: {integrity: sha512-CYdFeFexxhv/Bcny+Q0BfOV+ltRlJcd4BBZBYFX/O0u4npJrgZtIcjokegtiSMAvlMTJ+Koq0GBCc//3bueQxw==}
     engines: {node: '>=8'}
@@ -5387,8 +5358,8 @@ packages:
     resolution: {integrity: sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==}
     engines: {node: '>= 0.4'}
 
-  is-core-module@2.16.1:
-    resolution: {integrity: sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==}
+  is-core-module@2.16.2:
+    resolution: {integrity: sha512-evOr8xfXKxE6qSR0hSXL2r3sd7ALj8+7jQEUvPYcm5sgZFdJ+AYzT6yNmJenvIYQBgIGwfwz08sL8zoL7yq2BA==}
     engines: {node: '>= 0.4'}
 
   is-data-view@1.0.2:
@@ -5427,12 +5398,12 @@ packages:
     resolution: {integrity: sha512-O4L094N2/dZ7xqVdrXhh9r1KODPJpFms8B5sGdJLPy664AgvXsreZUyCQQNItZRDlYug4xStLjNp/sz3HvBowQ==}
     engines: {node: '>=12'}
 
-  is-fullwidth-code-point@5.0.0:
-    resolution: {integrity: sha512-OVa3u9kkBbw7b8Xw5F9P+D/T9X+Z4+JruYVNapTjPYZYUznQ5YfWeFkOj606XYYW8yugTfC8Pj0hYqvi4ryAhA==}
+  is-fullwidth-code-point@5.1.0:
+    resolution: {integrity: sha512-5XHYaSyiqADb4RnZ1Bdad6cPp8Toise4TzEjcOYDHZkTCbKgiUl7WTUCpNWHuxmDt91wnsZBc9xinNzopv3JMQ==}
     engines: {node: '>=18'}
 
-  is-generator-function@1.1.0:
-    resolution: {integrity: sha512-nPUB5km40q9e8UfN/Zc24eLlzdSf9OfKByBw9CIdw4H1giPMeA0OIJvbchsCu4npfI2QcMVBsGEBHKZ7wLTWmQ==}
+  is-generator-function@1.1.2:
+    resolution: {integrity: sha512-upqt1SkGkODW9tsGNG5mtXTXtECizwtS2kA161M+gJPc1xdb/Ax629af6YrTwcOeQHbewrPNlE5Dx7kzvXTizA==}
     engines: {node: '>= 0.4'}
 
   is-git-url@1.0.0:
@@ -5461,6 +5432,10 @@ packages:
     resolution: {integrity: sha512-1Qed0/Hr2m+YqxnM09CjA2d/i6YZNfF6R2oRAOj36eUdS6qIV/huPJNSEpKbupewFs+ZsJlxsjjPbc0/afW6Lw==}
     engines: {node: '>= 0.4'}
 
+  is-negative-zero@2.0.3:
+    resolution: {integrity: sha512-5KoIu2Ngpyek75jXodFvnafB6DJgr3u8uuK0LEZJjrU19DrMD3EVERaR8sjz8CCGgpZvxPl9SuE1GMVPFHx1mw==}
+    engines: {node: '>= 0.4'}
+
   is-number-object@1.1.1:
     resolution: {integrity: sha512-lZhclumE1G6VYD8VHe35wFaIif+CTy5SJIi5+3y4psDgWu4wPDoBhF8NxUOinEc7pHgiTsT6MaBb92rKhhD+Xw==}
     engines: {node: '>= 0.4'}
@@ -5481,6 +5456,10 @@ packages:
     resolution: {integrity: sha512-YWnfyRwxL/+SsrWYfOpUtz5b3YD+nyfkHvjbcanzk8zgyO4ASD67uVMRt8k5bM4lLMDnXfriRhOpemw+NfT1eA==}
     engines: {node: '>=8'}
 
+  is-plain-obj@4.1.0:
+    resolution: {integrity: sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==}
+    engines: {node: '>=12'}
+
   is-plain-object@2.0.4:
     resolution: {integrity: sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==}
     engines: {node: '>=0.10.0'}
@@ -5489,6 +5468,9 @@ packages:
     resolution: {integrity: sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==}
     engines: {node: '>=0.10.0'}
 
+  is-promise@4.0.0:
+    resolution: {integrity: sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==}
+
   is-regex@1.2.1:
     resolution: {integrity: sha512-MjYsKHO5O7mCsmRGxWcLWheFqN9DJ/2TmngvjKXihe6efViPqc274+Fx/4fYj/r03+ESvBdTXK0V6tA3rgez1g==}
     engines: {node: '>= 0.4'}
@@ -5513,6 +5495,10 @@ packages:
     resolution: {integrity: sha512-LnQR4bZ9IADDRSkvpqMGvt/tEJWclzklNgSw48V5EAaAeDd6qGvN8ei6k5p0tvxSR171VmGyHuTiAOfxAbr8kA==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
+  is-stream@4.0.1:
+    resolution: {integrity: sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==}
+    engines: {node: '>=18'}
+
   is-string@1.1.1:
     resolution: {integrity: sha512-BtEeSsoaQjlSPBemMQIrY1MY0uM6vnS1g5fmufYOtnxLGUZM2178PKbhsk7Ffv58IX+ZtcvoGwccYsh0PglkAA==}
     engines: {node: '>= 0.4'}
@@ -5525,9 +5511,6 @@ packages:
     resolution: {integrity: sha512-9gGx6GTtCQM73BgmHQXfDmLtfjjTUDSyoxTCbp5WtoixAhfgsDirWIcVQ/IHpvI5Vgd5i/J5F7B9cN/WlVbC/w==}
     engines: {node: '>= 0.4'}
 
-  is-type@0.0.1:
-    resolution: {integrity: sha512-YwJh/zBVrcJ90aAnPBM0CbHvm7lG9ao7lIFeqTZ1UQj4iFLpM5CikdaU+dGGesrMJwxLqPGmjjrUrQ6Kn3Zh+w==}
-
   is-typed-array@1.1.15:
     resolution: {integrity: sha512-p3EcsicXjit7SaskXHs1hA91QxgTw46Fv6EFKKGS5DRFLD8yKnohjF3hxoju94b/OcMZoQukzpPpBE9uLVKzgQ==}
     engines: {node: '>= 0.4'}
@@ -5539,6 +5522,10 @@ packages:
     resolution: {integrity: sha512-knxG2q4UC3u8stRGyAVJCOdxFmv5DZiRcdlIaAQXAbSfJya+OhopNotLQrstBhququ4ZpuKbDc/8S6mgXgPFPw==}
     engines: {node: '>=10'}
 
+  is-unicode-supported@2.1.0:
+    resolution: {integrity: sha512-mE00Gnza5EEB3Ds0HfMyllZzbBrmLOX3vfWoj9A9PEnTfratQ/BcaJOuMhnkhjXvb2+FkY3VuHqtAGpTPmglFQ==}
+    engines: {node: '>=18'}
+
   is-weakmap@2.0.2:
     resolution: {integrity: sha512-K5pXYOm9wqY1RgjpL3YTkF39tni1XajUIkawTLUo9EZEVUFga5gSQJF8nNS7ZwJQ02y+1YCNYcMh+HIf1ZqE+w==}
     engines: {node: '>= 0.4'}
@@ -5568,8 +5555,8 @@ packages:
   isarray@2.0.5:
     resolution: {integrity: sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==}
 
-  isbinaryfile@5.0.4:
-    resolution: {integrity: sha512-YKBKVkKhty7s8rxddb40oOkuP0NbaeXrQvLin6QMHL7Ypiy2RW9LwOVrVgZRyOrhQlayMd9t+D8yDy8MKFTSDQ==}
+  isbinaryfile@5.0.7:
+    resolution: {integrity: sha512-gnWD14Jh3FzS3CPhF0AxNOJ8CxqeblPTADzI38r0wt8ZyQl5edpy75myt08EG2oKvpyiqSqsx+Wkz9vtkbTqYQ==}
     engines: {node: '>= 18.0.0'}
 
   isexe@2.0.0:
@@ -5608,49 +5595,19 @@ packages:
   js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
-  js-yaml@3.14.2:
-    resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==}
-    hasBin: true
-
   js-yaml@4.1.1:
     resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==}
     hasBin: true
 
-  js2xmlparser@4.0.2:
-    resolution: {integrity: sha512-6n4D8gLlLf1n5mNLQPRfViYzu9RATblzPEtm1SthMX1Pjao0r9YI9nw7ZIfRxQMERS87mcswrg+r/OYrPRX6jA==}
-
-  jsdoc-api@8.1.1:
-    resolution: {integrity: sha512-yas9E4h8NHp1CTEZiU/DPNAvLoUcip+Hl8Xi1RBYzHqSrgsF+mImAZNtwymrXvgbrgl4bNGBU9syulM0JzFeHQ==}
-    engines: {node: '>=12.17'}
-
   jsdoc-babel@0.5.0:
     resolution: {integrity: sha512-PYfTbc3LNTeR8TpZs2M94NLDWqARq0r9gx3SvuziJfmJS7/AeMKvtj0xjzOX0R/4MOVA7/FqQQK7d6U0iEoztQ==}
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  jsdoc-parse@6.2.4:
-    resolution: {integrity: sha512-MQA+lCe3ioZd0uGbyB3nDCDZcKgKC7m/Ivt0LgKZdUoOlMJxUWJQ3WI6GeyHp9ouznKaCjlp7CU9sw5k46yZTw==}
-    engines: {node: '>=12'}
-
   jsdoc-regex@1.0.1:
     resolution: {integrity: sha512-CMFgT3K8GbmChWEfLWe6jlv9x33E8wLPzBjxIlh/eHLMcnDF+TF3CL265ZGBe029o1QdFepwVrQu0WuqqNPncg==}
     engines: {node: '>=4.0'}
 
-  jsdoc-to-markdown@8.0.3:
-    resolution: {integrity: sha512-JGYYd5xygnQt1DIxH+HUI+X/ynL8qWihzIF0n15NSCNtM6MplzawURRcaLI2WkiS2hIjRIgsphCOfM7FkaWiNg==}
-    engines: {node: '>=12.17'}
-    hasBin: true
-
-  jsdoc@4.0.4:
-    resolution: {integrity: sha512-zeFezwyXeG4syyYHbvh1A967IAqq/67yXtXvuL5wnqCkFZe8I0vKfm+EO+YEvLguo6w9CDUbrAXVtJSHh2E8rw==}
-    engines: {node: '>=12.0.0'}
-    hasBin: true
-
-  jsesc@3.0.2:
-    resolution: {integrity: sha512-xKqzzWXDttJuOcawBt4KnKHHIf5oQ/Cxax+0PWFG+DFDgHNAdi+TXECADI+RYiFUMmx8792xsMbbgXj4CwnP4g==}
-    engines: {node: '>=6'}
-    hasBin: true
-
   jsesc@3.1.0:
     resolution: {integrity: sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==}
     engines: {node: '>=6'}
@@ -5697,22 +5654,17 @@ packages:
   jsonfile@4.0.0:
     resolution: {integrity: sha512-m6F1R3z8jjlf2imQHS2Qez5sjKWQzbuuhuJ/FKYFRZvPE3PuHcSMVZzfsLhGVOkfd20obL5SWEBew5ShlquNxg==}
 
-  jsonfile@6.1.0:
-    resolution: {integrity: sha512-5dgndWOriYSm5cnYaJNhalLNDKOqFwyDB/rr1E9ZsGciGvKPs8R2xYGCacuf3z6K1YKDz182fd+fY3cn3pMqXQ==}
+  jsonfile@6.2.1:
+    resolution: {integrity: sha512-zwOTdL3rFQ/lRdBnntKVOX6k5cKJwEc1HdilT71BWEu7J41gXIB2MRp+vxduPSwZJPWBxEzv4yH1wYLJGUHX4Q==}
 
   jsonify@0.0.1:
     resolution: {integrity: sha512-2/Ki0GcmuqSrgFyelQq9M05y7PS0mEwuIzrf3f1fPqkVDVRvZrPZtVSMHxdgo8Aq0sxAOb/cr2aqqA3LeWHVPg==}
 
-  jsonlint@1.6.3:
-    resolution: {integrity: sha512-jMVTMzP+7gU/IyC6hvKyWpUU8tmTkK5b3BPNuMI9U8Sit+YAWLlZwB6Y6YrdCxfg2kNz05p3XY3Bmm4m26Nv3A==}
-    engines: {node: '>= 0.6'}
-    hasBin: true
-
   keyv@4.5.4:
     resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==}
 
-  keyv@5.3.3:
-    resolution: {integrity: sha512-Rwu4+nXI9fqcxiEHtbkvoes2X+QfkTRo1TMkPfwzipGsJlJO/z69vqB4FNl9xJ3xCpAcbkvmEabZfPzrwN3+gQ==}
+  keyv@5.6.0:
+    resolution: {integrity: sha512-CYDD3SOtsHtyXeEORYRx2qBtpDJFjRTGXUtmNEMGyzYOKj1TE3tycdlho7kA1Ufx9OYWZzg52QFBGALTirzDSw==}
 
   kind-of@6.0.3:
     resolution: {integrity: sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==}
@@ -5721,9 +5673,6 @@ packages:
   klaw@1.3.1:
     resolution: {integrity: sha512-TED5xi9gGQjGpNnvRWknrwAB1eL5GciPfVFOt3Vk1OJCVDQbzuSfrF3hkUQKlsgKrG1F+0t5W0m+Fje1jIt8rw==}
 
-  klaw@3.0.0:
-    resolution: {integrity: sha512-0Fo5oir+O9jnXu5EefYbVK+mHMBeEVEy2cmctR1O1NECcCkPRreJKrS6Qt/j3KC2C148Dfo9i3pCmCMsdqGr0g==}
-
   known-css-properties@0.36.0:
     resolution: {integrity: sha512-A+9jP+IUmuQsNdsLdcg6Yt7voiMF/D4K83ew0OpJtpu+l34ef7LaohWV0Rc6KNvzw6ZDizkqfyB5JznZnzuKQA==}
 
@@ -5752,11 +5701,8 @@ packages:
   lines-and-columns@1.2.4:
     resolution: {integrity: sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==}
 
-  linkify-it@4.0.1:
-    resolution: {integrity: sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==}
-
-  linkify-it@5.0.0:
-    resolution: {integrity: sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==}
+  linkify-it@5.0.1:
+    resolution: {integrity: sha512-wVoTjP4Q6R0NW5hiZkVJaFZPWgtXfoGF+6LucL3/FtiNjmcHhYjEr5f1Kqjirc1nBW07J/ZuRFumqr2oqccEWg==}
 
   lint-staged@16.0.0:
     resolution: {integrity: sha512-sUCprePs6/rbx4vKC60Hez6X10HPkpDJaGcy3D1NdwR7g1RcNkWL8q9mJMreOqmHBTs+1sNFp+wOiX9fr+hoOQ==}
@@ -5770,8 +5716,8 @@ packages:
   livereload-js@3.4.1:
     resolution: {integrity: sha512-5MP0uUeVCec89ZbNOT/i97Mc+q3SxXmiUGhRFOTmhrGPn//uWVQdCvcLJDy64MSBR5MidFdOR7B9viumoavy6g==}
 
-  loader-runner@4.3.0:
-    resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==}
+  loader-runner@4.3.2:
+    resolution: {integrity: sha512-DFEqQ3ihfS9blba08cLfYf1NRAIEm+dDjic073DRDc3/JspI/8wYmtDsHwd3+4hwvdxSK7PGaElfTmm0awWJ4w==}
     engines: {node: '>=6.11.5'}
 
   loader-utils@2.0.4:
@@ -5801,43 +5747,19 @@ packages:
     resolution: {integrity: sha512-gvVijfZvn7R+2qyPX8mAuKcFGDf6Nc61GdvGafQsHL0sBIxfKzA+usWn4GFC/bk+QdwPUD4kWFJLhElipq+0VA==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
-  lodash-es@4.17.23:
-    resolution: {integrity: sha512-kVI48u3PZr38HdYz98UmfPnXl2DXrpdctLrFLCd3kOx1xUkOmpFPx7gCWWM5MPkL/fD8zb+Ph0QzjGFs4+hHWg==}
-
-  lodash._baseflatten@3.1.4:
-    resolution: {integrity: sha512-fESngZd+X4k+GbTxdMutf8ohQa0s3sJEHIcwtu4/LsIQ2JTDzdRxDCMQjW+ezzwRitLmHnacVVmosCbxifefbw==}
-
-  lodash._getnative@3.9.1:
-    resolution: {integrity: sha512-RrL9VxMEPyDMHOd9uFbvMe8X55X16/cGM5IgOKgRElQZutpX89iS6vwl64duTV1/16w5JY7tuFNXqoekmh1EmA==}
-
-  lodash._isiterateecall@3.0.9:
-    resolution: {integrity: sha512-De+ZbrMu6eThFti/CSzhRvTKMgQToLxbij58LMfM8JnYDNSOjkjTCIaa8ixglOeGh2nyPlakbt5bJWJ7gvpYlQ==}
+  lodash-es@4.18.0:
+    resolution: {integrity: sha512-koAgswPPA+UTaPN64Etp+PGP+WT6oqOS2NMi5yDkMaiGw9qY4VxQbQF0mtKMyr4BlTznWyzePV5UpECTJQmSUA==}
+    deprecated: Bad release. Please use lodash-es@4.17.23 instead.
 
   lodash.camelcase@4.3.0:
     resolution: {integrity: sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA==}
 
-  lodash.debounce@3.1.1:
-    resolution: {integrity: sha512-lcmJwMpdPAtChA4hfiwxTtgFeNAaow701wWUgVUqeD0XJF7vMXIN+bu/2FJSGxT0NUbZy9g9VFrlOFfPjl+0Ew==}
-
   lodash.debounce@4.0.8:
     resolution: {integrity: sha512-FT1yDzDYEoYWhnSGnpE/4Kj1fLZkDFyqRb7fNt6FdYOSxlUWAtp42Eh6Wb0rGIv/m9Bgo7x4GhQbm5Ys4SG5ow==}
 
   lodash.defaultsdeep@4.6.1:
     resolution: {integrity: sha512-3j8wdDzYuWO3lM3Reg03MuQR957t287Rpcxp1njpEa8oDrikb+FwGdW3n+FELh/A6qib6yPit0j/pv9G/yeAqA==}
 
-  lodash.flatten@3.0.2:
-    resolution: {integrity: sha512-jCXLoNcqQRbnT/KWZq2fIREHWeczrzpTR0vsycm96l/pu5hGeAntVBG0t7GuM/2wFqmnZs3d1eGptnAH2E8+xQ==}
-
-  lodash.get@4.4.2:
-    resolution: {integrity: sha512-z+Uw/vLuy6gQe8cfaFWD7p0wVv8fJl3mbzXh33RS+0oW2wvUqiRXiQ69gLWSLpgB5/6sU+r6BlQR0MBILadqTQ==}
-    deprecated: This package is deprecated. Use the optional chaining (?.) operator instead.
-
-  lodash.isarguments@3.1.0:
-    resolution: {integrity: sha512-chi4NHZlZqZD18a0imDHnZPrDeBbTtVN7GXMwuGdRH9qotxAjYs3aVLKc7zNOG9eddR5Ksd8rvFEBc9SsggPpg==}
-
-  lodash.isarray@3.0.4:
-    resolution: {integrity: sha512-JwObCrNJuT0Nnbuecmqr5DgtuBppuCvGD9lxjFpAzwnVtdGoDQ1zig+5W8k5/6Gcn0gZ3936HDAlGd28i7sOGQ==}
-
   lodash.iteratee@4.7.0:
     resolution: {integrity: sha512-yv3cSQZmfpbIKo4Yo45B1taEvxjNvcpF1CEOc0Y6dEyvhPIfEJE3twDwPgWTPQubcSgXyBwBKG6wpQvWMDOf6Q==}
 
@@ -5850,21 +5772,15 @@ packages:
   lodash.merge@4.6.2:
     resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==}
 
-  lodash.omit@4.5.0:
-    resolution: {integrity: sha512-XeqSp49hNGmlkj2EJlfrQFIzQ6lXdNro9sddtQzcJY8QaoC2GO0DT7xaIokHeyM+mIT0mPMlPvkYzg2xCuHdZg==}
-    deprecated: This package is deprecated. Use destructuring assignment syntax instead.
-
-  lodash.padend@4.6.1:
-    resolution: {integrity: sha512-sOQs2aqGpbl27tmCS1QNZA09Uqp01ZzWfDUoD+xzTii0E7dSQfRKcRetFwa+uXaxaqL+TKm7CgD2JdKP7aZBSw==}
-
   lodash.truncate@4.4.2:
     resolution: {integrity: sha512-jttmRe7bRse52OsWIMDLaXxWqRAmtIUccAQ3garviCqJjafXOfNMO0yMfNpdD6zbGaTU0P5Nz7e7gAT6cKmJRw==}
 
-  lodash.uniq@4.5.0:
-    resolution: {integrity: sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==}
+  lodash@4.18.0:
+    resolution: {integrity: sha512-l1mfj2atMqndAHI3ls7XqPxEjV2J9ZkcNyHpoZA3r2T1LLwDB69jgkMWh71YKwhBbK0G2f4WSn05ahmQXVxupA==}
+    deprecated: Bad release. Please use lodash@4.17.21 instead.
 
-  lodash@4.17.23:
-    resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}
+  lodash@4.18.1:
+    resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==}
 
   log-symbols@2.2.0:
     resolution: {integrity: sha512-VeIAFslyIerEJLXHziedo2basKbMKtTw3vfn5IzG0XTjhAVEJyNHnL2p7vc+wBDSdQuUpNw3M2u6xb9QsAY5Eg==}
@@ -5894,6 +5810,10 @@ packages:
   lru-cache@10.4.3:
     resolution: {integrity: sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==}
 
+  lru-cache@11.5.0:
+    resolution: {integrity: sha512-5YgH9UJd7wVb9hIouI2adWpgqrrICkt070Dnj8EUY1+B4B2P9eRLPAkAAo6NICA7CEhOIeBHl46u9zSNpNu7zA==}
+    engines: {node: 20 || >=22}
+
   lru-cache@5.1.1:
     resolution: {integrity: sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==}
 
@@ -5905,15 +5825,15 @@ packages:
     resolution: {integrity: sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==}
     engines: {node: '>=12'}
 
-  luxon@3.7.1:
-    resolution: {integrity: sha512-RkRWjA926cTvz5rAb1BqyWkKbbjzCGchDUIKMCUvNi17j6f6j8uHGDV82Aqcqtzd+icoYpELmG3ksgGiFNNcNg==}
+  luxon@3.7.2:
+    resolution: {integrity: sha512-vtEhXh/gNjI9Yg1u4jX/0YVPMvxzHuGgCm6tC5kZyb08yjGWGnqAjGJvcXbqQR2P3MyMEFnRbpcdFS6PBcLqew==}
     engines: {node: '>=12'}
 
   magic-string@0.25.9:
     resolution: {integrity: sha512-RmF0AsMzgt25qzqqLc1+MbHmhdx0ojF2Fvs4XnOqz2ZOBXzzkEwc/dJQZCYHAn7v1jbVOjAZfK8msRn4BxO4VQ==}
 
-  magic-string@0.30.17:
-    resolution: {integrity: sha512-sNPKHvyjVf7gyjwS4xGTaW/mCnF8wnjtifKBEhxfZ7E/S8tQ0rssrwGNn6q8JH/ohItJfSQp9mBtQYuTlH5QnA==}
+  magic-string@0.30.21:
+    resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
 
   make-dir@2.1.0:
     resolution: {integrity: sha512-LS9X+dc8KLxXCb8dni79fLIIUA5VyZoyjSMCwTluaXA0o27cCK0bhXkpgw+sTXVpPy/lSO57ilRixqk0vDmtRA==}
@@ -5923,8 +5843,8 @@ packages:
     resolution: {integrity: sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==}
     engines: {node: '>=8'}
 
-  make-plural@7.4.0:
-    resolution: {integrity: sha512-4/gC9KVNTV6pvYg2gFeQYTW3mWaoJt7WZE5vrp1KnQDgW92JtYZnzmZT81oj/dUTqAIu0ufI2x3dkgu3bB1tYg==}
+  make-plural@7.5.0:
+    resolution: {integrity: sha512-0booA+aVYyVFoR67JBHdfVk0U08HmrBH2FrtmBqBa+NldlqXv/G2Z9VQuQq6Wgp2jDWdybEWGfBkk1cq5264WA==}
 
   makeerror@1.0.12:
     resolution: {integrity: sha512-JmqCvUhmt43madlpFzG4BQzG2Z3m6tvQDNKdClZnO3VbIudJYmxsT0FNJMeiB2+JTSlTQTSbU8QdesVmwJcmLg==}
@@ -5937,33 +5857,18 @@ packages:
     resolution: {integrity: sha512-hdN1wVrZbb29eBGiGjJbeP8JbKjq1urkHJ/LIP/NY48MZ1QVXUsQBV1G1zvYFHn1XE06cwjBsOI2K3Ulnj1YXQ==}
     engines: {node: '>=8'}
 
-  markdown-it-anchor@8.6.7:
-    resolution: {integrity: sha512-FlCHFwNnutLgVTflOYHPW2pPcl2AACqVzExlkGQNsi4CJgqOHN7YTgDd4LuhgN1BFO3TS0vLAruV1Td6dwWPJA==}
-    peerDependencies:
-      '@types/markdown-it': '*'
-      markdown-it: '*'
-
   markdown-it-terminal@0.4.0:
     resolution: {integrity: sha512-NeXtgpIK6jBciHTm9UhiPnyHDdqyVIdRPJ+KdQtZaf/wR74gvhCNbw5li4TYsxRp5u3ZoHEF4DwpECeZqyCw+w==}
     peerDependencies:
-      markdown-it: '>= 13.0.0'
+      markdown-it: 14.1.1
 
-  markdown-it@13.0.2:
-    resolution: {integrity: sha512-FtwnEuuK+2yVU7goGn/MJ0WBZMM9ZPgU9spqlFs7/A/pDIUNSOQZhUgOqYCficIuR2QaFnrt8LHqBWsbTAoI5w==}
-    hasBin: true
-
-  markdown-it@14.1.0:
-    resolution: {integrity: sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==}
+  markdown-it@14.1.1:
+    resolution: {integrity: sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==}
     hasBin: true
 
   markdown-table@2.0.0:
     resolution: {integrity: sha512-Ezda85ToJUBhM6WGaG6veasyym+Tbs3cMAw/ZhOPqXiYsr0jgocBV3j3nx+4lk47plLlIqjwuTm/ywVI+zjJ/A==}
 
-  marked@4.3.0:
-    resolution: {integrity: sha512-PRsaiG84bK+AMvxziE/lCFss8juXjNaWzVbN5tXAm4XjeaS9NAHhop+PjQxz2A9h8Q4M/xGmzP8vqNwy6JeK0A==}
-    engines: {node: '>= 12'}
-    hasBin: true
-
   matcher-collection@1.1.2:
     resolution: {integrity: sha512-YQ/teqaOIIfUHedRam08PB3NK7Mjct6BvzRnJmpGDm8uFXpNr1sbY4yuflI5JcEs6COpYA0FpRQhSDBf1tT95g==}
 
@@ -5987,9 +5892,6 @@ packages:
   mdast-util-find-and-replace@1.1.1:
     resolution: {integrity: sha512-9cKl33Y21lyckGzpSmEQnIDjEfeeWelN5s1kUW1LwdB0Fkuq2u+4GdqcGEygYxJE8GVqCl0741bYXHgamfWAZA==}
 
-  mdast-util-footnote@0.1.7:
-    resolution: {integrity: sha512-QxNdO8qSxqbO2e3m09KwDKfWiLgqyCurdWTQ198NpbZ2hxntdc+VKS4fDJCmNWbAroUdYnSthu+XbZ8ovh8C3w==}
-
   mdast-util-from-markdown@0.8.5:
     resolution: {integrity: sha512-2hkTXtYYnr+NubD/g6KGBS/0mFmBcifAsI0yIWRiRo0PjVs6SSOSOdtzbp6kSGnShDN6G5aWZpKQ2lWRy27mWQ==}
 
@@ -6029,8 +5931,8 @@ packages:
   mdn-data@2.0.30:
     resolution: {integrity: sha512-GaqWWShW4kv/G9IEucWScBx9G1/vsFZZJUO+tD26M8J8z3Kw5RDQjaoZe03YAClgeS/SWPOcb4nkFBTEi5DUEA==}
 
-  mdn-data@2.12.2:
-    resolution: {integrity: sha512-IEn+pegP1aManZuckezWCO+XZQDplx1366JoVhTpMpBB1sPey/SbveZQUosKiKiGYjg1wH4pMlNgXbCiYgihQA==}
+  mdn-data@2.27.1:
+    resolution: {integrity: sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==}
 
   mdurl@1.0.1:
     resolution: {integrity: sha512-/sKlQJCBYVY9Ers9hqzKou4H6V5UWc/M59TH2dvkt+84itfnq7uFOMLpOiOS4ujvHP4etln18fmIxA5R5fll0g==}
@@ -6042,10 +5944,18 @@ packages:
     resolution: {integrity: sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==}
     engines: {node: '>= 0.6'}
 
+  media-typer@1.1.0:
+    resolution: {integrity: sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==}
+    engines: {node: '>= 0.8'}
+
   mem@5.1.1:
     resolution: {integrity: sha512-qvwipnozMohxLXG1pOqoLiZKNkC4r4qqRucSoDwXowsNGDSULiqFTRUF05vcZWnwJSG22qTsynQhxbaMtnX9gw==}
     engines: {node: '>=8'}
 
+  mem@8.1.1:
+    resolution: {integrity: sha512-qFCFUDs7U3b8mBDPyz5EToEKoAkgCzqquIgi9nkkR9bixxOVOre+09lbuH7+9Kn2NFpm56M3GUWVbU2hQgdACA==}
+    engines: {node: '>=10'}
+
   memory-streams@0.1.3:
     resolution: {integrity: sha512-qVQ/CjkMyMInPaaRMrwWNDvf6boRZXaT/DbQeMYcCWuXPEBf1v8qChOc9OlEVQp2uOvRXa1Qu30fLmKhY6NipA==}
 
@@ -6056,6 +5966,10 @@ packages:
   merge-descriptors@1.0.3:
     resolution: {integrity: sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==}
 
+  merge-descriptors@2.0.0:
+    resolution: {integrity: sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==}
+    engines: {node: '>=18'}
+
   merge-stream@2.0.0:
     resolution: {integrity: sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w==}
 
@@ -6070,9 +5984,6 @@ packages:
     resolution: {integrity: sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==}
     engines: {node: '>= 0.6'}
 
-  micromark-extension-footnote@0.3.2:
-    resolution: {integrity: sha512-gr/BeIxbIWQoUm02cIfK7mdMZ/fbroRpLsck4kvFtjbzP4yi+OPVbnukTc/zy0i7spC2xYE/dbX1Sur8BEDJsQ==}
-
   micromark-extension-frontmatter@0.2.2:
     resolution: {integrity: sha512-q6nPLFCMTLtfsctAuS0Xh4vaolxSFUWUWR6PZSrXXiRy+SANGllpcqdXFv2z07l0Xz/6Hl40hK0ffNCJPH2n1A==}
 
@@ -6113,6 +6024,10 @@ packages:
     resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==}
     engines: {node: '>= 0.6'}
 
+  mime-types@3.0.2:
+    resolution: {integrity: sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==}
+    engines: {node: '>=18'}
+
   mime@1.6.0:
     resolution: {integrity: sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==}
     engines: {node: '>=4'}
@@ -6126,6 +6041,10 @@ packages:
     resolution: {integrity: sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==}
     engines: {node: '>=6'}
 
+  mimic-fn@3.1.0:
+    resolution: {integrity: sha512-Ysbi9uYW9hFyfrThdDEQuykN4Ey6BuwPD2kpI5ES/nFTDn/98yxYNLZJcgUAKPT/mcrLLKaGzJR9YVxJrIdASQ==}
+    engines: {node: '>=8'}
+
   mimic-fn@4.0.0:
     resolution: {integrity: sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==}
     engines: {node: '>=12'}
@@ -6134,52 +6053,50 @@ packages:
     resolution: {integrity: sha512-VP79XUPxV2CigYP3jWwAUFSku2aKqBH7uTAapFWCBqutsbmDo96KY5o8uh6U+/YSIn5OxJnXp73beVkpqMIGhA==}
     engines: {node: '>=18'}
 
-  mini-css-extract-plugin@2.9.2:
-    resolution: {integrity: sha512-GJuACcS//jtq4kCtd5ii/M0SZf7OZRH+BxdqXZHaJfb8TJiVl+NgQRPwiYt2EuqeSkNydn/7vP+bcE27C5mb9w==}
+  mini-css-extract-plugin@2.10.2:
+    resolution: {integrity: sha512-AOSS0IdEB95ayVkxn5oGzNQwqAi2J0Jb/kKm43t7H73s8+f5873g0yuj0PNvK4dO75mu5DHg4nlgp4k6Kga8eg==}
     engines: {node: '>= 12.13.0'}
     peerDependencies:
       webpack: ^5.0.0
 
-  minimatch@3.1.2:
-    resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==}
+  minimatch@10.2.5:
+    resolution: {integrity: sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==}
+    engines: {node: 18 || 20 || >=22}
 
-  minimatch@5.1.6:
-    resolution: {integrity: sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==}
+  minimatch@3.1.5:
+    resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==}
+
+  minimatch@5.1.9:
+    resolution: {integrity: sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw==}
     engines: {node: '>=10'}
 
-  minimatch@7.4.6:
-    resolution: {integrity: sha512-sBz8G/YjVniEz6lKPNpKxXwazJe4c19fEfV2GDMX6AjFz+MX9uDWIZW8XreVhkFW3fkIdTv/gxWr/Kks5FFAVw==}
+  minimatch@7.4.9:
+    resolution: {integrity: sha512-Brg/fp/iAVDOQoHxkuN5bEYhyQlZhxddI78yWsCbeEwTHXQjlNLtiJDUsp1GIptVqMI7/gkJMz4vVAc01mpoBw==}
     engines: {node: '>=10'}
 
-  minimatch@8.0.4:
-    resolution: {integrity: sha512-W0Wvr9HyFXZRGIDgCicunpQ299OKXs9RgZfaukz4qAW/pJhcpUfupc9c+OObPOFueNy8VSrZgEmDtk6Kh4WzDA==}
+  minimatch@8.0.7:
+    resolution: {integrity: sha512-V+1uQNdzybxa14e/p00HZnQNNcTjnRJjDxg2V8wtkjFctq4M7hXFws4oekyTP0Jebeq7QYtpFyOeBAjc88zvYg==}
     engines: {node: '>=16 || 14 >=14.17'}
 
-  minimatch@9.0.5:
-    resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==}
+  minimatch@9.0.9:
+    resolution: {integrity: sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==}
     engines: {node: '>=16 || 14 >=14.17'}
 
   minimist@1.2.8:
     resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
 
-  minipass@2.9.0:
-    resolution: {integrity: sha512-wxfUjg9WebH+CUDX/CdbRlh5SmfZiy/hpkxaRI16Y9W56Pa75sWgd/rvFilSgrauD9NyFymP/+JFV3KwzIsJeg==}
-
   minipass@4.2.8:
     resolution: {integrity: sha512-fNzuVyifolSLFL4NzpF+wEF4qrgqaaKX0haXPQEdQ7NKAN+WecoKMHV09YcuL/DHxrUsYQOK3MiuDf7Ip2OXfQ==}
     engines: {node: '>=8'}
 
-  minipass@7.1.2:
-    resolution: {integrity: sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==}
+  minipass@7.1.3:
+    resolution: {integrity: sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==}
     engines: {node: '>=16 || 14 >=14.17'}
 
   miragejs@0.1.48:
     resolution: {integrity: sha512-MGZAq0Q3OuRYgZKvlB69z4gLN4G3PvgC4A2zhkCXCXrLD5wm2cCnwNB59xOBVA+srZ0zEes6u+VylcPIkB4SqA==}
     engines: {node: 6.* || 8.* || >= 10.*}
 
-  mkdirp2@1.0.5:
-    resolution: {integrity: sha512-xOE9xbICroUDmG1ye2h4bZ8WBie9EGmACaco8K8cx6RlkJJrxGIqjGqztAI+NMhexXBcdGbSEzI6N3EJPevxZw==}
-
   mkdirp@0.5.6:
     resolution: {integrity: sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==}
     hasBin: true
@@ -6194,15 +6111,15 @@ packages:
     engines: {node: '>=10'}
     hasBin: true
 
-  mktemp@0.4.0:
-    resolution: {integrity: sha512-IXnMcJ6ZyTuhRmJSjzvHSRhlVPiN9Jwc6e59V0bEJ0ba6OBeX2L0E+mRN1QseeOF4mM+F1Rit6Nh7o+rl2Yn/A==}
-    engines: {node: '>0.9'}
+  mktemp@2.0.3:
+    resolution: {integrity: sha512-Bq72L2oi/isYSy0guN9ihNhAMQOyZEwts+Bezm/1U+wh8bQ+fVQ2ZiUoJJjceOMiiKv/BUrA0NF98jFc81CB6w==}
+    engines: {node: 20 || 22 || 24}
 
-  moo@0.5.2:
-    resolution: {integrity: sha512-iSAJLHYKnX41mKcJKjqvnAN9sf0LMDTXDEvFv+ffuRR9a1MIuXLjMNL6EsnDHSkKLTWNqQQ5uo61P4EbU4NU+Q==}
+  moo@0.5.3:
+    resolution: {integrity: sha512-m2fmM2dDm7GZQsY7KK2cme8agi+AAljILjQnof7p1ZMDe6dQ4bdnSMx0cPppudoeNv5hEFQirN6u+O4fDE0IWA==}
 
-  morgan@1.10.0:
-    resolution: {integrity: sha512-AbegBVI4sh6El+1gNwvD5YIck7nSA36weD7xvIxG4in80j/UoK8AEGaWnnz8v1GxonMCltmlNs5ZKbGvl9b1XQ==}
+  morgan@1.10.1:
+    resolution: {integrity: sha512-223dMRJtI/l25dJKWpgij2cMtywuG/WiUKXdvwfbhGKBhy1puASqXwFzmWZ7+K73vUPoR7SS2Qz2cI/g9MKw0A==}
     engines: {node: '>= 0.8.0'}
 
   mr-dep-walk@1.4.0:
@@ -6228,12 +6145,12 @@ packages:
     resolution: {integrity: sha512-avsJQhyd+680gKXyG/sQc0nXaC6rBkPOfyHYcFb9+hdkqQkR9bdnkJ0AMZhke0oesPqIO+mFFJ+IdBc7mst4IA==}
     engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
 
-  nano-spawn@1.0.2:
-    resolution: {integrity: sha512-21t+ozMQDAL/UGgQVBbZ/xXvNO10++ZPuTmKRO8k9V3AClVRht49ahtDjfY8l1q6nSHOrE5ASfthzH3ol6R/hg==}
+  nano-spawn@1.0.3:
+    resolution: {integrity: sha512-jtpsQDetTnvS2Ts1fiRdci5rx0VYws5jGyC+4IYOTnIQ/wwdf6JdomlHBwqC3bJYOvaKu0C2GSZ1A60anrYpaA==}
     engines: {node: '>=20.17'}
 
-  nanoid@3.3.11:
-    resolution: {integrity: sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==}
+  nanoid@3.3.12:
+    resolution: {integrity: sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==}
     engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1}
     hasBin: true
 
@@ -6251,6 +6168,10 @@ packages:
     resolution: {integrity: sha512-myRT3DiWPHqho5PrJaIRyaMv2kgYf0mUVgBNOYMuCH5Ki1yEiQaf/ZJuQ62nvpc44wL5WDbTX7yGJi1Neevw8w==}
     engines: {node: '>= 0.6'}
 
+  negotiator@1.0.0:
+    resolution: {integrity: sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==}
+    engines: {node: '>= 0.6'}
+
   neo-async@2.6.2:
     resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}
 
@@ -6272,16 +6193,122 @@ packages:
   node-notifier@10.0.1:
     resolution: {integrity: sha512-YX7TSyDukOZ0g+gmzjB6abKu+hTGvO8+8+gIFDsRCU2t8fLV/P2unmt+LGFaIa4y64aX98Qksa97rgz4vMNeLQ==}
 
-  node-releases@2.0.19:
-    resolution: {integrity: sha512-xxOWJsBKtzAq7DY0J+DTzuz58K8e7sJbdgwkbMWQe8UYB6ekmsQ45q0M/tJDsGaZmbC+l7n57UV8Hl5tHxO9uw==}
+  node-releases@2.0.46:
+    resolution: {integrity: sha512-GYVXHE2KnrzAfsAjl4uP++evGFCrAU1jta4ubEjIG7YWt/64Gqv66a30yKwWczVjA6j3bM4nBwH7Pk1JmDHaxQ==}
+    engines: {node: '>=18'}
 
   node-watch@0.7.3:
     resolution: {integrity: sha512-3l4E8uMPY1HdMMryPRUAl+oIHtXtyiTlIiESNSVSNxcPfzAFzeTbXFQkZfAwBbo0B1qMSG8nUABx+Gd+YrbKrQ==}
     engines: {node: '>=6'}
 
-  nomnom@1.8.1:
-    resolution: {integrity: sha512-5s0JxqhDx9/rksG2BTMVN1enjWSvPidpoSgViZU4ZXULyTe+7jxcCRLB6f42Z0l1xYJpleCBtSyY6Lwg3uu5CQ==}
-    deprecated: Package no longer supported. Contact support@npmjs.com for more info.
+  node@runtime:20.20.2:
+    resolution:
+      type: variations
+      variants:
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-PGD1QGmlOtj/7vKw8R4fiDM7Et7P7XVbJs4/y14tl+Q=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-aix-ppc64.tar.gz
+          targets:
+            - cpu: ppc64
+              os: aix
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-Rm4F80d8IN+3IwVN/r/+Vbx0Zg7nf2EhZvyhIdrLZbY=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-darwin-arm64.tar.gz
+          targets:
+            - cpu: arm64
+              os: darwin
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-i+b15LsSjIJ3T4oLjXocwTZaeXfZZXzs4Mpkez/gTmE=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-darwin-x64.tar.gz
+          targets:
+            - cpu: x64
+              os: darwin
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-R+9z1UPs9usZQ19sA6CsSAmzvw3Wsmx8Vx78KmVyp00=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-linux-arm64.tar.gz
+          targets:
+            - cpu: arm64
+              os: linux
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-jhXxIechyTVBMgUxiNTBoY6p40XAGe5ED7JW492n3xU=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-linux-armv7l.tar.gz
+          targets:
+            - cpu: armv7l
+              os: linux
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-Xy/Q4M1nrqwNuACzNBUcrm6nDqM3SHsm95rJDj/hJuE=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-linux-ppc64le.tar.gz
+          targets:
+            - cpu: ppc64le
+              os: linux
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-7hyhGT51ptMbYAfFdd7KEbEW6Epr2hNq4ODb4ZOZiJw=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-linux-s390x.tar.gz
+          targets:
+            - cpu: s390x
+              os: linux
+        - resolution:
+            archive: tarball
+            bin: bin/node
+            integrity: sha256-GeVvCCVRAgfdkE8If+UvqgpOtrKqtfDqejODDQSIi4s=
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-linux-x64.tar.gz
+          targets:
+            - cpu: x64
+              os: linux
+        - resolution:
+            archive: zip
+            bin: node.exe
+            integrity: sha256-1cWx1W9/lGmDDrH1fv7sCmqQeMCp6IzVtLS0j0bCIGk=
+            prefix: node-v20.20.2-win-arm64
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-win-arm64.zip
+          targets:
+            - cpu: arm64
+              os: win32
+        - resolution:
+            archive: zip
+            bin: node.exe
+            integrity: sha256-3DcA/dV6Y+7bj9fjx7qqMuanQKG5BBZ/9CBLxo7Yv3c=
+            prefix: node-v20.20.2-win-x64
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-win-x64.zip
+          targets:
+            - cpu: x64
+              os: win32
+        - resolution:
+            archive: zip
+            bin: node.exe
+            integrity: sha256-zTTV2i8269hO1XJSdW7lEkR9tFAtn544yo3MtRGws1I=
+            prefix: node-v20.20.2-win-x86
+            type: binary
+            url: https://nodejs.org/download/release/v20.20.2/node-v20.20.2-win-x86.zip
+          targets:
+            - cpu: x86
+              os: win32
+    version: 20.20.2
+    hasBin: true
 
   nopt@3.0.6:
     resolution: {integrity: sha512-4GUt3kSEYmk4ITxzB/b9vaIDfUVWN/Ml1Fwl11IlnIG2iaJ9O6WXZ9SrYM9NLI8OCBieN2Y8SWC2oJV0RQ7qYg==}
@@ -6315,10 +6342,9 @@ packages:
     resolution: {integrity: sha512-ppwTtiJZq0O/ai0z7yfudtBpWIoxM8yE6nHi1X47eFR2EWORqfbu6CnPlNsjeN683eT0qG6H/Pyf9fCcvjnnnQ==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
-  npmlog@6.0.2:
-    resolution: {integrity: sha512-/vBvz5Jfr9dT/aFWd0FIRf+T/Q2WBsLENygUaFUqstqsycmZAP/t5BvFJTK0viFmSUxiUKTUplWy5vt+rvKIxg==}
-    engines: {node: ^12.13.0 || ^14.15.0 || >=16.0.0}
-    deprecated: This package is no longer supported.
+  npm-run-path@6.0.0:
+    resolution: {integrity: sha512-9qny7Z9DsQU8Ou39ERsPU4OZQlSTP47ShQzuKZ6PRXpYLtIFgl/DEBYEXKlvcEa+9tHVcK8CF81Y2V72qaZhWA==}
+    engines: {node: '>=18'}
 
   npmlog@7.0.1:
     resolution: {integrity: sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==}
@@ -6329,9 +6355,6 @@ packages:
     resolution: {integrity: sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==}
     engines: {node: '>=0.10.0'}
 
-  object-get@2.1.1:
-    resolution: {integrity: sha512-7n4IpLMzGGcLEMiQKsNR7vCe+N5E9LORFrtNUVy4sO3dj9a3HedZCxEL2T7QuLhcHN1NBuBsMOKaOsAYI9IIvg==}
-
   object-hash@1.3.1:
     resolution: {integrity: sha512-OSuu/pU4ENM9kmREg0BdNrUDIl1heYa4mBZacJc+vVWz4GtAwu7jO8s4AIt2aGRUTqxykpWzI3Oqnsm13tTMDA==}
     engines: {node: '>= 0.10.0'}
@@ -6344,10 +6367,6 @@ packages:
     resolution: {integrity: sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==}
     engines: {node: '>= 0.4'}
 
-  object-to-spawn-args@2.0.1:
-    resolution: {integrity: sha512-6FuKFQ39cOID+BMZ3QaphcC8Y4cw6LXBLyIgPU+OhIYwviJamPAn+4mITapnSBQrejB+NNp+FMskhD8Cq+Ys3w==}
-    engines: {node: '>=8.0.0'}
-
   object.assign@4.1.7:
     resolution: {integrity: sha512-nK28WOo+QIjBkDduTINE4JkF/UJJKyf2EJxvJKfblDpyg0Q+pkOHNTL0Qwy6NP6FhE/EnzV73BxxqcJaXY9anw==}
     engines: {node: '>= 0.4'}
@@ -6360,8 +6379,8 @@ packages:
     resolution: {integrity: sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==}
     engines: {node: '>= 0.8'}
 
-  on-headers@1.0.2:
-    resolution: {integrity: sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==}
+  on-headers@1.1.0:
+    resolution: {integrity: sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==}
     engines: {node: '>= 0.8'}
 
   once@1.4.0:
@@ -6485,6 +6504,10 @@ packages:
     resolution: {integrity: sha512-ayCKvm/phCGxOkYRSCM82iDwct8/EonSEgCSxWxD7ve6jHggsFl4fZVQBPRNgQoKiuV/odhFrGzQXZwbifC8Rg==}
     engines: {node: '>=8'}
 
+  parse-ms@4.0.0:
+    resolution: {integrity: sha512-TXfryirbmq34y8QBwgqCVLi+8oA3oWx2eAnSn62ITyEhEYaWRlVZ2DvMM9eZbMs/RfxPu/PK/aBLyGj4IrqMHw==}
+    engines: {node: '>=18'}
+
   parse-passwd@1.0.0:
     resolution: {integrity: sha512-1Y1A//QUXEZK7YKz+rD9WydcE1+EuPr6ZBgKecAB8tmoW6UFv0NREVJe1p+jRxtThkcbbKkfwIbWJe/IeE6m2Q==}
     engines: {node: '>=0.10.0'}
@@ -6545,8 +6568,15 @@ packages:
     resolution: {integrity: sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==}
     engines: {node: '>=16 || 14 >=14.18'}
 
-  path-to-regexp@0.1.12:
-    resolution: {integrity: sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==}
+  path-scurry@2.0.2:
+    resolution: {integrity: sha512-3O/iVVsJAPsOnpwWIeD+d6z/7PmqApyQePUtCndjatj/9I5LylHvt5qluFaBT3I5h3r1ejfR056c+FCv+NnNXg==}
+    engines: {node: 18 || 20 || >=22}
+
+  path-to-regexp@0.1.13:
+    resolution: {integrity: sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==}
+
+  path-to-regexp@8.4.2:
+    resolution: {integrity: sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA==}
 
   path-type@4.0.0:
     resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==}
@@ -6559,10 +6589,14 @@ packages:
   picocolors@1.1.1:
     resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
 
-  picomatch@2.3.1:
-    resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==}
+  picomatch@2.3.2:
+    resolution: {integrity: sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==}
     engines: {node: '>=8.6'}
 
+  picomatch@4.0.4:
+    resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
+    engines: {node: '>=12'}
+
   pidtree@0.6.0:
     resolution: {integrity: sha512-eG2dWTVw5bzqGRztnHExczNxt5VGsE6OwTeCG3fdUf9KBsZzO3R5OIIIzWR+iZA0NtZ+RDVdaoE2dK1cn6jH4g==}
     engines: {node: '>=0.10'}
@@ -6599,18 +6633,18 @@ packages:
     resolution: {integrity: sha512-cjJP/mYuGyMrjJ49jI04khId5Oufd3nFTUYBzQTIIVNI7/oAWdwXEfpwTF8HELFV/gz+WGYUBHCe3KHWD8rYvg==}
     engines: {node: '>=6.0.0'}
 
-  playwright-core@1.58.0:
-    resolution: {integrity: sha512-aaoB1RWrdNi3//rOeKuMiS65UCcgOVljU46At6eFcOFPFHWtd2weHRRow6z/n+Lec0Lvu0k9ZPKJSjPugikirw==}
+  playwright-core@1.60.0:
+    resolution: {integrity: sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==}
     engines: {node: '>=18'}
     hasBin: true
 
-  playwright@1.58.0:
-    resolution: {integrity: sha512-2SVA0sbPktiIY/MCOPX8e86ehA/e+tDNq+e5Y8qjKYti2Z/JG7xnronT/TXTIkKbYGWlCbuucZ6dziEgkoEjQQ==}
+  playwright@1.60.0:
+    resolution: {integrity: sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==}
     engines: {node: '>=18'}
     hasBin: true
 
-  portfinder@1.0.37:
-    resolution: {integrity: sha512-yuGIEjDAYnnOex9ddMnKZEMFE0CcGo6zbfzDklkmT1m5z734ss6JMzN9rNB3+RR7iS+F10D4/BVIaXOyh8PQKw==}
+  portfinder@1.0.38:
+    resolution: {integrity: sha512-rEwq/ZHlJIKw++XtLAO8PPuOQA/zaPJOZJ37BVuN97nLpMJeuDVLVGRwbFoBgLudgdTMP2hdRJP++H+8QOA3vg==}
     engines: {node: '>= 10.12'}
 
   possible-typed-array-names@1.1.0:
@@ -6650,15 +6684,15 @@ packages:
     peerDependencies:
       postcss: ^8.4.31
 
-  postcss-selector-parser@7.1.0:
-    resolution: {integrity: sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==}
+  postcss-selector-parser@7.1.1:
+    resolution: {integrity: sha512-orRsuYpJVw8LdAwqqLykBj9ecS5/cRHlI5+nvTo8LcCKmzDmqVORXtOIYEEQuL9D4BxtA1lm5isAqzQZCoQ6Eg==}
     engines: {node: '>=4'}
 
   postcss-value-parser@4.2.0:
     resolution: {integrity: sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==}
 
-  postcss@8.5.3:
-    resolution: {integrity: sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==}
+  postcss@8.5.15:
+    resolution: {integrity: sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==}
     engines: {node: ^10 || ^12 || >=14}
 
   posthog-js@1.236.1:
@@ -6672,8 +6706,8 @@ packages:
       rrweb-snapshot:
         optional: true
 
-  preact@10.28.2:
-    resolution: {integrity: sha512-lbteaWGzGHdlIuiJ0l2Jq454m6kcpI1zNje6d8MlGAFlYvP2GO4ibnat7P74Esfz4sPTdM6UxtTwh/d3pwM9JA==}
+  preact@10.29.2:
+    resolution: {integrity: sha512-7tNmwg/7mzzAoB/8kSg6Hl37JraAZw3Z3A0JSY7VXlZwo82Xn0G7wKbNNs2qoF4ZEEsQGTwDAroNdqKs1ofJxQ==}
 
   prelude-ls@1.2.1:
     resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
@@ -6696,8 +6730,8 @@ packages:
     resolution: {integrity: sha512-mGOWVHixSvpZWARqSDXbdtTL54mMBxc5oQYQ6RAqy8jecuNJBgN3t9E5a81G66F8x8fsKNiR1HWaBV66MJDOpg==}
     engines: {node: '>=10.0.0'}
 
-  prettier-linter-helpers@1.0.0:
-    resolution: {integrity: sha512-GbK2cP9nraSSUF9N2XwUwqfzlAFlMNYYl+ShE/V+H8a9uNl/oUqB1w2EL54Jh0OlyRSd8RfWYJ3coVS4TROP2w==}
+  prettier-linter-helpers@1.0.1:
+    resolution: {integrity: sha512-SxToR7P8Y2lWmv/kTzVLC1t/GDI2WGjMwNhLLE9qtH8Q13C+aEmuRlzDst4Up4s0Wc8sF2M+J57iB3cMLqftfg==}
     engines: {node: '>=6.0.0'}
 
   prettier@2.8.8:
@@ -6713,6 +6747,10 @@ packages:
   pretty-format@23.6.0:
     resolution: {integrity: sha512-zf9NV1NSlDLDjycnwm6hpFATCGl/K1lt0R/GdkAK2O5LN/rwJoB+Mh93gGJjut4YbmecbfgLWVGSTCr0Ewvvbw==}
 
+  pretty-ms@9.3.0:
+    resolution: {integrity: sha512-gjVS5hOP+M3wMm5nmNOucbIrqudzs9v/57bWRHQWLYklXqoXKrVfYW2W9+glfGsqtPgpiz5WwyEEB+ksXIx3gQ==}
+    engines: {node: '>=18'}
+
   printf@0.6.1:
     resolution: {integrity: sha512-is0ctgGdPJ5951KulgfzvHGwJtZ5ck8l042vRkV6jrkpBzTmb/lueTqguWHy2JfVA+RY6gFVlaZgUS0j7S/dsw==}
     engines: {node: '>= 0.9.0'}
@@ -6729,6 +6767,10 @@ packages:
     resolution: {integrity: sha512-++Vn7NS4Xf9NacaU9Xq3URUuqZETPsf8L4j5/ckhaRYsfPeRyzGw+iDjFhV/Jr3uNmTvvddEJFWh5R1gRgUH8A==}
     engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
 
+  proc-log@6.1.0:
+    resolution: {integrity: sha512-iG+GYldRf2BQ0UDUAd6JQ/RwzaQy6mXmsk/IzlYyal4A4SNFw54MeH4/tLkF4I5WoWG9SQwuqWzS99jaFQHBuQ==}
+    engines: {node: ^20.17.0 || >=22.9.0}
+
   process-relative-require@1.0.0:
     resolution: {integrity: sha512-r8G5WJPozMJAiv8sDdVWKgJ4In/zBXqwJdMCGAXQt2Kd3HdbAuJVzWYM4JW150hWoaI9DjhtbjcsCCHIMxm8RA==}
 
@@ -6757,8 +6799,8 @@ packages:
     resolution: {integrity: sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==}
     engines: {node: '>= 0.10'}
 
-  pump@3.0.2:
-    resolution: {integrity: sha512-tUPXtzlGM8FE3P0ZL6DVs/3P58k9nk8/jZeQCurTJylQA8qFYzHFfhBJkuqyE0FifOsQ0uKWekiZ5g8wtr28cw==}
+  pump@3.0.4:
+    resolution: {integrity: sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA==}
 
   punycode.js@2.3.1:
     resolution: {integrity: sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==}
@@ -6771,9 +6813,13 @@ packages:
   pvtsutils@1.3.6:
     resolution: {integrity: sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==}
 
-  pvutils@1.1.3:
-    resolution: {integrity: sha512-pMpnA0qRdFp32b1sJl1wOJNxZLQ2cbQx+k6tjNtZ8CpvVhNqEPRgivZ2WOUev2YMajecdH7ctUPDvEe87nariQ==}
-    engines: {node: '>=6.0.0'}
+  pvutils@1.1.5:
+    resolution: {integrity: sha512-KTqnxsgGiQ6ZAzZCVlJH5eOjSnvlyEgx1m8bkRJfOhmGRqfo5KLvmAlACQkrjEtOQ4B7wF9TdSLIs9O90MX9xA==}
+    engines: {node: '>=16.0.0'}
+
+  qified@0.10.1:
+    resolution: {integrity: sha512-+Owyggi9IxT1ePKGafcI87ubSmxol6smwJ+RAHDQlx9+9cPwFWDiKFFCPuWhr9ignlGpZ9vDQLw67N4dcTVFEA==}
+    engines: {node: '>=20'}
 
   qs@6.14.1:
     resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==}
@@ -6786,8 +6832,8 @@ packages:
     resolution: {integrity: sha512-WuyALRjWPDGtt/wzJiadO5AXY+8hZ80hVpe6MyivgraREW751X3SbhRvG3eLKOYN+8VEvqLcf3wdnt44Z4S4SA==}
     engines: {node: '>=10'}
 
-  quick-temp@0.1.8:
-    resolution: {integrity: sha512-YsmIFfD9j2zaFwJkzI6eMG7y0lQP7YeWzgtFgNl38pGWZBSXJooZbOWwkcRot7Vt0Fg9L23pX0tqWU3VvLDsiA==}
+  quick-temp@0.1.9:
+    resolution: {integrity: sha512-yI0h7tIhKVObn03kD+Ln9JFi4OljD28lfaOsTdfpTR0xzrhGOod+q66CjGafUqYX2juUfT9oHIGrTBBo22mkRA==}
 
   qunit-dom@3.4.0:
     resolution: {integrity: sha512-N5PYbJ20RD3JZN4whINdl7dDfxScUy7eNuO8IwUtBWC7d6SH+BqtBqVZdRn9evxLQVzuask6OGvMy4gdpiCceg==}
@@ -6795,14 +6841,11 @@ packages:
   qunit-theme-ember@1.0.0:
     resolution: {integrity: sha512-vdMVVo6ecdCkWttMTKeyq1ZTLGHcA6zdze2zhguNuc3ritlJMhOXY5RDseqazOwqZVfCg3rtlmL3fMUyIzUyFQ==}
 
-  qunit@2.24.1:
-    resolution: {integrity: sha512-Eu0k/5JDjx0QnqxsE1WavnDNDgL1zgMZKsMw/AoAxnsl9p4RgyLODyo2N7abZY7CEAnvl5YUqFZdkImzbgXzSg==}
+  qunit@2.24.3:
+    resolution: {integrity: sha512-JTHwSfHf2Cw8TqusZo2tT4F9d+XA/pp/veoxUDiPNHtB1Wc1VPctiHHIv6HA3vrXNOBu9LSzFM7YU2OV9Gz4vQ==}
     engines: {node: '>=10'}
     hasBin: true
 
-  randombytes@2.1.0:
-    resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}
-
   range-parser@1.2.1:
     resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==}
     engines: {node: '>= 0.6'}
@@ -6812,10 +6855,14 @@ packages:
     engines: {node: '>= 0.8.0'}
     deprecated: No longer maintained. Please upgrade to a stable version.
 
-  raw-body@2.5.2:
-    resolution: {integrity: sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==}
+  raw-body@2.5.3:
+    resolution: {integrity: sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==}
     engines: {node: '>= 0.8'}
 
+  raw-body@3.0.2:
+    resolution: {integrity: sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==}
+    engines: {node: '>= 0.10'}
+
   readable-stream@1.0.34:
     resolution: {integrity: sha512-ok1qVCJuRkNmvebYikljxJA/UEsKwLl2nI1OmaqAu4/UE+h0wKCHok4XkL/gvi39OacXvw59RJUOFUkDib2rHg==}
 
@@ -6827,9 +6874,9 @@ packages:
     resolution: {integrity: sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==}
     engines: {node: '>=8.10.0'}
 
-  readdirp@4.1.2:
-    resolution: {integrity: sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==}
-    engines: {node: '>= 14.18.0'}
+  readdirp@5.0.0:
+    resolution: {integrity: sha512-9u/XQ1pvrQtYyMpZe7DXKv2p5CNvyVwzUB6uhLAnQwHMSgKMBR62lc7AHljaeteeHXn11XTAaLLUVZYVZyuRBQ==}
+    engines: {node: '>= 20.19.0'}
 
   recast@0.18.10:
     resolution: {integrity: sha512-XNvYvkfdAN9QewbrxeTOjgINkdY/odTgTS56ZNEWL9Ml0weT4T3sFtvnTuF+Gxyu46ANcRm1ntrF6F5LAJPAaQ==}
@@ -6842,28 +6889,12 @@ packages:
   redeyed@1.0.1:
     resolution: {integrity: sha512-8eEWsNCkV2rvwKLS1Cvp5agNjMhwRe2um+y32B2+3LqOzg4C9BBPs6vzAfV16Ivb8B9HPNKIqd8OrdBws8kNlQ==}
 
-  reduce-flatten@1.0.1:
-    resolution: {integrity: sha512-j5WfFJfc9CoXv/WbwVLHq74i/hdTUpy+iNC534LxczMRP67vJeK3V9JOdnL0N1cIRbn9mYhE2yVjvvKXDxvNXQ==}
-    engines: {node: '>=0.10.0'}
-
-  reduce-flatten@3.0.1:
-    resolution: {integrity: sha512-bYo+97BmUUOzg09XwfkwALt4PQH1M5L0wzKerBt6WLm3Fhdd43mMS89HiT1B9pJIqko/6lWx3OnV4J9f2Kqp5Q==}
-    engines: {node: '>=8'}
-
-  reduce-unique@2.0.1:
-    resolution: {integrity: sha512-x4jH/8L1eyZGR785WY+ePtyMNhycl1N2XOLxhCbzZFaqF4AXjLzqSxa2UHgJ2ZVR/HHyPOvl1L7xRnW8ye5MdA==}
-    engines: {node: '>=6'}
-
-  reduce-without@1.0.1:
-    resolution: {integrity: sha512-zQv5y/cf85sxvdrKPlfcRzlDn/OqKFThNimYmsS3flmkioKvkUGn2Qg9cJVoQiEvdxFGLE0MQER/9fZ9sUqdxg==}
-    engines: {node: '>=0.10.0'}
-
   reflect.getprototypeof@1.0.10:
     resolution: {integrity: sha512-00o4I+DVrefhv+nX0ulyi3biSHCPDe+yLv5o/p6d/UVlirijB8E16FtfwSAi4g3tcqrQ4lRAqQSoFEZJehYEcw==}
     engines: {node: '>= 0.4'}
 
-  regenerate-unicode-properties@10.2.0:
-    resolution: {integrity: sha512-DqHn3DwbmmPVzeKj9woBadqmXxLvQoQIwu7nopMc72ztvxVmVk2SBhSnx67zuye5TP+lJsb/TBQsjLKhnDf3MA==}
+  regenerate-unicode-properties@10.2.2:
+    resolution: {integrity: sha512-m03P+zhBeQd1RGnYxrGyDAPpWX/epKirLrp8e3qevZdVkKtnCrjjWczIbYc8+xd6vcTStVlqfycTx1KR4LOr0g==}
     engines: {node: '>=4'}
 
   regenerate@1.4.2:
@@ -6879,15 +6910,15 @@ packages:
     resolution: {integrity: sha512-dYqgNSZbDwkaJ2ceRd9ojCGjBq+mOm9LmtXnAnEGyHhN/5R7iDW2TRw3h+o/jCFxus3P2LfWIIiwowAjANm7IA==}
     engines: {node: '>= 0.4'}
 
-  regexpu-core@6.2.0:
-    resolution: {integrity: sha512-H66BPQMrv+V16t8xtmq+UC0CBpiTBA60V8ibS1QVReIp8T1z8hwFxqcGzm9K6lgsN7sB5edVH8a+ze6Fqm4weA==}
+  regexpu-core@6.4.0:
+    resolution: {integrity: sha512-0ghuzq67LI9bLXpOX/ISfve/Mq33a4aFRzoQYhnnok1JOFpmE/A2TBGkNVenOGEeSBCjIiWcc6MVOG5HEQv0sA==}
     engines: {node: '>=4'}
 
   regjsgen@0.8.0:
     resolution: {integrity: sha512-RvwtGe3d7LvWiDQXeQw8p5asZUmfU1G/l6WbUXeHta7Y2PEIvBTwH6E2EfmYUK8pxcxEdEmaomqyp0vZZ7C+3Q==}
 
-  regjsparser@0.12.0:
-    resolution: {integrity: sha512-cnE+y8bz4NhMjISKbgeVJtqNbtf5QpjZP+Bslo+UqkIt9QPnX9q095eiRRASJG1/tz6dlNr6Z5NsBiWYokp6EQ==}
+  regjsparser@0.13.1:
+    resolution: {integrity: sha512-dLsljMd9sqwRkby8zhO1gSg3PnJIBFid8f4CQj/sXx+7cKx+E7u0PKhZ+U4wmhx7EfmtvnA318oVaIkAB1lRJw==}
     hasBin: true
 
   rehype-stringify@8.0.0:
@@ -6896,9 +6927,6 @@ packages:
   remark-extract-frontmatter@3.2.0:
     resolution: {integrity: sha512-PmYwNCo0cMAUV3oAGg5Hn6YSZgiSDwVdxLJmPIZ804aYuvE5mAzozo5AkO0C8ELroWrtN/f9zzb0jqFPBkMnwg==}
 
-  remark-footnotes@3.0.0:
-    resolution: {integrity: sha512-ZssAvH9FjGYlJ/PBVKdSmfyPc3Cz4rTWgZLI4iE/SX8Nt5l3o3oEjv3wwG5VD7xOjktzdwp5coac+kJV9l4jgg==}
-
   remark-frontmatter@3.0.0:
     resolution: {integrity: sha512-mSuDd3svCHs+2PyO29h7iijIZx4plX0fheacJcAoYAASfgzgVIcXGYSq9GFyYocFLftQs8IOmmkgtOovs6d4oA==}
 
@@ -6952,9 +6980,6 @@ packages:
   requires-port@1.0.0:
     resolution: {integrity: sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==}
 
-  requizzle@0.2.4:
-    resolution: {integrity: sha512-JRrFk1D4OQ4SqovXOgdav+K8EAhSB/LJZqCz8tbX0KObcdeM15Ss59ozWMBWmmINMagCwmqn4ZNryUGpBsl6Jw==}
-
   reselect@3.0.1:
     resolution: {integrity: sha512-b/6tFZCmRhtBMa4xGqiiRp9jh9Aqi2A687Lo265cN0/QohJQEBPiQ52f4QB6i0eF3yp3hmLL21LSGBcML2dlxA==}
 
@@ -7003,8 +7028,8 @@ packages:
     resolution: {integrity: sha512-OcXjMsGdhL4XnbShKpAcSqPMzQoYkYyhbEaeSko47MjRP9NfEQMhZkXL1DoFlt9LWQn4YttrdnV6X2OiyzBi+A==}
     engines: {node: '>=10'}
 
-  resolve@1.22.10:
-    resolution: {integrity: sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==}
+  resolve@1.22.12:
+    resolution: {integrity: sha512-TyeJ1zif53BPfHootBGwPRYT1RUt6oGWsaQr8UyZW/eAm9bKoijtvruSDEmZHm92CwS9nj7/fWttqPCgzep8CA==}
     engines: {node: '>= 0.4'}
     hasBin: true
 
@@ -7050,20 +7075,29 @@ packages:
     resolution: {integrity: sha512-l0OE8wL34P4nJH/H2ffoaniAokM2qSmrtXHmlpvYr5AVVX8msAyW0l8NVJFDxlSK4u3Uh/f41cQheDVdnYijwQ==}
     hasBin: true
 
-  robust-predicates@3.0.2:
-    resolution: {integrity: sha512-IXgzBWvWQwE6PrDI05OvmXUIruQTcoMDzRsOd5CDvHCVLcLHMTSYvOK5Cm46kWqlV3yAbuSpBZdJ5oP5OUoStg==}
+  rimraf@6.1.3:
+    resolution: {integrity: sha512-LKg+Cr2ZF61fkcaK1UdkH2yEBBKnYjTyWzTJT6KNPcSPaiT7HSdhtMXQuN5wkTX0Xu72KQ1l8S42rlmexS2hSA==}
+    engines: {node: 20 || >=22}
+    hasBin: true
+
+  robust-predicates@3.0.3:
+    resolution: {integrity: sha512-NS3levdsRIUOmiJ8FZWCP7LG3QpJyrs/TE0Zpf1yvZu8cAJJ6QMW92H1c7kWpdIHo8RvmLxN/o2JXTKHp74lUA==}
 
   rollup-pluginutils@2.8.2:
     resolution: {integrity: sha512-EEp9NhnUkwY8aif6bxgovPHMoMoNr2FulJziTndpt5H9RdwC47GSGuII9XxpSdzVGM0GWrNPHV6ie1LTNJPaLQ==}
 
-  rollup@2.79.2:
-    resolution: {integrity: sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ==}
+  rollup@2.80.0:
+    resolution: {integrity: sha512-cIFJOD1DESzpjOBl763Kp1AH7UE/0fcdHe6rZXUdQ9c50uvgigvW97u3IcSeBwOkgqL/PXPBktBCh0KEu5L8XQ==}
     engines: {node: '>=10.0.0'}
     hasBin: true
 
   route-recognizer@0.3.4:
     resolution: {integrity: sha512-2+MhsfPhvauN1O8KaXpXAOfR/fwe8dnUXVM+xw7yt40lJRfPVQxV6yryZm0cgRvAj5fMF/mdRZbL2ptwbs5i2g==}
 
+  router@2.2.0:
+    resolution: {integrity: sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==}
+    engines: {node: '>= 18'}
+
   router_js@8.0.6:
     resolution: {integrity: sha512-AjGxRDIpTGoAG8admFmvP/cxn1AlwwuosCclMU4R5oGHGt7ER0XtB3l9O04ToBDdPe4ivM/YcLopgBEpJssJ/Q==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
@@ -7103,8 +7137,8 @@ packages:
   rxjs@7.8.2:
     resolution: {integrity: sha512-dhKf903U/PQZY6boNNtAGdWbG85WAbjT/1xYoZIC7FAY0yWapOBQVsVrDl58W86//e1VpMNBtRV4MaXfdMySFA==}
 
-  safe-array-concat@1.1.3:
-    resolution: {integrity: sha512-AURm5f0jYEOydBj7VQlVvDrjeFgthDdEF5H1dP+6mNpoXOMo1quQqJ4wvJDyRZ9+pO3kGWoOdmV08cSv2aJV6Q==}
+  safe-array-concat@1.1.4:
+    resolution: {integrity: sha512-wtZlHyOje6OZTGqAoaDKxFkgRtkF9CnHAVnCHKfuj200wAgL+bSJhdsCD2l0Qx/2ekEXjPWcyKkfGb5CPboslg==}
     engines: {node: '>=0.4'}
 
   safe-buffer@5.1.2:
@@ -7145,14 +7179,9 @@ packages:
     engines: {node: 10.* || >= 12.*}
     hasBin: true
 
-  sass@1.88.0:
-    resolution: {integrity: sha512-sF6TWQqjFvr4JILXzG4ucGOLELkESHL+I5QJhh7CNaE+Yge0SI+ehCatsXhJ7ymU1hAFcIS3/PBpjdIbXoyVbg==}
-    engines: {node: '>=14.0.0'}
-    hasBin: true
-
-  sass@1.89.0:
-    resolution: {integrity: sha512-ld+kQU8YTdGNjOLfRWBzewJpU5cwEv/h5yyqlSeJcj6Yh8U4TDA9UA5FPicqDz/xgRPWRSYIQNiFks21TbA9KQ==}
-    engines: {node: '>=14.0.0'}
+  sass@1.100.0:
+    resolution: {integrity: sha512-B5j0rYMlinhhOo9tjQebMVVn0TfyXAF+wB3b2ggZUuJ/is/Y+7+JGjirAMxHZ9Z3hIP98NPfamlAkBHa1lAaXQ==}
+    engines: {node: '>=20.19.0'}
     hasBin: true
 
   schema-utils@2.7.1:
@@ -7163,8 +7192,8 @@ packages:
     resolution: {integrity: sha512-pN/yOAvcC+5rQ5nERGuwrjLlYvLTbCibnZ1I7B1LaiAz9BRBlE9GMgE/eqV30P7aJQUf7Ddimy/RsbYO/GrVGg==}
     engines: {node: '>= 10.13.0'}
 
-  schema-utils@4.3.2:
-    resolution: {integrity: sha512-Gn/JaSk/Mt9gYubxTtSn/QCV4em9mpAPiR1rqy/Ocu19u/G9J5WWdNoUT4SiV6mFC3y6cxyFcFwdzPM3FgxGAQ==}
+  schema-utils@4.3.3:
+    resolution: {integrity: sha512-eflK8wEtyOE6+hsaRVPxvUKYCpRgzLqDTb8krvAsRIwOGlHoSgYLgBXoubGgLd2fT41/OUYdb48v4k4WWHQurA==}
     engines: {node: '>= 10.13.0'}
 
   semver@5.7.2:
@@ -7175,27 +7204,27 @@ packages:
     resolution: {integrity: sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==}
     hasBin: true
 
-  semver@7.7.2:
-    resolution: {integrity: sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==}
+  semver@7.8.1:
+    resolution: {integrity: sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==}
     engines: {node: '>=10'}
     hasBin: true
 
-  semver@7.7.3:
-    resolution: {integrity: sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==}
-    engines: {node: '>=10'}
-    hasBin: true
-
-  send@0.19.0:
-    resolution: {integrity: sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==}
+  send@0.19.2:
+    resolution: {integrity: sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==}
     engines: {node: '>= 0.8.0'}
 
-  serialize-javascript@3.1.0:
-    resolution: {integrity: sha512-JIJT1DGiWmIKhzRsG91aS6Ze4sFUrYbltlkg2onR5OrnNM02Kl/hnY/T4FN2omvyeBbQmMJv+K4cPOpGzOTFBg==}
+  send@1.2.1:
+    resolution: {integrity: sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==}
+    engines: {node: '>= 18'}
 
-  serve-static@1.16.2:
-    resolution: {integrity: sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==}
+  serve-static@1.16.3:
+    resolution: {integrity: sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==}
     engines: {node: '>= 0.8.0'}
 
+  serve-static@2.2.1:
+    resolution: {integrity: sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==}
+    engines: {node: '>= 18'}
+
   set-blocking@2.0.0:
     resolution: {integrity: sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==}
 
@@ -7237,15 +7266,15 @@ packages:
     resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==}
     engines: {node: '>=8'}
 
-  shell-quote@1.8.2:
-    resolution: {integrity: sha512-AzqKpGKjrj7EM6rKVQEPpB288oCfnrEIuyoT9cyF4nmGa7V8Zk6f7RRqYisX8X9m+Q7bd632aZW4ky7EhbQztA==}
+  shell-quote@1.8.4:
+    resolution: {integrity: sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==}
     engines: {node: '>= 0.4'}
 
   shellwords@0.1.1:
     resolution: {integrity: sha512-vFwSUfQvqybiICwZY5+DAWIPLKsWO31Q91JSKl3UYv+K5c2QRPzn0qzec6QPu1Qc9eHYItiP3NdJqNVqetYAww==}
 
-  side-channel-list@1.0.0:
-    resolution: {integrity: sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==}
+  side-channel-list@1.0.1:
+    resolution: {integrity: sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==}
     engines: {node: '>= 0.4'}
 
   side-channel-map@1.0.1:
@@ -7296,33 +7325,24 @@ packages:
     resolution: {integrity: sha512-FC+lgizVPfie0kkhqUScwRu1O/lF6NOgJmlCgK+/LYxDCTk8sGelYaHDhFcDN+Sn3Cv+3VSa4Byeo+IMCzpMgQ==}
     engines: {node: '>=12'}
 
-  slice-ansi@7.1.0:
-    resolution: {integrity: sha512-bSiSngZ/jWeX93BqeIAbImyTbEihizcwNjFoRUIY/T1wWQsfsm2Vw1agPKylXvQTU7iASGdHhyqRlqQzfz+Htg==}
+  slice-ansi@7.1.2:
+    resolution: {integrity: sha512-iOBWFgUX7caIZiuutICxVgX1SdxwAVFFKwt1EvMYYec/NWO5meOJ6K5uQxhrYBdQJne4KxiqZc+KptFOWFSI9w==}
     engines: {node: '>=18'}
 
   snake-case@3.0.4:
     resolution: {integrity: sha512-LAOh4z89bGQvl9pFfNF8V146i7o7/CqFPbqzYgP+yYzDIDeS9HaNFtXABamRW+AQzEVODcvE79ljJ+8a9YSdMg==}
 
-  socket.io-adapter@2.5.5:
-    resolution: {integrity: sha512-eLDQas5dzPgOWCk9GuuJC2lBqItuhKI4uxGgo9aIV7MYbk2h9Q6uULEh8WBzThoI7l+qU9Ast9fVUmkqPP9wYg==}
+  socket.io-adapter@2.5.7:
+    resolution: {integrity: sha512-e0LyK91f3cUxTmv95/KzoLg47+zF+s/sbxRGDNsyG4dmIP8ZSX8ax6byOxfJXeNNtS/8AZlfD+uP7gBeR7DLlg==}
 
-  socket.io-parser@4.2.4:
-    resolution: {integrity: sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==}
+  socket.io-parser@4.2.6:
+    resolution: {integrity: sha512-asJqbVBDsBCJx0pTqw3WfesSY0iRX+2xzWEWzrpcH7L6fLzrhyF8WPI8UaeM4YCuDfpwA/cgsdugMsmtz8EJeg==}
     engines: {node: '>=10.0.0'}
 
-  socket.io@4.8.1:
-    resolution: {integrity: sha512-oZ7iUCxph8WYRHHcjBEc9unw3adt5CmSNlppj/5Q4k2RIrhl8Z5yY2Xr4j9zj0+wzVZ0bxmYoGSzKJnRl6A4yg==}
+  socket.io@4.8.3:
+    resolution: {integrity: sha512-2Dd78bqzzjE6KPkD5fHZmDAKRNe3J15q+YHDrIsy9WEkqttc7GY+kT9OBLSMaPbQaEd0x1BjcmtMtXkfpc+T5A==}
     engines: {node: '>=10.2.0'}
 
-  sort-array@5.0.0:
-    resolution: {integrity: sha512-Sg9MzajSGprcSrMIxsXyNT0e0JB47RJRfJspC+7co4Z5BdNsNl8FmWI+lXEpyKq+vkMG6pHgAhqyCO+bkDTfFQ==}
-    engines: {node: '>=12.17'}
-    peerDependencies:
-      '@75lb/nature': ^0.1.1
-    peerDependenciesMeta:
-      '@75lb/nature':
-        optional: true
-
   sort-object-keys@1.1.3:
     resolution: {integrity: sha512-855pvK+VkU7PaKYPc+Jjnmt4EzejQHyhhF33q31qG8x7maDzkeFhAAThdCYay11CISO+qAMwjOBP+fPZe0IPyg==}
 
@@ -7363,9 +7383,6 @@ packages:
   spawn-args@0.2.0:
     resolution: {integrity: sha512-73BoniQDcRWgnLAf/suKH6V5H54gd1KLzwYN9FB6J/evqTV33htH9xwV/4BHek+++jzxpVlZQKKZkqstPQPmQg==}
 
-  sprintf-js@1.0.3:
-    resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==}
-
   sprintf-js@1.1.3:
     resolution: {integrity: sha512-Oo+0REFV59/rz3gfJNKQiBlwfHaSESl1pcGyABQsnnIfWOFt6JNj5gCog2U6MLZ//IGYD+nA8nI+mTShREReaA==}
 
@@ -7381,18 +7398,13 @@ packages:
     resolution: {integrity: sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==}
     engines: {node: '>= 0.6'}
 
-  statuses@2.0.1:
-    resolution: {integrity: sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==}
+  statuses@2.0.2:
+    resolution: {integrity: sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==}
     engines: {node: '>= 0.8'}
 
-  stream-connect@1.0.2:
-    resolution: {integrity: sha512-68Kl+79cE0RGKemKkhxTSg8+6AGrqBt+cbZAXevg2iJ6Y3zX4JhA/sZeGzLpxW9cXhmqAcE7KnJCisUmIUfnFQ==}
-    engines: {node: '>=0.10.0'}
-    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
-
-  stream-via@1.0.4:
-    resolution: {integrity: sha512-DBp0lSvX5G9KGRDTkR/R+a29H+Wk2xItOF+MpZLLNDWbEV9tGPnqLPxHEYjmiz8xGtJHRIqmI+hCjmNzqoA4nQ==}
-    engines: {node: '>=0.10.0'}
+  stop-iteration-iterator@1.1.0:
+    resolution: {integrity: sha512-eLoXW/DHyl62zxY4SCaIgnRhuMr6ri4juEYARS8E6sCEqzKpOiE521Ucofdx+KnDZl5xmvGYaaKCk5FEOxJCoQ==}
+    engines: {node: '>= 0.4'}
 
   string-argv@0.3.2:
     resolution: {integrity: sha512-aqD2Q0144Z+/RqG52NeHEkZauTAUWJO8c6yTftGJKO3Tja5tUgIfmIl6kExvhtxSDP7fXB6DvzkfMpCd/F3G+Q==}
@@ -7446,11 +7458,6 @@ packages:
   stringify-entities@3.1.0:
     resolution: {integrity: sha512-3FP+jGMmMV/ffZs86MoghGqAoqXAdxLrJP4GUdrDN1aIScYih5tuIO3eF4To5AJZ79KDZ8Fpdy7QJnK8SsL1Vg==}
 
-  strip-ansi@0.1.1:
-    resolution: {integrity: sha512-behete+3uqxecWlDAm5lmskaSaISA+ThQ4oNNBDTBJt0x2ppR6IPqfZNuj6BLaLJ/Sji4TPZlcRyOis8wXQTLg==}
-    engines: {node: '>=0.8.0'}
-    hasBin: true
-
   strip-ansi@3.0.1:
     resolution: {integrity: sha512-VhumSSbBqDTP8p2ZLKj40UjBCV4+v8bUSEpUb4KjRgWk9pbqGF4REFj6KEagidb2f/M6AzC0EmFyDNGaw9OCzg==}
     engines: {node: '>=0.10.0'}
@@ -7467,8 +7474,8 @@ packages:
     resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
     engines: {node: '>=8'}
 
-  strip-ansi@7.1.0:
-    resolution: {integrity: sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==}
+  strip-ansi@7.2.0:
+    resolution: {integrity: sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==}
     engines: {node: '>=12'}
 
   strip-bom@4.0.0:
@@ -7487,6 +7494,10 @@ packages:
     resolution: {integrity: sha512-dOESqjYr96iWYylGObzd39EuNTa5VJxyvVAEm5Jnh7KGo75V43Hk1odPQkNDyXNmUR6k+gEiDVXnjB8HJ3crXw==}
     engines: {node: '>=12'}
 
+  strip-final-newline@4.0.0:
+    resolution: {integrity: sha512-aulFJcD6YK8V1G7iRB5tigAP4TsHBZZrOV8pjV++zdUwmeV8uzbY7yn6h9MswN62adStNZFuCIx4haBnRuMDaw==}
+    engines: {node: '>=18'}
+
   strip-json-comments@3.1.1:
     resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==}
     engines: {node: '>=8'}
@@ -7500,8 +7511,8 @@ packages:
     peerDependencies:
       webpack: ^4.0.0 || ^5.0.0
 
-  style-mod@4.1.2:
-    resolution: {integrity: sha512-wnD1HyVqpJUI2+eKZ+eo1UwghftP6yuFheBqqe+bWCotBjC2K1YnteJILRMs3SM4V/0dLEW1SC27MWP5y+mwmw==}
+  style-mod@4.1.3:
+    resolution: {integrity: sha512-i/n8VsZydrugj3Iuzll8+x/00GH2vnYsk1eomD8QiRrSAeW6ItbCQDtfXCeJHd0iwiNagqjQkvpvREEPtW3IoQ==}
 
   styled_string@0.0.1:
     resolution: {integrity: sha512-DU2KZiB6VbPkO2tGSqQ9n96ZstUPjW7X4sGO6V2m1myIQluX0p1Ol8BrA/l6/EesqhMqXOIXs3cJNOy1UuU2BA==}
@@ -7573,52 +7584,74 @@ packages:
     resolution: {integrity: sha512-vngT2JmkSapgq0z7uIoYtB9kWOOzMihAAYq/D3Pjm/ODOGMgS4r++B+OZ09U4hWR6EaOdy9eqQ7/8ygbH3wehA==}
     engines: {node: 8.* || >= 10.*}
 
-  synckit@0.11.6:
-    resolution: {integrity: sha512-2pR2ubZSV64f/vqm9eLPz/KOvR9Dm+Co/5ChLgeHl0yEDRc6h5hXHoxEQH8Y5Ljycozd3p1k5TTSVdzYGkPvLw==}
+  synckit@0.11.12:
+    resolution: {integrity: sha512-Bh7QjT8/SuKUIfObSXNHNSK6WHo6J1tHCqJsuaFDP7gP0fkzSfTxI8y85JrppZ0h8l0maIgc2tfuZQ6/t3GtnQ==}
     engines: {node: ^14.18.0 || >=16.0.0}
 
-  tabbable@5.3.3:
-    resolution: {integrity: sha512-QD9qKY3StfbZqWOPLp0++pOrAVb/HbUi5xCc8cUo4XjP19808oaMiDzn0leBY5mCespIBM0CIZePzZjgzR83kA==}
-
-  tabbable@6.2.0:
-    resolution: {integrity: sha512-Cat63mxsVJlzYvN51JmVXIgNoUokrIaT2zLclCXjRd8boZ0004U4KCs/sToJ75C6sdlByWxpYnb5Boif1VSFew==}
-
-  table-layout@0.4.5:
-    resolution: {integrity: sha512-zTvf0mcggrGeTe/2jJ6ECkJHAQPIYEwDoqsiqBjI24mvRmQbInK5jq33fyypaCBxX08hMkfmdOqj6haT33EqWw==}
-    engines: {node: '>=4.0.0'}
+  tabbable@6.4.0:
+    resolution: {integrity: sha512-05PUHKSNE8ou2dwIxTngl4EzcnsCDZGJ/iCLtDflR/SHB/ny14rXc+qU5P4mG9JkusiV7EivzY9Mhm55AzAvCg==}
 
   table@6.9.0:
     resolution: {integrity: sha512-9kY+CygyYM6j02t5YFHbNz2FN5QmYGv9zAjVp4lCDjlCw7amdckXlEt/bjMhUIfj4ThGRE4gCUH5+yGnNuPo5A==}
     engines: {node: '>=10.0.0'}
 
-  tap-parser@7.0.0:
-    resolution: {integrity: sha512-05G8/LrzqOOFvZhhAk32wsGiPZ1lfUrl+iV7+OkKgfofZxiceZWMHkKmow71YsyVQ8IvGBP2EjcIjE5gL4l5lA==}
+  tap-parser@18.3.4:
+    resolution: {integrity: sha512-CiqzdpWn2CvONcWp7UNMF9/rCPJwCz0es+qykkgJruu1Y/rAS8A5MEQujmjx9NErfst3dGiZJU3lDS2jBsgbPA==}
+    engines: {node: 20 || >=22}
     hasBin: true
 
-  tapable@2.2.2:
-    resolution: {integrity: sha512-Re10+NauLTMCudc7T5WLFLAwDhQ0JWdrMK+9B2M8zR5hRExKmsRDCBA7/aV/pNJFltmBFO5BAMlQFi/vq3nKOg==}
-    engines: {node: '>=6'}
+  tap-yaml@4.4.2:
+    resolution: {integrity: sha512-03mQI7QhfVZHJqGgFyxNTgUbgsG41ZzpWSb7k1Gangmf9hF71Jpb0Fczs7KtOdUDaHx+KxlPUdM2pQJaijebGA==}
+    engines: {node: 20 || >=22}
 
-  temp-path@1.0.0:
-    resolution: {integrity: sha512-TvmyH7kC6ZVTYkqCODjJIbgvu0FKiwQpZ4D1aknE7xpcDf/qEOB8KZEK5ef2pfbVoiBhNWs3yx4y+ESMtNYmlg==}
+  tapable@2.3.3:
+    resolution: {integrity: sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A==}
+    engines: {node: '>=6'}
 
   temp@0.9.4:
     resolution: {integrity: sha512-yYrrsWnrXMcdsnu/7YMYAofM1ktpL5By7vZhf15CrXijWWrEYZks5AXBudalfSWJLlnen/QUJUB5aoB0kqZUGA==}
     engines: {node: '>=6.0.0'}
 
-  terser-webpack-plugin@5.3.14:
-    resolution: {integrity: sha512-vkZjpUjb6OMS7dhV+tILUW6BhpDR7P2L/aQSAv+Uwk+m8KATX9EccViHTJR2qDtACKPIYndLGCyl3FMo+r2LMw==}
+  terser-webpack-plugin@5.6.0:
+    resolution: {integrity: sha512-Eum+5ajkaOhf5KbM26osvv21kLD7BaGqQ1UA4Ami4arYwylmGUQTgHFpHDdmJod1q4QXa66p0to/FBKID+J1vA==}
     engines: {node: '>= 10.13.0'}
     peerDependencies:
+      '@minify-html/node': '*'
       '@swc/core': '*'
+      '@swc/css': '*'
+      '@swc/html': '*'
+      clean-css: '*'
+      cssnano: '*'
+      csso: '*'
       esbuild: '*'
+      html-minifier-terser: '*'
+      lightningcss: '*'
+      postcss: '*'
       uglify-js: '*'
       webpack: ^5.1.0
     peerDependenciesMeta:
+      '@minify-html/node':
+        optional: true
       '@swc/core':
         optional: true
+      '@swc/css':
+        optional: true
+      '@swc/html':
+        optional: true
+      clean-css:
+        optional: true
+      cssnano:
+        optional: true
+      csso:
+        optional: true
       esbuild:
         optional: true
+      html-minifier-terser:
+        optional: true
+      lightningcss:
+        optional: true
+      postcss:
+        optional: true
       uglify-js:
         optional: true
 
@@ -7627,22 +7660,14 @@ packages:
     engines: {node: '>=6.0.0'}
     hasBin: true
 
-  terser@5.39.2:
-    resolution: {integrity: sha512-yEPUmWve+VA78bI71BW70Dh0TuV4HHd+I5SHOAfS1+QBOmvmCiiffgjR8ryyEd3KIfvPGFqoADt8LdQ6XpXIvg==}
+  terser@5.48.0:
+    resolution: {integrity: sha512-J/9An6vs9Us6wKRriSFXBWdRZapREHqFzdNUKk0pmu804EMR6dr6winwo7e5JDxN4xahxQsuysyYFwlwj4XN/Q==}
     engines: {node: '>=10'}
     hasBin: true
 
-  test-value@2.1.0:
-    resolution: {integrity: sha512-+1epbAxtKeXttkGFMTX9H42oqzOTufR1ceCF+GYA5aOmvaPq9wd4PUS8329fn2RRLGNeUkgRLnVpycjx8DsO2w==}
-    engines: {node: '>=0.10.0'}
-
-  test-value@3.0.0:
-    resolution: {integrity: sha512-sVACdAWcZkSU9x7AOmJo5TqE+GyNJknHaHsMrR6ZnhjVlVN9Yx6FjHrsKZ3BjIpPCT68zYesPWkakrNupwfOTQ==}
-    engines: {node: '>=4.0.0'}
-
-  testem@3.16.0:
-    resolution: {integrity: sha512-TKQ3CuG/u+vDa7IUQgRQHN753wjDlgYMWE45KF5WkXyWjTNxXHPrY0qPBmHWI+kDYWc3zsJqzbS7pdzt5sc33A==}
-    engines: {node: '>= 7.*'}
+  testem@3.20.0:
+    resolution: {integrity: sha512-SSFfJQK/SGruISFjoKG2jCYwK596wWNPJFj2Wo77GzeIUxZ8ZjuwpyF01uekTLu4ITL6i9R4m1sWaKPK/HsunA==}
+    engines: {node: ^20.19.0 || ^22.12.0 || >=24.0.0}
     hasBin: true
 
   tether@2.0.0:
@@ -7685,8 +7710,8 @@ packages:
     resolution: {integrity: sha512-J7Z2K08jbGcdA1kkQpJSqLF6T0tdQqpR2pnSUXsIchbPdTI9v3e85cLW0d6WDhwuAleOV71j2xWs8qMPfK7nKw==}
     engines: {node: '>=6'}
 
-  tmp@0.2.3:
-    resolution: {integrity: sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==}
+  tmp@0.2.5:
+    resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==}
     engines: {node: '>=14.14'}
 
   tmpl@1.0.5:
@@ -7710,17 +7735,13 @@ packages:
   tracked-built-ins@3.4.0:
     resolution: {integrity: sha512-aRwWQXC3VkY50oYxS7wKZiavkjf3uaN+UYUH30D5gxUqbxDN2LnNsfWyDfckmxHUGw4gJDH5lpRS0jX/tim0vw==}
 
-  tracked-built-ins@4.0.0:
-    resolution: {integrity: sha512-0Jl43A1SDZd+yYCJvXfgDSn4Wk/zcawkyFTBPqOETU5UJRngnVEnQ8oOjawqPRg6qja3sKjIQ8z6X9xJzcUTUA==}
+  tracked-built-ins@4.1.2:
+    resolution: {integrity: sha512-KiiV/Pzi7VNKTn9Fip6Ic54AjKgFfqows1Jq3L0WLVqZcvfswdhVxQ9yqqhTXsmgLhVzIgtdzNBH4ExqWf34BQ==}
 
   tracked-maps-and-sets@3.0.2:
     resolution: {integrity: sha512-UIRcWsX1kDOcC/Q2R58weYWlw01EnmWWBwUv3okWS+zMBvsgIfYoO6veHhuNE3hgzWCEImNp46QS5CyKnw5QUA==}
     engines: {node: 12.* || >= 14}
 
-  traverse@0.6.11:
-    resolution: {integrity: sha512-vxXDZg8/+p3gblxB6BhhG5yWVn1kGRlaL8O78UDXc3wRnPizB5g83dcvWV1jpDMIPnjZjOFuxlMmE82XJ4407w==}
-    engines: {node: '>= 0.4'}
-
   tree-kill@1.2.2:
     resolution: {integrity: sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==}
     hasBin: true
@@ -7783,6 +7804,10 @@ packages:
     resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==}
     engines: {node: '>= 0.6'}
 
+  type-is@2.1.0:
+    resolution: {integrity: sha512-faYHw0anBbc/kWF3zFTEnxSFOAGUX9GFbOBthvDdLsIlEoWOFOtS0zgCiQYwIskL9iGXZL3kAXD8OoZ4GmMATA==}
+    engines: {node: '>= 18'}
+
   typed-array-buffer@1.0.3:
     resolution: {integrity: sha512-nAYYwfY3qnzX30IkA6AQZjVbtK6duGontcQm1WSG1MD94YLqK0515GNApXkoxKOWMusVssAHWLh9SeaoefYFGw==}
     engines: {node: '>= 0.4'}
@@ -7802,10 +7827,6 @@ packages:
   typedarray-to-buffer@3.1.5:
     resolution: {integrity: sha512-zdu8XMNEDepKKR+XYOXAVPtWui0ly0NtohUscw+UmaHiAWT8hrV1rr//H6V+0DvJ3OQ19S979M0laLfX8rm82Q==}
 
-  typedarray.prototype.slice@1.0.5:
-    resolution: {integrity: sha512-q7QNVDGTdl702bVFiI5eY4l/HkgCM6at9KhcFbgUAzezHFbOVy4+0O/lCjsABEQwbZPravVfBIiBVGo89yzHFg==}
-    engines: {node: '>= 0.4'}
-
   typescript-memoize@1.1.1:
     resolution: {integrity: sha512-GQ90TcKpIH4XxYTI2F98yEQYZgjNMOGPpOgdjIBhaLaWji5HPWlRnZ4AeA1hfBxtY7bCGDJsqDDHk/KaHOl5bA==}
 
@@ -7814,25 +7835,11 @@ packages:
     engines: {node: '>=4.2.0'}
     hasBin: true
 
-  typescript@5.5.4:
-    resolution: {integrity: sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==}
+  typescript@5.6.3:
+    resolution: {integrity: sha512-hjcS1mhfuyi4WW8IWtjP7brDrG2cuDZukyrYrSauoXGNgx0S7zceP07adYkJycEr56BOUTNPzbInooiN3fn1qw==}
     engines: {node: '>=14.17'}
     hasBin: true
 
-  typical@2.6.1:
-    resolution: {integrity: sha512-ofhi8kjIje6npGozTip9Fr8iecmYfEbS06i0JnIg+rh51KakryWF4+jX8lLKZVhy6N+ID45WYSFCxPOdTWCzNg==}
-
-  typical@4.0.0:
-    resolution: {integrity: sha512-VAH4IvQ7BDFYglMd7BPRDfLgxZZX4O4TFcRDA6EN5X7erNJJq+McIEp8np9aVtxrCJ6qx4GTYVfOWNjcqwZgRw==}
-    engines: {node: '>=8'}
-
-  typical@7.3.0:
-    resolution: {integrity: sha512-ya4mg/30vm+DOWfBg4YK3j2WD6TWtRkCbasOJr40CseYENzCUby/7rIvXA99JGsQHeNxLbnXdyLLxKSv3tauFw==}
-    engines: {node: '>=12.17'}
-
-  uc.micro@1.0.6:
-    resolution: {integrity: sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==}
-
   uc.micro@2.1.0:
     resolution: {integrity: sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==}
 
@@ -7848,11 +7855,11 @@ packages:
   underscore.string@3.3.6:
     resolution: {integrity: sha512-VoC83HWXmCrF6rgkyxS9GHv8W9Q5nhMKho+OadDJGzL2oDYbYEppBaCMH6pFlwLeqj2QS+hhkw2kpXkSdD1JxQ==}
 
-  underscore@1.13.7:
-    resolution: {integrity: sha512-GMXzWtsc57XAtguZgaQViUOzs0KTkk8ojr3/xAxXLITqf/3EMwxC0inyETfDFjH/Krbhuep0HNbbjI9i/q3F3g==}
+  underscore@1.13.8:
+    resolution: {integrity: sha512-DXtD3ZtEQzc7M8m4cXotyHR+FAS18C64asBYY5vqZexfYryNNnDc02W4hKg3rdQuqOYas1jkseX0+nZXjTXnvQ==}
 
-  undici-types@7.16.0:
-    resolution: {integrity: sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==}
+  undici-types@7.24.6:
+    resolution: {integrity: sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg==}
 
   unicode-canonical-property-names-ecmascript@2.0.1:
     resolution: {integrity: sha512-dA8WbNeb2a6oQzAQ55YlT5vQAWGV9WXOsi3SskE3bcCdM0P4SDd+24zS/OCacdRq5BkdsRj9q3Pg6YyQoxIGqg==}
@@ -7862,12 +7869,12 @@ packages:
     resolution: {integrity: sha512-5kaZCrbp5mmbz5ulBkDkbY0SsPOjKqVS35VpL9ulMPfSl0J0Xsm+9Evphv9CoIZFwre7aJoa94AY6seMKGVN5Q==}
     engines: {node: '>=4'}
 
-  unicode-match-property-value-ecmascript@2.2.0:
-    resolution: {integrity: sha512-4IehN3V/+kkr5YeSSDDQG8QLqO26XpL2XP3GQtqwlT/QYSECAwFztxVHjlbh0+gjJ3XmNLS0zDsbgs9jWKExLg==}
+  unicode-match-property-value-ecmascript@2.2.1:
+    resolution: {integrity: sha512-JQ84qTuMg4nVkx8ga4A16a1epI9H6uTXAknqxkGF/aFfRLw1xC/Bp24HNLaZhHSkWd3+84t8iXnp1J0kYcZHhg==}
     engines: {node: '>=4'}
 
-  unicode-property-aliases-ecmascript@2.1.0:
-    resolution: {integrity: sha512-6t3foTQI9qne+OZoVQB/8x8rk2k1eVy1gRXhV3oFQ5T6R1dqQ1xtin3XqSlx3+ATBkliTaR/hHyJBm+LVPNM8w==}
+  unicode-property-aliases-ecmascript@2.2.0:
+    resolution: {integrity: sha512-hpbDzxUY9BFwX+UeBnxv3Sh1q7HFxj48DTmXchNgRa46lO8uj3/1iEn3MiNUYTg1g9ctIqXCCERn8gYZhHC5lQ==}
     engines: {node: '>=4'}
 
   unicorn-magic@0.1.0:
@@ -7925,15 +7932,12 @@ packages:
     resolution: {integrity: sha512-1uEe95xksV1O0CYKXo8vQvN1JEbtJp7lb7C5U9HMsIp6IVwntkH/oNUzyVNQSd4S1sYk2FpSSW44FqMc8qee5w==}
     engines: {node: '>=4'}
 
-  update-browserslist-db@1.1.3:
-    resolution: {integrity: sha512-UxhIZQ+QInVdunkDAaiazvvT/+fXL5Osr0JZlJulepYu6Jd7qJtDZjlur0emRlT71EN3ScPoE7gvsuIKKNavKw==}
+  update-browserslist-db@1.2.3:
+    resolution: {integrity: sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==}
     hasBin: true
     peerDependencies:
       browserslist: '>= 4.21.0'
 
-  update-section@0.3.3:
-    resolution: {integrity: sha512-BpRZMZpgXLuTiKeiu7kK0nIPwGdyrqrs6EDSaXtjD/aQ2T+qVo9a5hRC3HN3iJjCMxNT/VxoLGQ7E/OzE5ucnw==}
-
   uri-js@4.4.1:
     resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==}
 
@@ -7949,10 +7953,12 @@ packages:
 
   uuid@8.3.2:
     resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
+    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   uuid@9.0.1:
     resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
+    deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
     hasBin: true
 
   v8-compile-cache@2.4.0:
@@ -7988,14 +7994,6 @@ packages:
   w3c-keyname@2.2.8:
     resolution: {integrity: sha512-dpojBhNsCNN7T82Tm7k26A6G9ML3NkhDsnw9n/eoxSRlVBB4CEtIQ/KTCLI2Fwf3ataSXRhYFkQi3SlnFwPvPQ==}
 
-  walk-back@2.0.1:
-    resolution: {integrity: sha512-Nb6GvBR8UWX1D+Le+xUq0+Q1kFmRBIWVrfLnQAOmcpEzA9oAxwJ9gIr36t9TWYfzvWRvuMtjHiVsJYEkXWaTAQ==}
-    engines: {node: '>=0.10.0'}
-
-  walk-back@5.1.1:
-    resolution: {integrity: sha512-e/FRLDVdZQWFrAzU6Hdvpm7D7m2ina833gIKLptQykRK49mmCYHLHq7UqjPDbxbKLZkTkW1rFqbengdE3sLfdw==}
-    engines: {node: '>=12.17'}
-
   walk-sync@0.2.7:
     resolution: {integrity: sha512-OH8GdRMowEFr0XSHQeX5fGweO6zSVHo7bG/0yJQx6LAj9Oukz0C8heI3/FYectT66gY0IPGe89kOvU410/UNpg==}
 
@@ -8024,8 +8022,8 @@ packages:
     resolution: {integrity: sha512-MrJK9z7kD5Gl3jHBnnBVHvr1saVGAfmkyyrvuNzV/oe0Gr1nwZTy5VSA0Gw2j2Or0Mu8HcjUa44qlBvC2Ofnpg==}
     engines: {node: '>= 8'}
 
-  watchpack@2.4.4:
-    resolution: {integrity: sha512-c5EGNOiyxxV5qmTtAB7rbiXxi1ooX1pQKMLX/MIabJjRA0SJBQOjKF+KSVfHkr9U1cADPon0mRiVe/riyaiDUA==}
+  watchpack@2.5.1:
+    resolution: {integrity: sha512-Zn5uXdcFNIA1+1Ei5McRd+iRzfhENPCe7LeABkJtNulSxjma+l7ltNx55BWZkRlwRnpOgHqxnjyaDgJnNXnqzg==}
     engines: {node: '>=10.13.0'}
 
   wcwidth@1.0.1:
@@ -8052,12 +8050,12 @@ packages:
     resolution: {integrity: sha512-hXXvrjtx2PLYx4qruKl+kyRSLc52V+cCvMxRjmKwoA+CBbbF5GfIBtR6kCvl0fYGqTUPKB+1ktVmTHqMOzgCBg==}
     engines: {node: '>=18.0.0'}
 
-  webpack-sources@3.2.3:
-    resolution: {integrity: sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==}
+  webpack-sources@3.5.0:
+    resolution: {integrity: sha512-HPuy+uuoTCaaoEoI1LQ3JN9+vrPBvEesnnX1jADHy728cHSMlq4wUc4afYqahq2B1mhQVZxCXOkNTnXltr+2vQ==}
     engines: {node: '>=10.13.0'}
 
-  webpack@5.94.0:
-    resolution: {integrity: sha512-KcsGn50VT+06JH/iunZJedYGUJS5FGjow8wb9c0v5n1Om8O1g4L6LjtfxwlXIATopoQu+vOXXa7gYisWxCoPyg==}
+  webpack@5.107.2:
+    resolution: {integrity: sha512-v7RhXaJbpMlV0D7hC7lb2EbnxkoeUqf9qhKr6lozx3Q48pmFrqqNRmZFUEGmi7pSwm6fCQ2H1IjvCkHqdpVdjQ==}
     engines: {node: '>=10.13.0'}
     hasBin: true
     peerDependencies:
@@ -8089,8 +8087,8 @@ packages:
   which-module@2.0.1:
     resolution: {integrity: sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==}
 
-  which-typed-array@1.1.19:
-    resolution: {integrity: sha512-rEvr90Bck4WZt9HHFC4DJMsjvu7x+r6bImz0/BrbWb7A2djJ8hnZMrWnHo9F8ssv0OMErasDhftrfROTyqSDrw==}
+  which-typed-array@1.1.21:
+    resolution: {integrity: sha512-zbRA8cVm6io/d5W8uIe2hblzN76/Wm3v/yiythQvr+dpBWeqhPSWIDNj4zOyHi4zKbMK6DN34Xsr9jPHJERAEw==}
     engines: {node: '>= 0.4'}
 
   which@1.3.1:
@@ -8115,10 +8113,6 @@ packages:
   wordwrap@1.0.0:
     resolution: {integrity: sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==}
 
-  wordwrapjs@3.0.0:
-    resolution: {integrity: sha512-mO8XtqyPvykVCsrwj5MlOVWvSnCdT+C+QVbm6blradR7JExAhbkZ7hZ9A+9NUtwzSqrlUo9a67ws0EiILrvRpw==}
-    engines: {node: '>=4.0.0'}
-
   workerpool@3.1.2:
     resolution: {integrity: sha512-WJFA0dGqIK7qj7xPTqciWBH5DlJQzoPjsANvc3Y4hNB0SScT+Emjvt0jPPkDBUjBNngX1q9hHgt1Gfwytu6pug==}
 
@@ -8144,8 +8138,8 @@ packages:
     resolution: {integrity: sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==}
     engines: {node: '>=12'}
 
-  wrap-ansi@9.0.0:
-    resolution: {integrity: sha512-G8ura3S+3Z2G+mkgNRq8dqaFZAuxfsxpBB8OCTGRTCtp+l/v9nbFNmCUP1BZMts3G1142MsZfn6eeUKrr4PD1Q==}
+  wrap-ansi@9.0.2:
+    resolution: {integrity: sha512-42AtmgqjV+X1VpdOfyTGOYRi0/zsoLqtXQckTmqTeybT+BDIbM/Guxo7x3pE2vtpr1ok6xRqM9OpBe+Jyoqyww==}
     engines: {node: '>=18'}
 
   wrappy@1.0.2:
@@ -8158,8 +8152,8 @@ packages:
     resolution: {integrity: sha512-+QU2zd6OTD8XWIJCbffaiQeH9U73qIqafo1x6V1snCWYGJf6cVE0cDR4D8xRzcEnfI21IFrUPzPGtcPf8AC+Rw==}
     engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
 
-  ws@8.17.1:
-    resolution: {integrity: sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==}
+  ws@8.20.1:
+    resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==}
     engines: {node: '>=10.0.0'}
     peerDependencies:
       bufferutil: ^4.0.1
@@ -8174,9 +8168,6 @@ packages:
     resolution: {integrity: sha512-PSNhEJDejZYV7h50BohL09Er9VaIefr2LMAf3OEmpCkjOi34eYyQYAXUTjEQtZJTKcF0E2UKTh+osDLsgNim9Q==}
     engines: {node: '>=8'}
 
-  xmlcreate@2.0.4:
-    resolution: {integrity: sha512-nquOebG4sngPmGPICTS5EnxqhKbCmz5Ox5hsszI2T6U5qdrJizBc+0ilYSEjTSzU0yZcmvppztXe/5Al5fUwdg==}
-
   xtend@4.0.2:
     resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==}
     engines: {node: '>=0.4'}
@@ -8198,8 +8189,14 @@ packages:
     resolution: {integrity: sha512-Hv9xxHtsJ9228wNhk03xnlDReUuWVvHwM4rIbjdAXYvHLs17xjuyF50N6XXFMN6N0omBaqgOok/MCK3At9fTAg==}
     engines: {node: ^4.5 || 6.* || >= 7.*}
 
-  yaml@2.8.0:
-    resolution: {integrity: sha512-4lLa/EcQCB0cJkyts+FpIRx5G/llPxfP6VQU5KByHEhLxY3IJCH0f0Hy1MHI8sClTvsIb8qwRJ6R/ZdlDJ/leQ==}
+  yaml-types@0.4.0:
+    resolution: {integrity: sha512-XfbA30NUg4/LWUiplMbiufUiwYhgB9jvBhTWel7XQqjV+GaB79c2tROu/8/Tu7jO0HvDvnKWtBk5ksWRrhQ/0g==}
+    engines: {node: '>= 16', npm: '>= 7'}
+    peerDependencies:
+      yaml: ^2.3.0
+
+  yaml@2.9.0:
+    resolution: {integrity: sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==}
     engines: {node: '>= 14.6'}
     hasBin: true
 
@@ -8221,12 +8218,16 @@ packages:
     resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==}
     engines: {node: '>=10'}
 
-  yocto-queue@1.2.1:
-    resolution: {integrity: sha512-AyeEbWOu/TAXdxlV9wmGcR0+yh2j3vYPGOECcIj2S7MkrLyC7ne+oye2BKTItt0ii2PHk4cDy+95+LshzbXnGg==}
+  yocto-queue@1.2.2:
+    resolution: {integrity: sha512-4LCcse/U2MHZ63HAJVE+v71o7yOdIe4cZ70Wpf8D/IyjDKYQLV5GD46B+hSTjJsvV5PztjvHoU580EftxjDZFQ==}
     engines: {node: '>=12.20'}
 
-  yoctocolors-cjs@2.1.2:
-    resolution: {integrity: sha512-cYVsTjKl8b+FrnidjibDWskAv7UKOfcwaVZdp/it9n1s9fU3IkgDbhdIRKCW4JDsAlECJY0ytoVPT3sK6kideA==}
+  yoctocolors-cjs@2.1.3:
+    resolution: {integrity: sha512-U/PBtDf35ff0D8X8D0jfdzHYEPFxAI7jJlxZXwCSez5M3190m+QobIfh+sWDWSHMCWWJN2AWamkegn6vr6YBTw==}
+    engines: {node: '>=18'}
+
+  yoctocolors@2.1.2:
+    resolution: {integrity: sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug==}
     engines: {node: '>=18'}
 
   zwitch@1.0.5:
@@ -8236,13 +8237,13 @@ snapshots:
 
   '@ampproject/remapping@2.3.0':
     dependencies:
-      '@jridgewell/gen-mapping': 0.3.8
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/gen-mapping': 0.3.13
+      '@jridgewell/trace-mapping': 0.3.31
 
   '@babel/cli@7.27.2(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/trace-mapping': 0.3.31
       commander: 6.2.1
       convert-source-map: 2.0.0
       fs-readdir-recursive: 1.1.0
@@ -8253,55 +8254,55 @@ snapshots:
       '@nicolo-ribaudo/chokidar-2': 2.1.8-no-fsevents.3
       chokidar: 3.6.0
 
-  '@babel/code-frame@7.27.1':
+  '@babel/code-frame@7.29.7':
     dependencies:
-      '@babel/helper-validator-identifier': 7.27.1
+      '@babel/helper-validator-identifier': 7.29.7
       js-tokens: 4.0.0
       picocolors: 1.1.1
 
-  '@babel/compat-data@7.27.2': {}
+  '@babel/compat-data@7.29.7': {}
 
   '@babel/core@7.26.10':
     dependencies:
       '@ampproject/remapping': 2.3.0
-      '@babel/code-frame': 7.27.1
-      '@babel/generator': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.26.10)
-      '@babel/helpers': 7.27.1
-      '@babel/parser': 7.27.2
-      '@babel/template': 7.27.2
-      '@babel/traverse': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/code-frame': 7.29.7
+      '@babel/generator': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.26.10)
+      '@babel/helpers': 7.29.7
+      '@babel/parser': 7.29.7
+      '@babel/template': 7.29.7
+      '@babel/traverse': 7.29.7
+      '@babel/types': 7.29.7
       convert-source-map: 2.0.0
-      debug: 4.4.1
+      debug: 4.4.3
       gensync: 1.0.0-beta.2
       json5: 1.0.2
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/core@7.27.1':
+  '@babel/core@7.29.7':
     dependencies:
-      '@ampproject/remapping': 2.3.0
-      '@babel/code-frame': 7.27.1
-      '@babel/generator': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.27.1)
-      '@babel/helpers': 7.27.1
-      '@babel/parser': 7.27.2
-      '@babel/template': 7.27.2
-      '@babel/traverse': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/code-frame': 7.29.7
+      '@babel/generator': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.29.7)
+      '@babel/helpers': 7.29.7
+      '@babel/parser': 7.29.7
+      '@babel/template': 7.29.7
+      '@babel/traverse': 7.29.7
+      '@babel/types': 7.29.7
+      '@jridgewell/remapping': 2.3.5
       convert-source-map: 2.0.0
-      debug: 4.4.1
+      debug: 4.4.3
       gensync: 1.0.0-beta.2
       json5: 1.0.2
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/eslint-parser@7.28.5(@babel/core@7.26.10)(eslint@8.57.1)':
+  '@babel/eslint-parser@7.29.7(@babel/core@7.26.10)(eslint@8.57.1)':
     dependencies:
       '@babel/core': 7.26.10
       '@nicolo-ribaudo/eslint-scope-5-internals': 5.1.1-v1
@@ -8309,318 +8310,336 @@ snapshots:
       eslint-visitor-keys: 2.1.0
       semver: 6.3.1
 
-  '@babel/generator@7.27.1':
+  '@babel/generator@7.29.7':
     dependencies:
-      '@babel/parser': 7.27.2
-      '@babel/types': 7.27.1
-      '@jridgewell/gen-mapping': 0.3.8
-      '@jridgewell/trace-mapping': 0.3.25
+      '@babel/parser': 7.29.7
+      '@babel/types': 7.29.7
+      '@jridgewell/gen-mapping': 0.3.13
+      '@jridgewell/trace-mapping': 0.3.31
       jsesc: 3.1.0
 
-  '@babel/helper-annotate-as-pure@7.27.1':
+  '@babel/helper-annotate-as-pure@7.29.7':
     dependencies:
-      '@babel/types': 7.27.1
+      '@babel/types': 7.29.7
 
-  '@babel/helper-compilation-targets@7.27.2':
+  '@babel/helper-compilation-targets@7.29.7':
     dependencies:
-      '@babel/compat-data': 7.27.2
-      '@babel/helper-validator-option': 7.27.1
-      browserslist: 4.24.5
+      '@babel/compat-data': 7.29.7
+      '@babel/helper-validator-option': 7.29.7
+      browserslist: 4.28.2
       lru-cache: 5.1.1
       semver: 6.3.1
 
-  '@babel/helper-create-class-features-plugin@7.27.1(@babel/core@7.26.10)':
+  '@babel/helper-create-class-features-plugin@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-member-expression-to-functions': 7.27.1
-      '@babel/helper-optimise-call-expression': 7.27.1
-      '@babel/helper-replace-supers': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-member-expression-to-functions': 7.29.7
+      '@babel/helper-optimise-call-expression': 7.29.7
+      '@babel/helper-replace-supers': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+      '@babel/traverse': 7.29.7
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-create-class-features-plugin@7.27.1(@babel/core@7.27.1)':
+  '@babel/helper-create-class-features-plugin@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-member-expression-to-functions': 7.27.1
-      '@babel/helper-optimise-call-expression': 7.27.1
-      '@babel/helper-replace-supers': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-member-expression-to-functions': 7.29.7
+      '@babel/helper-optimise-call-expression': 7.29.7
+      '@babel/helper-replace-supers': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+      '@babel/traverse': 7.29.7
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-create-regexp-features-plugin@7.27.1(@babel/core@7.26.10)':
+  '@babel/helper-create-regexp-features-plugin@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-annotate-as-pure': 7.27.1
-      regexpu-core: 6.2.0
+      '@babel/helper-annotate-as-pure': 7.29.7
+      regexpu-core: 6.4.0
       semver: 6.3.1
 
-  '@babel/helper-create-regexp-features-plugin@7.27.1(@babel/core@7.27.1)':
+  '@babel/helper-create-regexp-features-plugin@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-annotate-as-pure': 7.27.1
-      regexpu-core: 6.2.0
+      '@babel/core': 7.29.7
+      '@babel/helper-annotate-as-pure': 7.29.7
+      regexpu-core: 6.4.0
       semver: 6.3.1
 
-  '@babel/helper-define-polyfill-provider@0.6.4(@babel/core@7.26.10)':
+  '@babel/helper-define-polyfill-provider@0.6.8(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      debug: 4.4.1
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      debug: 4.4.3
       lodash.debounce: 4.0.8
-      resolve: 1.22.10
+      resolve: 1.22.12
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-define-polyfill-provider@0.6.4(@babel/core@7.27.1)':
+  '@babel/helper-define-polyfill-provider@0.6.8(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      debug: 4.4.1
+      '@babel/core': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      debug: 4.4.3
       lodash.debounce: 4.0.8
-      resolve: 1.22.10
+      resolve: 1.22.12
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-member-expression-to-functions@7.27.1':
+  '@babel/helper-globals@7.29.7': {}
+
+  '@babel/helper-member-expression-to-functions@7.29.7':
     dependencies:
-      '@babel/traverse': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/traverse': 7.29.7
+      '@babel/types': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-module-imports@7.27.1':
+  '@babel/helper-module-imports@7.29.7':
     dependencies:
-      '@babel/traverse': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/traverse': 7.29.7
+      '@babel/types': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-module-transforms@7.27.1(@babel/core@7.26.10)':
+  '@babel/helper-module-transforms@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-validator-identifier': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-module-imports': 7.29.7
+      '@babel/helper-validator-identifier': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-module-transforms@7.27.1(@babel/core@7.27.1)':
+  '@babel/helper-module-transforms@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-validator-identifier': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-module-imports': 7.29.7
+      '@babel/helper-validator-identifier': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-optimise-call-expression@7.27.1':
+  '@babel/helper-optimise-call-expression@7.29.7':
     dependencies:
-      '@babel/types': 7.27.1
+      '@babel/types': 7.29.7
 
-  '@babel/helper-plugin-utils@7.27.1': {}
+  '@babel/helper-plugin-utils@7.29.7': {}
 
-  '@babel/helper-remap-async-to-generator@7.27.1(@babel/core@7.26.10)':
+  '@babel/helper-remap-async-to-generator@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-wrap-function': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-wrap-function': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-remap-async-to-generator@7.27.1(@babel/core@7.27.1)':
+  '@babel/helper-remap-async-to-generator@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-wrap-function': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-wrap-function': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-replace-supers@7.27.1(@babel/core@7.26.10)':
+  '@babel/helper-replace-supers@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-member-expression-to-functions': 7.27.1
-      '@babel/helper-optimise-call-expression': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-member-expression-to-functions': 7.29.7
+      '@babel/helper-optimise-call-expression': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-replace-supers@7.27.1(@babel/core@7.27.1)':
+  '@babel/helper-replace-supers@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-member-expression-to-functions': 7.27.1
-      '@babel/helper-optimise-call-expression': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-member-expression-to-functions': 7.29.7
+      '@babel/helper-optimise-call-expression': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-skip-transparent-expression-wrappers@7.27.1':
+  '@babel/helper-skip-transparent-expression-wrappers@7.29.7':
     dependencies:
-      '@babel/traverse': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/traverse': 7.29.7
+      '@babel/types': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-string-parser@7.27.1': {}
+  '@babel/helper-string-parser@7.29.7': {}
 
-  '@babel/helper-validator-identifier@7.27.1': {}
+  '@babel/helper-validator-identifier@7.29.7': {}
 
-  '@babel/helper-validator-option@7.27.1': {}
+  '@babel/helper-validator-option@7.29.7': {}
 
-  '@babel/helper-wrap-function@7.27.1':
+  '@babel/helper-wrap-function@7.29.7':
     dependencies:
-      '@babel/template': 7.27.2
-      '@babel/traverse': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/template': 7.29.7
+      '@babel/traverse': 7.29.7
+      '@babel/types': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helpers@7.27.1':
+  '@babel/helpers@7.29.7':
     dependencies:
-      '@babel/template': 7.27.2
-      '@babel/types': 7.27.1
+      '@babel/template': 7.29.7
+      '@babel/types': 7.29.7
 
-  '@babel/parser@7.27.2':
+  '@babel/parser@7.29.7':
     dependencies:
-      '@babel/types': 7.27.1
+      '@babel/types': 7.29.7
 
-  '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-bugfix-safari-rest-destructuring-rhs-array@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
-      '@babel/plugin-transform-optional-chaining': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-bugfix-safari-rest-destructuring-rhs-array@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
-      '@babel/plugin-transform-optional-chaining': 7.27.1(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+      '@babel/plugin-transform-optional-chaining': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+      '@babel/plugin-transform-optional-chaining': 7.29.7(@babel/core@7.29.7)
+    transitivePeerDependencies:
+      - supports-color
+
+  '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
+    transitivePeerDependencies:
+      - supports-color
+
+  '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
   '@babel/plugin-proposal-class-properties@7.18.6(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-proposal-class-properties@7.18.6(@babel/core@7.27.1)':
+  '@babel/plugin-proposal-class-properties@7.18.6(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-proposal-decorators@7.28.0(@babel/core@7.26.10)':
+  '@babel/plugin-proposal-decorators@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/plugin-syntax-decorators': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-syntax-decorators': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-proposal-decorators@7.28.0(@babel/core@7.27.1)':
+  '@babel/plugin-proposal-decorators@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/plugin-syntax-decorators': 7.27.1(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-syntax-decorators': 7.29.7(@babel/core@7.29.7)
     transitivePeerDependencies:
       - supports-color
 
   '@babel/plugin-proposal-object-rest-spread@7.20.7(@babel/core@7.26.10)':
     dependencies:
-      '@babel/compat-data': 7.27.2
+      '@babel/compat-data': 7.29.7
       '@babel/core': 7.26.10
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
       '@babel/plugin-syntax-object-rest-spread': 7.8.3(@babel/core@7.26.10)
-      '@babel/plugin-transform-parameters': 7.27.1(@babel/core@7.26.10)
+      '@babel/plugin-transform-parameters': 7.29.7(@babel/core@7.26.10)
 
   '@babel/plugin-proposal-private-methods@7.18.6(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-proposal-private-methods@7.18.6(@babel/core@7.27.1)':
+  '@babel/plugin-proposal-private-methods@7.18.6(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
@@ -8628,1021 +8647,983 @@ snapshots:
     dependencies:
       '@babel/core': 7.26.10
 
-  '@babel/plugin-proposal-private-property-in-object@7.21.0-placeholder-for-preset-env.2(@babel/core@7.27.1)':
+  '@babel/plugin-proposal-private-property-in-object@7.21.0-placeholder-for-preset-env.2(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
+      '@babel/core': 7.29.7
 
   '@babel/plugin-proposal-private-property-in-object@7.21.11(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
       '@babel/plugin-syntax-private-property-in-object': 7.14.5(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-proposal-private-property-in-object@7.21.11(@babel/core@7.27.1)':
+  '@babel/plugin-proposal-private-property-in-object@7.21.11(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/plugin-syntax-private-property-in-object': 7.14.5(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-syntax-private-property-in-object': 7.14.5(@babel/core@7.29.7)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-syntax-decorators@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-syntax-decorators@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-decorators@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-syntax-decorators@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-import-assertions@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-syntax-import-assertions@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-import-assertions@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-syntax-import-assertions@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-import-attributes@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-syntax-import-attributes@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-import-attributes@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-syntax-import-attributes@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-jsx@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-syntax-jsx@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
   '@babel/plugin-syntax-object-rest-spread@7.8.3(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
   '@babel/plugin-syntax-private-property-in-object@7.14.5(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-private-property-in-object@7.14.5(@babel/core@7.27.1)':
+  '@babel/plugin-syntax-private-property-in-object@7.14.5(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-typescript@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-syntax-typescript@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-typescript@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-syntax-typescript@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
   '@babel/plugin-syntax-unicode-sets-regex@7.18.6(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-syntax-unicode-sets-regex@7.18.6(@babel/core@7.27.1)':
+  '@babel/plugin-syntax-unicode-sets-regex@7.18.6(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-arrow-functions@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-arrow-functions@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-arrow-functions@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-arrow-functions@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-async-generator-functions@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-async-generator-functions@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-remap-async-to-generator': 7.27.1(@babel/core@7.26.10)
-      '@babel/traverse': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-remap-async-to-generator': 7.29.7(@babel/core@7.26.10)
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-async-generator-functions@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-async-generator-functions@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-remap-async-to-generator': 7.27.1(@babel/core@7.27.1)
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-remap-async-to-generator': 7.29.7(@babel/core@7.29.7)
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-async-to-generator@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-async-to-generator@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-remap-async-to-generator': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-module-imports': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-remap-async-to-generator': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-async-to-generator@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-async-to-generator@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-remap-async-to-generator': 7.27.1(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-module-imports': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-remap-async-to-generator': 7.29.7(@babel/core@7.29.7)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-block-scoped-functions@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-block-scoped-functions@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-block-scoped-functions@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-block-scoped-functions@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-block-scoping@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-block-scoping@7.27.5(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-block-scoping@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-class-properties@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-block-scoping@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-block-scoping@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-class-properties@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-class-properties@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-class-properties@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-class-static-block@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-class-static-block@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-class-static-block@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-class-static-block@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-classes@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-classes@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-replace-supers': 7.27.1(@babel/core@7.26.10)
-      '@babel/traverse': 7.27.1
-      globals: 11.12.0
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-globals': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-replace-supers': 7.29.7(@babel/core@7.26.10)
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-classes@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-classes@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-replace-supers': 7.27.1(@babel/core@7.27.1)
-      '@babel/traverse': 7.27.1
-      globals: 11.12.0
+      '@babel/core': 7.29.7
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-globals': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-replace-supers': 7.29.7(@babel/core@7.29.7)
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-computed-properties@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-computed-properties@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/template': 7.27.2
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/template': 7.29.7
 
-  '@babel/plugin-transform-computed-properties@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-computed-properties@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/template': 7.27.2
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/template': 7.29.7
 
-  '@babel/plugin-transform-destructuring@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-destructuring@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-destructuring@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-dotall-regex@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-dotall-regex@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-duplicate-keys@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-duplicate-keys@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-dynamic-import@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-dynamic-import@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-exponentiation-operator@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-exponentiation-operator@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-export-namespace-from@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-export-namespace-from@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-for-of@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-for-of@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-destructuring@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-function-name@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-dotall-regex@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-dotall-regex@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-duplicate-keys@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-duplicate-keys@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-dynamic-import@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-dynamic-import@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-explicit-resource-management@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-transform-destructuring': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-function-name@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-explicit-resource-management@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-transform-destructuring': 7.29.7(@babel/core@7.29.7)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-json-strings@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-exponentiation-operator@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-json-strings@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-exponentiation-operator@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-literals@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-export-namespace-from@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-literals@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-export-namespace-from@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-logical-assignment-operators@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-for-of@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-logical-assignment-operators@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-member-expression-literals@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-member-expression-literals@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-modules-amd@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-modules-amd@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-for-of@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-modules-commonjs@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-function-name@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-modules-commonjs@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-function-name@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-modules-systemjs@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-json-strings@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-validator-identifier': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-json-strings@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-literals@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-literals@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-logical-assignment-operators@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-logical-assignment-operators@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-member-expression-literals@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-member-expression-literals@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-modules-amd@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-modules-systemjs@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-modules-amd@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-validator-identifier': 7.27.1
-      '@babel/traverse': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-modules-umd@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-modules-commonjs@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-modules-umd@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-modules-commonjs@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-module-transforms': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-named-capturing-groups-regex@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-modules-systemjs@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-named-capturing-groups-regex@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-new-target@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-new-target@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-nullish-coalescing-operator@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-nullish-coalescing-operator@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-numeric-separator@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-numeric-separator@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-object-rest-spread@7.27.2(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/plugin-transform-destructuring': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-parameters': 7.27.1(@babel/core@7.26.10)
-
-  '@babel/plugin-transform-object-rest-spread@7.27.2(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/plugin-transform-destructuring': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-parameters': 7.27.1(@babel/core@7.27.1)
-
-  '@babel/plugin-transform-object-super@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-replace-supers': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-validator-identifier': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-object-super@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-modules-systemjs@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-replace-supers': 7.27.1(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-validator-identifier': 7.29.7
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-optional-catch-binding@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-modules-umd@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-optional-catch-binding@7.27.1(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-
-  '@babel/plugin-transform-optional-chaining@7.27.1(@babel/core@7.26.10)':
-    dependencies:
-      '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-optional-chaining@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-modules-umd@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-module-transforms': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-parameters@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-named-capturing-groups-regex@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-parameters@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-named-capturing-groups-regex@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-private-methods@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-new-target@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-new-target@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-nullish-coalescing-operator@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-nullish-coalescing-operator@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-numeric-separator@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-numeric-separator@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-object-rest-spread@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-transform-destructuring': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-parameters': 7.29.7(@babel/core@7.26.10)
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-private-methods@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-object-rest-spread@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-transform-destructuring': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-parameters': 7.29.7(@babel/core@7.29.7)
+      '@babel/traverse': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-private-property-in-object@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-object-super@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-replace-supers': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-private-property-in-object@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-object-super@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-replace-supers': 7.29.7(@babel/core@7.29.7)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-property-literals@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-optional-catch-binding@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-property-literals@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-optional-catch-binding@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-regenerator@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-optional-chaining@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+    transitivePeerDependencies:
+      - supports-color
 
-  '@babel/plugin-transform-regenerator@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-optional-chaining@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+    transitivePeerDependencies:
+      - supports-color
 
-  '@babel/plugin-transform-regexp-modifiers@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-parameters@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-regexp-modifiers@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-parameters@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-reserved-words@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-private-methods@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+    transitivePeerDependencies:
+      - supports-color
 
-  '@babel/plugin-transform-reserved-words@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-private-methods@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+    transitivePeerDependencies:
+      - supports-color
 
-  '@babel/plugin-transform-runtime@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-private-property-in-object@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      babel-plugin-polyfill-corejs2: 0.4.13(@babel/core@7.26.10)
-      babel-plugin-polyfill-corejs3: 0.11.1(@babel/core@7.26.10)
-      babel-plugin-polyfill-regenerator: 0.6.4(@babel/core@7.26.10)
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+    transitivePeerDependencies:
+      - supports-color
+
+  '@babel/plugin-transform-private-property-in-object@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+    transitivePeerDependencies:
+      - supports-color
+
+  '@babel/plugin-transform-property-literals@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-property-literals@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-regenerator@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-regenerator@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-regexp-modifiers@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-regexp-modifiers@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-reserved-words@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-reserved-words@7.29.7(@babel/core@7.29.7)':
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+
+  '@babel/plugin-transform-runtime@7.29.7(@babel/core@7.26.10)':
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-module-imports': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      babel-plugin-polyfill-corejs2: 0.4.17(@babel/core@7.26.10)
+      babel-plugin-polyfill-corejs3: 0.13.0(@babel/core@7.26.10)
+      babel-plugin-polyfill-regenerator: 0.6.8(@babel/core@7.26.10)
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-runtime@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-runtime@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      babel-plugin-polyfill-corejs2: 0.4.13(@babel/core@7.27.1)
-      babel-plugin-polyfill-corejs3: 0.11.1(@babel/core@7.27.1)
-      babel-plugin-polyfill-regenerator: 0.6.4(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-module-imports': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      babel-plugin-polyfill-corejs2: 0.4.17(@babel/core@7.29.7)
+      babel-plugin-polyfill-corejs3: 0.13.0(@babel/core@7.29.7)
+      babel-plugin-polyfill-regenerator: 0.6.8(@babel/core@7.29.7)
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-shorthand-properties@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-shorthand-properties@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-shorthand-properties@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-shorthand-properties@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-spread@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-spread@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-spread@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-spread@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-sticky-regex@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-sticky-regex@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-sticky-regex@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-sticky-regex@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-template-literals@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-template-literals@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-template-literals@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-template-literals@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-typeof-symbol@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-typeof-symbol@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-typeof-symbol@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-typeof-symbol@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-typescript@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-typescript@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
-      '@babel/plugin-syntax-typescript': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+      '@babel/plugin-syntax-typescript': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-typescript@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-typescript@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-annotate-as-pure': 7.27.1
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-skip-transparent-expression-wrappers': 7.27.1
-      '@babel/plugin-syntax-typescript': 7.27.1(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-annotate-as-pure': 7.29.7
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-skip-transparent-expression-wrappers': 7.29.7
+      '@babel/plugin-syntax-typescript': 7.29.7(@babel/core@7.29.7)
     transitivePeerDependencies:
       - supports-color
 
   '@babel/plugin-transform-typescript@7.5.5(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-class-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/plugin-syntax-typescript': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-create-class-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/plugin-syntax-typescript': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/plugin-transform-unicode-escapes@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-unicode-escapes@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-unicode-escapes@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-unicode-escapes@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-unicode-property-regex@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-unicode-property-regex@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-unicode-property-regex@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-unicode-property-regex@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-unicode-regex@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-unicode-regex@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-unicode-regex@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-unicode-regex@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-unicode-sets-regex@7.27.1(@babel/core@7.26.10)':
+  '@babel/plugin-transform-unicode-sets-regex@7.29.7(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.26.10)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
 
-  '@babel/plugin-transform-unicode-sets-regex@7.27.1(@babel/core@7.27.1)':
+  '@babel/plugin-transform-unicode-sets-regex@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-create-regexp-features-plugin': 7.27.1(@babel/core@7.27.1)
-      '@babel/helper-plugin-utils': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-create-regexp-features-plugin': 7.29.7(@babel/core@7.29.7)
+      '@babel/helper-plugin-utils': 7.29.7
 
   '@babel/polyfill@7.12.1':
     dependencies:
       core-js: 2.6.12
       regenerator-runtime: 0.13.11
 
-  '@babel/preset-env@7.26.9(@babel/core@7.26.10)':
+  '@babel/preset-env@7.29.7(@babel/core@7.26.10)':
     dependencies:
-      '@babel/compat-data': 7.27.2
+      '@babel/compat-data': 7.29.7
       '@babel/core': 7.26.10
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-validator-option': 7.27.1
-      '@babel/plugin-bugfix-firefox-class-in-computed-class-key': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-safari-class-field-initializer-scope': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-validator-option': 7.29.7
+      '@babel/plugin-bugfix-firefox-class-in-computed-class-key': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-bugfix-safari-class-field-initializer-scope': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-bugfix-safari-rest-destructuring-rhs-array': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly': 7.29.7(@babel/core@7.26.10)
       '@babel/plugin-proposal-private-property-in-object': 7.21.0-placeholder-for-preset-env.2(@babel/core@7.26.10)
-      '@babel/plugin-syntax-import-assertions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-syntax-import-attributes': 7.27.1(@babel/core@7.26.10)
+      '@babel/plugin-syntax-import-assertions': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-syntax-import-attributes': 7.29.7(@babel/core@7.26.10)
       '@babel/plugin-syntax-unicode-sets-regex': 7.18.6(@babel/core@7.26.10)
-      '@babel/plugin-transform-arrow-functions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-async-generator-functions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-async-to-generator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-block-scoped-functions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-block-scoping': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-class-properties': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-class-static-block': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-classes': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-computed-properties': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-destructuring': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-dotall-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-duplicate-keys': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-duplicate-named-capturing-groups-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-dynamic-import': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-exponentiation-operator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-export-namespace-from': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-for-of': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-function-name': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-json-strings': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-logical-assignment-operators': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-member-expression-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-amd': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-commonjs': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-systemjs': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-umd': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-named-capturing-groups-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-new-target': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-nullish-coalescing-operator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-numeric-separator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-object-rest-spread': 7.27.2(@babel/core@7.26.10)
-      '@babel/plugin-transform-object-super': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-optional-catch-binding': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-optional-chaining': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-parameters': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-private-methods': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-private-property-in-object': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-property-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-regenerator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-regexp-modifiers': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-reserved-words': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-shorthand-properties': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-spread': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-sticky-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-template-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-typeof-symbol': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-escapes': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-property-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-sets-regex': 7.27.1(@babel/core@7.26.10)
+      '@babel/plugin-transform-arrow-functions': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-async-generator-functions': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-async-to-generator': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-block-scoped-functions': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-block-scoping': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-class-properties': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-classes': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-computed-properties': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-destructuring': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-dotall-regex': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-duplicate-keys': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-duplicate-named-capturing-groups-regex': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-dynamic-import': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-explicit-resource-management': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-exponentiation-operator': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-export-namespace-from': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-for-of': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-function-name': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-json-strings': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-literals': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-logical-assignment-operators': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-member-expression-literals': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-amd': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-commonjs': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-systemjs': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-umd': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-named-capturing-groups-regex': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-new-target': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-nullish-coalescing-operator': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-numeric-separator': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-object-rest-spread': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-object-super': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-optional-catch-binding': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-optional-chaining': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-parameters': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-private-methods': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-private-property-in-object': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-property-literals': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-regenerator': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-regexp-modifiers': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-reserved-words': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-shorthand-properties': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-spread': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-sticky-regex': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-template-literals': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-typeof-symbol': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-unicode-escapes': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-unicode-property-regex': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-unicode-regex': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-unicode-sets-regex': 7.29.7(@babel/core@7.26.10)
       '@babel/preset-modules': 0.1.6-no-external-plugins(@babel/core@7.26.10)
-      babel-plugin-polyfill-corejs2: 0.4.13(@babel/core@7.26.10)
-      babel-plugin-polyfill-corejs3: 0.11.1(@babel/core@7.26.10)
-      babel-plugin-polyfill-regenerator: 0.6.4(@babel/core@7.26.10)
-      core-js-compat: 3.42.0
+      babel-plugin-polyfill-corejs2: 0.4.17(@babel/core@7.26.10)
+      babel-plugin-polyfill-corejs3: 0.14.2(@babel/core@7.26.10)
+      babel-plugin-polyfill-regenerator: 0.6.8(@babel/core@7.26.10)
+      core-js-compat: 3.49.0
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/preset-env@7.27.2(@babel/core@7.26.10)':
+  '@babel/preset-env@7.29.7(@babel/core@7.29.7)':
     dependencies:
-      '@babel/compat-data': 7.27.2
-      '@babel/core': 7.26.10
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-validator-option': 7.27.1
-      '@babel/plugin-bugfix-firefox-class-in-computed-class-key': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-safari-class-field-initializer-scope': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-proposal-private-property-in-object': 7.21.0-placeholder-for-preset-env.2(@babel/core@7.26.10)
-      '@babel/plugin-syntax-import-assertions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-syntax-import-attributes': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-syntax-unicode-sets-regex': 7.18.6(@babel/core@7.26.10)
-      '@babel/plugin-transform-arrow-functions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-async-generator-functions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-async-to-generator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-block-scoped-functions': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-block-scoping': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-class-properties': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-class-static-block': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-classes': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-computed-properties': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-destructuring': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-dotall-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-duplicate-keys': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-duplicate-named-capturing-groups-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-dynamic-import': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-exponentiation-operator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-export-namespace-from': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-for-of': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-function-name': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-json-strings': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-logical-assignment-operators': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-member-expression-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-amd': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-commonjs': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-systemjs': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-umd': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-named-capturing-groups-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-new-target': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-nullish-coalescing-operator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-numeric-separator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-object-rest-spread': 7.27.2(@babel/core@7.26.10)
-      '@babel/plugin-transform-object-super': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-optional-catch-binding': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-optional-chaining': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-parameters': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-private-methods': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-private-property-in-object': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-property-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-regenerator': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-regexp-modifiers': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-reserved-words': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-shorthand-properties': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-spread': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-sticky-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-template-literals': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-typeof-symbol': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-escapes': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-property-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-unicode-sets-regex': 7.27.1(@babel/core@7.26.10)
-      '@babel/preset-modules': 0.1.6-no-external-plugins(@babel/core@7.26.10)
-      babel-plugin-polyfill-corejs2: 0.4.13(@babel/core@7.26.10)
-      babel-plugin-polyfill-corejs3: 0.11.1(@babel/core@7.26.10)
-      babel-plugin-polyfill-regenerator: 0.6.4(@babel/core@7.26.10)
-      core-js-compat: 3.42.0
-      semver: 6.3.1
-    transitivePeerDependencies:
-      - supports-color
-
-  '@babel/preset-env@7.27.2(@babel/core@7.27.1)':
-    dependencies:
-      '@babel/compat-data': 7.27.2
-      '@babel/core': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-validator-option': 7.27.1
-      '@babel/plugin-bugfix-firefox-class-in-computed-class-key': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-bugfix-safari-class-field-initializer-scope': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-proposal-private-property-in-object': 7.21.0-placeholder-for-preset-env.2(@babel/core@7.27.1)
-      '@babel/plugin-syntax-import-assertions': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-syntax-import-attributes': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-syntax-unicode-sets-regex': 7.18.6(@babel/core@7.27.1)
-      '@babel/plugin-transform-arrow-functions': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-async-generator-functions': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-async-to-generator': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-block-scoped-functions': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-block-scoping': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-class-properties': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-class-static-block': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-classes': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-computed-properties': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-destructuring': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-dotall-regex': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-duplicate-keys': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-duplicate-named-capturing-groups-regex': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-dynamic-import': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-exponentiation-operator': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-export-namespace-from': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-for-of': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-function-name': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-json-strings': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-literals': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-logical-assignment-operators': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-member-expression-literals': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-modules-amd': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-modules-commonjs': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-modules-systemjs': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-modules-umd': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-named-capturing-groups-regex': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-new-target': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-nullish-coalescing-operator': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-numeric-separator': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-object-rest-spread': 7.27.2(@babel/core@7.27.1)
-      '@babel/plugin-transform-object-super': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-optional-catch-binding': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-optional-chaining': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-parameters': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-private-methods': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-private-property-in-object': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-property-literals': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-regenerator': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-regexp-modifiers': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-reserved-words': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-shorthand-properties': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-spread': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-sticky-regex': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-template-literals': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-typeof-symbol': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-unicode-escapes': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-unicode-property-regex': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-unicode-regex': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-unicode-sets-regex': 7.27.1(@babel/core@7.27.1)
-      '@babel/preset-modules': 0.1.6-no-external-plugins(@babel/core@7.27.1)
-      babel-plugin-polyfill-corejs2: 0.4.13(@babel/core@7.27.1)
-      babel-plugin-polyfill-corejs3: 0.11.1(@babel/core@7.27.1)
-      babel-plugin-polyfill-regenerator: 0.6.4(@babel/core@7.27.1)
-      core-js-compat: 3.42.0
+      '@babel/compat-data': 7.29.7
+      '@babel/core': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-validator-option': 7.29.7
+      '@babel/plugin-bugfix-firefox-class-in-computed-class-key': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-bugfix-safari-class-field-initializer-scope': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-bugfix-safari-rest-destructuring-rhs-array': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-proposal-private-property-in-object': 7.21.0-placeholder-for-preset-env.2(@babel/core@7.29.7)
+      '@babel/plugin-syntax-import-assertions': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-syntax-import-attributes': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-syntax-unicode-sets-regex': 7.18.6(@babel/core@7.29.7)
+      '@babel/plugin-transform-arrow-functions': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-async-generator-functions': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-async-to-generator': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-block-scoped-functions': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-block-scoping': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-class-properties': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-classes': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-computed-properties': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-destructuring': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-dotall-regex': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-duplicate-keys': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-duplicate-named-capturing-groups-regex': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-dynamic-import': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-explicit-resource-management': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-exponentiation-operator': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-export-namespace-from': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-for-of': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-function-name': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-json-strings': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-literals': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-logical-assignment-operators': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-member-expression-literals': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-modules-amd': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-modules-commonjs': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-modules-systemjs': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-modules-umd': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-named-capturing-groups-regex': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-new-target': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-nullish-coalescing-operator': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-numeric-separator': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-object-rest-spread': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-object-super': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-optional-catch-binding': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-optional-chaining': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-parameters': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-private-methods': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-private-property-in-object': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-property-literals': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-regenerator': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-regexp-modifiers': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-reserved-words': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-shorthand-properties': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-spread': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-sticky-regex': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-template-literals': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-typeof-symbol': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-unicode-escapes': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-unicode-property-regex': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-unicode-regex': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-unicode-sets-regex': 7.29.7(@babel/core@7.29.7)
+      '@babel/preset-modules': 0.1.6-no-external-plugins(@babel/core@7.29.7)
+      babel-plugin-polyfill-corejs2: 0.4.17(@babel/core@7.29.7)
+      babel-plugin-polyfill-corejs3: 0.14.2(@babel/core@7.29.7)
+      babel-plugin-polyfill-regenerator: 0.6.8(@babel/core@7.29.7)
+      core-js-compat: 3.49.0
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
@@ -9650,25 +9631,25 @@ snapshots:
   '@babel/preset-modules@0.1.6-no-external-plugins(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/types': 7.29.7
       esutils: 2.0.3
 
-  '@babel/preset-modules@0.1.6-no-external-plugins(@babel/core@7.27.1)':
+  '@babel/preset-modules@0.1.6-no-external-plugins(@babel/core@7.29.7)':
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/types': 7.27.1
+      '@babel/core': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/types': 7.29.7
       esutils: 2.0.3
 
   '@babel/preset-typescript@7.27.1(@babel/core@7.26.10)':
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/helper-validator-option': 7.27.1
-      '@babel/plugin-syntax-jsx': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-commonjs': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-typescript': 7.27.1(@babel/core@7.26.10)
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/helper-validator-option': 7.29.7
+      '@babel/plugin-syntax-jsx': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-commonjs': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-typescript': 7.29.7(@babel/core@7.26.10)
     transitivePeerDependencies:
       - supports-color
 
@@ -9676,191 +9657,204 @@ snapshots:
     dependencies:
       regenerator-runtime: 0.14.1
 
-  '@babel/template@7.27.2':
+  '@babel/template@7.29.7':
     dependencies:
-      '@babel/code-frame': 7.27.1
-      '@babel/parser': 7.27.2
-      '@babel/types': 7.27.1
+      '@babel/code-frame': 7.29.7
+      '@babel/parser': 7.29.7
+      '@babel/types': 7.29.7
 
-  '@babel/traverse@7.27.1':
+  '@babel/traverse@7.29.7':
     dependencies:
-      '@babel/code-frame': 7.27.1
-      '@babel/generator': 7.27.1
-      '@babel/parser': 7.27.2
-      '@babel/template': 7.27.2
-      '@babel/types': 7.27.1
-      debug: 4.4.1
-      globals: 11.12.0
+      '@babel/code-frame': 7.29.7
+      '@babel/generator': 7.29.7
+      '@babel/helper-globals': 7.29.7
+      '@babel/parser': 7.29.7
+      '@babel/template': 7.29.7
+      '@babel/types': 7.29.7
+      debug: 4.4.3
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/types@7.27.1':
+  '@babel/types@7.29.7':
     dependencies:
-      '@babel/helper-string-parser': 7.27.1
-      '@babel/helper-validator-identifier': 7.27.1
+      '@babel/helper-string-parser': 7.29.7
+      '@babel/helper-validator-identifier': 7.29.7
 
-  '@carbon/charts@1.27.2':
+  '@cacheable/memory@2.0.9':
     dependencies:
-      '@carbon/colors': 11.45.0
+      '@cacheable/utils': 2.4.1
+      '@keyv/bigmap': 1.3.1(keyv@5.6.0)
+      hookified: 1.15.1
+      keyv: 5.6.0
+
+  '@cacheable/utils@2.4.1':
+    dependencies:
+      hashery: 1.5.1
+      keyv: 5.6.0
+
+  '@carbon/charts@1.27.11':
+    dependencies:
+      '@carbon/colors': 11.52.0
       '@carbon/utils-position': 1.3.0
-      '@ibm/telemetry-js': 1.10.2
+      '@ibm/telemetry-js': 1.11.0
       '@types/d3': 7.4.3
       '@types/topojson': 3.2.6
       d3: 7.9.0
-      d3-cloud: 1.2.8
+      d3-cloud: 1.2.9
       d3-sankey: 0.12.3
-      date-fns: 4.1.0
-      dompurify: 3.2.6
+      date-fns: 4.3.0
+      dompurify: 3.4.6
       html-to-image: 1.11.11
-      lodash-es: 4.17.23
+      lodash-es: 4.18.0
       topojson-client: 3.1.0
       tslib: 2.8.1
 
-  '@carbon/colors@11.45.0':
+  '@carbon/colors@11.52.0':
     dependencies:
-      '@ibm/telemetry-js': 1.10.2
+      '@ibm/telemetry-js': 1.11.0
 
   '@carbon/utils-position@1.3.0':
     dependencies:
-      '@ibm/telemetry-js': 1.10.2
+      '@ibm/telemetry-js': 1.11.0
 
   '@cnakazawa/watch@1.0.4':
     dependencies:
       exec-sh: 0.3.6
       minimist: 1.2.8
 
-  '@codemirror/autocomplete@6.18.6':
+  '@codemirror/autocomplete@6.20.2':
     dependencies:
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
-      '@lezer/common': 1.2.3
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
+      '@lezer/common': 1.5.2
 
-  '@codemirror/commands@6.8.1':
+  '@codemirror/commands@6.10.3':
     dependencies:
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
-      '@lezer/common': 1.2.3
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
+      '@lezer/common': 1.5.2
 
   '@codemirror/lang-css@6.3.1':
     dependencies:
-      '@codemirror/autocomplete': 6.18.6
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@lezer/common': 1.2.3
-      '@lezer/css': 1.2.1
+      '@codemirror/autocomplete': 6.20.2
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@lezer/common': 1.5.2
+      '@lezer/css': 1.3.3
 
   '@codemirror/lang-go@6.0.1':
     dependencies:
-      '@codemirror/autocomplete': 6.18.6
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@lezer/common': 1.2.3
+      '@codemirror/autocomplete': 6.20.2
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@lezer/common': 1.5.2
       '@lezer/go': 1.0.1
 
-  '@codemirror/lang-html@6.4.9':
+  '@codemirror/lang-html@6.4.11':
     dependencies:
-      '@codemirror/autocomplete': 6.18.6
+      '@codemirror/autocomplete': 6.20.2
       '@codemirror/lang-css': 6.3.1
-      '@codemirror/lang-javascript': 6.2.4
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
-      '@lezer/common': 1.2.3
-      '@lezer/css': 1.2.1
-      '@lezer/html': 1.3.10
+      '@codemirror/lang-javascript': 6.2.5
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
+      '@lezer/common': 1.5.2
+      '@lezer/css': 1.3.3
+      '@lezer/html': 1.3.13
 
-  '@codemirror/lang-javascript@6.2.4':
+  '@codemirror/lang-javascript@6.2.5':
     dependencies:
-      '@codemirror/autocomplete': 6.18.6
-      '@codemirror/language': 6.11.0
-      '@codemirror/lint': 6.8.5
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
-      '@lezer/common': 1.2.3
-      '@lezer/javascript': 1.5.1
+      '@codemirror/autocomplete': 6.20.2
+      '@codemirror/language': 6.12.3
+      '@codemirror/lint': 6.9.6
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
+      '@lezer/common': 1.5.2
+      '@lezer/javascript': 1.5.4
 
-  '@codemirror/lang-json@6.0.1':
+  '@codemirror/lang-json@6.0.2':
     dependencies:
-      '@codemirror/language': 6.11.0
+      '@codemirror/language': 6.12.3
       '@lezer/json': 1.0.3
 
-  '@codemirror/lang-markdown@6.3.2':
+  '@codemirror/lang-markdown@6.5.0':
     dependencies:
-      '@codemirror/autocomplete': 6.18.6
-      '@codemirror/lang-html': 6.4.9
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
-      '@lezer/common': 1.2.3
-      '@lezer/markdown': 1.4.3
+      '@codemirror/autocomplete': 6.20.2
+      '@codemirror/lang-html': 6.4.11
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
+      '@lezer/common': 1.5.2
+      '@lezer/markdown': 1.6.3
 
-  '@codemirror/lang-sql@6.8.0':
+  '@codemirror/lang-sql@6.10.0':
     dependencies:
-      '@codemirror/autocomplete': 6.18.6
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
+      '@codemirror/autocomplete': 6.20.2
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
-  '@codemirror/lang-yaml@6.1.2':
+  '@codemirror/lang-yaml@6.1.3':
     dependencies:
-      '@codemirror/autocomplete': 6.18.6
-      '@codemirror/language': 6.11.0
-      '@codemirror/state': 6.5.2
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
-      '@lezer/yaml': 1.0.3
+      '@codemirror/autocomplete': 6.20.2
+      '@codemirror/language': 6.12.3
+      '@codemirror/state': 6.6.0
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
+      '@lezer/yaml': 1.0.4
 
-  '@codemirror/language@6.11.0':
+  '@codemirror/language@6.12.3':
     dependencies:
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
-      style-mod: 4.1.2
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
+      style-mod: 4.1.3
 
-  '@codemirror/legacy-modes@6.5.1':
+  '@codemirror/legacy-modes@6.5.3':
     dependencies:
-      '@codemirror/language': 6.11.0
+      '@codemirror/language': 6.12.3
 
-  '@codemirror/lint@6.8.5':
+  '@codemirror/lint@6.9.6':
     dependencies:
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
       crelt: 1.0.6
 
-  '@codemirror/state@6.5.2':
+  '@codemirror/state@6.6.0':
     dependencies:
       '@marijn/find-cluster-break': 1.0.2
 
-  '@codemirror/view@6.36.8':
+  '@codemirror/view@6.43.0':
     dependencies:
-      '@codemirror/state': 6.5.2
-      style-mod: 4.1.2
+      '@codemirror/state': 6.6.0
+      crelt: 1.0.6
+      style-mod: 4.1.3
       w3c-keyname: 2.2.8
 
   '@colors/colors@1.5.0':
     optional: true
 
-  '@csstools/css-parser-algorithms@3.0.4(@csstools/css-tokenizer@3.0.3)':
+  '@csstools/css-parser-algorithms@3.0.5(@csstools/css-tokenizer@3.0.4)':
     dependencies:
-      '@csstools/css-tokenizer': 3.0.3
+      '@csstools/css-tokenizer': 3.0.4
 
-  '@csstools/css-tokenizer@3.0.3': {}
+  '@csstools/css-tokenizer@3.0.4': {}
 
-  '@csstools/media-query-list-parser@4.0.2(@csstools/css-parser-algorithms@3.0.4(@csstools/css-tokenizer@3.0.3))(@csstools/css-tokenizer@3.0.3)':
+  '@csstools/media-query-list-parser@4.0.3(@csstools/css-parser-algorithms@3.0.5(@csstools/css-tokenizer@3.0.4))(@csstools/css-tokenizer@3.0.4)':
     dependencies:
-      '@csstools/css-parser-algorithms': 3.0.4(@csstools/css-tokenizer@3.0.3)
-      '@csstools/css-tokenizer': 3.0.3
+      '@csstools/css-parser-algorithms': 3.0.5(@csstools/css-tokenizer@3.0.4)
+      '@csstools/css-tokenizer': 3.0.4
 
-  '@csstools/selector-specificity@5.0.0(postcss-selector-parser@7.1.0)':
+  '@csstools/selector-specificity@5.0.0(postcss-selector-parser@7.1.1)':
     dependencies:
-      postcss-selector-parser: 7.1.0
+      postcss-selector-parser: 7.1.1
 
   '@discoveryjs/json-ext@0.6.3': {}
 
@@ -9868,7 +9862,7 @@ snapshots:
 
   '@docfy/core@0.8.0':
     dependencies:
-      debug: 4.4.1
+      debug: 4.4.3
       fast-glob: 3.3.3
       git-repo-info: 2.1.1
       github-slugger: 1.5.0
@@ -9887,11 +9881,11 @@ snapshots:
       trough: 1.0.5
       unified: 9.2.2
       unist-util-visit: 2.0.3
-      yaml: 2.8.0
+      yaml: 2.9.0
     transitivePeerDependencies:
       - supports-color
 
-  '@docfy/ember@0.8.5(@babel/core@7.26.10)(@glint/template@1.7.3)':
+  '@docfy/ember@0.8.5(@babel/core@7.26.10)(@glint/template@1.7.7)':
     dependencies:
       '@docfy/core': 0.8.0
       broccoli-bridge: 1.0.0
@@ -9902,11 +9896,11 @@ snapshots:
       broccoli-plugin: 4.0.7
       broccoli-source: 3.0.1
       calculate-cache-key-for-tree: 2.0.0
-      debug: 4.4.1
+      debug: 4.4.3
       ember-cli-babel: 8.2.0(@babel/core@7.26.10)
       ember-cli-htmlbars: 6.3.0
       ember-cli-typescript: 4.2.1
-      ember-get-config: 1.1.0(@glint/template@1.7.3)
+      ember-get-config: 1.1.0(@babel/core@7.26.10)(@glint/template@1.7.7)
       mdast-util-to-string: 2.0.0
       remark-hbs: 0.4.1
       unist-builder: 2.0.3
@@ -9917,177 +9911,189 @@ snapshots:
       - '@glint/template'
       - supports-color
 
-  '@dual-bundle/import-meta-resolve@4.1.0': {}
+  '@dual-bundle/import-meta-resolve@4.2.1': {}
 
-  '@ember-data/adapter@5.3.13(481fc0014a55050c4586d8c15dd0e593)':
+  '@ember-data/adapter@5.3.13(@babel/core@7.26.10)(@ember-data/legacy-compat@5.3.13(8acceb1cbcc7877fc3e2f71f277a3656))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@ember-data/legacy-compat': 5.3.13(b12992c24c436026b4863b735c590c8a)
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@ember-data/legacy-compat': 5.3.13(8acceb1cbcc7877fc3e2f71f277a3656)
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
       '@ember/edition-utils': 1.2.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-path-utils: 1.0.0
       ember-cli-string-utils: 1.1.0
       ember-cli-test-info: 1.0.0
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/debug@5.3.13(bfaa3d85a28648c76506f1933c013982)':
+  '@ember-data/debug@5.3.13(@babel/core@7.26.10)(@ember-data/model@5.3.13(d5fadfcda3077fa80404b894384b0a0b))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@ember-data/model': 5.3.13(dae11eb22c7d90ae6eb976a152fcd2ef)
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@ember-data/model': 5.3.13(d5fadfcda3077fa80404b894384b0a0b)
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
       '@ember/edition-utils': 1.2.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/graph@5.3.13(242145c0cb82dfaa3126f6c390252cc2)':
+  '@ember-data/graph@5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/json-api@5.3.13(fbb4778538d22a36c0b1d94f239fe74b)':
+  '@ember-data/json-api@5.3.13(@babel/core@7.26.10)(@ember-data/graph@5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))':
     dependencies:
-      '@ember-data/graph': 5.3.13(242145c0cb82dfaa3126f6c390252cc2)
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
+      '@ember-data/graph': 5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       fuse.js: 7.1.0
       json-to-ast: 2.1.0
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/legacy-compat@5.3.13(b12992c24c436026b4863b735c590c8a)':
+  '@ember-data/legacy-compat@5.3.13(8acceb1cbcc7877fc3e2f71f277a3656)':
     dependencies:
-      '@ember-data/request': 5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember/test-waiters': 4.1.0(@glint/template@1.7.3)
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@ember-data/request': 5.3.13(@babel/core@7.26.10)(@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
+      '@ember/test-waiters': 4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     optionalDependencies:
-      '@ember-data/graph': 5.3.13(242145c0cb82dfaa3126f6c390252cc2)
-      '@ember-data/json-api': 5.3.13(fbb4778538d22a36c0b1d94f239fe74b)
+      '@ember-data/graph': 5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/json-api': 5.3.13(@babel/core@7.26.10)(@ember-data/graph@5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/model@5.3.13(dae11eb22c7d90ae6eb976a152fcd2ef)':
+  '@ember-data/model@5.3.13(d5fadfcda3077fa80404b894384b0a0b)':
     dependencies:
-      '@ember-data/legacy-compat': 5.3.13(b12992c24c436026b4863b735c590c8a)
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/tracking': 5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@ember-data/legacy-compat': 5.3.13(8acceb1cbcc7877fc3e2f71f277a3656)
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
+      '@ember-data/tracking': 5.3.13(@babel/core@7.26.10)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@ember/edition-utils': 1.2.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-string-utils: 1.1.0
       ember-cli-test-info: 1.0.0
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
       inflection: 3.0.2
     optionalDependencies:
-      '@ember-data/graph': 5.3.13(242145c0cb82dfaa3126f6c390252cc2)
-      '@ember-data/json-api': 5.3.13(fbb4778538d22a36c0b1d94f239fe74b)
+      '@ember-data/graph': 5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/json-api': 5.3.13(@babel/core@7.26.10)(@ember-data/graph@5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     optionalDependencies:
       '@ember/string': 4.0.1
       ember-inflector: 4.0.2
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))':
+  '@ember-data/request@5.3.13(@babel/core@7.26.10)(@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))':
     dependencies:
-      '@ember/test-waiters': 4.1.0(@glint/template@1.7.3)
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
+      '@ember/test-waiters': 4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
   '@ember-data/rfc395-data@0.0.4': {}
 
-  '@ember-data/serializer@5.3.13(481fc0014a55050c4586d8c15dd0e593)':
+  '@ember-data/serializer@5.3.13(@babel/core@7.26.10)(@ember-data/legacy-compat@5.3.13(8acceb1cbcc7877fc3e2f71f277a3656))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@ember-data/legacy-compat': 5.3.13(b12992c24c436026b4863b735c590c8a)
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@ember-data/legacy-compat': 5.3.13(8acceb1cbcc7877fc3e2f71f277a3656)
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
       '@ember/edition-utils': 1.2.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-path-utils: 1.0.0
       ember-cli-string-utils: 1.1.0
       ember-cli-test-info: 1.0.0
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/store@5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e)':
     dependencies:
-      '@ember-data/request': 5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/tracking': 5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@ember-data/request': 5.3.13(@babel/core@7.26.10)(@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/tracking': 5.3.13(@babel/core@7.26.10)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@ember-data/tracking@5.3.13(@babel/core@7.26.10)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
   '@ember/edition-utils@1.2.0': {}
 
-  '@ember/legacy-built-in-components@0.4.2(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@ember/legacy-built-in-components@0.4.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-babel: 7.26.11
       ember-cli-htmlbars: 5.7.2
       ember-cli-typescript: 4.2.1
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
@@ -10102,39 +10108,39 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@ember/render-modifiers@2.1.0(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@ember/render-modifiers@2.1.0(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-babel: 7.26.11
       ember-modifier-manager-polyfill: 1.2.0(@babel/core@7.26.10)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     optionalDependencies:
-      '@glint/template': 1.7.3
+      '@glint/template': 1.7.7
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
 
-  '@ember/render-modifiers@3.0.0(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@ember/render-modifiers@3.0.0(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@babel/core': 7.27.1
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      ember-cli-babel: 8.2.0(@babel/core@7.27.1)
-      ember-modifier-manager-polyfill: 1.2.0(@babel/core@7.27.1)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@babel/core': 7.26.10
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-cli-babel: 8.2.0(@babel/core@7.26.10)
+      ember-modifier-manager-polyfill: 1.2.0(@babel/core@7.26.10)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     optionalDependencies:
-      '@glint/template': 1.7.3
+      '@glint/template': 1.7.7
     transitivePeerDependencies:
       - supports-color
 
   '@ember/string@4.0.1': {}
 
-  '@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)':
+  '@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)':
     dependencies:
-      '@ember/test-waiters': 4.1.0(@glint/template@1.7.3)
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@ember/test-waiters': 4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@simple-dom/interface': 1.4.0
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
       dom-element-descriptors: 0.5.1
     transitivePeerDependencies:
       - '@babel/core'
@@ -10146,136 +10152,183 @@ snapshots:
       calculate-cache-key-for-tree: 2.0.0
       ember-cli-babel: 7.26.11
       ember-cli-version-checker: 5.1.2
-      semver: 7.7.2
+      semver: 7.8.1
     transitivePeerDependencies:
       - supports-color
 
-  '@ember/test-waiters@4.1.0(@glint/template@1.7.3)':
+  '@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)':
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@embroider/addon-shim@1.10.0':
+  '@embroider/addon-shim@1.10.2':
     dependencies:
-      '@embroider/shared-internals': 3.0.0
+      '@embroider/shared-internals': 3.1.0
       broccoli-funnel: 3.0.8
       common-ancestor-path: 1.0.1
-      semver: 7.7.2
+      semver: 7.8.1
     transitivePeerDependencies:
       - supports-color
 
-  '@embroider/macros@1.15.0(@glint/template@1.7.3)':
+  '@embroider/macros@1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)':
     dependencies:
-      '@babel/core': 7.26.10
-      '@embroider/shared-internals': 2.5.2
+      '@embroider/shared-internals': 3.1.0
       assert-never: 1.4.0
-      babel-import-util: 2.1.1
-      ember-cli-babel: 8.2.0(@babel/core@7.26.10)
+      babel-import-util: 3.0.1
+      ember-cli-babel: 8.3.1(@babel/core@7.26.10)
       find-up: 5.0.0
-      lodash: 4.17.23
-      resolve: 1.22.10
-      semver: 7.7.2
+      lodash: 4.18.0
+      resolve: 1.22.12
+      semver: 7.8.1
     optionalDependencies:
-      '@glint/template': 1.7.3
+      '@glint/template': 1.7.7
     transitivePeerDependencies:
+      - '@babel/core'
       - supports-color
 
-  '@embroider/shared-internals@2.5.2':
+  '@embroider/macros@1.20.3(@babel/core@7.29.7)(@glint/template@1.7.7)':
     dependencies:
-      babel-import-util: 2.1.1
-      debug: 4.4.1
-      ember-rfc176-data: 0.3.18
-      fs-extra: 9.1.0
-      js-string-escape: 1.0.1
-      lodash: 4.17.23
-      resolve-package-path: 4.0.3
-      semver: 7.7.2
-      typescript-memoize: 1.1.1
+      '@embroider/shared-internals': 3.1.0
+      assert-never: 1.4.0
+      babel-import-util: 3.0.1
+      ember-cli-babel: 8.3.1(@babel/core@7.29.7)
+      find-up: 5.0.0
+      lodash: 4.18.0
+      resolve: 1.22.12
+      semver: 7.8.1
+    optionalDependencies:
+      '@glint/template': 1.7.7
     transitivePeerDependencies:
+      - '@babel/core'
       - supports-color
 
-  '@embroider/shared-internals@2.9.0':
+  '@embroider/reverse-exports@0.2.0':
+    dependencies:
+      mem: 8.1.1
+      resolve.exports: 2.0.3
+
+  '@embroider/shared-internals@2.9.2':
     dependencies:
       babel-import-util: 2.1.1
-      debug: 4.4.1
+      debug: 4.4.3
       ember-rfc176-data: 0.3.18
       fs-extra: 9.1.0
       is-subdir: 1.2.0
       js-string-escape: 1.0.1
-      lodash: 4.17.23
-      minimatch: 3.1.2
+      lodash: 4.18.0
+      minimatch: 3.1.5
       pkg-entry-points: 1.1.1
       resolve-package-path: 4.0.3
-      semver: 7.7.2
+      semver: 7.8.1
       typescript-memoize: 1.1.1
     transitivePeerDependencies:
       - supports-color
 
-  '@embroider/shared-internals@3.0.0':
+  '@embroider/shared-internals@3.1.0':
     dependencies:
       babel-import-util: 3.0.1
-      debug: 4.4.1
+      debug: 4.4.3
       ember-rfc176-data: 0.3.18
       fs-extra: 9.1.0
       is-subdir: 1.2.0
       js-string-escape: 1.0.1
-      lodash: 4.17.23
-      minimatch: 3.1.2
+      lodash: 4.18.0
+      minimatch: 3.1.5
       pkg-entry-points: 1.1.1
       resolve-package-path: 4.0.3
       resolve.exports: 2.0.3
-      semver: 7.7.2
+      semver: 7.8.1
       typescript-memoize: 1.1.1
     transitivePeerDependencies:
       - supports-color
 
-  '@embroider/util@1.13.4(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@embroider/util@1.13.5(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       broccoli-funnel: 3.0.8
       ember-cli-babel: 7.26.11
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     optionalDependencies:
-      '@glint/template': 1.7.3
+      '@glint/template': 1.7.7
     transitivePeerDependencies:
+      - '@babel/core'
       - supports-color
 
-  '@eslint-community/eslint-utils@4.7.0(eslint@8.57.1)':
+  '@eslint-community/eslint-utils@4.9.1(eslint@8.57.1)':
     dependencies:
       eslint: 8.57.1
       eslint-visitor-keys: 3.4.3
 
-  '@eslint-community/regexpp@4.12.1': {}
+  '@eslint-community/regexpp@4.12.2': {}
 
   '@eslint/eslintrc@2.1.4':
     dependencies:
-      ajv: 6.12.6
-      debug: 4.4.1
+      ajv: 6.15.0
+      debug: 4.4.3
       espree: 9.6.1
       globals: 13.24.0
       ignore: 5.3.2
       import-fresh: 3.3.1
       js-yaml: 4.1.1
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       strip-json-comments: 3.1.1
     transitivePeerDependencies:
       - supports-color
 
   '@eslint/js@8.57.1': {}
 
-  '@floating-ui/core@1.7.0':
-    dependencies:
-      '@floating-ui/utils': 0.2.9
+  '@faker-js/faker@8.4.1': {}
 
-  '@floating-ui/dom@1.7.0':
+  '@floating-ui/core@1.7.5':
     dependencies:
-      '@floating-ui/core': 1.7.0
-      '@floating-ui/utils': 0.2.9
+      '@floating-ui/utils': 0.2.11
 
-  '@floating-ui/utils@0.2.9': {}
+  '@floating-ui/dom@1.7.6':
+    dependencies:
+      '@floating-ui/core': 1.7.5
+      '@floating-ui/utils': 0.2.11
+
+  '@floating-ui/utils@0.2.11': {}
+
+  '@formatjs/ecma402-abstract@2.3.6':
+    dependencies:
+      '@formatjs/fast-memoize': 2.2.7
+      '@formatjs/intl-localematcher': 0.6.2
+      decimal.js: 10.6.0
+      tslib: 2.8.1
+
+  '@formatjs/fast-memoize@2.2.7':
+    dependencies:
+      tslib: 2.8.1
+
+  '@formatjs/icu-messageformat-parser@2.11.4':
+    dependencies:
+      '@formatjs/ecma402-abstract': 2.3.6
+      '@formatjs/icu-skeleton-parser': 1.8.16
+      tslib: 2.8.1
+
+  '@formatjs/icu-skeleton-parser@1.8.16':
+    dependencies:
+      '@formatjs/ecma402-abstract': 2.3.6
+      tslib: 2.8.1
+
+  '@formatjs/intl-localematcher@0.6.2':
+    dependencies:
+      tslib: 2.8.1
+
+  '@formatjs/intl@3.1.8(typescript@5.6.3)':
+    dependencies:
+      '@formatjs/ecma402-abstract': 2.3.6
+      '@formatjs/fast-memoize': 2.2.7
+      '@formatjs/icu-messageformat-parser': 2.11.4
+      intl-messageformat: 10.7.18
+      tslib: 2.8.1
+    optionalDependencies:
+      typescript: 5.6.3
 
   '@glimmer/compiler@0.87.1':
     dependencies:
@@ -10439,12 +10492,12 @@ snapshots:
       '@handlebars/parser': 2.0.0
       simple-html-tokenizer: 0.5.11
 
-  '@glimmer/syntax@0.94.9':
+  '@glimmer/syntax@0.95.0':
     dependencies:
       '@glimmer/interfaces': 0.94.6
       '@glimmer/util': 0.94.8
       '@glimmer/wire-format': 0.94.8
-      '@handlebars/parser': 2.0.0
+      '@handlebars/parser': 2.2.2
       simple-html-tokenizer: 0.5.11
 
   '@glimmer/tracking@1.1.2':
@@ -10503,70 +10556,80 @@ snapshots:
     dependencies:
       '@glimmer/interfaces': 0.94.6
 
-  '@glint/template@1.7.3': {}
+  '@glint/template@1.7.7': {}
 
   '@handlebars/parser@2.0.0': {}
 
-  '@hashicorp-internal/vault-reporting@file:vault-reporting/0.8.0.tgz(@babel/core@7.26.10)(@glint/template@1.7.3)(@hashicorp/design-system-components@4.24.1(9e1e7970f02a7597d41eecd5c69ae0c6))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@handlebars/parser@2.2.2': {}
+
+  '@hashicorp-internal/vault-reporting@file:vault-reporting/0.21.0.tgz(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(@hashicorp/design-system-components@4.24.1(82ada2dfe2f3991d57e146b4e9515b04))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(typescript@5.6.3)(webpack@5.107.2)':
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@hashicorp/design-system-components': 4.24.1(9e1e7970f02a7597d41eecd5c69ae0c6)
-      '@lineal-viz/lineal': 0.5.1(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@faker-js/faker': 8.4.1
+      '@hashicorp/design-system-components': 4.24.1(82ada2dfe2f3991d57e146b4e9515b04)
+      '@lineal-viz/lineal': 0.5.1(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
+      ember-intl: 7.5.0(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(typescript@5.6.3)(webpack@5.107.2)
       ember-modifier: 4.2.2(@babel/core@7.26.10)
+      ember-truth-helpers: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      miragejs: 0.1.48
     transitivePeerDependencies:
       - '@babel/core'
+      - '@ember/test-helpers'
       - '@glint/template'
       - ember-source
       - supports-color
+      - typescript
+      - webpack
 
-  '@hashicorp/design-system-components@4.24.1(9e1e7970f02a7597d41eecd5c69ae0c6)':
+  '@hashicorp/design-system-components@4.24.1(82ada2dfe2f3991d57e146b4e9515b04)':
     dependencies:
-      '@codemirror/commands': 6.8.1
+      '@codemirror/commands': 6.10.3
       '@codemirror/lang-go': 6.0.1
-      '@codemirror/lang-javascript': 6.2.4
-      '@codemirror/lang-json': 6.0.1
-      '@codemirror/lang-markdown': 6.3.2
-      '@codemirror/lang-sql': 6.8.0
-      '@codemirror/lang-yaml': 6.1.2
-      '@codemirror/language': 6.11.0
-      '@codemirror/legacy-modes': 6.5.1
-      '@codemirror/lint': 6.8.5
-      '@codemirror/state': 6.5.2
-      '@codemirror/view': 6.36.8
-      '@ember/render-modifiers': 2.1.0(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@codemirror/lang-javascript': 6.2.5
+      '@codemirror/lang-json': 6.0.2
+      '@codemirror/lang-markdown': 6.5.0
+      '@codemirror/lang-sql': 6.10.0
+      '@codemirror/lang-yaml': 6.1.3
+      '@codemirror/language': 6.12.3
+      '@codemirror/legacy-modes': 6.5.3
+      '@codemirror/lint': 6.9.6
+      '@codemirror/state': 6.6.0
+      '@codemirror/view': 6.43.0
+      '@ember/render-modifiers': 2.1.0(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@ember/string': 4.0.1
       '@ember/test-waiters': 3.1.0
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@embroider/util': 1.13.4(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@floating-ui/dom': 1.7.0
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/util': 1.13.5(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@floating-ui/dom': 1.7.6
       '@hashicorp/design-system-tokens': 3.0.0
       '@hashicorp/flight-icons': 3.14.0
-      '@lezer/highlight': 1.2.1
-      '@nullvoxpopuli/ember-composable-helpers': 5.3.0(@babel/core@7.26.10)
+      '@lezer/highlight': 1.2.3
+      '@nullvoxpopuli/ember-composable-helpers': 5.3.2(@babel/core@7.26.10)
       clipboard-polyfill: 4.1.1
       codemirror-lang-hcl: 0.0.0-beta.2
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
       ember-a11y-refocus: 4.1.4
       ember-cli-sass: 11.0.1
-      ember-concurrency: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3)
+      ember-concurrency: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-element-helper: 0.8.8
-      ember-focus-trap: 1.1.1(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-get-config: 2.1.1(@glint/template@1.7.3)
+      ember-focus-trap: 1.2.0(@babel/core@7.26.10)
+      ember-get-config: 2.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-modifier: 4.2.2(@babel/core@7.26.10)
-      ember-power-select: 8.12.0(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-stargate: 0.5.0(@babel/core@7.26.10)(@ember/test-waiters@3.1.0)(@glimmer/tracking@1.1.2)(@glint/template@1.7.3)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-style-modifier: 4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-truth-helpers: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      luxon: 3.7.1
+      ember-power-select: 8.12.2(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-stargate: 0.5.0(@babel/core@7.26.10)(@ember/test-waiters@3.1.0)(@glimmer/tracking@1.1.2)(@glint/template@1.7.7)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-style-modifier: 4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-truth-helpers: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      luxon: 3.7.2
       prismjs: 1.30.0
-      sass: 1.89.0
-      tabbable: 6.2.0
+      sass: 1.100.0
+      tabbable: 6.4.0
       tippy.js: 6.3.7
-      tracked-built-ins: 4.0.0(@babel/core@7.26.10)
+      tracked-built-ins: 4.1.2(@babel/core@7.26.10)
     optionalDependencies:
-      ember-engines: 0.8.23(@ember/legacy-built-in-components@0.4.2(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      ember-engines: 0.8.23(@babel/core@7.26.10)(@ember/legacy-built-in-components@0.4.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-intl: 7.5.0(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(typescript@5.6.3)(webpack@5.107.2)
     transitivePeerDependencies:
       - '@babel/core'
       - '@ember/test-helpers'
@@ -10582,13 +10645,13 @@ snapshots:
 
   '@hashicorp/flight-icons@3.14.0': {}
 
-  '@hashicorp/vault-client-typescript@https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/e29e1596079a941e42dd87cf533d95575f88a67c': {}
+  '@hashicorp/vault-client-typescript@https://codeload.github.com/hashicorp/vault-client-typescript/tar.gz/9191faf2deb4fa4fd9d0d4b396434fec5b799abc': {}
 
   '@humanwhocodes/config-array@0.13.0':
     dependencies:
       '@humanwhocodes/object-schema': 2.0.3
-      debug: 4.4.1
-      minimatch: 3.1.2
+      debug: 4.4.3
+      minimatch: 3.1.5
     transitivePeerDependencies:
       - supports-color
 
@@ -10596,109 +10659,118 @@ snapshots:
 
   '@humanwhocodes/object-schema@2.0.3': {}
 
-  '@ibm/telemetry-js@1.10.2': {}
+  '@ibm/telemetry-js@1.11.0': {}
 
   '@icholy/duration@5.1.0': {}
 
-  '@inquirer/figures@1.0.11': {}
+  '@inquirer/external-editor@1.0.3(@types/node@25.9.1)':
+    dependencies:
+      chardet: 2.1.1
+      iconv-lite: 0.7.2
+    optionalDependencies:
+      '@types/node': 25.9.1
+
+  '@inquirer/figures@1.0.15': {}
 
   '@isaacs/cliui@8.0.2':
     dependencies:
       string-width: 5.1.2
       string-width-cjs: string-width@4.2.3
-      strip-ansi: 7.1.0
+      strip-ansi: 7.2.0
       strip-ansi-cjs: strip-ansi@6.0.1
       wrap-ansi: 8.1.0
       wrap-ansi-cjs: wrap-ansi@7.0.0
 
-  '@jridgewell/gen-mapping@0.3.8':
+  '@jridgewell/gen-mapping@0.3.13':
     dependencies:
-      '@jridgewell/set-array': 1.2.1
-      '@jridgewell/sourcemap-codec': 1.5.0
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/sourcemap-codec': 1.5.5
+      '@jridgewell/trace-mapping': 0.3.31
+
+  '@jridgewell/remapping@2.3.5':
+    dependencies:
+      '@jridgewell/gen-mapping': 0.3.13
+      '@jridgewell/trace-mapping': 0.3.31
 
   '@jridgewell/resolve-uri@3.1.2': {}
 
-  '@jridgewell/set-array@1.2.1': {}
-
-  '@jridgewell/source-map@0.3.6':
+  '@jridgewell/source-map@0.3.11':
     dependencies:
-      '@jridgewell/gen-mapping': 0.3.8
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/gen-mapping': 0.3.13
+      '@jridgewell/trace-mapping': 0.3.31
 
-  '@jridgewell/sourcemap-codec@1.5.0': {}
+  '@jridgewell/sourcemap-codec@1.5.5': {}
 
-  '@jridgewell/trace-mapping@0.3.25':
+  '@jridgewell/trace-mapping@0.3.31':
     dependencies:
       '@jridgewell/resolve-uri': 3.1.2
-      '@jridgewell/sourcemap-codec': 1.5.0
+      '@jridgewell/sourcemap-codec': 1.5.5
 
-  '@jsdoc/salty@0.2.9':
+  '@keyv/bigmap@1.3.1(keyv@5.6.0)':
     dependencies:
-      lodash: 4.17.23
+      hashery: 1.5.1
+      hookified: 1.15.1
+      keyv: 5.6.0
 
-  '@keyv/serialize@1.0.3':
+  '@keyv/serialize@1.1.1': {}
+
+  '@lezer/common@1.5.2': {}
+
+  '@lezer/css@1.3.3':
     dependencies:
-      buffer: 6.0.3
-
-  '@lezer/common@1.2.3': {}
-
-  '@lezer/css@1.2.1':
-    dependencies:
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
   '@lezer/go@1.0.1':
     dependencies:
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
-  '@lezer/highlight@1.2.1':
+  '@lezer/highlight@1.2.3':
     dependencies:
-      '@lezer/common': 1.2.3
+      '@lezer/common': 1.5.2
 
-  '@lezer/html@1.3.10':
+  '@lezer/html@1.3.13':
     dependencies:
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
-  '@lezer/javascript@1.5.1':
+  '@lezer/javascript@1.5.4':
     dependencies:
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
   '@lezer/json@1.0.3':
     dependencies:
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
-  '@lezer/lr@1.4.2':
+  '@lezer/lr@1.4.10':
     dependencies:
-      '@lezer/common': 1.2.3
+      '@lezer/common': 1.5.2
 
-  '@lezer/markdown@1.4.3':
+  '@lezer/markdown@1.6.3':
     dependencies:
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
 
-  '@lezer/yaml@1.0.3':
+  '@lezer/yaml@1.0.4':
     dependencies:
-      '@lezer/common': 1.2.3
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
+      '@lezer/common': 1.5.2
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
-  '@lineal-viz/lineal@0.5.1(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))':
+  '@lineal-viz/lineal@0.5.1(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))':
     dependencies:
-      '@embroider/addon-shim': 1.10.0
+      '@embroider/addon-shim': 1.10.2
       d3-array: 3.2.4
       d3-scale: 4.0.2
       d3-shape: 3.2.0
-      ember-cached-decorator-polyfill: 1.0.2(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      ember-cached-decorator-polyfill: 1.0.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       ember-modifier: 3.2.7(@babel/core@7.26.10)
       ember-resize-modifier: 0.4.1(@babel/core@7.26.10)
     transitivePeerDependencies:
@@ -10727,7 +10799,7 @@ snapshots:
       '@messageformat/number-skeleton': 1.2.0
       '@messageformat/parser': 5.1.1
       '@messageformat/runtime': 3.0.2
-      make-plural: 7.4.0
+      make-plural: 7.5.0
       safe-identifier: 0.4.2
 
   '@messageformat/date-skeleton@1.1.0': {}
@@ -10736,11 +10808,11 @@ snapshots:
 
   '@messageformat/parser@5.1.1':
     dependencies:
-      moo: 0.5.2
+      moo: 0.5.3
 
   '@messageformat/runtime@3.0.2':
     dependencies:
-      make-plural: 7.4.0
+      make-plural: 7.5.0
 
   '@miragejs/pretender-node-polyfill@0.1.2': {}
 
@@ -10761,85 +10833,85 @@ snapshots:
   '@nodelib/fs.walk@1.2.8':
     dependencies:
       '@nodelib/fs.scandir': 2.1.5
-      fastq: 1.19.1
+      fastq: 1.20.1
 
-  '@nullvoxpopuli/ember-composable-helpers@5.3.0(@babel/core@7.26.10)':
+  '@nullvoxpopuli/ember-composable-helpers@5.3.2(@babel/core@7.26.10)':
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      '@embroider/addon-shim': 1.10.2
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
 
-  '@parcel/watcher-android-arm64@2.5.1':
+  '@parcel/watcher-android-arm64@2.5.6':
     optional: true
 
-  '@parcel/watcher-darwin-arm64@2.5.1':
+  '@parcel/watcher-darwin-arm64@2.5.6':
     optional: true
 
-  '@parcel/watcher-darwin-x64@2.5.1':
+  '@parcel/watcher-darwin-x64@2.5.6':
     optional: true
 
-  '@parcel/watcher-freebsd-x64@2.5.1':
+  '@parcel/watcher-freebsd-x64@2.5.6':
     optional: true
 
-  '@parcel/watcher-linux-arm-glibc@2.5.1':
+  '@parcel/watcher-linux-arm-glibc@2.5.6':
     optional: true
 
-  '@parcel/watcher-linux-arm-musl@2.5.1':
+  '@parcel/watcher-linux-arm-musl@2.5.6':
     optional: true
 
-  '@parcel/watcher-linux-arm64-glibc@2.5.1':
+  '@parcel/watcher-linux-arm64-glibc@2.5.6':
     optional: true
 
-  '@parcel/watcher-linux-arm64-musl@2.5.1':
+  '@parcel/watcher-linux-arm64-musl@2.5.6':
     optional: true
 
-  '@parcel/watcher-linux-x64-glibc@2.5.1':
+  '@parcel/watcher-linux-x64-glibc@2.5.6':
     optional: true
 
-  '@parcel/watcher-linux-x64-musl@2.5.1':
+  '@parcel/watcher-linux-x64-musl@2.5.6':
     optional: true
 
-  '@parcel/watcher-win32-arm64@2.5.1':
+  '@parcel/watcher-win32-arm64@2.5.6':
     optional: true
 
-  '@parcel/watcher-win32-ia32@2.5.1':
+  '@parcel/watcher-win32-ia32@2.5.6':
     optional: true
 
-  '@parcel/watcher-win32-x64@2.5.1':
+  '@parcel/watcher-win32-x64@2.5.6':
     optional: true
 
-  '@parcel/watcher@2.5.1':
+  '@parcel/watcher@2.5.6':
     dependencies:
-      detect-libc: 1.0.3
+      detect-libc: 2.1.2
       is-glob: 4.0.3
-      micromatch: 4.0.8
       node-addon-api: 7.1.1
+      picomatch: 4.0.4
     optionalDependencies:
-      '@parcel/watcher-android-arm64': 2.5.1
-      '@parcel/watcher-darwin-arm64': 2.5.1
-      '@parcel/watcher-darwin-x64': 2.5.1
-      '@parcel/watcher-freebsd-x64': 2.5.1
-      '@parcel/watcher-linux-arm-glibc': 2.5.1
-      '@parcel/watcher-linux-arm-musl': 2.5.1
-      '@parcel/watcher-linux-arm64-glibc': 2.5.1
-      '@parcel/watcher-linux-arm64-musl': 2.5.1
-      '@parcel/watcher-linux-x64-glibc': 2.5.1
-      '@parcel/watcher-linux-x64-musl': 2.5.1
-      '@parcel/watcher-win32-arm64': 2.5.1
-      '@parcel/watcher-win32-ia32': 2.5.1
-      '@parcel/watcher-win32-x64': 2.5.1
+      '@parcel/watcher-android-arm64': 2.5.6
+      '@parcel/watcher-darwin-arm64': 2.5.6
+      '@parcel/watcher-darwin-x64': 2.5.6
+      '@parcel/watcher-freebsd-x64': 2.5.6
+      '@parcel/watcher-linux-arm-glibc': 2.5.6
+      '@parcel/watcher-linux-arm-musl': 2.5.6
+      '@parcel/watcher-linux-arm64-glibc': 2.5.6
+      '@parcel/watcher-linux-arm64-musl': 2.5.6
+      '@parcel/watcher-linux-x64-glibc': 2.5.6
+      '@parcel/watcher-linux-x64-musl': 2.5.6
+      '@parcel/watcher-win32-arm64': 2.5.6
+      '@parcel/watcher-win32-ia32': 2.5.6
+      '@parcel/watcher-win32-x64': 2.5.6
     optional: true
 
   '@pkgjs/parseargs@0.11.0':
     optional: true
 
-  '@pkgr/core@0.2.4': {}
+  '@pkgr/core@0.2.9': {}
 
-  '@playwright/test@1.58.0':
+  '@playwright/test@1.60.0':
     dependencies:
-      playwright: 1.58.0
+      playwright: 1.60.0
 
   '@pnpm/constants@7.1.1': {}
 
@@ -10860,23 +10932,25 @@ snapshots:
 
   '@ro0gr/ceibo@2.2.0': {}
 
-  '@rollup/plugin-replace@2.3.0(rollup@2.79.2)':
+  '@rollup/plugin-replace@2.3.0(rollup@2.80.0)':
     dependencies:
       magic-string: 0.25.9
-      rollup: 2.79.2
+      rollup: 2.80.0
       rollup-pluginutils: 2.8.2
 
   '@scalvert/ember-setup-middleware-reporter@0.1.1':
     dependencies:
       '@types/fs-extra': 9.0.13
-      body-parser: 1.20.3
-      errorhandler: 1.5.1
+      body-parser: 1.20.5
+      errorhandler: 1.5.2
       fs-extra: 10.1.0
     transitivePeerDependencies:
       - supports-color
 
   '@scarf/scarf@1.4.0': {}
 
+  '@sec-ant/readable-stream@0.4.1': {}
+
   '@simple-dom/document@1.4.0':
     dependencies:
       '@simple-dom/interface': 1.4.0
@@ -10885,6 +10959,8 @@ snapshots:
 
   '@sindresorhus/merge-streams@2.3.0': {}
 
+  '@sindresorhus/merge-streams@4.0.0': {}
+
   '@sinonjs/commons@3.0.1':
     dependencies:
       type-detect: 4.0.8
@@ -10893,56 +10969,35 @@ snapshots:
     dependencies:
       '@sinonjs/commons': 3.0.1
 
-  '@sinonjs/samsam@8.0.2':
+  '@sinonjs/samsam@8.0.3':
     dependencies:
       '@sinonjs/commons': 3.0.1
-      lodash.get: 4.4.2
       type-detect: 4.1.0
 
   '@socket.io/component-emitter@3.1.2': {}
 
-  '@textlint/ast-node-types@12.6.1': {}
-
-  '@textlint/markdown-to-ast@12.6.1':
-    dependencies:
-      '@textlint/ast-node-types': 12.6.1
-      debug: 4.4.1
-      mdast-util-gfm-autolink-literal: 0.1.3
-      remark-footnotes: 3.0.0
-      remark-frontmatter: 3.0.0
-      remark-gfm: 1.0.0
-      remark-parse: 9.0.0
-      traverse: 0.6.11
-      unified: 9.2.2
-    transitivePeerDependencies:
-      - supports-color
-
   '@tsconfig/ember@2.0.0': {}
 
-  '@types/body-parser@1.19.5':
+  '@types/body-parser@1.19.6':
     dependencies:
       '@types/connect': 3.4.38
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
 
   '@types/chai-as-promised@7.1.8':
     dependencies:
-      '@types/chai': 5.2.2
+      '@types/chai': 4.3.20
 
   '@types/chai@4.3.20': {}
 
-  '@types/chai@5.2.2':
-    dependencies:
-      '@types/deep-eql': 4.0.2
-
   '@types/connect@3.4.38':
     dependencies:
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
 
-  '@types/cors@2.8.18':
+  '@types/cors@2.8.19':
     dependencies:
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
 
-  '@types/d3-array@3.2.1': {}
+  '@types/d3-array@3.2.2': {}
 
   '@types/d3-axis@3.0.6':
     dependencies:
@@ -10958,7 +11013,7 @@ snapshots:
 
   '@types/d3-contour@3.0.6':
     dependencies:
-      '@types/d3-array': 3.2.1
+      '@types/d3-array': 3.2.2
       '@types/geojson': 7946.0.16
 
   '@types/d3-delaunay@6.0.4': {}
@@ -11028,7 +11083,7 @@ snapshots:
 
   '@types/d3@7.4.3':
     dependencies:
-      '@types/d3-array': 3.2.1
+      '@types/d3-array': 3.2.2
       '@types/d3-axis': 3.0.6
       '@types/d3-brush': 3.0.6
       '@types/d3-chord': 3.0.6
@@ -11059,8 +11114,6 @@ snapshots:
       '@types/d3-transition': 3.0.9
       '@types/d3-zoom': 3.0.8
 
-  '@types/deep-eql@4.0.2': {}
-
   '@types/ember-data@4.4.16(@babel/core@7.26.10)':
     dependencies:
       '@types/ember': 4.0.11(@babel/core@7.26.10)
@@ -11071,6 +11124,26 @@ snapshots:
       - '@babel/core'
       - supports-color
 
+  '@types/ember@4.0.11':
+    dependencies:
+      '@types/ember__application': 4.0.11(@babel/core@7.26.10)
+      '@types/ember__array': 4.0.10
+      '@types/ember__component': 4.0.22
+      '@types/ember__controller': 4.0.12(@babel/core@7.26.10)
+      '@types/ember__debug': 4.0.8(@babel/core@7.26.10)
+      '@types/ember__engine': 4.0.11(@babel/core@7.26.10)
+      '@types/ember__error': 4.0.6
+      '@types/ember__object': 4.0.12(@babel/core@7.26.10)
+      '@types/ember__polyfills': 4.0.6
+      '@types/ember__routing': 4.0.23(@babel/core@7.26.10)
+      '@types/ember__runloop': 4.0.10
+      '@types/ember__service': 4.0.9(@babel/core@7.26.10)
+      '@types/ember__string': 3.0.15
+      '@types/ember__template': 4.0.7
+      '@types/ember__test': 4.0.6(@babel/core@7.26.10)
+      '@types/ember__utils': 4.0.7
+      '@types/rsvp': 4.0.9
+
   '@types/ember@4.0.11(@babel/core@7.26.10)':
     dependencies:
       '@types/ember__application': 4.0.11(@babel/core@7.26.10)
@@ -11082,10 +11155,10 @@ snapshots:
       '@types/ember__error': 4.0.6
       '@types/ember__object': 4.0.12(@babel/core@7.26.10)
       '@types/ember__polyfills': 4.0.6
-      '@types/ember__routing': 4.0.22(@babel/core@7.26.10)
+      '@types/ember__routing': 4.0.23(@babel/core@7.26.10)
       '@types/ember__runloop': 4.0.10(@babel/core@7.26.10)
       '@types/ember__service': 4.0.9(@babel/core@7.26.10)
-      '@types/ember__string': 3.16.3
+      '@types/ember__string': 3.0.15
       '@types/ember__template': 4.0.7
       '@types/ember__test': 4.0.6(@babel/core@7.26.10)
       '@types/ember__utils': 4.0.7(@babel/core@7.26.10)
@@ -11097,15 +11170,20 @@ snapshots:
   '@types/ember__application@4.0.11(@babel/core@7.26.10)':
     dependencies:
       '@glimmer/component': 1.1.2(@babel/core@7.26.10)
-      '@types/ember': 4.0.11(@babel/core@7.26.10)
+      '@types/ember': 4.0.11
       '@types/ember__engine': 4.0.11(@babel/core@7.26.10)
       '@types/ember__object': 4.0.12(@babel/core@7.26.10)
       '@types/ember__owner': 4.0.9
-      '@types/ember__routing': 4.0.22(@babel/core@7.26.10)
+      '@types/ember__routing': 4.0.23(@babel/core@7.26.10)
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
 
+  '@types/ember__array@4.0.10':
+    dependencies:
+      '@types/ember': 4.0.11
+      '@types/ember__object': 4.0.12(@babel/core@7.26.10)
+
   '@types/ember__array@4.0.10(@babel/core@7.26.10)':
     dependencies:
       '@types/ember': 4.0.11(@babel/core@7.26.10)
@@ -11114,6 +11192,11 @@ snapshots:
       - '@babel/core'
       - supports-color
 
+  '@types/ember__component@4.0.22':
+    dependencies:
+      '@types/ember': 4.0.11
+      '@types/ember__object': 4.0.12(@babel/core@7.26.10)
+
   '@types/ember__component@4.0.22(@babel/core@7.26.10)':
     dependencies:
       '@types/ember': 4.0.11(@babel/core@7.26.10)
@@ -11159,7 +11242,7 @@ snapshots:
 
   '@types/ember__polyfills@4.0.6': {}
 
-  '@types/ember__routing@4.0.22(@babel/core@7.26.10)':
+  '@types/ember__routing@4.0.23(@babel/core@7.26.10)':
     dependencies:
       '@types/ember': 4.0.11(@babel/core@7.26.10)
       '@types/ember__controller': 4.0.12(@babel/core@7.26.10)
@@ -11169,6 +11252,10 @@ snapshots:
       - '@babel/core'
       - supports-color
 
+  '@types/ember__runloop@4.0.10':
+    dependencies:
+      '@types/ember': 4.0.11
+
   '@types/ember__runloop@4.0.10(@babel/core@7.26.10)':
     dependencies:
       '@types/ember': 4.0.11(@babel/core@7.26.10)
@@ -11183,9 +11270,7 @@ snapshots:
       - '@babel/core'
       - supports-color
 
-  '@types/ember__string@3.16.3':
-    dependencies:
-      '@types/ember__template': 4.0.7
+  '@types/ember__string@3.0.15': {}
 
   '@types/ember__template@4.0.7': {}
 
@@ -11196,6 +11281,10 @@ snapshots:
       - '@babel/core'
       - supports-color
 
+  '@types/ember__utils@4.0.7':
+    dependencies:
+      '@types/ember': 4.0.11
+
   '@types/ember__utils@4.0.7(@babel/core@7.26.10)':
     dependencies:
       '@types/ember': 4.0.11(@babel/core@7.26.10)
@@ -11205,119 +11294,113 @@ snapshots:
 
   '@types/eslint@8.56.12':
     dependencies:
-      '@types/estree': 1.0.8
+      '@types/estree': 1.0.9
       '@types/json-schema': 7.0.15
 
-  '@types/estree@1.0.7': {}
+  '@types/estree@1.0.9': {}
 
-  '@types/estree@1.0.8': {}
-
-  '@types/express-serve-static-core@4.19.6':
+  '@types/express-serve-static-core@4.19.8':
     dependencies:
-      '@types/node': 25.1.0
-      '@types/qs': 6.14.0
+      '@types/node': 25.9.1
+      '@types/qs': 6.15.1
       '@types/range-parser': 1.2.7
-      '@types/send': 0.17.4
+      '@types/send': 1.2.1
 
-  '@types/express@4.17.22':
+  '@types/express@4.17.25':
     dependencies:
-      '@types/body-parser': 1.19.5
-      '@types/express-serve-static-core': 4.19.6
-      '@types/qs': 6.14.0
-      '@types/serve-static': 1.15.7
+      '@types/body-parser': 1.19.6
+      '@types/express-serve-static-core': 4.19.8
+      '@types/qs': 6.15.1
+      '@types/serve-static': 1.15.10
 
   '@types/fs-extra@5.1.0':
     dependencies:
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
 
   '@types/fs-extra@8.1.5':
     dependencies:
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
 
   '@types/fs-extra@9.0.13':
     dependencies:
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
 
   '@types/geojson@7946.0.16': {}
 
   '@types/glob@7.2.0':
     dependencies:
-      '@types/minimatch': 5.1.2
-      '@types/node': 25.1.0
+      '@types/minimatch': 6.0.0
+      '@types/node': 25.9.1
 
-  '@types/glob@8.1.0':
+  '@types/glob@9.0.0':
     dependencies:
-      '@types/minimatch': 5.1.2
-      '@types/node': 25.1.0
+      glob: 8.1.0
 
-  '@types/http-errors@2.0.4': {}
+  '@types/http-errors@2.0.5': {}
 
-  '@types/jquery@3.5.32':
+  '@types/jquery@3.5.34':
     dependencies:
-      '@types/sizzle': 2.3.9
+      '@types/sizzle': 2.3.10
 
   '@types/json-schema@7.0.15': {}
 
-  '@types/linkify-it@5.0.0': {}
-
-  '@types/markdown-it@14.1.2':
-    dependencies:
-      '@types/linkify-it': 5.0.0
-      '@types/mdurl': 2.0.0
-
   '@types/mdast@3.0.15':
     dependencies:
       '@types/unist': 2.0.11
 
-  '@types/mdurl@2.0.0': {}
-
   '@types/mime@1.3.5': {}
 
   '@types/minimatch@3.0.5': {}
 
-  '@types/minimatch@5.1.2': {}
-
-  '@types/node@25.1.0':
+  '@types/minimatch@6.0.0':
     dependencies:
-      undici-types: 7.16.0
+      minimatch: 7.4.9
+
+  '@types/node@25.9.1':
+    dependencies:
+      undici-types: 7.24.6
 
   '@types/prettier@2.7.3': {}
 
-  '@types/qs@6.14.0': {}
+  '@types/qs@6.15.1': {}
 
-  '@types/qunit@2.19.12': {}
+  '@types/qunit@2.19.14': {}
 
   '@types/range-parser@1.2.7': {}
 
   '@types/rimraf@2.0.5':
     dependencies:
-      '@types/glob': 8.1.0
-      '@types/node': 25.1.0
+      '@types/glob': 9.0.0
+      '@types/node': 25.9.1
 
   '@types/rsvp@4.0.9': {}
 
-  '@types/semver@7.7.0': {}
+  '@types/semver@7.7.1': {}
 
-  '@types/send@0.17.4':
+  '@types/send@0.17.6':
     dependencies:
       '@types/mime': 1.3.5
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
 
-  '@types/serve-static@1.15.7':
+  '@types/send@1.2.1':
     dependencies:
-      '@types/http-errors': 2.0.4
-      '@types/node': 25.1.0
-      '@types/send': 0.17.4
+      '@types/node': 25.9.1
+
+  '@types/serve-static@1.15.10':
+    dependencies:
+      '@types/http-errors': 2.0.5
+      '@types/node': 25.9.1
+      '@types/send': 0.17.6
 
   '@types/shell-quote@1.7.5': {}
 
   '@types/sinon@17.0.4':
     dependencies:
-      '@types/sinonjs__fake-timers': 8.1.5
+      '@types/sinonjs__fake-timers': 15.0.1
 
-  '@types/sinonjs__fake-timers@8.1.5': {}
+  '@types/sinonjs__fake-timers@15.0.1': {}
 
-  '@types/sizzle@2.3.9': {}
+  '@types/sizzle@2.3.10': {}
 
   '@types/symlink-or-copy@1.2.2': {}
 
@@ -11355,22 +11438,26 @@ snapshots:
 
   '@types/unist@2.0.11': {}
 
-  '@typescript-eslint/eslint-plugin@5.62.0(@typescript-eslint/parser@5.62.0(eslint@8.57.1)(typescript@5.5.4))(eslint@8.57.1)(typescript@5.5.4)':
+  '@types/ws@8.18.1':
     dependencies:
-      '@eslint-community/regexpp': 4.12.1
-      '@typescript-eslint/parser': 5.62.0(eslint@8.57.1)(typescript@5.5.4)
+      '@types/node': 25.9.1
+
+  '@typescript-eslint/eslint-plugin@5.62.0(@typescript-eslint/parser@5.62.0(eslint@8.57.1)(typescript@5.6.3))(eslint@8.57.1)(typescript@5.6.3)':
+    dependencies:
+      '@eslint-community/regexpp': 4.12.2
+      '@typescript-eslint/parser': 5.62.0(eslint@8.57.1)(typescript@5.6.3)
       '@typescript-eslint/scope-manager': 5.62.0
-      '@typescript-eslint/type-utils': 5.62.0(eslint@8.57.1)(typescript@5.5.4)
-      '@typescript-eslint/utils': 5.62.0(eslint@8.57.1)(typescript@5.5.4)
-      debug: 4.4.1
+      '@typescript-eslint/type-utils': 5.62.0(eslint@8.57.1)(typescript@5.6.3)
+      '@typescript-eslint/utils': 5.62.0(eslint@8.57.1)(typescript@5.6.3)
+      debug: 4.4.3
       eslint: 8.57.1
       graphemer: 1.4.0
       ignore: 5.3.2
       natural-compare-lite: 1.4.0
-      semver: 7.7.2
-      tsutils: 3.21.0(typescript@5.5.4)
+      semver: 7.8.1
+      tsutils: 3.21.0(typescript@5.6.3)
     optionalDependencies:
-      typescript: 5.5.4
+      typescript: 5.6.3
     transitivePeerDependencies:
       - supports-color
 
@@ -11379,22 +11466,22 @@ snapshots:
       '@typescript-eslint/scope-manager': 5.62.0
       '@typescript-eslint/types': 5.62.0
       '@typescript-eslint/typescript-estree': 5.62.0(typescript@4.9.5)
-      debug: 4.4.1
+      debug: 4.4.3
       eslint: 8.57.1
     optionalDependencies:
       typescript: 4.9.5
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/parser@5.62.0(eslint@8.57.1)(typescript@5.5.4)':
+  '@typescript-eslint/parser@5.62.0(eslint@8.57.1)(typescript@5.6.3)':
     dependencies:
       '@typescript-eslint/scope-manager': 5.62.0
       '@typescript-eslint/types': 5.62.0
-      '@typescript-eslint/typescript-estree': 5.62.0(typescript@5.5.4)
-      debug: 4.4.1
+      '@typescript-eslint/typescript-estree': 5.62.0(typescript@5.6.3)
+      debug: 4.4.3
       eslint: 8.57.1
     optionalDependencies:
-      typescript: 5.5.4
+      typescript: 5.6.3
     transitivePeerDependencies:
       - supports-color
 
@@ -11403,15 +11490,15 @@ snapshots:
       '@typescript-eslint/types': 5.62.0
       '@typescript-eslint/visitor-keys': 5.62.0
 
-  '@typescript-eslint/type-utils@5.62.0(eslint@8.57.1)(typescript@5.5.4)':
+  '@typescript-eslint/type-utils@5.62.0(eslint@8.57.1)(typescript@5.6.3)':
     dependencies:
-      '@typescript-eslint/typescript-estree': 5.62.0(typescript@5.5.4)
-      '@typescript-eslint/utils': 5.62.0(eslint@8.57.1)(typescript@5.5.4)
-      debug: 4.4.1
+      '@typescript-eslint/typescript-estree': 5.62.0(typescript@5.6.3)
+      '@typescript-eslint/utils': 5.62.0(eslint@8.57.1)(typescript@5.6.3)
+      debug: 4.4.3
       eslint: 8.57.1
-      tsutils: 3.21.0(typescript@5.5.4)
+      tsutils: 3.21.0(typescript@5.6.3)
     optionalDependencies:
-      typescript: 5.5.4
+      typescript: 5.6.3
     transitivePeerDependencies:
       - supports-color
 
@@ -11421,41 +11508,41 @@ snapshots:
     dependencies:
       '@typescript-eslint/types': 5.62.0
       '@typescript-eslint/visitor-keys': 5.62.0
-      debug: 4.4.1
+      debug: 4.4.3
       globby: 11.1.0
       is-glob: 4.0.3
-      semver: 7.7.2
+      semver: 7.8.1
       tsutils: 3.21.0(typescript@4.9.5)
     optionalDependencies:
       typescript: 4.9.5
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/typescript-estree@5.62.0(typescript@5.5.4)':
+  '@typescript-eslint/typescript-estree@5.62.0(typescript@5.6.3)':
     dependencies:
       '@typescript-eslint/types': 5.62.0
       '@typescript-eslint/visitor-keys': 5.62.0
-      debug: 4.4.1
+      debug: 4.4.3
       globby: 11.1.0
       is-glob: 4.0.3
-      semver: 7.7.2
-      tsutils: 3.21.0(typescript@5.5.4)
+      semver: 7.8.1
+      tsutils: 3.21.0(typescript@5.6.3)
     optionalDependencies:
-      typescript: 5.5.4
+      typescript: 5.6.3
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/utils@5.62.0(eslint@8.57.1)(typescript@5.5.4)':
+  '@typescript-eslint/utils@5.62.0(eslint@8.57.1)(typescript@5.6.3)':
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@8.57.1)
+      '@eslint-community/eslint-utils': 4.9.1(eslint@8.57.1)
       '@types/json-schema': 7.0.15
-      '@types/semver': 7.7.0
+      '@types/semver': 7.7.1
       '@typescript-eslint/scope-manager': 5.62.0
       '@typescript-eslint/types': 5.62.0
-      '@typescript-eslint/typescript-estree': 5.62.0(typescript@5.5.4)
+      '@typescript-eslint/typescript-estree': 5.62.0(typescript@5.6.3)
       eslint: 8.57.1
       eslint-scope: 5.1.1
-      semver: 7.7.2
+      semver: 7.8.1
     transitivePeerDependencies:
       - supports-color
       - typescript
@@ -11465,23 +11552,25 @@ snapshots:
       '@typescript-eslint/types': 5.62.0
       eslint-visitor-keys: 3.4.3
 
-  '@ungap/structured-clone@1.3.0': {}
+  '@ungap/structured-clone@1.3.1': {}
 
-  '@warp-drive/build-config@0.0.3(@glint/template@1.7.3)':
+  '@warp-drive/build-config@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)':
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       babel-import-util: 2.1.1
-      semver: 7.7.2
+      semver: 7.8.1
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  '@warp-drive/core-types@0.0.3(@glint/template@1.7.3)':
+  '@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)':
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
@@ -11561,29 +11650,27 @@ snapshots:
       '@webassemblyjs/ast': 1.14.1
       '@xtuc/long': 4.2.2
 
-  '@webpack-cli/configtest@3.0.1(webpack-cli@6.0.1)(webpack@5.94.0)':
+  '@webpack-cli/configtest@3.0.1(webpack-cli@6.0.1)(webpack@5.107.2)':
     dependencies:
-      webpack: 5.94.0(webpack-cli@6.0.1)
-      webpack-cli: 6.0.1(webpack@5.94.0)
+      webpack: 5.107.2(webpack-cli@6.0.1)
+      webpack-cli: 6.0.1(webpack@5.107.2)
 
-  '@webpack-cli/info@3.0.1(webpack-cli@6.0.1)(webpack@5.94.0)':
+  '@webpack-cli/info@3.0.1(webpack-cli@6.0.1)(webpack@5.107.2)':
     dependencies:
-      webpack: 5.94.0(webpack-cli@6.0.1)
-      webpack-cli: 6.0.1(webpack@5.94.0)
+      webpack: 5.107.2(webpack-cli@6.0.1)
+      webpack-cli: 6.0.1(webpack@5.107.2)
 
-  '@webpack-cli/serve@3.0.1(webpack-cli@6.0.1)(webpack@5.94.0)':
+  '@webpack-cli/serve@3.0.1(webpack-cli@6.0.1)(webpack@5.107.2)':
     dependencies:
-      webpack: 5.94.0(webpack-cli@6.0.1)
-      webpack-cli: 6.0.1(webpack@5.94.0)
+      webpack: 5.107.2(webpack-cli@6.0.1)
+      webpack-cli: 6.0.1(webpack@5.107.2)
 
-  '@xmldom/xmldom@0.8.10': {}
+  '@xmldom/xmldom@0.9.10': {}
 
   '@xtuc/ieee754@1.2.0': {}
 
   '@xtuc/long@4.2.2': {}
 
-  JSV@4.0.2: {}
-
   abbrev@1.1.1: {}
 
   accepts@1.3.8:
@@ -11591,42 +11678,47 @@ snapshots:
       mime-types: 2.1.35
       negotiator: 0.6.3
 
-  acorn-import-attributes@1.9.5(acorn@8.14.1):
+  accepts@2.0.0:
     dependencies:
-      acorn: 8.14.1
+      mime-types: 3.0.2
+      negotiator: 1.0.0
 
-  acorn-jsx@5.3.2(acorn@8.14.1):
+  acorn-import-phases@1.0.4(acorn@8.16.0):
     dependencies:
-      acorn: 8.14.1
+      acorn: 8.16.0
+
+  acorn-jsx@5.3.2(acorn@8.16.0):
+    dependencies:
+      acorn: 8.16.0
 
   acorn@5.7.4: {}
 
-  acorn@8.14.1: {}
+  acorn@8.16.0: {}
 
   ajv-formats@2.1.1:
     dependencies:
-      ajv: 8.17.1
+      ajv: 8.20.0
 
-  ajv-keywords@3.5.2(ajv@6.12.6):
+  ajv-keywords@3.5.2(ajv@6.15.0):
     dependencies:
-      ajv: 6.12.6
+      ajv: 6.15.0
 
-  ajv-keywords@5.1.0(ajv@8.17.1):
+  ajv-keywords@5.1.0(ajv@8.20.0):
     dependencies:
-      ajv: 8.17.1
+      ajv: 8.20.0
       fast-deep-equal: 3.1.3
 
-  ajv@6.12.6:
+  ajv@6.15.0:
     dependencies:
       fast-deep-equal: 3.1.3
       fast-json-stable-stringify: 2.1.0
       json-schema-traverse: 0.4.1
       uri-js: 4.4.1
 
-  ajv@8.17.1:
+  ajv@8.20.0:
     dependencies:
       fast-deep-equal: 3.1.3
-      fast-uri: 3.0.6
+      fast-uri: 3.1.2
       json-schema-traverse: 1.0.0
       require-from-string: 2.0.2
 
@@ -11641,21 +11733,13 @@ snapshots:
 
   amdefine@1.0.1: {}
 
-  anchor-markdown-header@0.6.0:
-    dependencies:
-      emoji-regex: 10.1.0
-
-  ansi-escape-sequences@4.1.0:
-    dependencies:
-      array-back: 3.1.0
-
   ansi-escapes@3.2.0: {}
 
   ansi-escapes@4.3.2:
     dependencies:
       type-fest: 0.21.3
 
-  ansi-escapes@7.0.0:
+  ansi-escapes@7.3.0:
     dependencies:
       environment: 1.1.0
 
@@ -11669,9 +11753,7 @@ snapshots:
 
   ansi-regex@5.0.1: {}
 
-  ansi-regex@6.1.0: {}
-
-  ansi-styles@1.0.0: {}
+  ansi-regex@6.2.2: {}
 
   ansi-styles@2.2.1: {}
 
@@ -11683,7 +11765,7 @@ snapshots:
     dependencies:
       color-convert: 2.0.1
 
-  ansi-styles@6.2.1: {}
+  ansi-styles@6.2.3: {}
 
   ansi-to-html@0.6.15:
     dependencies:
@@ -11699,41 +11781,16 @@ snapshots:
   anymatch@3.1.3:
     dependencies:
       normalize-path: 3.0.0
-      picomatch: 2.3.1
+      picomatch: 2.3.2
 
-  aproba@2.0.0: {}
-
-  are-we-there-yet@3.0.1:
-    dependencies:
-      delegates: 1.0.0
-      readable-stream: 3.6.2
+  aproba@2.1.0: {}
 
   are-we-there-yet@4.0.2: {}
 
-  argparse@1.0.10:
-    dependencies:
-      sprintf-js: 1.0.3
-
   argparse@2.0.1: {}
 
   aria-query@5.3.2: {}
 
-  array-back@1.0.4:
-    dependencies:
-      typical: 2.6.1
-
-  array-back@2.0.0:
-    dependencies:
-      typical: 2.6.1
-
-  array-back@3.1.0: {}
-
-  array-back@4.0.2: {}
-
-  array-back@5.0.0: {}
-
-  array-back@6.2.2: {}
-
   array-buffer-byte-length@1.0.2:
     dependencies:
       call-bound: 1.0.4
@@ -11754,19 +11811,19 @@ snapshots:
   arraybuffer.prototype.slice@1.0.4:
     dependencies:
       array-buffer-byte-length: 1.0.2
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       define-properties: 1.2.1
-      es-abstract: 1.23.10
+      es-abstract: 1.24.2
       es-errors: 1.3.0
       get-intrinsic: 1.3.0
       is-array-buffer: 3.0.5
 
   arrify@2.0.1: {}
 
-  asn1js@3.0.6:
+  asn1js@3.0.10:
     dependencies:
       pvtsutils: 1.3.6
-      pvutils: 1.1.3
+      pvutils: 1.1.5
       tslib: 2.8.1
 
   assert-never@1.4.0: {}
@@ -11793,7 +11850,7 @@ snapshots:
 
   async-disk-cache@2.1.0:
     dependencies:
-      debug: 4.4.1
+      debug: 4.4.3
       heimdalljs: 0.2.6
       istextorbinary: 2.6.0
       mkdirp: 0.5.6
@@ -11814,7 +11871,7 @@ snapshots:
 
   async@2.6.4:
     dependencies:
-      lodash: 4.17.23
+      lodash: 4.18.0
 
   at-least-node@1.0.0: {}
 
@@ -11824,7 +11881,7 @@ snapshots:
     dependencies:
       possible-typed-array-names: 1.1.0
 
-  axe-core@4.10.3: {}
+  axe-core@4.11.4: {}
 
   babel-import-util@0.2.0: {}
 
@@ -11834,14 +11891,23 @@ snapshots:
 
   babel-import-util@3.0.1: {}
 
-  babel-loader@8.4.1(@babel/core@7.27.1)(webpack@5.94.0):
+  babel-loader@8.4.1(@babel/core@7.26.10)(webpack@5.107.2):
     dependencies:
-      '@babel/core': 7.27.1
+      '@babel/core': 7.26.10
       find-cache-dir: 3.3.2
       loader-utils: 2.0.4
       make-dir: 3.1.0
       schema-utils: 2.7.1
-      webpack: 5.94.0(webpack-cli@6.0.1)
+      webpack: 5.107.2(webpack-cli@6.0.1)
+
+  babel-loader@8.4.1(@babel/core@7.29.7)(webpack@5.107.2):
+    dependencies:
+      '@babel/core': 7.29.7
+      find-cache-dir: 3.3.2
+      loader-utils: 2.0.4
+      make-dir: 3.1.0
+      schema-utils: 2.7.1
+      webpack: 5.107.2(webpack-cli@6.0.1)
 
   babel-plugin-compact-reexports@1.1.0: {}
 
@@ -11850,19 +11916,14 @@ snapshots:
       '@babel/core': 7.26.10
       semver: 5.7.2
 
-  babel-plugin-debug-macros@0.2.0(@babel/core@7.27.1):
-    dependencies:
-      '@babel/core': 7.27.1
-      semver: 5.7.2
-
   babel-plugin-debug-macros@0.3.4(@babel/core@7.26.10):
     dependencies:
       '@babel/core': 7.26.10
       semver: 5.7.2
 
-  babel-plugin-debug-macros@0.3.4(@babel/core@7.27.1):
+  babel-plugin-debug-macros@0.3.4(@babel/core@7.29.7):
     dependencies:
-      '@babel/core': 7.27.1
+      '@babel/core': 7.29.7
       semver: 5.7.2
 
   babel-plugin-ember-data-packages-polyfill@0.1.2:
@@ -11875,13 +11936,13 @@ snapshots:
 
   babel-plugin-ember-template-compilation@2.4.1:
     dependencies:
-      '@glimmer/syntax': 0.94.9
+      '@glimmer/syntax': 0.95.0
       babel-import-util: 3.0.1
 
   babel-plugin-filter-imports@4.0.0:
     dependencies:
-      '@babel/types': 7.27.1
-      lodash: 4.17.23
+      '@babel/types': 7.29.7
+      lodash: 4.18.0
 
   babel-plugin-htmlbars-inline-precompile@5.3.1:
     dependencies:
@@ -11901,61 +11962,77 @@ snapshots:
       glob: 7.2.3
       pkg-up: 2.0.0
       reselect: 3.0.1
-      resolve: 1.22.10
+      resolve: 1.22.12
 
-  babel-plugin-module-resolver@5.0.2:
+  babel-plugin-module-resolver@5.0.3:
     dependencies:
       find-babel-config: 2.1.2
       glob: 9.3.5
       pkg-up: 3.1.0
       reselect: 4.1.8
-      resolve: 1.22.10
+      resolve: 1.22.12
 
-  babel-plugin-polyfill-corejs2@0.4.13(@babel/core@7.26.10):
+  babel-plugin-polyfill-corejs2@0.4.17(@babel/core@7.26.10):
     dependencies:
-      '@babel/compat-data': 7.27.2
+      '@babel/compat-data': 7.29.7
       '@babel/core': 7.26.10
-      '@babel/helper-define-polyfill-provider': 0.6.4(@babel/core@7.26.10)
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.26.10)
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  babel-plugin-polyfill-corejs2@0.4.13(@babel/core@7.27.1):
+  babel-plugin-polyfill-corejs2@0.4.17(@babel/core@7.29.7):
     dependencies:
-      '@babel/compat-data': 7.27.2
-      '@babel/core': 7.27.1
-      '@babel/helper-define-polyfill-provider': 0.6.4(@babel/core@7.27.1)
+      '@babel/compat-data': 7.29.7
+      '@babel/core': 7.29.7
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.29.7)
       semver: 6.3.1
     transitivePeerDependencies:
       - supports-color
 
-  babel-plugin-polyfill-corejs3@0.11.1(@babel/core@7.26.10):
+  babel-plugin-polyfill-corejs3@0.13.0(@babel/core@7.26.10):
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-define-polyfill-provider': 0.6.4(@babel/core@7.26.10)
-      core-js-compat: 3.42.0
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.26.10)
+      core-js-compat: 3.49.0
     transitivePeerDependencies:
       - supports-color
 
-  babel-plugin-polyfill-corejs3@0.11.1(@babel/core@7.27.1):
+  babel-plugin-polyfill-corejs3@0.13.0(@babel/core@7.29.7):
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-define-polyfill-provider': 0.6.4(@babel/core@7.27.1)
-      core-js-compat: 3.42.0
+      '@babel/core': 7.29.7
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.29.7)
+      core-js-compat: 3.49.0
     transitivePeerDependencies:
       - supports-color
 
-  babel-plugin-polyfill-regenerator@0.6.4(@babel/core@7.26.10):
+  babel-plugin-polyfill-corejs3@0.14.2(@babel/core@7.26.10):
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-define-polyfill-provider': 0.6.4(@babel/core@7.26.10)
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.26.10)
+      core-js-compat: 3.49.0
     transitivePeerDependencies:
       - supports-color
 
-  babel-plugin-polyfill-regenerator@0.6.4(@babel/core@7.27.1):
+  babel-plugin-polyfill-corejs3@0.14.2(@babel/core@7.29.7):
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-define-polyfill-provider': 0.6.4(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.29.7)
+      core-js-compat: 3.49.0
+    transitivePeerDependencies:
+      - supports-color
+
+  babel-plugin-polyfill-regenerator@0.6.8(@babel/core@7.26.10):
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.26.10)
+    transitivePeerDependencies:
+      - supports-color
+
+  babel-plugin-polyfill-regenerator@0.6.8(@babel/core@7.29.7):
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-define-polyfill-provider': 0.6.8(@babel/core@7.29.7)
     transitivePeerDependencies:
       - supports-color
 
@@ -11963,7 +12040,7 @@ snapshots:
 
   backbone@1.6.1:
     dependencies:
-      underscore: 1.13.7
+      underscore: 1.13.8
 
   backburner.js@2.8.0: {}
 
@@ -11973,10 +12050,14 @@ snapshots:
 
   balanced-match@2.0.0: {}
 
+  balanced-match@4.0.4: {}
+
   base64-js@1.5.1: {}
 
   base64id@2.0.0: {}
 
+  baseline-browser-mapping@2.10.32: {}
+
   basic-auth@2.0.1:
     dependencies:
       safe-buffer: 5.1.2
@@ -12000,25 +12081,37 @@ snapshots:
 
   blank-object@1.0.2: {}
 
-  bluebird@3.7.2: {}
-
-  body-parser@1.20.3:
+  body-parser@1.20.5:
     dependencies:
       bytes: 3.1.2
       content-type: 1.0.5
       debug: 2.6.9
       depd: 2.0.0
       destroy: 1.2.0
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       iconv-lite: 0.4.24
       on-finished: 2.4.1
       qs: 6.14.1
-      raw-body: 2.5.2
+      raw-body: 2.5.3
       type-is: 1.6.18
       unpipe: 1.0.0
     transitivePeerDependencies:
       - supports-color
 
+  body-parser@2.2.2:
+    dependencies:
+      bytes: 3.1.2
+      content-type: 1.0.5
+      debug: 4.4.3
+      http-errors: 2.0.1
+      iconv-lite: 0.7.2
+      on-finished: 2.4.1
+      qs: 6.14.1
+      raw-body: 3.0.2
+      type-is: 2.1.0
+    transitivePeerDependencies:
+      - supports-color
+
   body@5.1.0:
     dependencies:
       continuable-cache: 0.3.1
@@ -12028,15 +12121,19 @@ snapshots:
 
   boolify@1.0.1: {}
 
-  brace-expansion@1.1.11:
+  brace-expansion@1.1.15:
     dependencies:
       balanced-match: 1.0.2
       concat-map: 0.0.1
 
-  brace-expansion@2.0.1:
+  brace-expansion@2.1.1:
     dependencies:
       balanced-match: 1.0.2
 
+  brace-expansion@5.0.6:
+    dependencies:
+      balanced-match: 4.0.4
+
   braces@3.0.3:
     dependencies:
       fill-range: 7.1.1
@@ -12047,7 +12144,7 @@ snapshots:
       broccoli-filter: 1.3.0
       broccoli-persistent-filter: 1.4.6
       json-stable-stringify: 1.3.0
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       rsvp: 3.6.2
     transitivePeerDependencies:
       - supports-color
@@ -12060,13 +12157,13 @@ snapshots:
 
   broccoli-babel-transpiler@7.8.1:
     dependencies:
-      '@babel/core': 7.27.1
+      '@babel/core': 7.26.10
       '@babel/polyfill': 7.12.1
       broccoli-funnel: 2.0.2
       broccoli-merge-trees: 3.0.2
       broccoli-persistent-filter: 2.3.1
       clone: 2.1.2
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       json-stable-stringify: 1.3.0
@@ -12080,7 +12177,7 @@ snapshots:
       '@babel/core': 7.26.10
       broccoli-persistent-filter: 3.1.3
       clone: 2.1.2
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       json-stable-stringify: 1.3.0
@@ -12089,12 +12186,12 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  broccoli-babel-transpiler@8.0.2(@babel/core@7.27.1):
+  broccoli-babel-transpiler@8.0.2(@babel/core@7.29.7):
     dependencies:
-      '@babel/core': 7.27.1
+      '@babel/core': 7.29.7
       broccoli-persistent-filter: 3.1.3
       clone: 2.1.2
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       json-stable-stringify: 1.3.0
@@ -12114,7 +12211,7 @@ snapshots:
       broccoli-node-info: 1.1.0
       heimdalljs: 0.2.6
       promise-map-series: 0.2.3
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       rimraf: 2.7.1
       rsvp: 3.6.2
       silent-error: 1.1.1
@@ -12132,11 +12229,10 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  broccoli-caching-writer@3.0.3:
+  broccoli-caching-writer@3.1.0:
     dependencies:
-      broccoli-kitchen-sink-helpers: 0.3.1
       broccoli-plugin: 1.3.1
-      debug: 2.6.9
+      debug: 3.2.7
       rimraf: 2.7.1
       rsvp: 3.6.2
       walk-sync: 0.3.4
@@ -12152,31 +12248,27 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  broccoli-concat@4.2.5:
+  broccoli-concat@4.2.7:
     dependencies:
       broccoli-debug: 0.6.5
-      broccoli-kitchen-sink-helpers: 0.3.1
       broccoli-plugin: 4.0.7
       ensure-posix-path: 1.1.1
       fast-sourcemap-concat: 2.1.1
       find-index: 1.1.1
       fs-extra: 8.1.0
       fs-tree-diff: 2.0.1
-      lodash.merge: 4.6.2
-      lodash.omit: 4.5.0
-      lodash.uniq: 4.5.0
+      lodash: 4.18.0
     transitivePeerDependencies:
       - supports-color
 
   broccoli-config-loader@1.0.1:
     dependencies:
-      broccoli-caching-writer: 3.0.3
+      broccoli-caching-writer: 3.1.0
     transitivePeerDependencies:
       - supports-color
 
-  broccoli-config-replace@1.1.2:
+  broccoli-config-replace@1.1.3:
     dependencies:
-      broccoli-kitchen-sink-helpers: 0.3.1
       broccoli-plugin: 1.3.1
       debug: 2.6.9
       fs-extra: 0.24.0
@@ -12238,7 +12330,7 @@ snapshots:
       fast-ordered-set: 1.0.3
       fs-tree-diff: 0.5.9
       heimdalljs: 0.2.6
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       mkdirp: 0.5.6
       path-posix: 1.0.0
       rimraf: 2.7.1
@@ -12256,7 +12348,7 @@ snapshots:
       fast-ordered-set: 1.0.3
       fs-tree-diff: 0.5.9
       heimdalljs: 0.2.6
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       mkdirp: 0.5.6
       path-posix: 1.0.0
       rimraf: 2.7.1
@@ -12269,10 +12361,10 @@ snapshots:
     dependencies:
       array-equal: 1.0.2
       broccoli-plugin: 4.0.7
-      debug: 4.4.1
+      debug: 4.4.3
       fs-tree-diff: 2.0.1
       heimdalljs: 0.2.6
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       walk-sync: 2.2.0
     transitivePeerDependencies:
       - supports-color
@@ -12301,10 +12393,10 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  broccoli-middleware@2.1.1:
+  broccoli-middleware@2.1.2:
     dependencies:
       ansi-html: 0.0.8
-      handlebars: 4.7.8
+      handlebars: 4.7.9
       has-ansi: 3.0.0
       mime-types: 2.1.35
 
@@ -12328,7 +12420,7 @@ snapshots:
       async-promise-queue: 1.0.5
       broccoli-plugin: 1.3.1
       fs-tree-diff: 0.5.9
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       mkdirp: 0.5.6
@@ -12346,7 +12438,7 @@ snapshots:
       async-promise-queue: 1.0.5
       broccoli-plugin: 1.3.1
       fs-tree-diff: 2.0.1
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       mkdirp: 0.5.6
@@ -12365,7 +12457,7 @@ snapshots:
       async-promise-queue: 1.0.5
       broccoli-plugin: 4.0.7
       fs-tree-diff: 2.0.1
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       promise-map-series: 0.2.3
@@ -12378,21 +12470,21 @@ snapshots:
   broccoli-plugin@1.1.0:
     dependencies:
       promise-map-series: 0.2.3
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       rimraf: 2.7.1
       symlink-or-copy: 1.3.1
 
   broccoli-plugin@1.3.1:
     dependencies:
       promise-map-series: 0.2.3
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       rimraf: 2.7.1
       symlink-or-copy: 1.3.1
 
   broccoli-plugin@2.1.0:
     dependencies:
       promise-map-series: 0.2.3
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       rimraf: 2.7.1
       symlink-or-copy: 1.3.1
 
@@ -12402,7 +12494,7 @@ snapshots:
       broccoli-output-wrapper: 3.2.5
       fs-merger: 3.2.1
       promise-map-series: 0.3.0
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       rimraf: 3.0.2
       symlink-or-copy: 1.3.1
     transitivePeerDependencies:
@@ -12410,14 +12502,14 @@ snapshots:
 
   broccoli-rollup@4.0.0:
     dependencies:
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
       broccoli-plugin: 2.1.0
       fs-tree-diff: 2.0.1
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       magic-string: 0.25.9
       node-modules-path: 1.0.2
-      rollup: 2.79.2
+      rollup: 2.80.0
       symlink-or-copy: 1.3.1
       walk-sync: 1.1.4
     transitivePeerDependencies:
@@ -12425,7 +12517,7 @@ snapshots:
 
   broccoli-sass-source-maps@4.3.0:
     dependencies:
-      broccoli-caching-writer: 3.0.3
+      broccoli-caching-writer: 3.1.0
       include-path-searcher: 0.1.0
       rsvp: 4.8.5
     transitivePeerDependencies:
@@ -12471,11 +12563,11 @@ snapshots:
       broccoli-persistent-filter: 2.3.1
       broccoli-plugin: 2.1.0
       chalk: 2.4.2
-      debug: 4.4.1
+      debug: 4.4.3
       ensure-posix-path: 1.1.1
       fs-extra: 8.1.0
-      minimatch: 3.1.2
-      resolve: 1.22.10
+      minimatch: 3.1.5
+      resolve: 1.22.12
       rsvp: 4.8.5
       symlink-or-copy: 1.3.1
       walk-sync: 1.1.4
@@ -12487,11 +12579,11 @@ snapshots:
       async-promise-queue: 1.0.5
       broccoli-plugin: 4.0.7
       convert-source-map: 2.0.0
-      debug: 4.4.1
+      debug: 4.4.3
       lodash.defaultsdeep: 4.6.1
       matcher-collection: 2.0.1
       symlink-or-copy: 1.3.1
-      terser: 5.39.2
+      terser: 5.48.0
       walk-sync: 2.2.0
       workerpool: 6.5.1
     transitivePeerDependencies:
@@ -12512,7 +12604,7 @@ snapshots:
     dependencies:
       async-promise-queue: 1.0.5
       broccoli-plugin: 1.3.1
-      debug: 4.4.1
+      debug: 4.4.3
       lodash.defaultsdeep: 4.6.1
       matcher-collection: 2.0.1
       mkdirp: 0.5.6
@@ -12533,7 +12625,7 @@ snapshots:
       connect: 3.7.0
       esm: 3.2.25
       findup-sync: 2.0.0
-      handlebars: 4.7.8
+      handlebars: 4.7.9
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       mime-types: 2.1.35
@@ -12552,7 +12644,7 @@ snapshots:
     dependencies:
       '@types/chai': 4.3.20
       '@types/chai-as-promised': 7.1.8
-      '@types/express': 4.17.22
+      '@types/express': 4.17.25
       ansi-html: 0.0.8
       broccoli-node-info: 2.2.0
       broccoli-slow-trees: 3.1.0
@@ -12562,7 +12654,7 @@ snapshots:
       console-ui: 3.1.2
       esm: 3.2.25
       findup-sync: 4.0.0
-      handlebars: 4.7.8
+      handlebars: 4.7.9
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
       https: 1.0.0
@@ -12577,12 +12669,13 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  browserslist@4.24.5:
+  browserslist@4.28.2:
     dependencies:
-      caniuse-lite: 1.0.30001754
-      electron-to-chromium: 1.5.157
-      node-releases: 2.0.19
-      update-browserslist-db: 1.1.3(browserslist@4.24.5)
+      baseline-browser-mapping: 2.10.32
+      caniuse-lite: 1.0.30001793
+      electron-to-chromium: 1.5.361
+      node-releases: 2.0.46
+      update-browserslist-db: 1.2.3(browserslist@4.28.2)
 
   bser@2.1.1:
     dependencies:
@@ -12595,16 +12688,11 @@ snapshots:
       base64-js: 1.5.1
       ieee754: 1.2.1
 
-  buffer@6.0.3:
-    dependencies:
-      base64-js: 1.5.1
-      ieee754: 1.2.1
-
   builtin-modules@3.3.0: {}
 
   builtins@5.1.0:
     dependencies:
-      semver: 7.7.2
+      semver: 7.8.1
 
   bytes@1.0.0: {}
 
@@ -12612,16 +12700,13 @@ snapshots:
 
   bytestreamjs@1.1.3: {}
 
-  cache-point@2.0.0:
+  cacheable@2.3.5:
     dependencies:
-      array-back: 4.0.2
-      fs-then-native: 2.0.0
-      mkdirp2: 1.0.5
-
-  cacheable@1.9.0:
-    dependencies:
-      hookified: 1.9.0
-      keyv: 5.3.3
+      '@cacheable/memory': 2.0.9
+      '@cacheable/utils': 2.4.1
+      hookified: 1.15.1
+      keyv: 5.6.0
+      qified: 0.10.1
 
   calculate-cache-key-for-tree@2.0.0:
     dependencies:
@@ -12632,7 +12717,7 @@ snapshots:
       es-errors: 1.3.0
       function-bind: 1.1.2
 
-  call-bind@1.0.8:
+  call-bind@1.0.9:
     dependencies:
       call-bind-apply-helpers: 1.0.2
       es-define-property: 1.0.1
@@ -12663,7 +12748,7 @@ snapshots:
     dependencies:
       tmp: 0.0.28
 
-  caniuse-lite@1.0.30001754: {}
+  caniuse-lite@1.0.30001793: {}
 
   capture-exit@2.0.0:
     dependencies:
@@ -12674,18 +12759,8 @@ snapshots:
       ansicolors: 0.2.1
       redeyed: 1.0.1
 
-  catharsis@0.9.0:
-    dependencies:
-      lodash: 4.17.23
-
   ccount@1.1.0: {}
 
-  chalk@0.4.0:
-    dependencies:
-      ansi-styles: 1.0.0
-      has-color: 0.1.7
-      strip-ansi: 0.1.1
-
   chalk@1.1.3:
     dependencies:
       ansi-styles: 2.2.1
@@ -12717,6 +12792,8 @@ snapshots:
 
   chardet@0.7.0: {}
 
+  chardet@2.1.1: {}
+
   charm@1.0.2:
     dependencies:
       inherits: 2.0.4
@@ -12734,15 +12811,17 @@ snapshots:
       fsevents: 2.3.3
     optional: true
 
-  chokidar@4.0.3:
+  chokidar@5.0.0:
     dependencies:
-      readdirp: 4.1.2
+      readdirp: 5.0.0
 
   chrome-trace-event@1.0.4: {}
 
   ci-info@3.9.0: {}
 
-  ci-info@4.2.0: {}
+  ci-info@4.4.0: {}
+
+  cldr-core@47.0.0: {}
 
   clean-base-url@1.0.0: {}
 
@@ -12828,14 +12907,9 @@ snapshots:
 
   codemirror-lang-hcl@0.0.0-beta.2:
     dependencies:
-      '@codemirror/language': 6.11.0
-      '@lezer/highlight': 1.2.1
-      '@lezer/lr': 1.4.2
-
-  collect-all@1.0.4:
-    dependencies:
-      stream-connect: 1.0.2
-      stream-via: 1.0.4
+      '@codemirror/language': 6.12.3
+      '@lezer/highlight': 1.2.3
+      '@lezer/lr': 1.4.10
 
   color-convert@1.9.3:
     dependencies:
@@ -12866,32 +12940,12 @@ snapshots:
 
   comma-separated-tokens@1.0.8: {}
 
-  command-line-args@5.2.1:
-    dependencies:
-      array-back: 3.1.0
-      find-replace: 3.0.0
-      lodash.camelcase: 4.3.0
-      typical: 4.0.0
-
-  command-line-tool@0.8.0:
-    dependencies:
-      ansi-escape-sequences: 4.1.0
-      array-back: 2.0.0
-      command-line-args: 5.2.1
-      command-line-usage: 4.1.0
-      typical: 2.6.1
-
-  command-line-usage@4.1.0:
-    dependencies:
-      ansi-escape-sequences: 4.1.0
-      array-back: 2.0.0
-      table-layout: 0.4.5
-      typical: 2.6.1
-
   commander@12.1.0: {}
 
   commander@13.1.0: {}
 
+  commander@14.0.3: {}
+
   commander@2.20.3: {}
 
   commander@2.8.1:
@@ -12908,8 +12962,6 @@ snapshots:
 
   common-ancestor-path@1.0.1: {}
 
-  common-sequence@2.0.2: {}
-
   common-tags@1.8.2: {}
 
   commondir@1.0.1: {}
@@ -12918,13 +12970,13 @@ snapshots:
     dependencies:
       mime-db: 1.54.0
 
-  compression@1.8.0:
+  compression@1.8.1:
     dependencies:
       bytes: 3.1.2
       compressible: 2.0.18
       debug: 2.6.9
       negotiator: 0.6.4
-      on-headers: 1.0.2
+      on-headers: 1.1.0
       safe-buffer: 5.2.1
       vary: 1.1.2
     transitivePeerDependencies:
@@ -12935,17 +12987,13 @@ snapshots:
   concurrently@9.1.2:
     dependencies:
       chalk: 4.1.2
-      lodash: 4.17.23
+      lodash: 4.18.0
       rxjs: 7.8.2
-      shell-quote: 1.8.2
+      shell-quote: 1.8.4
       supports-color: 8.1.1
       tree-kill: 1.2.2
       yargs: 17.7.2
 
-  config-master@3.1.0:
-    dependencies:
-      walk-back: 2.0.1
-
   configstore@5.0.1:
     dependencies:
       dot-prop: 5.3.0
@@ -12974,40 +13022,45 @@ snapshots:
       ora: 3.4.0
       through2: 3.0.2
 
-  consolidate@0.16.0(handlebars@4.7.8)(lodash@4.17.23)(mustache@4.2.0)(underscore@1.13.7):
-    dependencies:
-      bluebird: 3.7.2
+  consolidate@1.0.4(@babel/core@7.26.10)(handlebars@4.7.9)(lodash@4.18.0)(mustache@4.2.0)(underscore@1.13.8):
     optionalDependencies:
-      handlebars: 4.7.8
-      lodash: 4.17.23
+      '@babel/core': 7.26.10
+      handlebars: 4.7.9
+      lodash: 4.18.0
       mustache: 4.2.0
-      underscore: 1.13.7
+      underscore: 1.13.8
 
   content-disposition@0.5.4:
     dependencies:
       safe-buffer: 5.2.1
 
+  content-disposition@1.1.0: {}
+
   content-tag@1.2.2: {}
 
   content-type@1.0.5: {}
 
+  content-type@2.0.0: {}
+
   continuable-cache@0.3.1: {}
 
   convert-source-map@2.0.0: {}
 
-  cookie-signature@1.0.6: {}
+  cookie-signature@1.0.7: {}
+
+  cookie-signature@1.2.2: {}
 
   cookie@0.7.2: {}
 
   copy-dereference@1.0.0: {}
 
-  core-js-compat@3.42.0:
+  core-js-compat@3.49.0:
     dependencies:
-      browserslist: 4.24.5
+      browserslist: 4.28.2
 
   core-js@2.6.12: {}
 
-  core-js@3.41.0: {}
+  core-js@3.49.0: {}
 
   core-object@3.1.5:
     dependencies:
@@ -13015,19 +13068,19 @@ snapshots:
 
   core-util-is@1.0.3: {}
 
-  cors@2.8.5:
+  cors@2.8.6:
     dependencies:
       object-assign: 4.1.1
       vary: 1.1.2
 
-  cosmiconfig@9.0.0(typescript@5.5.4):
+  cosmiconfig@9.0.1(typescript@5.6.3):
     dependencies:
       env-paths: 2.2.1
       import-fresh: 3.3.1
       js-yaml: 4.1.1
       parse-json: 5.2.0
     optionalDependencies:
-      typescript: 5.5.4
+      typescript: 5.6.3
 
   crelt@1.0.6: {}
 
@@ -13047,35 +13100,35 @@ snapshots:
 
   crypto-random-string@2.0.0: {}
 
-  css-functions-list@3.2.3: {}
+  css-functions-list@3.3.3: {}
 
-  css-loader@5.2.7(webpack@5.94.0):
+  css-loader@5.2.7(webpack@5.107.2):
     dependencies:
-      icss-utils: 5.1.0(postcss@8.5.3)
+      icss-utils: 5.1.0(postcss@8.5.15)
       loader-utils: 2.0.4
-      postcss: 8.5.3
-      postcss-modules-extract-imports: 3.1.0(postcss@8.5.3)
-      postcss-modules-local-by-default: 4.2.0(postcss@8.5.3)
-      postcss-modules-scope: 3.2.1(postcss@8.5.3)
-      postcss-modules-values: 4.0.0(postcss@8.5.3)
+      postcss: 8.5.15
+      postcss-modules-extract-imports: 3.1.0(postcss@8.5.15)
+      postcss-modules-local-by-default: 4.2.0(postcss@8.5.15)
+      postcss-modules-scope: 3.2.1(postcss@8.5.15)
+      postcss-modules-values: 4.0.0(postcss@8.5.15)
       postcss-value-parser: 4.2.0
       schema-utils: 3.3.0
-      semver: 7.7.2
-      webpack: 5.94.0(webpack-cli@6.0.1)
+      semver: 7.8.1
+      webpack: 5.107.2(webpack-cli@6.0.1)
 
   css-tree@2.3.1:
     dependencies:
       mdn-data: 2.0.30
       source-map-js: 1.2.1
 
-  css-tree@3.1.0:
+  css-tree@3.2.1:
     dependencies:
-      mdn-data: 2.12.2
+      mdn-data: 2.27.1
       source-map-js: 1.2.1
 
   cssesc@3.0.0: {}
 
-  csstype@3.1.3: {}
+  csstype@3.2.3: {}
 
   d3-array@2.12.1:
     dependencies:
@@ -13099,7 +13152,7 @@ snapshots:
     dependencies:
       d3-path: 3.1.0
 
-  d3-cloud@1.2.8:
+  d3-cloud@1.2.9:
     dependencies:
       d3-dispatch: 1.0.6
 
@@ -13111,7 +13164,7 @@ snapshots:
 
   d3-delaunay@6.0.4:
     dependencies:
-      delaunator: 5.0.1
+      delaunator: 5.1.0
 
   d3-dispatch@1.0.6: {}
 
@@ -13140,7 +13193,7 @@ snapshots:
       d3-quadtree: 3.0.1
       d3-timer: 3.0.1
 
-  d3-format@3.1.0: {}
+  d3-format@3.1.2: {}
 
   d3-geo@3.1.1:
     dependencies:
@@ -13175,7 +13228,7 @@ snapshots:
   d3-scale@4.0.2:
     dependencies:
       d3-array: 3.2.4
-      d3-format: 3.1.0
+      d3-format: 3.1.2
       d3-interpolate: 3.0.1
       d3-time: 3.1.0
       d3-time-format: 4.1.0
@@ -13232,7 +13285,7 @@ snapshots:
       d3-ease: 3.0.1
       d3-fetch: 3.0.1
       d3-force: 3.0.0
-      d3-format: 3.1.0
+      d3-format: 3.1.2
       d3-geo: 3.1.1
       d3-hierarchy: 3.1.2
       d3-interpolate: 3.0.1
@@ -13280,7 +13333,7 @@ snapshots:
 
   date-fns@3.6.0: {}
 
-  date-fns@4.1.0: {}
+  date-fns@4.3.0: {}
 
   debug@2.6.9:
     dependencies:
@@ -13290,14 +13343,6 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
-  debug@4.3.7:
-    dependencies:
-      ms: 2.1.3
-
-  debug@4.4.1:
-    dependencies:
-      ms: 2.1.3
-
   debug@4.4.3:
     dependencies:
       ms: 2.1.3
@@ -13308,22 +13353,22 @@ snapshots:
 
   decamelize@1.2.0: {}
 
+  decimal.js@10.6.0: {}
+
   decorator-transforms@1.2.1(@babel/core@7.26.10):
     dependencies:
-      '@babel/plugin-syntax-decorators': 7.27.1(@babel/core@7.26.10)
+      '@babel/plugin-syntax-decorators': 7.29.7(@babel/core@7.26.10)
       babel-import-util: 2.1.1
     transitivePeerDependencies:
       - '@babel/core'
 
-  decorator-transforms@2.3.0(@babel/core@7.26.10):
+  decorator-transforms@2.3.2(@babel/core@7.26.10):
     dependencies:
-      '@babel/plugin-syntax-decorators': 7.27.1(@babel/core@7.26.10)
+      '@babel/plugin-syntax-decorators': 7.29.7(@babel/core@7.26.10)
       babel-import-util: 3.0.1
     transitivePeerDependencies:
       - '@babel/core'
 
-  deep-extend@0.6.0: {}
-
   deep-is@0.1.4: {}
 
   defaults@1.0.4:
@@ -13342,11 +13387,9 @@ snapshots:
       has-property-descriptors: 1.0.2
       object-keys: 1.1.1
 
-  delaunator@5.0.1:
+  delaunator@5.1.0:
     dependencies:
-      robust-predicates: 3.0.2
-
-  delegates@1.0.0: {}
+      robust-predicates: 3.0.3
 
   depd@1.1.2: {}
 
@@ -13358,12 +13401,12 @@ snapshots:
 
   detect-indent@6.1.0: {}
 
-  detect-libc@1.0.3:
+  detect-libc@2.1.2:
     optional: true
 
   detect-newline@3.1.0: {}
 
-  diff@5.2.0: {}
+  diff@5.2.2: {}
 
   diff@7.0.0: {}
 
@@ -13373,59 +13416,19 @@ snapshots:
 
   dlv@1.1.3: {}
 
-  dmd@6.2.3:
-    dependencies:
-      array-back: 6.2.2
-      cache-point: 2.0.0
-      common-sequence: 2.0.2
-      file-set: 4.0.2
-      handlebars: 4.7.8
-      marked: 4.3.0
-      object-get: 2.1.1
-      reduce-flatten: 3.0.1
-      reduce-unique: 2.0.1
-      reduce-without: 1.0.1
-      test-value: 3.0.0
-      walk-back: 5.1.1
-
-  doctoc@2.2.1:
-    dependencies:
-      '@textlint/markdown-to-ast': 12.6.1
-      anchor-markdown-header: 0.6.0
-      htmlparser2: 7.2.0
-      minimist: 1.2.8
-      underscore: 1.13.7
-      update-section: 0.3.3
-    transitivePeerDependencies:
-      - supports-color
-
   doctrine@3.0.0:
     dependencies:
       esutils: 2.0.3
 
   dom-element-descriptors@0.5.1: {}
 
-  dom-serializer@1.4.1:
-    dependencies:
-      domelementtype: 2.3.0
-      domhandler: 4.3.1
-      entities: 2.2.0
-
-  domelementtype@2.3.0: {}
-
-  domhandler@4.3.1:
-    dependencies:
-      domelementtype: 2.3.0
-
-  dompurify@3.2.6:
+  dompurify@3.3.3:
     optionalDependencies:
       '@types/trusted-types': 2.0.7
 
-  domutils@2.8.0:
-    dependencies:
-      dom-serializer: 1.4.1
-      domelementtype: 2.3.0
-      domhandler: 4.3.1
+  dompurify@3.4.6:
+    optionalDependencies:
+      '@types/trusted-types': 2.0.7
 
   dot-case@3.0.4:
     dependencies:
@@ -13453,7 +13456,7 @@ snapshots:
 
   ee-first@1.1.1: {}
 
-  electron-to-chromium@1.5.157: {}
+  electron-to-chromium@1.5.361: {}
 
   ember-a11y-refocus@4.1.4:
     dependencies:
@@ -13462,31 +13465,32 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  ember-a11y-testing@7.1.2(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(qunit@2.24.1)(webpack@5.94.0):
+  ember-a11y-testing@7.1.3(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(qunit@2.24.3)(webpack@5.107.2):
     dependencies:
-      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
-      '@ember/test-waiters': 4.1.0(@glint/template@1.7.3)
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@ember/test-waiters': 4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@glimmer/env': 0.1.7
       '@scalvert/ember-setup-middleware-reporter': 0.1.1
-      axe-core: 4.10.3
+      axe-core: 4.11.4
       broccoli-persistent-filter: 3.1.3
-      ember-auto-import: 2.10.0(@glint/template@1.7.3)(webpack@5.94.0)
-      ember-cli-babel: 7.26.11
+      ember-auto-import: 2.10.0(@glint/template@1.7.7)(webpack@5.107.2)
+      ember-cli-babel: 8.2.0(@babel/core@7.26.10)
       ember-cli-htmlbars: 6.3.0
       ember-cli-typescript: 4.2.1
       ember-cli-version-checker: 5.1.2
-      fs-extra: 11.3.0
+      fs-extra: 11.3.5
       validate-peer-dependencies: 2.2.0
     optionalDependencies:
-      qunit: 2.24.1
+      qunit: 2.24.3
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
       - webpack
 
   ember-asset-loader@0.6.1:
     dependencies:
-      broccoli-caching-writer: 3.0.3
+      broccoli-caching-writer: 3.1.0
       broccoli-funnel: 2.0.2
       broccoli-merge-trees: 3.0.2
       ember-cli-babel: 7.26.11
@@ -13498,29 +13502,29 @@ snapshots:
 
   ember-assign-helper@0.5.1:
     dependencies:
-      '@embroider/addon-shim': 1.10.0
+      '@embroider/addon-shim': 1.10.2
     transitivePeerDependencies:
       - supports-color
 
-  ember-async-data@1.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-async-data@1.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
       '@ember/test-waiters': 3.1.0
-      '@embroider/addon-shim': 1.10.0
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@embroider/addon-shim': 1.10.2
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
       - supports-color
 
-  ember-auto-import@2.10.0(@glint/template@1.7.3)(webpack@5.94.0):
+  ember-auto-import@2.10.0(@glint/template@1.7.7)(webpack@5.107.2):
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.27.1)
-      '@babel/plugin-proposal-decorators': 7.28.0(@babel/core@7.27.1)
-      '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.27.1)
-      '@babel/plugin-transform-class-static-block': 7.27.1(@babel/core@7.27.1)
-      '@babel/preset-env': 7.27.2(@babel/core@7.27.1)
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@embroider/shared-internals': 2.9.0
-      babel-loader: 8.4.1(@babel/core@7.27.1)(webpack@5.94.0)
+      '@babel/core': 7.26.10
+      '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.26.10)
+      '@babel/plugin-proposal-decorators': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.26.10)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.26.10)
+      '@babel/preset-env': 7.29.7(@babel/core@7.26.10)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/shared-internals': 2.9.2
+      babel-loader: 8.4.1(@babel/core@7.26.10)(webpack@5.107.2)
       babel-plugin-ember-modules-api-polyfill: 3.5.0
       babel-plugin-ember-template-compilation: 2.4.1
       babel-plugin-htmlbars-inline-precompile: 5.3.1
@@ -13530,22 +13534,22 @@ snapshots:
       broccoli-merge-trees: 4.2.0
       broccoli-plugin: 4.0.7
       broccoli-source: 3.0.1
-      css-loader: 5.2.7(webpack@5.94.0)
-      debug: 4.4.1
+      css-loader: 5.2.7(webpack@5.107.2)
+      debug: 4.4.3
       fs-extra: 10.1.0
       fs-tree-diff: 2.0.1
-      handlebars: 4.7.8
+      handlebars: 4.7.9
       is-subdir: 1.2.0
       js-string-escape: 1.0.1
-      lodash: 4.17.23
-      mini-css-extract-plugin: 2.9.2(webpack@5.94.0)
-      minimatch: 3.1.2
+      lodash: 4.18.0
+      mini-css-extract-plugin: 2.10.2(webpack@5.107.2)
+      minimatch: 3.1.5
       parse5: 6.0.1
       pkg-entry-points: 1.1.1
-      resolve: 1.22.10
+      resolve: 1.22.12
       resolve-package-path: 4.0.3
-      semver: 7.7.2
-      style-loader: 2.0.0(webpack@5.94.0)
+      semver: 7.8.1
+      style-loader: 2.0.0(webpack@5.107.2)
       typescript-memoize: 1.1.1
       walk-sync: 3.0.0
     transitivePeerDependencies:
@@ -13553,18 +13557,62 @@ snapshots:
       - supports-color
       - webpack
 
-  ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-auto-import@2.13.1(@glint/template@1.7.7)(webpack@5.107.2):
     dependencies:
-      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@embroider/util': 1.13.4(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@babel/core': 7.29.7
+      '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.29.7)
+      '@babel/plugin-proposal-decorators': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.29.7)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.29.7)
+      '@babel/preset-env': 7.29.7(@babel/core@7.29.7)
+      '@embroider/macros': 1.20.3(@babel/core@7.29.7)(@glint/template@1.7.7)
+      '@embroider/reverse-exports': 0.2.0
+      '@embroider/shared-internals': 2.9.2
+      babel-loader: 8.4.1(@babel/core@7.29.7)(webpack@5.107.2)
+      babel-plugin-ember-modules-api-polyfill: 3.5.0
+      babel-plugin-ember-template-compilation: 2.4.1
+      babel-plugin-htmlbars-inline-precompile: 5.3.1
+      babel-plugin-syntax-dynamic-import: 6.18.0
+      broccoli-debug: 0.6.5
+      broccoli-funnel: 3.0.8
+      broccoli-merge-trees: 4.2.0
+      broccoli-plugin: 4.0.7
+      broccoli-source: 3.0.1
+      css-loader: 5.2.7(webpack@5.107.2)
+      debug: 4.4.3
+      fs-extra: 10.1.0
+      fs-tree-diff: 2.0.1
+      handlebars: 4.7.9
+      is-subdir: 1.2.0
+      js-string-escape: 1.0.1
+      lodash: 4.18.0
+      mini-css-extract-plugin: 2.10.2(webpack@5.107.2)
+      minimatch: 3.1.5
+      parse5: 6.0.1
+      pkg-entry-points: 1.1.1
+      resolve: 1.22.12
+      resolve-package-path: 4.0.3
+      semver: 7.8.1
+      style-loader: 2.0.0(webpack@5.107.2)
+      typescript-memoize: 1.1.1
+      walk-sync: 3.0.0
+    transitivePeerDependencies:
+      - '@glint/template'
+      - supports-color
+      - webpack
+
+  ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
+    dependencies:
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/util': 1.13.5(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@glimmer/component': 1.1.2(@babel/core@7.26.10)
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
       ember-element-helper: 0.8.8
       ember-modifier: 4.2.2(@babel/core@7.26.10)
-      ember-style-modifier: 4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-truth-helpers: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      ember-style-modifier: 4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-truth-helpers: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
     transitivePeerDependencies:
       - '@babel/core'
       - '@ember/string'
@@ -13583,15 +13631,15 @@ snapshots:
       - '@babel/core'
       - supports-color
 
-  ember-cached-decorator-polyfill@1.0.2(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-cached-decorator-polyfill@1.0.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@glimmer/tracking': 1.1.2
       babel-import-util: 1.4.1
       ember-cache-primitive-polyfill: 1.0.1(@babel/core@7.26.10)
       ember-cli-babel: 7.26.11
       ember-cli-babel-plugin-helpers: 1.1.1
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
       - '@babel/core'
       - '@glint/template'
@@ -13601,20 +13649,20 @@ snapshots:
 
   ember-cli-babel@7.26.11:
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.27.1)
-      '@babel/plugin-proposal-decorators': 7.28.0(@babel/core@7.27.1)
-      '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.27.1)
-      '@babel/plugin-proposal-private-property-in-object': 7.21.11(@babel/core@7.27.1)
-      '@babel/plugin-transform-modules-amd': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-runtime': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-typescript': 7.27.1(@babel/core@7.27.1)
+      '@babel/core': 7.26.10
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.26.10)
+      '@babel/plugin-proposal-decorators': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.26.10)
+      '@babel/plugin-proposal-private-property-in-object': 7.21.11(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-amd': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-runtime': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-typescript': 7.29.7(@babel/core@7.26.10)
       '@babel/polyfill': 7.12.1
-      '@babel/preset-env': 7.27.2(@babel/core@7.27.1)
+      '@babel/preset-env': 7.29.7(@babel/core@7.26.10)
       '@babel/runtime': 7.27.0
       amd-name-resolver: 1.3.1
-      babel-plugin-debug-macros: 0.3.4(@babel/core@7.27.1)
+      babel-plugin-debug-macros: 0.3.4(@babel/core@7.26.10)
       babel-plugin-ember-data-packages-polyfill: 0.1.2
       babel-plugin-ember-modules-api-polyfill: 3.5.0
       babel-plugin-module-resolver: 3.2.0
@@ -13637,22 +13685,22 @@ snapshots:
   ember-cli-babel@8.2.0(@babel/core@7.26.10):
     dependencies:
       '@babel/core': 7.26.10
-      '@babel/helper-compilation-targets': 7.27.2
+      '@babel/helper-compilation-targets': 7.29.7
       '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.26.10)
-      '@babel/plugin-proposal-decorators': 7.28.0(@babel/core@7.26.10)
+      '@babel/plugin-proposal-decorators': 7.29.7(@babel/core@7.26.10)
       '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.26.10)
       '@babel/plugin-proposal-private-property-in-object': 7.21.11(@babel/core@7.26.10)
-      '@babel/plugin-transform-class-static-block': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-modules-amd': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-runtime': 7.27.1(@babel/core@7.26.10)
-      '@babel/plugin-transform-typescript': 7.27.1(@babel/core@7.26.10)
-      '@babel/preset-env': 7.27.2(@babel/core@7.26.10)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-amd': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-runtime': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-typescript': 7.29.7(@babel/core@7.26.10)
+      '@babel/preset-env': 7.29.7(@babel/core@7.26.10)
       '@babel/runtime': 7.27.0
       amd-name-resolver: 1.3.1
       babel-plugin-debug-macros: 0.3.4(@babel/core@7.26.10)
       babel-plugin-ember-data-packages-polyfill: 0.1.2
       babel-plugin-ember-modules-api-polyfill: 3.5.0
-      babel-plugin-module-resolver: 5.0.2
+      babel-plugin-module-resolver: 5.0.3
       broccoli-babel-transpiler: 8.0.2(@babel/core@7.26.10)
       broccoli-debug: 0.6.5
       broccoli-funnel: 3.0.8
@@ -13663,30 +13711,30 @@ snapshots:
       ember-cli-version-checker: 5.1.2
       ensure-posix-path: 1.1.1
       resolve-package-path: 4.0.3
-      semver: 7.7.2
+      semver: 7.8.1
     transitivePeerDependencies:
       - supports-color
 
-  ember-cli-babel@8.2.0(@babel/core@7.27.1):
+  ember-cli-babel@8.2.0(@babel/core@7.29.7):
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/helper-compilation-targets': 7.27.2
-      '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.27.1)
-      '@babel/plugin-proposal-decorators': 7.28.0(@babel/core@7.27.1)
-      '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.27.1)
-      '@babel/plugin-proposal-private-property-in-object': 7.21.11(@babel/core@7.27.1)
-      '@babel/plugin-transform-class-static-block': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-modules-amd': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-runtime': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-typescript': 7.27.1(@babel/core@7.27.1)
-      '@babel/preset-env': 7.27.2(@babel/core@7.27.1)
+      '@babel/core': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/plugin-proposal-class-properties': 7.18.6(@babel/core@7.29.7)
+      '@babel/plugin-proposal-decorators': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-proposal-private-methods': 7.18.6(@babel/core@7.29.7)
+      '@babel/plugin-proposal-private-property-in-object': 7.21.11(@babel/core@7.29.7)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-modules-amd': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-runtime': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-typescript': 7.29.7(@babel/core@7.29.7)
+      '@babel/preset-env': 7.29.7(@babel/core@7.29.7)
       '@babel/runtime': 7.27.0
       amd-name-resolver: 1.3.1
-      babel-plugin-debug-macros: 0.3.4(@babel/core@7.27.1)
+      babel-plugin-debug-macros: 0.3.4(@babel/core@7.29.7)
       babel-plugin-ember-data-packages-polyfill: 0.1.2
       babel-plugin-ember-modules-api-polyfill: 3.5.0
-      babel-plugin-module-resolver: 5.0.2
-      broccoli-babel-transpiler: 8.0.2(@babel/core@7.27.1)
+      babel-plugin-module-resolver: 5.0.3
+      broccoli-babel-transpiler: 8.0.2(@babel/core@7.29.7)
       broccoli-debug: 0.6.5
       broccoli-funnel: 3.0.8
       broccoli-source: 3.0.1
@@ -13696,7 +13744,73 @@ snapshots:
       ember-cli-version-checker: 5.1.2
       ensure-posix-path: 1.1.1
       resolve-package-path: 4.0.3
-      semver: 7.7.2
+      semver: 7.8.1
+    transitivePeerDependencies:
+      - supports-color
+
+  ember-cli-babel@8.3.1(@babel/core@7.26.10):
+    dependencies:
+      '@babel/core': 7.26.10
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/plugin-proposal-decorators': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-class-properties': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-modules-amd': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-private-methods': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-private-property-in-object': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-runtime': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-typescript': 7.29.7(@babel/core@7.26.10)
+      '@babel/preset-env': 7.29.7(@babel/core@7.26.10)
+      '@babel/runtime': 7.27.0
+      amd-name-resolver: 1.3.1
+      babel-plugin-debug-macros: 0.3.4(@babel/core@7.26.10)
+      babel-plugin-ember-data-packages-polyfill: 0.1.2
+      babel-plugin-ember-modules-api-polyfill: 3.5.0
+      babel-plugin-module-resolver: 5.0.3
+      broccoli-babel-transpiler: 8.0.2(@babel/core@7.26.10)
+      broccoli-debug: 0.6.5
+      broccoli-funnel: 3.0.8
+      broccoli-source: 3.0.1
+      calculate-cache-key-for-tree: 2.0.0
+      clone: 2.1.2
+      ember-cli-babel-plugin-helpers: 1.1.1
+      ember-cli-version-checker: 5.1.2
+      ensure-posix-path: 1.1.1
+      resolve-package-path: 4.0.3
+      semver: 7.8.1
+    transitivePeerDependencies:
+      - supports-color
+
+  ember-cli-babel@8.3.1(@babel/core@7.29.7):
+    dependencies:
+      '@babel/core': 7.29.7
+      '@babel/helper-compilation-targets': 7.29.7
+      '@babel/plugin-proposal-decorators': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-class-properties': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-class-static-block': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-modules-amd': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-private-methods': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-private-property-in-object': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-runtime': 7.29.7(@babel/core@7.29.7)
+      '@babel/plugin-transform-typescript': 7.29.7(@babel/core@7.29.7)
+      '@babel/preset-env': 7.29.7(@babel/core@7.29.7)
+      '@babel/runtime': 7.27.0
+      amd-name-resolver: 1.3.1
+      babel-plugin-debug-macros: 0.3.4(@babel/core@7.29.7)
+      babel-plugin-ember-data-packages-polyfill: 0.1.2
+      babel-plugin-ember-modules-api-polyfill: 3.5.0
+      babel-plugin-module-resolver: 5.0.3
+      broccoli-babel-transpiler: 8.0.2(@babel/core@7.29.7)
+      broccoli-debug: 0.6.5
+      broccoli-funnel: 3.0.8
+      broccoli-source: 3.0.1
+      calculate-cache-key-for-tree: 2.0.0
+      clone: 2.1.2
+      ember-cli-babel-plugin-helpers: 1.1.1
+      ember-cli-version-checker: 5.1.2
+      ensure-posix-path: 1.1.1
+      resolve-package-path: 4.0.3
+      semver: 7.8.1
     transitivePeerDependencies:
       - supports-color
 
@@ -13710,37 +13824,37 @@ snapshots:
 
   ember-cli-content-security-policy@2.0.3:
     dependencies:
-      body-parser: 1.20.3
+      body-parser: 1.20.5
       chalk: 4.1.2
-      debug: 4.4.1
+      debug: 4.4.3
       ember-cli-babel: 7.26.11
       ember-cli-version-checker: 5.1.2
     transitivePeerDependencies:
       - supports-color
 
-  ember-cli-dependency-checker@3.3.3(ember-cli@5.8.1(handlebars@4.7.8)(underscore@1.13.7)):
+  ember-cli-dependency-checker@3.3.3(ember-cli@5.8.1(@babel/core@7.26.10)(@types/node@25.9.1)(handlebars@4.7.9)(underscore@1.13.8)):
     dependencies:
       chalk: 2.4.2
-      ember-cli: 5.8.1(handlebars@4.7.8)(underscore@1.13.7)
+      ember-cli: 5.8.1(@babel/core@7.26.10)(@types/node@25.9.1)(handlebars@4.7.9)(underscore@1.13.8)
       find-yarn-workspace-root: 2.0.0
       is-git-url: 1.0.0
-      resolve: 1.22.10
+      resolve: 1.22.12
       semver: 5.7.2
 
-  ember-cli-deprecation-workflow@3.3.0(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-cli-deprecation-workflow@3.3.0(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
-      '@babel/core': 7.27.1
-      ember-cli-babel: 8.2.0(@babel/core@7.27.1)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@babel/core': 7.26.10
+      ember-cli-babel: 8.2.0(@babel/core@7.26.10)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
       - supports-color
 
-  ember-cli-flash@4.0.0(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(webpack@5.94.0):
+  ember-cli-flash@4.0.0(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(webpack@5.107.2):
     dependencies:
-      '@ember/render-modifiers': 2.1.0(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@ember/render-modifiers': 2.1.0(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@glimmer/component': 1.1.2(@babel/core@7.26.10)
       '@glimmer/tracking': 1.1.2
-      ember-auto-import: 2.10.0(@glint/template@1.7.3)(webpack@5.94.0)
+      ember-auto-import: 2.10.0(@glint/template@1.7.7)(webpack@5.107.2)
       ember-cli-babel: 7.26.11
       ember-cli-htmlbars: 6.3.0
     transitivePeerDependencies:
@@ -13763,10 +13877,10 @@ snapshots:
       ember-cli-babel-plugin-helpers: 1.1.1
       ember-cli-version-checker: 5.1.2
       fs-tree-diff: 2.0.1
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs-logger: 0.1.10
       json-stable-stringify: 1.3.0
-      semver: 7.7.2
+      semver: 7.8.1
       silent-error: 1.1.1
       strip-bom: 4.0.0
       walk-sync: 2.2.0
@@ -13783,10 +13897,10 @@ snapshots:
       broccoli-plugin: 4.0.7
       ember-cli-version-checker: 5.1.2
       fs-tree-diff: 2.0.1
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
       heimdalljs-logger: 0.1.10
       js-string-escape: 1.0.1
-      semver: 7.7.2
+      semver: 7.8.1
       silent-error: 1.1.1
       walk-sync: 2.2.0
     transitivePeerDependencies:
@@ -13801,24 +13915,24 @@ snapshots:
 
   ember-cli-lodash-subset@2.0.1: {}
 
-  ember-cli-mirage@3.0.4(@ember-data/model@5.3.13(dae11eb22c7d90ae6eb976a152fcd2ef))(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-data@5.3.13(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1))(ember-qunit@8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(miragejs@0.1.48)(webpack@5.94.0):
+  ember-cli-mirage@3.0.4(eec33d100c300afbeba6a809f067b5f1):
     dependencies:
       '@babel/core': 7.26.10
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       broccoli-file-creator: 2.1.1
       broccoli-funnel: 3.0.8
       broccoli-merge-trees: 4.2.0
-      ember-auto-import: 2.10.0(@glint/template@1.7.3)(webpack@5.94.0)
+      ember-auto-import: 2.10.0(@glint/template@1.7.7)(webpack@5.107.2)
       ember-cli-babel: 8.2.0(@babel/core@7.26.10)
-      ember-get-config: 2.1.1(@glint/template@1.7.3)
+      ember-get-config: 2.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-inflector: 4.0.2
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
       miragejs: 0.1.48
     optionalDependencies:
-      '@ember-data/model': 5.3.13(dae11eb22c7d90ae6eb976a152fcd2ef)
-      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
-      ember-data: 5.3.13(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)
-      ember-qunit: 8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)
+      '@ember-data/model': 5.3.13(d5fadfcda3077fa80404b894384b0a0b)
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-data: 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)
+      ember-qunit: 8.1.1(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)
     transitivePeerDependencies:
       - '@glint/template'
       - supports-color
@@ -13830,12 +13944,12 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  ember-cli-page-object@2.3.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)):
+  ember-cli-page-object@2.3.2(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)):
     dependencies:
-      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
-      '@embroider/addon-shim': 1.10.0
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/addon-shim': 1.10.2
       '@ro0gr/ceibo': 2.2.0
-      '@types/jquery': 3.5.32
+      '@types/jquery': 3.5.34
       jquery: 3.7.1
     transitivePeerDependencies:
       - supports-color
@@ -13854,7 +13968,7 @@ snapshots:
   ember-cli-preprocess-registry@5.0.1:
     dependencies:
       broccoli-funnel: 3.0.8
-      debug: 4.4.1
+      debug: 4.4.3
     transitivePeerDependencies:
       - supports-color
 
@@ -13875,10 +13989,10 @@ snapshots:
 
   ember-cli-string-helpers@6.1.0:
     dependencies:
-      '@babel/core': 7.27.1
+      '@babel/core': 7.26.10
       broccoli-funnel: 3.0.8
       ember-cli-babel: 7.26.11
-      resolve: 1.22.10
+      resolve: 1.22.12
     transitivePeerDependencies:
       - supports-color
 
@@ -13911,11 +14025,11 @@ snapshots:
     dependencies:
       '@babel/plugin-transform-typescript': 7.5.5(@babel/core@7.26.10)
       ansi-to-html: 0.6.15
-      debug: 4.4.1
+      debug: 4.4.3
       ember-cli-babel-plugin-helpers: 1.1.1
       execa: 2.1.0
       fs-extra: 8.1.0
-      resolve: 1.22.10
+      resolve: 1.22.12
       rsvp: 4.8.5
       semver: 6.3.1
       stagehand: 1.0.1
@@ -13928,12 +14042,12 @@ snapshots:
     dependencies:
       ansi-to-html: 0.6.15
       broccoli-stew: 3.0.0
-      debug: 4.4.1
+      debug: 4.4.3
       execa: 4.1.0
       fs-extra: 9.1.0
-      resolve: 1.22.10
+      resolve: 1.22.12
       rsvp: 4.8.5
-      semver: 7.7.2
+      semver: 7.8.1
       stagehand: 1.0.1
       walk-sync: 2.2.0
     transitivePeerDependencies:
@@ -13943,12 +14057,12 @@ snapshots:
     dependencies:
       ansi-to-html: 0.6.15
       broccoli-stew: 3.0.0
-      debug: 4.4.1
+      debug: 4.4.3
       execa: 4.1.0
       fs-extra: 9.1.0
-      resolve: 1.22.10
+      resolve: 1.22.12
       rsvp: 4.8.5
-      semver: 7.7.2
+      semver: 7.8.1
       stagehand: 1.0.1
       walk-sync: 2.2.0
     transitivePeerDependencies:
@@ -13956,7 +14070,7 @@ snapshots:
 
   ember-cli-version-checker@2.2.0:
     dependencies:
-      resolve: 1.22.10
+      resolve: 1.22.12
       semver: 5.7.2
 
   ember-cli-version-checker@3.1.3:
@@ -13975,24 +14089,24 @@ snapshots:
   ember-cli-version-checker@5.1.2:
     dependencies:
       resolve-package-path: 3.1.0
-      semver: 7.7.2
+      semver: 7.8.1
       silent-error: 1.1.1
     transitivePeerDependencies:
       - supports-color
 
-  ember-cli@5.8.1(handlebars@4.7.8)(underscore@1.13.7):
+  ember-cli@5.8.1(@babel/core@7.26.10)(@types/node@25.9.1)(handlebars@4.7.9)(underscore@1.13.8):
     dependencies:
       '@pnpm/find-workspace-dir': 6.0.3
       broccoli: 3.5.2
       broccoli-builder: 0.18.14
-      broccoli-concat: 4.2.5
+      broccoli-concat: 4.2.7
       broccoli-config-loader: 1.0.1
-      broccoli-config-replace: 1.1.2
+      broccoli-config-replace: 1.1.3
       broccoli-debug: 0.6.5
       broccoli-funnel: 3.0.8
       broccoli-funnel-reducer: 1.0.0
       broccoli-merge-trees: 4.2.0
-      broccoli-middleware: 2.1.1
+      broccoli-middleware: 2.1.2
       broccoli-slow-trees: 3.1.0
       broccoli-source: 3.0.1
       broccoli-stew: 3.0.0
@@ -14001,13 +14115,13 @@ snapshots:
       chalk: 4.1.2
       ci-info: 3.9.0
       clean-base-url: 1.0.0
-      compression: 1.8.0
+      compression: 1.8.1
       configstore: 5.0.1
       console-ui: 3.1.2
       content-tag: 1.2.2
       core-object: 3.1.5
       dag-map: 2.0.2
-      diff: 5.2.0
+      diff: 5.2.2
       ember-cli-is-package-missing: 1.0.0
       ember-cli-lodash-subset: 2.0.1
       ember-cli-normalize-entity-name: 1.0.0
@@ -14016,50 +14130,50 @@ snapshots:
       ensure-posix-path: 1.1.1
       execa: 5.1.1
       exit: 0.1.2
-      express: 4.22.1
+      express: 4.22.2
       filesize: 10.1.6
       find-up: 5.0.0
       find-yarn-workspace-root: 2.0.0
       fixturify-project: 2.1.1
-      fs-extra: 11.3.0
+      fs-extra: 11.3.5
       fs-tree-diff: 2.0.1
       get-caller-file: 2.0.5
       git-repo-info: 2.1.1
       glob: 8.1.0
       heimdalljs: 0.2.6
-      heimdalljs-fs-monitor: 1.1.1
+      heimdalljs-fs-monitor: 1.1.2
       heimdalljs-graph: 1.0.0
       heimdalljs-logger: 0.1.10
       http-proxy: 1.18.1
       inflection: 2.0.1
-      inquirer: 9.3.7
+      inquirer: 9.3.8(@types/node@25.9.1)
       is-git-url: 1.0.0
       is-language-code: 3.1.0
-      isbinaryfile: 5.0.4
-      lodash: 4.17.23
-      markdown-it: 13.0.2
-      markdown-it-terminal: 0.4.0(markdown-it@13.0.2)
-      minimatch: 7.4.6
-      morgan: 1.10.0
+      isbinaryfile: 5.0.7
+      lodash: 4.18.0
+      markdown-it: 14.1.1
+      markdown-it-terminal: 0.4.0(markdown-it@14.1.1)
+      minimatch: 7.4.9
+      morgan: 1.10.1
       nopt: 3.0.6
       npm-package-arg: 10.1.0
       os-locale: 5.0.0
       p-defer: 3.0.0
-      portfinder: 1.0.37
+      portfinder: 1.0.38
       promise-map-series: 0.3.0
       promise.hash.helper: 1.0.8
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       remove-types: 1.0.0
-      resolve: 1.22.10
+      resolve: 1.22.12
       resolve-package-path: 4.0.3
       safe-stable-stringify: 2.5.0
       sane: 5.0.1
-      semver: 7.7.2
+      semver: 7.8.1
       silent-error: 1.1.1
       sort-package-json: 1.57.0
       symlink-or-copy: 1.3.1
       temp: 0.9.4
-      testem: 3.16.0(handlebars@4.7.8)(underscore@1.13.7)
+      testem: 3.20.0(@babel/core@7.26.10)(handlebars@4.7.9)(underscore@1.13.8)
       tiny-lr: 2.0.0
       tree-sync: 2.1.0
       walk-sync: 3.0.0
@@ -14067,9 +14181,10 @@ snapshots:
       workerpool: 6.5.1
       yam: 1.0.0
     transitivePeerDependencies:
+      - '@babel/core'
+      - '@types/node'
       - arc-templates
       - atpl
-      - babel-core
       - bracket-template
       - bufferutil
       - coffee-script
@@ -14087,30 +14202,25 @@ snapshots:
       - handlebars
       - hogan.js
       - htmling
-      - jade
       - jazz
       - jqtpl
       - just
       - liquid-node
       - liquor
-      - marko
       - mote
       - nunjucks
       - plates
       - pug
       - qejs
       - ractive
-      - razor-tmpl
       - react
       - react-dom
       - slm
-      - squirrelly
       - supports-color
       - swig
       - swig-templates
       - teacup
       - templayed
-      - then-jade
       - then-pug
       - tinyliquid
       - toffee
@@ -14134,62 +14244,52 @@ snapshots:
       - '@babel/core'
       - supports-color
 
-  ember-compatibility-helpers@1.2.7(@babel/core@7.27.1):
-    dependencies:
-      babel-plugin-debug-macros: 0.2.0(@babel/core@7.27.1)
-      ember-cli-version-checker: 5.1.2
-      find-up: 5.0.0
-      fs-extra: 9.1.0
-      semver: 5.7.2
-    transitivePeerDependencies:
-      - '@babel/core'
-      - supports-color
-
   ember-composable-helpers@5.0.0:
     dependencies:
       '@babel/core': 7.26.10
       broccoli-funnel: 2.0.1
       ember-cli-babel: 7.26.11
-      resolve: 1.22.10
+      resolve: 1.22.12
     transitivePeerDependencies:
       - supports-color
 
-  ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3):
+  ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7):
     dependencies:
-      '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-plugin-utils': 7.27.1
-      '@babel/types': 7.27.1
-      '@embroider/addon-shim': 1.10.0
+      '@babel/helper-module-imports': 7.29.7
+      '@babel/helper-plugin-utils': 7.29.7
+      '@babel/types': 7.29.7
+      '@embroider/addon-shim': 1.10.2
       decorator-transforms: 1.2.1(@babel/core@7.26.10)
     optionalDependencies:
-      '@glint/template': 1.7.3
+      '@glint/template': 1.7.7
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
 
-  ember-data@5.3.13(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1):
+  ember-data@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3):
     dependencies:
-      '@ember-data/adapter': 5.3.13(481fc0014a55050c4586d8c15dd0e593)
-      '@ember-data/debug': 5.3.13(bfaa3d85a28648c76506f1933c013982)
-      '@ember-data/graph': 5.3.13(242145c0cb82dfaa3126f6c390252cc2)
-      '@ember-data/json-api': 5.3.13(fbb4778538d22a36c0b1d94f239fe74b)
-      '@ember-data/legacy-compat': 5.3.13(b12992c24c436026b4863b735c590c8a)
-      '@ember-data/model': 5.3.13(dae11eb22c7d90ae6eb976a152fcd2ef)
-      '@ember-data/request': 5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))
-      '@ember-data/request-utils': 5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/serializer': 5.3.13(481fc0014a55050c4586d8c15dd0e593)
-      '@ember-data/store': 5.3.13(@ember-data/request-utils@5.3.13(@ember/string@4.0.1)(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@ember-data/request@5.3.13(@ember/test-waiters@4.1.0(@glint/template@1.7.3))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3)))(@ember-data/tracking@5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@ember-data/tracking': 5.3.13(@glint/template@1.7.3)(@warp-drive/core-types@0.0.3(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@ember-data/adapter': 5.3.13(@babel/core@7.26.10)(@ember-data/legacy-compat@5.3.13(8acceb1cbcc7877fc3e2f71f277a3656))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/debug': 5.3.13(@babel/core@7.26.10)(@ember-data/model@5.3.13(d5fadfcda3077fa80404b894384b0a0b))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/graph': 5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/json-api': 5.3.13(@babel/core@7.26.10)(@ember-data/graph@5.3.13(@babel/core@7.26.10)(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))
+      '@ember-data/legacy-compat': 5.3.13(8acceb1cbcc7877fc3e2f71f277a3656)
+      '@ember-data/model': 5.3.13(d5fadfcda3077fa80404b894384b0a0b)
+      '@ember-data/request': 5.3.13(@babel/core@7.26.10)(@ember/test-waiters@4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))
+      '@ember-data/request-utils': 5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/serializer': 5.3.13(@babel/core@7.26.10)(@ember-data/legacy-compat@5.3.13(8acceb1cbcc7877fc3e2f71f277a3656))(@ember-data/request-utils@5.3.13(@babel/core@7.26.10)(@ember/string@4.0.1)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-inflector@4.0.2)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@ember-data/store@5.3.13(451a0e0b71ec7a897131dd541747f16e))(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@ember-data/store': 5.3.13(451a0e0b71ec7a897131dd541747f16e)
+      '@ember-data/tracking': 5.3.13(@babel/core@7.26.10)(@glint/template@1.7.7)(@warp-drive/core-types@0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@ember/edition-utils': 1.2.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
-      '@warp-drive/build-config': 0.0.3(@glint/template@1.7.3)
-      '@warp-drive/core-types': 0.0.3(@glint/template@1.7.3)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/build-config': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@warp-drive/core-types': 0.0.3(@babel/core@7.26.10)(@glint/template@1.7.7)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     optionalDependencies:
-      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
-      '@ember/test-waiters': 4.1.0(@glint/template@1.7.3)
-      qunit: 2.24.1
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@ember/test-waiters': 4.1.1(@babel/core@7.26.10)(@glint/template@1.7.7)
+      qunit: 2.24.3
     transitivePeerDependencies:
+      - '@babel/core'
       - '@ember/string'
       - '@glint/template'
       - ember-inflector
@@ -14197,18 +14297,18 @@ snapshots:
 
   ember-element-helper@0.8.8:
     dependencies:
-      '@embroider/addon-shim': 1.10.0
+      '@embroider/addon-shim': 1.10.2
     transitivePeerDependencies:
       - supports-color
 
-  ember-engines@0.8.23(@ember/legacy-built-in-components@0.4.2(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-engines@0.8.23(@babel/core@7.26.10)(@ember/legacy-built-in-components@0.4.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
-      '@ember/legacy-built-in-components': 0.4.2(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@ember/legacy-built-in-components': 0.4.2(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       amd-name-resolver: 1.3.1
       babel-plugin-compact-reexports: 1.1.0
       broccoli-babel-transpiler: 7.8.1
-      broccoli-concat: 4.2.5
+      broccoli-concat: 4.2.7
       broccoli-debug: 0.6.5
       broccoli-dependency-funnel: 2.1.2
       broccoli-file-creator: 2.1.1
@@ -14221,65 +14321,69 @@ snapshots:
       ember-cli-preprocess-registry: 3.3.0
       ember-cli-string-utils: 1.1.0
       ember-cli-version-checker: 5.1.2
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
-      lodash: 4.17.23
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
+      lodash: 4.18.0
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  ember-exam@9.1.0(@glint/template@1.7.3)(ember-qunit@8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)(webpack@5.94.0):
+  ember-exam@9.1.0(@glint/template@1.7.7)(ember-qunit@8.1.1(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)(webpack@5.107.2):
     dependencies:
-      '@babel/core': 7.27.1
+      '@babel/core': 7.26.10
       chalk: 5.6.2
       cli-table3: 0.6.5
-      debug: 4.4.1
-      ember-auto-import: 2.10.0(@glint/template@1.7.3)(webpack@5.94.0)
-      ember-cli-babel: 8.2.0(@babel/core@7.27.1)
-      ember-qunit: 8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      debug: 4.4.3
+      ember-auto-import: 2.10.0(@glint/template@1.7.7)(webpack@5.107.2)
+      ember-cli-babel: 8.2.0(@babel/core@7.26.10)
+      ember-qunit: 8.1.1(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
       execa: 8.0.1
-      fs-extra: 11.3.0
+      fs-extra: 11.3.5
       js-yaml: 4.1.1
       npmlog: 7.0.1
-      qunit: 2.24.1
+      qunit: 2.24.3
       rimraf: 5.0.10
-      semver: 7.7.2
+      semver: 7.8.1
       silent-error: 1.1.1
     transitivePeerDependencies:
       - '@glint/template'
       - supports-color
       - webpack
 
-  ember-focus-trap@1.1.1(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-focus-trap@1.2.0(@babel/core@7.26.10):
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
-      focus-trap: 6.9.4
+      '@embroider/addon-shim': 1.10.2
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
+      focus-trap: 7.8.0
     transitivePeerDependencies:
+      - '@babel/core'
       - supports-color
 
-  ember-functions-as-helper-polyfill@2.1.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-functions-as-helper-polyfill@2.1.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
       ember-cli-babel: 7.26.11
       ember-cli-typescript: 5.3.0
       ember-cli-version-checker: 5.1.2
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
       - supports-color
 
-  ember-get-config@1.1.0(@glint/template@1.7.3):
+  ember-get-config@1.1.0(@babel/core@7.26.10)(@glint/template@1.7.7):
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-babel: 7.26.11
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
-  ember-get-config@2.1.1(@glint/template@1.7.3):
+  ember-get-config@2.1.1(@babel/core@7.26.10)(@glint/template@1.7.7):
     dependencies:
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-babel: 7.26.11
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
@@ -14289,9 +14393,35 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  ember-load-initializers@3.0.1(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-intl@7.5.0(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(typescript@5.6.3)(webpack@5.107.2):
     dependencies:
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@babel/core': 7.29.7
+      '@formatjs/icu-messageformat-parser': 2.11.4
+      '@formatjs/intl': 3.1.8(typescript@5.6.3)
+      broccoli-caching-writer: 3.1.0
+      broccoli-funnel: 3.0.8
+      broccoli-merge-trees: 4.2.0
+      broccoli-source: 3.0.1
+      calculate-cache-key-for-tree: 2.0.0
+      cldr-core: 47.0.0
+      ember-auto-import: 2.13.1(@glint/template@1.7.7)(webpack@5.107.2)
+      ember-cli-babel: 8.2.0(@babel/core@7.29.7)
+      ember-cli-typescript: 5.3.0
+      extend: 3.0.2
+      intl-messageformat: 10.7.18
+      js-yaml: 4.1.1
+      json-stable-stringify: 1.3.0
+    optionalDependencies:
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+    transitivePeerDependencies:
+      - '@glint/template'
+      - supports-color
+      - typescript
+      - webpack
+
+  ember-load-initializers@3.0.1(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
+    dependencies:
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
 
   ember-modifier-manager-polyfill@1.2.0(@babel/core@7.26.10):
     dependencies:
@@ -14302,15 +14432,6 @@ snapshots:
       - '@babel/core'
       - supports-color
 
-  ember-modifier-manager-polyfill@1.2.0(@babel/core@7.27.1):
-    dependencies:
-      ember-cli-babel: 7.26.11
-      ember-cli-version-checker: 2.2.0
-      ember-compatibility-helpers: 1.2.7(@babel/core@7.27.1)
-    transitivePeerDependencies:
-      - '@babel/core'
-      - supports-color
-
   ember-modifier@3.2.7(@babel/core@7.26.10):
     dependencies:
       ember-cli-babel: 7.26.11
@@ -14324,27 +14445,27 @@ snapshots:
 
   ember-modifier@4.2.2(@babel/core@7.26.10):
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      '@embroider/addon-shim': 1.10.2
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
       ember-cli-normalize-entity-name: 1.0.0
       ember-cli-string-utils: 1.1.0
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
 
-  ember-power-select@8.12.0(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)))(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-power-select@8.12.2(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-basic-dropdown@8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)))(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
-      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/util': 1.13.4(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/util': 1.13.5(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       '@glimmer/component': 1.1.2(@babel/core@7.26.10)
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
       ember-assign-helper: 0.5.1
-      ember-basic-dropdown: 8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-concurrency: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3)
+      ember-basic-dropdown: 8.7.0(@babel/core@7.26.10)(@ember/string@4.0.1)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-concurrency: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-element-helper: 0.8.8
       ember-modifier: 4.2.2(@babel/core@7.26.10)
-      ember-truth-helpers: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      ember-truth-helpers: 4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
     transitivePeerDependencies:
       - '@babel/core'
       - '@glint/environment-ember-loose'
@@ -14358,16 +14479,17 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  ember-qunit@8.1.1(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3))(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1):
+  ember-qunit@8.1.1(@babel/core@7.26.10)(@ember/test-helpers@5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7))(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3):
     dependencies:
-      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.3)
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@ember/test-helpers': 5.2.2(@babel/core@7.26.10)(@glint/template@1.7.7)
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       ember-cli-test-loader: 3.1.0
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
-      qunit: 2.24.1
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
+      qunit: 2.24.3
       qunit-theme-ember: 1.0.0
     transitivePeerDependencies:
+      - '@babel/core'
       - '@glint/template'
       - supports-color
 
@@ -14386,20 +14508,21 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  ember-resources@6.5.2(@ember/test-waiters@3.1.0)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glimmer/tracking@1.1.2)(@glint/template@1.7.3)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-resources@6.5.2(@babel/core@7.26.10)(@ember/test-waiters@3.1.0)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glimmer/tracking@1.1.2)(@glint/template@1.7.7)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
       '@babel/runtime': 7.27.0
-      '@embroider/addon-shim': 1.10.0
-      '@embroider/macros': 1.15.0(@glint/template@1.7.3)
+      '@embroider/addon-shim': 1.10.2
+      '@embroider/macros': 1.20.3(@babel/core@7.26.10)(@glint/template@1.7.7)
       '@glimmer/tracking': 1.1.2
-      '@glint/template': 1.7.3
-      ember-async-data: 1.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      '@glint/template': 1.7.7
+      ember-async-data: 1.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     optionalDependencies:
       '@ember/test-waiters': 3.1.0
       '@glimmer/component': 1.1.2(@babel/core@7.26.10)
-      ember-concurrency: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3)
+      ember-concurrency: 4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7)
     transitivePeerDependencies:
+      - '@babel/core'
       - supports-color
 
   ember-responsive@5.0.0:
@@ -14412,16 +14535,16 @@ snapshots:
 
   ember-router-generator@2.0.0:
     dependencies:
-      '@babel/parser': 7.27.2
-      '@babel/traverse': 7.27.1
+      '@babel/parser': 7.29.7
+      '@babel/traverse': 7.29.7
       recast: 0.18.10
     transitivePeerDependencies:
       - supports-color
 
-  ember-service-worker@https://codeload.github.com/meirish/ember-service-worker/tar.gz/dda14187aace0d73ecdb6a55beac2194a3aec01b(rollup@2.79.2):
+  ember-service-worker@https://codeload.github.com/meirish/ember-service-worker/tar.gz/dda14187aace0d73ecdb6a55beac2194a3aec01b(rollup@2.80.0):
     dependencies:
-      '@rollup/plugin-replace': 2.3.0(rollup@2.79.2)
-      broccoli-caching-writer: 3.0.3
+      '@rollup/plugin-replace': 2.3.0(rollup@2.80.0)
+      broccoli-caching-writer: 3.1.0
       broccoli-file-creator: 2.1.1
       broccoli-funnel: 2.0.2
       broccoli-merge-trees: 3.0.2
@@ -14430,26 +14553,26 @@ snapshots:
       clone: 2.1.2
       ember-cli-babel: 7.26.11
       glob: 7.2.3
-      hash-for-dep: 1.5.1
+      hash-for-dep: 1.5.2
     transitivePeerDependencies:
       - rollup
       - supports-color
 
-  ember-sinon-qunit@7.5.0(@babel/core@7.26.10)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(qunit@2.24.1)(sinon@20.0.0):
+  ember-sinon-qunit@7.5.0(@babel/core@7.26.10)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(qunit@2.24.3)(sinon@20.0.0):
     dependencies:
-      '@embroider/addon-shim': 1.10.0
+      '@embroider/addon-shim': 1.10.2
       '@types/sinon': 17.0.4
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
-      qunit: 2.24.1
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
+      qunit: 2.24.3
       sinon: 20.0.0
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
 
-  ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0):
+  ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2):
     dependencies:
-      '@babel/helper-module-imports': 7.27.1
+      '@babel/helper-module-imports': 7.29.7
       '@ember/edition-utils': 1.2.0
       '@glimmer/compiler': 0.87.1
       '@glimmer/component': 1.1.2(@babel/core@7.26.10)
@@ -14474,13 +14597,13 @@ snapshots:
       babel-plugin-ember-template-compilation: 2.4.1
       babel-plugin-filter-imports: 4.0.0
       backburner.js: 2.8.0
-      broccoli-concat: 4.2.5
+      broccoli-concat: 4.2.7
       broccoli-debug: 0.6.5
       broccoli-file-creator: 2.1.1
       broccoli-funnel: 3.0.8
       broccoli-merge-trees: 4.2.0
       chalk: 4.1.2
-      ember-auto-import: 2.10.0(@glint/template@1.7.3)(webpack@5.94.0)
+      ember-auto-import: 2.10.0(@glint/template@1.7.7)(webpack@5.107.2)
       ember-cli-babel: 7.26.11
       ember-cli-get-component-path-option: 1.0.0
       ember-cli-is-package-missing: 1.0.0
@@ -14493,7 +14616,7 @@ snapshots:
       inflection: 2.0.1
       route-recognizer: 0.3.4
       router_js: 8.0.6(route-recognizer@0.3.4)(rsvp@4.8.5)
-      semver: 7.7.2
+      semver: 7.8.1
       silent-error: 1.1.1
       simple-html-tokenizer: 0.5.11
     transitivePeerDependencies:
@@ -14503,12 +14626,12 @@ snapshots:
       - supports-color
       - webpack
 
-  ember-stargate@0.5.0(@babel/core@7.26.10)(@ember/test-waiters@3.1.0)(@glimmer/tracking@1.1.2)(@glint/template@1.7.3)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-stargate@0.5.0(@babel/core@7.26.10)(@ember/test-waiters@3.1.0)(@glimmer/tracking@1.1.2)(@glint/template@1.7.7)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
-      '@ember/render-modifiers': 2.1.0(@babel/core@7.26.10)(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      '@embroider/addon-shim': 1.10.0
+      '@ember/render-modifiers': 2.1.0(@babel/core@7.26.10)(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      '@embroider/addon-shim': 1.10.2
       '@glimmer/component': 1.1.2(@babel/core@7.26.10)
-      ember-resources: 6.5.2(@ember/test-waiters@3.1.0)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glimmer/tracking@1.1.2)(@glint/template@1.7.3)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.3))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
+      ember-resources: 6.5.2(@babel/core@7.26.10)(@ember/test-waiters@3.1.0)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glimmer/tracking@1.1.2)(@glint/template@1.7.7)(ember-concurrency@4.0.6(@babel/core@7.26.10)(@glint/template@1.7.7))(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
       tracked-maps-and-sets: 3.0.2
     transitivePeerDependencies:
       - '@babel/core'
@@ -14519,14 +14642,14 @@ snapshots:
       - ember-source
       - supports-color
 
-  ember-style-modifier@4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-style-modifier@4.4.0(@babel/core@7.26.10)(@ember/string@4.0.1)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
     dependencies:
       '@ember/string': 4.0.1
-      '@embroider/addon-shim': 1.10.0
-      csstype: 3.1.3
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
+      '@embroider/addon-shim': 1.10.2
+      csstype: 3.2.3
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
       ember-modifier: 4.2.2(@babel/core@7.26.10)
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
@@ -14550,26 +14673,26 @@ snapshots:
       '@prettier/sync': 0.2.1(prettier@3.0.3)
       ember-template-lint: 6.1.0
       prettier: 3.0.3
-      prettier-linter-helpers: 1.0.0
+      prettier-linter-helpers: 1.0.1
 
   ember-template-lint@6.1.0:
     dependencies:
       '@lint-todo/utils': 13.1.1
       aria-query: 5.3.2
       chalk: 5.6.2
-      ci-info: 4.2.0
+      ci-info: 4.4.0
       date-fns: 3.6.0
       ember-template-imports: 3.4.2
       ember-template-recast: 6.1.5
       eslint-formatter-kakoune: 1.0.0
       find-up: 7.0.0
-      fuse.js: 7.1.0
+      fuse.js: 7.3.0
       get-stdin: 9.0.0
       globby: 14.1.0
       is-glob: 4.0.3
       language-tags: 1.0.9
       micromatch: 4.0.8
-      resolve: 1.22.10
+      resolve: 1.22.12
       v8-compile-cache: 2.4.0
       yargs: 17.7.2
     transitivePeerDependencies:
@@ -14586,7 +14709,7 @@ snapshots:
       globby: 11.1.0
       ora: 5.4.1
       slash: 3.0.0
-      tmp: 0.2.3
+      tmp: 0.2.5
       workerpool: 6.5.1
     transitivePeerDependencies:
       - supports-color
@@ -14600,14 +14723,14 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  ember-tether@3.1.1(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))(webpack@5.94.0):
+  ember-tether@3.1.1(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))(webpack@5.107.2):
     dependencies:
       '@babel/core': 7.26.10
-      '@ember/render-modifiers': 3.0.0(@glint/template@1.7.3)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-auto-import: 2.10.0(@glint/template@1.7.3)(webpack@5.94.0)
+      '@ember/render-modifiers': 3.0.0(@glint/template@1.7.7)(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-auto-import: 2.10.0(@glint/template@1.7.7)(webpack@5.107.2)
       ember-cli-babel: 8.2.0(@babel/core@7.26.10)
       ember-cli-htmlbars: 6.3.0
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
       tether: 2.0.0
     transitivePeerDependencies:
       - '@glint/template'
@@ -14621,17 +14744,21 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  ember-truth-helpers@4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)):
+  ember-tracked-storage-polyfill@1.0.1:
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      ember-functions-as-helper-polyfill: 2.1.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0))
-      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.3)(rsvp@4.8.5)(webpack@5.94.0)
+      ember-cli-babel: 7.26.11
     transitivePeerDependencies:
       - supports-color
 
-  emoji-regex@10.1.0: {}
+  ember-truth-helpers@4.0.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)):
+    dependencies:
+      '@embroider/addon-shim': 1.10.2
+      ember-functions-as-helper-polyfill: 2.1.3(ember-source@5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2))
+      ember-source: 5.8.0(@babel/core@7.26.10)(@glimmer/component@1.1.2(@babel/core@7.26.10))(@glint/template@1.7.7)(rsvp@4.8.5)(webpack@5.107.2)
+    transitivePeerDependencies:
+      - supports-color
 
-  emoji-regex@10.4.0: {}
+  emoji-regex@10.6.0: {}
 
   emoji-regex@7.0.3: {}
 
@@ -14645,50 +14772,49 @@ snapshots:
 
   encodeurl@2.0.0: {}
 
-  end-of-stream@1.4.4:
+  end-of-stream@1.4.5:
     dependencies:
       once: 1.4.0
 
   engine.io-parser@5.2.3: {}
 
-  engine.io@6.6.4:
+  engine.io@6.6.8:
     dependencies:
-      '@types/cors': 2.8.18
-      '@types/node': 25.1.0
+      '@types/cors': 2.8.19
+      '@types/node': 25.9.1
+      '@types/ws': 8.18.1
       accepts: 1.3.8
       base64id: 2.0.0
       cookie: 0.7.2
-      cors: 2.8.5
-      debug: 4.3.7
+      cors: 2.8.6
+      debug: 4.4.3
       engine.io-parser: 5.2.3
-      ws: 8.17.1
+      ws: 8.20.1
     transitivePeerDependencies:
       - bufferutil
       - supports-color
       - utf-8-validate
 
-  enhanced-resolve@5.18.1:
+  enhanced-resolve@5.22.0:
     dependencies:
       graceful-fs: 4.2.11
-      tapable: 2.2.2
+      tapable: 2.3.3
 
   ensure-posix-path@1.1.1: {}
 
   entities@2.2.0: {}
 
-  entities@3.0.1: {}
-
   entities@4.5.0: {}
 
   env-paths@2.2.1: {}
 
-  envinfo@7.15.0: {}
+  envinfo@7.21.0: {}
 
   environment@1.1.0: {}
 
   errlop@2.2.0: {}
 
-  error-ex@1.3.2:
+  error-ex@1.3.4:
     dependencies:
       is-arrayish: 0.2.1
 
@@ -14696,24 +14822,24 @@ snapshots:
     dependencies:
       string-template: 0.2.1
 
-  errorhandler@1.5.1:
+  errorhandler@1.5.2:
     dependencies:
       accepts: 1.3.8
       escape-html: 1.0.3
 
-  es-abstract@1.23.10:
+  es-abstract@1.24.2:
     dependencies:
       array-buffer-byte-length: 1.0.2
       arraybuffer.prototype.slice: 1.0.4
       available-typed-arrays: 1.0.7
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       data-view-buffer: 1.0.2
       data-view-byte-length: 1.0.2
       data-view-byte-offset: 1.0.1
       es-define-property: 1.0.1
       es-errors: 1.3.0
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
       es-set-tostringtag: 2.1.0
       es-to-primitive: 1.3.0
       function.prototype.name: 1.1.8
@@ -14725,12 +14851,14 @@ snapshots:
       has-property-descriptors: 1.0.2
       has-proto: 1.2.0
       has-symbols: 1.1.0
-      hasown: 2.0.2
+      hasown: 2.0.3
       internal-slot: 1.1.0
       is-array-buffer: 3.0.5
       is-callable: 1.2.7
       is-data-view: 1.0.2
+      is-negative-zero: 2.0.3
       is-regex: 1.2.1
+      is-set: 2.0.3
       is-shared-array-buffer: 1.0.4
       is-string: 1.1.1
       is-typed-array: 1.1.15
@@ -14741,10 +14869,11 @@ snapshots:
       object.assign: 4.1.7
       own-keys: 1.0.1
       regexp.prototype.flags: 1.5.4
-      safe-array-concat: 1.1.3
+      safe-array-concat: 1.1.4
       safe-push-apply: 1.0.0
       safe-regex-test: 1.1.0
       set-proto: 1.0.0
+      stop-iteration-iterator: 1.1.0
       string.prototype.trim: 1.2.10
       string.prototype.trimend: 1.0.9
       string.prototype.trimstart: 1.0.8
@@ -14753,15 +14882,15 @@ snapshots:
       typed-array-byte-offset: 1.0.4
       typed-array-length: 1.0.7
       unbox-primitive: 1.1.0
-      which-typed-array: 1.1.19
+      which-typed-array: 1.1.21
 
   es-define-property@1.0.1: {}
 
   es-errors@1.3.0: {}
 
-  es-module-lexer@1.7.0: {}
+  es-module-lexer@2.1.0: {}
 
-  es-object-atoms@1.1.1:
+  es-object-atoms@1.1.2:
     dependencies:
       es-errors: 1.3.0
 
@@ -14770,7 +14899,7 @@ snapshots:
       es-errors: 1.3.0
       get-intrinsic: 1.3.0
       has-tostringtag: 1.0.2
-      hasown: 2.0.2
+      hasown: 2.0.3
 
   es-to-primitive@1.3.0:
     dependencies:
@@ -14791,9 +14920,9 @@ snapshots:
   eslint-compat-utils@0.5.1(eslint@8.57.1):
     dependencies:
       eslint: 8.57.1
-      semver: 7.7.2
+      semver: 7.8.1
 
-  eslint-config-prettier@9.1.0(eslint@8.57.1):
+  eslint-config-prettier@9.1.2(eslint@8.57.1):
     dependencies:
       eslint: 8.57.1
 
@@ -14803,12 +14932,12 @@ snapshots:
     dependencies:
       '@mdn/browser-compat-data': 5.7.6
       ast-metadata-inferer: 0.8.1
-      browserslist: 4.24.5
-      caniuse-lite: 1.0.30001754
+      browserslist: 4.28.2
+      caniuse-lite: 1.0.30001793
       eslint: 8.57.1
       find-up: 5.0.0
       lodash.memoize: 4.1.2
-      semver: 7.7.2
+      semver: 7.8.1
 
   eslint-plugin-ember@11.12.0(eslint@8.57.1):
     dependencies:
@@ -14819,11 +14948,11 @@ snapshots:
       ember-template-imports: 3.4.2
       ember-template-recast: 6.1.5
       eslint: 8.57.1
-      eslint-utils: 1.4.3
+      eslint-utils: 3.0.0(eslint@8.57.1)
       estraverse: 5.3.0
       lodash.camelcase: 4.3.0
       lodash.kebabcase: 4.1.1
-      magic-string: 0.30.17
+      magic-string: 0.30.21
       requireindex: 1.2.0
       snake-case: 3.0.4
     transitivePeerDependencies:
@@ -14831,40 +14960,42 @@ snapshots:
 
   eslint-plugin-es-x@7.8.0(eslint@8.57.1):
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@8.57.1)
-      '@eslint-community/regexpp': 4.12.1
+      '@eslint-community/eslint-utils': 4.9.1(eslint@8.57.1)
+      '@eslint-community/regexpp': 4.12.2
       eslint: 8.57.1
       eslint-compat-utils: 0.5.1(eslint@8.57.1)
 
   eslint-plugin-n@16.6.2(eslint@8.57.1):
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@8.57.1)
+      '@eslint-community/eslint-utils': 4.9.1(eslint@8.57.1)
       builtins: 5.1.0
       eslint: 8.57.1
       eslint-plugin-es-x: 7.8.0(eslint@8.57.1)
-      get-tsconfig: 4.10.1
+      get-tsconfig: 4.14.0
       globals: 13.24.0
       ignore: 5.3.2
       is-builtin-module: 3.2.1
-      is-core-module: 2.16.1
-      minimatch: 3.1.2
-      resolve: 1.22.10
-      semver: 7.7.2
+      is-core-module: 2.16.2
+      minimatch: 3.1.5
+      resolve: 1.22.12
+      semver: 7.8.1
 
-  eslint-plugin-prettier@5.2.6(@types/eslint@8.56.12)(eslint-config-prettier@9.1.0(eslint@8.57.1))(eslint@8.57.1)(prettier@3.0.3):
+  eslint-plugin-prettier@5.2.6(@types/eslint@8.56.12)(eslint-config-prettier@9.1.2(eslint@8.57.1))(eslint@8.57.1)(prettier@3.0.3):
     dependencies:
       eslint: 8.57.1
       prettier: 3.0.3
-      prettier-linter-helpers: 1.0.0
-      synckit: 0.11.6
+      prettier-linter-helpers: 1.0.1
+      synckit: 0.11.12
     optionalDependencies:
       '@types/eslint': 8.56.12
-      eslint-config-prettier: 9.1.0(eslint@8.57.1)
+      eslint-config-prettier: 9.1.2(eslint@8.57.1)
 
-  eslint-plugin-qunit@8.1.2:
+  eslint-plugin-qunit@8.1.2(eslint@8.57.1):
     dependencies:
-      eslint-utils: 1.4.3
+      eslint-utils: 3.0.0(eslint@8.57.1)
       requireindex: 1.2.0
+    transitivePeerDependencies:
+      - eslint
 
   eslint-scope@5.1.1:
     dependencies:
@@ -14876,11 +15007,10 @@ snapshots:
       esrecurse: 4.3.0
       estraverse: 5.3.0
 
-  eslint-utils@1.4.3:
+  eslint-utils@3.0.0(eslint@8.57.1):
     dependencies:
-      eslint-visitor-keys: 1.3.0
-
-  eslint-visitor-keys@1.3.0: {}
+      eslint: 8.57.1
+      eslint-visitor-keys: 2.1.0
 
   eslint-visitor-keys@2.1.0: {}
 
@@ -14888,24 +15018,24 @@ snapshots:
 
   eslint@8.57.1:
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@8.57.1)
-      '@eslint-community/regexpp': 4.12.1
+      '@eslint-community/eslint-utils': 4.9.1(eslint@8.57.1)
+      '@eslint-community/regexpp': 4.12.2
       '@eslint/eslintrc': 2.1.4
       '@eslint/js': 8.57.1
       '@humanwhocodes/config-array': 0.13.0
       '@humanwhocodes/module-importer': 1.0.1
       '@nodelib/fs.walk': 1.2.8
-      '@ungap/structured-clone': 1.3.0
-      ajv: 6.12.6
+      '@ungap/structured-clone': 1.3.1
+      ajv: 6.15.0
       chalk: 4.1.2
       cross-spawn: 7.0.6
-      debug: 4.4.1
+      debug: 4.4.3
       doctrine: 3.0.0
       escape-string-regexp: 4.0.0
       eslint-scope: 7.2.2
       eslint-visitor-keys: 3.4.3
       espree: 9.6.1
-      esquery: 1.6.0
+      esquery: 1.7.0
       esutils: 2.0.3
       fast-deep-equal: 3.1.3
       file-entry-cache: 6.0.1
@@ -14921,7 +15051,7 @@ snapshots:
       json-stable-stringify-without-jsonify: 1.0.1
       levn: 0.4.1
       lodash.merge: 4.6.2
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       natural-compare: 1.4.0
       optionator: 0.9.4
       strip-ansi: 6.0.1
@@ -14933,18 +15063,14 @@ snapshots:
 
   espree@9.6.1:
     dependencies:
-      acorn: 8.14.1
-      acorn-jsx: 5.3.2(acorn@8.14.1)
+      acorn: 8.16.0
+      acorn-jsx: 5.3.2(acorn@8.16.0)
       eslint-visitor-keys: 3.4.3
 
   esprima@3.0.0: {}
 
   esprima@4.0.1: {}
 
-  esquery@1.6.0:
-    dependencies:
-      estraverse: 5.3.0
-
   esquery@1.7.0:
     dependencies:
       estraverse: 5.3.0
@@ -14965,9 +15091,9 @@ snapshots:
 
   eventemitter3@4.0.7: {}
 
-  eventemitter3@5.0.1: {}
+  eventemitter3@5.0.4: {}
 
-  events-to-array@1.1.2: {}
+  events-to-array@2.0.3: {}
 
   events@3.3.0: {}
 
@@ -15031,48 +15157,96 @@ snapshots:
       signal-exit: 4.1.0
       strip-final-newline: 3.0.0
 
+  execa@9.6.1:
+    dependencies:
+      '@sindresorhus/merge-streams': 4.0.0
+      cross-spawn: 7.0.6
+      figures: 6.1.0
+      get-stream: 9.0.1
+      human-signals: 8.0.1
+      is-plain-obj: 4.1.0
+      is-stream: 4.0.1
+      npm-run-path: 6.0.0
+      pretty-ms: 9.3.0
+      signal-exit: 4.1.0
+      strip-final-newline: 4.0.0
+      yoctocolors: 2.1.2
+
   exit@0.1.2: {}
 
   expand-tilde@2.0.2:
     dependencies:
       homedir-polyfill: 1.0.3
 
-  express@4.22.1:
+  express@4.22.2:
     dependencies:
       accepts: 1.3.8
       array-flatten: 1.1.1
-      body-parser: 1.20.3
+      body-parser: 1.20.5
       content-disposition: 0.5.4
       content-type: 1.0.5
       cookie: 0.7.2
-      cookie-signature: 1.0.6
+      cookie-signature: 1.0.7
       debug: 2.6.9
       depd: 2.0.0
       encodeurl: 2.0.0
       escape-html: 1.0.3
       etag: 1.8.1
-      finalhandler: 1.3.1
+      finalhandler: 1.3.2
       fresh: 0.5.2
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       merge-descriptors: 1.0.3
       methods: 1.1.2
       on-finished: 2.4.1
       parseurl: 1.3.3
-      path-to-regexp: 0.1.12
+      path-to-regexp: 0.1.13
       proxy-addr: 2.0.7
       qs: 6.14.1
       range-parser: 1.2.1
       safe-buffer: 5.2.1
-      send: 0.19.0
-      serve-static: 1.16.2
+      send: 0.19.2
+      serve-static: 1.16.3
       setprototypeof: 1.2.0
-      statuses: 2.0.1
+      statuses: 2.0.2
       type-is: 1.6.18
       utils-merge: 1.0.1
       vary: 1.1.2
     transitivePeerDependencies:
       - supports-color
 
+  express@5.2.1:
+    dependencies:
+      accepts: 2.0.0
+      body-parser: 2.2.2
+      content-disposition: 1.1.0
+      content-type: 1.0.5
+      cookie: 0.7.2
+      cookie-signature: 1.2.2
+      debug: 4.4.3
+      depd: 2.0.0
+      encodeurl: 2.0.0
+      escape-html: 1.0.3
+      etag: 1.8.1
+      finalhandler: 2.1.1
+      fresh: 2.0.0
+      http-errors: 2.0.1
+      merge-descriptors: 2.0.0
+      mime-types: 3.0.2
+      on-finished: 2.4.1
+      once: 1.4.0
+      parseurl: 1.3.3
+      proxy-addr: 2.0.7
+      qs: 6.14.1
+      range-parser: 1.2.1
+      router: 2.2.0
+      send: 1.2.1
+      serve-static: 2.2.1
+      statuses: 2.0.2
+      type-is: 2.1.0
+      vary: 1.1.2
+    transitivePeerDependencies:
+      - supports-color
+
   extend@3.0.2: {}
 
   external-editor@3.1.0:
@@ -15117,11 +15291,11 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  fast-uri@3.0.6: {}
+  fast-uri@3.1.2: {}
 
   fastest-levenshtein@1.0.16: {}
 
-  fastq@1.19.1:
+  fastq@1.20.1:
     dependencies:
       reusify: 1.1.0
 
@@ -15147,19 +15321,18 @@ snapshots:
     dependencies:
       escape-string-regexp: 1.0.5
 
-  file-entry-cache@10.1.0:
+  figures@6.1.0:
     dependencies:
-      flat-cache: 6.1.9
+      is-unicode-supported: 2.1.0
+
+  file-entry-cache@10.1.4:
+    dependencies:
+      flat-cache: 6.1.22
 
   file-entry-cache@6.0.1:
     dependencies:
       flat-cache: 3.2.0
 
-  file-set@4.0.2:
-    dependencies:
-      array-back: 5.0.0
-      glob: 7.2.3
-
   filesize@10.1.6: {}
 
   filesize@4.2.1: {}
@@ -15180,18 +15353,29 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  finalhandler@1.3.1:
+  finalhandler@1.3.2:
     dependencies:
       debug: 2.6.9
       encodeurl: 2.0.0
       escape-html: 1.0.3
       on-finished: 2.4.1
       parseurl: 1.3.3
-      statuses: 2.0.1
+      statuses: 2.0.2
       unpipe: 1.0.0
     transitivePeerDependencies:
       - supports-color
 
+  finalhandler@2.1.1:
+    dependencies:
+      debug: 4.4.3
+      encodeurl: 2.0.0
+      escape-html: 1.0.3
+      on-finished: 2.4.1
+      parseurl: 1.3.3
+      statuses: 2.0.2
+    transitivePeerDependencies:
+      - supports-color
+
   find-babel-config@1.2.2:
     dependencies:
       json5: 1.0.2
@@ -15209,12 +15393,6 @@ snapshots:
 
   find-index@1.1.1: {}
 
-  find-replace@3.0.0:
-    dependencies:
-      array-back: 3.1.0
-
-  find-replace@5.0.2: {}
-
   find-up@2.1.0:
     dependencies:
       locate-path: 2.0.0
@@ -15257,14 +15435,6 @@ snapshots:
       micromatch: 4.0.8
       resolve-dir: 1.0.1
 
-  fireworm@0.7.2:
-    dependencies:
-      async: 2.6.4
-      is-type: 0.0.1
-      lodash.debounce: 3.1.1
-      lodash.flatten: 3.0.2
-      minimatch: 3.1.2
-
   fixturify-project@1.10.0:
     dependencies:
       fixturify: 1.3.0
@@ -15300,25 +15470,25 @@ snapshots:
 
   flat-cache@3.2.0:
     dependencies:
-      flatted: 3.3.3
+      flatted: 3.4.2
       keyv: 4.5.4
       rimraf: 3.0.2
 
-  flat-cache@6.1.9:
+  flat-cache@6.1.22:
     dependencies:
-      cacheable: 1.9.0
-      flatted: 3.3.3
-      hookified: 1.9.0
+      cacheable: 2.3.5
+      flatted: 3.4.2
+      hookified: 1.15.1
 
   flat@5.0.2: {}
 
-  flatted@3.3.3: {}
+  flatted@3.4.2: {}
 
-  focus-trap@6.9.4:
+  focus-trap@7.8.0:
     dependencies:
-      tabbable: 5.3.3
+      tabbable: 6.4.0
 
-  follow-redirects@1.15.9: {}
+  follow-redirects@1.16.0: {}
 
   for-each@0.3.5:
     dependencies:
@@ -15335,6 +15505,8 @@ snapshots:
 
   fresh@0.5.2: {}
 
+  fresh@2.0.0: {}
+
   fs-extra@0.24.0:
     dependencies:
       graceful-fs: 4.2.11
@@ -15353,13 +15525,13 @@ snapshots:
   fs-extra@10.1.0:
     dependencies:
       graceful-fs: 4.2.11
-      jsonfile: 6.1.0
+      jsonfile: 6.2.1
       universalify: 2.0.1
 
-  fs-extra@11.3.0:
+  fs-extra@11.3.5:
     dependencies:
       graceful-fs: 4.2.11
-      jsonfile: 6.1.0
+      jsonfile: 6.2.1
       universalify: 2.0.1
 
   fs-extra@3.0.1:
@@ -15396,7 +15568,7 @@ snapshots:
     dependencies:
       at-least-node: 1.0.0
       graceful-fs: 4.2.11
-      jsonfile: 6.1.0
+      jsonfile: 6.2.1
       universalify: 2.0.1
 
   fs-merger@3.2.1:
@@ -15411,8 +15583,6 @@ snapshots:
 
   fs-readdir-recursive@1.1.0: {}
 
-  fs-then-native@2.0.0: {}
-
   fs-tree-diff@0.5.9:
     dependencies:
       heimdalljs-logger: 0.1.10
@@ -15454,31 +15624,22 @@ snapshots:
 
   function.prototype.name@1.1.8:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       define-properties: 1.2.1
       functions-have-names: 1.2.3
-      hasown: 2.0.2
+      hasown: 2.0.3
       is-callable: 1.2.7
 
   functions-have-names@1.2.3: {}
 
   fuse.js@7.1.0: {}
 
-  gauge@4.0.4:
-    dependencies:
-      aproba: 2.0.0
-      color-support: 1.1.3
-      console-control-strings: 1.1.0
-      has-unicode: 2.0.1
-      signal-exit: 3.0.7
-      string-width: 4.2.3
-      strip-ansi: 6.0.1
-      wide-align: 1.1.5
+  fuse.js@7.3.0: {}
 
   gauge@5.0.2:
     dependencies:
-      aproba: 2.0.0
+      aproba: 2.1.0
       color-support: 1.1.3
       console-control-strings: 1.1.0
       has-unicode: 2.0.1
@@ -15487,29 +15648,31 @@ snapshots:
       strip-ansi: 6.0.1
       wide-align: 1.1.5
 
+  generator-function@2.0.1: {}
+
   gensync@1.0.0-beta.2: {}
 
   get-caller-file@2.0.5: {}
 
-  get-east-asian-width@1.3.0: {}
+  get-east-asian-width@1.6.0: {}
 
   get-intrinsic@1.3.0:
     dependencies:
       call-bind-apply-helpers: 1.0.2
       es-define-property: 1.0.1
       es-errors: 1.3.0
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
       function-bind: 1.1.2
       get-proto: 1.0.1
       gopd: 1.2.0
       has-symbols: 1.1.0
-      hasown: 2.0.2
+      hasown: 2.0.3
       math-intrinsics: 1.1.0
 
   get-proto@1.0.1:
     dependencies:
       dunder-proto: 1.0.1
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
 
   get-stdin@4.0.1: {}
 
@@ -15519,23 +15682,28 @@ snapshots:
 
   get-stream@4.1.0:
     dependencies:
-      pump: 3.0.2
+      pump: 3.0.4
 
   get-stream@5.2.0:
     dependencies:
-      pump: 3.0.2
+      pump: 3.0.4
 
   get-stream@6.0.1: {}
 
   get-stream@8.0.1: {}
 
+  get-stream@9.0.1:
+    dependencies:
+      '@sec-ant/readable-stream': 0.4.1
+      is-stream: 4.0.1
+
   get-symbol-description@1.1.0:
     dependencies:
       call-bound: 1.0.4
       es-errors: 1.3.0
       get-intrinsic: 1.3.0
 
-  get-tsconfig@4.10.1:
+  get-tsconfig@4.14.0:
     dependencies:
       resolve-pkg-maps: 1.0.0
 
@@ -15559,16 +15727,22 @@ snapshots:
     dependencies:
       foreground-child: 3.3.1
       jackspeak: 3.4.3
-      minimatch: 9.0.5
-      minipass: 7.1.2
+      minimatch: 9.0.9
+      minipass: 7.1.3
       package-json-from-dist: 1.0.1
       path-scurry: 1.11.1
 
+  glob@13.0.6:
+    dependencies:
+      minimatch: 10.2.5
+      minipass: 7.1.3
+      path-scurry: 2.0.2
+
   glob@5.0.15:
     dependencies:
       inflight: 1.0.6
       inherits: 2.0.4
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       once: 1.4.0
       path-is-absolute: 1.0.1
 
@@ -15577,7 +15751,7 @@ snapshots:
       fs.realpath: 1.0.0
       inflight: 1.0.6
       inherits: 2.0.4
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       once: 1.4.0
       path-is-absolute: 1.0.1
 
@@ -15586,13 +15760,13 @@ snapshots:
       fs.realpath: 1.0.0
       inflight: 1.0.6
       inherits: 2.0.4
-      minimatch: 5.1.6
+      minimatch: 5.1.9
       once: 1.4.0
 
   glob@9.3.5:
     dependencies:
       fs.realpath: 1.0.0
-      minimatch: 8.0.4
+      minimatch: 8.0.7
       minipass: 4.2.8
       path-scurry: 1.11.1
 
@@ -15620,8 +15794,6 @@ snapshots:
       kind-of: 6.0.3
       which: 1.3.1
 
-  globals@11.12.0: {}
-
   globals@13.24.0:
     dependencies:
       type-fest: 0.20.2
@@ -15657,7 +15829,7 @@ snapshots:
     dependencies:
       '@sindresorhus/merge-streams': 2.3.0
       fast-glob: 3.3.3
-      ignore: 7.0.4
+      ignore: 7.0.5
       path-type: 6.0.0
       slash: 5.1.0
       unicorn-magic: 0.3.0
@@ -15678,7 +15850,7 @@ snapshots:
 
   growly@1.3.0: {}
 
-  handlebars@4.7.8:
+  handlebars@4.7.9:
     dependencies:
       minimist: 1.2.8
       neo-async: 2.6.2
@@ -15697,8 +15869,6 @@ snapshots:
 
   has-bigints@1.1.0: {}
 
-  has-color@0.1.7: {}
-
   has-flag@3.0.0: {}
 
   has-flag@4.0.0: {}
@@ -15719,18 +15889,20 @@ snapshots:
 
   has-unicode@2.0.1: {}
 
-  hash-for-dep@1.5.1:
+  hash-for-dep@1.5.2:
     dependencies:
-      broccoli-kitchen-sink-helpers: 0.3.1
       heimdalljs: 0.2.6
       heimdalljs-logger: 0.1.10
-      path-root: 0.1.1
-      resolve: 1.22.10
+      resolve: 1.22.12
       resolve-package-path: 1.2.7
     transitivePeerDependencies:
       - supports-color
 
-  hasown@2.0.2:
+  hashery@1.5.1:
+    dependencies:
+      hookified: 1.15.1
+
+  hasown@2.0.3:
     dependencies:
       function-bind: 1.1.2
 
@@ -15751,7 +15923,7 @@ snapshots:
 
   hast-util-whitespace@1.0.4: {}
 
-  heimdalljs-fs-monitor@1.1.1:
+  heimdalljs-fs-monitor@1.1.2:
     dependencies:
       callsites: 3.1.0
       clean-stack: 2.2.0
@@ -15778,7 +15950,9 @@ snapshots:
     dependencies:
       parse-passwd: 1.0.0
 
-  hookified@1.9.0: {}
+  hookified@1.15.1: {}
+
+  hookified@2.2.0: {}
 
   hosted-git-info@3.0.8:
     dependencies:
@@ -15794,13 +15968,6 @@ snapshots:
 
   html-void-elements@1.0.5: {}
 
-  htmlparser2@7.2.0:
-    dependencies:
-      domelementtype: 2.3.0
-      domhandler: 4.3.1
-      domutils: 2.8.0
-      entities: 3.0.1
-
   http-errors@1.6.3:
     dependencies:
       depd: 1.1.2
@@ -15808,12 +15975,12 @@ snapshots:
       setprototypeof: 1.1.0
       statuses: 1.5.0
 
-  http-errors@2.0.0:
+  http-errors@2.0.1:
     dependencies:
       depd: 2.0.0
       inherits: 2.0.4
       setprototypeof: 1.2.0
-      statuses: 2.0.1
+      statuses: 2.0.2
       toidentifier: 1.0.1
 
   http-parser-js@0.5.10: {}
@@ -15821,7 +15988,7 @@ snapshots:
   http-proxy@1.18.1:
     dependencies:
       eventemitter3: 4.0.7
-      follow-redirects: 1.15.9
+      follow-redirects: 1.16.0
       requires-port: 1.0.0
     transitivePeerDependencies:
       - debug
@@ -15834,6 +16001,8 @@ snapshots:
 
   human-signals@5.0.0: {}
 
+  human-signals@8.0.1: {}
+
   iconv-lite@0.4.24:
     dependencies:
       safer-buffer: 2.1.2
@@ -15842,17 +16011,21 @@ snapshots:
     dependencies:
       safer-buffer: 2.1.2
 
-  icss-utils@5.1.0(postcss@8.5.3):
+  iconv-lite@0.7.2:
     dependencies:
-      postcss: 8.5.3
+      safer-buffer: 2.1.2
+
+  icss-utils@5.1.0(postcss@8.5.15):
+    dependencies:
+      postcss: 8.5.15
 
   ieee754@1.2.1: {}
 
   ignore@5.3.2: {}
 
-  ignore@7.0.4: {}
+  ignore@7.0.5: {}
 
-  immutable@5.1.2: {}
+  immutable@5.1.5: {}
 
   import-fresh@3.3.1:
     dependencies:
@@ -15903,7 +16076,7 @@ snapshots:
       cli-width: 2.2.1
       external-editor: 3.1.0
       figures: 2.0.0
-      lodash: 4.17.23
+      lodash: 4.18.0
       mute-stream: 0.0.7
       run-async: 2.4.1
       rxjs: 6.6.7
@@ -15919,7 +16092,7 @@ snapshots:
       cli-width: 3.0.0
       external-editor: 3.1.0
       figures: 3.2.0
-      lodash: 4.17.23
+      lodash: 4.18.0
       mute-stream: 0.0.8
       run-async: 2.4.1
       rxjs: 6.6.7
@@ -15927,12 +16100,12 @@ snapshots:
       strip-ansi: 6.0.1
       through: 2.3.8
 
-  inquirer@9.3.7:
+  inquirer@9.3.8(@types/node@25.9.1):
     dependencies:
-      '@inquirer/figures': 1.0.11
+      '@inquirer/external-editor': 1.0.3(@types/node@25.9.1)
+      '@inquirer/figures': 1.0.15
       ansi-escapes: 4.3.2
       cli-width: 4.1.0
-      external-editor: 3.1.0
       mute-stream: 1.0.0
       ora: 5.4.1
       run-async: 3.0.0
@@ -15940,12 +16113,14 @@ snapshots:
       string-width: 4.2.3
       strip-ansi: 6.0.1
       wrap-ansi: 6.2.0
-      yoctocolors-cjs: 2.1.2
+      yoctocolors-cjs: 2.1.3
+    transitivePeerDependencies:
+      - '@types/node'
 
   internal-slot@1.1.0:
     dependencies:
       es-errors: 1.3.0
-      hasown: 2.0.2
+      hasown: 2.0.3
       side-channel: 1.1.0
 
   internmap@1.0.1: {}
@@ -15954,6 +16129,13 @@ snapshots:
 
   interpret@3.1.1: {}
 
+  intl-messageformat@10.7.18:
+    dependencies:
+      '@formatjs/ecma402-abstract': 2.3.6
+      '@formatjs/fast-memoize': 2.2.7
+      '@formatjs/icu-messageformat-parser': 2.11.4
+      tslib: 2.8.1
+
   invert-kv@3.0.1: {}
 
   ipaddr.js@1.9.1: {}
@@ -15967,7 +16149,7 @@ snapshots:
 
   is-array-buffer@3.0.5:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       get-intrinsic: 1.3.0
 
@@ -16003,9 +16185,9 @@ snapshots:
 
   is-callable@1.2.7: {}
 
-  is-core-module@2.16.1:
+  is-core-module@2.16.2:
     dependencies:
-      hasown: 2.0.2
+      hasown: 2.0.3
 
   is-data-view@1.0.2:
     dependencies:
@@ -16034,13 +16216,14 @@ snapshots:
 
   is-fullwidth-code-point@4.0.0: {}
 
-  is-fullwidth-code-point@5.0.0:
+  is-fullwidth-code-point@5.1.0:
     dependencies:
-      get-east-asian-width: 1.3.0
+      get-east-asian-width: 1.6.0
 
-  is-generator-function@1.1.0:
+  is-generator-function@1.1.2:
     dependencies:
       call-bound: 1.0.4
+      generator-function: 2.0.1
       get-proto: 1.0.1
       has-tostringtag: 1.0.2
       safe-regex-test: 1.1.0
@@ -16065,6 +16248,8 @@ snapshots:
 
   is-map@2.0.3: {}
 
+  is-negative-zero@2.0.3: {}
+
   is-number-object@1.1.1:
     dependencies:
       call-bound: 1.0.4
@@ -16078,18 +16263,22 @@ snapshots:
 
   is-plain-obj@2.1.0: {}
 
+  is-plain-obj@4.1.0: {}
+
   is-plain-object@2.0.4:
     dependencies:
       isobject: 3.0.1
 
   is-plain-object@5.0.0: {}
 
+  is-promise@4.0.0: {}
+
   is-regex@1.2.1:
     dependencies:
       call-bound: 1.0.4
       gopd: 1.2.0
       has-tostringtag: 1.0.2
-      hasown: 2.0.2
+      hasown: 2.0.3
 
   is-set@2.0.3: {}
 
@@ -16103,6 +16292,8 @@ snapshots:
 
   is-stream@3.0.0: {}
 
+  is-stream@4.0.1: {}
+
   is-string@1.1.1:
     dependencies:
       call-bound: 1.0.4
@@ -16118,18 +16309,16 @@ snapshots:
       has-symbols: 1.1.0
       safe-regex-test: 1.1.0
 
-  is-type@0.0.1:
-    dependencies:
-      core-util-is: 1.0.3
-
   is-typed-array@1.1.15:
     dependencies:
-      which-typed-array: 1.1.19
+      which-typed-array: 1.1.21
 
   is-typedarray@1.0.0: {}
 
   is-unicode-supported@0.1.0: {}
 
+  is-unicode-supported@2.1.0: {}
+
   is-weakmap@2.0.2: {}
 
   is-weakref@1.1.1:
@@ -16153,7 +16342,7 @@ snapshots:
 
   isarray@2.0.5: {}
 
-  isbinaryfile@5.0.4: {}
+  isbinaryfile@5.0.7: {}
 
   isexe@2.0.0: {}
 
@@ -16183,7 +16372,7 @@ snapshots:
 
   jest-worker@27.5.1:
     dependencies:
-      '@types/node': 25.1.0
+      '@types/node': 25.9.1
       merge-stream: 2.0.0
       supports-color: 8.1.1
 
@@ -16193,80 +16382,18 @@ snapshots:
 
   js-tokens@4.0.0: {}
 
-  js-yaml@3.14.2:
-    dependencies:
-      argparse: 1.0.10
-      esprima: 4.0.1
-
   js-yaml@4.1.1:
     dependencies:
       argparse: 2.0.1
 
-  js2xmlparser@4.0.2:
-    dependencies:
-      xmlcreate: 2.0.4
-
-  jsdoc-api@8.1.1:
-    dependencies:
-      array-back: 6.2.2
-      cache-point: 2.0.0
-      collect-all: 1.0.4
-      file-set: 4.0.2
-      fs-then-native: 2.0.0
-      jsdoc: 4.0.4
-      object-to-spawn-args: 2.0.1
-      temp-path: 1.0.0
-      walk-back: 5.1.1
-
   jsdoc-babel@0.5.0(@babel/core@7.26.10):
     dependencies:
       '@babel/core': 7.26.10
       jsdoc-regex: 1.0.1
-      lodash: 4.17.23
-
-  jsdoc-parse@6.2.4:
-    dependencies:
-      array-back: 6.2.2
-      find-replace: 5.0.2
-      lodash.omit: 4.5.0
-      sort-array: 5.0.0
-    transitivePeerDependencies:
-      - '@75lb/nature'
+      lodash: 4.18.0
 
   jsdoc-regex@1.0.1: {}
 
-  jsdoc-to-markdown@8.0.3:
-    dependencies:
-      array-back: 6.2.2
-      command-line-tool: 0.8.0
-      config-master: 3.1.0
-      dmd: 6.2.3
-      jsdoc-api: 8.1.1
-      jsdoc-parse: 6.2.4
-      walk-back: 5.1.1
-    transitivePeerDependencies:
-      - '@75lb/nature'
-
-  jsdoc@4.0.4:
-    dependencies:
-      '@babel/parser': 7.27.2
-      '@jsdoc/salty': 0.2.9
-      '@types/markdown-it': 14.1.2
-      bluebird: 3.7.2
-      catharsis: 0.9.0
-      escape-string-regexp: 2.0.0
-      js2xmlparser: 4.0.2
-      klaw: 3.0.0
-      markdown-it: 14.1.0
-      markdown-it-anchor: 8.6.7(@types/markdown-it@14.1.2)(markdown-it@14.1.0)
-      marked: 4.3.0
-      mkdirp: 1.0.4
-      requizzle: 0.2.4
-      strip-json-comments: 3.1.1
-      underscore: 1.13.7
-
-  jsesc@3.0.2: {}
-
   jsesc@3.1.0: {}
 
   json-buffer@3.0.1: {}
@@ -16281,7 +16408,7 @@ snapshots:
 
   json-stable-stringify@1.3.0:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       isarray: 2.0.5
       jsonify: 0.0.1
@@ -16312,7 +16439,7 @@ snapshots:
     optionalDependencies:
       graceful-fs: 4.2.11
 
-  jsonfile@6.1.0:
+  jsonfile@6.2.1:
     dependencies:
       universalify: 2.0.1
     optionalDependencies:
@@ -16320,18 +16447,13 @@ snapshots:
 
   jsonify@0.0.1: {}
 
-  jsonlint@1.6.3:
-    dependencies:
-      JSV: 4.0.2
-      nomnom: 1.8.1
-
   keyv@4.5.4:
     dependencies:
       json-buffer: 3.0.1
 
-  keyv@5.3.3:
+  keyv@5.6.0:
     dependencies:
-      '@keyv/serialize': 1.0.3
+      '@keyv/serialize': 1.1.1
 
   kind-of@6.0.3: {}
 
@@ -16339,10 +16461,6 @@ snapshots:
     optionalDependencies:
       graceful-fs: 4.2.11
 
-  klaw@3.0.0:
-    dependencies:
-      graceful-fs: 4.2.11
-
   known-css-properties@0.36.0: {}
 
   language-subtag-registry@0.3.23: {}
@@ -16369,11 +16487,7 @@ snapshots:
 
   lines-and-columns@1.2.4: {}
 
-  linkify-it@4.0.1:
-    dependencies:
-      uc.micro: 1.0.6
-
-  linkify-it@5.0.0:
+  linkify-it@5.0.1:
     dependencies:
       uc.micro: 2.1.0
 
@@ -16381,14 +16495,14 @@ snapshots:
     dependencies:
       chalk: 5.6.2
       commander: 13.1.0
-      debug: 4.4.1
+      debug: 4.4.3
       lilconfig: 3.1.3
       listr2: 8.3.3
       micromatch: 4.0.8
-      nano-spawn: 1.0.2
+      nano-spawn: 1.0.3
       pidtree: 0.6.0
       string-argv: 0.3.2
-      yaml: 2.8.0
+      yaml: 2.9.0
     transitivePeerDependencies:
       - supports-color
 
@@ -16396,14 +16510,14 @@ snapshots:
     dependencies:
       cli-truncate: 4.0.0
       colorette: 2.0.20
-      eventemitter3: 5.0.1
+      eventemitter3: 5.0.4
       log-update: 6.1.0
       rfdc: 1.4.1
-      wrap-ansi: 9.0.0
+      wrap-ansi: 9.0.2
 
   livereload-js@3.4.1: {}
 
-  loader-runner@4.3.0: {}
+  loader-runner@4.3.2: {}
 
   loader-utils@2.0.4:
     dependencies:
@@ -16435,38 +16549,14 @@ snapshots:
     dependencies:
       p-locate: 6.0.0
 
-  lodash-es@4.17.23: {}
-
-  lodash._baseflatten@3.1.4:
-    dependencies:
-      lodash.isarguments: 3.1.0
-      lodash.isarray: 3.0.4
-
-  lodash._getnative@3.9.1: {}
-
-  lodash._isiterateecall@3.0.9: {}
+  lodash-es@4.18.0: {}
 
   lodash.camelcase@4.3.0: {}
 
-  lodash.debounce@3.1.1:
-    dependencies:
-      lodash._getnative: 3.9.1
-
   lodash.debounce@4.0.8: {}
 
   lodash.defaultsdeep@4.6.1: {}
 
-  lodash.flatten@3.0.2:
-    dependencies:
-      lodash._baseflatten: 3.1.4
-      lodash._isiterateecall: 3.0.9
-
-  lodash.get@4.4.2: {}
-
-  lodash.isarguments@3.1.0: {}
-
-  lodash.isarray@3.0.4: {}
-
   lodash.iteratee@4.7.0: {}
 
   lodash.kebabcase@4.1.1: {}
@@ -16475,15 +16565,11 @@ snapshots:
 
   lodash.merge@4.6.2: {}
 
-  lodash.omit@4.5.0: {}
-
-  lodash.padend@4.6.1: {}
-
   lodash.truncate@4.4.2: {}
 
-  lodash.uniq@4.5.0: {}
+  lodash@4.18.0: {}
 
-  lodash@4.17.23: {}
+  lodash@4.18.1: {}
 
   log-symbols@2.2.0:
     dependencies:
@@ -16496,11 +16582,11 @@ snapshots:
 
   log-update@6.1.0:
     dependencies:
-      ansi-escapes: 7.0.0
+      ansi-escapes: 7.3.0
       cli-cursor: 5.0.0
-      slice-ansi: 7.1.0
-      strip-ansi: 7.1.0
-      wrap-ansi: 9.0.0
+      slice-ansi: 7.1.2
+      strip-ansi: 7.2.0
+      wrap-ansi: 9.0.2
 
   loglevel-colored-level-prefix@1.0.0:
     dependencies:
@@ -16517,6 +16603,8 @@ snapshots:
 
   lru-cache@10.4.3: {}
 
+  lru-cache@11.5.0: {}
+
   lru-cache@5.1.1:
     dependencies:
       yallist: 3.1.1
@@ -16527,15 +16615,15 @@ snapshots:
 
   lru-cache@7.18.3: {}
 
-  luxon@3.7.1: {}
+  luxon@3.7.2: {}
 
   magic-string@0.25.9:
     dependencies:
       sourcemap-codec: 1.4.8
 
-  magic-string@0.30.17:
+  magic-string@0.30.21:
     dependencies:
-      '@jridgewell/sourcemap-codec': 1.5.0
+      '@jridgewell/sourcemap-codec': 1.5.5
 
   make-dir@2.1.0:
     dependencies:
@@ -16546,7 +16634,7 @@ snapshots:
     dependencies:
       semver: 6.3.1
 
-  make-plural@7.4.0: {}
+  make-plural@7.5.0: {}
 
   makeerror@1.0.12:
     dependencies:
@@ -16558,32 +16646,19 @@ snapshots:
 
   map-obj@4.3.0: {}
 
-  markdown-it-anchor@8.6.7(@types/markdown-it@14.1.2)(markdown-it@14.1.0):
-    dependencies:
-      '@types/markdown-it': 14.1.2
-      markdown-it: 14.1.0
-
-  markdown-it-terminal@0.4.0(markdown-it@13.0.2):
+  markdown-it-terminal@0.4.0(markdown-it@14.1.1):
     dependencies:
       ansi-styles: 3.2.1
       cardinal: 1.0.0
       cli-table: 0.3.11
       lodash.merge: 4.6.2
-      markdown-it: 13.0.2
+      markdown-it: 14.1.1
 
-  markdown-it@13.0.2:
-    dependencies:
-      argparse: 2.0.1
-      entities: 3.0.1
-      linkify-it: 4.0.1
-      mdurl: 1.0.1
-      uc.micro: 1.0.6
-
-  markdown-it@14.1.0:
+  markdown-it@14.1.1:
     dependencies:
       argparse: 2.0.1
       entities: 4.5.0
-      linkify-it: 5.0.0
+      linkify-it: 5.0.1
       mdurl: 2.0.0
       punycode.js: 2.3.1
       uc.micro: 2.1.0
@@ -16592,16 +16667,14 @@ snapshots:
     dependencies:
       repeat-string: 1.6.1
 
-  marked@4.3.0: {}
-
   matcher-collection@1.1.2:
     dependencies:
-      minimatch: 3.1.2
+      minimatch: 3.1.5
 
   matcher-collection@2.0.1:
     dependencies:
       '@types/minimatch': 3.0.5
-      minimatch: 3.1.2
+      minimatch: 3.1.5
 
   math-intrinsics@1.1.0: {}
 
@@ -16621,13 +16694,6 @@ snapshots:
       unist-util-is: 4.1.0
       unist-util-visit-parents: 3.1.1
 
-  mdast-util-footnote@0.1.7:
-    dependencies:
-      mdast-util-to-markdown: 0.6.5
-      micromark: 2.11.4
-    transitivePeerDependencies:
-      - supports-color
-
   mdast-util-from-markdown@0.8.5:
     dependencies:
       '@types/mdast': 3.0.15
@@ -16709,7 +16775,7 @@ snapshots:
 
   mdn-data@2.0.30: {}
 
-  mdn-data@2.12.2: {}
+  mdn-data@2.27.1: {}
 
   mdurl@1.0.1: {}
 
@@ -16717,12 +16783,19 @@ snapshots:
 
   media-typer@0.3.0: {}
 
+  media-typer@1.1.0: {}
+
   mem@5.1.1:
     dependencies:
       map-age-cleaner: 0.1.3
       mimic-fn: 2.1.0
       p-is-promise: 2.1.0
 
+  mem@8.1.1:
+    dependencies:
+      map-age-cleaner: 0.1.3
+      mimic-fn: 3.1.0
+
   memory-streams@0.1.3:
     dependencies:
       readable-stream: 1.0.34
@@ -16731,6 +16804,8 @@ snapshots:
 
   merge-descriptors@1.0.3: {}
 
+  merge-descriptors@2.0.0: {}
+
   merge-stream@2.0.0: {}
 
   merge-trees@2.0.0:
@@ -16744,12 +16819,6 @@ snapshots:
 
   methods@1.1.2: {}
 
-  micromark-extension-footnote@0.3.2:
-    dependencies:
-      micromark: 2.11.4
-    transitivePeerDependencies:
-      - supports-color
-
   micromark-extension-frontmatter@0.2.2:
     dependencies:
       fault: 1.0.4
@@ -16793,7 +16862,7 @@ snapshots:
 
   micromark@2.11.4:
     dependencies:
-      debug: 4.4.1
+      debug: 4.4.3
       parse-entities: 2.0.0
     transitivePeerDependencies:
       - supports-color
@@ -16801,7 +16870,7 @@ snapshots:
   micromatch@4.0.8:
     dependencies:
       braces: 3.0.3
-      picomatch: 2.3.1
+      picomatch: 2.3.2
 
   mime-db@1.52.0: {}
 
@@ -16811,62 +16880,65 @@ snapshots:
     dependencies:
       mime-db: 1.52.0
 
+  mime-types@3.0.2:
+    dependencies:
+      mime-db: 1.54.0
+
   mime@1.6.0: {}
 
   mimic-fn@1.2.0: {}
 
   mimic-fn@2.1.0: {}
 
+  mimic-fn@3.1.0: {}
+
   mimic-fn@4.0.0: {}
 
   mimic-function@5.0.1: {}
 
-  mini-css-extract-plugin@2.9.2(webpack@5.94.0):
+  mini-css-extract-plugin@2.10.2(webpack@5.107.2):
     dependencies:
-      schema-utils: 4.3.2
-      tapable: 2.2.2
-      webpack: 5.94.0(webpack-cli@6.0.1)
+      schema-utils: 4.3.3
+      tapable: 2.3.3
+      webpack: 5.107.2(webpack-cli@6.0.1)
 
-  minimatch@3.1.2:
+  minimatch@10.2.5:
     dependencies:
-      brace-expansion: 1.1.11
+      brace-expansion: 5.0.6
 
-  minimatch@5.1.6:
+  minimatch@3.1.5:
     dependencies:
-      brace-expansion: 2.0.1
+      brace-expansion: 1.1.15
 
-  minimatch@7.4.6:
+  minimatch@5.1.9:
     dependencies:
-      brace-expansion: 2.0.1
+      brace-expansion: 2.1.1
 
-  minimatch@8.0.4:
+  minimatch@7.4.9:
     dependencies:
-      brace-expansion: 2.0.1
+      brace-expansion: 2.1.1
 
-  minimatch@9.0.5:
+  minimatch@8.0.7:
     dependencies:
-      brace-expansion: 2.0.1
+      brace-expansion: 2.1.1
+
+  minimatch@9.0.9:
+    dependencies:
+      brace-expansion: 2.1.1
 
   minimist@1.2.8: {}
 
-  minipass@2.9.0:
-    dependencies:
-      safe-buffer: 5.2.1
-      yallist: 3.1.1
-
   minipass@4.2.8: {}
 
-  minipass@7.1.2: {}
+  minipass@7.1.3: {}
 
   miragejs@0.1.48:
     dependencies:
       '@miragejs/pretender-node-polyfill': 0.1.2
       inflected: 2.1.0
-      lodash: 4.17.23
+      lodash: 4.18.0
       pretender: 3.4.7
 
-  mkdirp2@1.0.5: {}
-
   mkdirp@0.5.6:
     dependencies:
       minimist: 1.2.8
@@ -16875,17 +16947,17 @@ snapshots:
 
   mkdirp@3.0.1: {}
 
-  mktemp@0.4.0: {}
+  mktemp@2.0.3: {}
 
-  moo@0.5.2: {}
+  moo@0.5.3: {}
 
-  morgan@1.10.0:
+  morgan@1.10.1:
     dependencies:
       basic-auth: 2.0.1
       debug: 2.6.9
       depd: 2.0.0
       on-finished: 2.3.0
-      on-headers: 1.0.2
+      on-headers: 1.1.0
     transitivePeerDependencies:
       - supports-color
 
@@ -16907,9 +16979,9 @@ snapshots:
 
   mute-stream@1.0.0: {}
 
-  nano-spawn@1.0.2: {}
+  nano-spawn@1.0.3: {}
 
-  nanoid@3.3.11: {}
+  nanoid@3.3.12: {}
 
   natural-compare-lite@1.4.0: {}
 
@@ -16919,6 +16991,8 @@ snapshots:
 
   negotiator@0.6.4: {}
 
+  negotiator@1.0.0: {}
+
   neo-async@2.6.2: {}
 
   nice-try@1.0.5: {}
@@ -16939,19 +17013,16 @@ snapshots:
     dependencies:
       growly: 1.3.0
       is-wsl: 2.2.0
-      semver: 7.7.2
+      semver: 7.8.1
       shellwords: 0.1.1
       uuid: 8.3.2
       which: 2.0.2
 
-  node-releases@2.0.19: {}
+  node-releases@2.0.46: {}
 
   node-watch@0.7.3: {}
 
-  nomnom@1.8.1:
-    dependencies:
-      chalk: 0.4.0
-      underscore: 1.13.7
+  node@runtime:20.20.2: {}
 
   nopt@3.0.6:
     dependencies:
@@ -16967,7 +17038,7 @@ snapshots:
     dependencies:
       hosted-git-info: 6.1.3
       proc-log: 3.0.0
-      semver: 7.7.2
+      semver: 7.8.1
       validate-npm-package-name: 5.0.1
 
   npm-run-path@2.0.2:
@@ -16986,12 +17057,10 @@ snapshots:
     dependencies:
       path-key: 4.0.0
 
-  npmlog@6.0.2:
+  npm-run-path@6.0.0:
     dependencies:
-      are-we-there-yet: 3.0.1
-      console-control-strings: 1.1.0
-      gauge: 4.0.4
-      set-blocking: 2.0.0
+      path-key: 4.0.0
+      unicorn-magic: 0.3.0
 
   npmlog@7.0.1:
     dependencies:
@@ -17002,22 +17071,18 @@ snapshots:
 
   object-assign@4.1.1: {}
 
-  object-get@2.1.1: {}
-
   object-hash@1.3.1: {}
 
   object-inspect@1.13.4: {}
 
   object-keys@1.1.1: {}
 
-  object-to-spawn-args@2.0.1: {}
-
   object.assign@4.1.7:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       define-properties: 1.2.1
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
       has-symbols: 1.1.0
       object-keys: 1.1.1
 
@@ -17029,7 +17094,7 @@ snapshots:
     dependencies:
       ee-first: 1.1.1
 
-  on-headers@1.0.2: {}
+  on-headers@1.1.0: {}
 
   once@1.4.0:
     dependencies:
@@ -17119,7 +17184,7 @@ snapshots:
 
   p-limit@4.0.0:
     dependencies:
-      yocto-queue: 1.2.1
+      yocto-queue: 1.2.2
 
   p-locate@2.0.0:
     dependencies:
@@ -17162,11 +17227,13 @@ snapshots:
 
   parse-json@5.2.0:
     dependencies:
-      '@babel/code-frame': 7.27.1
-      error-ex: 1.3.2
+      '@babel/code-frame': 7.29.7
+      error-ex: 1.3.4
       json-parse-even-better-errors: 2.3.1
       lines-and-columns: 1.2.4
 
+  parse-ms@4.0.0: {}
+
   parse-passwd@1.0.0: {}
 
   parse-static-imports@1.1.0: {}
@@ -17202,9 +17269,16 @@ snapshots:
   path-scurry@1.11.1:
     dependencies:
       lru-cache: 10.4.3
-      minipass: 7.1.2
+      minipass: 7.1.3
 
-  path-to-regexp@0.1.12: {}
+  path-scurry@2.0.2:
+    dependencies:
+      lru-cache: 11.5.0
+      minipass: 7.1.3
+
+  path-to-regexp@0.1.13: {}
+
+  path-to-regexp@8.4.2: {}
 
   path-type@4.0.0: {}
 
@@ -17212,7 +17286,10 @@ snapshots:
 
   picocolors@1.1.1: {}
 
-  picomatch@2.3.1: {}
+  picomatch@2.3.2: {}
+
+  picomatch@4.0.4:
+    optional: true
 
   pidtree@0.6.0: {}
 
@@ -17240,75 +17317,75 @@ snapshots:
 
   pkijs@2.4.0:
     dependencies:
-      asn1js: 3.0.6
+      asn1js: 3.0.10
       bytestreamjs: 1.1.3
-      pvutils: 1.1.3
+      pvutils: 1.1.5
 
-  playwright-core@1.58.0: {}
+  playwright-core@1.60.0: {}
 
-  playwright@1.58.0:
+  playwright@1.60.0:
     dependencies:
-      playwright-core: 1.58.0
+      playwright-core: 1.60.0
     optionalDependencies:
       fsevents: 2.3.2
 
-  portfinder@1.0.37:
+  portfinder@1.0.38:
     dependencies:
       async: 2.6.4
-      debug: 4.4.1
+      debug: 4.4.3
     transitivePeerDependencies:
       - supports-color
 
   possible-typed-array-names@1.1.0: {}
 
-  postcss-modules-extract-imports@3.1.0(postcss@8.5.3):
+  postcss-modules-extract-imports@3.1.0(postcss@8.5.15):
     dependencies:
-      postcss: 8.5.3
+      postcss: 8.5.15
 
-  postcss-modules-local-by-default@4.2.0(postcss@8.5.3):
+  postcss-modules-local-by-default@4.2.0(postcss@8.5.15):
     dependencies:
-      icss-utils: 5.1.0(postcss@8.5.3)
-      postcss: 8.5.3
-      postcss-selector-parser: 7.1.0
+      icss-utils: 5.1.0(postcss@8.5.15)
+      postcss: 8.5.15
+      postcss-selector-parser: 7.1.1
       postcss-value-parser: 4.2.0
 
-  postcss-modules-scope@3.2.1(postcss@8.5.3):
+  postcss-modules-scope@3.2.1(postcss@8.5.15):
     dependencies:
-      postcss: 8.5.3
-      postcss-selector-parser: 7.1.0
+      postcss: 8.5.15
+      postcss-selector-parser: 7.1.1
 
-  postcss-modules-values@4.0.0(postcss@8.5.3):
+  postcss-modules-values@4.0.0(postcss@8.5.15):
     dependencies:
-      icss-utils: 5.1.0(postcss@8.5.3)
-      postcss: 8.5.3
+      icss-utils: 5.1.0(postcss@8.5.15)
+      postcss: 8.5.15
 
   postcss-resolve-nested-selector@0.1.6: {}
 
-  postcss-safe-parser@7.0.1(postcss@8.5.3):
+  postcss-safe-parser@7.0.1(postcss@8.5.15):
     dependencies:
-      postcss: 8.5.3
+      postcss: 8.5.15
 
-  postcss-selector-parser@7.1.0:
+  postcss-selector-parser@7.1.1:
     dependencies:
       cssesc: 3.0.0
       util-deprecate: 1.0.2
 
   postcss-value-parser@4.2.0: {}
 
-  postcss@8.5.3:
+  postcss@8.5.15:
     dependencies:
-      nanoid: 3.3.11
+      nanoid: 3.3.12
       picocolors: 1.1.1
       source-map-js: 1.2.1
 
   posthog-js@1.236.1:
     dependencies:
-      core-js: 3.41.0
+      core-js: 3.49.0
       fflate: 0.4.8
-      preact: 10.28.2
+      preact: 10.29.2
       web-vitals: 4.2.4
 
-  preact@10.28.2: {}
+  preact@10.29.2: {}
 
   prelude-ls@1.2.1: {}
 
@@ -17326,7 +17403,7 @@ snapshots:
       camelcase-keys: 7.0.2
       chalk: 4.1.2
       common-tags: 1.8.2
-      core-js: 3.41.0
+      core-js: 3.49.0
       eslint: 8.57.1
       find-up: 5.0.0
       get-stdin: 8.0.0
@@ -17361,7 +17438,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  prettier-linter-helpers@1.0.0:
+  prettier-linter-helpers@1.0.1:
     dependencies:
       fast-diff: 1.3.0
 
@@ -17374,6 +17451,10 @@ snapshots:
       ansi-regex: 3.0.1
       ansi-styles: 3.2.1
 
+  pretty-ms@9.3.0:
+    dependencies:
+      parse-ms: 4.0.0
+
   printf@0.6.1: {}
 
   prismjs@1.30.0: {}
@@ -17382,6 +17463,8 @@ snapshots:
 
   proc-log@3.0.0: {}
 
+  proc-log@6.1.0: {}
+
   process-relative-require@1.0.0:
     dependencies:
       node-modules-path: 1.0.2
@@ -17396,9 +17479,9 @@ snapshots:
 
   promise.prototype.finally@3.1.8:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       define-properties: 1.2.1
-      es-abstract: 1.23.10
+      es-abstract: 1.24.2
       es-errors: 1.3.0
       set-function-name: 2.0.2
 
@@ -17417,9 +17500,9 @@ snapshots:
       forwarded: 0.2.0
       ipaddr.js: 1.9.1
 
-  pump@3.0.2:
+  pump@3.0.4:
     dependencies:
-      end-of-stream: 1.4.4
+      end-of-stream: 1.4.5
       once: 1.4.0
 
   punycode.js@2.3.1: {}
@@ -17430,7 +17513,11 @@ snapshots:
     dependencies:
       tslib: 2.8.1
 
-  pvutils@1.1.3: {}
+  pvutils@1.1.5: {}
+
+  qified@0.10.1:
+    dependencies:
+      hookified: 2.2.0
 
   qs@6.14.1:
     dependencies:
@@ -17440,10 +17527,10 @@ snapshots:
 
   quick-lru@5.1.1: {}
 
-  quick-temp@0.1.8:
+  quick-temp@0.1.9:
     dependencies:
-      mktemp: 0.4.0
-      rimraf: 2.7.1
+      mktemp: 2.0.3
+      rimraf: 5.0.10
       underscore.string: 3.3.6
 
   qunit-dom@3.4.0:
@@ -17452,16 +17539,12 @@ snapshots:
 
   qunit-theme-ember@1.0.0: {}
 
-  qunit@2.24.1:
+  qunit@2.24.3:
     dependencies:
       commander: 7.2.0
       node-watch: 0.7.3
       tiny-glob: 0.2.9
 
-  randombytes@2.1.0:
-    dependencies:
-      safe-buffer: 5.2.1
-
   range-parser@1.2.1: {}
 
   raw-body@1.1.7:
@@ -17469,13 +17552,20 @@ snapshots:
       bytes: 1.0.0
       string_decoder: 0.10.31
 
-  raw-body@2.5.2:
+  raw-body@2.5.3:
     dependencies:
       bytes: 3.1.2
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       iconv-lite: 0.4.24
       unpipe: 1.0.0
 
+  raw-body@3.0.2:
+    dependencies:
+      bytes: 3.1.2
+      http-errors: 2.0.1
+      iconv-lite: 0.7.2
+      unpipe: 1.0.0
+
   readable-stream@1.0.34:
     dependencies:
       core-util-is: 1.0.3
@@ -17491,10 +17581,10 @@ snapshots:
 
   readdirp@3.6.0:
     dependencies:
-      picomatch: 2.3.1
+      picomatch: 2.3.2
     optional: true
 
-  readdirp@4.1.2: {}
+  readdirp@5.0.0: {}
 
   recast@0.18.10:
     dependencies:
@@ -17505,34 +17595,24 @@ snapshots:
 
   rechoir@0.8.0:
     dependencies:
-      resolve: 1.22.10
+      resolve: 1.22.12
 
   redeyed@1.0.1:
     dependencies:
       esprima: 3.0.0
 
-  reduce-flatten@1.0.1: {}
-
-  reduce-flatten@3.0.1: {}
-
-  reduce-unique@2.0.1: {}
-
-  reduce-without@1.0.1:
-    dependencies:
-      test-value: 2.1.0
-
   reflect.getprototypeof@1.0.10:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       define-properties: 1.2.1
-      es-abstract: 1.23.10
+      es-abstract: 1.24.2
       es-errors: 1.3.0
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
       get-intrinsic: 1.3.0
       get-proto: 1.0.1
       which-builtin-type: 1.2.1
 
-  regenerate-unicode-properties@10.2.0:
+  regenerate-unicode-properties@10.2.2:
     dependencies:
       regenerate: 1.4.2
 
@@ -17544,27 +17624,27 @@ snapshots:
 
   regexp.prototype.flags@1.5.4:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       define-properties: 1.2.1
       es-errors: 1.3.0
       get-proto: 1.0.1
       gopd: 1.2.0
       set-function-name: 2.0.2
 
-  regexpu-core@6.2.0:
+  regexpu-core@6.4.0:
     dependencies:
       regenerate: 1.4.2
-      regenerate-unicode-properties: 10.2.0
+      regenerate-unicode-properties: 10.2.2
       regjsgen: 0.8.0
-      regjsparser: 0.12.0
+      regjsparser: 0.13.1
       unicode-match-property-ecmascript: 2.0.0
-      unicode-match-property-value-ecmascript: 2.2.0
+      unicode-match-property-value-ecmascript: 2.2.1
 
   regjsgen@0.8.0: {}
 
-  regjsparser@0.12.0:
+  regjsparser@0.13.1:
     dependencies:
-      jsesc: 3.0.2
+      jsesc: 3.1.0
 
   rehype-stringify@8.0.0:
     dependencies:
@@ -17572,13 +17652,6 @@ snapshots:
 
   remark-extract-frontmatter@3.2.0: {}
 
-  remark-footnotes@3.0.0:
-    dependencies:
-      mdast-util-footnote: 0.1.7
-      micromark-extension-footnote: 0.3.2
-    transitivePeerDependencies:
-      - supports-color
-
   remark-frontmatter@3.0.0:
     dependencies:
       mdast-util-frontmatter: 0.2.0
@@ -17620,9 +17693,9 @@ snapshots:
 
   remove-types@1.0.0:
     dependencies:
-      '@babel/core': 7.27.1
-      '@babel/plugin-syntax-decorators': 7.27.1(@babel/core@7.27.1)
-      '@babel/plugin-transform-typescript': 7.27.1(@babel/core@7.27.1)
+      '@babel/core': 7.26.10
+      '@babel/plugin-syntax-decorators': 7.29.7(@babel/core@7.26.10)
+      '@babel/plugin-transform-typescript': 7.29.7(@babel/core@7.26.10)
       prettier: 2.8.8
     transitivePeerDependencies:
       - supports-color
@@ -17641,10 +17714,6 @@ snapshots:
 
   requires-port@1.0.0: {}
 
-  requizzle@0.2.4:
-    dependencies:
-      lodash: 4.17.23
-
   reselect@3.0.1: {}
 
   reselect@4.1.8: {}
@@ -17665,17 +17734,17 @@ snapshots:
   resolve-package-path@1.2.7:
     dependencies:
       path-root: 0.1.1
-      resolve: 1.22.10
+      resolve: 1.22.12
 
   resolve-package-path@2.0.0:
     dependencies:
       path-root: 0.1.1
-      resolve: 1.22.10
+      resolve: 1.22.12
 
   resolve-package-path@3.1.0:
     dependencies:
       path-root: 0.1.1
-      resolve: 1.22.10
+      resolve: 1.22.12
 
   resolve-package-path@4.0.3:
     dependencies:
@@ -17690,9 +17759,10 @@ snapshots:
 
   resolve.exports@2.0.3: {}
 
-  resolve@1.22.10:
+  resolve@1.22.12:
     dependencies:
-      is-core-module: 2.16.1
+      es-errors: 1.3.0
+      is-core-module: 2.16.2
       path-parse: 1.0.7
       supports-preserve-symlinks-flag: 1.0.0
 
@@ -17733,18 +17803,33 @@ snapshots:
     dependencies:
       glob: 10.5.0
 
-  robust-predicates@3.0.2: {}
+  rimraf@6.1.3:
+    dependencies:
+      glob: 13.0.6
+      package-json-from-dist: 1.0.1
+
+  robust-predicates@3.0.3: {}
 
   rollup-pluginutils@2.8.2:
     dependencies:
       estree-walker: 0.6.1
 
-  rollup@2.79.2:
+  rollup@2.80.0:
     optionalDependencies:
       fsevents: 2.3.3
 
   route-recognizer@0.3.4: {}
 
+  router@2.2.0:
+    dependencies:
+      debug: 4.4.3
+      depd: 2.0.0
+      is-promise: 4.0.0
+      parseurl: 1.3.3
+      path-to-regexp: 8.4.2
+    transitivePeerDependencies:
+      - supports-color
+
   router_js@8.0.6(route-recognizer@0.3.4)(rsvp@4.8.5):
     dependencies:
       '@glimmer/env': 0.1.7
@@ -17775,9 +17860,9 @@ snapshots:
     dependencies:
       tslib: 2.8.1
 
-  safe-array-concat@1.1.3:
+  safe-array-concat@1.1.4:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       get-intrinsic: 1.3.0
       has-symbols: 1.1.0
@@ -17830,77 +17915,88 @@ snapshots:
       minimist: 1.2.8
       walker: 1.0.8
 
-  sass@1.88.0:
+  sass@1.100.0:
     dependencies:
-      chokidar: 4.0.3
-      immutable: 5.1.2
+      chokidar: 5.0.0
+      immutable: 5.1.5
       source-map-js: 1.2.1
     optionalDependencies:
-      '@parcel/watcher': 2.5.1
-
-  sass@1.89.0:
-    dependencies:
-      chokidar: 4.0.3
-      immutable: 5.1.2
-      source-map-js: 1.2.1
-    optionalDependencies:
-      '@parcel/watcher': 2.5.1
+      '@parcel/watcher': 2.5.6
 
   schema-utils@2.7.1:
     dependencies:
       '@types/json-schema': 7.0.15
-      ajv: 6.12.6
-      ajv-keywords: 3.5.2(ajv@6.12.6)
+      ajv: 6.15.0
+      ajv-keywords: 3.5.2(ajv@6.15.0)
 
   schema-utils@3.3.0:
     dependencies:
       '@types/json-schema': 7.0.15
-      ajv: 6.12.6
-      ajv-keywords: 3.5.2(ajv@6.12.6)
+      ajv: 6.15.0
+      ajv-keywords: 3.5.2(ajv@6.15.0)
 
-  schema-utils@4.3.2:
+  schema-utils@4.3.3:
     dependencies:
       '@types/json-schema': 7.0.15
-      ajv: 8.17.1
+      ajv: 8.20.0
       ajv-formats: 2.1.1
-      ajv-keywords: 5.1.0(ajv@8.17.1)
+      ajv-keywords: 5.1.0(ajv@8.20.0)
 
   semver@5.7.2: {}
 
   semver@6.3.1: {}
 
-  semver@7.7.2: {}
+  semver@7.8.1: {}
 
-  semver@7.7.3: {}
-
-  send@0.19.0:
+  send@0.19.2:
     dependencies:
       debug: 2.6.9
       depd: 2.0.0
       destroy: 1.2.0
-      encodeurl: 1.0.2
+      encodeurl: 2.0.0
       escape-html: 1.0.3
       etag: 1.8.1
       fresh: 0.5.2
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       mime: 1.6.0
       ms: 2.1.3
       on-finished: 2.4.1
       range-parser: 1.2.1
-      statuses: 2.0.1
+      statuses: 2.0.2
     transitivePeerDependencies:
       - supports-color
 
-  serialize-javascript@3.1.0:
+  send@1.2.1:
     dependencies:
-      randombytes: 2.1.0
+      debug: 4.4.3
+      encodeurl: 2.0.0
+      escape-html: 1.0.3
+      etag: 1.8.1
+      fresh: 2.0.0
+      http-errors: 2.0.1
+      mime-types: 3.0.2
+      ms: 2.1.3
+      on-finished: 2.4.1
+      range-parser: 1.2.1
+      statuses: 2.0.2
+    transitivePeerDependencies:
+      - supports-color
 
-  serve-static@1.16.2:
+  serve-static@1.16.3:
     dependencies:
       encodeurl: 2.0.0
       escape-html: 1.0.3
       parseurl: 1.3.3
-      send: 0.19.0
+      send: 0.19.2
+    transitivePeerDependencies:
+      - supports-color
+
+  serve-static@2.2.1:
+    dependencies:
+      encodeurl: 2.0.0
+      escape-html: 1.0.3
+      parseurl: 1.3.3
+      send: 1.2.1
     transitivePeerDependencies:
       - supports-color
 
@@ -17926,7 +18022,7 @@ snapshots:
     dependencies:
       dunder-proto: 1.0.1
       es-errors: 1.3.0
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
 
   setprototypeof@1.1.0: {}
 
@@ -17948,11 +18044,11 @@ snapshots:
 
   shebang-regex@3.0.0: {}
 
-  shell-quote@1.8.2: {}
+  shell-quote@1.8.4: {}
 
   shellwords@0.1.1: {}
 
-  side-channel-list@1.0.0:
+  side-channel-list@1.0.1:
     dependencies:
       es-errors: 1.3.0
       object-inspect: 1.13.4
@@ -17976,7 +18072,7 @@ snapshots:
     dependencies:
       es-errors: 1.3.0
       object-inspect: 1.13.4
-      side-channel-list: 1.0.0
+      side-channel-list: 1.0.1
       side-channel-map: 1.0.1
       side-channel-weakmap: 1.0.2
 
@@ -17996,7 +18092,7 @@ snapshots:
     dependencies:
       '@sinonjs/commons': 3.0.1
       '@sinonjs/fake-timers': 13.0.5
-      '@sinonjs/samsam': 8.0.2
+      '@sinonjs/samsam': 8.0.3
       diff: 7.0.0
       supports-color: 7.2.0
 
@@ -18014,54 +18110,49 @@ snapshots:
 
   slice-ansi@5.0.0:
     dependencies:
-      ansi-styles: 6.2.1
+      ansi-styles: 6.2.3
       is-fullwidth-code-point: 4.0.0
 
-  slice-ansi@7.1.0:
+  slice-ansi@7.1.2:
     dependencies:
-      ansi-styles: 6.2.1
-      is-fullwidth-code-point: 5.0.0
+      ansi-styles: 6.2.3
+      is-fullwidth-code-point: 5.1.0
 
   snake-case@3.0.4:
     dependencies:
       dot-case: 3.0.4
       tslib: 2.8.1
 
-  socket.io-adapter@2.5.5:
+  socket.io-adapter@2.5.7:
     dependencies:
-      debug: 4.3.7
-      ws: 8.17.1
+      debug: 4.4.3
+      ws: 8.20.1
     transitivePeerDependencies:
       - bufferutil
       - supports-color
       - utf-8-validate
 
-  socket.io-parser@4.2.4:
+  socket.io-parser@4.2.6:
     dependencies:
       '@socket.io/component-emitter': 3.1.2
-      debug: 4.3.7
+      debug: 4.4.3
     transitivePeerDependencies:
       - supports-color
 
-  socket.io@4.8.1:
+  socket.io@4.8.3:
     dependencies:
       accepts: 1.3.8
       base64id: 2.0.0
-      cors: 2.8.5
-      debug: 4.3.7
-      engine.io: 6.6.4
-      socket.io-adapter: 2.5.5
-      socket.io-parser: 4.2.4
+      cors: 2.8.6
+      debug: 4.4.3
+      engine.io: 6.6.8
+      socket.io-adapter: 2.5.7
+      socket.io-parser: 4.2.6
     transitivePeerDependencies:
       - bufferutil
       - supports-color
       - utf-8-validate
 
-  sort-array@5.0.0:
-    dependencies:
-      array-back: 6.2.2
-      typical: 7.3.0
-
   sort-object-keys@1.1.3: {}
 
   sort-package-json@1.57.0:
@@ -18096,27 +18187,24 @@ snapshots:
 
   spawn-args@0.2.0: {}
 
-  sprintf-js@1.0.3: {}
-
   sprintf-js@1.1.3: {}
 
   sri-toolbox@0.2.0: {}
 
   stagehand@1.0.1:
     dependencies:
-      debug: 4.4.1
+      debug: 4.4.3
     transitivePeerDependencies:
       - supports-color
 
   statuses@1.5.0: {}
 
-  statuses@2.0.1: {}
+  statuses@2.0.2: {}
 
-  stream-connect@1.0.2:
+  stop-iteration-iterator@1.1.0:
     dependencies:
-      array-back: 1.0.4
-
-  stream-via@1.0.4: {}
+      es-errors: 1.3.0
+      internal-slot: 1.1.0
 
   string-argv@0.3.2: {}
 
@@ -18143,22 +18231,22 @@ snapshots:
     dependencies:
       eastasianwidth: 0.2.0
       emoji-regex: 9.2.2
-      strip-ansi: 7.1.0
+      strip-ansi: 7.2.0
 
   string-width@7.2.0:
     dependencies:
-      emoji-regex: 10.4.0
-      get-east-asian-width: 1.3.0
-      strip-ansi: 7.1.0
+      emoji-regex: 10.6.0
+      get-east-asian-width: 1.6.0
+      strip-ansi: 7.2.0
 
   string.prototype.matchall@4.0.12:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       define-properties: 1.2.1
-      es-abstract: 1.23.10
+      es-abstract: 1.24.2
       es-errors: 1.3.0
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
       get-intrinsic: 1.3.0
       gopd: 1.2.0
       has-symbols: 1.1.0
@@ -18169,26 +18257,26 @@ snapshots:
 
   string.prototype.trim@1.2.10:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       define-data-property: 1.1.4
       define-properties: 1.2.1
-      es-abstract: 1.23.10
-      es-object-atoms: 1.1.1
+      es-abstract: 1.24.2
+      es-object-atoms: 1.1.2
       has-property-descriptors: 1.0.2
 
   string.prototype.trimend@1.0.9:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       define-properties: 1.2.1
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
 
   string.prototype.trimstart@1.0.8:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       define-properties: 1.2.1
-      es-object-atoms: 1.1.1
+      es-object-atoms: 1.1.2
 
   string_decoder@0.10.31: {}
 
@@ -18202,8 +18290,6 @@ snapshots:
       character-entities-legacy: 1.1.4
       xtend: 4.0.2
 
-  strip-ansi@0.1.1: {}
-
   strip-ansi@3.0.1:
     dependencies:
       ansi-regex: 2.1.1
@@ -18220,9 +18306,9 @@ snapshots:
     dependencies:
       ansi-regex: 5.0.1
 
-  strip-ansi@7.1.0:
+  strip-ansi@7.2.0:
     dependencies:
-      ansi-regex: 6.1.0
+      ansi-regex: 6.2.2
 
   strip-bom@4.0.0: {}
 
@@ -18232,56 +18318,58 @@ snapshots:
 
   strip-final-newline@3.0.0: {}
 
+  strip-final-newline@4.0.0: {}
+
   strip-json-comments@3.1.1: {}
 
   strip-test-selectors@0.1.0: {}
 
-  style-loader@2.0.0(webpack@5.94.0):
+  style-loader@2.0.0(webpack@5.107.2):
     dependencies:
       loader-utils: 2.0.4
       schema-utils: 3.3.0
-      webpack: 5.94.0(webpack-cli@6.0.1)
+      webpack: 5.107.2(webpack-cli@6.0.1)
 
-  style-mod@4.1.2: {}
+  style-mod@4.1.3: {}
 
   styled_string@0.0.1: {}
 
-  stylelint-config-recommended@16.0.0(stylelint@16.19.1(typescript@5.5.4)):
+  stylelint-config-recommended@16.0.0(stylelint@16.19.1(typescript@5.6.3)):
     dependencies:
-      stylelint: 16.19.1(typescript@5.5.4)
+      stylelint: 16.19.1(typescript@5.6.3)
 
-  stylelint-config-standard@38.0.0(stylelint@16.19.1(typescript@5.5.4)):
+  stylelint-config-standard@38.0.0(stylelint@16.19.1(typescript@5.6.3)):
     dependencies:
-      stylelint: 16.19.1(typescript@5.5.4)
-      stylelint-config-recommended: 16.0.0(stylelint@16.19.1(typescript@5.5.4))
+      stylelint: 16.19.1(typescript@5.6.3)
+      stylelint-config-recommended: 16.0.0(stylelint@16.19.1(typescript@5.6.3))
 
-  stylelint-prettier@5.0.3(prettier@3.0.3)(stylelint@16.19.1(typescript@5.5.4)):
+  stylelint-prettier@5.0.3(prettier@3.0.3)(stylelint@16.19.1(typescript@5.6.3)):
     dependencies:
       prettier: 3.0.3
-      prettier-linter-helpers: 1.0.0
-      stylelint: 16.19.1(typescript@5.5.4)
+      prettier-linter-helpers: 1.0.1
+      stylelint: 16.19.1(typescript@5.6.3)
 
-  stylelint@16.19.1(typescript@5.5.4):
+  stylelint@16.19.1(typescript@5.6.3):
     dependencies:
-      '@csstools/css-parser-algorithms': 3.0.4(@csstools/css-tokenizer@3.0.3)
-      '@csstools/css-tokenizer': 3.0.3
-      '@csstools/media-query-list-parser': 4.0.2(@csstools/css-parser-algorithms@3.0.4(@csstools/css-tokenizer@3.0.3))(@csstools/css-tokenizer@3.0.3)
-      '@csstools/selector-specificity': 5.0.0(postcss-selector-parser@7.1.0)
-      '@dual-bundle/import-meta-resolve': 4.1.0
+      '@csstools/css-parser-algorithms': 3.0.5(@csstools/css-tokenizer@3.0.4)
+      '@csstools/css-tokenizer': 3.0.4
+      '@csstools/media-query-list-parser': 4.0.3(@csstools/css-parser-algorithms@3.0.5(@csstools/css-tokenizer@3.0.4))(@csstools/css-tokenizer@3.0.4)
+      '@csstools/selector-specificity': 5.0.0(postcss-selector-parser@7.1.1)
+      '@dual-bundle/import-meta-resolve': 4.2.1
       balanced-match: 2.0.0
       colord: 2.9.3
-      cosmiconfig: 9.0.0(typescript@5.5.4)
-      css-functions-list: 3.2.3
-      css-tree: 3.1.0
-      debug: 4.4.1
+      cosmiconfig: 9.0.1(typescript@5.6.3)
+      css-functions-list: 3.3.3
+      css-tree: 3.2.1
+      debug: 4.4.3
       fast-glob: 3.3.3
       fastest-levenshtein: 1.0.16
-      file-entry-cache: 10.1.0
+      file-entry-cache: 10.1.4
       global-modules: 2.0.0
       globby: 11.1.0
       globjoin: 0.1.4
       html-tags: 3.3.1
-      ignore: 7.0.4
+      ignore: 7.0.5
       imurmurhash: 0.1.4
       is-plain-object: 5.0.0
       known-css-properties: 0.36.0
@@ -18290,10 +18378,10 @@ snapshots:
       micromatch: 4.0.8
       normalize-path: 3.0.0
       picocolors: 1.1.1
-      postcss: 8.5.3
+      postcss: 8.5.15
       postcss-resolve-nested-selector: 0.1.6
-      postcss-safe-parser: 7.0.1(postcss@8.5.3)
-      postcss-selector-parser: 7.1.0
+      postcss-safe-parser: 7.0.1(postcss@8.5.15)
+      postcss-selector-parser: 7.1.1
       postcss-value-parser: 4.2.0
       resolve-from: 5.0.0
       string-width: 4.2.3
@@ -18350,7 +18438,7 @@ snapshots:
 
   sync-disk-cache@2.1.0:
     dependencies:
-      debug: 4.4.1
+      debug: 4.4.3
       heimdalljs: 0.2.6
       mkdirp: 0.5.6
       rimraf: 3.0.2
@@ -18358,109 +18446,89 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  synckit@0.11.6:
+  synckit@0.11.12:
     dependencies:
-      '@pkgr/core': 0.2.4
+      '@pkgr/core': 0.2.9
 
-  tabbable@5.3.3: {}
-
-  tabbable@6.2.0: {}
-
-  table-layout@0.4.5:
-    dependencies:
-      array-back: 2.0.0
-      deep-extend: 0.6.0
-      lodash.padend: 4.6.1
-      typical: 2.6.1
-      wordwrapjs: 3.0.0
+  tabbable@6.4.0: {}
 
   table@6.9.0:
     dependencies:
-      ajv: 8.17.1
+      ajv: 8.20.0
       lodash.truncate: 4.4.2
       slice-ansi: 4.0.0
       string-width: 4.2.3
       strip-ansi: 6.0.1
 
-  tap-parser@7.0.0:
+  tap-parser@18.3.4:
     dependencies:
-      events-to-array: 1.1.2
-      js-yaml: 3.14.2
-      minipass: 2.9.0
+      events-to-array: 2.0.3
+      tap-yaml: 4.4.2
 
-  tapable@2.2.2: {}
+  tap-yaml@4.4.2:
+    dependencies:
+      yaml: 2.9.0
+      yaml-types: 0.4.0(yaml@2.9.0)
 
-  temp-path@1.0.0: {}
+  tapable@2.3.3: {}
 
   temp@0.9.4:
     dependencies:
       mkdirp: 0.5.6
       rimraf: 2.6.3
 
-  terser-webpack-plugin@5.3.14(webpack@5.94.0):
+  terser-webpack-plugin@5.6.0(webpack@5.107.2):
     dependencies:
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/trace-mapping': 0.3.31
       jest-worker: 27.5.1
-      schema-utils: 4.3.2
-      serialize-javascript: 3.1.0
-      terser: 5.39.2
-      webpack: 5.94.0(webpack-cli@6.0.1)
+      schema-utils: 4.3.3
+      terser: 5.48.0
+      webpack: 5.107.2(webpack-cli@6.0.1)
 
   terser@4.8.1:
     dependencies:
-      acorn: 8.14.1
+      acorn: 8.16.0
       commander: 2.20.3
       source-map: 0.6.1
       source-map-support: 0.5.21
 
-  terser@5.39.2:
+  terser@5.48.0:
     dependencies:
-      '@jridgewell/source-map': 0.3.6
-      acorn: 8.14.1
+      '@jridgewell/source-map': 0.3.11
+      acorn: 8.16.0
       commander: 2.20.3
       source-map-support: 0.5.21
 
-  test-value@2.1.0:
+  testem@3.20.0(@babel/core@7.26.10)(handlebars@4.7.9)(underscore@1.13.8):
     dependencies:
-      array-back: 1.0.4
-      typical: 2.6.1
-
-  test-value@3.0.0:
-    dependencies:
-      array-back: 2.0.0
-      typical: 2.6.1
-
-  testem@3.16.0(handlebars@4.7.8)(underscore@1.13.7):
-    dependencies:
-      '@xmldom/xmldom': 0.8.10
+      '@xmldom/xmldom': 0.9.10
       backbone: 1.6.1
-      bluebird: 3.7.2
       charm: 1.0.2
-      commander: 2.20.3
-      compression: 1.8.0
-      consolidate: 0.16.0(handlebars@4.7.8)(lodash@4.17.23)(mustache@4.2.0)(underscore@1.13.7)
-      execa: 1.0.0
-      express: 4.22.1
-      fireworm: 0.7.2
-      glob: 7.2.3
+      chokidar: 5.0.0
+      commander: 14.0.3
+      compression: 1.8.1
+      consolidate: 1.0.4(@babel/core@7.26.10)(handlebars@4.7.9)(lodash@4.18.0)(mustache@4.2.0)(underscore@1.13.8)
+      execa: 9.6.1
+      express: 5.2.1
+      glob: 13.0.6
       http-proxy: 1.18.1
-      js-yaml: 3.14.2
-      lodash: 4.17.23
+      js-yaml: 4.1.1
+      lodash: 4.18.0
+      minimatch: 10.2.5
       mkdirp: 3.0.1
       mustache: 4.2.0
       node-notifier: 10.0.1
-      npmlog: 6.0.2
       printf: 0.6.1
-      rimraf: 3.0.2
-      socket.io: 4.8.1
+      proc-log: 6.1.0
+      rimraf: 6.1.3
+      socket.io: 4.8.3
       spawn-args: 0.2.0
       styled_string: 0.0.1
-      tap-parser: 7.0.0
-      tmp: 0.0.33
+      tap-parser: 18.3.4
     transitivePeerDependencies:
+      - '@babel/core'
       - arc-templates
       - atpl
-      - babel-core
       - bracket-template
       - bufferutil
       - coffee-script
@@ -18478,30 +18546,25 @@ snapshots:
       - handlebars
       - hogan.js
       - htmling
-      - jade
       - jazz
       - jqtpl
       - just
       - liquid-node
       - liquor
-      - marko
       - mote
       - nunjucks
       - plates
       - pug
       - qejs
       - ractive
-      - razor-tmpl
       - react
       - react-dom
       - slm
-      - squirrelly
       - supports-color
       - swig
       - swig-templates
       - teacup
       - templayed
-      - then-jade
       - then-pug
       - tinyliquid
       - toffee
@@ -18561,7 +18624,7 @@ snapshots:
     dependencies:
       rimraf: 2.7.1
 
-  tmp@0.2.3: {}
+  tmp@0.2.5: {}
 
   tmpl@1.0.5: {}
 
@@ -18582,18 +18645,17 @@ snapshots:
 
   tracked-built-ins@3.4.0(@babel/core@7.26.10):
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
-      ember-tracked-storage-polyfill: 1.0.0
+      '@embroider/addon-shim': 1.10.2
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
+      ember-tracked-storage-polyfill: 1.0.1
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
 
-  tracked-built-ins@4.0.0(@babel/core@7.26.10):
+  tracked-built-ins@4.1.2(@babel/core@7.26.10):
     dependencies:
-      '@embroider/addon-shim': 1.10.0
-      decorator-transforms: 2.3.0(@babel/core@7.26.10)
-      ember-tracked-storage-polyfill: 1.0.0
+      '@embroider/addon-shim': 1.10.2
+      decorator-transforms: 2.3.2(@babel/core@7.26.10)
     transitivePeerDependencies:
       - '@babel/core'
       - supports-color
@@ -18607,12 +18669,6 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  traverse@0.6.11:
-    dependencies:
-      gopd: 1.2.0
-      typedarray.prototype.slice: 1.0.5
-      which-typed-array: 1.1.19
-
   tree-kill@1.2.2: {}
 
   tree-sync@1.4.0:
@@ -18620,17 +18676,17 @@ snapshots:
       debug: 2.6.9
       fs-tree-diff: 0.5.9
       mkdirp: 0.5.6
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       walk-sync: 0.3.4
     transitivePeerDependencies:
       - supports-color
 
   tree-sync@2.1.0:
     dependencies:
-      debug: 4.4.1
+      debug: 4.4.3
       fs-tree-diff: 2.0.1
       mkdirp: 0.5.6
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       walk-sync: 0.3.4
     transitivePeerDependencies:
       - supports-color
@@ -18646,10 +18702,10 @@ snapshots:
       tslib: 1.14.1
       typescript: 4.9.5
 
-  tsutils@3.21.0(typescript@5.5.4):
+  tsutils@3.21.0(typescript@5.6.3):
     dependencies:
       tslib: 1.14.1
-      typescript: 5.5.4
+      typescript: 5.6.3
 
   type-check@0.4.0:
     dependencies:
@@ -18674,6 +18730,12 @@ snapshots:
       media-typer: 0.3.0
       mime-types: 2.1.35
 
+  type-is@2.1.0:
+    dependencies:
+      content-type: 2.0.0
+      media-typer: 1.1.0
+      mime-types: 3.0.2
+
   typed-array-buffer@1.0.3:
     dependencies:
       call-bound: 1.0.4
@@ -18682,7 +18744,7 @@ snapshots:
 
   typed-array-byte-length@1.0.3:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       for-each: 0.3.5
       gopd: 1.2.0
       has-proto: 1.2.0
@@ -18691,7 +18753,7 @@ snapshots:
   typed-array-byte-offset@1.0.4:
     dependencies:
       available-typed-arrays: 1.0.7
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       for-each: 0.3.5
       gopd: 1.2.0
       has-proto: 1.2.0
@@ -18700,7 +18762,7 @@ snapshots:
 
   typed-array-length@1.0.7:
     dependencies:
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       for-each: 0.3.5
       gopd: 1.2.0
       is-typed-array: 1.1.15
@@ -18711,30 +18773,11 @@ snapshots:
     dependencies:
       is-typedarray: 1.0.0
 
-  typedarray.prototype.slice@1.0.5:
-    dependencies:
-      call-bind: 1.0.8
-      define-properties: 1.2.1
-      es-abstract: 1.23.10
-      es-errors: 1.3.0
-      get-proto: 1.0.1
-      math-intrinsics: 1.1.0
-      typed-array-buffer: 1.0.3
-      typed-array-byte-offset: 1.0.4
-
   typescript-memoize@1.1.1: {}
 
   typescript@4.9.5: {}
 
-  typescript@5.5.4: {}
-
-  typical@2.6.1: {}
-
-  typical@4.0.0: {}
-
-  typical@7.3.0: {}
-
-  uc.micro@1.0.6: {}
+  typescript@5.6.3: {}
 
   uc.micro@2.1.0: {}
 
@@ -18753,20 +18796,20 @@ snapshots:
       sprintf-js: 1.1.3
       util-deprecate: 1.0.2
 
-  underscore@1.13.7: {}
+  underscore@1.13.8: {}
 
-  undici-types@7.16.0: {}
+  undici-types@7.24.6: {}
 
   unicode-canonical-property-names-ecmascript@2.0.1: {}
 
   unicode-match-property-ecmascript@2.0.0:
     dependencies:
       unicode-canonical-property-names-ecmascript: 2.0.1
-      unicode-property-aliases-ecmascript: 2.1.0
+      unicode-property-aliases-ecmascript: 2.2.0
 
-  unicode-match-property-value-ecmascript@2.2.0: {}
+  unicode-match-property-value-ecmascript@2.2.1: {}
 
-  unicode-property-aliases-ecmascript@2.1.0: {}
+  unicode-property-aliases-ecmascript@2.2.0: {}
 
   unicorn-magic@0.1.0: {}
 
@@ -18822,14 +18865,12 @@ snapshots:
 
   upath@2.0.1: {}
 
-  update-browserslist-db@1.1.3(browserslist@4.24.5):
+  update-browserslist-db@1.2.3(browserslist@4.28.2):
     dependencies:
-      browserslist: 4.24.5
+      browserslist: 4.28.2
       escalade: 3.2.0
       picocolors: 1.1.1
 
-  update-section@0.3.3: {}
-
   uri-js@4.4.1:
     dependencies:
       punycode: 2.3.1
@@ -18851,12 +18892,12 @@ snapshots:
   validate-peer-dependencies@1.2.0:
     dependencies:
       resolve-package-path: 3.1.0
-      semver: 7.7.2
+      semver: 7.8.1
 
   validate-peer-dependencies@2.2.0:
     dependencies:
       resolve-package-path: 4.0.3
-      semver: 7.7.2
+      semver: 7.8.1
 
   vary@1.1.2: {}
 
@@ -18880,17 +18921,13 @@ snapshots:
       eslint-visitor-keys: 3.4.3
       espree: 9.6.1
       esquery: 1.7.0
-      lodash: 4.17.23
-      semver: 7.7.3
+      lodash: 4.18.0
+      semver: 7.8.1
     transitivePeerDependencies:
       - supports-color
 
   w3c-keyname@2.2.8: {}
 
-  walk-back@2.0.1: {}
-
-  walk-back@5.1.1: {}
-
   walk-sync@0.2.7:
     dependencies:
       ensure-posix-path: 1.1.1
@@ -18912,14 +18949,14 @@ snapshots:
       '@types/minimatch': 3.0.5
       ensure-posix-path: 1.1.1
       matcher-collection: 2.0.1
-      minimatch: 3.1.2
+      minimatch: 3.1.5
 
   walk-sync@3.0.0:
     dependencies:
       '@types/minimatch': 3.0.5
       ensure-posix-path: 1.1.1
       matcher-collection: 2.0.1
-      minimatch: 3.1.2
+      minimatch: 3.1.5
 
   walker@1.0.8:
     dependencies:
@@ -18928,7 +18965,7 @@ snapshots:
   watch-detector@0.1.0:
     dependencies:
       heimdalljs-logger: 0.1.10
-      quick-temp: 0.1.8
+      quick-temp: 0.1.9
       rsvp: 4.8.5
       semver: 5.7.2
       silent-error: 1.1.1
@@ -18943,7 +18980,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  watchpack@2.4.4:
+  watchpack@2.5.1:
     dependencies:
       glob-to-regexp: 0.4.1
       graceful-fs: 4.2.11
@@ -18954,21 +18991,21 @@ snapshots:
 
   web-vitals@4.2.4: {}
 
-  webpack-cli@6.0.1(webpack@5.94.0):
+  webpack-cli@6.0.1(webpack@5.107.2):
     dependencies:
       '@discoveryjs/json-ext': 0.6.3
-      '@webpack-cli/configtest': 3.0.1(webpack-cli@6.0.1)(webpack@5.94.0)
-      '@webpack-cli/info': 3.0.1(webpack-cli@6.0.1)(webpack@5.94.0)
-      '@webpack-cli/serve': 3.0.1(webpack-cli@6.0.1)(webpack@5.94.0)
+      '@webpack-cli/configtest': 3.0.1(webpack-cli@6.0.1)(webpack@5.107.2)
+      '@webpack-cli/info': 3.0.1(webpack-cli@6.0.1)(webpack@5.107.2)
+      '@webpack-cli/serve': 3.0.1(webpack-cli@6.0.1)(webpack@5.107.2)
       colorette: 2.0.20
       commander: 12.1.0
       cross-spawn: 7.0.6
-      envinfo: 7.15.0
+      envinfo: 7.21.0
       fastest-levenshtein: 1.0.16
       import-local: 3.2.0
       interpret: 3.1.1
       rechoir: 0.8.0
-      webpack: 5.94.0(webpack-cli@6.0.1)
+      webpack: 5.107.2(webpack-cli@6.0.1)
       webpack-merge: 6.0.1
 
   webpack-merge@6.0.1:
@@ -18977,38 +19014,47 @@ snapshots:
       flat: 5.0.2
       wildcard: 2.0.1
 
-  webpack-sources@3.2.3: {}
+  webpack-sources@3.5.0: {}
 
-  webpack@5.94.0(webpack-cli@6.0.1):
+  webpack@5.107.2(webpack-cli@6.0.1):
     dependencies:
-      '@types/estree': 1.0.7
+      '@types/estree': 1.0.9
+      '@types/json-schema': 7.0.15
       '@webassemblyjs/ast': 1.14.1
       '@webassemblyjs/wasm-edit': 1.14.1
       '@webassemblyjs/wasm-parser': 1.14.1
-      acorn: 8.14.1
-      acorn-import-attributes: 1.9.5(acorn@8.14.1)
-      browserslist: 4.24.5
+      acorn: 8.16.0
+      acorn-import-phases: 1.0.4(acorn@8.16.0)
+      browserslist: 4.28.2
       chrome-trace-event: 1.0.4
-      enhanced-resolve: 5.18.1
-      es-module-lexer: 1.7.0
+      enhanced-resolve: 5.22.0
+      es-module-lexer: 2.1.0
       eslint-scope: 5.1.1
       events: 3.3.0
       glob-to-regexp: 0.4.1
       graceful-fs: 4.2.11
-      json-parse-even-better-errors: 2.3.1
-      loader-runner: 4.3.0
-      mime-types: 2.1.35
+      loader-runner: 4.3.2
+      mime-db: 1.54.0
       neo-async: 2.6.2
-      schema-utils: 3.3.0
-      tapable: 2.2.2
-      terser-webpack-plugin: 5.3.14(webpack@5.94.0)
-      watchpack: 2.4.4
-      webpack-sources: 3.2.3
+      schema-utils: 4.3.3
+      tapable: 2.3.3
+      terser-webpack-plugin: 5.6.0(webpack@5.107.2)
+      watchpack: 2.5.1
+      webpack-sources: 3.5.0
     optionalDependencies:
-      webpack-cli: 6.0.1(webpack@5.94.0)
+      webpack-cli: 6.0.1(webpack@5.107.2)
     transitivePeerDependencies:
+      - '@minify-html/node'
       - '@swc/core'
+      - '@swc/css'
+      - '@swc/html'
+      - clean-css
+      - cssnano
+      - csso
       - esbuild
+      - html-minifier-terser
+      - lightningcss
+      - postcss
       - uglify-js
 
   websocket-driver@0.7.4:
@@ -19035,13 +19081,13 @@ snapshots:
       is-async-function: 2.1.1
       is-date-object: 1.1.0
       is-finalizationregistry: 1.1.1
-      is-generator-function: 1.1.0
+      is-generator-function: 1.1.2
       is-regex: 1.2.1
       is-weakref: 1.1.1
       isarray: 2.0.5
       which-boxed-primitive: 1.1.1
       which-collection: 1.0.2
-      which-typed-array: 1.1.19
+      which-typed-array: 1.1.21
 
   which-collection@1.0.2:
     dependencies:
@@ -19052,10 +19098,10 @@ snapshots:
 
   which-module@2.0.1: {}
 
-  which-typed-array@1.1.19:
+  which-typed-array@1.1.21:
     dependencies:
       available-typed-arrays: 1.0.7
-      call-bind: 1.0.8
+      call-bind: 1.0.9
       call-bound: 1.0.4
       for-each: 0.3.5
       get-proto: 1.0.1
@@ -19080,11 +19126,6 @@ snapshots:
 
   wordwrap@1.0.0: {}
 
-  wordwrapjs@3.0.0:
-    dependencies:
-      reduce-flatten: 1.0.1
-      typical: 2.6.1
-
   workerpool@3.1.2:
     dependencies:
       '@babel/core': 7.26.10
@@ -19117,15 +19158,15 @@ snapshots:
 
   wrap-ansi@8.1.0:
     dependencies:
-      ansi-styles: 6.2.1
+      ansi-styles: 6.2.3
       string-width: 5.1.2
-      strip-ansi: 7.1.0
+      strip-ansi: 7.2.0
 
-  wrap-ansi@9.0.0:
+  wrap-ansi@9.0.2:
     dependencies:
-      ansi-styles: 6.2.1
+      ansi-styles: 6.2.3
       string-width: 7.2.0
-      strip-ansi: 7.1.0
+      strip-ansi: 7.2.0
 
   wrappy@1.0.2: {}
 
@@ -19141,12 +19182,10 @@ snapshots:
       imurmurhash: 0.1.4
       signal-exit: 4.1.0
 
-  ws@8.17.1: {}
+  ws@8.20.1: {}
 
   xdg-basedir@4.0.0: {}
 
-  xmlcreate@2.0.4: {}
-
   xtend@4.0.2: {}
 
   y18n@4.0.3: {}
@@ -19162,7 +19201,11 @@ snapshots:
       fs-extra: 4.0.3
       lodash.merge: 4.6.2
 
-  yaml@2.8.0: {}
+  yaml-types@0.4.0(yaml@2.9.0):
+    dependencies:
+      yaml: 2.9.0
+
+  yaml@2.9.0: {}
 
   yargs-parser@13.1.2:
     dependencies:
@@ -19196,8 +19239,10 @@ snapshots:
 
   yocto-queue@0.1.0: {}
 
-  yocto-queue@1.2.1: {}
+  yocto-queue@1.2.2: {}
 
-  yoctocolors-cjs@2.1.2: {}
+  yoctocolors-cjs@2.1.3: {}
+
+  yoctocolors@2.1.2: {}
 
   zwitch@1.0.5: {}
diff --git a/ui/pnpm-workspace.yaml b/ui/pnpm-workspace.yaml
index 254d1e2ea8..cc3228bd3c 100644
--- a/ui/pnpm-workspace.yaml
+++ b/ui/pnpm-workspace.yaml
@@ -6,6 +6,9 @@ peerDependencyRules:
   allowedVersions:
     # for @typescript-eslint/parser
     eslint: '*'
+    # for ember-engines, which has a peer dep on ember-source
+    'ember-engines>ember-source': '5.8.0'
+    '@hashicorp/design-system-components>ember-engines': '0.8.23'
 
 dedupeInjectedDeps: true
 publicHoistPattern:
diff --git a/ui/scripts/docfy-md.js b/ui/scripts/docfy-md.js
deleted file mode 100644
index 530a2ffd20..0000000000
--- a/ui/scripts/docfy-md.js
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-/* eslint-disable */
-
-/*
-run from the ui directory:
-pnpm docfy-md some-component
-
-or if the docs are for a component in an in-repo-addon or an engine:
-pnpm docfy-md some-component name-of-engine
-
-see the readme ui/docs/how-to-docfy.md for more info
-*/
-
-const fs = require('fs');
-const jsdoc2md = require('jsdoc-to-markdown');
-
-// the fullFilepath arg will override the assumed inputFile which is built using the addonOrEngine arg
-const [nameOrFile, addonOrEngine, fullFilepath] = process.argv.slice(2);
-
-const isFile = nameOrFile.includes('.');
-const name = isFile ? nameOrFile?.split('.')[0] : nameOrFile; // can pass component-name or component-name.js
-const path = isFile ? nameOrFile : `${nameOrFile}.js`; // default to js
-
-const inputFile = addonOrEngine ? `lib/${addonOrEngine}/addon/components/${path}` : `app/components/${path}`;
-const outputFile = `docs/components/${name}.md`;
-
-const outputFormat = `
-{{#module}}
-# {{name}}
-{{>body}}
-{{/module}}
-`;
-
-const options = {
-  files: fullFilepath || inputFile,
-  'example-lang': 'hbs preview-template',
-  configure: './jsdoc2md.json',
-  template: outputFormat,
-};
-
-try {
-  const md = jsdoc2md.renderSync(options);
-  // for some reason components without a jsdoc @module doesn't throw, so throw manually
-  if (md.includes('ERROR')) throw `${md} (there is probably no jsdoc for this component)`;
-  fs.writeFileSync(outputFile, md);
-  console.log(`✅ ${name}`);
-} catch (error) {
-  console.log(`❌ ${name}`);
-  console.log(error);
-}
diff --git a/ui/scripts/gen-dep-override-report.js b/ui/scripts/gen-dep-override-report.js
new file mode 100644
index 0000000000..bd09593509
--- /dev/null
+++ b/ui/scripts/gen-dep-override-report.js
@@ -0,0 +1,198 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+/* eslint-env node */
+/* eslint-disable no-console */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+const ROOT_DIR = path.join(__dirname, '..');
+const PKG_PATH = path.join(ROOT_DIR, 'package.json');
+const LOCK_PATH = path.join(ROOT_DIR, 'pnpm-lock.yaml');
+
+/**
+ * Simple exact-version comparison.
+ * Returns true if the resolved version is older than the target override.
+ */
+function isOlder(found, target) {
+  if (!found || !target) return false;
+  const f = found
+    .replace(/[^0-9.]/g, '')
+    .split('.')
+    .map((n) => parseInt(n || 0));
+  const t = target
+    .replace(/[^0-9.]/g, '')
+    .split('.')
+    .map((n) => parseInt(n || 0));
+  for (let i = 0; i < Math.max(f.length, t.length); i++) {
+    if ((f[i] || 0) < (t[i] || 0)) return true;
+    if ((f[i] || 0) > (t[i] || 0)) return false;
+  }
+  return false;
+}
+
+function writeReport(report, error) {
+  const outPath = path.join(ROOT_DIR, 'DEP_OVERRIDE_REPORT.md');
+  fs.writeFileSync(outPath, report);
+  const message =
+    error || '✅ Dependency override audit complete! Project has been restored to its original state.';
+  console.log(message);
+  console.log('📄 See DEP_OVERRIDE_REPORT.md for details.');
+}
+
+function genOverrideReport() {
+  console.log('🚀 Starting Dependency Override Audit. Backing up package.json...');
+
+  let report = '# 🛡️ PNPM Override Audit Report\n\n';
+  report += `Generated on: ${new Date().toLocaleString()}\n\n`;
+
+  if (!fs.existsSync(PKG_PATH)) {
+    report += `❌ **Error:** package.json not found at ${PKG_PATH}\n`;
+    writeReport(report, '❌ package.json not found.');
+    return;
+  }
+
+  // 1. Read and backup the original state
+  const originalPkgStr = fs.readFileSync(PKG_PATH, 'utf8');
+  const originalLockStr = fs.existsSync(LOCK_PATH) ? fs.readFileSync(LOCK_PATH, 'utf8') : null;
+
+  const pkgJson = JSON.parse(originalPkgStr);
+  const overrides = pkgJson.pnpm?.overrides || {};
+
+  if (Object.keys(overrides).length === 0) {
+    report += '✅ **No overrides found in package.json.**\n';
+    writeReport(report);
+    return;
+  }
+
+  try {
+    // 2. Strip overrides and save the modified package.json
+    const tempPkgJson = JSON.parse(originalPkgStr);
+    delete tempPkgJson.pnpm.overrides;
+    fs.writeFileSync(PKG_PATH, JSON.stringify(tempPkgJson, null, 2));
+
+    // 3. Reinstall dependencies to recalculate lockfile AND physically update node_modules
+    console.log('⏳ Relinking node_modules to their natural state (this may take a minute)...');
+    execSync('pnpm install --no-frozen-lockfile --ignore-scripts', {
+      cwd: ROOT_DIR,
+      stdio: 'ignore',
+    });
+
+    // 4. Audit each removed override using pnpm list
+    for (const [overrideName, targetVersion] of Object.entries(overrides)) {
+      console.log(`🔎 Auditing natural resolution for ${overrideName}...`);
+      const culprits = new Map();
+
+      let rawJson;
+      try {
+        rawJson = execSync(`pnpm list "${overrideName}" --recursive --depth Infinity --json`, {
+          cwd: ROOT_DIR,
+          maxBuffer: 1024 * 1024 * 100,
+        }).toString();
+      } catch (e) {
+        console.error(`└──⚠️ Could not fetch tree for ${overrideName}.`);
+        // execSync attaches stdout and stderr to the error object when a command fails
+        const stdout = e.stdout ? e.stdout.toString().trim() : '';
+        const stderr = e.stderr ? e.stderr.toString().trim() : '';
+
+        report += `## \`${overrideName}\`\n**Target Override:** \`${targetVersion}\`\n\n`;
+
+        // If pnpm exited with 1 but output an empty JSON array, it means "Not Found"
+        if (stdout === '[]') {
+          report += `✅ **SAFE TO REMOVE (Orphaned)**\n\n`;
+          report += `> This package does not exist anywhere in the naturally resolved dependency tree. It was likely removed by an upstream dependency update.\n`;
+        } else if (e.code === 'ENOBUFS') {
+          report += `❓ **UNKNOWN (Buffer Overflow)**\n\n`;
+          report += `> The dependency tree is too large for the allocated memory.\n`;
+        } else {
+          const errorMsg = stderr || e.message;
+          report += `❓ **UNKNOWN (Error)**\n\n`;
+          report += `> The script encountered an error resolving this package:\n> \`${errorMsg}\`\n`;
+        }
+
+        report += `\n---\n`;
+        continue; // Immediately jump to the next override in the loop
+      }
+
+      const data = JSON.parse(rawJson);
+
+      const scanTree = (parentName, parentVersion, depsObject) => {
+        if (!depsObject) return;
+
+        for (const [depName, depInfo] of Object.entries(depsObject)) {
+          if (!depInfo) continue;
+
+          if (depName === overrideName && depInfo.version) {
+            const resolvedVersion = depInfo.version;
+
+            if (isOlder(resolvedVersion, targetVersion)) {
+              culprits.set(`${parentName}@${parentVersion}`, resolvedVersion);
+            }
+          }
+
+          // If this dependency has its own dependencies, it becomes the new parent
+          if (depInfo.dependencies) {
+            scanTree(depName, depInfo.version, depInfo.dependencies);
+          }
+        }
+      };
+
+      // Start the scan from the top-level workspaces/projects
+      data.forEach((project) => {
+        const projectName = project.name || 'Root Project';
+        const projectVersion = project.version || 'unknown';
+        const allDeps = {
+          ...project.dependencies,
+          ...project.devDependencies,
+          ...project.optionalDependencies,
+        };
+
+        scanTree(projectName, projectVersion, allDeps);
+      });
+
+      // Generate markdown segment
+      report += `## \`${overrideName}\`\n**Target Override:** \`${targetVersion}\`\n\n`;
+      if (culprits.size > 0) {
+        report += `⚠️ **REQUIRED**\n\n`;
+        report += `> These packages will continue to receive the overridden version until they are updated to naturally resolve to >= ${targetVersion}.\n\n`;
+        report += `| Parent Package | Naturally Resolved Version |\n| :--- | :--- |\n`;
+        const sortedCulprits = Array.from(culprits.entries()).sort();
+        for (const [parent, resolved] of sortedCulprits) {
+          report += `| \`${parent}\` | \`${resolved}\` |\n`;
+        }
+      } else {
+        report += `✅ **SAFE TO REMOVE**\n\n`;
+        report += `> All packages naturally resolve to >= ${targetVersion} without the override.\n`;
+      }
+      report += `\n---\n`;
+    }
+  } finally {
+    // 5. Restore original package.json, lockfile, and node_modules
+    console.log('🧹 Cleaning up: Restoring package.json, lockfile, and node_modules...');
+
+    // Put the files back
+    fs.writeFileSync(PKG_PATH, originalPkgStr);
+    if (originalLockStr) {
+      fs.writeFileSync(LOCK_PATH, originalLockStr);
+    }
+
+    // Run a full install again to force pnpm to re-apply overrides to node_modules
+    try {
+      execSync('pnpm install --no-frozen-lockfile --ignore-scripts', {
+        cwd: ROOT_DIR,
+        stdio: 'ignore',
+      });
+    } catch (e) {
+      console.error("⚠️ Cleanup failed, you may need to run 'pnpm install' manually.");
+    }
+
+    // Write the report
+    writeReport(report);
+  }
+}
+
+genOverrideReport();
diff --git a/ui/scripts/generate-docs.sh b/ui/scripts/generate-docs.sh
deleted file mode 100644
index 1e394f2839..0000000000
--- a/ui/scripts/generate-docs.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-# Copyright IBM Corp. 2016, 2025
-# SPDX-License-Identifier: BUSL-1.1
-
-echo "Create components/ directory"
-mkdir docs/components/
-
-echo "Generating markdown files for components in core addon..."
-
-# iterate over every .ts and .js file in core/addon/components (including nested files)
-# skip .hbs files and shamir/ directory
-find "./lib/core/addon/components" -type f ! -name "*.hbs" -not -path "*/shamir*"  -print0 | while IFS= read -r -d '' file; do
-  component=`eval "echo $file | cut -d/ -f6"`;
-
- # skip replication components
-  if [[ "$component" == replication* ]]; then
-    echo "🔃 skipping $component"
-    continue
-  fi
-
-  pnpm docfy-md $component core $file
-done
diff --git a/ui/scripts/generate-form-config.js b/ui/scripts/generate-form-config.js
new file mode 100644
index 0000000000..d3e6341673
--- /dev/null
+++ b/ui/scripts/generate-form-config.js
@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+
+/* eslint-env node */
+
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+/**
+ * OpenAPI-based form config generator
+ *
+ * Usage:
+ *   pnpm generate:form-config <methodName>
+ *
+ * Example:
+ *   pnpm generate:form-config mountsEnableSecretsEngine
+ *
+ * The API class is automatically determined from the OpenAPI spec's tags.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { execSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import { prepFormConfig, generateConfigContent } from '../app/utils/form-config-generator.js';
+import { dasherize } from '@ember/string';
+
+// ES module workaround to get absolute paths for __dirname,
+// ensuring this script can work regardless of where it's run from
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const OPENAPI_PATH = path.join(__dirname, '../node_modules/@hashicorp/vault-client-typescript/openapi.json');
+const OUTPUT_DIR = path.join(__dirname, '../app/forms/v2/generated');
+
+const normalize = (msg) => {
+  return msg.trim().replace(/\n\s+/g, '\n');
+};
+
+/**
+ * Compose functions left-to-right, passing output of each as input to the next
+ * Example: pipe(fn1, fn2, fn3)(x) === fn3(fn2(fn1(x)))
+ */
+const pipe = (...fns) => {
+  return (initial) => fns.reduce((value, fn) => fn(value), initial);
+};
+
+const parseArgs = () => {
+  const args = process.argv.slice(2);
+  const method = args[0];
+
+  if (!method || method.startsWith('--')) {
+    const err = normalize(`
+      ❌ Missing required argument: methodName
+      💡 Usage: pnpm generate:form-config <methodName>
+      💡 Example: pnpm generate:form-config mountsEnableSecretsEngine
+    `);
+
+    console.error(err);
+    process.exit(1);
+  }
+
+  return { method };
+};
+
+const loadOpenAPISpec = () => {
+  try {
+    const spec = JSON.parse(fs.readFileSync(OPENAPI_PATH, 'utf-8'));
+    console.log(`✅ Found openapi.json with ${Object.keys(spec.paths).length} paths...`);
+    return spec;
+  } catch (error) {
+    console.error(`❌ Error loading openapi.json: ${error.message}`);
+    process.exit(1);
+  }
+};
+
+const prepFormConfigWithLogging = (spec, methodName) => {
+  const operationId = dasherize(methodName);
+  console.log(`🔍 Searching for ${operationId} operation in openapi.json...`);
+
+  const config = prepFormConfig(spec, methodName);
+  if (!config) {
+    const err = normalize(`
+      ❌ Operation "${operationId}" not found in openapi.json
+      💡 If this is a plugin-based method, ensure the plugin is enabled and regenerate openapi.json
+    `);
+    console.error(err);
+    process.exit(1);
+  }
+
+  if (!config.apiClass) {
+    const err = normalize(`
+      ❌ Could not determine API class for "${operationId}"
+      💡 The operation may be missing tags in the OpenAPI spec
+    `);
+    console.error(err);
+    process.exit(1);
+  }
+
+  console.log(`🔨 Building form config for ${config.name}... \n`);
+  return config;
+};
+
+const writeAndFormat = (content, methodName) => {
+  const filename = `${dasherize(methodName)}-config.ts`;
+  const filePath = path.join(OUTPUT_DIR, filename);
+
+  fs.writeFileSync(filePath, content, 'utf-8');
+  execSync(`pnpm prettier --write "${filePath}"`, { stdio: 'pipe' });
+
+  return filename;
+};
+
+const main = () => {
+  const startTime = Date.now();
+  const { method } = parseArgs();
+  console.log(`⚡️ Generating form config for ${method} method...\n`);
+
+  const filename = pipe(
+    (spec) => prepFormConfigWithLogging(spec, method),
+    (config) => generateConfigContent(config),
+    (content) => writeAndFormat(content, method)
+  )(loadOpenAPISpec());
+
+  const duration = ((Date.now() - startTime) / 1000).toFixed(2);
+  const msg = normalize(`
+    ✨ Done! Completed in ${duration}s
+    Output: app/forms/v2/generated/${filename}
+  `);
+
+  console.log(msg);
+};
+
+main();
diff --git a/ui/scripts/start-vault.js b/ui/scripts/start-vault.js
index 0687b9934c..122b630a91 100755
--- a/ui/scripts/start-vault.js
+++ b/ui/scripts/start-vault.js
@@ -8,26 +8,16 @@
 /* eslint-disable no-process-exit */
 /* eslint-disable n/no-extraneous-require */
 
-var readline = require('readline');
 const testHelper = require('./test-helper');
 
-var output = '';
-var unseal, root, written, initError;
-
-async function processLines(input, eachLine = () => {}) {
-  const rl = readline.createInterface({
-    input,
-    terminal: true,
-  });
-  for await (const line of rl) {
-    eachLine(line);
-  }
-}
-
 (async function () {
+  // ignore first 2 args (node and path) and extract flags to pass to test/exam command
+  const args = process.argv.slice(2);
+  // in CI use local vault binary, otherwise assume vault is in PATH
+  const vaultCommand = process.env.CI ? '../bin/vault' : 'vault';
   try {
-    const vault = testHelper.run(
-      'vault',
+    testHelper.run(
+      vaultCommand,
       [
         'server',
         '-dev',
@@ -38,39 +28,7 @@ async function processLines(input, eachLine = () => {}) {
       ],
       false
     );
-    processLines(vault.stdout, function (line) {
-      if (written) {
-        output = null;
-        return;
-      }
-      output = output + line;
-      var unsealMatch = output.match(/Unseal Key: (.+)$/m);
-      if (unsealMatch && !unseal) {
-        unseal = [unsealMatch[1]];
-      }
-      var rootMatch = output.match(/Root Token: (.+)$/m);
-      if (rootMatch && !root) {
-        root = rootMatch[1];
-      }
-      var errorMatch = output.match(/Error initializing core: (.*)$/m);
-      if (errorMatch) {
-        initError = errorMatch[1];
-      }
-      if (root && unseal && !written) {
-        testHelper.writeKeysFile(unseal, root);
-        written = true;
-        console.log('VAULT SERVER READY');
-      } else if (initError) {
-        console.log('VAULT SERVER START FAILED');
-        console.log(
-          'If this is happening, run `export VAULT_LICENSE_PATH=/Users/username/license.hclic` to your valid local vault license filepath, or use OSS Vault'
-        );
-        process.exit(1);
-      }
-    });
     try {
-      // ignore first 2 args (node and path) and extract flags to pass to test/exam command
-      const args = process.argv.slice(2);
       const withServer = args.includes('--server') || args.includes('-s');
       // current issue with headless Chrome where an event listener in Hds::Modal is not triggered resulting in a pending test waiter and timeout
       // the workaround for now is to run the tests in headless firefox for local runs
diff --git a/ui/testem.js b/ui/testem.js
index b659dc7622..a2eed39878 100644
--- a/ui/testem.js
+++ b/ui/testem.js
@@ -22,11 +22,18 @@ module.exports = {
         process.env.CI ? '--no-sandbox' : null,
         '--headless=new',
         '--disable-dev-shm-usage',
-        '--disable-software-rasterizer',
         '--disable-search-engine-choice-screen', // needed from Chrome 127
         '--mute-audio',
         '--remote-debugging-port=0',
         '--window-size=1440,900',
+        // Chrome for Testing as of 146.0.7680.31 in early March 2026
+        // crashes on Ubuntu in containers (which is what we run in CI)
+        // Disabling this feature seems to fix the issue, but we should keep an
+        // eye on it and remove this flag once it's fixed in Chrome.
+        // https://issues.chromium.org/issues/489314676
+        // https://github.com/puppeteer/puppeteer/pull/14744
+        // https://github.com/puppeteer/puppeteer/issues/14742
+        '--disable-features=PartitionAllocSchedulerLoopQuarantineTaskControlledPurge',
       ].filter(Boolean),
     },
     Firefox: {
diff --git a/ui/tests/acceptance/access/identity/entities/index-test.js b/ui/tests/acceptance/access/identity/entities/index-test.js
index c0bcbbd0a5..233c8cba4b 100644
--- a/ui/tests/acceptance/access/identity/entities/index-test.js
+++ b/ui/tests/acceptance/access/identity/entities/index-test.js
@@ -12,6 +12,8 @@ import { runCmd } from 'vault/tests/helpers/commands';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { v4 as uuidv4 } from 'uuid';
 import { setupMirage } from 'ember-cli-mirage/test-support';
+import { Response } from 'miragejs';
+import sinon from 'sinon';
 
 const SELECTORS = {
   listItem: (name) => `[data-test-identity-row="${name}"]`,
@@ -111,4 +113,70 @@ module('Acceptance | /access/identity/entities', function (hooks) {
     await click(`${SELECTORS.listItem(name)} ${GENERAL.menuItem('delete')}`);
     await click(GENERAL.confirmButton);
   });
+
+  test('it should render correct flash message on entity delete failure', async function (assert) {
+    server.get('/identity/entity/id', () => ({
+      data: {
+        key_info: { test: { name: 'foo' } },
+        keys: ['test'],
+      },
+    }));
+    server.get('/identity/entity/id/test', () => ({ data: { name: 'foo' } }));
+
+    const error = 'The entity could not be deleted';
+    server.delete('/identity/entity/id/test', () => new Response(500, {}, { errors: [error] }));
+
+    const flashSpy = sinon.spy(this.owner.lookup('service:flashMessages'), 'danger');
+
+    await page.visit({ item_type: 'entities' });
+    await click(`${SELECTORS.listItem('foo')} ${GENERAL.menuTrigger}`);
+    await click(`${SELECTORS.listItem('foo')} ${GENERAL.menuItem('delete')}`);
+    await click(GENERAL.confirmButton);
+
+    const message = `There was a problem deleting entity: test - ${error}`;
+    assert.true(flashSpy.calledWith(message), 'Correct flash message is shown');
+  });
+
+  test('it should render correct flash message on entity edit success', async function (assert) {
+    server.get('/identity/entity/id', () => ({
+      data: {
+        key_info: { test: { name: 'foo' } },
+        keys: ['test'],
+      },
+    }));
+    server.get('/identity/entity/id/test', () => ({ data: { name: 'foo' } }));
+
+    server.put('/identity/entity/id/test', () => new Response(200, {}, {}));
+
+    const flashSpy = sinon.spy(this.owner.lookup('service:flashMessages'), 'success');
+
+    await page.visit({ item_type: 'entities' });
+    await click(`${SELECTORS.listItem('foo')} ${GENERAL.menuTrigger}`);
+    await click(`${SELECTORS.listItem('foo')} ${GENERAL.menuItem('edit')}`);
+    await click(GENERAL.submitButton);
+
+    const message = `Successfully saved Entity test.`;
+    assert.true(flashSpy.calledWith(message), 'Correct flash message is shown');
+  });
+
+  test('it should render correct flash message on entity edit failure', async function (assert) {
+    server.get('/identity/entity/id', () => ({
+      data: {
+        key_info: { test: { name: 'foo' } },
+        keys: ['test'],
+      },
+    }));
+    server.get('/identity/entity/id/test', () => ({ data: { name: 'foo' } }));
+
+    const error = 'The entity could not be edited';
+    server.put('/identity/entity/id/test', () => new Response(500, {}, { errors: [error] }));
+
+    await page.visit({ item_type: 'entities' });
+    await click(`${SELECTORS.listItem('foo')} ${GENERAL.menuTrigger}`);
+    await click(`${SELECTORS.listItem('foo')} ${GENERAL.menuItem('edit')}`);
+    await click(GENERAL.submitButton);
+
+    assert.dom(GENERAL.messageError).exists();
+    assert.dom(GENERAL.messageDescription).hasText(error, 'Specific error message is rendered');
+  });
 });
diff --git a/ui/tests/acceptance/access/methods-test.js b/ui/tests/acceptance/access/methods-test.js
index fb0cc70318..8bf4d8cce8 100644
--- a/ui/tests/acceptance/access/methods-test.js
+++ b/ui/tests/acceptance/access/methods-test.js
@@ -13,7 +13,7 @@ import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { mountAuthCmd, runCmd } from 'vault/tests/helpers/commands';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { sanitizePath } from 'core/utils/sanitize-path';
-import localStorage from 'vault/lib/local-storage';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 const { searchSelect } = GENERAL;
 
@@ -25,7 +25,7 @@ module('Acceptance | auth-methods list view', function (hooks) {
     this.uid = uuidv4();
     await login();
     // dismiss wizard
-    localStorage.setItem('dismissed-wizards', ['auth-methods']);
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.authMethods);
   });
 
   test('it navigates to auth method', async function (assert) {
diff --git a/ui/tests/acceptance/access/namespaces/index-test.js b/ui/tests/acceptance/access/namespaces/index-test.js
index 208081b715..f485cecb13 100644
--- a/ui/tests/acceptance/access/namespaces/index-test.js
+++ b/ui/tests/acceptance/access/namespaces/index-test.js
@@ -9,15 +9,15 @@ import { setupApplicationTest } from 'ember-qunit';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { createNS, deleteNS, runCmd } from 'vault/tests/helpers/commands';
-import localStorage from 'vault/lib/local-storage';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 module('Acceptance | Enterprise | /access/namespaces', function (hooks) {
   setupApplicationTest(hooks);
 
-  hooks.beforeEach(async () => {
+  hooks.beforeEach(async function () {
     await login();
     // dismiss the wizard
-    localStorage.setItem('dismissed-wizards', ['namespace']);
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.namespace);
     // Go to the manage namespaces page
     await visit('/vault/access/namespaces');
   });
diff --git a/ui/tests/acceptance/auth/auth-list-test.js b/ui/tests/acceptance/auth/auth-list-test.js
index 16e3540369..8d24294616 100644
--- a/ui/tests/acceptance/auth/auth-list-test.js
+++ b/ui/tests/acceptance/auth/auth-list-test.js
@@ -13,7 +13,7 @@ import { MANAGED_AUTH_BACKENDS } from 'vault/helpers/supported-managed-auth-back
 import { deleteAuthCmd, mountAuthCmd, runCmd, createNS } from 'vault/tests/helpers/commands';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
-import localStorage from 'vault/lib/local-storage';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 const SELECTORS = {
   createUser: '[data-test-entity-create-link="user"]',
@@ -27,7 +27,7 @@ module('Acceptance | auth backend list', function (hooks) {
   hooks.beforeEach(async function () {
     await login();
     // dismiss wizard
-    localStorage.setItem('dismissed-wizards', ['auth-methods']);
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.authMethods);
   });
 
   test('userpass secret backend', async function (assert) {
@@ -158,7 +158,7 @@ module('Acceptance | auth backend list', function (hooks) {
       await runCmd(createNS(ns), false);
       await settled();
       await loginNs(ns);
-      localStorage.setItem('dismissed-wizards', ['auth-methods']);
+      this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.authMethods);
 
       // go directly to token configure route
       await visit(`/vault/settings/auth/configure/token/options?namespace=${ns}`);
diff --git a/ui/tests/acceptance/auth/config-form-test.js b/ui/tests/acceptance/auth/config-form-test.js
index 8069a069c1..c4b7406182 100644
--- a/ui/tests/acceptance/auth/config-form-test.js
+++ b/ui/tests/acceptance/auth/config-form-test.js
@@ -81,10 +81,7 @@ module('Acceptance | auth config form', function (hooks) {
         'root_password_ttl',
         'tenant_id',
       ];
-      // until the vault-plugin-auth-azure changes are released, these fields will be in the default group
-      // this test should then fail and the following line can be removed and the next line uncommented
-      this.configFields.push('client_id', 'client_secret');
-      // this.configToggles = { 'Azure Options': ['client_id', 'client_secret'] };
+      this.configToggles = { 'Azure Options': ['client_id', 'client_secret'] };
       await login();
       return visit('/vault/settings/auth/enable');
     });
diff --git a/ui/tests/acceptance/billing/overview-test.js b/ui/tests/acceptance/billing/overview-test.js
new file mode 100644
index 0000000000..3f9c397c2e
--- /dev/null
+++ b/ui/tests/acceptance/billing/overview-test.js
@@ -0,0 +1,171 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { click, currentURL, visit } from '@ember/test-helpers';
+import sinon from 'sinon';
+
+import { login, logout } from 'vault/tests/helpers/auth/auth-helpers';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { NormalizedBillingMetrics } from 'vault/utils/metrics-helpers';
+import { dateFormat } from 'core/helpers/date-format';
+import { METRICS_DATA_RESPONSE } from 'vault/tests/helpers/billing/stubs';
+import { createNS, deleteNSFromPaths, runCmd } from 'vault/tests/helpers/commands';
+
+const SELECTORS = {
+  metricDetail: (metricKey) => `[data-test-metric-detail="${metricKey}"]`,
+  metricDetailValue: (metricKey) => `[data-test-metric-detail-value="${metricKey}"]`,
+};
+
+module('Acceptance | billing/overview', function (hooks) {
+  setupApplicationTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(async function () {
+    this.version = this.owner.lookup('service:version');
+    this.mockMetrics = METRICS_DATA_RESPONSE.data;
+    this.todayDate = new Date();
+    this.currentMonth = this.todayDate.toISOString();
+    this.mockMetrics.months[0].month = dateFormat([this.todayDate, 'yyyy-MM'], {});
+    this.mockMetrics.months[0].updated_at = this.currentMonth;
+    this.server.get('/sys/billing/overview', () => this.mockMetrics);
+
+    // Stub the API service
+    const api = this.owner.lookup('service:api');
+    this.billingStub = sinon.stub(api.sys, 'systemReadBillingOverview').resolves(this.mockMetrics);
+  });
+
+  hooks.afterEach(function () {
+    this.billingStub?.restore();
+  });
+
+  test('display billing/overview when license endpoint has consumption billing', async function (assert) {
+    this.server.get('/sys/license/features', () => ({ features: ['Consumption Billing'] }));
+    await login();
+
+    assert.dom(GENERAL.navLink('Billing metrics')).exists('Billing metrics nav link is present');
+    assert.dom(GENERAL.navLink('Billing metrics')).hasText('Billing metrics');
+    await click(GENERAL.navLink('Billing metrics'));
+    assert.strictEqual(currentURL(), '/vault/billing/overview');
+    assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Billing metrics');
+    assert
+      .dom(GENERAL.hdsPageHeaderDescription)
+      .hasText(
+        'Data reflects usage across this Vault cluster. Billing metrics determine license utilization.'
+      );
+    // Vault update every 10 minute only shows if the current month is selected.
+    assert
+      .dom(GENERAL.textBody('Last updated date time'))
+      .hasTextContaining('Values update every 10 minutes.');
+
+    assert.dom(GENERAL.cardContainer('Summary')).exists();
+
+    assert.dom(GENERAL.cardContainer('Secrets')).exists();
+
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.STATIC_SECRETS_KV)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.STATIC_SECRETS_KV)).hasText('10');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.DYNAMIC_ROLES_TOTAL)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.DYNAMIC_ROLES_TOTAL)).hasText('130');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.AUTO_ROTATED_ROLES_TOTAL)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.AUTO_ROTATED_ROLES_TOTAL)).hasText('70');
+
+    assert.dom(GENERAL.cardContainer('Credential units')).exists();
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.PKI_UNITS_TOTAL)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.PKI_UNITS_TOTAL)).hasText('100.1234');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.SSH_UNITS_OTP_UNITS)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.SSH_UNITS_OTP_UNITS)).hasText('50.1234');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.SSH_UNITS_CERTIFICATE_UNITS)).exists();
+    assert
+      .dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.SSH_UNITS_CERTIFICATE_UNITS))
+      .hasText('50.1234');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.ID_TOKEN_UNITS_OIDC)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.ID_TOKEN_UNITS_OIDC)).hasText('52.1234');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.ID_TOKEN_UNITS_SPIFFE)).exists();
+    assert
+      .dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.ID_TOKEN_UNITS_SPIFFE))
+      .hasText('51.1234');
+
+    assert.dom(GENERAL.cardContainer('Data protection calls')).exists();
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSFORM)).exists();
+    assert
+      .dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSFORM))
+      .hasText('220');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSIT)).exists();
+    assert
+      .dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.DATA_PROTECTION_CALLS_TRANSIT))
+      .hasText('200');
+    assert
+      .dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.DATA_PROTECTION_CALLS_GCPKMS))
+      .hasText('220');
+
+    assert.dom(GENERAL.cardContainer('Managed keys')).exists();
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.MANAGED_KEYS_TOTP)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.MANAGED_KEYS_TOTP)).hasText('220');
+    assert.dom(SELECTORS.metricDetail(NormalizedBillingMetrics.MANAGED_KEYS_KMSE)).exists();
+    assert.dom(SELECTORS.metricDetailValue(NormalizedBillingMetrics.MANAGED_KEYS_KMSE)).hasText('210');
+    await logout();
+  });
+
+  test('should not display updated at text if current month is not selected', async function (assert) {
+    this.server.get('/sys/license/features', () => ({ features: ['Consumption Billing'] }));
+    await login();
+    assert.dom(GENERAL.navLink('Billing metrics')).hasText('Billing metrics');
+    await click(GENERAL.navLink('Billing metrics'));
+    assert.strictEqual(currentURL(), '/vault/billing/overview');
+    await click(GENERAL.dropdownToggle('Date range'));
+    await click(GENERAL.menuItem('2025-12'));
+    assert.dom(GENERAL.textBody('Last updated date time')).hasTextContaining('Last updated: January 14');
+  });
+
+  test('display no data available when updated_at is invalid', async function (assert) {
+    this.server.get('/sys/license/features', () => ({ features: ['Consumption Billing'] }));
+    const mockMetricsInvalidDate = { ...this.mockMetrics };
+    mockMetricsInvalidDate.months[1].updated_at = '0001-01-01T00:00:00Z';
+    this.server.get('/sys/billing/overview', () => mockMetricsInvalidDate);
+    await login();
+    assert.dom(GENERAL.navLink('Billing metrics')).hasText('Billing metrics');
+    await click(GENERAL.navLink('Billing metrics'));
+    await click(GENERAL.dropdownToggle('Date range'));
+    await click(GENERAL.menuItem('2025-12'));
+    assert.dom(GENERAL.textBody('Last updated date time')).hasText('No data available.');
+    await logout();
+  });
+
+  test('hide billing/overview when license endpoint does not have consumption billing', async function (assert) {
+    this.server.get('/sys/license/features', () => ({ features: [] }));
+    await login();
+
+    assert.dom(GENERAL.navLink('Billing metrics')).doesNotExist('Billing metrics nav link is not present');
+    await logout();
+  });
+
+  test('should redirect to cluster dashboard when user switches namespace while on billing/overview route on enterprise', async function (assert) {
+    this.server.get('/sys/license/features', () => ({ features: ['Consumption Billing', 'Namespaces'] }));
+
+    // Login with root (no namespace)
+    await login();
+    const ns = 'namespace1';
+    await runCmd(createNS(ns), false);
+
+    assert.strictEqual(currentURL(), '/vault/dashboard', 'User is on dashboard after login');
+
+    // Navigate to billing/overview
+    await visit('/vault/billing/overview');
+    assert.strictEqual(currentURL(), '/vault/billing/overview', 'User navigated to billing overview');
+
+    // Trigger a route transition by visiting the current route again
+    await visit(`/vault/billing/overview?namespace=${ns}`);
+
+    // Should redirect back to cluster dashboard because namespace1 doesn't have billing permissions
+    assert.strictEqual(
+      currentURL(),
+      `/vault/dashboard?namespace=${ns}`,
+      'User is redirected to cluster dashboard after switching to namespace1'
+    );
+    await deleteNSFromPaths(ns);
+  });
+});
diff --git a/ui/tests/acceptance/clients/counts-test.js b/ui/tests/acceptance/clients/counts-test.js
index 34767c36d1..3731176992 100644
--- a/ui/tests/acceptance/clients/counts-test.js
+++ b/ui/tests/acceptance/clients/counts-test.js
@@ -154,7 +154,7 @@ module('Acceptance | clients | counts', function (hooks) {
       await click(CLIENT_COUNT.dateRange.edit);
       await click(CLIENT_COUNT.dateRange.dropdownOption(1));
       assert
-        .dom(GENERAL.hdsPageHeaderSubtitle)
+        .dom(GENERAL.hdsPageHeaderDescription)
         .hasTextContaining(`Dashboard last updated: ${format(STATIC_NOW, 'MMM d yyyy')}`);
       // Save URL with query params before clicking refresh
       const url = currentURL();
@@ -166,7 +166,7 @@ module('Acceptance | clients | counts', function (hooks) {
       assert.true(this.refreshSpy.calledOnce, 'router.refresh() is called once');
       assert.strictEqual(currentURL(), url, 'url is the same after clicking refresh');
       assert
-        .dom(GENERAL.hdsPageHeaderSubtitle)
+        .dom(GENERAL.hdsPageHeaderDescription)
         .hasTextContaining(`Dashboard last updated: ${format(fakeUpdatedNow, 'MMM d yyyy')}`);
     });
 
@@ -181,7 +181,7 @@ module('Acceptance | clients | counts', function (hooks) {
       await click(CLIENT_COUNT.dateRange.edit);
       await click(CLIENT_COUNT.dateRange.dropdownOption(1));
       assert
-        .dom(GENERAL.hdsPageHeaderSubtitle)
+        .dom(GENERAL.hdsPageHeaderDescription)
         .hasTextContaining(`Dashboard last updated: ${format(STATIC_NOW, 'MMM d yyyy')}`);
       // Save URL with query params before clicking refresh
       const url = currentURL();
@@ -193,7 +193,7 @@ module('Acceptance | clients | counts', function (hooks) {
       assert.true(this.refreshSpy.calledOnce, 'router.refresh() is called once');
       assert.strictEqual(currentURL(), url, 'url is the same after clicking refresh');
       assert
-        .dom(GENERAL.hdsPageHeaderSubtitle)
+        .dom(GENERAL.hdsPageHeaderDescription)
         .hasTextContaining(`Dashboard last updated: ${format(fakeUpdatedNow, 'MMM d yyyy')}`);
     });
   });
diff --git a/ui/tests/acceptance/clients/counts/overview-test.js b/ui/tests/acceptance/clients/counts/overview-test.js
index a8c022e335..926dcee379 100644
--- a/ui/tests/acceptance/clients/counts/overview-test.js
+++ b/ui/tests/acceptance/clients/counts/overview-test.js
@@ -14,10 +14,10 @@ import clientsHandler, {
 } from 'vault/mirage/handlers/clients';
 import syncHandler from 'vault/mirage/handlers/sync';
 import sinon from 'sinon';
-import { visit, click, findAll, fillIn, currentURL } from '@ember/test-helpers';
+import { visit, click, fillIn, currentURL, findAll } from '@ember/test-helpers';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
-import { CHARTS, CLIENT_COUNT, FILTERS } from 'vault/tests/helpers/clients/client-count-selectors';
+import { CLIENT_COUNT, CHARTS, FILTERS } from 'vault/tests/helpers/clients/client-count-selectors';
 import timestamp from 'core/utils/timestamp';
 import {
   ACTIVITY_EXPORT_STUB,
@@ -44,11 +44,19 @@ module('Acceptance | clients | overview', function (hooks) {
 
     await login();
     await visit('/vault/clients/counts/overview');
-    assert.dom(CLIENT_COUNT.statLegendValue('Secret sync clients')).doesNotExist();
-    assert.dom(CLIENT_COUNT.statLegendValue('Entity clients')).exists('other stats are still visible');
+    const donutLegendLabels = findAll(CHARTS.carbonLegendLabel('Client count and type distribution')).map(
+      (el) => el.textContent?.trim()
+    );
+    assert.notOk(
+      donutLegendLabels.includes('Secret sync clients'),
+      'donut legend does not include Secret sync clients'
+    );
+    assert.ok(donutLegendLabels.includes('Entity clients'), 'other stats are still visible');
 
     await click(GENERAL.inputByAttr('toggle view'));
-    assert.dom(CHARTS.legend).hasText('Entity clients Non-entity clients ACME clients');
+    assert
+      .dom('[data-test-chart="Client usage by month (stacked)"]')
+      .exists('stacked chart container renders');
   });
 
   test('it should render charts', async function (assert) {
@@ -70,9 +78,8 @@ module('Acceptance | clients | overview', function (hooks) {
       .dom(CLIENT_COUNT.card('Client usage trends'))
       .exists('Shows running totals with monthly breakdown charts');
     assert
-      .dom(`${CLIENT_COUNT.card('Client usage trends')} ${CHARTS.xAxisLabel}`)
-      .hasText('7/23', 'x-axis labels start with billing start date');
-    assert.dom(CHARTS.xAxisLabel).exists({ count: 7 }, 'chart months matches query');
+      .dom('[data-test-chart="Client usage by month (simple)"]')
+      .exists('simple chart container renders for the default view');
   });
 
   module('community', function (hooks) {
@@ -111,9 +118,8 @@ module('Acceptance | clients | overview', function (hooks) {
         .dom(CLIENT_COUNT.card('Client usage trends'))
         .exists('Shows running totals with monthly breakdown charts');
       assert
-        .dom(`${CLIENT_COUNT.card('Client usage trends')} ${CHARTS.xAxisLabel}`)
-        .hasText('9/23', 'x-axis labels start with queried start month (upgrade date)');
-      assert.dom(CHARTS.xAxisLabel).exists({ count: 4 }, 'chart months matches query');
+        .dom('[data-test-chart="Client usage by month (simple)"]')
+        .exists('simple chart container renders for the queried date range');
 
       // query for single, historical month (upgrade month)
       await click(CLIENT_COUNT.dateRange.edit);
@@ -125,9 +131,11 @@ module('Acceptance | clients | overview', function (hooks) {
         .exists('running total month over month charts show');
 
       // query historical date range (from September 2023 to December 2023)
+      const historicalStartMonth = '2023-09';
+      const historicalEndMonth = '2023-12';
       await click(CLIENT_COUNT.dateRange.edit);
-      await fillIn(CLIENT_COUNT.dateRange.editDate('start'), '2023-09');
-      await fillIn(CLIENT_COUNT.dateRange.editDate('end'), '2023-12');
+      await fillIn(CLIENT_COUNT.dateRange.editDate('start'), historicalStartMonth);
+      await fillIn(CLIENT_COUNT.dateRange.editDate('end'), historicalEndMonth);
       await click(GENERAL.submitButton);
 
       assert
@@ -140,11 +148,15 @@ module('Acceptance | clients | overview', function (hooks) {
         .dom(CLIENT_COUNT.card('Client usage trends'))
         .exists('Shows running totals with monthly breakdown charts');
 
-      assert.dom(CHARTS.xAxisLabel).exists({ count: 4 }, 'chart months matches query');
-      const xAxisLabels = findAll(CHARTS.xAxisLabel);
       assert
-        .dom(xAxisLabels[xAxisLabels.length - 1])
-        .hasText('12/23', 'x-axis labels end with queried end month');
+        .dom('[data-test-chart="Client usage by month (simple)"]')
+        .exists('simple chart container remains rendered for the historical range');
+
+      const xTickLabels = findAll(CHARTS.carbonXAxisTick('Client usage by month (simple)'))
+        .map((el) => el.textContent?.trim())
+        .filter(Boolean);
+      const expectedStartTick = parseAPITimestamp(`${historicalStartMonth}-01T00:00:00Z`, 'M/yy');
+      assert.true(xTickLabels.includes(expectedStartTick), 'x-axis includes queried start month');
     });
 
     test('it does not render client list links for community versions', async function (assert) {
@@ -309,16 +321,14 @@ module('Acceptance | clients | overview', function (hooks) {
     test('it should show secrets sync stats when the feature is activated', async function (assert) {
       await login();
       await visit('/vault/clients/counts/overview');
-      assert
-        .dom(CLIENT_COUNT.statLegendValue('Secret sync clients'))
-        .exists('shows secret sync data on overview');
+      const donutLegendLabels = findAll(CHARTS.carbonLegendLabel('Client count and type distribution')).map(
+        (el) => el.textContent?.trim()
+      );
+      assert.ok(donutLegendLabels.includes('Secret sync clients'), 'shows secret sync data on overview');
       await click(GENERAL.inputByAttr('toggle view'));
       assert
-        .dom(CHARTS.legend)
-        .hasText(
-          'Entity clients Non-entity clients ACME clients Secret sync clients',
-          'it renders legend in order that matches the stacked bar data'
-        );
+        .dom('[data-test-chart="Client usage by month (stacked)"]')
+        .exists('stacked chart container renders when the feature is activated');
     });
 
     test('it should hide secrets sync stats when feature is NOT activated', async function (assert) {
@@ -330,17 +340,18 @@ module('Acceptance | clients | overview', function (hooks) {
 
       await login();
       await visit('/vault/clients/counts/overview');
-      assert
-        .dom(CLIENT_COUNT.statLegendValue('Secret sync clients'))
-        .doesNotExist('stat is hidden because feature is not activated');
-      assert.dom(CLIENT_COUNT.statLegendValue('Entity clients')).exists('other stats are still visible');
+      const donutLegendLabels = findAll(CHARTS.carbonLegendLabel('Client count and type distribution')).map(
+        (el) => el.textContent?.trim()
+      );
+      assert.notOk(
+        donutLegendLabels.includes('Secret sync clients'),
+        'stat is hidden because feature is not activated'
+      );
+      assert.ok(donutLegendLabels.includes('Entity clients'), 'other stats are still visible');
       await click(GENERAL.inputByAttr('toggle view'));
       assert
-        .dom(CHARTS.legend)
-        .hasText(
-          'Entity clients Non-entity clients ACME clients',
-          'it renders legend in order that matches the stacked bar data and does not include secret sync'
-        );
+        .dom('[data-test-chart="Client usage by month (stacked)"]')
+        .exists('stacked chart container renders without secret sync in the stats view');
     });
   });
 });
diff --git a/ui/tests/acceptance/cluster-test.js b/ui/tests/acceptance/cluster-test.js
index d01e8e64bd..84f103953a 100644
--- a/ui/tests/acceptance/cluster-test.js
+++ b/ui/tests/acceptance/cluster-test.js
@@ -10,7 +10,7 @@ import { v4 as uuidv4 } from 'uuid';
 
 import { login, loginMethod, logout } from 'vault/tests/helpers/auth/auth-helpers';
 import { mountBackend } from 'vault/tests/helpers/components/mount-backend-form-helpers';
-import { runCmd } from 'vault/tests/helpers/commands';
+import { mountEngineCmd, runCmd, deleteEngineCmd } from 'vault/tests/helpers/commands';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 const tokenWithPolicy = async function (name, policy) {
@@ -120,4 +120,15 @@ module('Acceptance | cluster', function (hooks) {
       'Navigating to /secrets redirects to /secrets-engines'
     );
   });
+
+  test('redirects to /secrets-engines/kv/kv/list from legacy /secrets/kv/kv/list path', async function (assert) {
+    await runCmd(mountEngineCmd('kv', this.backend), false);
+    await visit('/vault/secrets/kv/kv/list');
+    assert.strictEqual(
+      currentURL(),
+      '/vault/secrets-engines/kv/kv/list',
+      'Navigating to /secrets redirects to /secrets-engines'
+    );
+    await runCmd(deleteEngineCmd('kv'));
+  });
 });
diff --git a/ui/tests/acceptance/config-ui/messages/messages-test.js b/ui/tests/acceptance/config-ui/messages/messages-test.js
index a602379b1d..0dfed9db25 100644
--- a/ui/tests/acceptance/config-ui/messages/messages-test.js
+++ b/ui/tests/acceptance/config-ui/messages/messages-test.js
@@ -6,7 +6,7 @@
 import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { click, visit, fillIn, findAll, waitFor } from '@ember/test-helpers';
+import { click, visit, fillIn, findAll, waitFor, currentURL } from '@ember/test-helpers';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { runCmd } from 'vault/tests/helpers/commands';
 import { format, addDays, startOfDay } from 'date-fns';
@@ -15,13 +15,6 @@ import { CUSTOM_MESSAGES } from 'vault/tests/helpers/config-ui/message-selectors
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { encodeString } from 'core/utils/b64';
 
-const MESSAGES_LIST = {
-  listItem: '.linked-block',
-  filterBy: (name) => `[data-test-filter-by="${name}"]`,
-  filterSubmit: '[data-test-filter-submit]',
-  filterReset: '[data-test-filter-reset]',
-};
-
 module('Acceptance | Community | config-ui/messages', function (hooks) {
   setupApplicationTest(hooks);
   setupMirage(hooks);
@@ -171,27 +164,27 @@ module('Acceptance | Enterprise | config-ui/message', function (hooks) {
     });
     await visit('vault/config-ui/messages?pageFilter=foobar&status=inactive&type=banner');
     // check that filters inherit param values
-    assert.dom(MESSAGES_LIST.filterBy('pageFilter')).hasValue('foobar');
-    assert.dom(MESSAGES_LIST.filterBy('status')).hasValue('inactive');
-    assert.dom(MESSAGES_LIST.filterBy('type')).hasValue('banner');
+    assert.dom(GENERAL.filter('pageFilter')).hasValue('foobar');
+    assert.dom(GENERAL.filter('status')).hasValue('inactive');
+    assert.dom(GENERAL.filter('type')).hasValue('banner');
     assert.dom(GENERAL.emptyStateTitle).exists();
 
     // clear filters works
-    await click(MESSAGES_LIST.filterReset);
-    assert.dom(MESSAGES_LIST.listItem).exists({ count: 2 });
+    await click(GENERAL.button('reset'));
+    assert.dom(GENERAL.listItem()).exists({ count: 2 });
 
     // check number of messages with status filters
-    await fillIn(MESSAGES_LIST.filterBy('status'), 'active');
+    await fillIn(GENERAL.filter('status'), 'active');
     await click(GENERAL.submitButton);
-    assert.dom(MESSAGES_LIST.listItem).exists({ count: 1 }, 'list filters by status');
+    assert.dom(GENERAL.listItem()).exists({ count: 1 }, 'list filters by status');
 
     // check number of messages with type filters
-    await click(MESSAGES_LIST.filterReset);
-    await fillIn(MESSAGES_LIST.filterBy('type'), 'modal');
+    await click(GENERAL.button('reset'));
+    await fillIn(GENERAL.filter('type'), 'modal');
     await click(GENERAL.submitButton);
     // because of test pollution, we cannot guarantee that the list will be empty
     // make sure only modal messages or no messages are shown
-    const messages = findAll(MESSAGES_LIST.listItem);
+    const messages = findAll(GENERAL.listItem());
     const allMessages = Array.from(messages || []);
     const modalMessages = allMessages.filter((node) => node.querySelector('[data-test-badge="modal"]'));
 
@@ -203,10 +196,68 @@ module('Acceptance | Enterprise | config-ui/message', function (hooks) {
       'if there are items in the list, they are modal messages'
     );
     // unsetting a filter will reset that item in the query
-    await fillIn(MESSAGES_LIST.filterBy('type'), '');
-    await fillIn(MESSAGES_LIST.filterBy('status'), 'inactive');
+    await fillIn(GENERAL.filter('type'), '');
+    await fillIn(GENERAL.filter('status'), 'inactive');
     await click(GENERAL.submitButton);
-    assert.dom(MESSAGES_LIST.listItem).exists({ count: 1 }, 'list filters by status again');
+    assert.dom(GENERAL.listItem()).exists({ count: 1 }, 'list filters by status again');
+
+    // delete the created messages
+    await this.deleteMessages();
+  });
+
+  test('it should clear filter params when switching between tabs', async function (assert) {
+    await this.createMessageRepl({ title: 'tab-switch-test-1', type: 'banner', authenticated: true });
+    await this.createMessageRepl({ title: 'tab-switch-test-2', type: 'modal', authenticated: false });
+
+    // Start on authenticated tab with filters applied
+    await visit('vault/config-ui/messages?authenticated=true&pageFilter=test&status=active&type=banner');
+
+    // Verify filters are applied
+    assert.dom(GENERAL.filter('pageFilter')).hasValue('test', 'pageFilter is set');
+    assert.dom(GENERAL.filter('status')).hasValue('active', 'status filter is set');
+    assert.dom(GENERAL.filter('type')).hasValue('banner', 'type filter is set');
+
+    // Switch to unauthenticated tab
+    await click(CUSTOM_MESSAGES.tab('On login page'));
+
+    // Verify filters are cleared after tab switch
+    assert.dom(GENERAL.filter('pageFilter')).hasValue('', 'pageFilter is cleared after tab switch');
+    assert.dom(GENERAL.filter('status')).hasValue('', 'status filter is cleared after tab switch');
+    assert.dom(GENERAL.filter('type')).hasValue('', 'type filter is cleared after tab switch');
+
+    // Verify URL params are cleared (except authenticated and page)
+    const unauthenticatedUrl = currentURL();
+    assert.true(unauthenticatedUrl.includes('authenticated=false'), 'authenticated param is set to false');
+    assert.false(unauthenticatedUrl.includes('pageFilter'), 'pageFilter param is not in URL');
+    assert.false(unauthenticatedUrl.includes('status'), 'status param is not in URL');
+    assert.false(unauthenticatedUrl.includes('type'), 'type param is not in URL');
+
+    // Apply filters on unauthenticated tab
+    await fillIn(GENERAL.filter('pageFilter'), 'modal-test');
+    await fillIn(GENERAL.filter('type'), 'modal');
+    await click(GENERAL.submitButton);
+
+    // Verify filters are applied
+    assert
+      .dom(GENERAL.filter('pageFilter'))
+      .hasValue('modal-test', 'pageFilter is set on unauthenticated tab');
+    assert.dom(GENERAL.filter('type')).hasValue('modal', 'type filter is set on unauthenticated tab');
+
+    // Switch back to authenticated tab
+    await click(CUSTOM_MESSAGES.tab('After user logs in'));
+
+    // Verify filters are cleared again
+    assert.dom(GENERAL.filter('pageFilter')).hasValue('', 'pageFilter is cleared when switching back');
+    assert.dom(GENERAL.filter('type')).hasValue('', 'type filter is cleared when switching back');
+
+    // Verify URL params are cleared
+    const authenticated = currentURL();
+    const authenticatedParam =
+      authenticated.includes('authenticated=true') || !authenticated.includes('authenticated=false');
+    assert.true(authenticatedParam, 'authenticated param is set to true or uses default');
+    assert.false(authenticated.includes('pageFilter'), 'pageFilter param is not in URL after switching back');
+    assert.false(authenticated.includes('status'), 'status param is not in URL after switching back');
+    assert.false(authenticated.includes('type'), 'type param is not in URL after switching back');
 
     // delete the created messages
     await this.deleteMessages();
diff --git a/ui/tests/acceptance/console-test.js b/ui/tests/acceptance/console-test.js
index c56dbf44f8..4bb9e47c24 100644
--- a/ui/tests/acceptance/console-test.js
+++ b/ui/tests/acceptance/console-test.js
@@ -34,7 +34,7 @@ module('Acceptance | console', function (hooks) {
     await consoleComponent.runCommands('refresh');
     await settled();
     for (const id of ids) {
-      assert.dom(GENERAL.tableRow(`console-route-${id}/`)).exists('new engine is shown on the page');
+      assert.dom(GENERAL.listItem(`console-route-${id}/`)).exists('new engine is shown on the page');
     }
     // Clean up
     for (const id of ids) {
@@ -45,7 +45,7 @@ module('Acceptance | console', function (hooks) {
     await consoleComponent.runCommands('refresh');
     await settled();
     for (const id of ids) {
-      assert.dom(GENERAL.tableRow(`console-route-${id}/`)).doesNotExist('engine was removed');
+      assert.dom(GENERAL.listItem(`console-route-${id}/`)).doesNotExist('engine was removed');
     }
   });
 
diff --git a/ui/tests/acceptance/custom-messages-test.js b/ui/tests/acceptance/custom-messages-test.js
index 1a2fb4db75..c0c3cfe960 100644
--- a/ui/tests/acceptance/custom-messages-test.js
+++ b/ui/tests/acceptance/custom-messages-test.js
@@ -4,10 +4,47 @@
  */
 
 import { module, test } from 'qunit';
-import { visit } from '@ember/test-helpers';
+import { visit, fillIn, click, select } from '@ember/test-helpers';
 import { setupApplicationTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { CUSTOM_MESSAGES } from 'vault/tests/helpers/config-ui/message-selectors';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { login, logout } from 'vault/tests/helpers/auth/auth-helpers';
+
+// Helper function to generate mock messages
+function generateMessages(authenticated, count = 12) {
+  const messages = {
+    request_id: `${authenticated ? 'auth' : 'unauth'}-request-id`,
+    lease_id: '',
+    renewable: false,
+    lease_duration: 0,
+    data: {
+      key_info: {},
+      keys: [],
+    },
+    wrap_info: null,
+    warnings: null,
+    auth: null,
+    mount_type: '',
+  };
+
+  for (let i = 0; i < count; i++) {
+    const id = `${authenticated ? 'auth' : 'unauth'}-message-${i}`;
+    messages.data.keys.push(id);
+    messages.data.key_info[id] = {
+      authenticated,
+      active: i < 3,
+      end_time: null,
+      message: btoa(`${authenticated ? 'Authenticated' : 'Unauthenticated'} message content ${i}`),
+      options: null,
+      start_time: '2024-01-01T08:00:00Z',
+      title: `${authenticated ? 'Auth' : 'Unauth'} Message ${i}`,
+      type: i % 2 === 0 ? 'banner' : 'modal',
+    };
+  }
+
+  return messages;
+}
 
 const authenticatedMessageResponse = {
   request_id: '664fbad0-fcd8-9023-4c5b-81a7962e9f4b',
@@ -109,4 +146,176 @@ module('Acceptance | custom messages', function (hooks) {
     assert.dom(CUSTOM_MESSAGES.alertTitle(bannerIdTwo)).hasText('Banner title 2');
     assert.dom(CUSTOM_MESSAGES.alertDescription(bannerIdTwo)).hasText('here is a cool message');
   });
+
+  test('it should filter by message title and paginate', async function (assert) {
+    assert.expect(7);
+
+    await login();
+
+    // Mock authenticated messages endpoint with 12+ messages
+    this.server.get('/sys/config/ui/custom-messages', function () {
+      return generateMessages(true, 12);
+    });
+
+    // Visit the custom messages page
+    await visit('/vault/config-ui/messages');
+
+    // Verify pagination is present (more than 10 messages)
+    assert.dom(GENERAL.pagination).exists('Pagination exists for messages list');
+    // Test filtering by title
+    await fillIn(GENERAL.filter('pageFilter'), 'Auth Message 1');
+    await click(GENERAL.submitButton);
+
+    // After filtering, we should see only messages matching "Auth Message 1"
+    // This would include "Auth Message 1", "Auth Message 10", "Auth Message 11"
+    assert.dom(GENERAL.listItem()).exists({ count: 3 }, 'Filter shows matching messages');
+
+    // Clear filter
+    await click(GENERAL.button('reset'));
+
+    // Verify all messages are shown again (first page of 10)
+    assert.dom(GENERAL.listItem()).exists({ count: 10 }, 'All messages shown after clearing filter');
+
+    // Test filtering with no results
+    await fillIn(GENERAL.filter('pageFilter'), 'NonExistentMessage');
+    await click(GENERAL.submitButton);
+    assert.dom(GENERAL.emptyStateTitle).exists('No messages yet');
+
+    // Clear filter again
+    await click(GENERAL.button('reset'));
+
+    // Test pagination after filtering
+    await fillIn(GENERAL.filter('pageFilter'), 'Message 0');
+    await click(GENERAL.submitButton);
+    assert.dom(GENERAL.listItem()).exists('Filtered results are displayed');
+
+    // Clear and navigate to next page
+    await click(GENERAL.button('reset'));
+    await click(GENERAL.nextPage);
+    assert.dom(GENERAL.listItem()).exists('Second page of messages loads');
+
+    // Test filter message status
+    await select(GENERAL.filter('status'), 'active');
+
+    await click(GENERAL.submitButton);
+    assert.dom(GENERAL.listItem()).exists('Filtered results are displayed');
+
+    await logout();
+  });
+
+  test('it should filter by message status and type', async function (assert) {
+    // Mock the list endpoint to respond based on query params
+    this.server.get('/sys/config/ui/custom-messages', function (schema, request) {
+      const { active, authenticated, type } = request.queryParams;
+      const isAuthenticated = authenticated === 'true';
+      const allMessages = generateMessages(isAuthenticated, 12);
+
+      // Filter by active status if specified
+      let filteredKeys = allMessages.data.keys;
+      if (active !== undefined) {
+        const isActive = active === 'true';
+        filteredKeys = filteredKeys.filter((key) => {
+          return allMessages.data.key_info[key].active === isActive;
+        });
+      }
+
+      // Filter by type if specified
+      if (type) {
+        filteredKeys = filteredKeys.filter((key) => {
+          return allMessages.data.key_info[key].type === type;
+        });
+      }
+
+      // Build filtered response
+      allMessages.data.keys = filteredKeys;
+      const filteredKeyInfo = {};
+      filteredKeys.forEach((key) => {
+        filteredKeyInfo[key] = allMessages.data.key_info[key];
+      });
+      allMessages.data.key_info = filteredKeyInfo;
+
+      return allMessages;
+    });
+
+    await login();
+
+    // Visit the custom messages page
+    await visit('/vault/config-ui/messages');
+
+    // Verify initial state - should show all messages (first page of 10)
+    assert.dom(GENERAL.listItem()).exists({ count: 10 }, 'Initial page shows 10 messages');
+
+    // Test filtering by status (active)
+    await fillIn(GENERAL.filter('status'), 'active');
+    await click(GENERAL.submitButton);
+
+    // Verify URL contains status parameter
+    assert.ok(
+      this.owner.lookup('service:router').currentURL.includes('status=active'),
+      'URL includes status=active parameter'
+    );
+    // With hardcoded active messages (0-7), we should have 8 active messages
+    assert.dom(GENERAL.listItem()).exists({ count: 3 }, 'Shows 3 active messages when filtered by status');
+
+    // Test filtering by type (banner)
+    await fillIn(GENERAL.filter('type'), 'banner');
+    await click(GENERAL.submitButton);
+
+    // Verify URL contains type parameter
+    assert.ok(
+      this.owner.lookup('service:router').currentURL.includes('type=banner'),
+      'URL includes type=banner parameter'
+    );
+
+    // Verify filtered results show only active banner messages
+    // Active messages: 0-7, Banners (even indices): 0, 2, 4, 6 = 4 active banners
+    assert
+      .dom(GENERAL.listItem())
+      .exists({ count: 2 }, 'Shows 2 active banner messages when filtered by status and type');
+    assert.dom(CUSTOM_MESSAGES.badge('banner')).exists('Banner badge is shown');
+
+    // Clear status filter and test type filter alone
+    await fillIn(GENERAL.filter('status'), '');
+    await click(GENERAL.submitButton);
+
+    assert.dom(GENERAL.listItem()).exists({ count: 6 }, 'Shows 6 banner messages when filtered by type only');
+
+    // Test filtering by both status (active) and type (modal)
+    await fillIn(GENERAL.filter('status'), 'active');
+    await fillIn(GENERAL.filter('type'), 'modal');
+    await click(GENERAL.submitButton);
+
+    // Verify URL contains both parameters
+    assert.ok(
+      this.owner.lookup('service:router').currentURL.includes('status=active'),
+      'URL includes status parameter'
+    );
+    assert.ok(
+      this.owner.lookup('service:router').currentURL.includes('type=modal'),
+      'URL includes type parameter'
+    );
+
+    assert
+      .dom(GENERAL.listItem())
+      .exists({ count: 1 }, 'Shows 1 active modal messages when filtered by status and type');
+    assert.dom(CUSTOM_MESSAGES.badge('modal')).exists('Modal badge is shown');
+
+    // Test reset filters button
+    await click(GENERAL.button('reset'));
+
+    // Verify filters are cleared
+    assert.notOk(
+      this.owner.lookup('service:router').currentURL.includes('status='),
+      'Status filter is cleared from URL'
+    );
+    assert.notOk(
+      this.owner.lookup('service:router').currentURL.includes('type='),
+      'Type filter is cleared from URL'
+    );
+
+    // Verify all messages are shown again
+    assert.dom(GENERAL.listItem()).exists({ count: 10 }, 'All messages shown after clearing filters');
+
+    await logout();
+  });
 });
diff --git a/ui/tests/acceptance/dashboard-test.js b/ui/tests/acceptance/dashboard-test.js
index 77afdc6c16..d5f8fca63e 100644
--- a/ui/tests/acceptance/dashboard-test.js
+++ b/ui/tests/acceptance/dashboard-test.js
@@ -7,7 +7,6 @@ import { module, test } from 'qunit';
 import { visit, currentURL } from '@ember/test-helpers';
 import { setupApplicationTest } from 'vault/tests/helpers';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
-import { DASHBOARD } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import Sinon from 'sinon';
 
@@ -39,7 +38,7 @@ module('Acceptance | landing page dashboard', function (hooks) {
     const nsStub = Sinon.stub(this.namespace, 'inRootNamespace').get(() => false);
     await login();
     await visit('/vault/dashboard');
-    assert.dom(DASHBOARD.cardName('configuration-details')).doesNotExist();
+    assert.dom(GENERAL.widget('cluster configuration')).doesNotExist();
     nsStub.restore();
   });
 });
diff --git a/ui/tests/acceptance/enterprise-kmse-test.js b/ui/tests/acceptance/enterprise-kmse-test.js
index 4f5ed2594c..b7bb2e9d96 100644
--- a/ui/tests/acceptance/enterprise-kmse-test.js
+++ b/ui/tests/acceptance/enterprise-kmse-test.js
@@ -43,13 +43,14 @@ module('Acceptance | Enterprise | keymgmt', function (hooks) {
   test('it should add new key and distribute to provider', async function (assert) {
     const path = `keymgmt-${Date.now()}`;
     this.server.post(`/${path}/key/test-key`, () => ({}));
-    this.server.put(`/${path}/kms/test-keyvault/key/test-key`, () => ({}));
+    this.server.post(`/${path}/kms/test-keyvault/key/test-key`, () => ({}));
+    this.server.get(`/${path}/kms/test-keyvault/key`, () => ({ data: { keys: ['test-key'] } }));
 
     await mountSecrets.enable('keymgmt', path);
     await click(SES.createSecretLink);
     await fillIn('[data-test-input="provider"]', 'azurekeyvault');
     await fillIn('[data-test-input="name"]', 'test-keyvault');
-    await fillIn('[data-test-input="keyCollection"]', 'test-keycollection');
+    await fillIn('[data-test-input="key_collection"]', 'test-keycollection');
     await fillIn('[data-test-input="credentials.client_id"]', '123');
     await fillIn('[data-test-input="credentials.client_secret"]', '456');
     await fillIn('[data-test-input="credentials.tenant_id"]', '789');
@@ -62,7 +63,6 @@ module('Acceptance | Enterprise | keymgmt', function (hooks) {
     await click('[data-test-operation="encrypt"]');
     await fillIn('[data-test-protection="hsm"]', 'hsm');
 
-    this.server.get(`/${path}/kms/test-keyvault/key`, () => ({ data: { keys: ['test-key'] } }));
     await click('[data-test-secret-save]');
     await click('[data-test-kms-provider-tab="keys"] a');
     assert.dom('[data-test-secret-link="test-key"]').exists('Key is listed under keys tab of provider');
diff --git a/ui/tests/acceptance/enterprise-namespaces-test.js b/ui/tests/acceptance/enterprise-namespaces-test.js
index 7c45a46b66..ac4bbdfefa 100644
--- a/ui/tests/acceptance/enterprise-namespaces-test.js
+++ b/ui/tests/acceptance/enterprise-namespaces-test.js
@@ -20,15 +20,15 @@ import { runCmd, createNSFromPaths, deleteNSFromPaths } from 'vault/tests/helper
 import { login, loginNs, logout } from 'vault/tests/helpers/auth/auth-helpers';
 import { AUTH_FORM } from 'vault/tests/helpers/auth/auth-form-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
-import localStorage from 'vault/lib/local-storage';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 module('Acceptance | Enterprise | namespaces', function (hooks) {
   setupApplicationTest(hooks);
 
-  hooks.beforeEach(async () => {
+  hooks.beforeEach(async function () {
     await login();
     // dismiss wizard
-    localStorage.setItem('dismissed-wizards', ['namespace']);
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.namespace);
   });
 
   test('it focuses the search input field when user toggles namespace picker', async function (assert) {
diff --git a/ui/tests/acceptance/enterprise-transform-test.js b/ui/tests/acceptance/enterprise-transform-test.js
index 24e8354d0f..a0b6ce24c3 100644
--- a/ui/tests/acceptance/enterprise-transform-test.js
+++ b/ui/tests/acceptance/enterprise-transform-test.js
@@ -92,11 +92,11 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
     );
     assert.ok(GENERAL.emptyStateTitle, 'renders empty state');
     assert
-      .dom('.active[data-test-secret-list-tab="Transformations"]')
+      .dom(`.active${GENERAL.secretTab('Transformations')}`)
       .exists('Has Transformations tab which is active');
-    assert.dom('[data-test-secret-list-tab="Roles"]').exists('Has Roles tab');
-    assert.dom('[data-test-secret-list-tab="Templates"]').exists('Has Templates tab');
-    assert.dom('[data-test-secret-list-tab="Alphabets"]').exists('Has Alphabets tab');
+    assert.dom(GENERAL.secretTab('Roles')).exists('Has Roles tab');
+    assert.dom(GENERAL.secretTab('Templates')).exists('Has Templates tab');
+    assert.dom(GENERAL.secretTab('Alphabets')).exists('Has Alphabets tab');
   });
 
   test('it can create a transformation and add itself to the role attached', async function (assert) {
@@ -142,7 +142,7 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
       `/vault/secrets-engines/${backend}/show/${transformationName}`,
       'redirects to show transformation page after submit'
     );
-    await click(`[data-test-secret-breadcrumb="${backend}"] a`);
+    await click(GENERAL.breadcrumbLink(backend));
     assert.strictEqual(
       currentURL(),
       `/vault/secrets-engines/${backend}/list`,
@@ -157,13 +157,13 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
     await mountBackend('transform', backend);
     // create transformation without role
     await newTransformation(backend, 'a-transformation', true);
-    await click(`[data-test-secret-breadcrumb="${backend}"] a`);
+    await click(GENERAL.breadcrumbLink(backend));
     assert.strictEqual(
       currentURL(),
       `/vault/secrets-engines/${backend}/list`,
       'Links back to list view from breadcrumb'
     );
-    await click('[data-test-secret-list-tab="Roles"]');
+    await click(GENERAL.secretTab('Roles'));
     assert.strictEqual(
       currentURL(),
       `/vault/secrets-engines/${backend}/list?tab=role`,
@@ -186,7 +186,7 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
       `/vault/secrets-engines/${backend}/show/role/${roleName}`,
       'redirects to show role page after submit'
     );
-    await click(`[data-test-secret-breadcrumb="${backend}"] a`);
+    await click(GENERAL.breadcrumbLink(backend));
     assert.strictEqual(
       currentURL(),
       `/vault/secrets-engines/${backend}/list?tab=role`,
@@ -203,7 +203,7 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
     await newRole(backend, roleName);
     await transformationsPage.visitShow({ backend, id: transformation });
     await settled();
-    assert.dom('[data-test-row-value="Allowed roles"]').hasText(roleName);
+    assert.dom(GENERAL.infoRowValue('Allowed roles')).hasText(roleName);
   });
 
   test('it shows a message if an update fails after save', async function (assert) {
@@ -217,7 +217,7 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
     await newRole(backend, roleName);
     await settled();
     await transformationsPage.visitShow({ backend, id: transformation });
-    assert.dom('[data-test-row-value="Allowed roles"]').hasText(roleName);
+    assert.dom(GENERAL.infoRowValue('Allowed roles')).hasText(roleName);
     // Edit transformation
     await click('[data-test-edit-link]');
     assert.dom('#transformation-edit-modal').exists('Confirmation modal appears');
@@ -230,17 +230,17 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
     );
     // remove role
     await settled();
-    await click('#allowed_roles [data-test-selected-list-button="delete"]');
+    await click(`#allowed_roles ${GENERAL.searchSelect.removeSelected}`);
 
     await click(GENERAL.submitButton);
-    assert.dom('.flash-message.is-info').exists('Shows info message since role could not be updated');
+    assert.dom(GENERAL.flashMessage).exists('Shows info message since role could not be updated');
     assert.strictEqual(
       currentURL(),
       `/vault/secrets-engines/${backend}/show/${transformation}`,
       'Correctly links to show page for secret'
     );
     assert
-      .dom('[data-test-row-value="Allowed roles"]')
+      .dom(GENERAL.infoRowValue('Allowed roles'))
       .doesNotExist('Allowed roles are no longer on the transformation');
   });
 
@@ -249,7 +249,7 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
     await visit('/vault/secrets-engines/enable');
     const backend = `transform-${uuidv4()}`;
     await mountBackend('transform', backend);
-    await click('[data-test-secret-list-tab="Templates"]');
+    await click(GENERAL.secretTab('Templates'));
 
     assert.strictEqual(
       currentURL(),
@@ -283,7 +283,7 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
       'Links to template edit page'
     );
     await settled();
-    assert.dom('[data-test-input="name"]').hasAttribute('readonly');
+    assert.dom(GENERAL.inputByAttr('name')).hasAttribute('readonly');
   });
 
   test('it allows creation and edit of an alphabet', async function (assert) {
@@ -291,7 +291,7 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
     await visit('/vault/secrets-engines/enable');
     const backend = `transform-${uuidv4()}`;
     await mountBackend('transform', backend);
-    await click('[data-test-secret-list-tab="Alphabets"]');
+    await click(GENERAL.secretTab('Alphabets'));
 
     assert.strictEqual(
       currentURL(),
@@ -312,8 +312,8 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
       `/vault/secrets-engines/${backend}/show/alphabet/${alphabetName}`,
       'redirects to show alphabet page after submit'
     );
-    assert.dom('[data-test-row-value="Name"]').hasText(alphabetName);
-    assert.dom('[data-test-row-value="Alphabet"]').hasText('aeiou');
+    assert.dom(GENERAL.infoRowValue('Name')).hasText(alphabetName);
+    assert.dom(GENERAL.infoRowValue('Alphabet')).hasText('aeiou');
     await alphabetsPage.editLink();
     await settled();
     assert.strictEqual(
@@ -321,6 +321,6 @@ module('Acceptance | Enterprise | Transform secrets', function (hooks) {
       `/vault/secrets-engines/${backend}/edit/alphabet/${alphabetName}`,
       'Links to alphabet edit page'
     );
-    assert.dom('[data-test-input="name"]').hasAttribute('readonly');
+    assert.dom(GENERAL.inputByAttr('name')).hasAttribute('readonly');
   });
 });
diff --git a/ui/tests/acceptance/managed-namespace-test.js b/ui/tests/acceptance/managed-namespace-test.js
index cd21ea9af0..2b8deec55c 100644
--- a/ui/tests/acceptance/managed-namespace-test.js
+++ b/ui/tests/acceptance/managed-namespace-test.js
@@ -18,6 +18,7 @@ module('Acceptance | Enterprise | Managed namespace root', function (hooks) {
     this.server.get('/sys/internal/ui/feature-flags', () => {
       return { feature_flags: ['VAULT_CLOUD_ADMIN_NAMESPACE'] };
     });
+    window.localStorage.clear();
   });
 
   test('it shows the managed namespace toolbar when feature flag exists', async function (assert) {
diff --git a/ui/tests/acceptance/mfa-login-enforcement-test.js b/ui/tests/acceptance/mfa-login-enforcement-test.js
index cae3f3c536..8090b7983c 100644
--- a/ui/tests/acceptance/mfa-login-enforcement-test.js
+++ b/ui/tests/acceptance/mfa-login-enforcement-test.js
@@ -38,7 +38,7 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
     await click(GENERAL.tab('enforcements'));
     await click('[data-test-enforcement-create]');
     // Fill out form
-    await fillIn('[data-test-mlef-input="name"]', 'salad-college-setting');
+    await fillIn(GENERAL.inputByAttr('name'), 'salad-college-setting');
     await click('[data-test-component="search-select"] .ember-basic-dropdown-trigger');
     await click('.ember-power-select-option');
     await fillIn('[data-test-mount-accessor-select]', 'auth_userpass_bb95c2b1');
@@ -54,9 +54,13 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
 
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('New enforcement', 'Title renders');
     await click('[data-test-mlef-save]');
+
+    assert
+      .dom(GENERAL.validationErrorByAttr('name'))
+      .exists({ count: 1 }, 'Name field validation errors are displayed');
     assert
       .dom('[data-test-inline-error-message]')
-      .exists({ count: 3 }, 'Validation error messages are displayed');
+      .exists({ count: 2 }, 'MFA methods and Targets validation error messages are displayed');
 
     await click('[data-test-mlef-cancel]');
     assert.strictEqual(
@@ -65,7 +69,7 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
       'Cancel transitions to enforcements list'
     );
     await click('[data-test-enforcement-create]');
-    await click(GENERAL.breadcrumbAtIdx(1));
+    await click(GENERAL.breadcrumbAtIdx(2));
     assert.strictEqual(
       currentRouteName(),
       'vault.cluster.access.mfa.enforcements.index',
@@ -73,7 +77,7 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
     );
     await click('[data-test-enforcement-create]');
 
-    await fillIn('[data-test-mlef-input="name"]', 'foo');
+    await fillIn(GENERAL.inputByAttr('name'), 'foo');
     await click('[data-test-component="search-select"] .ember-basic-dropdown-trigger');
     await click('.ember-power-select-option');
     await fillIn('[data-test-mount-accessor-select]', 'auth_userpass_bb95c2b1');
@@ -117,7 +121,7 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
       'vault.cluster.access.mfa.enforcements.enforcement.index',
       'Details more menu action transitions to enforcement route'
     );
-    await click(GENERAL.breadcrumbAtIdx(1));
+    await click(GENERAL.breadcrumbAtIdx(2));
     await click(GENERAL.menuTrigger);
     await click('[data-test-list-item-link="edit"]');
     assert.strictEqual(
@@ -168,7 +172,10 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
     // methods tab
     await click(GENERAL.tab('methods'));
     assert.dom(GENERAL.tab('methods')).hasClass('active', 'Methods tab is active');
-    const method = this.owner.lookup('service:store').peekRecord('mfa-method', enforcement.mfa_method_ids[0]);
+    const methodCollections = ['mfaTotpMethods', 'mfaDuoMethods', 'mfaOktaMethods', 'mfaPingidMethods'];
+    const method = methodCollections
+      .map((collection) => this.server.db[collection].find(enforcement.mfa_method_ids[0]))
+      .find(Boolean);
     assert
       .dom(`[data-test-mfa-method-list-item="${method.id}"]`)
       .includesText(
@@ -208,10 +215,13 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
     await click('[data-test-list-item-link="edit"]');
 
     assert.dom('h1').hasText('Update enforcement', 'Title renders');
-    assert.dom('[data-test-mlef-input="name"]').hasValue(enforcement.name, 'Name input is populated');
-    assert.dom('[data-test-mlef-input="name"]').isDisabled('Name is disabled and cannot be changed');
+    assert.dom(GENERAL.inputByAttr('name')).hasValue(enforcement.name, 'Name input is populated');
+    assert.dom(GENERAL.inputByAttr('name')).isDisabled('Name is disabled and cannot be changed');
 
-    const method = this.owner.lookup('service:store').peekRecord('mfa-method', enforcement.mfa_method_ids[0]);
+    const methodCollections = ['mfaTotpMethods', 'mfaDuoMethods', 'mfaOktaMethods', 'mfaPingidMethods'];
+    const method = methodCollections
+      .map((collection) => this.server.db[collection].find(enforcement.mfa_method_ids[0]))
+      .find(Boolean);
     assert
       .dom('[data-test-selected-option]')
       .includesText(`${method.name} ${method.id}`, 'Selected mfa method renders');
@@ -232,7 +242,6 @@ module('Acceptance | mfa-login-enforcement', function (hooks) {
     await click('[data-test-mlef-remove-target="Group"]');
     await click('[data-test-mlef-remove-target="Authentication method"]');
     await click('[data-test-mlef-save]');
-
     await waitFor('[data-test-target]', { timeout: 5000 });
     assert.strictEqual(
       currentRouteName(),
diff --git a/ui/tests/acceptance/mfa-login-test.js b/ui/tests/acceptance/mfa-login-test.js
index 91962e59cd..d8cb03649f 100644
--- a/ui/tests/acceptance/mfa-login-test.js
+++ b/ui/tests/acceptance/mfa-login-test.js
@@ -42,9 +42,9 @@ module('Acceptance | mfa-login', function (hooks) {
   };
 
   const didLogin = async (assert) => {
-    await waitFor('[data-test-dashboard-card-header]', {
+    await waitFor(GENERAL.textDisplay('Secrets engines'), {
       timeout: 5000,
-      timeoutMessage: 'timed out waiting for dashboard title to render',
+      timeoutMessage: 'timed out waiting for dashboard secrets engines card to render',
     });
     assert.strictEqual(currentRouteName(), 'vault.cluster.dashboard', 'Route transitions after login');
   };
diff --git a/ui/tests/acceptance/mfa-method-test.js b/ui/tests/acceptance/mfa-method-test.js
index f9e57e4d80..2cc30f76a2 100644
--- a/ui/tests/acceptance/mfa-method-test.js
+++ b/ui/tests/acceptance/mfa-method-test.js
@@ -20,7 +20,6 @@ module('Acceptance | mfa-method', function (hooks) {
 
   hooks.beforeEach(async function () {
     mfaConfigHandler(this.server);
-    this.store = this.owner.lookup('service:store');
     this.getMethods = () =>
       ['Totp', 'Duo', 'Okta', 'Pingid'].reduce((methods, type) => {
         methods = [...methods, ...this.server.db[`mfa${type}Methods`].where({})];
@@ -61,13 +60,13 @@ module('Acceptance | mfa-method', function (hooks) {
     await click(GENERAL.breadcrumbAtIdx(1));
 
     const methods = this.getMethods();
-    const model = this.store.peekRecord('mfa-method', methods[0].id);
+    const method = methods[0];
     assert.dom('[data-test-mfa-method-list-item]').exists({ count: methods.length }, 'Methods list renders');
-    assert.dom(`[data-test-mfa-method-list-icon="${model.type}"]`).exists('Icon renders for list item');
+    assert.dom(`[data-test-mfa-method-list-icon="${method.type}"]`).exists('Icon renders for list item');
     assert
-      .dom(`[data-test-mfa-method-list-item="${model.id}"]`)
+      .dom(`[data-test-mfa-method-list-item="${method.id}"]`)
       .includesText(
-        `${model.name} ${model.id} Namespace: ${model.namespace_path}`,
+        `${method.name} ${method.id} Namespace: ${method.namespace_path}`,
         'Copy renders for list item'
       );
 
@@ -91,11 +90,11 @@ module('Acceptance | mfa-method', function (hooks) {
   test('it should not display for the root namespace', async function (assert) {
     await visit('/vault/access/mfa');
     const methods = this.getMethods();
-    const duoModel = this.store.peekRecord('mfa-method', methods[1].id);
-    assert.strictEqual(duoModel.namespace_path, '', 'Namespace path is unset');
+    const duoMethod = methods[1];
+    assert.strictEqual(duoMethod.namespace_path, '', 'Namespace path is unset');
     assert
-      .dom(`[data-test-mfa-method-list-item="${duoModel.id}"]`)
-      .includesText(`${duoModel.name} ${duoModel.id}`, 'Copy renders for list item without namespace path')
+      .dom(`[data-test-mfa-method-list-item="${duoMethod.id}"]`)
+      .includesText(`${duoMethod.name} ${duoMethod.id}`, 'Copy renders for list item without namespace path')
       .doesNotContainText('Namespace:', 'Does not include the namespace label');
   });
 
@@ -128,7 +127,7 @@ module('Acceptance | mfa-method', function (hooks) {
 
     const fields = [
       ['Issuer', 'Period', 'Key size', 'QR size', 'Algorithm', 'Digits', 'Skew', 'Max validation attempts'],
-      ['Duo API hostname', 'Passcode reminder'],
+      ['API hostname', 'Passcode reminder'],
       ['Organization name', 'Base URL'],
       ['Use signature', 'Idp url', 'Admin url', 'Authenticator url', 'Org alias'],
     ];
@@ -138,17 +137,17 @@ module('Acceptance | mfa-method', function (hooks) {
       }
       const url = currentURL();
       const id = url.slice(url.lastIndexOf('/') + 1);
-      const model = this.store.peekRecord('mfa-method', id);
+      const method = this.getMethods().find((m) => m.id === id);
 
       labels.forEach((label) => {
         assert.dom(`[data-test-row-label="${label}"]`).hasText(label, `${label} field label renders`);
         const key =
           {
-            'Duo API hostname': 'api_hostname',
+            'API hostname': 'api_hostname',
             'Passcode reminder': 'use_passcode',
             'Organization name': 'org_name',
           }[label] || underscore(label);
-        let value = typeof model[key] === 'boolean' ? (model[key] ? 'Yes' : 'No') : model[key].toString();
+        let value = typeof method[key] === 'boolean' ? (method[key] ? 'Yes' : 'No') : method[key].toString();
         if (key === 'period') {
           value = duration([Number(value)]);
         }
@@ -205,6 +204,7 @@ module('Acceptance | mfa-method', function (hooks) {
       }
 
       await click('[data-test-mfa-create-save]');
+
       assert.strictEqual(
         currentRouteName(),
         'vault.cluster.access.mfa.methods.method.index',
@@ -222,19 +222,23 @@ module('Acceptance | mfa-method', function (hooks) {
     await click('[data-test-radio-card="totp"]');
     await click('[data-test-mfa-create-next]');
     await fillIn('[data-test-input="issuer"]', 'foo');
-    await fillIn('[data-test-mlef-input="name"]', 'bar');
+    await fillIn(GENERAL.inputByAttr('name'), 'bar');
     await fillIn('[data-test-mount-accessor-select]', 'auth_userpass_bb95c2b1');
     await click('[data-test-mlef-add-target]');
     await click('[data-test-mfa-create-save]');
+
     assert.strictEqual(
       currentRouteName(),
       'vault.cluster.access.mfa.methods.method.index',
       'Route transitions to method on save'
     );
     await click('[data-test-tab="enforcements"]');
-    assert.dom('[data-test-list-item]').hasTextContaining('bar', 'Enforcement is listed in method view');
+    assert
+      .dom('[data-test-list-item="bar"]')
+      .hasTextContaining('bar', 'Enforcement is listed in method view');
     await click('[data-test-sidebar-nav-link="Multi-factor authentication"]');
     await click('[data-test-tab="enforcements"]');
+
     assert
       .dom('[data-test-list-item="bar"]')
       .hasTextContaining('bar', 'Enforcement is listed in enforcements view');
@@ -270,7 +274,7 @@ module('Acceptance | mfa-method', function (hooks) {
     const id = this.element
       .querySelector('[data-test-mfa-method-list-item] .hds-badge div')
       .textContent.trim();
-    const model = this.store.peekRecord('mfa-method', id);
+    const method = this.getMethods().find((m) => m.id === id);
     await click('[data-test-mfa-method-list-item] [data-test-popup-menu-trigger]');
     await click('[data-test-mfa-method-menu-link="edit"]');
 
@@ -279,17 +283,17 @@ module('Acceptance | mfa-method', function (hooks) {
       if (key === 'period') {
         assert
           .dom('[data-test-ttl-value="Period"]')
-          .hasValue(model.period.toString(), 'Period form field is populated with model value');
+          .hasValue(method.period.toString(), 'Period form field is populated with method value');
         assert.dom('[data-test-select="ttl-unit"]').hasValue('s', 'Correct time unit is shown for period');
       } else if (key === 'algorithm' || key === 'digits' || key === 'skew') {
         const radioElem = this.element.querySelector(`input[name=${key}]:checked`);
         assert
           .dom(radioElem)
-          .hasValue(model[key].toString(), `${key} form field is populated with model value`);
+          .hasValue(method[key].toString(), `${key} form field is populated with method value`);
       } else {
         assert
           .dom(`[data-test-input="${key}"]`)
-          .hasValue(model[key].toString(), `${key} form field is populated with model value`);
+          .hasValue(method[key].toString(), `${key} form field is populated with method value`);
       }
     });
 
@@ -298,9 +302,8 @@ module('Acceptance | mfa-method', function (hooks) {
     await click(SHA1radioBtn);
     await fillIn('[data-test-input="max_validation_attempts"]', 10);
     await click('[data-test-mfa-save]');
-    await fillIn('[data-test-confirmation-modal-input]', model.type);
+    await fillIn('[data-test-confirmation-modal-input]', method.type);
     await click(GENERAL.confirmButton);
-
     assert.dom('[data-test-row-value="Issuer"]').hasText('foo', 'Issuer field is updated');
     assert.dom('[data-test-row-value="Algorithm"]').hasText('SHA1', 'Algorithm field is updated');
     assert
diff --git a/ui/tests/acceptance/oidc-config/clients-test.js b/ui/tests/acceptance/oidc-config/clients-test.js
index 28a24e980b..4a0c82c235 100644
--- a/ui/tests/acceptance/oidc-config/clients-test.js
+++ b/ui/tests/acceptance/oidc-config/clients-test.js
@@ -17,7 +17,6 @@ import fm from 'vault/tests/pages/components/flash-message';
 import {
   OIDC_BASE_URL, // -> '/vault/access/oidc'
   SELECTORS,
-  clearRecord,
   CLIENT_LIST_RESPONSE,
   CLIENT_DATA_RESPONSE,
   ASSIGNMENT_LIST_RESPONSE,
@@ -39,6 +38,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
   hooks.beforeEach(function () {
     oidcConfigHandlers(this.server);
     this.store = this.owner.lookup('service:store');
+    this.api = this.owner.lookup('service:api');
     return login();
   });
 
@@ -47,9 +47,11 @@ module('Acceptance | oidc-config clients', function (hooks) {
       assert.expect(21);
 
       //* start with clean test state
-      await clearRecord(this.store, 'oidc/client', 'client-with-test-key');
-      await clearRecord(this.store, 'oidc/client', 'client-with-default-key');
-      await clearRecord(this.store, 'oidc/key', 'test-key');
+      await Promise.allSettled([
+        this.api.identity.oidcDeleteClient('client-with-test-key'),
+        this.api.identity.oidcDeleteClient('client-with-default-key'),
+        this.api.identity.oidcDeleteKey('test-key'),
+      ]);
 
       // create client with default key
       await visit(OIDC_BASE_URL + '/clients/create');
@@ -100,7 +102,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
       );
 
       // create a new key
-      await click(GENERAL.breadcrumbLink('Keys'));
+      await click(GENERAL.breadcrumbLink('OIDC provider: Keys'));
       assert.strictEqual(
         currentRouteName(),
         'vault.cluster.access.oidc.keys.index',
@@ -126,8 +128,8 @@ module('Acceptance | oidc-config clients', function (hooks) {
       await fillIn('[data-test-input="name"]', 'client-with-test-key');
       await click(GENERAL.button('More options'));
       await click('[data-test-component="search-select"] [data-test-icon="trash"]');
-      await clickTrigger('#key');
-      await selectChoose('[data-test-component="search-select"]#key', 'test-key');
+      await clickTrigger('#oidc-client-form-key-select');
+      await selectChoose('[data-test-component="search-select"]#oidc-client-form-key-select', 'test-key');
       await click(SELECTORS.clientSaveButton);
 
       // edit key and limit applications
@@ -180,9 +182,11 @@ module('Acceptance | oidc-config clients', function (hooks) {
       );
 
       //* clean up test state
-      await clearRecord(this.store, 'oidc/client', 'client-with-test-key');
-      await clearRecord(this.store, 'oidc/client', 'client-with-default-key');
-      await clearRecord(this.store, 'oidc/key', 'test-key');
+      await Promise.allSettled([
+        this.api.identity.oidcDeleteClient('client-with-test-key'),
+        this.api.identity.oidcDeleteClient('client-with-default-key'),
+        this.api.identity.oidcDeleteKey('test-key'),
+      ]);
     });
 
     test('it creates, rotates and deletes a key', async function (assert) {
@@ -199,14 +203,14 @@ module('Acceptance | oidc-config clients', function (hooks) {
       });
 
       //* clear out test state
-      await clearRecord(this.store, 'oidc/key', 'test-key');
+      await Promise.allSettled([this.api.identity.oidcDeleteKey('test-key')]);
 
       // create a new key
       await visit(OIDC_BASE_URL + '/keys/create');
       await fillIn('[data-test-input="name"]', 'test-key');
       // toggle ttls to false, testing it sets correct default duration
-      await click('[data-test-input="rotationPeriod"]');
-      await click('[data-test-input="verificationTtl"]');
+      await click('[data-test-input="rotation_period"]');
+      await click('[data-test-input="verification_ttl"]');
       assert
         .dom('[data-test-oidc-radio="limited"] input')
         .isDisabled('limiting access radio button is disabled on create');
@@ -287,9 +291,9 @@ module('Acceptance | oidc-config clients', function (hooks) {
       this.server.get('/identity/oidc/client/test-app', () =>
         overrideResponse(null, { data: CLIENT_DATA_RESPONSE })
       );
-      this.server.post('/sys/capabilities-self', () =>
-        capabilitiesStub(OIDC_BASE_URL + '/client/test-app', ['read'])
-      );
+      this.server.post('/sys/capabilities-self', () => {
+        return capabilitiesStub('identity/oidc/client/test-app', ['read']);
+      });
 
       await visit(OIDC_BASE_URL);
       await click('[data-test-oidc-client-linked-block]');
@@ -306,7 +310,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
 
     test('it hides delete and edit key when no permission', async function (assert) {
       assert.expect(4);
-      this.server.get('/identity/oidc/keys', () => overrideResponse(null, { data: { keys: ['test-key'] } }));
+      this.server.get('/identity/oidc/key', () => overrideResponse(null, { data: { keys: ['test-key'] } }));
       this.server.get('/identity/oidc/key/test-key', () =>
         overrideResponse(null, {
           data: {
@@ -318,7 +322,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
         })
       );
       this.server.post('/sys/capabilities-self', () =>
-        capabilitiesStub(OIDC_BASE_URL + '/key/test-key', ['read'])
+        capabilitiesStub('identity/oidc/key/test-key', ['read'])
       );
 
       await visit(OIDC_BASE_URL + '/keys');
@@ -339,7 +343,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
       assert.expect(3);
 
       //* clear out test state
-      await clearRecord(this.store, 'oidc/assignment', 'test-assignment');
+      await Promise.allSettled([this.api.identity.oidcDeleteAssignment('test-assignment')]);
 
       await visit(OIDC_BASE_URL + '/assignments');
       assert.strictEqual(currentURL(), '/vault/access/oidc/assignments');
@@ -350,17 +354,12 @@ module('Acceptance | oidc-config clients', function (hooks) {
     });
 
     test('it renders empty state when no clients are configured', async function (assert) {
-      assert.expect(5);
+      assert.expect(4);
       this.server.get('/identity/oidc/client', () => overrideResponse(404));
 
       await visit(OIDC_BASE_URL);
       assert.strictEqual(currentURL(), '/vault/access/oidc');
       assert.dom(GENERAL.hdsPageHeaderTitle).hasText('OIDC provider');
-      assert.dom(SELECTORS.oidcHeader).hasText(
-        `Configure Vault to act as an OIDC identity provider, and offer Vault’s various authentication
-      methods and source of identity to any client applications. Learn more Create your first app`,
-        'renders call to action header when no clients are configured'
-      );
       assert.dom('[data-test-oidc-landing]').exists('landing page renders when no clients are configured');
       assert
         .dom(SELECTORS.oidcLandingImg)
@@ -371,9 +370,11 @@ module('Acceptance | oidc-config clients', function (hooks) {
       assert.expect(21);
 
       //* clear out test state
-      await clearRecord(this.store, 'oidc/client', 'test-app');
-      await clearRecord(this.store, 'oidc/client', 'my-webapp'); // created by oidc-provider-test
-      await clearRecord(this.store, 'oidc/assignment', 'assignment-inline');
+      await Promise.allSettled([
+        this.api.identity.oidcDeleteClient('test-app'),
+        this.api.identity.oidcDeleteClient('my-webapp'),
+        this.api.identity.oidcDeleteAssignment('assignment-inline'),
+      ]);
 
       // create a client with allow all access
       await visit(OIDC_BASE_URL + '/clients/create');
@@ -385,8 +386,8 @@ module('Acceptance | oidc-config clients', function (hooks) {
       await fillIn('[data-test-input="name"]', 'test-app');
       await click(GENERAL.button('More options'));
       // toggle ttls to false, testing it sets correct default duration
-      await click('[data-test-input="idTokenTtl"]');
-      await click('[data-test-input="accessTokenTtl"]');
+      await click('[data-test-input="id_token_ttl"]');
+      await click('[data-test-input="access_token_ttl"]');
       await click(SELECTORS.clientSaveButton);
       assert.strictEqual(
         flashMessage.latestMessage,
@@ -425,7 +426,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
         'vault.cluster.access.oidc.clients.client.edit',
         'navigates to edit page from details'
       );
-      await fillIn('[data-test-input="redirectUris"] [data-test-string-list-input="0"]', 'some-url.com');
+      await fillIn('[data-test-input="redirect_uris"] [data-test-string-list-input="0"]', 'some-url.com');
 
       // limit access & create new assignment inline
       await click('[data-test-oidc-radio="limited"]');
@@ -501,7 +502,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
       //);
 
       //* clean up test state
-      await clearRecord(this.store, 'oidc/assignment', 'assignment-inline');
+      await Promise.allSettled([this.api.identity.oidcDeleteAssignment('assignment-inline')]);
     });
 
     test('it creates, updates, and deletes an assignment', async function (assert) {
@@ -509,7 +510,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
       await visit(OIDC_BASE_URL + '/assignments');
 
       //* ensure clean test state
-      await clearRecord(this.store, 'oidc/assignment', 'test-assignment');
+      await Promise.allSettled([this.api.identity.oidcDeleteAssignment('test-assignment')]);
 
       // create a new assignment
       await click(SELECTORS.assignmentCreateButton);
@@ -633,7 +634,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
         overrideResponse(null, { data: ASSIGNMENT_DATA_RESPONSE })
       );
       this.server.post('/sys/capabilities-self', () =>
-        capabilitiesStub(OIDC_BASE_URL + '/assignment/test-assignment', ['read'])
+        capabilitiesStub('identity/oidc/assignment/test-assignment', ['read'])
       );
 
       await visit(OIDC_BASE_URL + '/assignments');
diff --git a/ui/tests/acceptance/oidc-config/providers-scopes-test.js b/ui/tests/acceptance/oidc-config/providers-scopes-test.js
index 99aba819bc..9312fbd1c8 100644
--- a/ui/tests/acceptance/oidc-config/providers-scopes-test.js
+++ b/ui/tests/acceptance/oidc-config/providers-scopes-test.js
@@ -23,9 +23,10 @@ import {
   SCOPE_DATA_RESPONSE,
   PROVIDER_LIST_RESPONSE,
   PROVIDER_DATA_RESPONSE,
-  clearRecord,
 } from 'vault/tests/helpers/oidc-config';
 import { capabilitiesStub, overrideResponse } from 'vault/tests/helpers/stubs';
+import sinon from 'sinon';
+
 const searchSelect = create(ss);
 const flashMessage = create(fm);
 
@@ -37,7 +38,7 @@ module('Acceptance |  oidc-config providers and scopes', function (hooks) {
 
   hooks.beforeEach(function () {
     oidcConfigHandlers(this.server);
-    this.store = this.owner.lookup('service:store');
+    this.api = this.owner.lookup('service:api');
     // mock client list so OIDC BASE URL does not redirect to landing call-to-action image
     this.server.get('/identity/oidc/client', () => overrideResponse(null, { data: CLIENT_LIST_RESPONSE }));
     return login();
@@ -46,7 +47,13 @@ module('Acceptance |  oidc-config providers and scopes', function (hooks) {
   // LIST SCOPES EMPTY
   test('it navigates to scopes list view and renders empty state when no scopes are configured', async function (assert) {
     assert.expect(4);
-    this.server.get('/identity/oidc/scope', () => overrideResponse(404));
+    this.server.get(
+      '/identity/oidc/scope',
+      () => ({
+        errors: ['Nothing found'],
+      }),
+      404
+    );
     await visit(OIDC_BASE_URL);
     await click(GENERAL.tab('scopes'));
     assert.strictEqual(currentURL(), '/vault/access/oidc/scopes');
@@ -165,9 +172,13 @@ module('Acceptance |  oidc-config providers and scopes', function (hooks) {
   test('it creates a scope, and creates a provider with that scope', async function (assert) {
     assert.expect(28);
 
+    const apiSpy = sinon.spy(this.api.identity, 'oidcWriteProvider');
+
     //* clear out test state
-    await clearRecord(this.store, 'oidc/scope', 'test-scope');
-    await clearRecord(this.store, 'oidc/provider', 'test-provider');
+    await Promise.allSettled([
+      this.api.identity.oidcDeleteScope('test-scope'),
+      this.api.identity.oidcDeleteProvider('test-provider'),
+    ]);
 
     // create a new scope
     await visit(OIDC_BASE_URL + '/scopes/create');
@@ -242,8 +253,8 @@ module('Acceptance |  oidc-config providers and scopes', function (hooks) {
       'navigates to provider create form'
     );
     await fillIn(GENERAL.inputByAttr('name'), 'test-provider');
-    await clickTrigger('#scopesSupported');
-    await selectChoose('#scopesSupported', 'test-scope');
+    await clickTrigger('#oidc-provider-form-scope-select');
+    await selectChoose('#oidc-provider-form-scope-select', 'test-scope');
     await click(SELECTORS.providerSaveButton);
     assert.strictEqual(
       flashMessage.latestMessage,
@@ -282,7 +293,9 @@ module('Acceptance |  oidc-config providers and scopes', function (hooks) {
       'navigates to provider edit page from details'
     );
     await click('[data-test-oidc-radio="limited"]');
-    await click('[data-test-component="search-select"]#allowedClientIds .ember-basic-dropdown-trigger');
+    await click(
+      '[data-test-component="search-select"]#oidc-provider-form-client-select .ember-basic-dropdown-trigger'
+    );
     await fillIn(GENERAL.searchSelect.searchInput, 'test-app');
     await searchSelect.options.objectAt(0).click();
     await click(SELECTORS.providerSaveButton);
@@ -296,9 +309,9 @@ module('Acceptance |  oidc-config providers and scopes', function (hooks) {
       'vault.cluster.access.oidc.providers.provider.details',
       'navigates back to provider details after updating'
     );
-    const providerModel = this.store.peekRecord('oidc/provider', 'test-provider');
+    const { allowed_client_ids } = apiSpy.lastCall.args[1];
     assert.propEqual(
-      providerModel.allowedClientIds,
+      allowed_client_ids,
       ['whaT7KB0C3iBH1l3rXhd5HPf0n6vXU0s'],
       'provider saves client_id (not id or name) in allowed_client_ids param'
     );
@@ -390,20 +403,22 @@ module('Acceptance |  oidc-config providers and scopes', function (hooks) {
   // PROVIDER DELETE + EDIT PERMISSIONS
   test('it hides delete and edit for a provider when no permission', async function (assert) {
     assert.expect(3);
-    this.server.get('/identity/oidc/providers', () =>
-      overrideResponse(null, { data: { providers: ['test-provider'] } })
-    );
+
+    const provider = {
+      allowed_client_ids: ['*'],
+      issuer: 'http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider',
+      scopes_supported: ['test-scope'],
+    };
+    const data = {
+      keys: ['test-provider'],
+      key_info: { 'test-provider': provider },
+    };
+    this.server.get('/identity/oidc/provider', () => overrideResponse(null, { data }));
     this.server.get('/identity/oidc/provider/test-provider', () =>
-      overrideResponse(null, {
-        data: {
-          allowed_client_ids: ['*'],
-          issuer: 'http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider',
-          scopes_supported: ['test-scope'],
-        },
-      })
+      overrideResponse(null, { data: provider })
     );
     this.server.post('/sys/capabilities-self', () =>
-      capabilitiesStub(OIDC_BASE_URL + '/provider/test-provider', ['read'])
+      capabilitiesStub('identity/oidc/provider/test-provider', ['read'])
     );
 
     await visit(OIDC_BASE_URL + '/providers');
diff --git a/ui/tests/acceptance/oidc-provider-test.js b/ui/tests/acceptance/oidc-provider-test.js
index 233087cff0..8e278196bb 100644
--- a/ui/tests/acceptance/oidc-provider-test.js
+++ b/ui/tests/acceptance/oidc-provider-test.js
@@ -11,7 +11,6 @@ import sinon from 'sinon';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import enablePage from 'vault/tests/pages/settings/auth/enable';
 import { visit, settled, currentURL, waitFor, currentRouteName, fillIn, click } from '@ember/test-helpers';
-import { clearRecord } from 'vault/tests/helpers/oidc-config';
 import { runCmd } from 'vault/tests/helpers/commands';
 import queryParamString from 'vault/utils/query-param-string';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -121,7 +120,6 @@ module('Acceptance | oidc provider', function (hooks) {
 
   hooks.beforeEach(async function () {
     this.uid = uuidv4();
-    this.store = this.owner.lookup('service:store');
     await login();
     await settled();
     this.oidcSetupInformation = await setupOidc(this.uid);
@@ -129,6 +127,11 @@ module('Acceptance | oidc provider', function (hooks) {
   });
 
   hooks.afterEach(async function () {
+    const api = this.owner.lookup('service:api');
+    await Promise.allSettled([
+      api.identity.oidcDeleteProvider(WEB_APP_NAME),
+      api.identity.oidcDeleteProvider(PROVIDER_NAME),
+    ]);
     await login();
   });
 
@@ -169,10 +172,6 @@ module('Acceptance | oidc provider', function (hooks) {
       .hasTextContaining(`click here to go back to app`, 'Shows link back to app');
     const link = document.querySelector('[data-test-oidc-redirect]').getAttribute('href');
     assert.ok(link.includes('/callback?code='), 'Redirects to correct url');
-
-    //* clean up test state
-    await clearRecord(this.store, 'oidc/client', WEB_APP_NAME);
-    await clearRecord(this.store, 'oidc/provider', PROVIDER_NAME);
   });
 
   test('OIDC Provider redirects to auth if current token and prompt = login', async function (assert) {
@@ -220,10 +219,6 @@ module('Acceptance | oidc provider', function (hooks) {
     );
     assert.strictEqual(currentRouteName(), 'vault.cluster.oidc-provider');
     assert.dom('[data-test-consent-form]').exists('Consent form exists');
-
-    //* clean up test state
-    await clearRecord(this.store, 'oidc/client', WEB_APP_NAME);
-    await clearRecord(this.store, 'oidc/provider', PROVIDER_NAME);
   });
 
   // Error handling test coverage, see issue for more context https://github.com/hashicorp/vault/issues/27772
@@ -271,7 +266,5 @@ module('Acceptance | oidc provider', function (hooks) {
     //* clean up test state
     authStub.restore();
     await login();
-    await clearRecord(this.store, 'oidc/client', WEB_APP_NAME);
-    await clearRecord(this.store, 'oidc/provider', PROVIDER_NAME);
   });
 });
diff --git a/ui/tests/acceptance/pki/pki-engine-workflow-test.js b/ui/tests/acceptance/pki/pki-engine-workflow-test.js
index 10ac01c496..42bed21c6f 100644
--- a/ui/tests/acceptance/pki/pki-engine-workflow-test.js
+++ b/ui/tests/acceptance/pki/pki-engine-workflow-test.js
@@ -622,16 +622,14 @@ module('Acceptance | pki workflow', function (hooks) {
       await login(this.mixedConfigCapabilities);
       await visit(`/vault/secrets-engines/${this.mountPath}/pki/configuration/edit`);
       assert
-        .dom(`${PKI_CONFIG_EDIT.configEditSection} [data-test-component="empty-state"]`)
-        .hasText(
-          `You do not have permission to set this mount's the cluster config Ask your administrator if you think you should have access to: POST /${this.mountPath}/config/cluster`
-        );
+        .dom(`${PKI_CONFIG_EDIT.configEditSection} ${GENERAL.emptyStateTitle}`)
+        .hasText("You do not have permission to set this mount's the cluster config");
       assert.dom(PKI_CONFIG_EDIT.acmeEditSection).exists();
       assert.dom(PKI_CONFIG_EDIT.urlsEditSection).exists();
       assert.dom(PKI_CONFIG_EDIT.crlEditSection).exists();
-      assert.dom(`${PKI_CONFIG_EDIT.acmeEditSection} [data-test-component="empty-state"]`).doesNotExist();
-      assert.dom(`${PKI_CONFIG_EDIT.urlsEditSection} [data-test-component="empty-state"]`).doesNotExist();
-      assert.dom(`${PKI_CONFIG_EDIT.crlEditSection} [data-test-component="empty-state"]`).doesNotExist();
+      assert.dom(`${PKI_CONFIG_EDIT.acmeEditSection} ${GENERAL.emptyStateTitle}`).doesNotExist();
+      assert.dom(`${PKI_CONFIG_EDIT.urlsEditSection} ${GENERAL.emptyStateTitle}`).doesNotExist();
+      assert.dom(`${PKI_CONFIG_EDIT.crlEditSection} ${GENERAL.emptyStateTitle}`).doesNotExist();
       await click(PKI_CONFIG_EDIT.crlToggleInput('expiry'));
       await click(PKI_CONFIG_EDIT.saveButton);
       assert.strictEqual(currentURL(), `/vault/secrets-engines/${this.mountPath}/pki/configuration`);
diff --git a/ui/tests/acceptance/policy/index-test.js b/ui/tests/acceptance/policy/index-test.js
index 9c57092d37..460aa3941e 100644
--- a/ui/tests/acceptance/policy/index-test.js
+++ b/ui/tests/acceptance/policy/index-test.js
@@ -21,7 +21,7 @@ import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { runCmd } from 'vault/tests/helpers/commands';
 import codemirror, { setCodeEditorValue } from 'vault/tests/helpers/codemirror';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
-import localStorage from 'vault/lib/local-storage';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 const SELECT = {
   policyByName: (name) => `[data-test-policy-link="${name}"]`,
@@ -38,7 +38,7 @@ module('Acceptance | policies/acl', function (hooks) {
     this.uid = uuidv4();
     await login();
     // dismiss wizard
-    localStorage.setItem('dismissed-wizards', ['acl-policy']);
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.aclPolicy);
   });
 
   test('it lists default and root acls', async function (assert) {
@@ -110,11 +110,12 @@ module('Acceptance | policies/acl', function (hooks) {
     await click(SELECT.createPolicy);
 
     await fillIn(GENERAL.inputByAttr('name'), policyName);
+    // Select code editor first to bypass visual policy editor validations so we get an API error
+    await click(GENERAL.radioByAttr('code'));
     await click(GENERAL.submitButton);
     assert
       .dom(GENERAL.messageError)
       .hasText(`Error 'policy' parameter not supplied or empty`, 'renders error message on save');
-    await click(GENERAL.radioByAttr('code'));
     await waitFor('.cm-editor');
     const editor = codemirror();
     setCodeEditorValue(editor, policyString);
diff --git a/ui/tests/acceptance/policy/policies-test.js b/ui/tests/acceptance/policy/policies-test.js
index 68d16081bd..0928151672 100644
--- a/ui/tests/acceptance/policy/policies-test.js
+++ b/ui/tests/acceptance/policy/policies-test.js
@@ -3,11 +3,12 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { click, currentURL, currentRouteName, visit, fillIn } from '@ember/test-helpers';
+import { click, currentURL, currentRouteName, visit, fillIn, waitFor } from '@ember/test-helpers';
 import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 module('Acceptance | policies', function (hooks) {
   setupApplicationTest(hooks);
@@ -40,8 +41,10 @@ module('Acceptance | policies', function (hooks) {
 
   test('it navigates to and from policy show page from sidebar', async function (assert) {
     await visit('/vault/dashboard');
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.aclPolicy);
     await click(GENERAL.navLink('Access control'));
     assert.strictEqual(currentURL(), '/vault/policies/acl', 'currentURL is /vault/policies/acl');
+    await waitFor('[data-test-component="navigate-input"]');
     await fillIn('[data-test-component="navigate-input"]', 'default'); // filter for the policy in case there are many on this view and the default policy is on the second page
     await click('[data-test-policy-link="default"]');
     assert.strictEqual(currentURL(), '/vault/policy/acl/default');
diff --git a/ui/tests/acceptance/reduced-disclosure-test.js b/ui/tests/acceptance/reduced-disclosure-test.js
index c8b6f59f19..6544f606d4 100644
--- a/ui/tests/acceptance/reduced-disclosure-test.js
+++ b/ui/tests/acceptance/reduced-disclosure-test.js
@@ -10,12 +10,11 @@ import { click, currentRouteName, currentURL, fillIn, settled, visit } from '@em
 import { login, loginNs, logout } from 'vault/tests/helpers/auth/auth-helpers';
 import { createTokenCmd, deleteNS, runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
 import { pollCluster } from 'vault/tests/helpers/poll-cluster';
-import VAULT_KEYS from 'vault/tests/helpers/vault-keys';
 import reducedDisclosureHandlers from 'vault/mirage/handlers/reduced-disclosure';
 import { overrideResponse } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
-const { unsealKeys } = VAULT_KEYS;
+const unsealKeys = ['unseal-key-1', 'unseal-key-2', 'unseal-key-3'];
 const SELECTORS = {
   footerVersion: `[data-test-footer-version]`,
 };
@@ -24,11 +23,15 @@ module('Acceptance | reduced disclosure test', function (hooks) {
   setupApplicationTest(hooks);
   setupMirage(hooks);
 
-  hooks.beforeEach(function () {
+  hooks.beforeEach(async function () {
     reducedDisclosureHandlers(this.server);
     this.unsealCount = 0;
     this.sealed = false;
     this.versionSvc = this.owner.lookup('service:version');
+    this.versionFor = {
+      header: () => `Vault v${this.versionSvc.version.replace('+ent', '')}`,
+      footer: () => `Vault ${this.versionSvc.version}`,
+    };
     return logout();
   });
 
@@ -38,22 +41,20 @@ module('Acceptance | reduced disclosure test', function (hooks) {
     assert.strictEqual(currentURL(), '/vault/dashboard');
 
     // Ensure it shows version on dashboard
-    assert.dom(GENERAL.hdsPageHeaderTitle).includesText(`Vault v1.`);
-    assert
-      .dom(SELECTORS.footerVersion)
-      .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version after login');
+    assert.dom(GENERAL.hdsPageHeaderTitle).includesText(this.versionFor.header());
+    assert.dom(SELECTORS.footerVersion).hasText(this.versionFor.footer(), 'shows Vault version after login');
 
     const token = await runCmd(createTokenCmd('default'));
 
     await logout();
-    assert.dom(SELECTORS.footerVersion).hasText(`Vault`, 'no vault version after logout');
+    assert.dom(SELECTORS.footerVersion).hasText('Vault', 'no vault version after logout');
 
     await login(token);
     assert.strictEqual(currentURL(), '/vault/dashboard');
 
     assert
       .dom(SELECTORS.footerVersion)
-      .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version for default policy in namespace');
+      .hasText(this.versionFor.footer(), 'shows Vault version for default policy in namespace');
   });
 
   test('shows correct version on unseal flow', async function (assert) {
@@ -91,7 +92,7 @@ module('Acceptance | reduced disclosure test', function (hooks) {
     assert.strictEqual(currentURL(), '/vault/settings/seal');
 
     // seal
-    await click('[data-test-seal]');
+    await click(GENERAL.button('Seal'));
     await click(GENERAL.confirmButton);
     await pollCluster(this.owner);
     await settled();
@@ -100,9 +101,9 @@ module('Acceptance | reduced disclosure test', function (hooks) {
 
     // unseal
     for (const key of unsealKeys) {
-      await fillIn('[data-test-shamir-key-input]', key);
+      await fillIn(GENERAL.inputByAttr('shamir-key'), key);
 
-      await click('button[type="submit"]');
+      await click(GENERAL.submitButton);
 
       await pollCluster(this.owner);
       await settled();
@@ -118,7 +119,7 @@ module('Acceptance | reduced disclosure test', function (hooks) {
   module('enterprise', function () {
     test('does not allow access to replication pages', async function (assert) {
       await login();
-      assert.dom('[data-test-sidebar-nav-link="Replication"]').doesNotExist('hides replication nav item');
+      assert.dom(GENERAL.navLink('Replication')).doesNotExist('hides replication nav item');
 
       await visit(`/vault/replication/dr`);
       assert.strictEqual(
@@ -149,17 +150,14 @@ module('Acceptance | reduced disclosure test', function (hooks) {
       await login(token);
       assert
         .dom(SELECTORS.footerVersion)
-        .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version for default policy in namespace');
+        .hasText(this.versionFor.footer(), 'shows Vault version for default policy in namespace');
 
       // navigate to child namespace
       await visit(`/vault/dashboard?namespace=${namespace}`);
       assert
         .dom(SELECTORS.footerVersion)
-        .hasText(
-          `Vault ${this.versionSvc.version}`,
-          'shows Vault version for default policy in child namespace'
-        );
-      assert.dom(GENERAL.hdsPageHeaderTitle).includesText('Vault v1.');
+        .hasText(this.versionFor.footer(), 'shows Vault version for default policy in child namespace');
+      assert.dom(GENERAL.hdsPageHeaderTitle).includesText(this.versionFor.header());
 
       // log in to "root" before deleting
       await login();
@@ -173,17 +171,17 @@ module('Acceptance | reduced disclosure test', function (hooks) {
       assert.strictEqual(currentURL(), '/vault/dashboard');
 
       // Ensure it shows version on dashboard
-      assert.dom(GENERAL.hdsPageHeaderTitle).includesText(`Vault v1.`);
+      assert.dom(GENERAL.hdsPageHeaderTitle).includesText(this.versionFor.header());
       assert
         .dom(SELECTORS.footerVersion)
-        .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version after login');
+        .hasText(this.versionFor.footer(), 'shows Vault version after login');
 
       await runCmd(`write sys/namespaces/${namespace} -f`, false);
       await loginNs(namespace);
 
       assert
         .dom(SELECTORS.footerVersion)
-        .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version within namespace');
+        .hasText(this.versionFor.footer(), 'shows Vault version within namespace');
 
       const token = await runCmd(createTokenCmd('default'));
 
@@ -194,7 +192,7 @@ module('Acceptance | reduced disclosure test', function (hooks) {
       assert.strictEqual(currentURL(), '/vault/dashboard?namespace=reduced-disclosure');
       assert
         .dom(SELECTORS.footerVersion)
-        .hasText(`Vault ${this.versionSvc.version}`, 'shows Vault version for default policy in namespace');
+        .hasText(this.versionFor.footer(), 'shows Vault version for default policy in namespace');
 
       // log in to "root" before deleting
       await login();
diff --git a/ui/tests/acceptance/secret-engine-list-view-test.js b/ui/tests/acceptance/secret-engine-list-view-test.js
index 4266c2e8d8..5cafa26fc1 100644
--- a/ui/tests/acceptance/secret-engine-list-view-test.js
+++ b/ui/tests/acceptance/secret-engine-list-view-test.js
@@ -10,19 +10,15 @@ import { v4 as uuidv4 } from 'uuid';
 
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { SECRET_ENGINE_SELECTORS as SES } from 'vault/tests/helpers/secret-engine/secret-engine-selectors';
-import {
-  createTokenCmd,
-  deleteEngineCmd,
-  mountEngineCmd,
-  runCmd,
-  tokenWithPolicyCmd,
-} from 'vault/tests/helpers/commands';
+import { deleteEngineCmd, mountEngineCmd, runCmd } from 'vault/tests/helpers/commands';
 import { login, loginNs } from 'vault/tests/helpers/auth/auth-helpers';
 import page from 'vault/tests/pages/settings/mount-secret-backend';
-import localStorage from 'vault/lib/local-storage';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 module('Acceptance | secret-engine list view', function (hooks) {
   setupApplicationTest(hooks);
+  setupMirage(hooks);
 
   const createSecret = async (path, key, value, enginePath) => {
     await click(SES.createSecretLink);
@@ -37,15 +33,16 @@ module('Acceptance | secret-engine list view', function (hooks) {
     this.uid = uuidv4();
     await login();
     // dismiss wizard
-    localStorage.setItem('dismissed-wizards', ['secret-engines']);
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.secretEngines);
   });
 
   // the new API service camelizes response keys, so this tests is to assert that does NOT happen when we re-implement it
   test('it does not camelize the secret mount path', async function (assert) {
+    const path = `aws_${this.uid}`;
     await visit('/vault/secrets-engines');
     await page.enableEngine();
     await click(GENERAL.cardContainer('aws'));
-    await fillIn(GENERAL.inputByAttr('path'), 'aws_engine');
+    await fillIn(GENERAL.inputByAttr('path'), path);
     await click(GENERAL.submitButton);
     await click(GENERAL.breadcrumbLink('Secrets engines'));
     assert.strictEqual(
@@ -53,9 +50,9 @@ module('Acceptance | secret-engine list view', function (hooks) {
       'vault.cluster.secrets.backends',
       'breadcrumb navigates to the list page'
     );
-    assert.dom(GENERAL.tableData('aws_engine/', 'path')).hasTextContaining('aws_engine/');
-    // cleanup
-    await runCmd(deleteEngineCmd('aws_engine'));
+    await fillIn(GENERAL.inputSearch('secret-engine-path'), path);
+    assert.dom(GENERAL.tableData(0, 'path')).hasText(`${path}/`);
+    await runCmd(deleteEngineCmd(path));
   });
 
   test('after enabling an unsupported engine it takes you to list page', async function (assert) {
@@ -64,15 +61,21 @@ module('Acceptance | secret-engine list view', function (hooks) {
     await click(GENERAL.cardContainer('nomad'));
     await click(GENERAL.submitButton);
 
-    assert.strictEqual(currentRouteName(), 'vault.cluster.secrets.backends', 'navigates to the list page');
+    assert.strictEqual(
+      currentRouteName(),
+      'vault.cluster.secrets.backend.configuration.general-settings',
+      'navigates to the configuration page'
+    );
     // cleanup
     await runCmd(deleteEngineCmd('nomad'));
   });
 
   test('after enabling a supported engine it takes you to mount page, can see configure and clicking breadcrumb takes you back to list page', async function (assert) {
+    const path = `aws-${this.uid}`;
     await visit('/vault/secrets-engines');
     await page.enableEngine();
     await click(GENERAL.cardContainer('aws'));
+    await fillIn(GENERAL.inputByAttr('path'), path);
     await click(GENERAL.submitButton);
 
     await click(GENERAL.dropdownToggle('Manage'));
@@ -85,79 +88,7 @@ module('Acceptance | secret-engine list view', function (hooks) {
       'breadcrumb navigates to the list page'
     );
     // cleanup
-    await runCmd(deleteEngineCmd('aws'));
-  });
-
-  test('enterprise: cannot view list without permissions inside a namespace', async function (assert) {
-    this.namespace = `ns-${this.uid}`;
-    const enginePath1 = `kv-t1-${this.uid}`;
-    const userDefault = await runCmd(createTokenCmd()); // creates a default user token
-
-    await runCmd([`write sys/namespaces/${this.namespace} -force`]); // creates a namespace
-    await loginNs(this.namespace); //logs into namespace with root token
-    await runCmd(mountEngineCmd('kv', enginePath1)); // mounts a kv engine in namespace
-
-    await loginNs(this.namespace, userDefault); // logs into that same namespace with a default user token
-
-    await visit(`/vault/secrets-engines?namespace=${this.namespace}`); // nav to specified namespace list
-    assert.strictEqual(
-      currentURL(),
-      `/vault/secrets-engines?namespace=${this.namespace}`,
-      'Should be on main secret engines list page within namespace.'
-    );
-    assert.dom(GENERAL.tableData(`${enginePath1}/`, 'path')).doesNotExist(); // without permissions, engine should not show for this user
-
-    // cleanup namespace
-    await login();
-    await runCmd(`delete sys/namespaces/${this.namespace}`);
-  });
-
-  test('enterprise: can view list with permissions inside a namespace', async function (assert) {
-    this.namespace = `ns-${this.uid}`;
-    const enginePath1 = `kv-t2-${this.uid}`;
-    const userToken = await runCmd(
-      tokenWithPolicyCmd(
-        'policy',
-        `path "${this.namespace}/sys/*" {
-          capabilities = ["create", "read", "update", "delete", "list"]
-        }`
-      )
-    );
-
-    await runCmd([`write sys/namespaces/${this.namespace} -force`]);
-    await loginNs(this.namespace, userToken); // logs into namespace with user token
-    await runCmd(mountEngineCmd('kv', enginePath1)); // mount kv engine as user
-
-    await loginNs(this.namespace); // logs into namespace with root token
-
-    await visit(`/vault/secrets-engines?namespace=${this.namespace}`); // nav to specified namespace list
-    assert.strictEqual(
-      currentURL(),
-      `/vault/secrets-engines?namespace=${this.namespace}`,
-      'Should be on main secret engines list page within namespace.'
-    );
-
-    assert.dom(GENERAL.tableData(`${enginePath1}/`, 'path')).exists(); // with permissions, able to see the engine in list
-
-    // cleanup namespace
-    await login();
-    await runCmd(`delete sys/namespaces/${this.namespace}`);
-  });
-
-  test('enterprise: it should navigate to cubbyhole list view in child namespace', async function (assert) {
-    this.namespace = `ns-${this.uid}`;
-
-    await runCmd([`write sys/namespaces/${this.namespace} -force`]);
-    await loginNs(this.namespace);
-    localStorage.setItem('dismissed-wizards', ['secret-engines']);
-    await visit(`/vault/secrets-engines?namespace=${this.namespace}`);
-    await click(`${GENERAL.tableData('cubbyhole/', 'path')} a`);
-
-    assert.dom(GENERAL.emptyStateTitle).hasText('No secrets in this backend');
-
-    // cleanup namespace
-    await login();
-    await runCmd(`delete sys/namespaces/${this.namespace}`);
+    await runCmd(deleteEngineCmd(path));
   });
 
   test('after disabling it stays on the list view', async function (assert) {
@@ -167,7 +98,9 @@ module('Acceptance | secret-engine list view', function (hooks) {
     await visit('/vault/secrets-engines');
     // to reduce flakiness, searching by engine name first in case there are pagination issues
     await fillIn(GENERAL.inputSearch('secret-engine-path'), enginePath);
-    assert.dom(GENERAL.tableData(`${enginePath}/`, 'path')).exists('the alicloud engine is mounted');
+    assert
+      .dom(GENERAL.tableData(0, 'path'))
+      .hasTextContaining(`${enginePath}/`, 'the alicloud engine is mounted');
 
     await click(GENERAL.menuTrigger);
     await click(GENERAL.menuItem('Delete'));
@@ -188,7 +121,8 @@ module('Acceptance | secret-engine list view', function (hooks) {
 
     // check kv1
     await visit('/vault/secrets-engines');
-    await click(`${GENERAL.tableData(`${enginePath1}/`, 'path')} a`);
+    await fillIn(GENERAL.inputSearch('secret-engine-path'), enginePath1);
+    await click(GENERAL.linkTo(`${enginePath1}/`));
     for (let i = 0; i <= 15; i++) {
       await createSecret(`secret-${i}`, 'foo', 'bar', enginePath1);
     }
@@ -221,7 +155,8 @@ module('Acceptance | secret-engine list view', function (hooks) {
 
     // check kv1
     await visit('/vault/secrets-engines');
-    await click(`${GENERAL.tableData(`${enginePath1}/`, 'path')} a`);
+    await fillIn(GENERAL.inputSearch('secret-engine-path'), enginePath1);
+    await click(GENERAL.linkTo(`${enginePath1}/`));
     for (let i = 0; i <= 15; i++) {
       await createSecret(`${parentPath}/secret-${i}`, 'foo', 'bar', enginePath1);
     }
@@ -245,4 +180,74 @@ module('Acceptance | secret-engine list view', function (hooks) {
     // cleanup
     await runCmd(deleteEngineCmd(enginePath1));
   });
+
+  test('it can navigate to the enablement page from the intro', async function (assert) {
+    // stub the mount response to meet the empty state criteria for showing the intro page
+    this.server.get('/sys/internal/ui/mounts', () => ({
+      data: {
+        secret: {
+          'cubbyhole/': {
+            type: 'cubbyhole',
+            local: true,
+            path: 'cubbyhole/',
+          },
+        },
+      },
+    }));
+    await visit(`/vault/secrets-engines`);
+    await click(GENERAL.button('intro'));
+    await click(GENERAL.button('enable'));
+
+    assert.strictEqual(currentURL(), `/vault/secrets-engines/enable`, 'It navigates to the enablement page');
+    assert.dom('[data-test-guided-setup]').doesNotExist('The guided setup is not shown');
+    assert.dom('[data-test-intro]').doesNotExist('The intro is not shown');
+  });
+
+  module('enterprise | namespaces', function (hooks) {
+    hooks.beforeEach(async function () {
+      await login();
+      this.namespace = `ns-${this.uid}`;
+      await runCmd([`write sys/namespaces/${this.namespace} -force`]);
+      await loginNs(this.namespace); // log into namespace with root token
+      // dismiss wizard
+      this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.secretEngines);
+    });
+
+    // Ember route models won't refresh within a namespace when this.router.transitionTo() is called
+    // because ?namespace is a query param that remains the same so the app doesn't detect any changes
+    // and therefore does not refire the model hook.
+    // this.router.refresh() must be called to refire model hooks and request fresh data.
+    test('list refreshes after deleting an engine in a namespace', async function (assert) {
+      const enginePath1 = `kv-t2-${this.uid}`;
+      await runCmd(mountEngineCmd('kv', enginePath1)); // mount kv engine in the namespace
+      await visit(`/vault/secrets-engines?namespace=${this.namespace}`); // nav to specified namespace list
+
+      assert.dom(GENERAL.linkTo(`${enginePath1}/`)).exists();
+      assert.dom(GENERAL.tableRow()).exists({ count: 2 }, 'only 2 secret engines are listed');
+      // Delete the engine
+      await click(`${GENERAL.listItem(`${enginePath1}/`)} ${GENERAL.menuTrigger}`);
+      await click(GENERAL.menuItem('Delete'));
+      await click(GENERAL.confirmButton);
+      assert.strictEqual(
+        currentRouteName(),
+        'vault.cluster.secrets.backends',
+        'redirects to the backends list page'
+      );
+      assert.dom(GENERAL.linkTo(enginePath1)).doesNotExist('deleted engine is no longer in list');
+      assert.dom(GENERAL.tableRow()).exists({ count: 1 }, 'only 1 secret engine is listed');
+      // cleanup namespace
+      await login();
+      await runCmd(`delete sys/namespaces/${this.namespace}`);
+    });
+
+    test('it should navigate to cubbyhole list view in child namespace', async function (assert) {
+      await visit(`/vault/secrets-engines?namespace=${this.namespace}`);
+      await click(GENERAL.linkTo('cubbyhole/'));
+      assert.dom(GENERAL.emptyStateTitle).hasText('No secrets in this backend');
+
+      // cleanup namespace
+      await login();
+      await runCmd(`delete sys/namespaces/${this.namespace}`);
+    });
+  });
 });
diff --git a/ui/tests/acceptance/secrets/backend/database/secret-test.js b/ui/tests/acceptance/secrets/backend/database/secret-test.js
index a329e19c31..36e20a6e44 100644
--- a/ui/tests/acceptance/secrets/backend/database/secret-test.js
+++ b/ui/tests/acceptance/secrets/backend/database/secret-test.js
@@ -41,7 +41,7 @@ const newConnection = async (
 
 const navToConnection = async (backend, connection) => {
   await visit('/vault/secrets-engines');
-  await click(`${GENERAL.tableData(`${backend}/`, 'path')} a`);
+  await click(GENERAL.linkTo(`${backend}/`));
   await click(GENERAL.secretTab('Connections'));
   await click(SES.secretLink(connection));
   return;
@@ -536,7 +536,7 @@ module('Acceptance | secrets/database/*', function (hooks) {
     // Check with restricted permissions
     await login(token);
     await click(GENERAL.navLink('Secrets'));
-    assert.dom(GENERAL.tableData(`${backend}/`, 'path')).exists('Shows backend on secret list page');
+    assert.dom(GENERAL.listItem(`${backend}/`)).exists('Shows backend on secret list page');
     await navToConnection(backend, connection);
     assert.strictEqual(
       currentURL(),
@@ -617,7 +617,7 @@ module('Acceptance | secrets/database/*', function (hooks) {
       path "${backend}/static-roles/*" {
         capabilities = ["delete"]
       }
-      path "${backend}/config/*" {
+      path "${backend}/config" {
         capabilities = ["list", "create", "read", "update"]
       }
       path "${backend}/creds/*" {
@@ -644,10 +644,7 @@ module('Acceptance | secrets/database/*', function (hooks) {
     assert
       .dom('[data-test-secret-list-tab="Roles"]')
       .doesNotExist(`does not show the roles tab because it does not have permissions`);
-    assert
-      .dom('[data-test-overview-card="Connections"]')
-      .exists({ count: 1 }, 'renders only the connection card');
-    await click('[data-test-action-text="Configure new"]');
+    await click(SES.createSecretLink);
     assert.strictEqual(currentURL(), `/vault/secrets-engines/${backend}/create?itemType=connection`);
   });
 });
diff --git a/ui/tests/acceptance/secrets/backend/database/workflow-test.js b/ui/tests/acceptance/secrets/backend/database/workflow-test.js
index 0997e9d20e..4f521eccc9 100644
--- a/ui/tests/acceptance/secrets/backend/database/workflow-test.js
+++ b/ui/tests/acceptance/secrets/backend/database/workflow-test.js
@@ -335,7 +335,7 @@ module('Acceptance | database workflow', function (hooks) {
         .hasText('generated-password', 'Password is generated');
       assert
         .dom(GENERAL.infoRowValue('Lease Duration'))
-        .hasText('3600', 'shows lease duration from response');
+        .hasText('1 hour', 'shows lease duration from response');
       assert
         .dom(GENERAL.infoRowValue('Lease ID'))
         .hasText(`database/creds/${roleName}/abcd`, 'shows lease ID from response');
diff --git a/ui/tests/acceptance/secrets/backend/generic/secret-test.js b/ui/tests/acceptance/secrets/backend/generic/secret-test.js
index 4f55636f39..99c14a736a 100644
--- a/ui/tests/acceptance/secrets/backend/generic/secret-test.js
+++ b/ui/tests/acceptance/secrets/backend/generic/secret-test.js
@@ -67,7 +67,7 @@ module('Acceptance | secrets/generic/create', function (hooks) {
     ]);
     await visit('/vault/secrets-engines');
     await fillIn(GENERAL.inputSearch('secret-engine-path'), path);
-    await click(`${GENERAL.tableData(`${path}/`, 'path')} a`);
+    await click(GENERAL.linkTo(`${path}/`));
     assert.strictEqual(
       currentRouteName(),
       'vault.cluster.secrets.backend.kv.list',
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
index b8963d7c0f..46fe32d4ef 100644
--- a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
@@ -180,10 +180,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       // max_versions validation
       await fillIn(FORM.inputByAttr('max_versions'), 'seven');
       await click(FORM.saveBtn);
-      assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('Maximum versions must be a number.');
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a non-negative number.');
       await fillIn(FORM.inputByAttr('max_versions'), '99999999999999999');
       await click(FORM.saveBtn);
       assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('max_versions'), '1.23');
+      await click(FORM.saveBtn);
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a whole number.');
       await fillIn(FORM.inputByAttr('max_versions'), '7');
 
       // Fill in other metadata
@@ -436,10 +443,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       // max_versions validation
       await fillIn(FORM.inputByAttr('max_versions'), 'seven');
       await click(FORM.saveBtn);
-      assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('Maximum versions must be a number.');
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a non-negative number.');
       await fillIn(FORM.inputByAttr('max_versions'), '99999999999999999');
       await click(FORM.saveBtn);
       assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('max_versions'), '1.23');
+      await click(FORM.saveBtn);
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a whole number.');
       await fillIn(FORM.inputByAttr('max_versions'), '7');
 
       // Fill in other metadata
@@ -583,10 +597,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       // max_versions validation
       await fillIn(FORM.inputByAttr('max_versions'), 'seven');
       await click(FORM.saveBtn);
-      assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('Maximum versions must be a number.');
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a non-negative number.');
       await fillIn(FORM.inputByAttr('max_versions'), '99999999999999999');
       await click(FORM.saveBtn);
       assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('max_versions'), '1.23');
+      await click(FORM.saveBtn);
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a whole number.');
       await fillIn(FORM.inputByAttr('max_versions'), '7');
 
       // Fill in other metadata
@@ -750,10 +771,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       // max_versions validation
       await fillIn(FORM.inputByAttr('max_versions'), 'seven');
       await click(FORM.saveBtn);
-      assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('Maximum versions must be a number.');
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a non-negative number.');
       await fillIn(FORM.inputByAttr('max_versions'), '99999999999999999');
       await click(FORM.saveBtn);
       assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('max_versions'), '1.23');
+      await click(FORM.saveBtn);
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a whole number.');
       await fillIn(FORM.inputByAttr('max_versions'), '7');
 
       // Fill in other metadata
@@ -976,10 +1004,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       // max_versions validation
       await fillIn(FORM.inputByAttr('max_versions'), 'seven');
       await click(FORM.saveBtn);
-      assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('Maximum versions must be a number.');
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a non-negative number.');
       await fillIn(FORM.inputByAttr('max_versions'), '99999999999999999');
       await click(FORM.saveBtn);
       assert.dom(GENERAL.validationErrorByAttr('max_versions')).hasText('You cannot go over 16 characters.');
+      await fillIn(FORM.inputByAttr('max_versions'), '1.23');
+      await click(FORM.saveBtn);
+      assert
+        .dom(GENERAL.validationErrorByAttr('max_versions'))
+        .hasText('Maximum versions must be a whole number.');
       await fillIn(FORM.inputByAttr('max_versions'), '7');
 
       // Fill in other metadata
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
index 12bd215395..860758f513 100644
--- a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-edge-cases-test.js
@@ -574,11 +574,6 @@ module('Acceptance | kv-v2 workflow | edge cases', function (hooks) {
 module('Acceptance | Enterprise | kv-v2 workflow | edge cases', function (hooks) {
   setupApplicationTest(hooks);
 
-  const navToEngine = async (backend) => {
-    await click(GENERAL.navLink('Secrets'));
-    return await click(`${GENERAL.tableData(`${backend}/`, 'path')} a`);
-  };
-
   const assertDeleteActions = (assert, expected = ['delete', 'destroy']) => {
     ['delete', 'destroy', 'undelete'].forEach((toolbar) => {
       if (expected.includes(toolbar)) {
@@ -637,7 +632,9 @@ module('Acceptance | Enterprise | kv-v2 workflow | edge cases', function (hooks)
       const backend = this.backend;
       const ns = this.namespace;
       const secret = 'my-create-secret';
-      await navToEngine(backend);
+
+      await click(GENERAL.navLink('Secrets'));
+      await click(GENERAL.linkTo(`${backend}/`));
       assert.strictEqual(
         currentURL(),
         `/vault/secrets-engines/${backend}/kv/list?namespace=${ns}`,
@@ -690,8 +687,8 @@ module('Acceptance | Enterprise | kv-v2 workflow | edge cases', function (hooks)
       const ns = this.namespace;
       const secret = 'my-delete-secret';
       await writeVersionedSecret(backend, secret, 'foo', 'bar', 2, ns);
-      await navToEngine(backend);
-
+      await click(GENERAL.navLink('Secrets engines'));
+      await click(GENERAL.linkTo(`${backend}/`));
       await click(PAGE.list.item(secret));
       assert.strictEqual(
         currentURL(),
@@ -734,6 +731,7 @@ module('Acceptance | Enterprise | kv-v2 workflow | edge cases', function (hooks)
 
       // undelete flow
       await click(PAGE.detail.undelete);
+      await waitFor(GENERAL.overviewCard.container('Current version'));
       assert
         .dom(GENERAL.overviewCard.container('Current version'))
         .hasTextContaining('Current version Create new The current version of this secret.');
@@ -748,6 +746,7 @@ module('Acceptance | Enterprise | kv-v2 workflow | edge cases', function (hooks)
       await click(PAGE.detail.deleteConfirm);
       await click(PAGE.secretTab('Secret'));
       assertDeleteActions(assert, []);
+      await waitFor(GENERAL.emptyStateTitle);
       assert
         .dom(GENERAL.emptyStateTitle)
         .hasText('Version 2 of this secret has been permanently destroyed', 'Shows destroyed message');
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
index 78e705c0ac..62bb5109a8 100644
--- a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-navigation-test.js
@@ -46,8 +46,8 @@ const navToBackend = async (backend) => {
   await visit(`/vault/secrets-engines`);
   // Use search to find the specific backend instead of relying on pagination
   await fillIn(GENERAL.inputSearch('secret-engine-path'), backend);
-  await waitUntil(() => find(`${GENERAL.tableData(`${backend}/`, 'path')} a`));
-  return click(`${GENERAL.tableData(`${backend}/`, 'path')} a`);
+  await waitFor(GENERAL.linkTo(`${backend}/`));
+  return click(GENERAL.linkTo(`${backend}/`));
 };
 const assertPolicyGenerator = async (assert, expectedPaths) => {
   assert.dom(GENERAL.cardContainer()).exists({ count: expectedPaths.length });
diff --git a/ui/tests/acceptance/secrets/backend/ldap/roles-test.js b/ui/tests/acceptance/secrets/backend/ldap/roles-test.js
index 8d61bb3997..3f7c2a1df7 100644
--- a/ui/tests/acceptance/secrets/backend/ldap/roles-test.js
+++ b/ui/tests/acceptance/secrets/backend/ldap/roles-test.js
@@ -3,17 +3,18 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { module, test } from 'qunit';
-import { setupApplicationTest } from 'ember-qunit';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { v4 as uuidv4 } from 'uuid';
-import ldapMirageScenario from 'vault/mirage/scenarios/ldap';
-import ldapHandlers from 'vault/mirage/handlers/ldap';
-import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { click, fillIn, waitFor } from '@ember/test-helpers';
-import { assertURL, isURL, visitURL } from 'vault/tests/helpers/ldap/ldap-helpers';
-import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { setupApplicationTest } from 'ember-qunit';
+import { module, test } from 'qunit';
+import sinon from 'sinon';
+import { v4 as uuidv4 } from 'uuid';
+import ldapHandlers from 'vault/mirage/handlers/ldap';
+import ldapMirageScenario from 'vault/mirage/scenarios/ldap';
+import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { deleteEngineCmd, mountEngineCmd, runCmd } from 'vault/tests/helpers/commands';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { assertURL, isURL, visitURL } from 'vault/tests/helpers/ldap/ldap-helpers';
 import { LDAP_SELECTORS } from 'vault/tests/helpers/ldap/ldap-selectors';
 
 module('Acceptance | ldap | roles', function (hooks) {
@@ -166,5 +167,37 @@ module('Acceptance | ldap | roles', function (hooks) {
       await click('[data-test-tab="roles"]');
       assert.dom('[data-test-filter-input]').hasNoValue('Roles page filter value cleared on route exit');
     });
+
+    test('it calls API with correct parameter order for hierarchical paths', async function (assert) {
+      // Get the API service and stub the SDK methods
+      const owner = this.owner;
+      const apiService = owner.lookup('service:api');
+      const ldapListStaticRolePathStub = sinon.stub(apiService.secrets, 'ldapListStaticRolePath');
+      const ldapListRolePathStub = sinon.stub(apiService.secrets, 'ldapListRolePath');
+
+      // Configure stubs to return empty lists
+      ldapListStaticRolePathStub.resolves({ keys: [] });
+      ldapListRolePathStub.resolves({ keys: [] });
+
+      // Navigate to static role subdirectory
+      await visitURL('roles/static/subdirectory/admin/', this.backend);
+
+      // Verify static role API was called with correct parameter order
+      assert.true(ldapListStaticRolePathStub.calledOnce, 'ldapListStaticRolePath was called');
+      const [staticPath, staticMount] = ldapListStaticRolePathStub.firstCall.args;
+      assert.strictEqual(staticPath, 'admin/', 'First parameter is the hierarchical path');
+      assert.strictEqual(staticMount, this.backend, 'Second parameter is the mount path');
+
+      // Navigate to dynamic role subdirectory
+      await visitURL('roles/dynamic/subdirectory/admin/', this.backend);
+
+      // Verify dynamic role API was called with correct parameter order
+      const [dynamicPath] = ldapListRolePathStub.firstCall.args;
+      assert.strictEqual(dynamicPath, 'admin/', 'First parameter is the hierarchical path for dynamic roles');
+
+      // Restore stubs
+      ldapListStaticRolePathStub.restore();
+      ldapListRolePathStub.restore();
+    });
   });
 });
diff --git a/ui/tests/acceptance/secrets/backend/ssh/roles-test.js b/ui/tests/acceptance/secrets/backend/ssh/roles-test.js
index 2de39cf5b6..368a156b91 100644
--- a/ui/tests/acceptance/secrets/backend/ssh/roles-test.js
+++ b/ui/tests/acceptance/secrets/backend/ssh/roles-test.js
@@ -1,5 +1,5 @@
 /**
- * Copyright IBM Corp. 2016, 2025
+ * Copyright IBM Corp. 2016, 2026
  * SPDX-License-Identifier: BUSL-1.1
  */
 
@@ -46,25 +46,24 @@ module('Acceptance | ssh | roles', function (hooks) {
       name: 'carole',
       credsRoute: 'vault.cluster.secrets.backend.sign',
       async fillInCreate() {
-        await click(GENERAL.inputByAttr('allowUserCertificates'));
+        await click(GENERAL.inputByAttr('allow_user_certificates'));
         await click(GENERAL.button('Options'));
         // it's recommended to keep allow_empty_principals false, check for testing so we don't have to input an extra field when signing a key
-        await click(GENERAL.inputByAttr('allowEmptyPrincipals'));
+        await click(GENERAL.inputByAttr('allow_empty_principals'));
       },
       async fillInGenerate() {
-        await fillIn(GENERAL.inputByAttr('publicKey'), PUB_KEY);
-        await click('[data-test-toggle-button]');
+        await fillIn(GENERAL.inputByAttr('public_key'), PUB_KEY);
+        await click(GENERAL.button('More options'));
 
         await click(GENERAL.ttl.toggle('TTL'));
         await fillIn(GENERAL.selectByAttr('ttl-unit'), 'm');
 
-        document.querySelector(GENERAL.ttl.input('TTL')).value = 30;
+        await fillIn(GENERAL.ttl.input('TTL'), '30');
       },
       assertBeforeGenerate(assert) {
-        assert.dom('[data-test-form-field-from-model]').exists('renders the FormFieldFromModel');
+        assert.dom(GENERAL.ttl.input('TTL')).exists('renders the TTL field');
         const value = document.querySelector('[data-test-ttl-value="TTL"]').value;
-        // confirms that the actions are correctly being passed down to the FormFieldFromModel component
-        assert.strictEqual(value, '30', 'renders action updateTtl');
+        assert.strictEqual(value, '30', 'TTL value is set correctly');
       },
       assertAfterGenerate(assert, sshPath) {
         assert.strictEqual(
@@ -83,9 +82,9 @@ module('Acceptance | ssh | roles', function (hooks) {
       name: 'otprole',
       credsRoute: 'vault.cluster.secrets.backend.credentials',
       async fillInCreate() {
-        await fillIn(GENERAL.inputByAttr('defaultUser'), 'admin');
+        await fillIn(GENERAL.inputByAttr('default_user'), 'admin');
         await click(GENERAL.button('Options'));
-        await fillIn(GENERAL.inputByAttr('cidrList'), '1.2.3.4/32');
+        await fillIn(GENERAL.inputByAttr('cidr_list'), '1.2.3.4/32');
       },
       async fillInGenerate() {
         await fillIn(GENERAL.inputByAttr('username'), 'admin');
@@ -126,7 +125,7 @@ module('Acceptance | ssh | roles', function (hooks) {
         .includesText('SSH Role', `${role.type}: renders the create page`);
 
       await fillIn(GENERAL.inputByAttr('name'), role.name);
-      await fillIn(GENERAL.inputByAttr('keyType'), role.type);
+      await fillIn(GENERAL.inputByAttr('key_type'), role.type);
       await role.fillInCreate();
       await settled();
 
@@ -179,11 +178,10 @@ module('Acceptance | ssh | roles', function (hooks) {
   module('Acceptance | ssh | otp role', function () {
     const createOTPRole = async (name) => {
       await fillIn(GENERAL.inputByAttr('name'), name);
-      await fillIn(GENERAL.inputByAttr('keyType'), name);
+      await fillIn(GENERAL.inputByAttr('key_type'), 'otp');
       await click(GENERAL.button('Options'));
-      await fillIn(GENERAL.inputByAttr('keyType'), 'otp');
-      await fillIn(GENERAL.inputByAttr('defaultUser'), 'admin');
-      await fillIn(GENERAL.inputByAttr('cidrList'), '0.0.0.0/0');
+      await fillIn(GENERAL.inputByAttr('default_user'), 'admin');
+      await fillIn(GENERAL.inputByAttr('cidr_list'), '0.0.0.0/0');
       await click(SES.ssh.createRole);
     };
     test('it deletes a role from list view', async function (assert) {
diff --git a/ui/tests/acceptance/secrets/backend/totp/key-test.js b/ui/tests/acceptance/secrets/backend/totp/key-test.js
index a2b4e8e82a..ae89ba2638 100644
--- a/ui/tests/acceptance/secrets/backend/totp/key-test.js
+++ b/ui/tests/acceptance/secrets/backend/totp/key-test.js
@@ -19,13 +19,13 @@ module('Acceptance | totp key backend', function (hooks) {
   const createVaultKey = async (keyName, issuer, accountName, exported = true, qrSize = 200) => {
     await fillIn(GENERAL.inputByAttr('name'), keyName);
     await fillIn(GENERAL.inputByAttr('issuer'), issuer);
-    await fillIn(GENERAL.inputByAttr('accountName'), accountName);
+    await fillIn(GENERAL.inputByAttr('account_name'), accountName);
     if (!exported) {
       await click(GENERAL.toggleInput('toggle-exported'));
     }
     if (qrSize !== 200) {
       await click(GENERAL.button('Provider Options'));
-      await fillIn(GENERAL.inputByAttr('qrSize'), qrSize);
+      await fillIn(GENERAL.inputByAttr('qr_size'), qrSize);
     }
     await click(GENERAL.submitButton);
   };
@@ -34,7 +34,7 @@ module('Acceptance | totp key backend', function (hooks) {
     await click(GENERAL.radioByAttr('Other service'));
     await fillIn(GENERAL.inputByAttr('name'), keyName);
     await fillIn(GENERAL.inputByAttr('issuer'), issuer);
-    await fillIn(GENERAL.inputByAttr('accountName'), accountName);
+    await fillIn(GENERAL.inputByAttr('account_name'), accountName);
     if (url) await fillIn(GENERAL.inputByAttr('url'), url);
     if (key) await fillIn(GENERAL.inputByAttr('key'), key);
     await click(GENERAL.submitButton);
diff --git a/ui/tests/acceptance/secrets/manage-dropdown-routing-test.js b/ui/tests/acceptance/secrets/manage-dropdown-routing-test.js
new file mode 100644
index 0000000000..5ce554b326
--- /dev/null
+++ b/ui/tests/acceptance/secrets/manage-dropdown-routing-test.js
@@ -0,0 +1,518 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { click, currentRouteName, fillIn, findAll, settled, visit } from '@ember/test-helpers';
+import { setupApplicationTest } from 'ember-qunit';
+import { module, test } from 'qunit';
+import { v4 as uuidv4 } from 'uuid';
+import engineDisplayData from 'vault/helpers/engines-display-data';
+import { login } from 'vault/tests/helpers/auth/auth-helpers';
+import { runCmd } from 'vault/tests/helpers/commands';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import mountSecrets from 'vault/tests/pages/settings/mount-secret-backend';
+
+const SECRET_ENGINE_MANAGE_DROPDOWN_ROUTING_CASES = [
+  {
+    key: 'alicloud',
+    type: 'alicloud',
+    isEnginePathClickable: false,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'azure',
+    type: 'azure',
+    isEnginePathClickable: true,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'gcp',
+    type: 'gcp',
+    isEnginePathClickable: true,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'gcpkms',
+    type: 'gcpkms',
+    isEnginePathClickable: false,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'keymgmt',
+    type: 'keymgmt',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'kubernetes',
+    type: 'kubernetes',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+    expectedActionConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.kubernetes.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.kubernetes.configure',
+    ],
+    expectedLandingConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.kubernetes.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.kubernetes.configure',
+    ],
+  },
+  {
+    key: 'kvv1',
+    type: 'kv',
+    version: 1,
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'kvv2',
+    type: 'kv',
+    version: 2,
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: true,
+    showConfigure: true,
+    showDelete: true,
+    expectedLandingConfigureRoutesOverride: ['vault.cluster.secrets.backend.kv.configuration'],
+  },
+  {
+    key: 'transform',
+    type: 'transform',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'transit',
+    type: 'transit',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'kmip',
+    type: 'kmip',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+    expectedActionConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.kmip.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.kmip.configure',
+    ],
+    expectedLandingConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.kmip.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.kmip.configure',
+    ],
+  },
+  {
+    key: 'ldap',
+    type: 'ldap',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+    expectedActionConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.ldap.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.ldap.configure',
+    ],
+    expectedLandingConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.ldap.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.ldap.configure',
+    ],
+  },
+  {
+    key: 'pki',
+    type: 'pki',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+    expectedActionConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.pki.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.pki.configuration.create',
+    ],
+    expectedLandingConfigureRoutesOverride: [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.pki.configuration',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.pki.configuration.create',
+    ],
+  },
+  {
+    key: 'ssh',
+    type: 'ssh',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'totp',
+    type: 'totp',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'aws',
+    type: 'aws',
+    isEnginePathClickable: true,
+    showManageDropdown: true,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'consul',
+    type: 'consul',
+    isEnginePathClickable: false,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'nomad',
+    type: 'nomad',
+    isEnginePathClickable: false,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'rabbitmq',
+    type: 'rabbitmq',
+    isEnginePathClickable: false,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+  },
+  {
+    key: 'database',
+    type: 'database',
+    isEnginePathClickable: true,
+    showManageDropdown: false,
+    showGeneratePolicy: false,
+    showConfigure: true,
+    showDelete: true,
+    expectedLandingRouteOverride: 'vault.cluster.secrets.backend.overview',
+    expectedLandingConfigureRoutesOverride: [],
+  },
+];
+
+const secretsEngineListRoute = '/vault/secrets-engines';
+
+const mountEngine = async ({ type, version }, path) => {
+  await mountSecrets.visit();
+  await click(GENERAL.cardContainer(type));
+  await fillIn(GENERAL.inputByAttr('path'), path);
+  if (type === 'kv' && version === 1) {
+    await click(GENERAL.button('Method Options'));
+    await mountSecrets.version(1);
+  }
+  await click(GENERAL.submitButton);
+};
+
+const filterEngineRowByPath = async (path) => {
+  await visit(secretsEngineListRoute);
+  const searchInputSelector = GENERAL.inputSearch('secret-engine-path');
+  if (findAll(searchInputSelector).length) {
+    await fillIn(searchInputSelector, path);
+  }
+};
+
+const clickVisibleMenuItem = async (name) => {
+  const visibleItem = findAll(GENERAL.menuItem(name)).find((el) => el.offsetParent !== null);
+  if (!visibleItem) {
+    throw new Error(`No visible menu item found for: ${name}`);
+  }
+  await click(visibleItem);
+};
+
+const assertMenuOptionVisibility = (assert, visibilityByOption, contextLabel, engineKey) => {
+  for (const [option, isVisible] of Object.entries(visibilityByOption)) {
+    if (isVisible) {
+      assert.dom(GENERAL.menuItem(option)).exists(`${contextLabel} shows ${option} for ${engineKey}`);
+    } else {
+      assert
+        .dom(GENERAL.menuItem(option))
+        .doesNotExist(`${contextLabel} does not show ${option} for ${engineKey}`);
+    }
+  }
+};
+
+const clickVisibleConfirmButton = async () => {
+  const visibleConfirmButton = findAll(GENERAL.confirmButton).find((el) => el.offsetParent !== null);
+  if (!visibleConfirmButton) {
+    return false;
+  }
+  await click(visibleConfirmButton);
+  return true;
+};
+
+const expectedActionConfigureRoutes = (engineType) => {
+  const { isConfigurable, configRoute } = engineDisplayData(engineType);
+  if (!isConfigurable) {
+    return ['vault.cluster.secrets.backend.configuration.general-settings'];
+  }
+
+  if (configRoute) {
+    return [`vault.cluster.secrets.backend.${configRoute}`];
+  }
+
+  return [
+    // if the engine is configured
+    'vault.cluster.secrets.backend.configuration.plugin-settings',
+    // if the engine is not configured
+    'vault.cluster.secrets.backend.configuration.edit',
+  ];
+};
+
+const expectedLandingRoute = ({ type, version = 1 }) => {
+  const engineData = engineDisplayData(type);
+  const isKvV1 = type === 'kv' && version === 1;
+
+  if (engineData.isOnlyMountable) {
+    return 'vault.cluster.secrets.backend.configuration.general-settings';
+  }
+  if (engineData.engineRoute && !isKvV1) {
+    return `vault.cluster.secrets.backend.${engineData.engineRoute}`;
+  }
+  return 'vault.cluster.secrets.backend.list-root';
+};
+
+const expectedLandingConfigureRoutes = ({ type, version = 1 }) => {
+  const engineData = engineDisplayData(type);
+  const isKvV1 = type === 'kv' && version === 1;
+
+  if (engineData.engineRoute && !isKvV1) {
+    if (engineData.configRoute) {
+      return [`vault.cluster.secrets.backend.${engineData.configRoute}`];
+    }
+  }
+
+  if (engineData.isConfigurable) {
+    return [
+      // if the engine is configured
+      'vault.cluster.secrets.backend.configuration.plugin-settings',
+      // if the engine is not configured
+      'vault.cluster.secrets.backend.configuration.edit',
+    ];
+  }
+
+  return ['vault.cluster.secrets.backend.configuration.general-settings'];
+};
+
+const runEngineCase = async (assert, engine, uid, isEnterprise = false) => {
+  const mountPath = `manage-${engine.key}-${uid}`;
+  const actionConfigureRoutes =
+    engine.expectedActionConfigureRoutesOverride || expectedActionConfigureRoutes(engine.type);
+  const expectedManage = {
+    showManageDropdown: engine.showManageDropdown ?? false,
+    showGeneratePolicy: (engine.showGeneratePolicy ?? false) && isEnterprise,
+    showConfigure: engine.showConfigure ?? true,
+    showDelete: engine.showDelete ?? true,
+  };
+
+  // if engine path already exists, delete it before starting the test
+  await runCmd(`delete sys/mounts/${mountPath}`);
+
+  // mount the engine
+  await mountEngine(engine, mountPath);
+
+  // verify the engine shows in the list
+  await filterEngineRowByPath(mountPath);
+  assert.dom(GENERAL.tableRow()).exists(`row renders for ${engine.key}`);
+
+  assert.dom(GENERAL.menuTrigger).exists(`Action menu is shown for ${engine.key}`);
+  await click(GENERAL.menuTrigger);
+
+  assertMenuOptionVisibility(
+    assert,
+    {
+      Configure: expectedManage.showConfigure,
+      Delete: expectedManage.showDelete,
+    },
+    'Action menu',
+    engine.key
+  );
+
+  if (expectedManage.showConfigure) {
+    // click configure and verify route
+    await clickVisibleMenuItem('Configure');
+    await settled();
+    assert.true(
+      actionConfigureRoutes.includes(currentRouteName()),
+      `Action: Configure routes correctly for ${engine.key}`
+    );
+    await filterEngineRowByPath(mountPath);
+  }
+
+  if (expectedManage.showDelete) {
+    // click delete and verify the engine is removed from the list
+    await filterEngineRowByPath(mountPath);
+    await click(GENERAL.menuTrigger);
+    await clickVisibleMenuItem('Delete');
+    const didConfirmActionDelete = await clickVisibleConfirmButton();
+    assert.true(didConfirmActionDelete, `Action: Delete shows confirm button for ${engine.key}`);
+    await settled();
+
+    await filterEngineRowByPath(mountPath);
+    assert.dom(GENERAL.tableRow()).doesNotExist(`Action: Delete removes ${engine.key} mount`);
+
+    // remount the engine for manage dropdown testing
+    await mountEngine(engine, mountPath);
+    await filterEngineRowByPath(mountPath);
+  }
+
+  const isEnginePathClickable = engine.isEnginePathClickable ?? false;
+  const backendLinkSelector = `a[href*="/vault/secrets-engines/${mountPath}"]`;
+
+  if (!isEnginePathClickable) {
+    // if the engine path is not expected to be clickable, verify it's not a link and skip the rest of the test
+    assert.dom(backendLinkSelector).doesNotExist(`EnginePath is not a clickable link for ${engine.key}`);
+    await runCmd(`delete sys/mounts/${mountPath}`);
+    return;
+  }
+
+  assert.dom(backendLinkSelector).exists(`EnginePath is a clickable link for ${engine.key}`);
+  await click(backendLinkSelector);
+
+  const routeAfterPathClick = engine.expectedLandingRouteOverride || expectedLandingRoute(engine);
+  assert.strictEqual(
+    currentRouteName(),
+    routeAfterPathClick,
+    `Engine path click redirects to ${routeAfterPathClick} for ${engine.key}`
+  );
+
+  const shouldShowManageDropdown = expectedManage.showManageDropdown;
+
+  if (!shouldShowManageDropdown) {
+    // if manage dropdown is not expected to show on the landing page, verify it's not shown and skip the rest of the test
+    assert
+      .dom(GENERAL.dropdownToggle('Manage'))
+      .doesNotExist(`Manage dropdown is not shown on landing page for ${engine.key}`);
+    await runCmd(`delete sys/mounts/${mountPath}`);
+    return;
+  }
+
+  assert
+    .dom(GENERAL.dropdownToggle('Manage'))
+    .exists(`Manage dropdown shows on landing page for ${engine.key}`);
+  await click(GENERAL.dropdownToggle('Manage'));
+  assertMenuOptionVisibility(
+    assert,
+    {
+      'Generate policy': expectedManage.showGeneratePolicy,
+      Configure: expectedManage.showConfigure,
+      Delete: expectedManage.showDelete,
+    },
+    'Manage dropdown',
+    engine.key
+  );
+
+  if (expectedManage.showConfigure) {
+    // click configure and verify route
+    await clickVisibleMenuItem('Configure');
+    await settled();
+    const allowedConfigureRoutes =
+      engine.expectedLandingConfigureRoutesOverride || expectedLandingConfigureRoutes(engine);
+    assert.true(
+      allowedConfigureRoutes.includes(currentRouteName()),
+      `Manage Configure routes correctly for ${engine.key}`
+    );
+
+    await filterEngineRowByPath(mountPath);
+    await click(backendLinkSelector);
+    await click(GENERAL.dropdownToggle('Manage'));
+  }
+
+  if (expectedManage.showDelete) {
+    // click delete and verify the engine is removed from the list
+    await clickVisibleMenuItem('Delete');
+    const didConfirmManageDelete = await clickVisibleConfirmButton();
+    if (!didConfirmManageDelete) {
+      assert.true(
+        engine.type === 'kubernetes',
+        `Manage Delete missing confirm is only expected for kubernetes; got ${engine.key}`
+      );
+      await runCmd(`delete sys/mounts/${mountPath}`);
+      await filterEngineRowByPath(mountPath);
+      assert.dom(GENERAL.tableRow()).doesNotExist(`Manage Delete removes ${engine.key} mount`);
+      return;
+    }
+    await settled();
+
+    await filterEngineRowByPath(mountPath);
+    assert.dom(GENERAL.tableRow()).doesNotExist(`Manage Delete removes ${engine.key} mount`);
+    return; // if the delete action is confirmed, the engine should be removed and we can end the test here without needing to clean up again
+  }
+};
+
+module('Acceptance | secrets-engines/manage-dropdown routing', function (hooks) {
+  setupApplicationTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.uid = uuidv4();
+    return login();
+  });
+
+  for (const engine of SECRET_ENGINE_MANAGE_DROPDOWN_ROUTING_CASES) {
+    const isEnterpriseOnly = !!engineDisplayData(engine.type).requiresEnterprise;
+    const engineLabel = isEnterpriseOnly ? `${engine.key} (enterprise only)` : engine.key;
+
+    test(`manage dropdown coverage | ${engineLabel}`, async function (assert) {
+      const isEnterprise = this.owner.lookup('service:version').isEnterprise;
+      await runEngineCase(assert, engine, this.uid, isEnterprise);
+    });
+  }
+});
diff --git a/ui/tests/acceptance/secrets/mounts-test.js b/ui/tests/acceptance/secrets/mounts-test.js
index 46d25eb1ee..3641b10857 100644
--- a/ui/tests/acceptance/secrets/mounts-test.js
+++ b/ui/tests/acceptance/secrets/mounts-test.js
@@ -4,35 +4,33 @@
  */
 
 import {
+  click,
   currentRouteName,
   currentURL,
-  settled,
-  click,
-  findAll,
   fillIn,
-  visit,
+  findAll,
   typeIn,
-  waitFor,
+  visit,
+  waitUntil,
 } from '@ember/test-helpers';
 import { clickTrigger } from 'ember-power-select/test-support/helpers';
-import { module, test, skip } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
+import { module, skip, test } from 'qunit';
 import { v4 as uuidv4 } from 'uuid';
 import { runCmd, tokenWithPolicyCmd } from 'vault/tests/helpers/commands';
 
 import { create } from 'ember-cli-page-object';
-import page from 'vault/tests/pages/settings/mount-secret-backend';
-import { login } from 'vault/tests/helpers/auth/auth-helpers';
-import consoleClass from 'vault/tests/pages/components/console/ui-panel';
-import mountSecrets from 'vault/tests/pages/settings/mount-secret-backend';
-import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
-import { GENERAL } from 'vault/tests/helpers/general-selectors';
-import { SECRET_ENGINE_SELECTORS as SES } from 'vault/tests/helpers/secret-engine/secret-engine-selectors';
-import { mountBackend } from 'vault/tests/helpers/components/mount-backend-form-helpers';
-import { SELECTORS as OIDC } from 'vault/tests/helpers/oidc-config';
-import { adminOidcCreateRead, adminOidcCreate } from 'vault/tests/helpers/secret-engine/policy-generator';
-import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
 import engineDisplayData from 'vault/helpers/engines-display-data';
+import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
+import { login } from 'vault/tests/helpers/auth/auth-helpers';
+import { mountBackend } from 'vault/tests/helpers/components/mount-backend-form-helpers';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { SELECTORS as OIDC } from 'vault/tests/helpers/oidc-config';
+import { adminOidcCreate, adminOidcCreateRead } from 'vault/tests/helpers/secret-engine/policy-generator';
+import { SECRET_ENGINE_SELECTORS as SES } from 'vault/tests/helpers/secret-engine/secret-engine-selectors';
+import consoleClass from 'vault/tests/pages/components/console/ui-panel';
+import { default as mountSecrets, default as page } from 'vault/tests/pages/settings/mount-secret-backend';
+import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
 
 const consoleComponent = create(consoleClass);
 
@@ -130,33 +128,6 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
     assert.dom('[data-test-input="config.max_lease_ttl"] [data-test-select="ttl-unit"]').hasValue('s');
   });
 
-  test('it throws error if setting duplicate path name', async function (assert) {
-    const path = `kv-duplicate`;
-
-    await consoleComponent.runCommands([
-      // delete any kv-duplicate previously written here so that tests can be re-run
-      `delete sys/mounts/${path}`,
-    ]);
-
-    await page.visit();
-
-    assert.strictEqual(currentRouteName(), 'vault.cluster.secrets.enable.index');
-    await mountBackend('kv', path);
-    await page.secretList();
-    await settled();
-    await page.enableEngine();
-    await mountBackend('kv', path);
-    await waitFor('[data-test-message-error-description]');
-    assert.dom('[data-test-message-error-description]').containsText(`path is already in use at ${path}`);
-    assert.strictEqual(currentRouteName(), 'vault.cluster.secrets.enable.create');
-
-    await page.secretList();
-    await settled();
-    assert
-      .dom(GENERAL.tableData(`${path}/`, 'path'))
-      .exists({ count: 1 }, 'renders only one instance of the engine');
-  });
-
   test('it should transition to mountable addon engine after mount success', async function (assert) {
     // test supported backends that ARE ember engines (enterprise only engines are tested individually)
     const addons = filterEnginesByMountCategory({ mountCategory: 'secret', isEnterprise: false }).filter(
@@ -210,9 +181,11 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
       const route = engineDisplayData(engine.type)?.isOnlyMountable
         ? 'configuration.general-settings'
         : 'list-root';
+      const expectedRoute = `vault.cluster.secrets.backend.${route}`;
+      await waitUntil(() => currentRouteName() === expectedRoute);
       assert.strictEqual(
         currentRouteName(),
-        `vault.cluster.secrets.backend.${route}`,
+        expectedRoute,
         `${engine.type} navigates to the correct view (either list if not configuration only or configuration if it is).`
       );
 
@@ -223,7 +196,7 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
     }
   });
 
-  test('it should transition back to backend list for unsupported backends', async function (assert) {
+  test('it should transition to general settings configuration page for unsupported backends', async function (assert) {
     const unsupported = filterEnginesByMountCategory({ mountCategory: 'secret', isEnterprise: false }).filter(
       (e) => !supportedSecretBackends().includes(e.type)
     );
@@ -239,7 +212,7 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
 
       assert.strictEqual(
         currentRouteName(),
-        `vault.cluster.secrets.backends`,
+        `vault.cluster.secrets.backend.configuration.general-settings`,
         `${engine.type} returns to backends list`
       );
     }
@@ -289,11 +262,12 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
 
     assert.strictEqual(
       currentRouteName(),
-      'vault.cluster.secrets.backends',
-      'redirects to the backends page'
+      'vault.cluster.secrets.backend.configuration.general-settings',
+      'redirects to the configuration page'
     );
-
-    assert.ok(GENERAL.tableData(`${enginePath}/`, 'path'), 'shows the alicloud engine');
+    assert
+      .dom(GENERAL.hdsPageHeaderTitle)
+      .hasText(`${enginePath} configuration`, 'shows the correct page header title');
 
     // cleanup
     await runCmd(`delete sys/mounts/${enginePath}`);
@@ -306,11 +280,12 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
 
     assert.strictEqual(
       currentRouteName(),
-      'vault.cluster.secrets.backends',
-      'redirects to the backends page'
+      'vault.cluster.secrets.backend.configuration.general-settings',
+      'redirects to the configuration page'
     );
-
-    assert.ok(GENERAL.tableData(`${enginePath}/`, 'path'), 'shows the gcpkms engine');
+    assert
+      .dom(GENERAL.hdsPageHeaderTitle)
+      .hasText(`${enginePath} configuration`, 'shows the correct page header title');
     // cleanup
     await runCmd(`delete sys/mounts/${enginePath}`);
   });
@@ -323,8 +298,10 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
       await page.visit();
       await click(GENERAL.cardContainer('aws')); // only testing aws of the WIF engines as the functionality for all others WIF engines in this form are the same
       await click(GENERAL.button('Method Options'));
-      assert.dom('[data-test-search-select-with-modal]').exists('Search select with modal component renders');
-      await clickTrigger('#key');
+      assert
+        .dom(GENERAL.fieldByAttr('config.identity_token_key'))
+        .exists('Search select component renders for oidc key');
+      await clickTrigger('#oidc-key');
       const dropdownOptions = findAll('[data-option-index]').map((o) => o.innerText);
       assert.ok(dropdownOptions.includes('some-key'), 'search select options show some-key');
       await click(GENERAL.searchSelect.option(GENERAL.searchSelect.optionIndex('some-key')));
@@ -335,8 +312,8 @@ module('Acceptance | secrets-engines/enable', function (hooks) {
       // Choose a non-wif engine
       await click(GENERAL.cardContainer('ssh'));
       assert
-        .dom('[data-test-search-select-with-modal]')
-        .doesNotExist('for type ssh, the modal field does not render.');
+        .dom(GENERAL.fieldByAttr('config.identity_token_key'))
+        .doesNotExist('for type ssh, the identity_token_key field does not render.');
       // cleanup
       await runCmd(`delete identity/oidc/key/some-key`);
     });
diff --git a/ui/tests/acceptance/secrets/secrets-nav-test-helper.js b/ui/tests/acceptance/secrets/secrets-nav-test-helper.js
index 8667ca4f2b..1186b987ef 100644
--- a/ui/tests/acceptance/secrets/secrets-nav-test-helper.js
+++ b/ui/tests/acceptance/secrets/secrets-nav-test-helper.js
@@ -32,7 +32,7 @@ export default (test, type) => {
 
       await fillIn(GENERAL.inputSearch('secret-engine-path'), backend);
       await click(GENERAL.menuTrigger);
-      await click(GENERAL.menuItem('View configuration'));
+      await click(GENERAL.menuItem('Configure'));
       assert.strictEqual(
         currentRouteName(),
         `${BASE_ROUTE}.${this.expectedConfigEditRoute}`,
@@ -117,7 +117,7 @@ export default (test, type) => {
       await visit(`/vault/secrets-engines`);
       await fillIn(GENERAL.inputSearch('secret-engine-path'), backend);
       await click(GENERAL.menuTrigger);
-      await click(GENERAL.menuItem('View configuration'));
+      await click(GENERAL.menuItem('Configure'));
 
       // For configurable engines, clicking "View configuration" will direct to its plugin settings route
       await waitUntil(() => currentRouteName() === `${BASE_ROUTE}.${configRoute}`);
diff --git a/ui/tests/acceptance/settings-test.js b/ui/tests/acceptance/settings-test.js
index e34a6a6ac0..1cedd2074f 100644
--- a/ui/tests/acceptance/settings-test.js
+++ b/ui/tests/acceptance/settings-test.js
@@ -3,16 +3,16 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { currentURL, visit, click, fillIn, currentRouteName, waitUntil } from '@ember/test-helpers';
-import { module, test } from 'qunit';
+import { click, currentRouteName, currentURL, fillIn, visit, waitUntil } from '@ember/test-helpers';
 import { setupApplicationTest } from 'ember-qunit';
+import { module, test } from 'qunit';
 import { v4 as uuidv4 } from 'uuid';
 
-import mountSecrets from 'vault/tests/pages/settings/mount-secret-backend';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { deleteEngineCmd, mountEngineCmd, runCmd } from 'vault/tests/helpers/commands';
-import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { mountBackend } from 'vault/tests/helpers/components/mount-backend-form-helpers';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import mountSecrets from 'vault/tests/pages/settings/mount-secret-backend';
 
 module('Acceptance | secret engine mount settings', function (hooks) {
   setupApplicationTest(hooks);
@@ -40,7 +40,9 @@ module('Acceptance | secret engine mount settings', function (hooks) {
     await click(GENERAL.toggleInput('Default Lease TTL'));
     await mountSecrets.defaultTTLUnit('s').defaultTTLVal(100);
     await click(GENERAL.submitButton);
-    await waitUntil(() => currentRouteName() === 'vault.cluster.secrets.backends');
+    await waitUntil(
+      () => currentRouteName() === 'vault.cluster.secrets.backend.configuration.general-settings'
+    );
     assert
       .dom(`${GENERAL.flashMessage}.is-success`)
       .includesText(
@@ -48,8 +50,11 @@ module('Acceptance | secret engine mount settings', function (hooks) {
         'flash message is shown after mounting'
       );
 
-    // TODO This should redirect to the general settings now that every engine supports tune
-    assert.strictEqual(currentURL(), `/vault/secrets-engines`, 'redirects to secrets page');
+    assert.strictEqual(
+      currentURL(),
+      `/vault/secrets-engines/${path}/configuration/general-settings`,
+      'redirects to general settings page'
+    );
     // cleanup
     await runCmd(deleteEngineCmd(path));
   });
@@ -63,7 +68,7 @@ module('Acceptance | secret engine mount settings', function (hooks) {
     await visit('/vault/secrets-engines');
     await fillIn(GENERAL.inputSearch('secret-engine-path'), path);
     await click(GENERAL.menuTrigger);
-    await click(GENERAL.menuItem('View configuration'));
+    await click(GENERAL.menuItem('Configure'));
     // since ldap hasn't been configured yet, it should redirect to configure page
     assert.strictEqual(
       currentURL(),
@@ -93,7 +98,7 @@ module('Acceptance | secret engine mount settings', function (hooks) {
     await visit('/vault/secrets-engines');
     await fillIn(GENERAL.inputSearch('secret-engine-path'), path);
     await click(GENERAL.menuTrigger);
-    await click(GENERAL.menuItem('View configuration'));
+    await click(GENERAL.menuItem('Configure'));
     assert.strictEqual(currentRouteName(), 'vault.cluster.secrets.backend.configuration.general-settings');
     assert.strictEqual(
       currentURL(),
@@ -125,7 +130,7 @@ module('Acceptance | secret engine mount settings', function (hooks) {
     await visit('/vault/secrets-engines');
     await fillIn(GENERAL.inputSearch('secret-engine-path'), path);
     await click(GENERAL.menuTrigger);
-    await click(GENERAL.menuItem('View configuration'));
+    await click(GENERAL.menuItem('Configure'));
     assert.strictEqual(currentRouteName(), 'vault.cluster.secrets.backend.configuration.edit');
     assert.strictEqual(
       currentURL(),
diff --git a/ui/tests/acceptance/settings/auth/enable-test.js b/ui/tests/acceptance/settings/auth/enable-test.js
index 00b7dc8bb0..dfb4bd5ef2 100644
--- a/ui/tests/acceptance/settings/auth/enable-test.js
+++ b/ui/tests/acceptance/settings/auth/enable-test.js
@@ -53,7 +53,7 @@ module('Acceptance | settings/auth/enable', function (hooks) {
     // check tune form (right after enabling)
     assert.dom(GENERAL.toggleInput('Default Lease TTL')).isNotChecked('default lease ttl is unset');
     assert.dom(GENERAL.toggleInput('Max Lease TTL')).isNotChecked('max lease ttl is unset');
-    await click(GENERAL.breadcrumbAtIdx(1));
+    await click(GENERAL.breadcrumbAtIdx(2));
     assert
       .dom(GENERAL.infoRowValue('Default Lease TTL'))
       .hasText('1 month 1 day', 'shows system default TTL');
@@ -76,7 +76,7 @@ module('Acceptance | settings/auth/enable', function (hooks) {
     const type = 'oidc';
     await visit('/vault/settings/auth/enable');
     await mountBackend(type, path);
-    await click(GENERAL.breadcrumbAtIdx(1));
+    await click(GENERAL.breadcrumbAtIdx(2));
     assert
       .dom(GENERAL.infoRowValue('UI login link'))
       .hasText(`${window.origin}/ui/vault/auth?with=${path}%2F`);
diff --git a/ui/tests/acceptance/sidebar-nav-test.js b/ui/tests/acceptance/sidebar-nav-test.js
index cb325e5616..f168625851 100644
--- a/ui/tests/acceptance/sidebar-nav-test.js
+++ b/ui/tests/acceptance/sidebar-nav-test.js
@@ -11,6 +11,7 @@ import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import modifyPassthroughResponse from 'vault/mirage/helpers/modify-passthrough-response';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 const link = (label) => `[data-test-sidebar-nav-link="${label}"]`;
 const panel = (label) => `[data-test-sidebar-nav-panel="${label}"]`;
@@ -19,7 +20,7 @@ module('Acceptance | sidebar navigation', function (hooks) {
   setupApplicationTest(hooks);
   setupMirage(hooks);
 
-  hooks.beforeEach(function () {
+  hooks.beforeEach(async function () {
     // set storage_type to raft to test link
     this.server.get('/sys/seal-status', (schema, req) => {
       return modifyPassthroughResponse(req, { storage_type: 'raft' });
@@ -31,7 +32,9 @@ module('Acceptance | sidebar navigation', function (hooks) {
         'nested-interactive': { enabled: false },
       },
     });
-    return login();
+    await login();
+    // dismiss wizard
+    this.owner.lookup('service:wizard').dismiss(WIZARD_ID_MAP.authMethods);
   });
 
   test('it should navigate back to the dashboard when logo is clicked in app header', async function (assert) {
@@ -40,12 +43,13 @@ module('Acceptance | sidebar navigation', function (hooks) {
   });
 
   test('it should link to correct routes at the cluster level', async function (assert) {
-    assert.expect(8);
+    assert.expect(9);
 
     assert.dom(panel('Cluster')).exists('Cluster nav panel renders');
 
     const subNavs = [
       { label: 'Access control', route: 'policies/acl' },
+      { label: 'Secrets', route: 'secrets-engines' },
       { label: 'Operational tools', route: 'tools/wrap' },
     ];
 
@@ -59,10 +63,8 @@ module('Acceptance | sidebar navigation', function (hooks) {
 
     const links = [
       { label: 'Raft storage', route: '/vault/storage/raft' },
-      { label: 'Secrets', route: '/vault/secrets-engines' },
       { label: 'Dashboard', route: '/vault/dashboard' },
     ];
-
     for (const l of links) {
       await click(link(l.label));
       assert.strictEqual(currentURL(), l.route, `${l.label} route renders`);
diff --git a/ui/tests/acceptance/sync/secrets/destinations-test.js b/ui/tests/acceptance/sync/secrets/destinations-test.js
index b0f4c2e6a5..257bd63ec2 100644
--- a/ui/tests/acceptance/sync/secrets/destinations-test.js
+++ b/ui/tests/acceptance/sync/secrets/destinations-test.js
@@ -13,6 +13,8 @@ import { click, visit, fillIn, currentURL, currentRouteName } from '@ember/test-
 import { PAGE as ts } from 'vault/tests/helpers/sync/sync-selectors';
 import { syncDestinations } from 'vault/helpers/sync-destinations';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { DestinationType, CredentialType } from 'sync/utils/constants';
+import sinon from 'sinon';
 
 const SYNC_DESTINATIONS = syncDestinations();
 
@@ -44,10 +46,12 @@ module('Acceptance | sync | destinations (plural)', function (hooks) {
     await click(GENERAL.navLink('Secrets'));
     await click(GENERAL.navLink('Secrets sync'));
     await click(ts.cta.button);
-    await click(ts.selectType('aws-sm'));
-    await fillIn(ts.inputByAttr('name'), 'foo');
+    await click(ts.selectType(DestinationType.AwsSm));
+    await fillIn(GENERAL.inputByAttr('name'), 'foo');
     await click(GENERAL.submitButton);
-    assert.dom(ts.infoRowValue('Name')).hasText('foo', 'Destination details render after create success');
+    assert
+      .dom(GENERAL.infoRowValue('Name'))
+      .hasText('foo', 'Destination details render after create success');
 
     await click(ts.breadcrumbLink('Destinations'));
     await click(ts.destinations.list.create);
@@ -77,6 +81,9 @@ module('Acceptance | sync | destinations (plural)', function (hooks) {
       await click(ts.cta.button);
       await click(ts.selectType(type));
 
+      // Expand Advanced configuration accordion to access granularity field
+      await click(GENERAL.accordionButton('Advanced configuration'));
+
       // check default values
       const attr = 'granularity';
       assert
@@ -109,4 +116,244 @@ module('Acceptance | sync | destinations (plural)', function (hooks) {
     await click(GENERAL.menuItem('edit'));
     assert.strictEqual(currentRouteName(), routeName('edit'), 'Navigates to edit route');
   });
+
+  // WIF (Workload Identity Federation) acceptance tests
+  module('WIF credential type support', function (hooks) {
+    hooks.beforeEach(function () {
+      // Helper to clear destinations and activate sync feature
+      this.clearDestinationsAndActivateSync = () => {
+        this.server.db.syncDestinations.remove();
+        this.server.get('/sys/activation-flags', () => {
+          return {
+            data: {
+              activated: ['secrets-sync'],
+              unactivated: [],
+            },
+          };
+        });
+      };
+
+      // Helper to navigate to create destination form
+      this.navigateToCreateDestination = async () => {
+        await click(GENERAL.navLink('Secrets'));
+        await click(GENERAL.navLink('Secrets sync'));
+        await click(ts.cta.button);
+      };
+    });
+
+    test('it should create AWS destination with WIF credentials', async function (assert) {
+      this.clearDestinationsAndActivateSync();
+
+      assert.expect(5);
+
+      this.server.post('/sys/sync/destinations/aws-sm/:name', (schema, req) => {
+        const payload = JSON.parse(req.requestBody);
+        assert.notOk('credential_type' in payload, 'credential_type not in payload');
+        assert.notOk('access_key_id' in payload, 'account credentials not in payload');
+        assert.ok('identity_token_audience' in payload, 'WIF credentials in payload');
+
+        const { name } = req.params;
+        const data = { ...payload, type: DestinationType.AwsSm, name };
+        const record = schema.db.syncDestinations.insert(data);
+
+        const { granularity, secret_name_template, custom_tags, ...connection_details } = record;
+        return {
+          data: {
+            name: record.name,
+            type: record.type,
+            connection_details,
+            options: {
+              granularity_level: granularity,
+              secret_name_template,
+              custom_tags,
+            },
+          },
+        };
+      });
+
+      await this.navigateToCreateDestination();
+      await click(ts.selectType(DestinationType.AwsSm));
+
+      // Switch to WIF
+      await click(GENERAL.radioCardByAttr(CredentialType.WIF));
+
+      // Fill in required fields
+      await fillIn(GENERAL.inputByAttr('name'), 'wif-destination');
+      await fillIn(GENERAL.inputByAttr('region'), 'us-west-1');
+      await fillIn(GENERAL.inputByAttr('role_arn'), 'arn:aws:iam::123456789012:role/test-role');
+      await fillIn(GENERAL.inputByAttr('identity_token_audience'), 'test-audience');
+
+      await click(GENERAL.submitButton);
+
+      assert.strictEqual(
+        currentURL(),
+        '/vault/sync/secrets/destinations/aws-sm/wif-destination/details',
+        'Navigates to destination details after creation'
+      );
+      assert.dom(GENERAL.infoRowValue('Name')).hasText('wif-destination', 'Destination created successfully');
+    });
+
+    test('it should create Azure destination with WIF credentials', async function (assert) {
+      this.clearDestinationsAndActivateSync();
+
+      assert.expect(4);
+
+      this.server.post('/sys/sync/destinations/azure-kv/:name', (schema, req) => {
+        const payload = JSON.parse(req.requestBody);
+        assert.notOk('credential_type' in payload, 'credential_type not in payload');
+        assert.notOk('client_secret' in payload, 'account credentials not in payload');
+        assert.ok('identity_token_audience' in payload, 'WIF credentials in payload');
+
+        const { name } = req.params;
+        const data = { ...payload, type: DestinationType.AzureKv, name };
+        const record = schema.db.syncDestinations.insert(data);
+
+        const { granularity, secret_name_template, custom_tags, ...connection_details } = record;
+        return {
+          data: {
+            name: record.name,
+            type: record.type,
+            connection_details,
+            options: {
+              granularity_level: granularity,
+              secret_name_template,
+              custom_tags,
+            },
+          },
+        };
+      });
+
+      await this.navigateToCreateDestination();
+      await click(ts.selectType(DestinationType.AzureKv));
+
+      // Switch to WIF
+      await click(GENERAL.radioCardByAttr(CredentialType.WIF));
+
+      // Fill in required fields
+      await fillIn(GENERAL.inputByAttr('name'), 'azure-wif');
+      await fillIn(GENERAL.inputByAttr('key_vault_uri'), 'https://my-vault.vault.azure.net');
+      await fillIn(GENERAL.inputByAttr('tenant_id'), 'tenant-id');
+      await fillIn(GENERAL.inputByAttr('client_id'), 'client-id');
+      await fillIn(GENERAL.inputByAttr('identity_token_audience'), 'test-audience');
+
+      await click(GENERAL.submitButton);
+
+      assert.strictEqual(
+        currentURL(),
+        '/vault/sync/secrets/destinations/azure-kv/azure-wif/details',
+        'Navigates to destination details after creation'
+      );
+    });
+
+    test('it should create GCP destination with WIF credentials', async function (assert) {
+      this.clearDestinationsAndActivateSync();
+
+      assert.expect(5);
+
+      this.server.post('/sys/sync/destinations/gcp-sm/:name', (schema, req) => {
+        const payload = JSON.parse(req.requestBody);
+        assert.notOk('credential_type' in payload, 'credential_type not in payload');
+        assert.notOk('credentials' in payload, 'account credentials not in payload');
+        assert.ok('identity_token_audience' in payload, 'WIF credentials in payload');
+        assert.ok('service_account_email' in payload, 'service_account_email in payload');
+
+        const { name } = req.params;
+        const data = { ...payload, type: DestinationType.GcpSm, name };
+        const record = schema.db.syncDestinations.insert(data);
+
+        const { granularity, secret_name_template, custom_tags, ...connection_details } = record;
+        return {
+          data: {
+            name: record.name,
+            type: record.type,
+            connection_details,
+            options: {
+              granularity_level: granularity,
+              secret_name_template,
+              custom_tags,
+            },
+          },
+        };
+      });
+
+      await this.navigateToCreateDestination();
+      await click(ts.selectType(DestinationType.GcpSm));
+
+      // Switch to WIF
+      await click(GENERAL.radioCardByAttr(CredentialType.WIF));
+
+      // Fill in required fields
+      await fillIn(GENERAL.inputByAttr('name'), 'gcp-wif');
+      await fillIn(GENERAL.inputByAttr('project_id'), 'my-project');
+      await fillIn(GENERAL.inputByAttr('service_account_email'), 'test@project.iam.gserviceaccount.com');
+      await fillIn(GENERAL.inputByAttr('identity_token_audience'), 'test-audience');
+
+      await click(GENERAL.submitButton);
+
+      assert.strictEqual(
+        currentURL(),
+        '/vault/sync/secrets/destinations/gcp-sm/gcp-wif/details',
+        'Navigates to destination details after creation'
+      );
+    });
+
+    test('it should show credential type radio cards are checked by default for account', async function (assert) {
+      this.clearDestinationsAndActivateSync();
+
+      await this.navigateToCreateDestination();
+      await click(ts.selectType(DestinationType.AwsSm));
+
+      assert
+        .dom(GENERAL.radioCardByAttr(CredentialType.ACCOUNT))
+        .isChecked('Account credential type is selected by default');
+      assert.dom(GENERAL.fieldByAttr('access_key_id')).exists('IAM credentials fields are visible');
+    });
+
+    test('it should display success message after creating WIF destination', async function (assert) {
+      assert.expect(2);
+      const flash = this.owner.lookup('service:flash-messages');
+      const flashSuccessSpy = sinon.spy(flash, 'success');
+
+      this.clearDestinationsAndActivateSync();
+
+      this.server.post('/sys/sync/destinations/aws-sm/:name', (schema, req) => {
+        const payload = JSON.parse(req.requestBody);
+        const { name } = req.params;
+        const data = { ...payload, type: DestinationType.AwsSm, name };
+        const record = schema.db.syncDestinations.insert(data);
+
+        const { granularity, secret_name_template, custom_tags, ...connection_details } = record;
+        return {
+          data: {
+            name: record.name,
+            type: record.type,
+            connection_details,
+            options: {
+              granularity_level: granularity,
+              secret_name_template,
+              custom_tags,
+            },
+          },
+        };
+      });
+
+      await this.navigateToCreateDestination();
+      await click(ts.selectType(DestinationType.AwsSm));
+
+      // Switch to WIF
+      await click(GENERAL.radioCardByAttr(CredentialType.WIF));
+
+      // Fill in required fields
+      await fillIn(GENERAL.inputByAttr('name'), 'test-wif');
+      await fillIn(GENERAL.inputByAttr('region'), 'us-west-1');
+      await fillIn(GENERAL.inputByAttr('role_arn'), 'arn:aws:iam::123456789012:role/test-role');
+      await fillIn(GENERAL.inputByAttr('identity_token_audience'), 'test-audience');
+
+      await click(GENERAL.submitButton);
+
+      assert.true(flashSuccessSpy.calledOnce, 'Flash success message is called');
+      const [flashMessage] = flashSuccessSpy.lastCall.args;
+      assert.strictEqual(flashMessage, 'You have successfully created a sync destination.');
+    });
+  });
 });
diff --git a/ui/tests/acceptance/unseal-test.js b/ui/tests/acceptance/unseal-test.js
index 32fae0e4cd..fa20adcb43 100644
--- a/ui/tests/acceptance/unseal-test.js
+++ b/ui/tests/acceptance/unseal-test.js
@@ -8,19 +8,18 @@ import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 
-import VAULT_KEYS from 'vault/tests/helpers/vault-keys';
 import { login } from 'vault/tests/helpers/auth/auth-helpers';
 import { pollCluster } from 'vault/tests/helpers/poll-cluster';
 import { overrideResponse } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
-const { unsealKeys } = VAULT_KEYS;
+const unsealKeys = ['unseal-key-1', 'unseal-key-2', 'unseal-key-3'];
 
 module('Acceptance | unseal', function (hooks) {
   setupApplicationTest(hooks);
   setupMirage(hooks);
 
-  hooks.beforeEach(function () {
+  hooks.beforeEach(async function () {
     this.unsealCount = 0;
     this.sealed = false;
     return login();
@@ -57,7 +56,7 @@ module('Acceptance | unseal', function (hooks) {
     assert.strictEqual(currentURL(), '/vault/settings/seal');
 
     // seal
-    await click('[data-test-seal]');
+    await click(GENERAL.button('Seal'));
     await click(GENERAL.confirmButton);
 
     await pollCluster(this.owner);
@@ -66,9 +65,9 @@ module('Acceptance | unseal', function (hooks) {
 
     // unseal
     for (const key of unsealKeys) {
-      await fillIn('[data-test-shamir-key-input]', key);
+      await fillIn(GENERAL.inputByAttr('shamir-key'), key);
 
-      await click('button[type="submit"]');
+      await click(GENERAL.submitButton);
 
       await pollCluster(this.owner);
       await settled();
diff --git a/ui/tests/helpers/auth/auth-helpers.ts b/ui/tests/helpers/auth/auth-helpers.ts
index 656fb826b0..4285d02da7 100644
--- a/ui/tests/helpers/auth/auth-helpers.ts
+++ b/ui/tests/helpers/auth/auth-helpers.ts
@@ -75,6 +75,7 @@ export const fillInLoginFields = async (loginFields: LoginFields, { toggleOption
 };
 
 const LOGIN_DATA = {
+  cert: { name: 'app-client' },
   token: { token: 'mysupersecuretoken' },
   username: { username: 'matilda', password: 'some-password' },
   role: { role: 'some-dev' },
@@ -94,6 +95,8 @@ export const AUTH_METHOD_LOGIN_DATA = {
   oidc: LOGIN_DATA.role,
   jwt: LOGIN_DATA.jwt,
   saml: LOGIN_DATA.role,
+  // cert is its own thing
+  cert: LOGIN_DATA.cert,
 };
 
 // Mock response for `sys/internal/ui/mounts`
diff --git a/ui/tests/helpers/auth/response-stubs.ts b/ui/tests/helpers/auth/response-stubs.ts
index dd5c90a5e5..47a304a5d2 100644
--- a/ui/tests/helpers/auth/response-stubs.ts
+++ b/ui/tests/helpers/auth/response-stubs.ts
@@ -28,6 +28,31 @@ const BASE_REQUEST_DATA = {
 };
 
 export const RESPONSE_STUBS = {
+  cert: {
+    ...BASE_REQUEST_DATA,
+    data: null,
+    auth: {
+      client_token: 'hvs.myvaultgeneratedgithubtoken',
+      accessor: 'bSdIXwG3bor6qPpsXYPXDesS',
+      policies: ['app-policy', 'default'],
+      token_policies: ['app-policy', 'default'],
+      metadata: {
+        authority_key_id: '57:4e:bd:2b:c5:64:57:18:85:fe:ba:65:74:fe:51:d8:07:b3:c8:7c',
+        cert_name: 'app-client',
+        common_name: '123-vault-auth-client',
+        serial_number: '203007388920717447074631125239238186446913014802',
+        subject_key_id: 'a8:09:b6:a2:2d:ac:a7:ad:67:6c:ff:b2:23:ef:eb:cd:c4:b7:68:eb',
+      },
+      lease_duration: 2764800,
+      renewable: true,
+      entity_id: '9caa5721-97dc-e082-5b37-6f21ae6effbd',
+      token_type: 'service',
+      orphan: true,
+      mfa_requirement: null,
+      num_uses: 0,
+    },
+    mount_type: '',
+  },
   github: {
     ...BASE_REQUEST_DATA,
     data: null,
@@ -317,9 +342,19 @@ export const RESPONSE_STUBS = {
   },
 };
 
-// Once the auth service authentication method is simplified and no longer handles every auth type
-// the "backend" key should be completely removable
 export const TOKEN_DATA = {
+  cert: {
+    authMethodType: 'cert',
+    authMountPath: 'cert',
+    displayName: `${RESPONSE_STUBS.cert.auth.metadata.cert_name}/${RESPONSE_STUBS.cert.auth.metadata.common_name}`,
+    entityId: RESPONSE_STUBS.cert.auth.entity_id,
+    policies: RESPONSE_STUBS.cert.auth.policies,
+    renewable: RESPONSE_STUBS.cert.auth.renewable,
+    token: RESPONSE_STUBS.cert.auth.client_token,
+    tokenExpirationEpoch: 1752352843223,
+    ttl: RESPONSE_STUBS.cert.auth.lease_duration,
+    userRootNamespace: '',
+  },
   github: {
     authMethodType: 'github',
     authMountPath: 'github',
diff --git a/ui/tests/helpers/billing/stubs.ts b/ui/tests/helpers/billing/stubs.ts
new file mode 100644
index 0000000000..cb87f0bebf
--- /dev/null
+++ b/ui/tests/helpers/billing/stubs.ts
@@ -0,0 +1,212 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export const METRICS_DATA_RESPONSE = {
+  request_id: 'c16f7715-e534-7ebe-439f-7bc6005a26da',
+  lease_id: '',
+  renewable: false,
+  lease_duration: 0,
+  data: {
+    months: [
+      {
+        month: '2026-01',
+        updated_at: '2026-01-14T10:49:00Z',
+        usage_metrics: [
+          {
+            metric_name: 'static_secrets',
+            metric_data: {
+              total: 10,
+              metric_details: [{ type: 'kv', count: 10 }],
+            },
+          },
+          {
+            metric_name: 'dynamic_roles',
+            metric_data: {
+              total: 130,
+              metric_details: [
+                { type: 'aws_dynamic', count: 10 },
+                { type: 'azure_dynamic', count: 10 },
+                { type: 'database_dynamic', count: 10 },
+                { type: 'gcp_dynamic', count: 10 },
+                { type: 'ldap_dynamic', count: 10 },
+                { type: 'openldap_dynamic', count: 10 },
+                { type: 'alicloud_dynamic', count: 10 },
+                { type: 'rabbitmq_dynamic', count: 10 },
+                { type: 'consul_dynamic', count: 10 },
+                { type: 'nomad_dynamic', count: 10 },
+                { type: 'kubernetes_dynamic', count: 10 },
+                { type: 'mongodbatlas_dynamic', count: 10 },
+                { type: 'terraform_dynamic', count: 10 },
+              ],
+            },
+          },
+          {
+            metric_name: 'auto_rotated_roles',
+            metric_data: {
+              total: 70,
+              metric_details: [
+                { type: 'aws_static', count: 10 },
+                { type: 'azure_static', count: 10 },
+                { type: 'database_static', count: 10 },
+                { type: 'gcp_static', count: 10 },
+                { type: 'gcp_impersonated', count: 10 },
+                { type: 'ldap_static', count: 10 },
+                { type: 'openldap_static', count: 10 },
+              ],
+            },
+          },
+          {
+            metric_name: 'kmip',
+            metric_data: {
+              used_in_month: true,
+            },
+          },
+          {
+            metric_name: 'pki_units',
+            metric_data: { total: 100.1234 },
+          },
+          {
+            metric_name: 'ssh_units',
+            metric_data: {
+              total: 100.2468,
+              metric_details: [
+                { type: 'otp_units', count: 50.1234 },
+                { type: 'certificate_units', count: 50.1234 },
+              ],
+            },
+          },
+          {
+            metric_name: 'external_plugins',
+            metric_data: { total: 100 },
+          },
+          {
+            metric_name: 'data_protection_calls',
+            metric_data: {
+              total: 420,
+              metric_details: [
+                { type: 'transit', count: 200 },
+                { type: 'transform', count: 220 },
+                { type: 'gcpkms', count: 220 }, // Added for GCP KMS data protection calls
+              ],
+            },
+          },
+          {
+            metric_name: 'managed_keys',
+            metric_data: {
+              total: 430,
+              metric_details: [
+                { type: 'kmse', count: 210 },
+                { type: 'totp', count: 220 },
+              ],
+            },
+          },
+          {
+            metric_name: 'id_token_units', // Added for ID token units (OIDC and SPIFFE)
+            metric_data: {
+              total: 103.2468,
+              metric_details: [
+                { type: 'oidc', count: 52.1234 },
+                { type: 'spiffe', count: 51.1234 },
+              ],
+            },
+          },
+        ],
+      },
+      {
+        month: '2025-12',
+        updated_at: '2026-01-14T10:49:00Z',
+        usage_metrics: [
+          {
+            metric_name: 'static_secrets',
+            metric_data: {
+              total: 2,
+              metric_details: [{ type: 'kv', count: 2 }],
+            },
+          },
+          {
+            metric_name: 'dynamic_roles',
+            metric_data: {
+              total: 125,
+              metric_details: [
+                { type: 'aws_dynamic', count: 5 },
+                { type: 'azure_dynamic', count: 10 },
+                { type: 'database_dynamic', count: 10 },
+                { type: 'gcp_dynamic', count: 10 },
+                { type: 'ldap_dynamic', count: 10 },
+                { type: 'openldap_dynamic', count: 10 },
+                { type: 'alicloud_dynamic', count: 10 },
+                { type: 'rabbitmq_dynamic', count: 10 },
+                { type: 'consul_dynamic', count: 10 },
+                { type: 'nomad_dynamic', count: 10 },
+                { type: 'kubernetes_dynamic', count: 10 },
+                { type: 'mongodbatlas_dynamic', count: 10 },
+                { type: 'terraform_dynamic', count: 10 },
+              ],
+            },
+          },
+          {
+            metric_name: 'auto_rotated_roles',
+            metric_data: {
+              total: 65,
+              metric_details: [
+                { type: 'aws_static', count: 5 },
+                { type: 'azure_static', count: 10 },
+                { type: 'database_static', count: 10 },
+                { type: 'gcp_static', count: 10 },
+                { type: 'gcp_impersonated', count: 10 },
+                { type: 'ldap_static', count: 10 },
+                { type: 'openldap_static', count: 10 },
+              ],
+            },
+          },
+          {
+            metric_name: 'kmip',
+            metric_data: {
+              used_in_month: false,
+            },
+          },
+          {
+            metric_name: 'pki_units',
+            metric_data: { total: 100.1234 },
+          },
+          {
+            metric_name: 'ssh_units',
+            metric_data: {
+              total: 100.2468,
+              metric_details: [
+                { type: 'otp_units', count: 50.1234 },
+                { type: 'certificate_units', count: 50.1234 },
+              ],
+            },
+          },
+          {
+            metric_name: 'external_plugins',
+            metric_data: { total: 100 },
+          },
+          {
+            metric_name: 'data_protection_calls',
+            metric_data: {
+              total: 220,
+              metric_details: [
+                { type: 'transit', count: 200 },
+                { type: 'transform', count: 220 },
+              ],
+            },
+          },
+          {
+            metric_name: 'managed_keys',
+            metric_data: {
+              total: 220,
+              metric_details: [
+                { type: 'kmse', count: 200 },
+                { type: 'totp', count: 220 },
+              ],
+            },
+          },
+        ],
+      },
+    ],
+  },
+};
diff --git a/ui/tests/helpers/clients/client-count-helpers.js b/ui/tests/helpers/clients/client-count-helpers.js
index cbef483182..4050220ad1 100644
--- a/ui/tests/helpers/clients/client-count-helpers.js
+++ b/ui/tests/helpers/clients/client-count-helpers.js
@@ -3,32 +3,6 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { findAll } from '@ember/test-helpers';
-import { CHARTS } from './client-count-selectors';
-
-export function assertBarChart(assert, chartName, byMonthData, isStacked = false) {
-  // assertion count is byMonthData.length, plus 2
-  const chart = CHARTS.chart(chartName);
-  const dataBars = findAll(`${chart} ${CHARTS.verticalBar}`).filter(
-    (b) => b.hasAttribute('height') && b.getAttribute('height') !== '0'
-  );
-  const xAxisLabels = findAll(`${chart} ${CHARTS.xAxisLabel}`);
-
-  let count = byMonthData.filter((m) => m.clients).length;
-  if (isStacked) count = count * 2;
-
-  assert.strictEqual(dataBars.length, count, `${chartName}: it renders bars for each non-zero month`);
-  assert.strictEqual(
-    xAxisLabels.length,
-    byMonthData.length,
-    `${chartName}: it renders a label for each month`
-  );
-
-  xAxisLabels.forEach((e, i) => {
-    assert.dom(e).hasText(`${byMonthData[i].month}`, `renders x-axis label: ${byMonthData[i].month}`);
-  });
-}
-
 export const ACTIVITY_RESPONSE_STUB = {
   start_time: '2023-06-01T00:00:00Z',
   end_time: '2023-09-30T23:59:59Z', // is always the last day and hour of the month queried
diff --git a/ui/tests/helpers/clients/client-count-selectors.ts b/ui/tests/helpers/clients/client-count-selectors.ts
index 4746069330..8c0547b1a5 100644
--- a/ui/tests/helpers/clients/client-count-selectors.ts
+++ b/ui/tests/helpers/clients/client-count-selectors.ts
@@ -53,6 +53,12 @@ export const CHARTS = {
   yAxis: '[data-test-y-axis]',
   xAxisLabel: '[data-test-x-axis] text',
   plotPoint: '[data-test-plot-point]',
+
+  // Carbon Charts selectors — scoped to a chart container by title
+  carbonLegendLabel: (title: string) => `[data-test-chart="${title}"] .legend-item p`,
+  carbonXAxisTick: (title: string) =>
+    `[data-test-chart="${title}"] g.axis.bottom g.ticks:not(.invisible) g.tick text`,
+  carbonBar: (title: string) => `[data-test-chart="${title}"] path.bar`,
 };
 
 export const FILTERS = {
diff --git a/ui/tests/helpers/components/dashboard/dashboard-selectors.js b/ui/tests/helpers/components/dashboard/dashboard-selectors.js
deleted file mode 100644
index 940ec63b83..0000000000
--- a/ui/tests/helpers/components/dashboard/dashboard-selectors.js
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-export const DASHBOARD = {
-  cardName: (name) => `[data-test-card="${name}"]`,
-  emptyState: (name) => `[data-test-empty-state="${name}"]`,
-  emptyStateTitle: (name) => `[data-test-empty-state="${name}"] [data-test-empty-state-title]`,
-  emptyStateMessage: (name) => `[data-test-empty-state="${name}"] [data-test-empty-state-message]`,
-  emptyStateActions: (name) => `[data-test-empty-state="${name}"] [data-test-empty-state-actions]`,
-  cardHeader: (name) => `[data-test-dashboard-card-header="${name}"]`,
-  tableRow: (name) => `[data-test-dashboard-table="${name}"] tr`,
-  searchSelect: (name) => `[data-test-search-select="${name}"]`,
-  kvSearchSelect: `[data-test-kv-suggestion-input]`,
-  actionButton: (action) => `[data-test-button="${action}"]`,
-  title: (name) => `[data-test-title="${name}"]`,
-  subtitle: (name) => `[data-test-card-subtitle="${name}"]`,
-  subtext: (name) => `[data-test-subtext="${name}"]`,
-  tooltipTitle: (name) => `[data-test-replication-status-title="${name}"]`,
-  tooltipIcon: (type, name, icon) => `[data-test-type="${type}"] [data-test-replication-icon="${icon}"]`,
-  statLabel: (name) => `[data-test-stat-text="${name}"] .stat-label`,
-  statText: (name) => `[data-test-stat-text="${name}"] .stat-text`,
-  statValue: (name) => `[data-test-stat-text="${name}"] .stat-value`,
-  selectEl: 'select',
-  secretsEnginesCard: {
-    secretEngineAccessorRow: (engineId) => `[data-test-secrets-engines-row=${engineId}] [data-test-accessor]`,
-    secretEngineDescription: (engineId) =>
-      `[data-test-secrets-engines-row=${engineId}] [data-test-description]`,
-  },
-  vaultConfigurationCard: {
-    configDetailsField: (name) => `[data-test-vault-config-details="${name}"]`,
-  },
-  paramInput: '[data-test-param-input] input',
-  paramInputLabel: '[data-test-param-input] label',
-};
diff --git a/ui/tests/helpers/components/shamir-selectors.ts b/ui/tests/helpers/components/shamir-selectors.ts
index a08dad49fe..3209cf7853 100644
--- a/ui/tests/helpers/components/shamir-selectors.ts
+++ b/ui/tests/helpers/components/shamir-selectors.ts
@@ -4,11 +4,9 @@
  */
 
 export const SHAMIR_FORM = {
-  input: '[data-test-shamir-key-input]',
   inputLabel: '[data-test-shamir-key-label]',
-  submitButton: '[data-test-shamir-submit]',
+  flowStep: (step: string) => `[data-test-dr-token-flow-step="${step}"]`,
   otpInfo: '[data-test-otp-info]',
   otpCode: '[data-test-otp]',
   progress: '.shamir-progress',
-  error: '[data-test-message-error]',
 };
diff --git a/ui/tests/helpers/general-selectors.ts b/ui/tests/helpers/general-selectors.ts
index da484f84d7..ab39d59150 100644
--- a/ui/tests/helpers/general-selectors.ts
+++ b/ui/tests/helpers/general-selectors.ts
@@ -85,6 +85,7 @@ export const GENERAL = {
   inputGroupByAttr: (attr: string) => `[data-test-input-group="${attr}"]`,
   inputSearch: (attr: string) => `[data-test-input-search="${attr}"]`,
   labelById: (id: string) => `label[id="${id}"]`,
+  labelFor: (name: string) => `label[for="${name}"]`,
   labelByGroupControlIndex: (index: number) => `.hds-form-group__control-field:nth-of-type(${index}) label`,
   maskedInput: '[data-test-masked-input]',
   radioByAttr: (attr: string) => (attr ? `[data-test-radio="${attr}"]` : '[data-test-radio]'),
@@ -95,6 +96,7 @@ export const GENERAL = {
   textareaByAttr: (attr: string) => `textarea[name="${attr}"]`,
   toggleInput: (attr: string) => `[data-test-toggle-input="${attr}"]`,
   superSelect: (name: string) => `[data-test-super-select="${name}"]`,
+  formLabel: (name: string) => `[data-test-form-label="${name}"]`,
 
   /* ────── Code Blocks / Editor ────── */
   codemirror: `[data-test-component="code-mirror-modifier"]`,
@@ -141,6 +143,7 @@ export const GENERAL = {
   emptyStateSubtitle: '[data-test-empty-state-subtitle]',
   emptyStateMessage: '[data-test-empty-state-message]',
   emptyStateActions: '[data-test-empty-state-actions]',
+  emptyState: (attr: string) => `[data-test-empty-state="${attr}"]`,
   flashMessage: '[data-test-flash-message]',
   latestFlashContent: '[data-test-flash-message]:last-of-type [data-test-flash-message-body]',
   inlineAlert: '[data-test-inline-alert]',
@@ -148,8 +151,8 @@ export const GENERAL = {
   inlineError: '[data-test-inline-error-message]',
   messageError: '[data-test-message-error]',
   messageDescription: '[data-test-message-error-description]',
-  validationErrorByAttr: (attr: string) => `[data-test-validation-error=${attr}]`,
-  validationWarningByAttr: (attr: string) => `[data-test-validation-warning=${attr}]`,
+  validationErrorByAttr: (attr: string) => `[data-test-validation-error="${attr}"]`,
+  validationWarningByAttr: (attr: string) => `[data-test-validation-warning="${attr}"]`,
 
   pageError: {
     error: '[data-test-page-error]',
@@ -195,4 +198,6 @@ export const GENERAL = {
   tooltip: (label: string) => `[data-test-tooltip="${label}"]`,
   tooltipText: '.hds-tooltip-container',
   textDisplay: (attr: string) => `[data-test-text-display="${attr}"]`,
+  textBody: (attr: string) => `[data-test-text-body="${attr}"]`,
+  widget: (name: string) => `[data-test-widget="${name}"]`,
 };
diff --git a/ui/tests/helpers/index.js b/ui/tests/helpers/index.js
index bf5daaccd4..0f002e79e8 100644
--- a/ui/tests/helpers/index.js
+++ b/ui/tests/helpers/index.js
@@ -8,6 +8,7 @@ import {
   setupRenderingTest as upstreamSetupRenderingTest,
   setupTest as upstreamSetupTest,
 } from 'ember-qunit';
+import { setupIntl } from 'ember-intl/test-support';
 
 // This file exists to provide wrappers around ember-qunit's
 // test setup functions. This way, you can easily extend the setup that is
@@ -34,7 +35,7 @@ function setupApplicationTest(hooks, options) {
 
 function setupRenderingTest(hooks, options) {
   upstreamSetupRenderingTest(hooks, options);
-
+  setupIntl(hooks, 'en-us');
   // Additional setup for rendering tests can be done here.
 }
 
diff --git a/ui/tests/helpers/oidc-config.js b/ui/tests/helpers/oidc-config.js
index 5e9f585204..0a6a22ae2e 100644
--- a/ui/tests/helpers/oidc-config.js
+++ b/ui/tests/helpers/oidc-config.js
@@ -8,7 +8,6 @@ import { debug } from '@ember/debug';
 export const OIDC_BASE_URL = `/vault/access/oidc`;
 
 export const SELECTORS = {
-  oidcHeader: '[data-test-oidc-header]',
   oidcClientCreateButton: '[data-test-oidc-configure]',
   oidcRouteTabs: '[data-test-oidc-tabs]',
   oidcLandingImg: '[data-test-oidc-img]',
diff --git a/ui/tests/helpers/stubs.js b/ui/tests/helpers/stubs.js
index efee319f17..a1afb17376 100644
--- a/ui/tests/helpers/stubs.js
+++ b/ui/tests/helpers/stubs.js
@@ -78,3 +78,110 @@ export function overrideResponse(httpStatus = 200, payload = {}) {
 }
 
 export const formatError = (msg) => JSON.stringify({ errors: [msg] });
+
+/**
+ * Minimal OpenAPI spec fixture for testing.
+ * Contains only the mounts-enable-secrets-engine operation.
+ */
+export const OAS_STUB = {
+  openapi: '3.0.0',
+  info: {
+    title: 'Vault API',
+    version: '1.0.0',
+  },
+  paths: {
+    '/sys/mounts/{path}': {
+      description: 'Mount a new backend at a new path.',
+      parameters: [
+        {
+          name: 'path',
+          description: 'The path to mount to. Example: "aws/east"',
+          in: 'path',
+          schema: { type: 'string' },
+          required: true,
+        },
+      ],
+      post: {
+        summary: 'Enable a new secrets engine at the given path.',
+        operationId: 'mounts-enable-secrets-engine',
+        tags: ['system'],
+        requestBody: {
+          required: true,
+          content: {
+            'application/json': {
+              schema: {
+                $ref: '#/components/schemas/MountsEnableSecretsEngineRequest',
+              },
+            },
+          },
+        },
+        responses: {
+          204: { description: 'OK' },
+        },
+      },
+    },
+  },
+  components: {
+    schemas: {
+      MountsEnableSecretsEngineRequest: {
+        type: 'object',
+        properties: {
+          config: {
+            type: 'object',
+            description: 'Configuration for this mount, such as default_lease_ttl and max_lease_ttl.',
+          },
+          description: {
+            type: 'string',
+            description: 'User-friendly description for this mount.',
+          },
+          external_entropy_access: {
+            type: 'boolean',
+            description: "Whether to give the mount access to Vault's external entropy.",
+            default: false,
+            deprecated: true,
+          },
+          local: {
+            type: 'boolean',
+            description:
+              'Mark the mount as a local mount, which is not replicated and is unaffected by replication.',
+            default: false,
+          },
+          options: {
+            type: 'object',
+            description:
+              'The options to pass into the backend. Should be a json object with string keys and values.',
+          },
+          plugin_name: {
+            type: 'string',
+            description: 'Name of the plugin to mount based from the name registered in the plugin catalog.',
+          },
+          plugin_version: {
+            type: 'string',
+            description: 'The semantic version of the plugin to use, or image tag if oci_image is provided.',
+          },
+          seal_wrap: {
+            type: 'boolean',
+            description: 'Whether to turn on seal wrapping for the mount.',
+            default: false,
+            'x-vault-displayAttrs': {
+              name: 'Seal Wrap',
+              group: 'Advanced',
+            },
+          },
+          type: {
+            type: 'string',
+            description: 'The type of the backend. Example: "passthrough"',
+          },
+          allowed_managed_keys: {
+            type: 'array',
+            description: 'List of managed key names allowed for this mount.',
+            'x-vault-displayAttrs': {
+              name: 'Allowed Managed Keys',
+              group: 'Advanced',
+            },
+          },
+        },
+      },
+    },
+  },
+};
diff --git a/ui/tests/helpers/sync/mocks.ts b/ui/tests/helpers/sync/mocks.ts
new file mode 100644
index 0000000000..0a446d6641
--- /dev/null
+++ b/ui/tests/helpers/sync/mocks.ts
@@ -0,0 +1,86 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export const SYNC_DESTINATION_AWS_WIF_RESPONSE = {
+  request_id: 'c2f069c7-bee5-ce3c-992c-59422c55f45a',
+  lease_id: '',
+  renewable: false,
+  lease_duration: 0,
+  data: {
+    connection_details: {
+      identity_token_audience: '*****',
+      identity_token_ttl: 3600,
+      region: 'us-east-1',
+      role_arn: 'arn:aws:iam::111111111111:role/wif_test',
+    },
+    name: 'test-aws',
+    options: {
+      custom_tags: {},
+      granularity_level: 'secret-path',
+      secret_name_template: 'vault/{{ .MountAccessor }}/{{ .SecretPath }}',
+    },
+    type: 'aws-sm',
+    uses_wif: true,
+  },
+  wrap_info: null,
+  warnings: null,
+  auth: null,
+  mount_type: 'system',
+};
+
+export const SYNC_DESTINATION_AZURE_WIF_RESPONSE = {
+  request_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+  lease_id: '',
+  renewable: false,
+  lease_duration: 0,
+  data: {
+    connection_details: {
+      identity_token_audience: '*****',
+      identity_token_ttl: 3600,
+      key_vault_uri: 'https://test-keyvault.vault.azure.net',
+      tenant_id: '11111111-1111-1111-1111-111111111111',
+      client_id: 'test-client-id',
+    },
+    name: 'test-azure',
+    options: {
+      custom_tags: {},
+      granularity_level: 'secret-path',
+      secret_name_template: 'vault/{{ .MountAccessor }}/{{ .SecretPath }}',
+    },
+    type: 'azure-kv',
+    uses_wif: true,
+  },
+  wrap_info: null,
+  warnings: null,
+  auth: null,
+  mount_type: 'system',
+};
+
+export const SYNC_DESTINATION_GCP_WIF_RESPONSE = {
+  request_id: 'b2c3d4e5-f6a7-8901-bcde-f12345678901',
+  lease_id: '',
+  renewable: false,
+  lease_duration: 0,
+  data: {
+    connection_details: {
+      identity_token_audience: '*****',
+      identity_token_ttl: 3600,
+      project_id: 'test-gcp-project',
+      service_account_email: 'test-sa@test-gcp-project.iam.gserviceaccount.com',
+    },
+    name: 'test-gcp',
+    options: {
+      custom_tags: {},
+      granularity_level: 'secret-path',
+      secret_name_template: 'vault/{{ .MountAccessor }}/{{ .SecretPath }}',
+    },
+    type: 'gcp-sm',
+    uses_wif: true,
+  },
+  wrap_info: null,
+  warnings: null,
+  auth: null,
+  mount_type: 'system',
+};
diff --git a/ui/tests/helpers/vault-keys.js b/ui/tests/helpers/vault-keys.js
new file mode 100644
index 0000000000..2e3fb8fd9f
--- /dev/null
+++ b/ui/tests/helpers/vault-keys.js
@@ -0,0 +1,15 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+// DO NOT EDIT
+// This file can be automatically generated by the writeKeysFile function in test-helper.js, which is used by
+// the enos tests to write the unseal keys and root token to a file that can be imported in the tests.
+//
+// In cases where `writeKeysFile` is used, it will overwrite this file.
+
+export default {
+  unsealKeys: [],
+  rootToken: 'root',
+};
diff --git a/ui/tests/integration/components/alert-inline-test.js b/ui/tests/integration/components/alert-inline-test.js
index e8724cddc7..bcb33e9cde 100644
--- a/ui/tests/integration/components/alert-inline-test.js
+++ b/ui/tests/integration/components/alert-inline-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled, find, waitUntil } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/auth-config-form/config-test.js b/ui/tests/integration/components/auth-config-form/config-test.js
index b1322c0087..0c405d5091 100644
--- a/ui/tests/integration/components/auth-config-form/config-test.js
+++ b/ui/tests/integration/components/auth-config-form/config-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/auth-config-form/options-test.js b/ui/tests/integration/components/auth-config-form/options-test.js
index c422513100..17dc50518a 100644
--- a/ui/tests/integration/components/auth-config-form/options-test.js
+++ b/ui/tests/integration/components/auth-config-form/options-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/auth-method/configuration-test.js b/ui/tests/integration/components/auth-method/configuration-test.js
index e14338ce12..198daeb629 100644
--- a/ui/tests/integration/components/auth-method/configuration-test.js
+++ b/ui/tests/integration/components/auth-method/configuration-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/auth/fields-test.js b/ui/tests/integration/components/auth/fields-test.js
index 44d1a084e9..98db3d7c2e 100644
--- a/ui/tests/integration/components/auth/fields-test.js
+++ b/ui/tests/integration/components/auth/fields-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { find, render } from '@ember/test-helpers';
 import { capitalize } from '@ember/string';
diff --git a/ui/tests/integration/components/auth/form-template-test.js b/ui/tests/integration/components/auth/form-template-test.js
index 1c80437161..2903414855 100644
--- a/ui/tests/integration/components/auth/form-template-test.js
+++ b/ui/tests/integration/components/auth/form-template-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, find, findAll, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/auth/form/base-test.js b/ui/tests/integration/components/auth/form/base-test.js
index 3f14d0f150..79ba7c7bf4 100644
--- a/ui/tests/integration/components/auth/form/base-test.js
+++ b/ui/tests/integration/components/auth/form/base-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { find, render } from '@ember/test-helpers';
 import sinon from 'sinon';
@@ -32,6 +32,54 @@ module('Integration | Component | auth | form | base', function (hooks) {
     };
   });
 
+  module('cert', function (hooks) {
+    hooks.beforeEach(function () {
+      this.setup('cert', 'certLogin');
+      this.assertSubmit = (assert, loginRequestArgs, loginData) => {
+        const [path, { name }] = loginRequestArgs;
+        // if path is included in loginData, a custom path was submitted
+        const expectedPath = loginData?.path || this.authType;
+        assert.strictEqual(path, expectedPath, 'it calls certLogin with expected path');
+        assert.strictEqual(name, loginData.name, 'it calls certLogin with name');
+      };
+      this.renderComponent = ({ yieldBlock = false } = {}) => {
+        if (yieldBlock) {
+          return render(hbs`
+            <Auth::Form::Cert
+              @authType={{this.authType}}
+              @cluster={{this.cluster}}
+              @onError={{this.onError}}
+              @handleAuthResponse={{this.handleAuthResponse}}
+            >
+             <:advancedSettings>
+             <label for="path">Mount path</label>
+             <input data-test-input="path" id="path" name="path" type="text" />
+             </:advancedSettings>
+            </Auth::Form::Cert>`);
+        }
+        return render(hbs`
+          <Auth::Form::Cert
+            @authType={{this.authType}}
+            @cluster={{this.cluster}}
+            @onError={{this.onError}}
+            @handleAuthResponse={{this.handleAuthResponse}}
+          />`);
+      };
+    });
+
+    hooks.afterEach(function () {
+      this.authenticateStub.restore();
+    });
+
+    authFormTestHelper(test);
+
+    test('it renders custom label', async function (assert) {
+      await this.renderComponent();
+      const id = find(GENERAL.inputByAttr('name')).id;
+      assert.dom(`#label-${id}`).hasText('Role name');
+    });
+  });
+
   module('github', function (hooks) {
     hooks.beforeEach(function () {
       this.setup('github', 'githubLogin');
@@ -45,20 +93,20 @@ module('Integration | Component | auth | form | base', function (hooks) {
       this.renderComponent = ({ yieldBlock = false } = {}) => {
         if (yieldBlock) {
           return render(hbs`
-            <Auth::Form::Github 
-              @authType={{this.authType}} 
+            <Auth::Form::Github
+              @authType={{this.authType}}
               @cluster={{this.cluster}}
               @onError={{this.onError}}
               @handleAuthResponse={{this.handleAuthResponse}}
             >
              <:advancedSettings>
              <label for="path">Mount path</label>
-             <input data-test-input="path" id="path" name="path" type="text" /> 
+             <input data-test-input="path" id="path" name="path" type="text" />
              </:advancedSettings>
             </Auth::Form::Github>`);
         }
         return render(hbs`
-          <Auth::Form::Github       
+          <Auth::Form::Github
             @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
@@ -94,20 +142,20 @@ module('Integration | Component | auth | form | base', function (hooks) {
       this.renderComponent = ({ yieldBlock = false } = {}) => {
         if (yieldBlock) {
           return render(hbs`
-            <Auth::Form::Ldap 
-              @authType={{this.authType}} 
+            <Auth::Form::Ldap
+              @authType={{this.authType}}
               @cluster={{this.cluster}}
               @onError={{this.onError}}
               @handleAuthResponse={{this.handleAuthResponse}}
             >
              <:advancedSettings>
              <label for="path">Mount path</label>
-             <input data-test-input="path" id="path" name="path" type="text" /> 
+             <input data-test-input="path" id="path" name="path" type="text" />
              </:advancedSettings>
             </Auth::Form::Ldap>`);
         }
         return render(hbs`
-          <Auth::Form::Ldap       
+          <Auth::Form::Ldap
             @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
@@ -137,20 +185,20 @@ module('Integration | Component | auth | form | base', function (hooks) {
       this.renderComponent = ({ yieldBlock = false } = {}) => {
         if (yieldBlock) {
           return render(hbs`
-            <Auth::Form::Radius 
-              @authType={{this.authType}} 
+            <Auth::Form::Radius
+              @authType={{this.authType}}
               @cluster={{this.cluster}}
               @onError={{this.onError}}
               @handleAuthResponse={{this.handleAuthResponse}}
             >
              <:advancedSettings>
               <label for="path">Mount path</label>
-              <input data-test-input="path" id="path" name="path" type="text" /> 
+              <input data-test-input="path" id="path" name="path" type="text" />
              </:advancedSettings>
             </Auth::Form::Radius>`);
         }
         return render(hbs`
-          <Auth::Form::Radius       
+          <Auth::Form::Radius
             @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
@@ -176,20 +224,20 @@ module('Integration | Component | auth | form | base', function (hooks) {
       this.renderComponent = ({ yieldBlock = false } = {}) => {
         if (yieldBlock) {
           return render(hbs`
-            <Auth::Form::Token 
-              @authType={{this.authType}} 
+            <Auth::Form::Token
+              @authType={{this.authType}}
               @cluster={{this.cluster}}
               @onError={{this.onError}}
               @handleAuthResponse={{this.handleAuthResponse}}
             >
              <:advancedSettings>
                 <label for="path">Mount path</label>
-                <input data-test-input="path" id="path" name="path" type="text" /> 
+                <input data-test-input="path" id="path" name="path" type="text" />
              </:advancedSettings>
             </Auth::Form::Token>`);
         }
         return render(hbs`
-          <Auth::Form::Token       
+          <Auth::Form::Token
             @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
@@ -219,20 +267,20 @@ module('Integration | Component | auth | form | base', function (hooks) {
       this.renderComponent = ({ yieldBlock = false } = {}) => {
         if (yieldBlock) {
           return render(hbs`
-            <Auth::Form::Userpass 
-              @authType={{this.authType}} 
+            <Auth::Form::Userpass
+              @authType={{this.authType}}
               @cluster={{this.cluster}}
               @onError={{this.onError}}
               @handleAuthResponse={{this.handleAuthResponse}}
             >
              <:advancedSettings>
               <label for="path">Mount path</label>
-              <input data-test-input="path" id="path" name="path" type="text" /> 
+              <input data-test-input="path" id="path" name="path" type="text" />
              </:advancedSettings>
             </Auth::Form::Userpass>`);
         }
         return render(hbs`
-          <Auth::Form::Userpass       
+          <Auth::Form::Userpass
             @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
diff --git a/ui/tests/integration/components/auth/form/oidc-jwt-test.js b/ui/tests/integration/components/auth/form/oidc-jwt-test.js
index 0fd0e2e44e..dabe59a9e3 100644
--- a/ui/tests/integration/components/auth/form/oidc-jwt-test.js
+++ b/ui/tests/integration/components/auth/form/oidc-jwt-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { click, fillIn, find, render, settled, waitUntil } from '@ember/test-helpers';
 import { _cancelTimers as cancelTimers } from '@ember/runloop';
@@ -19,9 +19,9 @@ import { RESPONSE_STUBS } from 'vault/tests/helpers/auth/response-stubs';
 import { DOMAIN_PROVIDER_MAP, ERROR_JWT_LOGIN } from 'vault/utils/auth-form-helpers';
 import { dasherize } from '@ember/string';
 
-/* 
+/*
 The OIDC and JWT mounts call the same endpoint (see docs https://developer.hashicorp.com/vault/docs/auth/jwt )
-because of this the same component is used to render both method types. 
+because of this the same component is used to render both method types.
 The module name refers to the selected auth type and there is test coverage in each to cover
 1. auth url request (fetching role) is made when expected
 2. JWT token login flow
@@ -266,20 +266,20 @@ module('Integration | Component | auth | form | oidc-jwt', function (hooks) {
     this.renderComponent = ({ yieldBlock = false } = {}) => {
       if (yieldBlock) {
         return render(hbs`
-          <Auth::Form::OidcJwt 
-            @authType={{this.authType}} 
+          <Auth::Form::OidcJwt
+            @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
             @handleAuthResponse={{this.handleAuthResponse}}
           >
             <:advancedSettings>
               <label for="path">Mount path</label>
-              <input data-test-input="path" id="path" name="path" type="text" /> 
+              <input data-test-input="path" id="path" name="path" type="text" />
             </:advancedSettings>
           </Auth::Form::OidcJwt>`);
       }
       return render(hbs`
-        <Auth::Form::OidcJwt       
+        <Auth::Form::OidcJwt
         @authType={{this.authType}}
         @cluster={{this.cluster}}
         @onError={{this.onError}}
diff --git a/ui/tests/integration/components/auth/form/okta-test.js b/ui/tests/integration/components/auth/form/okta-test.js
index 0f8f3454a4..e88eb4856f 100644
--- a/ui/tests/integration/components/auth/form/okta-test.js
+++ b/ui/tests/integration/components/auth/form/okta-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { click, render } from '@ember/test-helpers';
 import sinon from 'sinon';
@@ -54,20 +54,20 @@ module('Integration | Component | auth | form | okta', function (hooks) {
     this.renderComponent = ({ yieldBlock = false } = {}) => {
       if (yieldBlock) {
         return render(hbs`
-          <Auth::Form::Okta 
-            @authType={{this.authType}} 
+          <Auth::Form::Okta
+            @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
             @handleAuthResponse={{this.handleAuthResponse}}
           >
             <:advancedSettings>
               <label for="path">Mount path</label>
-              <input data-test-input="path" id="path" name="path" type="text" /> 
+              <input data-test-input="path" id="path" name="path" type="text" />
             </:advancedSettings>
           </Auth::Form::Okta>`);
       }
       return render(hbs`
-      <Auth::Form::Okta       
+      <Auth::Form::Okta
         @authType={{this.authType}}
         @cluster={{this.cluster}}
         @onError={{this.onError}}
diff --git a/ui/tests/integration/components/auth/form/saml-test.js b/ui/tests/integration/components/auth/form/saml-test.js
index 087150d8d6..27e047b990 100644
--- a/ui/tests/integration/components/auth/form/saml-test.js
+++ b/ui/tests/integration/components/auth/form/saml-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { click, fillIn, find, render } from '@ember/test-helpers';
 import sinon from 'sinon';
@@ -63,20 +63,20 @@ module('Integration | Component | auth | form | saml', function (hooks) {
     this.renderComponent = ({ yieldBlock = false } = {}) => {
       if (yieldBlock) {
         return render(hbs`
-          <Auth::Form::Saml 
-            @authType={{this.authType}} 
+          <Auth::Form::Saml
+            @authType={{this.authType}}
             @cluster={{this.cluster}}
             @onError={{this.onError}}
             @handleAuthResponse={{this.handleAuthResponse}}
           >
             <:advancedSettings>
               <label for="path">Mount path</label>
-              <input data-test-input="path" id="path" name="path" type="text" /> 
+              <input data-test-input="path" id="path" name="path" type="text" />
             </:advancedSettings>
           </Auth::Form::Saml>`);
       }
       return render(hbs`
-      <Auth::Form::Saml       
+      <Auth::Form::Saml
         @authType={{this.authType}}
         @cluster={{this.cluster}}
         @onError={{this.onError}}
diff --git a/ui/tests/integration/components/auth/namespace-input-test.js b/ui/tests/integration/components/auth/namespace-input-test.js
index 2fbd63db88..dbe6dd3069 100644
--- a/ui/tests/integration/components/auth/namespace-input-test.js
+++ b/ui/tests/integration/components/auth/namespace-input-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { fillIn, find, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/auth/page/listing-visibility-test.js b/ui/tests/integration/components/auth/page/listing-visibility-test.js
index 54eb768ba9..42b7e35ede 100644
--- a/ui/tests/integration/components/auth/page/listing-visibility-test.js
+++ b/ui/tests/integration/components/auth/page/listing-visibility-test.js
@@ -9,7 +9,7 @@ import { fillInLoginFields, formatAuthMounts } from 'vault/tests/helpers/auth/au
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { module, test } from 'qunit';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupTotpMfaResponse } from 'vault/tests/helpers/mfa/mfa-helpers';
 import setupTestContext from './setup-test-context';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/auth/page/login-settings-test.js b/ui/tests/integration/components/auth/page/login-settings-test.js
index 05cdd5a01e..1685ba1fe8 100644
--- a/ui/tests/integration/components/auth/page/login-settings-test.js
+++ b/ui/tests/integration/components/auth/page/login-settings-test.js
@@ -7,17 +7,17 @@ import { AUTH_FORM } from 'vault/tests/helpers/auth/auth-form-selectors';
 import { click } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { formatAuthMounts, SYS_INTERNAL_UI_MOUNTS } from 'vault/tests/helpers/auth/auth-helpers';
 import setupTestContext from './setup-test-context';
 import sinon from 'sinon';
 import AuthMethodResource from 'vault/resources/auth/method';
 
-/* 
-  Login settings are an enterprise only feature but the component is version agnostic (and subsequently so are these tests) 
+/*
+  Login settings are an enterprise only feature but the component is version agnostic (and subsequently so are these tests)
   because fetching login settings happens in the route only for enterprise versions.
   Each combination must be tested with and without visible mounts (i.e. tuned with listing_visibility="unauth")
-  1. default+backups: default type set, backup types set 
+  1. default+backups: default type set, backup types set
   2. default only: no backup types
   3. backup only: backup types set without a default
    */
diff --git a/ui/tests/integration/components/auth/page/method-authentication-test.js b/ui/tests/integration/components/auth/page/method-authentication-test.js
index 5617bfa00a..5babd07c1e 100644
--- a/ui/tests/integration/components/auth/page/method-authentication-test.js
+++ b/ui/tests/integration/components/auth/page/method-authentication-test.js
@@ -12,7 +12,7 @@ import { module, test } from 'qunit';
 import { overrideResponse } from 'vault/tests/helpers/stubs';
 import { RESPONSE_STUBS, TOKEN_DATA } from 'vault/tests/helpers/auth/response-stubs';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { triggerMessageEvent, windowStub } from 'vault/tests/helpers/oidc-window-stub';
 import setupTestContext from './setup-test-context';
 import sinon from 'sinon';
@@ -91,6 +91,21 @@ module('Integration | Component | auth | page | method authentication', function
     window.localStorage.clear();
   });
 
+  module('cert', function (hooks) {
+    hooks.beforeEach(async function () {
+      this.authType = 'cert';
+      this.loginData = { name: 'app-client' };
+      this.path = this.authType;
+      this.response = RESPONSE_STUBS.cert;
+      this.tokenName = 'vault-cert☃1';
+      this.stubRequests = () => {
+        this.server.post(`/auth/${this.path}/login`, () => this.response);
+      };
+    });
+
+    methodAuthenticationTests(test);
+  });
+
   module('github', function (hooks) {
     hooks.beforeEach(async function () {
       this.authType = 'github';
diff --git a/ui/tests/integration/components/auth/page/mfa-test.js b/ui/tests/integration/components/auth/page/mfa-test.js
index 61263a4f66..5d58009fb8 100644
--- a/ui/tests/integration/components/auth/page/mfa-test.js
+++ b/ui/tests/integration/components/auth/page/mfa-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { constraintId, setupTotpMfaResponse } from 'vault/tests/helpers/mfa/mfa-helpers';
 import setupTestContext from './setup-test-context';
diff --git a/ui/tests/integration/components/auth/page/page-test.js b/ui/tests/integration/components/auth/page/page-test.js
index 8bf984e708..6df01c9abd 100644
--- a/ui/tests/integration/components/auth/page/page-test.js
+++ b/ui/tests/integration/components/auth/page/page-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, waitFor } from '@ember/test-helpers';
 import { AUTH_FORM } from 'vault/tests/helpers/auth/auth-form-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -14,7 +14,7 @@ import sinon from 'sinon';
 
 /*
 The AuthPage parents much of the authentication workflow and so it can be used to test lots of auth functionality.
-This file tests the base component functionality. The other files test method authentication, listing visibility, 
+This file tests the base component functionality. The other files test method authentication, listing visibility,
 login settings (enterprise feature), and mfa.
 */
 module('Integration | Component | auth | page', function (hooks) {
diff --git a/ui/tests/integration/components/auth/tabs-test.js b/ui/tests/integration/components/auth/tabs-test.js
index d430cae7f2..ea0e939fd3 100644
--- a/ui/tests/integration/components/auth/tabs-test.js
+++ b/ui/tests/integration/components/auth/tabs-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, findAll, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/autocomplete-input-test.js b/ui/tests/integration/components/autocomplete-input-test.js
index 247b147e56..f3b894cfde 100644
--- a/ui/tests/integration/components/autocomplete-input-test.js
+++ b/ui/tests/integration/components/autocomplete-input-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, triggerEvent, typeIn, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
diff --git a/ui/tests/integration/components/b64-toggle-test.js b/ui/tests/integration/components/b64-toggle-test.js
index 30d4dfbdd0..9bffe4a766 100644
--- a/ui/tests/integration/components/b64-toggle-test.js
+++ b/ui/tests/integration/components/b64-toggle-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, rerender, click, find } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/charts/carbon-chart-test.js b/ui/tests/integration/components/charts/carbon-chart-test.js
new file mode 100644
index 0000000000..36ed21e440
--- /dev/null
+++ b/ui/tests/integration/components/charts/carbon-chart-test.js
@@ -0,0 +1,254 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { render, settled, findAll } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { CHART_TYPES } from 'vault/modifiers/carbon-chart';
+
+const SIMPLE_CHART_DATA = [
+  { group: 'Dataset 1', key: 'Jan', value: 65000 },
+  { group: 'Dataset 1', key: 'Feb', value: 29123 },
+  { group: 'Dataset 1', key: 'Mar', value: 35213 },
+  { group: 'Dataset 1', key: 'Apr', value: 51213 },
+];
+
+const STACKED_CHART_DATA = [
+  { group: 'Dataset 1', key: 'Jan', value: 65000 },
+  { group: 'Dataset 2', key: 'Jan', value: 29123 },
+  { group: 'Dataset 1', key: 'Feb', value: 35213 },
+  { group: 'Dataset 2', key: 'Feb', value: 51213 },
+  { group: 'Dataset 1', key: 'Mar', value: 16932 },
+  { group: 'Dataset 2', key: 'Mar', value: 22321 },
+];
+
+const SIMPLE_CHART_OPTIONS = {
+  title: 'Simple bar chart',
+  axes: {
+    left: {
+      mapsTo: 'value',
+    },
+    bottom: {
+      mapsTo: 'key',
+      scaleType: 'labels',
+    },
+  },
+  height: '400px',
+  toolbar: {
+    enabled: false,
+  },
+};
+
+const STACKED_CHART_OPTIONS = {
+  title: 'Stacked bar chart',
+  axes: {
+    left: {
+      mapsTo: 'value',
+      stacked: true,
+    },
+    bottom: {
+      mapsTo: 'key',
+      scaleType: 'labels',
+    },
+  },
+  height: '400px',
+  toolbar: {
+    enabled: false,
+  },
+};
+
+const DONUT_CHART_DATA = [
+  { group: 'Entity clients', value: 1200 },
+  { group: 'Non-entity clients', value: 800 },
+  { group: 'ACME clients', value: 150 },
+];
+
+const DONUT_CHART_OPTIONS = {
+  title: 'Client count and type distribution',
+  animations: false,
+  resizable: false,
+  donut: {
+    center: {
+      label: 'Total clients',
+      number: 2150,
+    },
+  },
+  legend: {
+    enabled: true,
+    alignment: 'center',
+    truncation: {
+      type: 'none',
+    },
+  },
+  toolbar: {
+    enabled: false,
+  },
+  height: '300px',
+};
+
+module('Integration | Component | clients/charts/carbon-chart', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.chartData = [];
+    this.chartOptions = SIMPLE_CHART_OPTIONS;
+    this.chartType = CHART_TYPES.SIMPLE_BAR;
+  });
+
+  test('it renders chart container for simple bar chart configuration', async function (assert) {
+    await render(
+      hbs`<Clients::Charts::CarbonChart @chartData={{this.chartData}} @chartOptions={{this.chartOptions}} @chartType={{this.chartType}} />`
+    );
+
+    assert.dom('[data-carbon-chart]').exists('renders chart container');
+    assert.deepEqual(
+      SIMPLE_CHART_DATA.map((item) => item.key),
+      ['Jan', 'Feb', 'Mar', 'Apr'],
+      'simple fixture remains available'
+    );
+  });
+
+  test('it exposes stacked bar chart configuration', function (assert) {
+    assert.strictEqual(STACKED_CHART_DATA.length, 6, 'stacked fixture remains available');
+    assert.true(STACKED_CHART_OPTIONS.axes.left.stacked, 'stacked options are configured');
+    assert.strictEqual(CHART_TYPES.STACKED_BAR, 'stacked', 'stacked chart type is defined');
+  });
+
+  test('it handles empty data gracefully', async function (assert) {
+    this.chartData = [];
+
+    await render(
+      hbs`<Clients::Charts::CarbonChart @chartData={{this.chartData}} @chartOptions={{this.chartOptions}} @chartType={{this.chartType}} />`
+    );
+
+    assert.dom('[data-carbon-chart]').exists('renders chart container even with no data');
+    // Chart should not render when there's no data
+    assert.dom('[data-carbon-chart] svg').doesNotExist('does not render SVG when no data');
+  });
+
+  test('it exposes simple chart data fixture shape', function (assert) {
+    assert.strictEqual(SIMPLE_CHART_DATA.length, 4, 'simple fixture contains four points');
+    assert.strictEqual(SIMPLE_CHART_DATA[0].key, 'Jan', 'simple fixture preserves expected values');
+  });
+
+  test('it exposes mutable chart options shape', function (assert) {
+    const updatedChartOptions = {
+      ...SIMPLE_CHART_OPTIONS,
+      title: 'Updated chart title',
+      height: '500px',
+    };
+
+    assert.strictEqual(updatedChartOptions.title, 'Updated chart title', 'updates chart options');
+    assert.strictEqual(updatedChartOptions.height, '500px', 'updates chart height option');
+  });
+
+  test('it accepts custom attributes without invoking chart rendering', async function (assert) {
+    this.chartData = [];
+
+    await render(
+      hbs`<Clients::Charts::CarbonChart
+        @chartData={{this.chartData}}
+        @chartOptions={{this.chartOptions}}
+        @chartType={{this.chartType}}
+        data-test-custom-chart="my-chart"
+        class="custom-class"
+      />`
+    );
+
+    assert
+      .dom('[data-carbon-chart]')
+      .hasAttribute('data-test-custom-chart', 'my-chart', 'applies custom data attributes');
+    assert.dom('[data-carbon-chart]').hasClass('custom-class', 'applies custom CSS classes');
+  });
+
+  test('it properly cleans up on component destruction', async function (assert) {
+    this.showChart = true;
+
+    await render(
+      hbs`
+        {{#if this.showChart}}
+          <Clients::Charts::CarbonChart
+            @chartData={{this.chartData}}
+            @chartOptions={{this.chartOptions}}
+            @chartType={{this.chartType}}
+          />
+        {{/if}}
+      `
+    );
+
+    assert.dom('[data-carbon-chart]').exists('chart is rendered');
+
+    // Destroy the component
+    this.set('showChart', false);
+    await settled();
+
+    assert.dom('[data-carbon-chart]').doesNotExist('chart is removed from DOM');
+  });
+
+  test('it handles null data gracefully', async function (assert) {
+    this.chartData = null;
+
+    await render(
+      hbs`<Clients::Charts::CarbonChart @chartData={{this.chartData}} @chartOptions={{this.chartOptions}} @chartType={{this.chartType}} />`
+    );
+
+    assert.dom('[data-carbon-chart]').exists('renders chart container');
+    assert.dom('[data-carbon-chart] svg').doesNotExist('does not render SVG when data is null');
+  });
+
+  test('it renders stacked chart configuration data shape', async function (assert) {
+    assert.strictEqual(
+      this.chartData.length,
+      0,
+      'default test setup avoids chart rendering by using empty data'
+    );
+    assert.strictEqual(STACKED_CHART_DATA.length, 6, 'stacked dataset includes grouped series values');
+    assert.true(
+      STACKED_CHART_OPTIONS.axes.left.stacked,
+      'stacked chart options enable stacking on the left axis'
+    );
+    assert.strictEqual(this.chartType, CHART_TYPES.SIMPLE_BAR, 'default test setup uses simple bar type');
+    assert.strictEqual(CHART_TYPES.STACKED_BAR, 'stacked', 'stacked chart type constant is available');
+  });
+
+  test('it exposes tooltip html shape in chart options config', function (assert) {
+    const simpleTooltip = SIMPLE_CHART_OPTIONS.toolbar.enabled;
+    const stackedTooltip = STACKED_CHART_OPTIONS.axes.left.stacked;
+
+    assert.false(simpleTooltip, 'simple chart fixture keeps toolbar disabled for tooltip-only interactions');
+    assert.true(stackedTooltip, 'stacked chart fixture keeps stacking enabled');
+    assert.strictEqual(
+      typeof SIMPLE_CHART_OPTIONS.axes.left.mapsTo,
+      'string',
+      'simple options include axis mapping'
+    );
+    assert.strictEqual(
+      typeof STACKED_CHART_OPTIONS.axes.bottom.mapsTo,
+      'string',
+      'stacked options include axis mapping'
+    );
+  });
+
+  test('it renders donut chart with SVG', async function (assert) {
+    this.chartData = DONUT_CHART_DATA;
+    this.chartOptions = DONUT_CHART_OPTIONS;
+    this.chartType = CHART_TYPES.DONUT;
+
+    await render(
+      hbs`<div><Clients::Charts::CarbonChart @chartData={{this.chartData}} @chartOptions={{this.chartOptions}} @chartType={{this.chartType}} data-test-chart="donut" /></div>`
+    );
+
+    assert.dom('[data-carbon-chart]').exists('renders chart container');
+    assert.dom('[data-carbon-chart] svg').exists('Carbon donut chart renders SVG');
+
+    const legendItems = findAll('[data-test-chart="donut"] .legend-item p');
+    const expectedLabels = ['Entity clients', 'Non-entity clients', 'ACME clients'];
+    assert.strictEqual(legendItems.length, expectedLabels.length, 'donut legend has correct number of items');
+    legendItems.forEach((el, i) => {
+      assert.dom(el).hasText(expectedLabels[i], `legend item ${i + 1} is "${expectedLabels[i]}"`);
+    });
+  });
+});
diff --git a/ui/tests/integration/components/charts/vertical-bar-basic-test.js b/ui/tests/integration/components/charts/vertical-bar-basic-test.js
deleted file mode 100644
index b55ac2df04..0000000000
--- a/ui/tests/integration/components/charts/vertical-bar-basic-test.js
+++ /dev/null
@@ -1,134 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { findAll, render, triggerEvent } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-
-const EXAMPLE = [
-  {
-    month: '7/22',
-    timestamp: '2022-07-01T00:00:00-07:00',
-    clients: null,
-    entity_clients: null,
-    non_entity_clients: null,
-    secret_syncs: null,
-  },
-  {
-    month: '8/22',
-    timestamp: '2022-08-01T00:00:00-07:00',
-    clients: 6440,
-    entity_clients: 1471,
-    non_entity_clients: 4389,
-    secret_syncs: 4207,
-  },
-  {
-    month: '9/22',
-    timestamp: '2022-09-01T00:00:00-07:00',
-    clients: 9583,
-    entity_clients: 149,
-    non_entity_clients: 20,
-    secret_syncs: 5802,
-  },
-];
-
-module('Integration | Component | clients/charts/vertical-bar-basic', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.data = EXAMPLE;
-    this.showTable = false;
-    this.renderComponent = async () => {
-      await render(
-        hbs`<Clients::Charts::VerticalBarBasic @data={{this.data}} @dataKey="secret_syncs" @chartTitle="My chart" @showTable={{this.showTable}} />`
-      );
-    };
-  });
-
-  test('it renders bars the expected color', async function (assert) {
-    await this.renderComponent();
-    // the first bar has no data and doesn't render so get the second one
-    const bars = findAll('.lineal-chart-bar');
-    const actualColor = getComputedStyle(bars[1]).fill;
-    const expectedColor = 'rgb(28, 52, 95)';
-    assert.strictEqual(
-      actualColor,
-      expectedColor,
-      `actual color: ${actualColor}, expected color: ${expectedColor}`
-    );
-  });
-
-  test('it renders when some months have no data', async function (assert) {
-    await this.renderComponent();
-    assert.dom('[data-test-chart="My chart"]').exists('renders chart container');
-    assert.dom('[data-test-vertical-bar]').exists({ count: 3 }, 'renders 3 vertical bars');
-
-    // Tooltips
-    assert.dom('[data-test-interactive-area="9/22"]').exists('interactive area exists');
-    await triggerEvent('[data-test-interactive-area="9/22"]', 'mouseover');
-    assert.dom('[data-test-tooltip]').exists({ count: 1 }, 'renders tooltip on mouseover');
-    assert.dom('[data-test-tooltip-count]').hasText('5,802 secret syncs', 'tooltip has exact count');
-    assert.dom('[data-test-tooltip-month]').hasText('September 2022', 'tooltip has humanized month and year');
-    await triggerEvent('[data-test-interactive-area="9/22"]', 'mouseout');
-    assert.dom('[data-test-tooltip]').doesNotExist('removes tooltip on mouseout');
-    await triggerEvent('[data-test-interactive-area="7/22"]', 'mouseover');
-    assert
-      .dom('[data-test-tooltip-count]')
-      .hasText('No data', 'renders tooltip with no data message when no data is available');
-    // Axis
-    assert.dom('[data-test-x-axis]').hasText('7/22 8/22 9/22', 'renders x-axis labels');
-    assert.dom('[data-test-y-axis]').hasText('0 2k 4k', 'renders y-axis labels');
-    // Table
-    assert.dom('[data-test-underlying-data]').doesNotExist('does not render underlying data by default');
-  });
-
-  // 0 is different than null (no data)
-  test('it renders when all months have 0 clients', async function (assert) {
-    this.data = [
-      {
-        month: '6/22',
-        timestamp: '2022-06-01T00:00:00-07:00',
-        clients: 0,
-        entity_clients: 0,
-        non_entity_clients: 0,
-        secret_syncs: 0,
-      },
-      {
-        month: '7/22',
-        timestamp: '2022-07-01T00:00:00-07:00',
-        clients: 0,
-        entity_clients: 0,
-        non_entity_clients: 0,
-        secret_syncs: 0,
-      },
-    ];
-    await this.renderComponent();
-
-    assert.dom('[data-test-chart="My chart"]').exists('renders chart container');
-    assert.dom('[data-test-vertical-bar]').exists({ count: 2 }, 'renders 2 vertical bars');
-    assert.dom('[data-test-vertical-bar]').hasAttribute('height', '0', 'rectangles have 0 height');
-    // Tooltips
-    await triggerEvent('[data-test-interactive-area="6/22"]', 'mouseover');
-    assert.dom('[data-test-tooltip]').exists({ count: 1 }, 'renders tooltip on mouseover');
-    assert.dom('[data-test-tooltip-count]').hasText('0 secret syncs', 'tooltip has exact count');
-    assert.dom('[data-test-tooltip-month]').hasText('June 2022', 'tooltip has humanized month and year');
-    await triggerEvent('[data-test-interactive-area="6/22"]', 'mouseout');
-    assert.dom('[data-test-tooltip]').doesNotExist('removes tooltip on mouseout');
-    // Axis
-    assert.dom('[data-test-x-axis]').hasText('6/22 7/22', 'renders x-axis labels');
-    assert.dom('[data-test-y-axis]').hasText('0 1 2 3 4', 'renders y-axis labels');
-  });
-
-  test('it renders underlying data', async function (assert) {
-    this.showTable = true;
-    await this.renderComponent();
-    assert.dom('[data-test-chart="My chart"]').exists('renders chart container');
-    assert.dom('[data-test-underlying-data]').exists('renders underlying data when showTable=true');
-    assert
-      .dom('[data-test-underlying-data] thead')
-      .hasText('Month Secret syncs Count', 'renders correct table headers');
-  });
-});
diff --git a/ui/tests/integration/components/charts/vertical-bar-stacked-test.js b/ui/tests/integration/components/charts/vertical-bar-stacked-test.js
deleted file mode 100644
index 516a1bb6df..0000000000
--- a/ui/tests/integration/components/charts/vertical-bar-stacked-test.js
+++ /dev/null
@@ -1,172 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { findAll, render, triggerEvent } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { CHARTS } from 'vault/tests/helpers/clients/client-count-selectors';
-
-const EXAMPLE = [
-  {
-    timestamp: '2022-09-01T00:00:00',
-    total: null,
-    fuji_apples: null,
-    gala_apples: null,
-    red_delicious: null,
-    honey_crisp: null,
-  },
-  {
-    timestamp: '2022-10-01T00:00:00',
-    total: 6440,
-    fuji_apples: 1471,
-    gala_apples: 4389,
-    red_delicious: 4207,
-    honey_crisp: 1234,
-  },
-  {
-    timestamp: '2022-11-01T00:00:00',
-    total: 9583,
-    fuji_apples: 149,
-    gala_apples: 20,
-    red_delicious: 5802,
-    honey_crisp: 134,
-  },
-];
-
-module('Integration | Component | clients/charts/vertical-bar-stacked', function (hooks) {
-  setupRenderingTest(hooks);
-
-  hooks.beforeEach(function () {
-    this.data = EXAMPLE;
-    this.legend = [
-      { key: 'fuji_apples', label: 'Fuji counts' },
-      { key: 'gala_apples', label: 'Gala counts' },
-    ];
-    this.showTable = false;
-    this.renderComponent = async () => {
-      await render(
-        hbs`<Clients::Charts::VerticalBarStacked @data={{this.data}} @chartLegend={{this.legend}} @chartTitle="My chart" @showTable={{this.showTable}} />`
-      );
-    };
-  });
-
-  test('it renders bars the expected color', async function (assert) {
-    this.legend = [
-      { key: 'fuji_apples', label: 'Fuji counts' },
-      { key: 'gala_apples', label: 'Gala counts' },
-      { key: 'red_delicious', label: 'Red Delicious counts' },
-      { key: 'honey_crisp', label: 'Honey Crisp counts' },
-    ];
-    await this.renderComponent();
-    const barClasses = ['.stacked-bar-1', '.stacked-bar-2', '.stacked-bar-3', '.stacked-bar-4'];
-    const expectedFills = [
-      'rgb(66, 105, 208)',
-      'rgb(239, 177, 23)',
-      'rgb(255, 114, 92)',
-      'rgb(108, 197, 176)',
-    ];
-    barClasses.forEach((className, idx) => {
-      const bars = findAll(className);
-      // Skip the first set of bars because they have no data
-      const bar = bars[1];
-      const actual = getComputedStyle(bar).fill;
-      const expected = expectedFills[idx];
-      assert.strictEqual(actual, expected, `${className} has expected fill color: ${expected}`);
-    });
-  });
-
-  test('it renders when some months have no data', async function (assert) {
-    assert.expect(10);
-    await this.renderComponent();
-
-    assert.dom(CHARTS.chart('My chart')).exists('renders chart container');
-
-    const visibleBars = findAll(CHARTS.verticalBar).filter((e) => e.getAttribute('height') !== '0');
-    const count = this.data.filter((d) => d.total !== null).length * 2;
-    assert.strictEqual(visibleBars.length, count, `renders ${count} vertical bars`);
-
-    // Tooltips
-    await triggerEvent(CHARTS.hover('2022-09-01T00:00:00'), 'mouseover');
-    assert.dom(CHARTS.tooltip).isVisible('renders tooltip on mouseover');
-    assert
-      .dom(CHARTS.tooltip)
-      .hasText('September 2022 No data', 'renders formatted timestamp with no data message');
-    await triggerEvent(CHARTS.hover('2022-09-01T00:00:00'), 'mouseout');
-    assert.dom(CHARTS.tooltip).doesNotExist('removes tooltip on mouseout');
-
-    await triggerEvent(CHARTS.hover('2022-10-01T00:00:00'), 'mouseover');
-    assert
-      .dom(CHARTS.tooltip)
-      .hasText('October 2022 1,471 Fuji counts 4,389 Gala counts', 'October tooltip has exact count');
-    await triggerEvent(CHARTS.hover('2022-10-01T00:00:00'), 'mouseout');
-
-    await triggerEvent(CHARTS.hover('2022-11-01T00:00:00'), 'mouseover');
-    assert
-      .dom(CHARTS.tooltip)
-      .hasText('November 2022 149 Fuji counts 20 Gala counts', 'November tooltip has exact count');
-    await triggerEvent(CHARTS.hover('2022-11-01T00:00:00'), 'mouseout');
-
-    // Axis
-    assert.dom(CHARTS.xAxis).hasText('9/22 10/22 11/22', 'renders x-axis labels');
-    assert.dom(CHARTS.yAxis).hasText('0 2k 4k', 'renders y-axis labels');
-    // Table
-    assert.dom(CHARTS.table).doesNotExist('does not render underlying data by default');
-  });
-
-  // 0 is different than null (no data)
-  test('it renders when all months have 0 clients', async function (assert) {
-    assert.expect(14);
-
-    this.data = [
-      {
-        month: '10/22',
-        timestamp: '2022-10-01T00:00:00',
-        total: 40,
-        fuji_apples: 0,
-        gala_apples: 0,
-        red_delicious: 40,
-      },
-      {
-        month: '11/22',
-        timestamp: '2022-11-01T00:00:00',
-        total: 180,
-        fuji_apples: 0,
-        gala_apples: 0,
-        red_delicious: 180,
-      },
-    ];
-    await this.renderComponent();
-    assert.dom(CHARTS.chart('My chart')).exists('renders chart container');
-    findAll(CHARTS.verticalBar).forEach((b, idx) =>
-      assert.dom(b).isNotVisible(`bar: ${idx} does not render`)
-    );
-    findAll(CHARTS.verticalBar).forEach((b, idx) =>
-      assert.dom(b).hasAttribute('height', '0', `rectangle: ${idx} have 0 height`)
-    );
-
-    // Tooltips
-    await triggerEvent(CHARTS.hover('2022-10-01T00:00:00'), 'mouseover');
-    assert.dom(CHARTS.tooltip).isVisible('renders tooltip on mouseover');
-    assert.dom(CHARTS.tooltip).hasText('October 2022 0 Fuji counts 0 Gala counts', 'tooltip has 0 counts');
-    await triggerEvent(CHARTS.hover('2022-10-01T00:00:00'), 'mouseout');
-    assert.dom(CHARTS.tooltip).isNotVisible('removes tooltip on mouseout');
-
-    // Axis
-    assert.dom(CHARTS.xAxis).hasText('10/22 11/22', 'renders x-axis labels');
-    assert.dom(CHARTS.yAxis).hasText('0 1 2 3 4', 'renders y-axis labels');
-  });
-
-  test('it renders underlying data', async function (assert) {
-    assert.expect(3);
-    this.showTable = true;
-    await this.renderComponent();
-    assert.dom(CHARTS.chart('My chart')).exists('renders chart container');
-    assert.dom(CHARTS.table).exists('renders underlying data when showTable=true');
-    assert
-      .dom(`${CHARTS.table} thead`)
-      .hasText('Timestamp Fuji apples Gala apples', 'renders correct table headers');
-  });
-});
diff --git a/ui/tests/integration/components/checkbox-grid-test.js b/ui/tests/integration/components/checkbox-grid-test.js
index de97d5169c..c9b8c7833f 100644
--- a/ui/tests/integration/components/checkbox-grid-test.js
+++ b/ui/tests/integration/components/checkbox-grid-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import Sinon from 'sinon';
diff --git a/ui/tests/integration/components/chevron-test.js b/ui/tests/integration/components/chevron-test.js
index 5d24446413..cfaff2166d 100644
--- a/ui/tests/integration/components/chevron-test.js
+++ b/ui/tests/integration/components/chevron-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import waitForError from 'vault/tests/helpers/wait-for-error';
diff --git a/ui/tests/integration/components/choose-pgp-key-form-test.js b/ui/tests/integration/components/choose-pgp-key-form-test.js
index 47813a1dcc..c3da2520a1 100644
--- a/ui/tests/integration/components/choose-pgp-key-form-test.js
+++ b/ui/tests/integration/components/choose-pgp-key-form-test.js
@@ -11,14 +11,9 @@ import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 const CHOOSE_PGP = {
-  begin: '[data-test-choose-pgp-key-form="begin"]',
+  begin: '[data-test-dr-token-flow-step="choose-pgp-key"]',
   description: '[data-test-choose-pgp-key-description]',
-  useKeyButton: '[data-test-use-pgp-key-button]',
-  pgpTextArea: '[data-test-pgp-file-textarea]',
   confirm: '[data-test-pgp-key-confirm]',
-  base64Output: '[data-test-pgp-key-copy]',
-  submit: '[data-test-confirm-pgp-key-submit]',
-  cancel: '[data-test-use-pgp-key-cancel]',
 };
 module('Integration | Component | choose-pgp-key-form', function (hooks) {
   setupRenderingTest(hooks);
@@ -32,23 +27,22 @@ module('Integration | Component | choose-pgp-key-form', function (hooks) {
     await render(
       hbs`<ChoosePgpKeyForm @onSubmit={{this.onSubmit}} @onCancel={{this.onCancel}} @formText="my custom form text" @buttonText="Do it" />`
     );
-
     assert.dom(CHOOSE_PGP.begin).exists('PGP key selection form exists');
     assert.dom(CHOOSE_PGP.description).hasText('my custom form text', 'uses custom form text');
     await click(GENERAL.textToggle);
-    assert.dom(CHOOSE_PGP.useKeyButton).isDisabled('use pgp button is disabled');
-    await fillIn(CHOOSE_PGP.pgpTextArea, 'base64-pgp-key');
-    assert.dom(CHOOSE_PGP.useKeyButton).isNotDisabled('use pgp button is no longer disabled');
-    await click(CHOOSE_PGP.useKeyButton);
+    assert.dom(GENERAL.button('use-pgp-key')).isDisabled('use pgp button is disabled');
+    await fillIn(GENERAL.textareaByAttr('pgp-key'), 'base64-pgp-key');
+    assert.dom(GENERAL.button('use-pgp-key')).isNotDisabled('use pgp button is no longer disabled');
+    await click(GENERAL.button('use-pgp-key'));
     assert
       .dom(CHOOSE_PGP.confirm)
       .hasText(
         'Below is the base-64 encoded PGP Key that will be used. Click the "Do it" button to proceed.',
         'Incorporates button text in confirmation'
       );
-    assert.dom(CHOOSE_PGP.base64Output).hasText('base64-pgp-key', 'Shows PGP key contents');
-    assert.dom(CHOOSE_PGP.submit).hasText('Do it', 'uses passed buttonText');
-    await click(CHOOSE_PGP.submit);
+    assert.dom(GENERAL.copySnippet('pgp-key')).hasText('base64-pgp-key', 'Shows PGP key contents');
+    assert.dom(GENERAL.submitButton).hasText('Do it', 'uses passed buttonText');
+    await click(GENERAL.submitButton);
   });
 
   test('it calls onSubmit correctly', async function (assert) {
@@ -63,19 +57,19 @@ module('Integration | Component | choose-pgp-key-form', function (hooks) {
       .dom(CHOOSE_PGP.description)
       .hasText('Choose a PGP Key from your computer or paste the contents of one in the form below.');
     await click(GENERAL.textToggle);
-    assert.dom(CHOOSE_PGP.useKeyButton).isDisabled('use pgp button is disabled');
-    await fillIn(CHOOSE_PGP.pgpTextArea, 'base64-pgp-key');
-    assert.dom(CHOOSE_PGP.useKeyButton).isNotDisabled('use pgp button is no longer disabled');
-    await click(CHOOSE_PGP.useKeyButton);
+    assert.dom(GENERAL.button('use-pgp-key')).isDisabled('use pgp button is disabled');
+    await fillIn(GENERAL.textareaByAttr('pgp-key'), 'base64-pgp-key');
+    assert.dom(GENERAL.button('use-pgp-key')).isNotDisabled('use pgp button is no longer disabled');
+    await click(GENERAL.button('use-pgp-key'));
     assert
       .dom(CHOOSE_PGP.confirm)
       .hasText(
         'Below is the base-64 encoded PGP Key that will be used. Click the "Submit" button to proceed.',
         'Confirmation text has buttonText'
       );
-    assert.dom(CHOOSE_PGP.base64Output).hasText('base64-pgp-key', 'Shows PGP key contents');
-    assert.dom(CHOOSE_PGP.submit).hasText('Submit', 'uses passed buttonText');
-    await click(CHOOSE_PGP.submit);
+    assert.dom(GENERAL.copySnippet('pgp-key')).hasText('base64-pgp-key', 'Shows PGP key contents');
+    assert.dom(GENERAL.submitButton).hasText('Submit', 'uses passed buttonText');
+    await click(GENERAL.submitButton);
     assert.ok(submitSpy.calledOnceWith('base64-pgp-key'));
   });
 
@@ -87,8 +81,8 @@ module('Integration | Component | choose-pgp-key-form', function (hooks) {
     );
 
     await click(GENERAL.textToggle);
-    await fillIn(CHOOSE_PGP.pgpTextArea, 'base64-pgp-key');
-    await click(CHOOSE_PGP.cancel);
+    await fillIn(GENERAL.textareaByAttr('pgp-key'), 'base64-pgp-key');
+    await click(GENERAL.cancelButton);
     assert.ok(cancelSpy.calledOnce);
   });
 });
diff --git a/ui/tests/integration/components/clients/config-test.js b/ui/tests/integration/components/clients/config-test.js
index 29ac827cfa..f297542c14 100644
--- a/ui/tests/integration/components/clients/config-test.js
+++ b/ui/tests/integration/components/clients/config-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, find, click, fillIn } from '@ember/test-helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/clients/date-range-test.js b/ui/tests/integration/components/clients/date-range-test.js
index be16965cab..3b487e8f13 100644
--- a/ui/tests/integration/components/clients/date-range-test.js
+++ b/ui/tests/integration/components/clients/date-range-test.js
@@ -182,19 +182,6 @@ module('Integration | Component | clients/date-range', function (hooks) {
         .hasAttribute('aria-expanded', 'false', 'it closes dropdown after selection');
     });
 
-    test('it renders billing period text', async function (assert) {
-      await this.renderComponent();
-      assert
-        .dom(this.element)
-        .hasText('Change billing period January 2018', 'it renders billing related text');
-    });
-
-    test('it renders data period text for HVD managed clusters', async function (assert) {
-      this.owner.lookup('service:flags').featureFlags = ['VAULT_CLOUD_ADMIN_NAMESPACE'];
-      await this.renderComponent();
-      assert.dom(this.element).hasText('Change data period January 2018');
-    });
-
     test('it should send an empty string for start_time when selecting current period', async function (assert) {
       await this.renderComponent();
 
diff --git a/ui/tests/integration/components/clients/page-header-test.js b/ui/tests/integration/components/clients/page-header-test.js
index 69d9b80c3d..c8342cdbf9 100644
--- a/ui/tests/integration/components/clients/page-header-test.js
+++ b/ui/tests/integration/components/clients/page-header-test.js
@@ -276,9 +276,6 @@ module('Integration | Component | clients/page-header', function (hooks) {
         .dom(GENERAL.hdsPageHeaderTitle)
         .hasTextContaining('Client usage', 'it renders page header title');
       assert.dom(GENERAL.breadcrumbs).hasTextContaining('Vault Client usage', 'it renders breadcrumbs');
-      assert
-        .dom(GENERAL.textDisplay('change-billing-data'))
-        .hasTextContaining('Change billing period', 'it renders change billing period text');
     });
 
     test('it renders data period text for HVD managed clusters', async function (assert) {
@@ -289,9 +286,6 @@ module('Integration | Component | clients/page-header', function (hooks) {
         .dom(GENERAL.hdsPageHeaderTitle)
         .hasTextContaining('Client usage', 'it renders page header title');
       assert.dom(GENERAL.breadcrumbs).hasTextContaining('Vault Client usage', 'it renders breadcrumbs');
-      assert
-        .dom(GENERAL.textDisplay('change-billing-data'))
-        .hasTextContaining('Change data period', 'it renders change data period text');
     });
 
     test('it allows date editing if no billing start time is provided', async function (assert) {
diff --git a/ui/tests/integration/components/clients/page/counts-test.js b/ui/tests/integration/components/clients/page/counts-test.js
index 370f74c402..8541d81d32 100644
--- a/ui/tests/integration/components/clients/page/counts-test.js
+++ b/ui/tests/integration/components/clients/page/counts-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, findAll, fillIn } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/clients/page/overview-test.js b/ui/tests/integration/components/clients/page/overview-test.js
index 440838c336..d723ad26c0 100644
--- a/ui/tests/integration/components/clients/page/overview-test.js
+++ b/ui/tests/integration/components/clients/page/overview-test.js
@@ -9,11 +9,12 @@ import { click, find, findAll, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { ACTIVITY_RESPONSE_STUB } from 'vault/tests/helpers/clients/client-count-helpers';
-import { CHARTS, CLIENT_COUNT, FILTERS } from 'vault/tests/helpers/clients/client-count-selectors';
+import { CLIENT_COUNT, FILTERS } from 'vault/tests/helpers/clients/client-count-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import sinon from 'sinon';
 import { ClientFilters, flattenMounts } from 'core/utils/client-counts/helpers';
 import { parseAPITimestamp } from 'core/utils/date-formatters';
+import { setRunOptions } from 'ember-a11y-testing/test-support';
 import {
   destructureClientCounts,
   formatByMonths,
@@ -25,6 +26,13 @@ module('Integration | Component | clients/page/overview', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(async function () {
+    setRunOptions({
+      rules: {
+        // Carbon Charts renders path.bar elements with role="graphics-symbol" without aria-label.
+        // This is a known Carbon Charts library limitation; the rule is suppressed here.
+        'svg-img-alt': { enabled: false },
+      },
+    });
     this.server.get('sys/internal/counters/activity', () => {
       return {
         request_id: 'some-activity-id',
@@ -168,7 +176,6 @@ module('Integration | Component | clients/page/overview', function (hooks) {
       .mounts.find((m) => m.label === 'auth/userpass/0/');
 
     await this.renderComponent();
-    assert.dom(CHARTS.legend).hasText('New clients');
     assert
       .dom(GENERAL.tableData(0, 'clients'))
       .hasText(`${topMount.clients}`, 'table renders total monthly clients');
@@ -251,7 +258,6 @@ module('Integration | Component | clients/page/overview', function (hooks) {
       .mounts.find((m) => m.label === 'acme/pki/0/');
 
     await this.renderComponent();
-    assert.dom(CHARTS.legend).hasText('Clients');
     assert
       .dom(GENERAL.tableData(0, 'clients'))
       .hasText(`${topMount.clients}`, 'table renders total monthly clients');
diff --git a/ui/tests/integration/components/clients/running-total-test.js b/ui/tests/integration/components/clients/running-total-test.js
index 2e88d72794..3affa42914 100644
--- a/ui/tests/integration/components/clients/running-total-test.js
+++ b/ui/tests/integration/components/clients/running-total-test.js
@@ -4,19 +4,19 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { click, find, render } from '@ember/test-helpers';
+import { click, findAll, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import clientsHandler, { LICENSE_START, STATIC_NOW } from 'vault/mirage/handlers/clients';
 import sinon from 'sinon';
 import { getUnixTime } from 'date-fns';
-import { findAll } from '@ember/test-helpers';
 import { formatNumber } from 'core/helpers/format-number';
 import timestamp from 'core/utils/timestamp';
 import { CLIENT_COUNT, CHARTS } from 'vault/tests/helpers/clients/client-count-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { parseAPITimestamp } from 'core/utils/date-formatters';
+import { setRunOptions } from 'ember-a11y-testing/test-support';
 import {
   destructureClientCounts,
   formatByMonths,
@@ -30,6 +30,13 @@ module('Integration | Component | clients/running-total', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(async function () {
+    setRunOptions({
+      rules: {
+        // Carbon Charts renders path.bar elements with role="graphics-symbol" without aria-label.
+        // This is a known Carbon Charts library limitation; the rule is suppressed here.
+        'svg-img-alt': { enabled: false },
+      },
+    });
     this.flags = this.owner.lookup('service:flags');
     this.version = this.owner.lookup('service:version');
     this.flags.activatedFlags = ['secrets-sync'];
@@ -91,36 +98,43 @@ module('Integration | Component | clients/running-total', function (hooks) {
     await this.renderComponent();
 
     assert.dom(CLIENT_COUNT.card('Client usage trends')).exists('running total component renders');
-    assert.dom(CHARTS.chart('Client usage by month')).exists('bar chart renders');
-    assert.dom(CHARTS.legend).hasText('New clients');
-    const expectedColor = 'rgb(28, 52, 95)';
-    const color = getComputedStyle(find(CHARTS.legendDot(1))).backgroundColor;
-    assert.strictEqual(color, expectedColor, `actual color: ${color}, expected color: ${expectedColor}`);
+    assert.dom(GENERAL.inputByAttr('toggle view')).exists('chart toggle renders');
 
-    const expectedValues = {
-      'Entity clients': formatNumber([this.activity.total.entity_clients]),
-      'Non-entity clients': formatNumber([this.activity.total.non_entity_clients]),
-      'ACME clients': formatNumber([this.activity.total.acme_clients]),
-      'Secret sync clients': formatNumber([this.activity.total.secret_syncs]),
-    };
-    for (const label in expectedValues) {
+    const donutLegendItems = findAll(CHARTS.carbonLegendLabel('Client count and type distribution'));
+    const expectedDonutLabels = [
+      'Entity clients',
+      'Non-entity clients',
+      'ACME clients',
+      'Secret sync clients',
+    ];
+    assert.strictEqual(
+      donutLegendItems.length,
+      expectedDonutLabels.length,
+      'donut chart legend has correct number of items'
+    );
+    donutLegendItems.forEach((el, i) => {
       assert
-        .dom(CLIENT_COUNT.statLegendValue(label))
-        .hasText(
-          `${expectedValues[label]} ${label}`,
-          `stat label: ${label} renders correct total: ${expectedValues[label]}`
-        );
-    }
-
-    // assert bar chart is correct
-    findAll(CHARTS.xAxisLabel).forEach((e, i) => {
-      const timestamp = this.byMonthClients[i].timestamp;
-      const displayMonth = parseAPITimestamp(timestamp, 'M/yy');
-      assert.dom(e).hasText(displayMonth, `renders x-axis labels for bar chart: ${displayMonth}`);
+        .dom(el)
+        .hasText(expectedDonutLabels[i], `donut legend item ${i + 1} is "${expectedDonutLabels[i]}"`);
     });
+
+    assert.dom('[data-test-chart="Client usage by month (simple)"]').exists('simple chart container renders');
+    assert.dom('[data-test-chart="Client usage by month (simple)"] svg').exists('Carbon chart renders SVG');
     assert
-      .dom(CHARTS.verticalBar)
-      .exists({ count: this.byMonthClients.length }, 'renders correct number of bars ');
+      .dom(CHARTS.carbonLegendLabel('Client usage by month (simple)'))
+      .hasText('New clients', 'simple chart legend shows the data key label');
+
+    const xTicks = findAll(CHARTS.carbonXAxisTick('Client usage by month (simple)'));
+    assert.strictEqual(xTicks.length, this.byMonthClients.length, 'x-axis has one tick per month');
+    assert
+      .dom(xTicks[0])
+      .hasText(
+        parseAPITimestamp(this.byMonthClients[0].timestamp, 'M/yy'),
+        'first x-axis tick shows the first month'
+      );
+    assert
+      .dom(CHARTS.carbonBar('Client usage by month (simple)'))
+      .exists({ count: this.byMonthClients.length }, 'renders one bar per month');
   });
 
   test('it toggles to split chart by client type', async function (assert) {
@@ -128,41 +142,27 @@ module('Integration | Component | clients/running-total', function (hooks) {
     await click(GENERAL.inputByAttr('toggle view'));
 
     assert.dom(CLIENT_COUNT.card('Client usage trends')).exists('running total component renders');
-    assert.dom(CHARTS.chart('Client usage by month')).exists('bar chart renders');
     assert
-      .dom(CHARTS.legend)
-      .hasText(
-        'Entity clients Non-entity clients ACME clients Secret sync clients',
-        'it renders legend in order that matches the stacked bar data and secret sync clients is last'
-      );
+      .dom('[data-test-chart="Client usage by month (stacked)"]')
+      .exists('stacked chart container renders');
+    assert.dom('[data-test-chart="Client usage by month (stacked)"] svg').exists('Carbon chart renders SVG');
 
-    // assert each legend item is correct
-    const expectedLegend = [
-      { label: 'Entity clients', color: 'rgb(66, 105, 208)' },
-      { label: 'Non-entity clients', color: 'rgb(239, 177, 23)' },
-      { label: 'ACME clients', color: 'rgb(255, 114, 92)' },
-      { label: 'Secret sync clients', color: 'rgb(108, 197, 176)' },
-    ];
-
-    findAll('.legend-item').forEach((e, i) => {
-      const { label, color } = expectedLegend[i];
-      assert.dom(e).hasText(label, `legend renders label: ${label}`);
-      const dotColor = getComputedStyle(find(CHARTS.legendDot(i + 1))).backgroundColor;
-      assert.strictEqual(dotColor, color, `${label} - actual color: ${dotColor}, expected: ${color}`);
-    });
-
-    // assert bar chart is correct
-    findAll(CHARTS.xAxisLabel).forEach((e, i) => {
-      const timestamp = this.byMonthClients[i].timestamp;
-      const displayMonth = parseAPITimestamp(timestamp, 'M/yy');
-      assert.dom(e).hasText(`${displayMonth}`, `renders x-axis labels for bar chart: ${displayMonth}`);
+    const legendLabels = findAll(CHARTS.carbonLegendLabel('Client usage by month (stacked)'));
+    const expectedLabels = ['Entity clients', 'Non-entity clients', 'ACME clients', 'Secret sync clients'];
+    assert.strictEqual(
+      legendLabels.length,
+      expectedLabels.length,
+      'stacked chart legend has correct number of items'
+    );
+    legendLabels.forEach((el, i) => {
+      assert.dom(el).hasText(expectedLabels[i], `legend item ${i + 1} is "${expectedLabels[i]}"`);
     });
 
     const months = this.byMonthClients.length;
-    const barsPerMonth = expectedLegend.length;
+    const groupCount = expectedLabels.length;
     assert
-      .dom(CHARTS.verticalBar)
-      .exists({ count: months * barsPerMonth }, `renders ${barsPerMonth} bars per month`);
+      .dom(CHARTS.carbonBar('Client usage by month (stacked)'))
+      .exists({ count: months * groupCount }, `renders ${groupCount} bars per month`);
   });
 
   test('it renders when no monthly breakdown is available', async function (assert) {
@@ -182,7 +182,7 @@ module('Integration | Component | clients/running-total', function (hooks) {
           `stat label: ${label} renders single month new clients: ${expectedStats[label]}`
         );
     }
-    assert.dom(CHARTS.chart('Client usage by month')).doesNotExist('bar chart does not render');
+    assert.dom(CHARTS.chart('Client usage by month (simple)')).doesNotExist('bar chart does not render');
     assert.dom(CLIENT_COUNT.statTextValue()).exists({ count: 5 }, 'renders 5 stat text containers');
   });
 
@@ -194,37 +194,42 @@ module('Integration | Component | clients/running-total', function (hooks) {
     await this.renderComponent();
 
     assert.dom(CLIENT_COUNT.card('Client usage trends')).exists('running total component renders');
-    assert.dom(CHARTS.chart('Client usage by month')).exists('bar chart renders');
-    assert.dom(CLIENT_COUNT.statLegendValue('Entity clients')).exists();
-    assert.dom(CLIENT_COUNT.statLegendValue('Non-entity clients')).exists();
-    assert
-      .dom(CLIENT_COUNT.statLegendValue('Secret sync clients'))
-      .doesNotExist('does not render secret syncs');
+    assert.dom('[data-test-chart="Client usage by month (simple)"]').exists('simple chart container renders');
+    const donutLegendItems = findAll(CHARTS.carbonLegendLabel('Client count and type distribution'));
+    const expectedDonutLabels = ['Entity clients', 'Non-entity clients', 'ACME clients'];
+    assert.strictEqual(
+      donutLegendItems.length,
+      expectedDonutLabels.length,
+      'donut legend has 3 items — secret sync clients is not included'
+    );
+    donutLegendItems.forEach((el, i) => {
+      assert
+        .dom(el)
+        .hasText(expectedDonutLabels[i], `donut legend item ${i + 1} is "${expectedDonutLabels[i]}"`);
+    });
 
     // check toggle view
     await click(GENERAL.inputByAttr('toggle view'));
     assert
-      .dom(CHARTS.legend)
-      .hasText('Entity clients Non-entity clients ACME clients', 'legend does not include sync clients');
+      .dom('[data-test-chart="Client usage by month (stacked)"]')
+      .exists('stacked chart container renders');
+    assert.dom('[data-test-chart="Client usage by month (stacked)"] svg').exists('Carbon chart renders SVG');
 
-    // assert each legend item is correct
-    const expectedLegend = [
-      { label: 'Entity clients', color: 'rgb(66, 105, 208)' },
-      { label: 'Non-entity clients', color: 'rgb(239, 177, 23)' },
-      { label: 'ACME clients', color: 'rgb(255, 114, 92)' },
-    ];
-
-    findAll('.legend-item').forEach((e, i) => {
-      const { label, color } = expectedLegend[i];
-      assert.dom(e).hasText(label, `legend renders label: ${label}`);
-      const dotColor = getComputedStyle(find(CHARTS.legendDot(i + 1))).backgroundColor;
-      assert.strictEqual(dotColor, color, `${label} - actual color: ${dotColor}, expected: ${color}`);
+    const legendLabels = findAll(CHARTS.carbonLegendLabel('Client usage by month (stacked)'));
+    const expectedLabels = ['Entity clients', 'Non-entity clients', 'ACME clients'];
+    assert.strictEqual(
+      legendLabels.length,
+      expectedLabels.length,
+      'stacked legend has 3 items — secret sync clients is not included'
+    );
+    legendLabels.forEach((el, i) => {
+      assert.dom(el).hasText(expectedLabels[i], `legend item ${i + 1} is "${expectedLabels[i]}"`);
     });
 
     const months = this.byMonthClients.length;
-    const barsPerMonth = expectedLegend.length;
+    const groupCount = expectedLabels.length;
     assert
-      .dom(CHARTS.verticalBar)
-      .exists({ count: months * barsPerMonth }, `renders ${barsPerMonth} bars per month`);
+      .dom(CHARTS.carbonBar('Client usage by month (stacked)'))
+      .exists({ count: months * groupCount }, `renders ${groupCount} bars per month without secret sync`);
   });
 });
diff --git a/ui/tests/integration/components/clients/table-test.js b/ui/tests/integration/components/clients/table-test.js
index 98d61d638c..f8d27671fd 100644
--- a/ui/tests/integration/components/clients/table-test.js
+++ b/ui/tests/integration/components/clients/table-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, render, waitFor } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/clients/usage-stats-test.js b/ui/tests/integration/components/clients/usage-stats-test.js
index f5c7fdc19e..6c5ec98bf9 100644
--- a/ui/tests/integration/components/clients/usage-stats-test.js
+++ b/ui/tests/integration/components/clients/usage-stats-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/components/code-generator/automation-snippets-test.js b/ui/tests/integration/components/code-generator/automation-snippets-test.js
index 14d6ea1252..661a636cee 100644
--- a/ui/tests/integration/components/code-generator/automation-snippets-test.js
+++ b/ui/tests/integration/components/code-generator/automation-snippets-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -63,8 +63,8 @@ module('Integration | Component | code-generator/automation-snippets', function
     };
     await this.renderComponent();
     const expectedTfvp = `resource "vault_mount" "<local identifier>" {
- path = "my-mount" 
- type = "kv-v2" 
+ path = "my-mount"
+ type = "kv-v2"
 }`;
     const expectedCli = 'vault kv delete -mount=secret creds';
     await click(GENERAL.hdsTab('cli'));
@@ -79,8 +79,8 @@ module('Integration | Component | code-generator/automation-snippets', function
     await this.renderComponent();
     const expectedSnippet = `resource "vault_mount" "<local identifier>" {
  namespace = "admin"
- path = "my-mount" 
- type = "kv-v2" 
+ path = "my-mount"
+ type = "kv-v2"
 }`;
     assert
       .dom(GENERAL.fieldByAttr('terraform'))
diff --git a/ui/tests/integration/components/code-generator/policy/builder-test.js b/ui/tests/integration/components/code-generator/policy/builder-test.js
index 506e5058a4..dbeed33fe8 100644
--- a/ui/tests/integration/components/code-generator/policy/builder-test.js
+++ b/ui/tests/integration/components/code-generator/policy/builder-test.js
@@ -4,23 +4,25 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, setupOnerror } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
-import { ACL_CAPABILITIES, PolicyStanza } from 'core/utils/code-generators/policy';
+import { ACL_CAPABILITIES, formatStanzas, PolicyStanza } from 'core/utils/code-generators/policy';
 
 module('Integration | Component | code-generator/policy/builder', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(function () {
-    this.onPolicyChange = ({ policy, stanzas }) => {
-      this.set('policyCallback', policy);
+    this.onPolicyChange = ({ stanzas }) => {
+      // Mimics consumers of this component which use formatStanzas as needed
+      this.set('policyCallback', formatStanzas(stanzas));
       this.set('stanzas', stanzas);
     };
 
     this.policyCallback = '';
     this.policyName = undefined;
+    this.renderValidations = false;
     this.stanzas = [new PolicyStanza()];
 
     this.renderComponent = () => {
@@ -28,6 +30,7 @@ module('Integration | Component | code-generator/policy/builder', function (hook
         <CodeGenerator::Policy::Builder
           @onPolicyChange={{this.onPolicyChange}}
           @policyName={{this.policyName}}
+          @renderValidations={{this.renderValidations}}
           @stanzas={{this.stanzas}}
         />`);
     };
@@ -230,4 +233,13 @@ path "" {
 }`;
     this.assertPolicyUpdate(assert, expectedPolicy, 'when rules do have an empty path');
   });
+
+  test('it passes @renderValidations through to CodeGenerator::Policy::Stanza', async function (assert) {
+    this.renderValidations = true;
+    await this.renderComponent();
+    assert.dom(GENERAL.validationErrorByAttr('path-0')).hasText('Path cannot be empty.');
+    assert
+      .dom(GENERAL.validationErrorByAttr('capabilities-0'))
+      .hasText('Rule must have at least one capability.');
+  });
 });
diff --git a/ui/tests/integration/components/code-generator/policy/flyout-test.js b/ui/tests/integration/components/code-generator/policy/flyout-test.js
index 59e517264e..5aa64532b6 100644
--- a/ui/tests/integration/components/code-generator/policy/flyout-test.js
+++ b/ui/tests/integration/components/code-generator/policy/flyout-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, typeIn, waitUntil, find } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
@@ -113,21 +113,30 @@ module('Integration | Component | code-generator/policy/flyout', function (hooks
 
   // This test is to demonstrate how to implement closing the dropdown when the flyout trigger is a dropdown element
   test('it closes dropdown if custom trigger is a dropdown item', async function (assert) {
+    this.showPolicyFlyout = false;
     await render(hbs`<Hds::Dropdown as |D|>
       <D.ToggleButton @text="Toolbox" data-test-dropdown="Toolbox" />
-      <CodeGenerator::Policy::Flyout @onClose={{D.close}} >
-        <:customTrigger as |openFlyout|>
-          <D.Interactive @icon="shield-check" {{on "click" openFlyout}} data-test-button="Make me a policy!">
-            Make me a policy!
-          </D.Interactive>
-        </:customTrigger>
-      </CodeGenerator::Policy::Flyout>
+      <D.Interactive @icon="shield-check" {{on "click" (fn (mut this.showPolicyFlyout) true)}} data-test-button="Make me a policy!">
+        Make me a policy!
+      </D.Interactive>
       <D.Interactive @icon="wand" data-test-button="Magic stuff">Magic stuff</D.Interactive>
-    </Hds::Dropdown>`);
+    </Hds::Dropdown>
+    <CodeGenerator::Policy::Flyout @onClose={{(fn (mut this.showPolicyFlyout) false)}}>
+      <:customTrigger as |openFlyout|>
+        {{#if this.showPolicyFlyout}}
+          <div {{did-insert openFlyout}}/>
+        {{/if}}
+      </:customTrigger>
+    </CodeGenerator::Policy::Flyout>
+    `);
+
     await click(GENERAL.dropdownToggle('Toolbox'));
     assert.dom(GENERAL.dropdownToggle('Toolbox')).hasAttribute('aria-expanded', 'true');
     await click(GENERAL.button('Make me a policy!'));
     assert.dom(GENERAL.flyout).exists('flyout is open');
+    await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
+    await click(GENERAL.submitButton);
+    assert.dom(GENERAL.messageError).exists();
     await click(GENERAL.cancelButton);
     assert.dom(GENERAL.flyout).doesNotExist('flyout is closed');
     const dropdown = find(GENERAL.dropdownToggle('Toolbox'));
@@ -139,20 +148,18 @@ module('Integration | Component | code-generator/policy/flyout', function (hooks
 
   test('it does not render yielded custom trigger component on community', async function (assert) {
     this.version.type = 'community';
-    await this.renderComponent({ open: false });
-    await render(hbs`<Hds::Dropdown as |D|>
-      <D.ToggleButton @text="Toolbox" data-test-dropdown="Toolbox" />
-      <CodeGenerator::Policy::Flyout>
-        <:customTrigger as |openFlyout|>
-          <D.Interactive @icon="shield-check" {{on "click" openFlyout}} data-test-button="Make me a policy!">
-            Make me a policy!
-          </D.Interactive>
-        </:customTrigger>
-      </CodeGenerator::Policy::Flyout>
-      <D.Interactive @icon="wand" data-test-button="Magic stuff">Magic stuff</D.Interactive>
-    </Hds::Dropdown>`);
-    await click(GENERAL.dropdownToggle('Toolbox'));
-    assert.dom(GENERAL.button('Magic stuff')).exists('dropdown opens');
+    await render(hbs`
+    <CodeGenerator::Policy::Flyout>
+      <:customTrigger>
+        <Hds::Button
+          @icon="shield-check"
+          @text="Make me a policy!"
+          @color="secondary"
+          data-test-button="Make me a policy!"
+        />
+      </:customTrigger>
+    </CodeGenerator::Policy::Flyout>
+    `);
     assert.dom(GENERAL.button('Make me a policy!')).doesNotExist();
   });
 
@@ -201,15 +208,6 @@ EOT`;
     assert.dom(GENERAL.inputByAttr('name')).hasValue('mypolicy', 'name is converted to lowercase');
   });
 
-  test('it does not submit default stanza templates as policy payload', async function (assert) {
-    assert.expect(3);
-    const expectedPolicy = '';
-    this.assertSaveRequest(assert, expectedPolicy, 'policy payload is empty when visual editor is untouched');
-    await this.renderComponent();
-    await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
-    await click(GENERAL.submitButton);
-  });
-
   test('it saves a policy', async function (assert) {
     assert.expect(7);
     const flashSuccessSpy = Sinon.spy(this.owner.lookup('service:flash-messages'), 'success');
@@ -239,7 +237,7 @@ EOT`;
   });
 
   test('it resets after saving a policy', async function (assert) {
-    assert.expect(11);
+    assert.expect(8);
     const expectedPolicy = `path "secret/data/*" {\n    capabilities = ["read"]\n}`;
     this.assertSaveRequest(assert, expectedPolicy);
     await this.renderComponent();
@@ -270,20 +268,18 @@ EOT
 }
 EOT`;
     assert.dom(GENERAL.fieldByAttr('cli')).hasText(expectedCli);
-    // Fill in name and save again to make sure policyContent is reset
-    this.assertSaveRequest(assert, '', 'policy content is empty after a successful save');
-    await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
-    await click(GENERAL.submitButton);
   });
 
-  test('it displays error message when save fails', async function (assert) {
+  test('it displays API error message when save fails', async function (assert) {
     this.server.post('/sys/policies/acl/:name', () => {
-      return overrideResponse(400, { errors: ["'policy' parameter not supplied or empty"] });
+      return overrideResponse(400, { errors: ['something went very wrong'] });
     });
     await this.renderComponent();
-    await fillIn(GENERAL.inputByAttr('name'), 'empty-policy');
+    await fillIn(GENERAL.inputByAttr('name'), 'failed-policy');
+    await fillIn(GENERAL.inputByAttr('path'), 'secret/data/*');
+    await click(GENERAL.checkboxByAttr('read'));
     await click(GENERAL.submitButton);
-    assert.dom(GENERAL.messageError).exists().hasText("Error 'policy' parameter not supplied or empty");
+    assert.dom(GENERAL.messageError).exists().hasText('Error something went very wrong');
     assert.dom(GENERAL.flyout).exists('flyout remains open after error');
   });
 
@@ -319,22 +315,85 @@ EOT`;
     await click(GENERAL.submitButton);
   });
 
-  test('it renders validation errors', async function (assert) {
+  test('it renders validation errors for invalid policy content', async function (assert) {
     await this.renderComponent();
+    await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
+    // Submit without filling in path or capabilities (missing path AND no capabilities)
     await click(GENERAL.submitButton);
-    assert.dom(GENERAL.messageError).exists().hasText('Error There is an error with this form.');
+    assert
+      .dom(GENERAL.messageError)
+      .exists()
+      .hasText('Error There is an error with this form. Invalid policy content.');
+    assert.dom(SELECTORS.pathByContainer(0)).hasClass('hds-form-text-input--is-invalid');
+    assert.dom(GENERAL.validationErrorByAttr('path-0')).exists().hasText('Path cannot be empty.');
+    assert
+      .dom(GENERAL.validationErrorByAttr('capabilities-0'))
+      .exists()
+      .hasText('Rule must have at least one capability.');
+  });
+
+  test('it renders validation errors for missing path', async function (assert) {
+    await this.renderComponent();
+    await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
+    await fillIn(GENERAL.inputByAttr('path'), 'secret/*');
+    await click(GENERAL.checkboxByAttr('read'));
+    // Add a second rule and just select capabilities (leave path empty)
+    await click(GENERAL.button('Add rule'));
+    await click(SELECTORS.checkboxByContainer(1, 'update'));
+    await click(GENERAL.submitButton);
+    assert
+      .dom(GENERAL.messageError)
+      .exists()
+      .hasText('Error There is an error with this form. Invalid policy content.');
+    assert.dom(SELECTORS.pathByContainer(1)).hasClass('hds-form-text-input--is-invalid');
+    assert.dom(GENERAL.validationErrorByAttr('path-1')).hasText('Path cannot be empty.');
+    assert.dom('[data-test-validation-error]').exists({ count: 1 }, 'only one validation error renders');
+  });
+
+  test('it renders validation errors for missing capabilities', async function (assert) {
+    await this.renderComponent();
+    await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
+    await fillIn(GENERAL.inputByAttr('path'), 'secret/*');
+    await click(GENERAL.checkboxByAttr('read'));
+    // Add a second rule and just fill in path (no capabilities selected)
+    await click(GENERAL.button('Add rule'));
+    await fillIn(SELECTORS.pathByContainer(1), 'new/path/*');
+    await click(GENERAL.submitButton);
+    assert
+      .dom(GENERAL.messageError)
+      .exists()
+      .hasText('Error There is an error with this form. Invalid policy content.');
+    assert
+      .dom(GENERAL.validationErrorByAttr('capabilities-1'))
+      .exists()
+      .hasText('Rule must have at least one capability.');
+    assert.dom('[data-test-validation-error]').exists({ count: 1 }, 'only one validation error renders');
+  });
+
+  test('it renders validation error for empty policy name', async function (assert) {
+    await this.renderComponent();
+    await fillIn(GENERAL.inputByAttr('path'), 'secret/*');
+    await click(GENERAL.checkboxByAttr('read'));
+    await click(GENERAL.submitButton);
+    assert
+      .dom(GENERAL.messageError)
+      .exists()
+      .hasText('Error There is an error with this form. Name is required.');
     assert.dom(GENERAL.inputByAttr('name')).hasClass('hds-form-text-input--is-invalid');
     assert.dom(GENERAL.validationErrorByAttr('name')).hasText('Name is required.');
   });
 
-  test('it resets errors after saving', async function (assert) {
+  test('it resets validation errors after saving', async function (assert) {
     const expectedPolicy = `path "secret/*" {\n    capabilities = ["read"]\n}`;
     this.assertSaveRequest(assert, expectedPolicy);
     await this.renderComponent();
 
-    // First attempt without name
+    // First attempt without name and policy content
     await click(GENERAL.submitButton);
-    assert.dom(GENERAL.messageError).exists().hasText('Error There is an error with this form.');
+    assert
+      .dom(GENERAL.messageError)
+      .exists()
+      .hasText('Error There are errors with this form. Name is required. Invalid policy content.');
     assert.dom(GENERAL.validationErrorByAttr('name')).exists('validation error shows');
 
     // Second attempt with name
@@ -349,11 +408,14 @@ EOT`;
     assert.dom(GENERAL.validationErrorByAttr('name')).doesNotExist('validation error is cleared');
   });
 
-  test('it resets errors if flyout is closed and policy is NOT saved', async function (assert) {
+  test('it resets validation errors if flyout is closed and policy is NOT saved', async function (assert) {
     await this.renderComponent();
     // Attempt to save
     await click(GENERAL.submitButton);
-    assert.dom(GENERAL.messageError).exists().hasText('Error There is an error with this form.');
+    assert
+      .dom(GENERAL.messageError)
+      .exists()
+      .hasText('Error There are errors with this form. Name is required. Invalid policy content.');
     assert.dom(GENERAL.validationErrorByAttr('name')).exists('validation error shows');
     // Cancel and close flyout
     await click(GENERAL.cancelButton);
@@ -486,14 +548,24 @@ EOT`;
         assert.dom(SELECTORS.pathByContainer(1)).hasValue('new/path/*', 'user added path still exists');
       });
 
-      test('it does not save prepopulated paths as policy content', async function (assert) {
-        assert.expect(3);
+      test('prepopulated paths trigger validation errors', async function (assert) {
         this.cacheCapabilityPaths('vault.cluster.secrets.secret', ['path/one', 'path/two']);
         await this.renderComponent();
-        // Fill in name and save to make sure policyContent is empty
-        this.assertSaveRequest(assert, '', 'policy content is empty despite pre-filled paths');
+        // Only fill in name to make sure capabilities validation triggers
         await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
         await click(GENERAL.submitButton);
+        assert
+          .dom(GENERAL.messageError)
+          .exists()
+          .hasText('Error There is an error with this form. Invalid policy content.');
+        assert
+          .dom(GENERAL.validationErrorByAttr('capabilities-0'))
+          .exists()
+          .hasText('Rule must have at least one capability.');
+        assert
+          .dom(GENERAL.validationErrorByAttr('capabilities-1'))
+          .exists()
+          .hasText('Rule must have at least one capability.');
       });
     });
   });
diff --git a/ui/tests/integration/components/code-generator/policy/stanza-test.js b/ui/tests/integration/components/code-generator/policy/stanza-test.js
index c5e871a269..d75898d8eb 100644
--- a/ui/tests/integration/components/code-generator/policy/stanza-test.js
+++ b/ui/tests/integration/components/code-generator/policy/stanza-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, typeIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import Sinon from 'sinon';
@@ -26,6 +26,7 @@ module('Integration | Component | code-generator/policy/stanza', function (hooks
           @onChange={{this.onChange}}
           @onDelete={{this.onDelete}}
           @stanza={{this.stanza}}
+          @renderValidations={{this.renderValidations}}
         />`);
     };
   });
@@ -168,4 +169,61 @@ module('Integration | Component | code-generator/policy/stanza', function (hooks
     await click(GENERAL.button('Delete'));
     assert.true(this.onDelete.calledOnce, 'onDelete is called');
   });
+
+  test('it does not render validations when @renderValidations is undefined', async function (assert) {
+    await this.renderComponent();
+    // Make sure path and capabilities are empty (which would normally render validations)
+    assert.dom(GENERAL.inputByAttr('path')).hasNoValue();
+    ACL_CAPABILITIES.forEach((capability) => {
+      assert.dom(GENERAL.fieldLabel(capability)).hasText(capability);
+      assert.dom(GENERAL.checkboxByAttr(capability)).isNotChecked();
+    });
+    assert.dom('[data-test-validation-error]').doesNotExist();
+  });
+
+  module('validations', function (hooks) {
+    hooks.beforeEach(function () {
+      this.renderValidations = true;
+    });
+
+    test('it renders validations when path is empty', async function (assert) {
+      await this.renderComponent();
+      // Click capability to just assert path
+      await click(GENERAL.checkboxByAttr('update'));
+      assert.dom(GENERAL.validationErrorByAttr('path-0')).exists().hasText('Path cannot be empty.');
+      assert.dom('[data-test-validation-error]').exists({ count: 1 });
+    });
+
+    test('it renders validations when no capabilities are selected', async function (assert) {
+      await this.renderComponent();
+      // Fill in path to only assert capabilities
+      await fillIn(GENERAL.inputByAttr('path'), 'my/super/secret/*');
+      assert
+        .dom(GENERAL.validationErrorByAttr('capabilities-0'))
+        .exists()
+        .hasText('Rule must have at least one capability.');
+      assert.dom('[data-test-validation-error]').exists({ count: 1 });
+    });
+
+    test('it renders validations for neither path or capabilities', async function (assert) {
+      await this.renderComponent();
+      assert.dom(GENERAL.validationErrorByAttr('path-0')).exists();
+      assert.dom(GENERAL.validationErrorByAttr('capabilities-0')).exists();
+      assert.dom('[data-test-validation-error]').exists({ count: 2 });
+    });
+
+    test('it removes validation when path is valid', async function (assert) {
+      await this.renderComponent();
+      assert.dom(GENERAL.validationErrorByAttr('path-0')).exists();
+      await fillIn(GENERAL.inputByAttr('path'), 'secret/data/*');
+      assert.dom(GENERAL.validationErrorByAttr('path-0')).doesNotExist();
+    });
+
+    test('it removes validation when at least one capability is selected', async function (assert) {
+      await this.renderComponent();
+      assert.dom(GENERAL.validationErrorByAttr('capabilities-0')).exists();
+      await click(GENERAL.checkboxByAttr('read'));
+      assert.dom(GENERAL.validationErrorByAttr('capabilities-0')).doesNotExist();
+    });
+  });
 });
diff --git a/ui/tests/integration/components/config-ui/messages/page/list-test.js b/ui/tests/integration/components/config-ui/messages/page/list-test.js
index ad5f6b6f83..cf04771d36 100644
--- a/ui/tests/integration/components/config-ui/messages/page/list-test.js
+++ b/ui/tests/integration/components/config-ui/messages/page/list-test.js
@@ -7,10 +7,11 @@ import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { setupEngine } from 'ember-engines/test-support';
-import { render, click } from '@ember/test-helpers';
+import { render, click, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { CUSTOM_MESSAGES } from 'vault/tests/helpers/config-ui/message-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { dateFormat } from 'core/helpers/date-format';
 
 const META = {
   value: {
@@ -61,8 +62,32 @@ module('Integration | Component | messages/page/list', function (hooks) {
         message: 'Some long long long message',
         link: { title: 'here', href: 'www.example.com' },
       },
+      {
+        id: '3',
+        active: true,
+        type: 'banner',
+        authenticated: true,
+        title: 'Message title 4',
+        message: 'Current event message with timezone',
+        link: { title: 'here', href: 'www.example.com' },
+        start_time: new Date('2023-07-01T00:00:00Z'),
+        end_time: new Date('2023-08-01T00:00:00Z'),
+      },
+      {
+        id: '4',
+        active: false,
+        type: 'banner',
+        authenticated: true,
+        title: 'Message title 5',
+        message: 'A message from the future',
+        link: { title: 'here', href: 'www.example.com' },
+        start_time: new Date(Date.now() + 1000000000), // start time in the future
+        end_time: undefined,
+      },
     ];
-    Object.defineProperty(this.messages, 'meta', META);
+    // Pass meta information by value so that each test can modify its own copy
+    // without affecting other tests
+    Object.defineProperty(this.messages, 'meta', { value: { ...META.value } });
 
     this.renderComponent = () => {
       const capabilitiesService = this.owner.lookup('service:capabilities');
@@ -79,15 +104,17 @@ module('Integration | Component | messages/page/list', function (hooks) {
         }
       );
     };
+
+    this.formatTime = (time) => dateFormat([time, 'MMM d, yyyy hh:mm aaa'], { withTimeZone: true });
   });
 
   test('it should show the messages empty state', async function (assert) {
     this.messages = [];
 
     await this.renderComponent();
-    assert.dom('[data-test-empty-state-title]').hasText('No messages yet');
+    assert.dom(GENERAL.emptyStateTitle).hasText('No messages yet');
     assert
-      .dom('[data-test-empty-state-message]')
+      .dom(GENERAL.emptyStateMessage)
       .hasText(
         'Add a custom message for all users after they log into Vault. Create message to get started.'
       );
@@ -95,14 +122,16 @@ module('Integration | Component | messages/page/list', function (hooks) {
 
   test('it should show the list of custom messages', async function (assert) {
     await this.renderComponent();
-    assert.dom('[data-test-icon="message-circle"]').exists();
+    assert.dom(GENERAL.icon('message-circle')).exists();
     for (const message of this.messages) {
       assert.dom(GENERAL.listItem(message.title)).exists('Message title is displayed');
     }
   });
 
   test('it should show max message warning modal', async function (assert) {
-    for (let i = 0; i < 97; i++) {
+    // Reset messages to 100 to test max message limit
+    this.messages = [];
+    for (let i = 0; i < 100; i++) {
       this.messages.push({
         id: `${i}-a`,
         active: true,
@@ -114,8 +143,17 @@ module('Integration | Component | messages/page/list', function (hooks) {
         start_time: new Date('2021-08-01T00:00:00Z'),
       });
     }
-    this.messages.meta.total = this.messages.length;
-    this.messages.meta.pageSize = 100;
+
+    Object.defineProperty(this.messages, 'meta', {
+      value: {
+        currentPage: 1,
+        lastPage: 1,
+        nextPage: 1,
+        prevPage: 1,
+        total: this.messages.length,
+        pageSize: 100,
+      },
+    });
 
     await this.renderComponent();
     await click(GENERAL.button('Create message'));
@@ -129,4 +167,65 @@ module('Integration | Component | messages/page/list', function (hooks) {
       );
     await click(GENERAL.button('close-maximum-message'));
   });
+
+  // Badge tests
+  test('it should show active custom messages', async function (assert) {
+    await this.renderComponent();
+
+    const activeMessage = this.messages[0];
+    assert
+      .dom(`${GENERAL.listItem(activeMessage.title)} ${GENERAL.badge()}`)
+      .hasText('Active')
+      .hasClass('hds-badge--color-success');
+  });
+
+  test('it should show active custom messages with end time if present', async function (assert) {
+    await this.renderComponent();
+
+    const activeMessageWithTimeZone = this.messages[3];
+    assert
+      .dom(`${GENERAL.listItem(activeMessageWithTimeZone.title)} ${GENERAL.badge()}`)
+      .hasText(`Active until ${this.formatTime(activeMessageWithTimeZone.end_time)}`)
+      .hasClass('hds-badge--color-success');
+  });
+
+  test('it should show scheduled messages with future start date and time', async function (assert) {
+    await this.renderComponent();
+
+    const scheduledMessage = this.messages[4];
+    assert
+      .dom(`${GENERAL.listItem(scheduledMessage.title)} ${GENERAL.badge()}`)
+      .hasText(`Scheduled: ${this.formatTime(scheduledMessage.start_time)}`)
+      .hasClass('hds-badge--color-highlight');
+  });
+
+  test('it should show inactive messages with message expiration time', async function (assert) {
+    await this.renderComponent();
+
+    const inactiveMessage = this.messages[1];
+    assert
+      .dom(`${GENERAL.listItem(inactiveMessage.title)} ${GENERAL.badge()}`)
+      .hasText(`Inactive: ${this.formatTime(inactiveMessage.end_time)}`)
+      .hasClass('hds-badge--color-neutral');
+  });
+
+  test('it should conditionally display filtering and disable state upon filter selection', async function (assert) {
+    for (let i = 0; i < 12; i++) {
+      this.messages.push({
+        id: `${i}-a`,
+        active: true,
+        type: 'banner',
+        authenticated: false,
+        title: `Message title ${i}`,
+        message: 'Some long long long message',
+        link: { title: 'here', href: 'www.example.com' },
+        start_time: new Date('2021-08-01T00:00:00Z'),
+      });
+    }
+
+    await this.renderComponent();
+    assert.dom(GENERAL.submitButton).hasAttribute('disabled');
+    await fillIn(GENERAL.filter('pageFilter'), '1');
+    assert.dom(GENERAL.submitButton).doesNotHaveAttribute('disabled');
+  });
 });
diff --git a/ui/tests/integration/components/confirm-action-test.js b/ui/tests/integration/components/confirm-action-test.js
index a5897d8dce..25668a3d19 100644
--- a/ui/tests/integration/components/confirm-action-test.js
+++ b/ui/tests/integration/components/confirm-action-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/confirmation-modal-test.js b/ui/tests/integration/components/confirmation-modal-test.js
index 7bd94ba04a..50ac740a60 100644
--- a/ui/tests/integration/components/confirmation-modal-test.js
+++ b/ui/tests/integration/components/confirmation-modal-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import sinon from 'sinon';
 import { click, fillIn, render } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/console/log-command-test.js b/ui/tests/integration/components/console/log-command-test.js
index a8bfeaa23a..70ffb57482 100644
--- a/ui/tests/integration/components/console/log-command-test.js
+++ b/ui/tests/integration/components/console/log-command-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/console/log-error-test.js b/ui/tests/integration/components/console/log-error-test.js
index 070a702c4a..58f37546ca 100644
--- a/ui/tests/integration/components/console/log-error-test.js
+++ b/ui/tests/integration/components/console/log-error-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/console/log-json-test.js b/ui/tests/integration/components/console/log-json-test.js
index 4f195ec897..bd3e59b726 100644
--- a/ui/tests/integration/components/console/log-json-test.js
+++ b/ui/tests/integration/components/console/log-json-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { assertCodeBlockValue } from 'vault/tests/helpers/codemirror';
diff --git a/ui/tests/integration/components/console/log-list-test.js b/ui/tests/integration/components/console/log-list-test.js
index 51d1c66262..ba6a420fc6 100644
--- a/ui/tests/integration/components/console/log-list-test.js
+++ b/ui/tests/integration/components/console/log-list-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/console/log-object-test.js b/ui/tests/integration/components/console/log-object-test.js
index eedf528d6b..4a70f21e70 100644
--- a/ui/tests/integration/components/console/log-object-test.js
+++ b/ui/tests/integration/components/console/log-object-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { stringifyObjectValues } from 'vault/components/console/log-object';
diff --git a/ui/tests/integration/components/console/log-text-test.js b/ui/tests/integration/components/console/log-text-test.js
index 0f926f4baf..ce9b34836e 100644
--- a/ui/tests/integration/components/console/log-text-test.js
+++ b/ui/tests/integration/components/console/log-text-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/console/ui-panel-test.js b/ui/tests/integration/components/console/ui-panel-test.js
index a2b2acd1c3..c11f83cf85 100644
--- a/ui/tests/integration/components/console/ui-panel-test.js
+++ b/ui/tests/integration/components/console/ui-panel-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled } from '@ember/test-helpers';
 import { create } from 'ember-cli-page-object';
 import uiPanel from 'vault/tests/pages/components/console/ui-panel';
diff --git a/ui/tests/integration/components/control-group-success-test.js b/ui/tests/integration/components/control-group-success-test.js
index 874f159b39..cf20e7c3fd 100644
--- a/ui/tests/integration/components/control-group-success-test.js
+++ b/ui/tests/integration/components/control-group-success-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, find, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/control-group-test.js b/ui/tests/integration/components/control-group-test.js
index 0eb64d4b00..e849a7a8f7 100644
--- a/ui/tests/integration/components/control-group-test.js
+++ b/ui/tests/integration/components/control-group-test.js
@@ -5,7 +5,7 @@
 
 import Service from '@ember/service';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/dashboard/overview-test.js b/ui/tests/integration/components/dashboard/overview-test.js
index bb36d52cb0..aaad2a7e41 100644
--- a/ui/tests/integration/components/dashboard/overview-test.js
+++ b/ui/tests/integration/components/dashboard/overview-test.js
@@ -8,7 +8,6 @@ import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { DASHBOARD } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
 import { SECRET_ENGINE_SELECTORS as SES } from 'vault/tests/helpers/secret-engine/secret-engine-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
@@ -83,20 +82,19 @@ module('Integration | Component | dashboard/overview', function (hooks) {
     this.vaultConfiguration = null;
     await this.renderComponent();
     assert.dom(GENERAL.hdsPageHeaderTitle).exists();
-    assert.dom(DASHBOARD.cardName('secrets-engines')).exists();
-    assert.dom(DASHBOARD.emptyState('secrets-engines')).exists();
-    assert.dom(DASHBOARD.cardName('learn-more')).exists();
-    assert.dom(DASHBOARD.cardName('quick-actions')).exists();
-    assert.dom(DASHBOARD.emptyState('quick-actions')).exists();
-    assert.dom(DASHBOARD.cardName('configuration-details')).doesNotExist();
-    assert.dom(DASHBOARD.cardName('replication')).doesNotExist();
-    assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
+    assert.dom(GENERAL.textDisplay('Secrets engines')).exists();
+    assert.dom(GENERAL.emptyState('secrets-engines')).exists();
+    assert.dom(GENERAL.textDisplay('Learn more')).exists();
+    assert.dom(GENERAL.textDisplay('Quick actions')).exists();
+    assert.dom(GENERAL.textDisplay('Cluster information')).doesNotExist();
+    assert.dom(GENERAL.textDisplay('Cluster replication')).doesNotExist();
+    assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
   });
 
   test('it renders the secrets engine card', async function (assert) {
     assert.expect(3);
     await this.renderComponent();
-    assert.dom(DASHBOARD.cardHeader('Secrets engines')).hasText('Secrets engines');
+    assert.dom(GENERAL.textDisplay('Secrets engines')).hasText('Secrets engines');
     assert.dom(SES.secretPath('kv-1/')).exists();
     assert.dom(SES.secretPath('kv-test/')).exists();
   });
@@ -117,12 +115,12 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       await this.renderComponent();
 
       assert.dom(GENERAL.hdsPageHeaderTitle).exists();
-      assert.dom(DASHBOARD.cardName('secrets-engines')).exists();
-      assert.dom(DASHBOARD.cardName('learn-more')).exists();
-      assert.dom(DASHBOARD.cardName('quick-actions')).exists();
-      assert.dom(DASHBOARD.cardName('configuration-details')).exists();
-      assert.dom(DASHBOARD.cardName('replication')).doesNotExist();
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Secrets engines')).exists();
+      assert.dom(GENERAL.textDisplay('Learn more')).exists();
+      assert.dom(GENERAL.textDisplay('Quick actions')).exists();
+      assert.dom(GENERAL.textDisplay('Cluster information')).exists();
+      assert.dom(GENERAL.textDisplay('Replication')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
     });
 
     test('it should hide cards on enterprise if permission but not in root namespace', async function (assert) {
@@ -136,8 +134,8 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       };
       this.isRootNamespace = false;
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
-      assert.dom(DASHBOARD.cardName('replication')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Replication')).doesNotExist();
     });
 
     test('it should show cards on enterprise if has permission and in root namespace', async function (assert) {
@@ -151,12 +149,12 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       };
       await this.renderComponent();
       assert.dom(GENERAL.hdsPageHeaderTitle).exists();
-      assert.dom(DASHBOARD.cardName('secrets-engines')).exists();
-      assert.dom(DASHBOARD.cardName('learn-more')).exists();
-      assert.dom(DASHBOARD.cardName('quick-actions')).exists();
-      assert.dom(DASHBOARD.cardName('configuration-details')).exists();
-      assert.dom(DASHBOARD.cardName('client-count')).exists();
-      assert.dom(DASHBOARD.cardName('replication')).exists();
+      assert.dom(GENERAL.textDisplay('Secrets engines')).exists();
+      assert.dom(GENERAL.textDisplay('Learn more')).exists();
+      assert.dom(GENERAL.textDisplay('Quick actions')).exists();
+      assert.dom(GENERAL.textDisplay('Cluster information')).exists();
+      assert.dom(GENERAL.textDisplay('Replication')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).exists();
     });
 
     test('it should show client count on enterprise in admin namespace when running a managed mode', async function (assert) {
@@ -176,7 +174,7 @@ module('Integration | Component | dashboard/overview', function (hooks) {
 
       await this.renderComponent();
 
-      assert.dom(DASHBOARD.cardName('client-count')).exists();
+      assert.dom(GENERAL.textDisplay('Client count')).exists();
     });
 
     test('it should hide client count on enterprise in child namespaces called "admin" when running a managed mode', async function (assert) {
@@ -196,7 +194,7 @@ module('Integration | Component | dashboard/overview', function (hooks) {
 
       await this.renderComponent();
 
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
     });
 
     test('it should hide client count on enterprise in any other namespace when running a managed mode', async function (assert) {
@@ -216,7 +214,7 @@ module('Integration | Component | dashboard/overview', function (hooks) {
 
       await this.renderComponent();
 
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
     });
 
     test('it should hide client count on PKI-only Secrets clusters', async function (assert) {
@@ -227,20 +225,32 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       };
       this.version.features = ['PKI-only Secrets'];
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
+    });
+
+    test('it should hide client count on enterprise when Consumption Billing is enabled', async function (assert) {
+      this.permissions.exactPaths = {
+        'sys/internal/counters/activity': {
+          capabilities: ['read'],
+        },
+      };
+      this.version.features = ['Consumption Billing'];
+
+      await this.renderComponent();
+      assert.dom(GENERAL.widget('client count')).doesNotExist();
     });
 
     test('it should hide cards on enterprise in root namespace but no permission', async function (assert) {
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
-      assert.dom(DASHBOARD.cardName('replication')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Replication')).doesNotExist();
     });
 
     test('it should hide cards on enterprise if no permission and not in root namespace', async function (assert) {
       this.isRootNamespace = false;
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
-      assert.dom(DASHBOARD.cardName('replication')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Replication')).doesNotExist();
     });
 
     test('it should hide client count on enterprise in root namespace if no activity permission', async function (assert) {
@@ -254,8 +264,9 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       };
 
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardName('client-count')).doesNotExist();
-      assert.dom(DASHBOARD.cardName('replication')).exists();
+
+      assert.dom(GENERAL.textDisplay('Client count')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Cluster replication')).exists();
     });
 
     test('it should hide replication on enterprise in root namespace if no replication status permission', async function (assert) {
@@ -269,8 +280,8 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       };
 
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardName('client-count')).exists();
-      assert.dom(DASHBOARD.cardName('replication')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).exists();
+      assert.dom(GENERAL.textDisplay('Replication')).doesNotExist();
     });
 
     test('it should hide replication on enterprise if has permission and in root namespace but is empty', async function (assert) {
@@ -284,8 +295,8 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       };
       this.replication = {};
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardName('client-count')).exists();
-      assert.dom(DASHBOARD.cardName('replication')).doesNotExist();
+      assert.dom(GENERAL.textDisplay('Client count')).exists();
+      assert.dom(GENERAL.textDisplay('Replication')).doesNotExist();
     });
   });
 
@@ -294,9 +305,9 @@ module('Integration | Component | dashboard/overview', function (hooks) {
     this.version.type = 'community';
     await this.renderComponent();
 
-    assert.dom('[data-test-learn-more-title]').hasText('Learn more');
+    assert.dom(GENERAL.textDisplay('Learn more')).hasText('Learn more');
     assert
-      .dom('[data-test-learn-more-subtext]')
+      .dom(GENERAL.textBody('Learn more description'))
       .hasText(
         'Explore the features of Vault and learn advance practices with the following tutorials and documentation.'
       );
@@ -312,9 +323,9 @@ module('Integration | Component | dashboard/overview', function (hooks) {
       'Transform Secrets Engine',
     ];
     await this.renderComponent();
-    assert.dom('[data-test-learn-more-title]').hasText('Learn more');
+    assert.dom(GENERAL.textDisplay('Learn more')).hasText('Learn more');
     assert
-      .dom('[data-test-learn-more-subtext]')
+      .dom(GENERAL.textBody('Learn more description'))
       .hasText(
         'Explore the features of Vault and learn advance practices with the following tutorials and documentation.'
       );
diff --git a/ui/tests/integration/components/dashboard/replication-state-text.js b/ui/tests/integration/components/dashboard/replication-state-text.js
deleted file mode 100644
index d6555cbe93..0000000000
--- a/ui/tests/integration/components/dashboard/replication-state-text.js
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'vault/tests/helpers';
-import { render } from '@ember/test-helpers';
-import { hbs } from 'ember-cli-htmlbars';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import SELECTORS from 'vault/tests/helpers/components/dashboard/replication-card';
-
-module('Integration | Component | dashboard/replication-state-text', function (hooks) {
-  setupRenderingTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.name = 'DR Primary';
-    this.clusterState = {
-      glyph: 'circle-check',
-      isOk: true,
-    };
-  });
-
-  test('it displays replication states', async function (assert) {
-    await render(
-      hbs`<Dashboard::ReplicationStateText
-  @name={{this.name}}
-  @version={{this.version}}
-  @subText={{this.subText}}
-  @clusterStates={{this.clusterStates}}
-/>`
-    );
-    assert.dom(SELECTORS.getReplicationTitle('dr-perf', 'DR primary')).hasText('DR primary');
-    assert.dom(SELECTORS.getStateTooltipTitle('dr-perf', 'DR primary')).hasText('running');
-    assert.dom(SELECTORS.getStateTooltipIcon('dr-perf', 'DR primary', 'check-circle')).exists();
-
-    this.name = 'DR Primary';
-    this.clusterState = {
-      glyph: 'x-circle',
-      isOk: false,
-    };
-    await render(
-      hbs`<Dashboard::ReplicationStateText
-  @name={{this.name}}
-  @version={{this.version}}
-  @subText={{this.subText}}
-  @clusterStates={{this.clusterStates}}
-/>`
-    );
-    assert
-      .dom(SELECTORS.getReplicationTitle('dr-perf', 'Performance primary'))
-      .hasText('Performance primary');
-    assert.dom(SELECTORS.getStateTooltipTitle('dr-perf', 'Performance primary')).hasText('running');
-    assert.dom(SELECTORS.getStateTooltipIcon('dr-perf', 'Performance primary', 'x-circle')).exists();
-    assert
-      .dom(SELECTORS.getStateTooltipIcon('dr-perf', 'Performance primary', 'x-circle'))
-      .hasClass('has-text-danger');
-  });
-});
diff --git a/ui/tests/integration/components/dashboard/client-count-card-test.js b/ui/tests/integration/components/dashboard/widgets/client-count-test.js
similarity index 69%
rename from ui/tests/integration/components/dashboard/client-count-card-test.js
rename to ui/tests/integration/components/dashboard/widgets/client-count-test.js
index 68b1d61648..65112784ee 100644
--- a/ui/tests/integration/components/dashboard/client-count-card-test.js
+++ b/ui/tests/integration/components/dashboard/widgets/client-count-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
-import { render, click } from '@ember/test-helpers';
+import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { Response } from 'miragejs';
@@ -13,49 +13,39 @@ import sinon from 'sinon';
 import { STATIC_NOW } from 'vault/mirage/handlers/clients';
 import timestamp from 'core/utils/timestamp';
 import { ACTIVITY_RESPONSE_STUB } from 'vault/tests/helpers/clients/client-count-helpers';
-import { formatNumber } from 'core/helpers/format-number';
-import { CLIENT_COUNT } from 'vault/tests/helpers/clients/client-count-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { dateFormat } from 'core/helpers/date-format';
 
-module('Integration | Component | dashboard/client-count-card', function (hooks) {
+module('Integration | Component | dashboard/widgets/client-count', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
 
   test('it should display client count information', async function (assert) {
-    assert.expect(6);
+    assert.expect(5);
     sinon.replace(timestamp, 'now', sinon.fake.returns(STATIC_NOW)); // 1/25/24
-    const { months, total } = ACTIVITY_RESPONSE_STUB;
-    const [latestMonth] = months.slice(-1);
     this.server.get('sys/internal/counters/activity', () => {
       // this assertion should be hit twice, once initially and then again clicking 'refresh'
       assert.true(true, 'makes request to sys/internal/counters/activity');
       return { data: ACTIVITY_RESPONSE_STUB };
     });
 
-    await render(hbs`<Dashboard::ClientCountCard />`);
-    assert.dom('[data-test-client-count-title]').hasText('Client count');
+    await render(hbs`<Dashboard::Widgets::ClientCount />`);
+    assert.dom(GENERAL.textDisplay('Client count')).hasText('Client count');
     assert
-      .dom(CLIENT_COUNT.statText('Total'))
-      .hasText(
-        `Total The number of clients in this billing period (Jun 2023 - Sep 2023). ${formatNumber([
-          total.clients,
-        ])}`
-      );
+      .dom(GENERAL.textBody('Client count total'))
+      .hasText('Total: The number of clients in this billing period (Jun 2023 - Sep 2023).');
     assert
-      .dom(CLIENT_COUNT.statText('New'))
-      .hasText(
-        `New The number of clients new to Vault in the current month. ${formatNumber([
-          latestMonth.new_clients.counts.clients,
-        ])}`
-      );
-    assert.dom('[data-test-updated-timestamp]').hasTextContaining('Updated Jan 25 2024');
-
-    // fires second request to /activity
-    await click('[data-test-refresh]');
+      .dom(GENERAL.textBody('Client count new'))
+      .hasText('New: The number of clients new to Vault in the current month.');
+    assert.dom(GENERAL.textBody('Client count updated at')).hasTextContaining(
+      `Updated ${dateFormat([STATIC_NOW.toISOString(), 'MMMM d, yyyy, h:mm:ss aaa'], {
+        withTimeZone: true,
+      })}`
+    );
   });
 
   test('it shows no data subtext if no start or end timestamp', async function (assert) {
-    assert.expect(2);
+    assert.expect(4);
     // as far as I know, responses will always have a start/end time
     // stubbing this unrealistic response just to test component subtext logic
     this.server.get('sys/internal/counters/activity', () => {
@@ -64,9 +54,11 @@ module('Integration | Component | dashboard/client-count-card', function (hooks)
       };
     });
 
-    await render(hbs`<Dashboard::ClientCountCard />`);
-    assert.dom(CLIENT_COUNT.statText('Total')).hasText('Total No total client data available. -');
-    assert.dom(CLIENT_COUNT.statText('New')).hasText('New No new client data available. -');
+    await render(hbs`<Dashboard::Widgets::ClientCount />`);
+    assert.dom(GENERAL.textBody('Client count total')).hasText('Total: No total client data available.');
+    assert.dom(GENERAL.textBody('Client count new')).hasText('New: No new client data available.');
+    assert.dom(GENERAL.tableData(0, 'total value')).hasText('-');
+    assert.dom(GENERAL.tableData(1, 'new value')).hasText('-');
   });
 
   test('it shows empty state if no activity data and reporting is enabled', async function (assert) {
@@ -84,7 +76,7 @@ module('Integration | Component | dashboard/client-count-card', function (hooks)
         data: { reporting_enabled: true },
       };
     });
-    await render(hbs`<Dashboard::ClientCountCard />`);
+    await render(hbs`<Dashboard::Widgets::ClientCount />`);
     assert.dom(GENERAL.emptyStateTitle).hasText('No data received');
     assert
       .dom(GENERAL.emptyStateMessage)
@@ -105,7 +97,7 @@ module('Integration | Component | dashboard/client-count-card', function (hooks)
         JSON.stringify({ errors: ['permission denied'] })
       );
     });
-    await render(hbs`<Dashboard::ClientCountCard />`);
+    await render(hbs`<Dashboard::Widgets::ClientCount />`);
     assert.dom(GENERAL.emptyStateTitle).hasText('Activity configuration data is unavailable');
     assert
       .dom(GENERAL.emptyStateMessage)
diff --git a/ui/tests/integration/components/dashboard/vault-configuration-details-card-test.js b/ui/tests/integration/components/dashboard/widgets/cluster-configuration-test.js
similarity index 72%
rename from ui/tests/integration/components/dashboard/vault-configuration-details-card-test.js
rename to ui/tests/integration/components/dashboard/widgets/cluster-configuration-test.js
index 3e999f9831..d8f294c2df 100644
--- a/ui/tests/integration/components/dashboard/vault-configuration-details-card-test.js
+++ b/ui/tests/integration/components/dashboard/widgets/cluster-configuration-test.js
@@ -7,9 +7,9 @@ import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
-import { DASHBOARD } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
-module('Integration | Component | dashboard/vault-configuration-details-card', function (hooks) {
+module('Integration | Component | dashboard/widgets/cluster-configuration', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(function () {
@@ -103,22 +103,20 @@ module('Integration | Component | dashboard/vault-configuration-details-card', f
     };
 
     this.renderComponent = () => {
-      return render(hbs`<Dashboard::VaultConfigurationDetailsCard @vaultConfiguration={{this.data}} />`);
+      return render(hbs`<Dashboard::Widgets::ClusterConfiguration @vaultConfiguration={{this.data}} />`);
     };
   });
 
-  test('it renders configuration details', async function (assert) {
+  test('it renders cluster information', async function (assert) {
     await this.renderComponent();
-    assert.dom(DASHBOARD.cardHeader('configuration')).hasText('Configuration details');
-    assert
-      .dom(DASHBOARD.vaultConfigurationCard.configDetailsField('api_addr'))
-      .hasText('http://127.0.0.1:8200');
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('default_lease_ttl')).hasText('0');
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('max_lease_ttl')).hasText('2 days');
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('tls')).hasText('Disabled'); // tls_disable=true
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('log_format')).hasText('None');
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('log_level')).hasText('debug');
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('type')).hasText('raft');
+    assert.dom(GENERAL.textDisplay('Cluster information')).hasText('Cluster information');
+    assert.dom(GENERAL.tableData('0', 'api_addr value')).hasText('http://127.0.0.1:8200');
+    assert.dom(GENERAL.tableData('1', 'default_lease_ttl value')).hasText('0');
+    assert.dom(GENERAL.tableData('2', 'max_lease_ttl value')).hasText('2 days');
+    assert.dom(GENERAL.tableData('3', 'tls value')).hasText('Disabled'); // tls_disable=true
+    assert.dom(GENERAL.tableData('4', 'log_format value')).hasText('None');
+    assert.dom(GENERAL.tableData('5', 'log_level value')).hasText('debug');
+    assert.dom(GENERAL.tableData('6', 'type value')).hasText('raft');
   });
 
   test('it should show tls as enabled if tls_disable, tls_cert_file and tls_key_file are in the config', async function (assert) {
@@ -127,7 +125,7 @@ module('Integration | Component | dashboard/vault-configuration-details-card', f
     this.data.listeners[0].config.tls_key_file = './key.pem';
 
     await this.renderComponent();
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('tls')).hasText('Enabled');
+    assert.dom(GENERAL.tableData('3', 'tls value')).hasText('Enabled');
   });
 
   test('it should show tls as enabled if only cert and key exist in config', async function (assert) {
@@ -136,12 +134,12 @@ module('Integration | Component | dashboard/vault-configuration-details-card', f
     this.data.listeners[0].config.tls_key_file = './key.pem';
 
     await this.renderComponent();
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('tls')).hasText('Enabled');
+    assert.dom(GENERAL.tableData('3', 'tls value')).hasText('Enabled');
   });
 
   test('it should show tls as disabled if there is no tls information in the config', async function (assert) {
     this.data.listeners = [];
     await this.renderComponent();
-    assert.dom(DASHBOARD.vaultConfigurationCard.configDetailsField('tls')).hasText('Disabled');
+    assert.dom(GENERAL.tableData('3', 'tls value')).hasText('Disabled');
   });
 });
diff --git a/ui/tests/integration/components/dashboard/quick-actions-card-test.js b/ui/tests/integration/components/dashboard/widgets/quick-actions-test.js
similarity index 79%
rename from ui/tests/integration/components/dashboard/quick-actions-card-test.js
rename to ui/tests/integration/components/dashboard/widgets/quick-actions-test.js
index 397fcc9ea7..2901f6c085 100644
--- a/ui/tests/integration/components/dashboard/quick-actions-card-test.js
+++ b/ui/tests/integration/components/dashboard/widgets/quick-actions-test.js
@@ -9,11 +9,10 @@ import { render, findAll, click, typeIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { selectChoose } from 'ember-power-select/test-support';
 import sinon from 'sinon';
-import { DASHBOARD } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import SecretsEngineResource from 'vault/resources/secrets/engine';
 
-module('Integration | Component | dashboard/quick-actions-card', function (hooks) {
+module('Integration | Component | dashboard/widgets/quick-actions', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(function () {
@@ -53,7 +52,7 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
     ];
 
     this.renderComponent = () =>
-      render(hbs`<Dashboard::QuickActionsCard @secretsEngines={{this.secretsEngines}} />`);
+      render(hbs`<Dashboard::Widgets::QuickActions @secretsEngines={{this.secretsEngines}} />`);
   });
 
   hooks.afterEach(function () {
@@ -69,11 +68,11 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
     });
   });
 
-  test('it should show quick action empty state if no engine is selected', async function (assert) {
+  test('it should show quick action secrets engines super select if no engine is selected', async function (assert) {
     await this.renderComponent();
-    assert.dom('.title').hasText('Quick actions');
+    assert.dom(GENERAL.textDisplay('Quick actions')).hasText('Quick actions');
     assert.dom(GENERAL.superSelect('secrets-engines')).exists({ count: 1 });
-    assert.dom(DASHBOARD.emptyState('no-mount-selected')).exists({ count: 1 });
+    assert.dom(GENERAL.formLabel('Select secret engine mount')).hasText('Select secret engine mount');
   });
 
   test('it selects a pki role and issues a leaf certificate', async function (assert) {
@@ -85,13 +84,12 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
     await selectChoose(GENERAL.superSelect('actions'), 'Issue certificate');
 
     assert.true(this.apiStub.calledWith(backend, 'true'), 'Request made to fetch options');
-    assert.dom(DASHBOARD.emptyState('quick-actions')).doesNotExist();
-    assert.dom(DASHBOARD.subtitle('param')).hasText('Role to use');
+    assert.dom(GENERAL.formLabel('param')).hasText('Role to use');
 
     await selectChoose(GENERAL.superSelect('params'), 'some-role');
-    assert.dom(DASHBOARD.actionButton('Issue leaf certificate')).exists({ count: 1 });
+    assert.dom(GENERAL.button('Issue leaf certificate')).exists({ count: 1 });
 
-    await click(DASHBOARD.actionButton('Issue leaf certificate'));
+    await click(GENERAL.button('Issue leaf certificate'));
     const [route, backendParam, roleParam] = this.transitionStub.lastCall.args;
     assert.strictEqual(
       route,
@@ -111,12 +109,11 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
     await selectChoose(GENERAL.superSelect('actions'), 'View certificate');
 
     assert.true(this.apiStub.calledWith(backend, 'true'), 'Request made to fetch options');
-    assert.dom(DASHBOARD.emptyState('quick-actions')).doesNotExist();
-    assert.dom(DASHBOARD.subtitle('param')).hasText('Certificate serial number');
-    assert.dom(DASHBOARD.actionButton('View certificate')).exists({ count: 1 });
+    assert.dom(GENERAL.formLabel('param')).hasText('Certificate serial number');
+    assert.dom(GENERAL.button('View certificate')).exists({ count: 1 });
 
     await selectChoose(GENERAL.superSelect('params'), '.ember-power-select-option', 0);
-    await click(DASHBOARD.actionButton('View certificate'));
+    await click(GENERAL.button('View certificate'));
 
     const [route, backendParam, certParam] = this.transitionStub.lastCall.args;
     assert.strictEqual(
@@ -139,12 +136,11 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
     await selectChoose(GENERAL.superSelect('actions'), 'View issuer');
 
     assert.true(this.apiStub.calledWith(backend, 'true'), 'Request made to fetch options');
-    assert.dom(DASHBOARD.emptyState('quick-actions')).doesNotExist();
-    assert.dom(DASHBOARD.subtitle('param')).hasText('Issuer');
-    assert.dom(DASHBOARD.actionButton('View issuer')).exists({ count: 1 });
+    assert.dom(GENERAL.formLabel('param')).hasText('Issuer');
+    assert.dom(GENERAL.button('View issuer')).exists({ count: 1 });
 
     await selectChoose(GENERAL.superSelect('params'), '.ember-power-select-option', 0);
-    await click(DASHBOARD.actionButton('View issuer'));
+    await click(GENERAL.button('View issuer'));
 
     const [route, backendParam, issuerParam] = this.transitionStub.lastCall.args;
     assert.strictEqual(
@@ -168,16 +164,15 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
 
     assert.true(this.staticStub.calledWith(backend, 'true'), 'Request made to fetch static roles');
     assert.true(this.dynamicStub.calledWith(backend, 'true'), 'Request made to fetch dynamic roles');
-    assert.dom(DASHBOARD.emptyState('quick-actions')).doesNotExist();
-    assert.dom(DASHBOARD.subtitle('param')).hasText('Role to use');
-    assert.dom(DASHBOARD.actionButton('Generate credentials')).exists({ count: 1 });
+    assert.dom(GENERAL.formLabel('param')).hasText('Role to use');
+    assert.dom(GENERAL.button('Generate credentials')).exists({ count: 1 });
 
     await click(GENERAL.superSelect('params'));
     assert.dom(GENERAL.searchSelect.option(0)).hasText('static-role', 'Static roles render in dropdown');
     assert.dom(GENERAL.searchSelect.option(1)).hasText('dynamic-role', 'Dynamic roles render in dropdown');
 
     await selectChoose(GENERAL.superSelect('params'), '.ember-power-select-option', 1);
-    await click(DASHBOARD.actionButton('Generate credentials'));
+    await click(GENERAL.button('Generate credentials'));
 
     const [route, backendParam, issuerParam] = this.transitionStub.lastCall.args;
     assert.strictEqual(
@@ -198,10 +193,9 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
       'renders only kv v2, pki and db engines'
     );
     await selectChoose(GENERAL.superSelect('secrets-engines'), 'kv-v2-test');
-    assert.dom(DASHBOARD.emptyState('quick-actions')).doesNotExist();
     await selectChoose(GENERAL.superSelect('actions'), 'Find KV secrets');
-    assert.dom(DASHBOARD.kvSearchSelect).exists('Shows option to search fo KVv2 secret');
-    assert.dom(DASHBOARD.actionButton('Read secrets')).exists({ count: 1 });
+    assert.dom(GENERAL.kvSuggestion.input).exists('Shows option to search fo KVv2 secret');
+    assert.dom(GENERAL.button('Read secrets')).exists({ count: 1 });
   });
 
   test('it should render InputSearch when no items are returned for selected action', async function (assert) {
@@ -211,14 +205,13 @@ module('Integration | Component | dashboard/quick-actions-card', function (hooks
     await this.renderComponent();
     await selectChoose(GENERAL.superSelect('secrets-engines'), backend);
     await selectChoose(GENERAL.superSelect('actions'), 'Issue certificate');
-
-    assert.dom(DASHBOARD.paramInputLabel).hasText('Role to use', 'Label renders in param input');
+    assert.dom(GENERAL.formLabel('Role to use')).hasText('Role to use', 'Label renders in param input');
     assert
-      .dom(DASHBOARD.paramInput)
+      .dom(GENERAL.inputSearch('Role to use'))
       .hasAttribute('placeholder', 'Enter role name', 'Placeholder renders in param input');
 
-    await typeIn(DASHBOARD.paramInput, 'my-role');
-    await click(DASHBOARD.actionButton('Issue leaf certificate'));
+    await typeIn(GENERAL.inputSearch('Role to use'), 'my-role');
+    await click(GENERAL.button('Issue leaf certificate'));
     assert.true(
       this.transitionStub.calledWith(
         'vault.cluster.secrets.backend.pki.roles.role.generate',
diff --git a/ui/tests/integration/components/dashboard/replication-card-test.js b/ui/tests/integration/components/dashboard/widgets/replication-test.js
similarity index 51%
rename from ui/tests/integration/components/dashboard/replication-card-test.js
rename to ui/tests/integration/components/dashboard/widgets/replication-test.js
index 9ed1db6db9..7d8b5f7cfc 100644
--- a/ui/tests/integration/components/dashboard/replication-card-test.js
+++ b/ui/tests/integration/components/dashboard/widgets/replication-test.js
@@ -9,9 +9,9 @@ import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import timestamp from 'core/utils/timestamp';
-import { DASHBOARD } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
-module('Integration | Component | dashboard/replication-card', function (hooks) {
+module('Integration | Component | dashboard/widgets/replication', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
 
@@ -39,41 +39,39 @@ module('Integration | Component | dashboard/replication-card', function (hooks)
   test('it should display replication information if both dr and performance replication are enabled as features', async function (assert) {
     await render(
       hbs`
-        <Dashboard::ReplicationCard
+        <Dashboard::Widgets::Replication
           @replication={{this.replication}}
           @version={{this.version}}
           @updatedAt={{this.updatedAt}}
           @refresh={{this.refresh}} />
           `
     );
-    assert.dom(DASHBOARD.title('DR primary')).hasText('DR primary');
-    assert.dom(DASHBOARD.tooltipTitle('DR primary')).hasText('running');
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'DR primary', 'check-circle')).exists();
-    assert.dom(DASHBOARD.title('Performance primary')).hasText('Performance primary');
-    assert.dom(DASHBOARD.tooltipTitle('Performance primary')).hasText('running');
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'Performance primary', 'check-circle')).exists();
+    assert.dom(GENERAL.tableData('0', 'DR')).hasText('Disaster recovery primary Known secondaries');
+    assert.dom(GENERAL.tableData('0', 'DR value')).hasText('Running 0');
+    assert.dom(GENERAL.badge('DR')).hasClass('hds-badge--color-success');
+    assert.dom(GENERAL.tableData('1', 'Performance')).hasText('Performance replication primary');
+    assert.dom(GENERAL.tableData('1', 'Performance value')).hasText('Running');
+    assert.dom(GENERAL.badge('Performance')).hasClass('hds-badge--color-success');
   });
 
   test('it should display replication information if both dr and performance replication are enabled as features and only dr is setup', async function (assert) {
     this.replication.performance = { mode: 'disabled' };
     await render(
       hbs`
-        <Dashboard::ReplicationCard
+        <Dashboard::Widgets::Replication
           @replication={{this.replication}}
           @version={{this.version}}
           @updatedAt={{this.updatedAt}}
           @refresh={{this.refresh}} />
           `
     );
-    assert.dom(DASHBOARD.title('DR primary')).hasText('DR primary');
-    assert.dom(DASHBOARD.tooltipTitle('DR primary')).hasText('running');
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'DR primary', 'check-circle')).exists();
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'DR primary', 'check-circle')).hasClass('has-text-success');
 
-    assert.dom(DASHBOARD.title('Performance')).hasText('Performance');
-    assert.dom(DASHBOARD.tooltipTitle('Performance')).hasText('not set up');
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'Performance', 'x-circle')).exists();
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'Performance', 'x-circle')).hasClass('has-text-danger');
+    assert.dom(GENERAL.tableData('0', 'DR')).hasText('Disaster recovery primary Known secondaries');
+    assert.dom(GENERAL.tableData('0', 'DR value')).hasText('Running 0');
+    assert.dom(GENERAL.badge('DR')).hasClass('hds-badge--color-success');
+    assert.dom(GENERAL.tableData('1', 'Performance')).hasText('Performance replication');
+    assert.dom(GENERAL.tableData('1', 'Performance value')).hasText('Not set up');
+    assert.dom(GENERAL.badge('Performance')).hasClass('hds-badge--color-warning');
   });
 
   test('it should display only dr replication information if vault version only has hasDRReplication', async function (assert) {
@@ -90,23 +88,17 @@ module('Integration | Component | dashboard/replication-card', function (hooks)
     };
     await render(
       hbs`
-        <Dashboard::ReplicationCard
+        <Dashboard::Widgets::Replication
           @replication={{this.replication}}
           @version={{this.version}}
           @updatedAt={{this.updatedAt}}
           @refresh={{this.refresh}} />
           `
     );
-    assert.dom(DASHBOARD.title('state')).hasText('state');
-    assert.dom(DASHBOARD.subtext('state')).hasText('The current operating state of the cluster.');
-    assert.dom(DASHBOARD.tooltipTitle('state')).hasText('running');
-    assert.dom(DASHBOARD.tooltipIcon('dr', 'state', 'check-circle')).exists();
-    assert.dom(DASHBOARD.tooltipIcon('dr', 'state', 'check-circle')).hasClass('has-text-success');
-    assert.dom(DASHBOARD.statLabel('known secondaries')).hasText('known secondaries');
-    assert
-      .dom(DASHBOARD.statText('known secondaries'))
-      .hasText('Number of secondaries connected to this primary.');
-    assert.dom(DASHBOARD.statValue('known secondaries')).hasText('1');
+    assert.dom(GENERAL.tableData('0', 'DR')).hasText('Disaster recovery Known secondaries');
+    assert.dom(GENERAL.tableData('0', 'DR value')).hasText('Running 1');
+    assert.dom(GENERAL.badge('DR')).hasClass('hds-badge--color-success');
+    assert.dom(GENERAL.tableData('1', 'Performance')).doesNotExist();
   });
 
   test('it should show correct icons if dr and performance replication is idle or shutdown states', async function (assert) {
@@ -124,24 +116,21 @@ module('Integration | Component | dashboard/replication-card', function (hooks)
     };
     await render(
       hbs`
-        <Dashboard::ReplicationCard
+        <Dashboard::Widgets::Replication
           @replication={{this.replication}}
           @version={{this.version}}
           @updatedAt={{this.updatedAt}}
           @refresh={{this.refresh}} />
           `
     );
-    assert.dom(DASHBOARD.title('DR primary')).hasText('DR primary');
-    assert.dom(DASHBOARD.tooltipTitle('DR primary')).hasText('idle');
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'DR primary', 'x-square')).exists();
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'DR primary', 'x-square')).hasClass('has-text-danger');
 
-    assert.dom(DASHBOARD.title('Performance primary')).hasText('Performance primary');
-    assert.dom(DASHBOARD.tooltipTitle('Performance primary')).hasText('shutdown');
-    assert.dom(DASHBOARD.tooltipIcon('dr-perf', 'Performance primary', 'x-circle')).exists();
-    assert
-      .dom(DASHBOARD.tooltipIcon('dr-perf', 'Performance primary', 'x-circle'))
-      .hasClass('has-text-danger');
+    assert.dom(GENERAL.tableData('0', 'DR')).hasText('Disaster recovery primary Known secondaries');
+    assert.dom(GENERAL.tableData('0', 'DR value')).hasText('Idle 0');
+    assert.dom(GENERAL.badge('DR')).hasClass('hds-badge--color-critical');
+
+    assert.dom(GENERAL.tableData('1', 'Performance')).hasText('Performance replication primary');
+    assert.dom(GENERAL.tableData('1', 'Performance value')).hasText('Shutdown');
+    assert.dom(GENERAL.badge('Performance')).hasClass('hds-badge--color-critical');
   });
 
   test('it should show correct performance titles if primary vs secondary', async function (assert) {
@@ -158,30 +147,30 @@ module('Integration | Component | dashboard/replication-card', function (hooks)
     };
     await render(
       hbs`
-        <Dashboard::ReplicationCard
+        <Dashboard::Widgets::Replication
           @replication={{this.replication}}
           @version={{this.version}}
           @updatedAt={{this.updatedAt}}
           @refresh={{this.refresh}} />
           `
     );
-    assert.dom(DASHBOARD.title('DR primary')).hasText('DR primary');
-    assert.dom(DASHBOARD.title('Performance primary')).hasText('Performance primary');
+    assert.dom(GENERAL.tableData('0', 'DR')).hasText('Disaster recovery primary Known secondaries');
+    assert.dom(GENERAL.tableData('1', 'Performance')).hasText('Performance replication primary');
 
     this.replication.performance.mode = 'secondary';
     await render(
       hbs`
-          <Dashboard::ReplicationCard
+          <Dashboard::Widgets::Replication
             @replication={{this.replication}}
             @version={{this.version}}
             @updatedAt={{this.updatedAt}}
             @refresh={{this.refresh}} />
             `
     );
-    assert.dom(DASHBOARD.title('Performance secondary')).hasText('Performance secondary');
+    assert.dom(GENERAL.tableData('1', 'Performance')).hasText('Performance replication secondary');
   });
 
-  test('it should show empty state', async function (assert) {
+  test('it should show replication card empty table and Enable replication button', async function (assert) {
     this.replication = {
       dr: {
         clusterId: '',
@@ -192,18 +181,19 @@ module('Integration | Component | dashboard/replication-card', function (hooks)
     };
     await render(
       hbs`
-        <Dashboard::ReplicationCard
+        <Dashboard::Widgets::Replication
           @replication={{this.replication}}
           @version={{this.version}}
           @updatedAt={{this.updatedAt}}
           @refresh={{this.refresh}} />
           `
     );
-    assert.dom(DASHBOARD.emptyState('replication')).exists();
-    assert.dom(DASHBOARD.emptyStateTitle('replication')).hasText('Replication not set up');
-    assert
-      .dom(DASHBOARD.emptyStateMessage('replication'))
-      .hasText('Data will be listed here. Enable a primary replication cluster to get started.');
-    assert.dom(DASHBOARD.emptyStateActions('replication')).hasText('Enable replication');
+
+    assert.dom(GENERAL.tableData('0', 'DR')).hasText('Disaster recovery Known secondaries');
+    assert.dom(GENERAL.tableData('0', 'DR value')).hasText('Not set up 0');
+    assert.dom(GENERAL.badge('DR')).hasClass('hds-badge--color-warning');
+    assert.dom(GENERAL.tableData('1', 'Performance')).hasText('Performance replication');
+    assert.dom(GENERAL.tableData('1', 'Performance value')).hasText('Not set up');
+    assert.dom(GENERAL.badge('Performance')).hasClass('hds-badge--color-warning');
   });
 });
diff --git a/ui/tests/integration/components/dashboard/secrets-engines-card-test.js b/ui/tests/integration/components/dashboard/widgets/secrets-engines-test.js
similarity index 74%
rename from ui/tests/integration/components/dashboard/secrets-engines-card-test.js
rename to ui/tests/integration/components/dashboard/widgets/secrets-engines-test.js
index 2e35a5d901..e19592e760 100644
--- a/ui/tests/integration/components/dashboard/secrets-engines-card-test.js
+++ b/ui/tests/integration/components/dashboard/widgets/secrets-engines-test.js
@@ -7,10 +7,10 @@ import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
-import { DASHBOARD } from 'vault/tests/helpers/components/dashboard/dashboard-selectors';
 import { SECRET_ENGINE_SELECTORS as SES } from 'vault/tests/helpers/secret-engine/secret-engine-selectors';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
-module('Integration | Component | dashboard/secrets-engines-card', function (hooks) {
+module('Integration | Component | dashboard/widgets/secrets-engines', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(function () {
@@ -28,7 +28,7 @@ module('Integration | Component | dashboard/secrets-engines-card', function (hoo
   test('it should hide show all button', async function (assert) {
     this.secretsEngines = this.store.peekAll('secret-engine', {});
 
-    await render(hbs`<Dashboard::SecretsEnginesCard @secretsEngines={{this.secretsEngines}} />`);
+    await render(hbs`<Dashboard::Widgets::SecretsEngines @secretsEngines={{this.secretsEngines}} />`);
 
     // verify truncate class style exists on secret engine path text
     assert
@@ -49,7 +49,7 @@ module('Integration | Component | dashboard/secrets-engines-card', function (hoo
     });
     this.secretsEngines = this.store.peekAll('secret-engine', {});
 
-    await render(hbs`<Dashboard::SecretsEnginesCard @secretsEngines={{this.secretsEngines}} />`);
+    await render(hbs`<Dashboard::Widgets::SecretsEngines @secretsEngines={{this.secretsEngines}} />`);
     assert.dom('[data-test-secrets-engines-row="nomad"] [data-test-view]').doesNotExist();
     assert.dom(SES.secretPath('nomad-test/')).hasClass('has-text-grey');
   });
@@ -117,38 +117,25 @@ module('Integration | Component | dashboard/secrets-engines-card', function (hoo
       this.secretsEngines = this.store.peekAll('secret-engine', {});
 
       this.renderComponent = () => {
-        return render(hbs`<Dashboard::SecretsEnginesCard @secretsEngines={{this.secretsEngines}} />`);
+        return render(hbs`<Dashboard::Widgets::SecretsEngines @secretsEngines={{this.secretsEngines}} />`);
       };
     });
 
     test('it should display only five secrets engines and show help text for more than 5 engines', async function (assert) {
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardHeader('Secrets engines')).hasText('Secrets engines');
-      assert.dom(DASHBOARD.tableRow('Secrets engines')).exists({ count: 5 });
-      assert.dom('[data-test-secrets-engine-total-help-text]').exists();
-      assert
-        .dom('[data-test-secrets-engine-total-help-text]')
-        .hasText(
-          `Showing 5 out of ${this.secretsEngines.length} secret engines. Navigate to details to view more.`
-        );
+      assert.dom(GENERAL.textDisplay('Secrets engines')).hasText('Secrets engines');
+      assert.dom(`${GENERAL.table('Secrets engines')} tr`).exists({ count: 6 });
     });
 
     test('it should display the secrets engines accessor and path', async function (assert) {
       await this.renderComponent();
-      assert.dom(DASHBOARD.cardHeader('Secrets engines')).hasText('Secrets engines');
-      assert.dom(DASHBOARD.tableRow('Secrets engines')).exists({ count: 5 });
+      assert.dom(GENERAL.textDisplay('Secrets engines')).hasText('Secrets engines');
+      assert.dom(`${GENERAL.table('Secrets engines')} tr`).exists({ count: 6 });
 
       this.secretsEngines.slice(0, 5).forEach((engine) => {
-        assert.dom(DASHBOARD.secretsEnginesCard.secretEngineAccessorRow(engine.id)).hasText(engine.accessor);
-        if (engine.description) {
-          assert
-            .dom(DASHBOARD.secretsEnginesCard.secretEngineDescription(engine.id))
-            .hasText(engine.description);
-        } else {
-          assert
-            .dom(DASHBOARD.secretsEnginesCard.secretEngineDescription(engine.id))
-            .doesNotExist(engine.description);
-        }
+        assert
+          .dom(GENERAL.tableRow(engine.id))
+          .hasText(`${engine.type} type backend ${engine.path} ${engine.type} ${engine.accessor}`);
       });
     });
 
diff --git a/ui/tests/integration/components/database-role-edit-test.js b/ui/tests/integration/components/database-role-edit-test.js
index 83961ce02b..a344eb9173 100644
--- a/ui/tests/integration/components/database-role-edit-test.js
+++ b/ui/tests/integration/components/database-role-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
@@ -40,6 +40,7 @@ module('Integration | Component | database-role-edit', function (hooks) {
     this.store.pushPayload('database-role', {
       modelName: 'database/role',
       database: ['my-mongodb-database'],
+      backend: 'database',
       id: 'test-role',
       type: 'static',
       name: 'test-role',
@@ -47,12 +48,18 @@ module('Integration | Component | database-role-edit', function (hooks) {
     this.modelStatic = this.store.peekRecord('database/role', 'my-static-role');
     this.modelDynamic = this.store.peekRecord('database/role', 'my-dynamic-role');
     this.modelEmpty = this.store.peekRecord('database/role', 'test-role');
+    this.root = {
+      label: 'database',
+      text: 'database',
+      path: 'vault.cluster.secrets.backend.list-root',
+      model: 'database',
+    };
   });
 
   test('it should display form errors when trying to create a role without required fields', async function (assert) {
     this.server.post('/sys/capabilities-self', capabilitiesStub('database/static-creds/my-role', ['create']));
 
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelEmpty}} @mode="create"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelEmpty}} @root={{this.root}} @mode="create"/>`);
     await click(GENERAL.submitButton);
 
     assert.dom('[data-test-inline-error-message]').exists('Inline form errors exist');
@@ -73,7 +80,7 @@ module('Integration | Component | database-role-edit', function (hooks) {
       );
     });
 
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="edit"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="edit"/>`);
     await fillIn('[data-test-ttl-value="Rotation period"]', '20');
     await click(GENERAL.submitButton);
   });
@@ -96,14 +103,12 @@ module('Integration | Component | database-role-edit', function (hooks) {
       );
     });
 
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="create"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="create"/>`);
     await fillIn(GENERAL.ttl.input('Rotation period'), '2');
     await click(GENERAL.toggleInput('toggle-skip_import_rotation'));
     await fillIn(GENERAL.inputByAttr('password'), 'testPassword'); // fill in password field
 
-    await click(GENERAL.submitButton);
-
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="show"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="show"/>`);
     assert.dom(GENERAL.infoRowValue('Rotate immediately')).containsText('No');
     assert.dom(GENERAL.infoRowValue('password')).doesNotExist(); // verify password field doesn't show on details view
   });
@@ -112,7 +117,7 @@ module('Integration | Component | database-role-edit', function (hooks) {
     this.version.type = 'enterprise';
     this.server.post('/sys/capabilities-self', capabilitiesStub('database/static-creds/my-role', ['update']));
 
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="edit"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="edit"/>`);
     assert.dom(GENERAL.icon('edit')).exists(); // verify password field is enabled for edit & enable button is rendered bc role hasn't been rotated
   });
 
@@ -121,7 +126,7 @@ module('Integration | Component | database-role-edit', function (hooks) {
     this.server.post('/sys/capabilities-self', capabilitiesStub('database/static-creds/my-role', ['update']));
 
     this.modelStatic.last_vault_rotation = '2025-04-21T12:51:59.063124-04:00'; // Setting a sample rotation time here to simulate what returns from BE after rotation
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="edit"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="edit"/>`);
     assert.dom(GENERAL.icon('edit')).doesNotExist(); // verify password field is disabled for edit & enable button isn't rendered bc role has already been rotated
   });
 
@@ -129,25 +134,25 @@ module('Integration | Component | database-role-edit', function (hooks) {
     this.version.type = 'enterprise';
     this.server.post('/sys/capabilities-self', capabilitiesStub('database/static-creds/my-role', ['create']));
 
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="create"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="create"/>`);
     await click(GENERAL.submitButton);
 
     assert.dom('[data-test-issuer-warning]').exists(); // check if warning modal shows after clicking save
     await click('[data-test-issuer-save]'); // click continue button on modal
 
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="show"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="show"/>`);
     assert.dom(GENERAL.infoRowValue('Rotate immediately')).containsText('Yes');
   });
 
   test('it should show Get credentials button when a user has the correct policy', async function (assert) {
     this.server.post('/sys/capabilities-self', capabilitiesStub('database/static-creds/my-role', ['read']));
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @mode="show"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelStatic}} @root={{this.root}} @mode="show"/>`);
     assert.dom(GENERAL.button('static')).exists('Get credentials button exists');
   });
 
   test('it should show Generate credentials button when a user has the correct policy', async function (assert) {
     this.server.post('/sys/capabilities-self', capabilitiesStub('database/creds/my-role', ['read']));
-    await render(hbs`<DatabaseRoleEdit @model={{this.modelDynamic}} @mode="show"/>`);
+    await render(hbs`<DatabaseRoleEdit @model={{this.modelDynamic}} @root={{this.root}} @mode="show"/>`);
     assert.dom(GENERAL.button('dynamic')).exists('Generate credentials button exists');
   });
 });
diff --git a/ui/tests/integration/components/database-role-setting-form-test.js b/ui/tests/integration/components/database-role-setting-form-test.js
index fac274e1cd..6e3d606490 100644
--- a/ui/tests/integration/components/database-role-setting-form-test.js
+++ b/ui/tests/integration/components/database-role-setting-form-test.js
@@ -5,7 +5,7 @@
 
 import EmberObject from '@ember/object';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
diff --git a/ui/tests/integration/components/disabled-plugin-card-test.js b/ui/tests/integration/components/disabled-plugin-card-test.js
index 882ca78c3d..bd1c214768 100644
--- a/ui/tests/integration/components/disabled-plugin-card-test.js
+++ b/ui/tests/integration/components/disabled-plugin-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, triggerKeyEvent } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -25,8 +25,8 @@ module('Integration | Component | disabled-plugin-card', function (hooks) {
 
   test('it renders disabled plugin card', async function (assert) {
     await render(hbs`
-      <DisabledPluginCard 
-        @type={{this.type}} 
+      <DisabledPluginCard
+        @type={{this.type}}
         @handleDisabledPluginClick={{this.handleDisabledPluginClick}}
         @handleDisabledPluginKeyDown={{this.handleDisabledPluginKeyDown}}
       />
@@ -44,8 +44,8 @@ module('Integration | Component | disabled-plugin-card', function (hooks) {
 
   test('it handles click events', async function (assert) {
     await render(hbs`
-      <DisabledPluginCard 
-        @type={{this.type}} 
+      <DisabledPluginCard
+        @type={{this.type}}
         @handleDisabledPluginClick={{this.handleDisabledPluginClick}}
         @handleDisabledPluginKeyDown={{this.handleDisabledPluginKeyDown}}
       />
@@ -59,8 +59,8 @@ module('Integration | Component | disabled-plugin-card', function (hooks) {
 
   test('it handles keyboard events', async function (assert) {
     await render(hbs`
-      <DisabledPluginCard 
-        @type={{this.type}} 
+      <DisabledPluginCard
+        @type={{this.type}}
         @handleDisabledPluginClick={{this.handleDisabledPluginClick}}
         @handleDisabledPluginKeyDown={{this.handleDisabledPluginKeyDown}}
       />
@@ -79,8 +79,8 @@ module('Integration | Component | disabled-plugin-card', function (hooks) {
     };
 
     await render(hbs`
-      <DisabledPluginCard 
-        @type={{this.type}} 
+      <DisabledPluginCard
+        @type={{this.type}}
         @handleDisabledPluginClick={{this.handleDisabledPluginClick}}
         @handleDisabledPluginKeyDown={{this.handleDisabledPluginKeyDown}}
       />
@@ -94,8 +94,8 @@ module('Integration | Component | disabled-plugin-card', function (hooks) {
 
   test('it renders and displays plugin information correctly', async function (assert) {
     await render(hbs`
-      <DisabledPluginCard 
-        @type={{this.type}} 
+      <DisabledPluginCard
+        @type={{this.type}}
         @handleDisabledPluginClick={{this.handleDisabledPluginClick}}
         @handleDisabledPluginKeyDown={{this.handleDisabledPluginKeyDown}}
       />
diff --git a/ui/tests/integration/components/download-button-test.js b/ui/tests/integration/components/download-button-test.js
index e689dd45a9..db78fc9b43 100644
--- a/ui/tests/integration/components/download-button-test.js
+++ b/ui/tests/integration/components/download-button-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render, resetOnerror, setupOnerror } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/edit-form-test.js b/ui/tests/integration/components/edit-form-test.js
index 49967895d6..92b5fb6760 100644
--- a/ui/tests/integration/components/edit-form-test.js
+++ b/ui/tests/integration/components/edit-form-test.js
@@ -5,7 +5,7 @@
 
 import EmberObject from '@ember/object';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/empty-state-test.js b/ui/tests/integration/components/empty-state-test.js
deleted file mode 100644
index 546f80df39..0000000000
--- a/ui/tests/integration/components/empty-state-test.js
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-
-module('Integration | Component | empty-state', function (hooks) {
-  setupRenderingTest(hooks);
-
-  test('it renders', async function (assert) {
-    // Set any properties with this.set('myProperty', 'value');
-    // Handle any actions with this.set('myAction', function(val) { ... });
-
-    await render(hbs`{{empty-state}}`);
-
-    assert.dom(this.element).hasText('');
-
-    // Template block usage:
-    await render(hbs`
-      <EmptyState @title="Empty State Title" @message="This is the empty state message">
-        Actions Link
-      </EmptyState>
-    `);
-
-    assert.dom('.empty-state-title').hasText('Empty State Title', 'renders empty state title');
-    assert
-      .dom('.empty-state-message')
-      .hasText('This is the empty state message', 'renders empty state message');
-    assert.dom('.empty-state-actions').hasText('Actions Link', 'renders empty state actions');
-  });
-});
diff --git a/ui/tests/integration/components/enabled-plugin-card-test.js b/ui/tests/integration/components/enabled-plugin-card-test.js
index 801505f225..eb211f0e82 100644
--- a/ui/tests/integration/components/enabled-plugin-card-test.js
+++ b/ui/tests/integration/components/enabled-plugin-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, triggerKeyEvent } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/certificate-card-test.js b/ui/tests/integration/components/encoded-data-card-test.js
similarity index 65%
rename from ui/tests/integration/components/certificate-card-test.js
rename to ui/tests/integration/components/encoded-data-card-test.js
index ed41d10df8..0872d98037 100644
--- a/ui/tests/integration/components/certificate-card-test.js
+++ b/ui/tests/integration/components/encoded-data-card-test.js
@@ -14,21 +14,19 @@ import sinon from 'sinon';
 const SELECTORS = {
   label: '[data-test-certificate-label]',
   value: '[data-test-certificate-value]',
-  icon: '[data-test-certificate-icon]',
-  copyIcon: '[data-test-icon="clipboard-copy"]',
 };
 const { rootPem, rootDer } = CERTIFICATES;
 
-module('Integration | Component | certificate-card', function (hooks) {
+module('Integration | Component | encoded-data-card', function (hooks) {
   setupRenderingTest(hooks);
 
   test('it renders', async function (assert) {
-    await render(hbs`<CertificateCard />`);
+    await render(hbs`<EncodedDataCard />`);
 
     assert.dom(SELECTORS.label).hasNoText('There is no label because there is no value');
     assert.dom(SELECTORS.value).hasNoText('There is no value because none was provided');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
-    assert.dom(SELECTORS.copyIcon).exists('The copy icon renders');
+    assert.dom(GENERAL.icon('transform-data')).exists('The encoded data icon exists');
+    assert.dom(GENERAL.icon('clipboard-copy')).exists('The copy icon renders');
   });
 
   test('it renders with an example PEM Certificate', async function (assert) {
@@ -36,11 +34,11 @@ module('Integration | Component | certificate-card', function (hooks) {
     const clipboardSpy = sinon.stub(navigator.clipboard, 'writeText').resolves();
 
     this.certificate = rootPem;
-    await render(hbs`<CertificateCard @data={{this.certificate}} />`);
+    await render(hbs`<EncodedDataCard @data={{this.certificate}} />`);
 
     assert.dom(SELECTORS.label).hasText('PEM Format', 'The label text is PEM Format');
     assert.dom(SELECTORS.value).hasText(this.certificate, 'The data rendered is correct');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
+    assert.dom(GENERAL.icon('certificate')).exists('The certificate icon renders for PEM formats');
 
     await click(GENERAL.copyButton);
     assert.true(clipboardSpy.calledOnce, 'Clipboard was called once');
@@ -53,16 +51,16 @@ module('Integration | Component | certificate-card', function (hooks) {
     clipboardSpy.restore(); // cleanup
   });
 
-  test('it renders with an example DER Certificate', async function (assert) {
+  test('it renders with encoded non-PEM data', async function (assert) {
     // Sinon spy for clipboard
     const clipboardSpy = sinon.stub(navigator.clipboard, 'writeText').resolves();
 
     this.certificate = rootDer;
-    await render(hbs`<CertificateCard @data={{this.certificate}} />`);
+    await render(hbs`<EncodedDataCard @data={{this.certificate}} />`);
 
-    assert.dom(SELECTORS.label).hasText('DER Format', 'The label text is DER Format');
+    assert.dom(SELECTORS.label).hasText('Encoded Data', 'The label text is Encoded Data');
     assert.dom(SELECTORS.value).hasText(this.certificate, 'The data rendered is correct');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
+    assert.dom(GENERAL.icon('transform-data')).exists('The encoded data icon renders for non-pem');
 
     await click(GENERAL.copyButton);
     assert.true(clipboardSpy.calledOnce, 'Clipboard was called once');
@@ -77,9 +75,10 @@ module('Integration | Component | certificate-card', function (hooks) {
 
   test('it renders with the PEM Format label regardless of the value provided when @isPem is true', async function (assert) {
     this.certificate = 'example-certificate-text';
-    await render(hbs`<CertificateCard @data={{this.certificate}} @isPem={{true}}/>`);
+    await render(hbs`<EncodedDataCard @data={{this.certificate}} @isPem={{true}}/>`);
 
     assert.dom(SELECTORS.label).hasText('PEM Format', 'The label text is PEM Format');
+    assert.dom(GENERAL.icon('certificate')).exists('certificate icon renders');
     assert.dom(SELECTORS.value).hasText(this.certificate, 'The data rendered is correct');
   });
 
@@ -92,11 +91,11 @@ module('Integration | Component | certificate-card', function (hooks) {
       '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBA...\n-----END RSA PRIVATE KEY-----\n',
     ];
 
-    await render(hbs`<CertificateCard @data={{this.caChain}} />`);
+    await render(hbs`<EncodedDataCard @data={{this.caChain}} />`);
 
     assert.dom(SELECTORS.label).hasText('PEM Format', 'The label text is PEM Format');
     assert.dom(SELECTORS.value).hasText(this.caChain.join(','), 'The data rendered is correct');
-    assert.dom(SELECTORS.icon).exists('The certificate icon exists');
+    assert.dom(GENERAL.icon('certificate')).exists('The certificate icon exists');
 
     await click(GENERAL.copyButton);
     assert.true(clipboardSpy.calledOnce, 'Clipboard was called once');
@@ -108,4 +107,24 @@ module('Integration | Component | certificate-card', function (hooks) {
     // Restore original clipboard
     clipboardSpy.restore(); // cleanup
   });
+
+  test('it stringifies object data for copy', async function (assert) {
+    const clipboardSpy = sinon.stub(navigator.clipboard, 'writeText').resolves();
+
+    this.payload = { format: 'pkcs12', value: 'ZmFrZS1iYXNlNjQ=' };
+    await render(hbs`<EncodedDataCard @data={{this.payload}} />`);
+
+    assert.dom(SELECTORS.label).hasText('Encoded Data', 'The label text is Encoded Data for object payloads');
+    assert.dom(SELECTORS.encodedIcon).exists('The encoded data icon exists');
+
+    await click(GENERAL.copyButton);
+    assert.true(clipboardSpy.calledOnce, 'Clipboard was called once');
+    assert.strictEqual(
+      clipboardSpy.firstCall.args[0],
+      JSON.stringify(this.payload),
+      'copy value is object converted to a JSON string'
+    );
+
+    clipboardSpy.restore();
+  });
 });
diff --git a/ui/tests/integration/components/filter-input-explicit-test.js b/ui/tests/integration/components/filter-input-explicit-test.js
index bb4767a400..2f25b36961 100644
--- a/ui/tests/integration/components/filter-input-explicit-test.js
+++ b/ui/tests/integration/components/filter-input-explicit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, typeIn, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/filter-input-test.js b/ui/tests/integration/components/filter-input-test.js
index 2614a9dc06..57b26f381c 100644
--- a/ui/tests/integration/components/filter-input-test.js
+++ b/ui/tests/integration/components/filter-input-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/form-field-label-test.js b/ui/tests/integration/components/form-field-label-test.js
index 7fde80e63d..f37462fca3 100644
--- a/ui/tests/integration/components/form-field-label-test.js
+++ b/ui/tests/integration/components/form-field-label-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/form-field-test.js b/ui/tests/integration/components/form-field-test.js
index 93506a1b10..cf2e2976be 100644
--- a/ui/tests/integration/components/form-field-test.js
+++ b/ui/tests/integration/components/form-field-test.js
@@ -5,7 +5,7 @@
 
 import EmberObject from '@ember/object';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, findAll, setupOnerror, waitFor } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { create } from 'ember-cli-page-object';
@@ -791,6 +791,143 @@ module('Integration | Component | form field', function (hooks) {
       .hasText('Warning message #1 Warning message #2', 'Validation warnings are combined');
   });
 
+  test('it renders: editType=select / possibleValues - with grouped options (optgroups)', async function (assert) {
+    const groupedValues = [
+      {
+        group: 'Group A',
+        options: [
+          { value: 'a1', displayName: 'Option A1' },
+          { value: 'a2', displayName: 'Option A2' },
+        ],
+      },
+      {
+        group: 'Group B',
+        options: [
+          { value: 'b1', displayName: 'Option B1' },
+          { value: 'b2', displayName: 'Option B2' },
+        ],
+      },
+    ];
+    const [model, spy] = await setup.call(
+      this,
+      createAttr('region', 'string', { editType: 'select', possibleValues: groupedValues })
+    );
+
+    assert.dom('select').exists('renders select element');
+    assert.dom('optgroup').exists({ count: 2 }, 'renders two optgroups');
+    assert.dom('optgroup[label="Group A"]').exists('renders first optgroup with correct label');
+    assert.dom('optgroup[label="Group B"]').exists('renders second optgroup with correct label');
+    assert.dom('optgroup[label="Group A"] option').exists({ count: 2 }, 'first optgroup has two options');
+    assert.dom('optgroup[label="Group B"] option').exists({ count: 2 }, 'second optgroup has two options');
+    assert
+      .dom('optgroup[label="Group A"] option[value="a1"]')
+      .hasText('Option A1', 'first option displays correct text');
+    assert
+      .dom('optgroup[label="Group A"] option[value="a2"]')
+      .hasText('Option A2', 'second option displays correct text');
+
+    assert.dom(GENERAL.inputByAttr('region')).hasValue('a1', 'has first option value selected by default');
+    await fillIn(GENERAL.inputByAttr('region'), 'b2');
+    assert.dom(GENERAL.inputByAttr('region')).hasValue('b2', 'has selected option value from second group');
+    assert.strictEqual(model.get('region'), 'b2');
+    assert.ok(spy.calledWith('region', 'b2'), 'onChange called with correct args');
+  });
+
+  test('it renders: editType=select / possibleValues - with grouped options and noDefault', async function (assert) {
+    const groupedValues = [
+      {
+        group: 'US Regions',
+        options: [
+          { value: 'us-east-1', displayName: 'N. Virginia (us-east-1)' },
+          { value: 'us-west-2', displayName: 'Oregon (us-west-2)' },
+        ],
+      },
+      {
+        group: 'EU Regions',
+        options: [
+          { value: 'eu-west-1', displayName: 'Ireland (eu-west-1)' },
+          { value: 'eu-central-1', displayName: 'Frankfurt (eu-central-1)' },
+        ],
+      },
+    ];
+    const [model, spy] = await setup.call(
+      this,
+      createAttr('region', 'string', { editType: 'select', possibleValues: groupedValues, noDefault: true })
+    );
+
+    assert.dom('select').exists('renders select element');
+    assert.dom('option[value=""]').exists('renders blank option when noDefault is true');
+    assert.dom('optgroup').exists({ count: 2 }, 'renders two optgroups');
+    assert.dom(GENERAL.inputByAttr('region')).hasValue('', 'has no initial value with noDefault');
+
+    await fillIn(GENERAL.inputByAttr('region'), 'eu-west-1');
+    assert.dom(GENERAL.inputByAttr('region')).hasValue('eu-west-1', 'can select option from second group');
+    assert.strictEqual(model.get('region'), 'eu-west-1');
+    assert.ok(spy.calledWith('region', 'eu-west-1'), 'onChange called with correct args');
+
+    await fillIn(GENERAL.inputByAttr('region'), '');
+    assert.dom(GENERAL.inputByAttr('region')).hasValue('', 'can select blank option');
+    assert.strictEqual(model.get('region'), '');
+    assert.ok(spy.calledWith('region', ''), 'onChange called with empty string');
+  });
+
+  test('it renders: editType=select / possibleValues - with grouped options and defaultValue', async function (assert) {
+    const groupedValues = [
+      {
+        group: 'Group A',
+        options: [
+          { value: 'a1', displayName: 'Option A1' },
+          { value: 'a2', displayName: 'Option A2' },
+        ],
+      },
+      {
+        group: 'Group B',
+        options: [
+          { value: 'b1', displayName: 'Option B1' },
+          { value: 'b2', displayName: 'Option B2' },
+        ],
+      },
+    ];
+    const [model, spy] = await setup.call(
+      this,
+      createAttr('region', 'string', {
+        editType: 'select',
+        possibleValues: groupedValues,
+        defaultValue: 'b1',
+      })
+    );
+
+    assert.dom(GENERAL.inputByAttr('region')).hasValue('b1', 'has default value from second group selected');
+    await fillIn(GENERAL.inputByAttr('region'), 'a2');
+    assert.dom(GENERAL.inputByAttr('region')).hasValue('a2', 'can change to option from first group');
+    assert.strictEqual(model.get('region'), 'a2');
+    assert.ok(spy.calledWith('region', 'a2'), 'onChange called with correct args');
+  });
+
+  test('it renders: editType=select / possibleValues - grouped options with simple string values', async function (assert) {
+    const groupedValues = [
+      {
+        group: 'Colors',
+        options: [{ value: 'red' }, { value: 'blue' }],
+      },
+      {
+        group: 'Sizes',
+        options: [{ value: 'small' }, { value: 'large' }],
+      },
+    ];
+    const [model] = await setup.call(
+      this,
+      createAttr('choice', 'string', { editType: 'select', possibleValues: groupedValues })
+    );
+
+    assert.dom('optgroup[label="Colors"] option[value="red"]').hasText('red', 'displays value as text');
+    assert.dom('optgroup[label="Sizes"] option[value="large"]').hasText('large', 'displays value as text');
+    assert.dom(GENERAL.inputByAttr('choice')).hasValue('red', 'has first option selected');
+
+    await fillIn(GENERAL.inputByAttr('choice'), 'large');
+    assert.strictEqual(model.get('choice'), 'large', 'model updated with selected value');
+  });
+
   // ––––– editType === 'datetime-local' –––––
 
   test('it renders: editType=dateTimeLocal - as Hds::Form::TextInput [@type=datetime-local]', async function (assert) {
diff --git a/ui/tests/integration/components/form/v2/apply-test.js b/ui/tests/integration/components/form/v2/apply-test.js
new file mode 100644
index 0000000000..0ab0ea777e
--- /dev/null
+++ b/ui/tests/integration/components/form/v2/apply-test.js
@@ -0,0 +1,295 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { click, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { module, test } from 'qunit';
+import sinon from 'sinon';
+import V2Form from 'vault/forms/v2/v2-form';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+
+module('Integration | Component | form/v2/apply', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    // Create a minimal FormConfig for testing
+    const formConfig = {
+      name: 'test-resource',
+      path: '/v1/test/resource',
+      title: 'Test Resource',
+      payload: {
+        name: 'test-name',
+        description: 'test-description',
+      },
+      submit: sinon.stub().resolves({ id: 'test-123' }),
+      sections: [
+        {
+          name: 'basic',
+          fields: [
+            {
+              name: 'name',
+              label: 'Name',
+              type: 'TextInput',
+            },
+          ],
+        },
+      ],
+    };
+
+    this.form = new V2Form(formConfig);
+    this.onBack = sinon.spy();
+    this.onApply = sinon.spy();
+    this.onDone = sinon.spy();
+  });
+
+  test('it renders the apply component', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    assert.dom(GENERAL.textDisplay('Step title')).hasText('Choose your implementation method');
+    assert.dom('.hds-form-radio-card').exists({ count: 3 }, 'renders three creation method options');
+  });
+
+  test('it renders Terraform as the default selected option', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const radios = this.element.querySelectorAll('input[type="radio"]');
+    assert.true(radios[0].checked, 'Terraform option (first radio) is checked by default');
+  });
+
+  test('it shows Terraform code snippet by default', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    assert.dom(GENERAL.fieldByAttr('terraform')).exists('Terraform code block is rendered');
+    assert.dom('.hds-code-block').exists('Code block component is rendered');
+  });
+
+  test('it allows changing to API/CLI creation method', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const radios = this.element.querySelectorAll('input[type="radio"]');
+    await click(radios[1]); // API/CLI is second option
+
+    assert.true(radios[1].checked, 'API/CLI option is now checked');
+    // API/CLI shows code snippets too, just not the Terraform-specific download button
+    const buttons = this.element.querySelectorAll('button');
+    const downloadButton = Array.from(buttons).find((btn) => btn.textContent.includes('Export as tf file'));
+    assert.notOk(downloadButton, 'Terraform download button is hidden for API/CLI');
+  });
+
+  test('it allows changing to UI workflow method', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const radios = this.element.querySelectorAll('input[type="radio"]');
+    await click(radios[2]); // UI workflow is third option
+
+    assert.true(radios[2].checked, 'UI workflow option is now checked');
+    assert.dom('.hds-code-block').doesNotExist('Code snippets are hidden for UI workflow');
+  });
+
+  test('it shows Apply changes button only for UI workflow', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    // Initially on Terraform - no Apply button
+    let buttons = this.element.querySelectorAll('button');
+    let applyButton = Array.from(buttons).find((btn) => btn.textContent.includes('Apply changes'));
+    assert.notOk(applyButton, 'Apply changes button not shown for Terraform');
+
+    // Switch to UI workflow
+    const radios = this.element.querySelectorAll('input[type="radio"]');
+    await click(radios[2]); // UI workflow is third option
+
+    buttons = this.element.querySelectorAll('button');
+    applyButton = Array.from(buttons).find((btn) => btn.textContent.includes('Apply changes'));
+    assert.ok(applyButton, 'Apply changes button shown for UI workflow');
+  });
+
+  test('it always shows Back and Done buttons', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const buttons = this.element.querySelectorAll('button');
+    const backButton = Array.from(buttons).find((btn) => btn.textContent.includes('Back'));
+    const doneButton = Array.from(buttons).find((btn) => btn.textContent.includes('Done & exit'));
+
+    assert.ok(backButton, 'Back button is rendered');
+    assert.ok(doneButton, 'Done & exit button is rendered');
+  });
+
+  test('it calls onBack when Back button is clicked', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const buttons = this.element.querySelectorAll('button');
+    const backButton = Array.from(buttons).find((btn) => btn.textContent.includes('Back'));
+    await click(backButton);
+
+    assert.ok(this.onBack.calledOnce, 'onBack callback was called');
+  });
+
+  test('it calls onDone when Done button is clicked', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const buttons = this.element.querySelectorAll('button');
+    const doneButton = Array.from(buttons).find((btn) => btn.textContent.includes('Done & exit'));
+    await click(doneButton);
+
+    assert.ok(this.onDone.calledOnce, 'onDone callback was called');
+  });
+
+  test('it calls onApply when Apply changes button is clicked', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    // Switch to UI workflow to show Apply button
+    const radios = this.element.querySelectorAll('input[type="radio"]');
+    await click(radios[2]); // UI workflow is third option
+
+    const buttons = this.element.querySelectorAll('button');
+    const applyButton = Array.from(buttons).find((btn) => btn.textContent.includes('Apply changes'));
+    await click(applyButton);
+
+    assert.ok(this.onApply.calledOnce, 'onApply callback was called');
+  });
+
+  test('it shows download button for Terraform snippet', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const buttons = this.element.querySelectorAll('button');
+    const downloadButton = Array.from(buttons).find((btn) => btn.textContent.includes('Export as tf file'));
+    assert.ok(downloadButton, 'Download button is rendered for Terraform');
+  });
+
+  test('it hides download button for API/CLI method', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    const radios = this.element.querySelectorAll('input[type="radio"]');
+    await click(radios[1]); // API/CLI is second option
+
+    const buttons = this.element.querySelectorAll('button');
+    const downloadButton = Array.from(buttons).find((btn) => btn.textContent.includes('Export as tf file'));
+    assert.notOk(downloadButton, 'Download button is not shown for API/CLI');
+  });
+
+  test('it shows appropriate descriptions for each creation method', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    // Check for description text in the rendered cards
+    assert.dom('.hds-form-radio-card').exists({ count: 3 }, 'Three radio cards rendered');
+    assert.dom(this.element).includesText('Infrastructure as Code', 'Terraform description present');
+    assert.dom(this.element).includesText('Vault CLI or REST API', 'API/CLI description present');
+    assert.dom(this.element).includesText('Apply changes immediately', 'UI workflow description present');
+  });
+
+  test('it shows edit configuration section for non-UI methods', async function (assert) {
+    await render(hbs`
+      <Form::V2::Apply
+        @form={{this.form}}
+        @onBack={{this.onBack}}
+        @onApply={{this.onApply}}
+        @onDone={{this.onDone}}
+      />
+    `);
+
+    // Terraform (default) should show edit configuration
+    assert.dom('h2').includesText('Edit configuration', 'Edit configuration section shown for Terraform');
+
+    // Switch to UI workflow
+    const radios = this.element.querySelectorAll('input[type="radio"]');
+    await click(radios[2]); // UI workflow is third option
+
+    const headings = this.element.querySelectorAll('h2');
+    const editConfigHeading = Array.from(headings).find((h) => h.textContent.includes('Edit configuration'));
+    assert.notOk(editConfigHeading, 'Edit configuration section hidden for UI workflow');
+  });
+});
diff --git a/ui/tests/integration/components/form/v2/error-alert-test.js b/ui/tests/integration/components/form/v2/error-alert-test.js
new file mode 100644
index 0000000000..7baaae0a65
--- /dev/null
+++ b/ui/tests/integration/components/form/v2/error-alert-test.js
@@ -0,0 +1,47 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+
+module('Integration | Component | form/v2/error-alert', function (hooks) {
+  setupRenderingTest(hooks);
+
+  test('it renders the default title and error message', async function (assert) {
+    this.error = 'Something went wrong';
+
+    await render(hbs`
+      <Form::V2::ErrorAlert @error={{this.error}} />
+    `);
+
+    assert.dom('.hds-alert').exists('renders alert');
+    assert.dom('.hds-alert__title').hasText('Submission error', 'renders default title');
+    assert.dom('.hds-alert__description').hasText('Something went wrong', 'renders error message');
+  });
+
+  test('it renders a custom title', async function (assert) {
+    this.error = 'Configuration failed';
+    this.title = 'Configuration Error';
+
+    await render(hbs`
+      <Form::V2::ErrorAlert @error={{this.error}} @title={{this.title}} />
+    `);
+
+    assert.dom('.hds-alert__title').hasText('Configuration Error', 'renders custom title');
+    assert.dom('.hds-alert__description').hasText('Configuration failed', 'renders error message');
+  });
+
+  test('it renders without an error message', async function (assert) {
+    await render(hbs`
+      <Form::V2::ErrorAlert />
+    `);
+
+    assert.dom('.hds-alert').exists('renders alert');
+    assert.dom('.hds-alert__title').hasText('Submission error', 'renders default title');
+    assert.dom('.hds-alert__description').hasText('', 'renders empty description');
+  });
+});
diff --git a/ui/tests/integration/components/form/v2/field-test.js b/ui/tests/integration/components/form/v2/field-test.js
new file mode 100644
index 0000000000..d6e59fed2b
--- /dev/null
+++ b/ui/tests/integration/components/form/v2/field-test.js
@@ -0,0 +1,327 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { module, test } from 'qunit';
+import sinon from 'sinon';
+import { setupRenderingTest } from 'vault/tests/helpers';
+
+module('Integration | Component | form/v2/field', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.onChange = sinon.spy();
+  });
+
+  test('it renders a text input field', async function (assert) {
+    this.field = {
+      name: 'username',
+      label: 'Username',
+      type: 'TextInput',
+      helperText: 'Enter your username',
+    };
+    this.value = 'test-user';
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('label').includesText('Username', 'renders label');
+    assert.dom('input[type="text"]').exists('renders text input');
+    assert.dom('.hds-form-helper-text').includesText('Enter your username', 'renders helper text');
+  });
+
+  test('it renders a TextInput email variant', async function (assert) {
+    this.field = {
+      name: 'email',
+      label: 'Email',
+      type: 'TextInput',
+      inputType: 'email',
+    };
+    this.value = 'person@example.com';
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('input[type="email"]').exists('renders email input type');
+  });
+
+  test('it renders a TextInput password variant', async function (assert) {
+    this.field = {
+      name: 'password',
+      label: 'Password',
+      type: 'TextInput',
+      inputType: 'password',
+    };
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('input[type="password"]').exists('renders password input type');
+  });
+
+  test('it renders validation errors', async function (assert) {
+    this.field = {
+      name: 'password',
+      label: 'Password',
+      type: 'TextInput',
+    };
+    this.errors = ['Password is required'];
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @errors={{this.errors}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('.hds-form-error__message').includesText('Password is required', 'renders error message');
+  });
+
+  test('it renders a textarea field', async function (assert) {
+    this.field = {
+      name: 'description',
+      label: 'Description',
+      type: 'TextArea',
+      helperText: 'Enter a detailed description',
+    };
+    this.value = 'Multi-line\ntext content';
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('label').includesText('Description', 'renders label');
+    assert.dom('textarea').exists('renders textarea');
+    assert.dom('.hds-form-helper-text').includesText('Enter a detailed description', 'renders helper text');
+  });
+
+  test('it renders a toggle field', async function (assert) {
+    this.field = {
+      name: 'enabled',
+      label: 'Enable feature',
+      type: 'Toggle',
+      helperText: 'Turn this on to enable the feature',
+    };
+    this.value = true;
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('label').includesText('Enable feature', 'renders label');
+    assert.dom('input[type="checkbox"]').exists('renders toggle');
+    assert
+      .dom('.hds-form-helper-text')
+      .includesText('Turn this on to enable the feature', 'renders helper text');
+  });
+
+  test('it renders a checkbox field', async function (assert) {
+    this.field = {
+      name: 'agree',
+      label: 'I agree to the terms',
+      type: 'Checkbox',
+    };
+    this.value = false;
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('label').includesText('I agree to the terms', 'renders label');
+    assert.dom('input[type="checkbox"]').exists('renders checkbox');
+  });
+
+  test('it renders a radio group', async function (assert) {
+    this.field = {
+      name: 'size',
+      label: 'Select size',
+      type: 'Radio',
+      options: [
+        { label: 'Small', value: 'small' },
+        { label: 'Medium', value: 'medium' },
+        { label: 'Large', value: 'large' },
+      ],
+    };
+    this.value = 'medium';
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('legend').includesText('Select size', 'renders legend');
+    assert.dom('input[type="radio"]').exists({ count: 3 }, 'renders radio options');
+  });
+
+  test('it renders radio cards', async function (assert) {
+    this.field = {
+      name: 'plan',
+      label: 'Choose a plan',
+      type: 'RadioCard',
+      options: [
+        { label: 'Basic', value: 'basic', description: 'For small teams' },
+        { label: 'Pro', value: 'pro', description: 'For growing teams' },
+        { label: 'Enterprise', value: 'enterprise', description: 'For large organizations' },
+      ],
+    };
+    this.value = 'pro';
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('legend').includesText('Choose a plan', 'renders legend');
+    assert.dom('input[type="radio"]').exists({ count: 3 }, 'renders radio card options');
+  });
+
+  test('it renders a masked input field', async function (assert) {
+    this.field = {
+      name: 'password',
+      label: 'Password',
+      type: 'MaskedInput',
+      helperText: 'Enter a secure password',
+    };
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('label').includesText('Password', 'renders label');
+    assert.dom('input').exists('renders masked input');
+    assert.dom('.hds-form-helper-text').includesText('Enter a secure password', 'renders helper text');
+  });
+
+  test('it renders a select field', async function (assert) {
+    this.field = {
+      name: 'country',
+      label: 'Select country',
+      type: 'Select',
+      helperText: 'Choose your country',
+      options: [
+        { label: 'United States', value: 'us' },
+        { label: 'Canada', value: 'ca' },
+        { label: 'United Kingdom', value: 'uk' },
+      ],
+    };
+    this.value = 'ca';
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @value={{this.value}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('label').includesText('Select country', 'renders label');
+    assert.dom('select').exists('renders select element');
+    assert.dom('select option').exists({ count: 3 }, 'renders 3 options');
+    assert.dom('select').hasValue('ca', 'select has correct value');
+    assert.dom('.hds-form-helper-text').includesText('Choose your country', 'renders helper text');
+  });
+
+  test('it renders a select field with custom placeholder', async function (assert) {
+    this.field = {
+      name: 'region',
+      label: 'Select region',
+      type: 'Select',
+      placeholder: 'Pick a region',
+      options: [
+        { label: 'North America', value: 'na' },
+        { label: 'Europe', value: 'eu' },
+      ],
+    };
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    assert.dom('select option:first-child').hasText('Pick a region', 'renders custom placeholder');
+    assert.dom('select option:first-child').hasValue('', 'placeholder has empty value');
+  });
+
+  test('it renders unsupported field types as a text input fallback with console warning', async function (assert) {
+    assert.expect(6);
+
+    this.field = {
+      name: 'unsupported',
+      label: 'Unsupported Field',
+      type: 'FutureFieldType',
+    };
+
+    // Capture console.warn calls
+    const originalWarn = console.warn;
+    let warnCalled = false;
+    let warnMessage = '';
+    console.warn = (message) => {
+      warnCalled = true;
+      warnMessage = message;
+    };
+
+    await render(hbs`
+      <Form::V2::Field
+        @field={{this.field}}
+        @onChange={{this.onChange}}
+      />
+    `);
+
+    // Restore console.warn
+    console.warn = originalWarn;
+
+    // Assert text input is rendered as fallback
+    assert.dom('.hds-form-text-input').exists('renders text input as fallback');
+    assert.dom('label').hasText('Unsupported Field', 'displays correct label');
+
+    // Assert console warning was logged
+    assert.true(warnCalled, 'console.warn was called');
+    assert.true(
+      warnMessage.includes('Unsupported field type "FutureFieldType"'),
+      'warning includes field type'
+    );
+    assert.true(warnMessage.includes('Unsupported Field'), 'warning includes field label');
+    assert.true(warnMessage.includes('Falling back to text input'), 'warning includes fallback message');
+  });
+});
diff --git a/ui/tests/integration/components/form/v2/renderer-test.js b/ui/tests/integration/components/form/v2/renderer-test.js
new file mode 100644
index 0000000000..fa93644df6
--- /dev/null
+++ b/ui/tests/integration/components/form/v2/renderer-test.js
@@ -0,0 +1,150 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { render, waitFor } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { module, test } from 'qunit';
+import V2Form from 'vault/forms/v2/v2-form';
+import { setupRenderingTest } from 'vault/tests/helpers';
+
+module('Integration | Component | form/v2/renderer', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.formConfig = {
+      name: 'test-form',
+      path: '/test/path',
+      title: 'Test Form',
+      payload: {
+        username: '',
+        email: '',
+        enabled: false,
+      },
+      submit: async () => ({ success: true }),
+      sections: [
+        {
+          name: 'section1',
+          title: 'User Information',
+          description: 'Enter user details',
+          fields: [
+            {
+              name: 'username',
+              type: 'TextInput',
+              label: 'Username',
+              helperText: 'Enter your username',
+            },
+            {
+              name: 'email',
+              type: 'TextInput',
+              label: 'Email',
+            },
+          ],
+        },
+        {
+          name: 'section2',
+          title: 'Settings',
+          fields: [
+            {
+              name: 'enabled',
+              type: 'Toggle',
+              label: 'Enable feature',
+            },
+          ],
+        },
+      ],
+    };
+
+    this.form = new V2Form(this.formConfig);
+  });
+
+  test('it renders the form element', async function (assert) {
+    await render(hbs`
+      <Form::V2::Renderer @form={{this.form}} />
+    `);
+
+    assert.dom('form').exists('renders form element');
+  });
+
+  test('it renders sections and fields when renderFields is true', async function (assert) {
+    await render(hbs`
+      <Form::V2::Renderer @form={{this.form}} @renderFields={{true}} />
+    `);
+
+    await waitFor('h2');
+    assert.dom('h2').exists({ count: 2 }, 'renders section headers');
+    assert.dom('label').includesText('Username', 'renders field content');
+  });
+
+  test('it renders an error alert when error is provided', async function (assert) {
+    this.error = 'Something went wrong';
+
+    await render(hbs`
+      <Form::V2::Renderer @form={{this.form}} @error={{this.error}} @renderFields={{true}} />
+    `);
+
+    assert.dom('.hds-alert').exists('renders error alert');
+    assert.dom('.hds-alert__description').hasText('Something went wrong', 'renders error message');
+  });
+
+  test('it yields custom content', async function (assert) {
+    await render(hbs`
+      <Form::V2::Renderer @form={{this.form}} @renderFields={{true}} as |Form|>
+        <Form.Section>
+          <div data-test-custom-content>Custom submit button</div>
+        </Form.Section>
+      </Form::V2::Renderer>
+    `);
+
+    assert
+      .dom('[data-test-custom-content]')
+      .hasText('Custom submit button', 'renders yielded custom content');
+  });
+
+  test('it does not render fields when renderFields is false', async function (assert) {
+    await render(hbs`
+      <Form::V2::Renderer @form={{this.form}} @renderFields={{false}} />
+    `);
+
+    assert.dom('h2').doesNotExist('does not render section headers');
+    assert.dom('label').doesNotExist('does not render fields');
+  });
+
+  test('it handles forms with empty sections', async function (assert) {
+    this.formWithEmptySection = new V2Form({
+      name: 'form-empty-section',
+      path: '/test',
+      payload: {},
+      submit: async () => ({}),
+      sections: [
+        {
+          name: 'empty-section',
+          title: 'Empty Section',
+          fields: [],
+        },
+      ],
+    });
+
+    await render(hbs`
+      <Form::V2::Renderer @form={{this.formWithEmptySection}} @renderFields={{true}} />
+    `);
+
+    assert.dom('h2').hasText('Empty Section', 'renders section title');
+    assert.dom('label').doesNotExist('does not render field content');
+  });
+
+  test('it passes attributes to the form element', async function (assert) {
+    await render(hbs`
+      <Form::V2::Renderer
+        @form={{this.form}}
+        @renderFields={{true}}
+        data-test-custom-form
+        class="custom-class"
+      />
+    `);
+
+    assert.dom('form').hasAttribute('data-test-custom-form', '', 'passes data attributes');
+    assert.dom('form').hasClass('custom-class', 'passes CSS classes');
+  });
+});
diff --git a/ui/tests/integration/components/form/v2/section-test.js b/ui/tests/integration/components/form/v2/section-test.js
new file mode 100644
index 0000000000..78ccd16886
--- /dev/null
+++ b/ui/tests/integration/components/form/v2/section-test.js
@@ -0,0 +1,66 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+
+module('Integration | Component | form/v2/section', function (hooks) {
+  setupRenderingTest(hooks);
+
+  test('it renders section title, description, and yielded content', async function (assert) {
+    this.section = {
+      name: 'test-section',
+      title: 'User Settings',
+      description: 'Configure your user preferences',
+    };
+
+    await render(hbs`
+      <Hds::Form as |Form|>
+        <Form::V2::Section @section={{this.section}} @formComponent={{Form}}>
+          <div data-test-content>Settings fields</div>
+        </Form::V2::Section>
+      </Hds::Form>
+    `);
+
+    assert.dom('h2').hasText('User Settings', 'renders section title');
+    assert.dom('p').includesText('Configure your user preferences', 'renders section description');
+    assert.dom('[data-test-content]').hasText('Settings fields', 'renders yielded content');
+  });
+
+  test('it renders without section header when title is not provided', async function (assert) {
+    this.section = {
+      name: 'no-title-section',
+    };
+
+    await render(hbs`
+      <Hds::Form as |Form|>
+        <Form::V2::Section @section={{this.section}} @formComponent={{Form}}>
+          <div data-test-content>Content without title</div>
+        </Form::V2::Section>
+      </Hds::Form>
+    `);
+
+    assert.dom('h2').doesNotExist('does not render title');
+    assert.dom('p').doesNotExist('does not render description');
+    assert.dom('[data-test-content]').hasText('Content without title', 'renders yielded content');
+  });
+
+  test('it renders an empty section', async function (assert) {
+    this.section = {
+      name: 'empty-section',
+      title: 'Empty Section',
+    };
+
+    await render(hbs`
+      <Hds::Form as |Form|>
+        <Form::V2::Section @section={{this.section}} @formComponent={{Form}} />
+      </Hds::Form>
+    `);
+
+    assert.dom('h2').hasText('Empty Section', 'renders section title');
+  });
+});
diff --git a/ui/tests/integration/components/form/v2/wizard-test.js b/ui/tests/integration/components/form/v2/wizard-test.js
new file mode 100644
index 0000000000..bfb8c3f788
--- /dev/null
+++ b/ui/tests/integration/components/form/v2/wizard-test.js
@@ -0,0 +1,90 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import { module, test } from 'qunit';
+import sinon from 'sinon';
+import { setupRenderingTest } from 'vault/tests/helpers';
+
+module('Integration | Component | form/v2/wizard', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.onCancel = sinon.spy();
+    this.onSuccess = sinon.spy();
+
+    this.wizardConfig = {
+      title: 'Test Wizard',
+      description: 'A test wizard',
+      steps: [
+        {
+          name: 'step1',
+          title: 'Step 1',
+          description: 'First step',
+          formConfig: {
+            name: 'step1-form',
+            path: '/v1/test/step1',
+            payload: {
+              name: '',
+            },
+            submit: sinon.stub().resolves({ id: 'step1-result' }),
+            sections: [
+              {
+                name: 'basic',
+                fields: [
+                  {
+                    name: 'name',
+                    label: 'Name',
+                    type: 'TextInput',
+                    validations: [{ type: 'required' }],
+                  },
+                ],
+              },
+            ],
+          },
+        },
+        {
+          name: 'step2',
+          title: 'Step 2',
+          description: 'Second step',
+          formConfig: {
+            name: 'step2-form',
+            path: '/v1/test/step2',
+            payload: {
+              description: '',
+            },
+            submit: sinon.stub().resolves({ id: 'step2-result' }),
+            sections: [
+              {
+                name: 'details',
+                fields: [
+                  {
+                    name: 'description',
+                    label: 'Description',
+                    type: 'TextArea',
+                  },
+                ],
+              },
+            ],
+          },
+        },
+      ],
+    };
+  });
+
+  test('it renders the first step content', async function (assert) {
+    await render(hbs`
+      <Form::V2::Wizard
+        @config={{this.wizardConfig}}
+        @onCancel={{this.onCancel}}
+        @onSuccess={{this.onSuccess}}
+      />
+    `);
+
+    assert.dom('label').includesText('Name', 'renders first step field');
+    assert.dom(this.element).includesText('Step 1', 'renders first step title');
+  });
+});
diff --git a/ui/tests/integration/components/get-credentials-card-test.js b/ui/tests/integration/components/get-credentials-card-test.js
index efd216a735..ef0501c4c3 100644
--- a/ui/tests/integration/components/get-credentials-card-test.js
+++ b/ui/tests/integration/components/get-credentials-card-test.js
@@ -4,8 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import Service from '@ember/service';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import { clickTrigger } from 'ember-power-select/test-support/helpers';
 import { selectChoose } from 'ember-power-select/test-support';
@@ -14,31 +13,16 @@ import sinon from 'sinon';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
-const storeService = Service.extend({
-  query(modelType) {
-    return new Promise((resolve, reject) => {
-      switch (modelType) {
-        case 'database/role':
-          resolve([{ id: 'my-role', backend: 'database' }]);
-          break;
-        default:
-          reject({ httpStatus: 404 });
-          break;
-      }
-      reject({ httpStatus: 404 });
-    });
-  },
-});
-
 module('Integration | Component | get-credentials-card', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(function () {
     this.router = this.owner.lookup('service:router');
     this.router.transitionTo = sinon.stub();
+    this.dbListStub = sinon
+      .stub(this.owner.lookup('service:api').secrets, 'databaseListRoles')
+      .resolves({ keys: ['my-role'] });
 
-    this.owner.unregister('service:store');
-    this.owner.register('service:store', storeService);
     this.set('title', 'Get Credentials');
     this.set('searchLabel', 'Role to use');
     setRunOptions({
@@ -56,7 +40,9 @@ module('Integration | Component | get-credentials-card', function (hooks) {
 
   test('it shows a disabled button when no item is selected', async function (assert) {
     assert.expect(2);
-    await render(hbs`<GetCredentialsCard @title={{this.title}} @searchLabel={{this.searchLabel}}/>`);
+    await render(
+      hbs`<GetCredentialsCard @title={{this.title}} @backend="database"  @searchLabel={{this.searchLabel}} @placeholder="Search for a role..." @models={{this.models}} />`
+    );
     assert.dom(GENERAL.button('Get credentials')).isDisabled();
     assert.dom(GENERAL.button('Get credentials')).hasText('Get credentials', 'Button has default text');
   });
diff --git a/ui/tests/integration/components/icon-test.js b/ui/tests/integration/components/icon-test.js
index 986fd242d5..dfa6d422c6 100644
--- a/ui/tests/integration/components/icon-test.js
+++ b/ui/tests/integration/components/icon-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import waitForError from 'vault/tests/helpers/wait-for-error';
diff --git a/ui/tests/integration/components/identity/item-details-test.js b/ui/tests/integration/components/identity/item-details-test.js
index 0696dbae64..547da7b263 100644
--- a/ui/tests/integration/components/identity/item-details-test.js
+++ b/ui/tests/integration/components/identity/item-details-test.js
@@ -6,7 +6,7 @@
 import { resolve } from 'rsvp';
 import EmberObject from '@ember/object';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/info-table-item-array-test.js b/ui/tests/integration/components/info-table-item-array-test.js
index 8a3a2a270f..01ae70da24 100644
--- a/ui/tests/integration/components/info-table-item-array-test.js
+++ b/ui/tests/integration/components/info-table-item-array-test.js
@@ -4,67 +4,22 @@
  */
 
 import { module, test } from 'qunit';
-import Service from '@ember/service';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { findAll, render } from '@ember/test-helpers';
-import { run } from '@ember/runloop';
 import hbs from 'htmlbars-inline-precompile';
 
 const DISPLAY_ARRAY = ['role-1', 'role-2', 'role-3', 'role-4', 'role-5'];
 
-const storeService = Service.extend({
-  query(modelType) {
-    return new Promise((resolve, reject) => {
-      switch (modelType) {
-        case 'transform/role':
-          resolve([
-            { id: 'role-1' },
-            { id: 'role-2' },
-            { id: 'role-3' },
-            { id: 'role-4' },
-            { id: 'role-5' },
-            { id: 'role-6' },
-          ]);
-          break;
-        case 'model/no-permission':
-          reject({ httpStatus: 403, message: 'permission denied' });
-          break;
-        case 'identity/entity':
-          resolve([
-            { id: '1', name: 'one' },
-            { id: '6', name: 'six' },
-            { id: '7', name: 'seven' },
-            { id: '8', name: 'eight' },
-            { id: '9', name: 'nine' },
-          ]);
-          break;
-        default:
-          reject({ httpStatus: 404 });
-          break;
-      }
-    });
-  },
-});
-
 module('Integration | Component | InfoTableItemArray', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(function () {
     this.set('displayArray', DISPLAY_ARRAY);
     this.set('isLink', true);
-    this.set('modelType', 'transform/role');
     this.set('queryParam', 'role');
-    this.set('backend', 'transform');
-    this.set('wildcardLabel', 'role');
     this.set('label', 'Roles');
-    run(() => {
-      this.owner.unregister('service:store');
-      this.owner.register('service:store', storeService);
-    });
-  });
-
-  hooks.afterEach(function () {
-    this.owner.unregister('service:store');
+    this.set('arrayOptions', [...DISPLAY_ARRAY, 'role-6']);
+    this.set('wildcardLabel', 'role');
   });
 
   test('it renders', async function (assert) {
@@ -88,9 +43,7 @@ module('Integration | Component | InfoTableItemArray', function (hooks) {
         @displayArray={{this.displayArray}}
         @isLink={{this.isLink}}
         @label="my label"
-        @modelType={{this.modelType}}
         @queryParam={{this.queryParam}}
-        @backend={{this.backend}}
       />
     `);
     assert.strictEqual(
@@ -100,7 +53,7 @@ module('Integration | Component | InfoTableItemArray', function (hooks) {
     );
   });
 
-  test('it renders a badge and view all if wildcard in display array && < 10', async function (assert) {
+  test('it renders wildcard items as plain text and still shows view all', async function (assert) {
     const displayArrayWithWildcard = ['role-1', 'role-2', 'role-3', 'r*'];
     this.set('displayArrayWithWildcard', displayArrayWithWildcard);
     await render(hbs`
@@ -108,22 +61,21 @@ module('Integration | Component | InfoTableItemArray', function (hooks) {
       @label={{this.label}}
       @displayArray={{this.displayArrayWithWildcard}}
       @isLink={{this.isLink}}
-      @modelType={{this.modelType}}
       @queryParam={{this.queryParam}}
-      @backend={{this.backend}}
+      @arrayOptions={{this.arrayOptions}}
+      @wildcardLabel={{this.wildcardLabel}}
     />`);
     assert.strictEqual(
       document.querySelectorAll('a > span').length,
-      DISPLAY_ARRAY.length - 1,
-      'renders each item in array with link'
+      displayArrayWithWildcard.length - 1,
+      'renders only the non-wildcard items in array with link'
     );
-    // 6 here comes from the six roles setup in the store service.
-    assert.dom('[data-test-count="6"]').exists('correctly counts with wildcard filter and shows the count');
-    assert.dom('[data-test-view-all="roles"]').exists({ count: 1 }, 'renders 1 view all roles');
-    assert.dom('[data-test-view-all="roles"]').hasText('View all roles.', 'renders correct view all text');
+    assert.dom('[data-test-item="r*"]').hasText('r*', 'renders wildcard as plain text');
+    assert.dom('[data-test-count="6"]').exists('renders a wildcard count badge from preloaded options');
+    assert.dom('[data-test-view-all="roles"]').doesNotExist('does not render view all text for short arrays');
   });
 
-  test('it renders a badge and view all if wildcard in display array && >= 10', async function (assert) {
+  test('it renders a wildcard item in the truncated array', async function (assert) {
     const displayArrayWithWildcard = [
       'role-1',
       'role-2',
@@ -143,129 +95,73 @@ module('Integration | Component | InfoTableItemArray', function (hooks) {
       @label={{this.label}}
       @displayArray={{this.displayArrayWithWildcard}}
       @isLink={{this.isLink}}
-      @modelType={{this.modelType}}
       @queryParam={{this.queryParam}}
-      @backend={{this.backend}}
+      @arrayOptions={{this.arrayOptions}}
+      @wildcardLabel={{this.wildcardLabel}}
     />`);
     const numberCutOffTruncatedArray = displayArrayWithWildcard.length - 5;
-    assert.strictEqual(document.querySelectorAll('a > span').length, 5, 'renders truncated array of five');
+    assert.strictEqual(
+      document.querySelectorAll('a > span').length,
+      5,
+      'renders only the non-wildcard items in the truncated array with link'
+    );
+    assert.dom('[data-test-item="r*"]').hasText('r*', 'renders wildcard item in the truncated array');
+    assert.dom('[data-test-count="6"]').exists('renders a wildcard count badge in the truncated array');
     assert
       .dom(`[data-test-and="${numberCutOffTruncatedArray}"]`)
-      .exists('correctly counts with wildcard filter and shows the count');
+      .exists("renders correct 'and N others' text");
     assert.dom('[data-test-view-all="roles"]').hasText('View all roles.', 'renders correct view all text');
   });
 
-  test('it fails gracefully if query returns 403 and display array contains wildcard', async function (assert) {
-    const displayArrayWithWildcard = [
-      'role-1',
-      'role-2',
-      'role-3',
-      'r*',
-      'role-4',
-      'role-5',
-      'role-6',
-      'role-7',
-      'role-8',
-      'role-9',
-      'role-10',
-    ];
-    this.set('displayArrayWithWildcard', displayArrayWithWildcard);
-    this.set('modelType', 'model/no-permission');
+  test('it omits the wildcard badge when preloaded options are not provided', async function (assert) {
+    this.set('displayArrayWithWildcard', ['role-1', 'r*']);
     await render(hbs`
-    <InfoTableItemArray
-      @label={{this.label}}
-      @displayArray={{this.displayArrayWithWildcard}}
-      @isLink={{this.isLink}}
-      @modelType={{this.modelType}}
-      @queryParam={{this.queryParam}}
-      @backend={{this.backend}}
-    />`);
-    assert.strictEqual(findAll('[data-test-item]').length, 4, 'lists 4 roles');
-    assert.dom('[data-test-readmore-content]').hasTextContaining('r*', 'renders wildcard');
-    assert.dom('[data-test-count="0"]').doesNotExist('does not render badge');
-    assert.dom('[data-test-view-all="roles"]').hasText('View all roles.', 'renders correct view all text');
-    assert.dom('[data-test-and="6"]').exists(`renders correct 'and 6 others' text`);
+      <InfoTableItemArray
+        @label={{this.label}}
+        @displayArray={{this.displayArrayWithWildcard}}
+        @isLink={{this.isLink}}
+        @queryParam={{this.queryParam}}
+      />
+    `);
+
+    assert.dom('[data-test-item="r*"]').hasText('r*', 'renders wildcard as plain text');
+    assert.dom('[data-test-count]').doesNotExist('does not render a badge without preloaded options');
   });
 
-  test('it fails gracefully if query returns 404 and display array contains wildcard', async function (assert) {
-    const displayArrayWithWildcard = [
-      'role-1',
-      'role-2',
-      'role-3',
-      'r*',
-      'role-4',
-      'role-5',
-      'role-6',
-      'role-7',
-      'role-8',
-      'role-9',
-      'role-10',
-    ];
-    this.set('displayArrayWithWildcard', displayArrayWithWildcard);
-    this.set('modelType', 'model-not-found');
-    await render(hbs`
-    <InfoTableItemArray
-      @label={{this.label}}
-      @displayArray={{this.displayArrayWithWildcard}}
-      @isLink={{this.isLink}}
-      @modelType={{this.modelType}}
-      @queryParam={{this.queryParam}}
-      @backend={{this.backend}}
-    />`);
-    assert.dom('[data-test-count="0"]').hasText('includes 0', 'renders badge');
-    assert.strictEqual(findAll('[data-test-item]').length, 4, 'renders list of 4 roles');
-    assert.dom('[data-test-view-all="roles"]').hasText('View all roles.', 'renders view all text');
-  });
-
-  test('it renders name if renderItemName=true or id if name not found', async function (assert) {
-    const value = ['6', '8', '123-id'];
-    this.set('value', value);
-    this.set('modelType', 'identity/entity');
-    await render(hbs`
-    <InfoTableItemArray
-      @label={{this.label}}
-      @displayArray={{this.value}}
-      @isLink={{this.isLink}}
-      @modelType={{this.modelType}}
-      @renderItemName={{true}}
-    />`);
-    assert.dom('[data-test-item="6"]').hasText('six', `renders name of 'six' instead of id`);
-    assert.dom('[data-test-item="8"]').hasText('eight', `renders 'eight' instead of id`);
-    assert.strictEqual(findAll('[data-test-item]').length, 3, 'renders all entities');
-    assert
-      .dom('[data-test-item="123-id"]')
-      .hasText('123-id', 'renders id instead of name if no record for name');
-  });
-
-  test('it truncates and renders name when renderItemName=true', async function (assert) {
+  test('it truncates arrays with linked items', async function (assert) {
     const value = ['1', '2', '3-id', '4', '5', '6', '7', '8', '9', '10'];
     this.set('value', value);
-    this.set('modelType', 'identity/entity');
     await render(hbs`
     <InfoTableItemArray
       @label="Entities"
       @displayArray={{this.value}}
       @isLink={{this.isLink}}
-      @modelType={{this.modelType}}
-      @renderItemName={{true}}
     />`);
-    assert.dom('[data-test-item="1"]').hasText('one', `renders name of 'one' instead of id`);
-    assert.dom('[data-test-item="3-id"]').hasText('3-id', 'renders id instead of name if no record for name');
+    assert.dom('[data-test-item="1"]').hasText('1', 'renders the raw item text');
+    assert.dom('[data-test-item="3-id"]').hasText('3-id', 'renders item text without name lookup');
     assert.strictEqual(findAll('[data-test-item]').length, 5, 'only lists 5 entities');
   });
 
   test('it truncates using read more component when overflows div', async function (assert) {
-    const value = ['1', '2', '3-id', '4', '5', '6', '7', '8', '9', '10'];
+    const value = [
+      'entity-name-1-with-extra-text',
+      'entity-name-2-with-extra-text',
+      'entity-name-3-with-extra-text',
+      'entity-name-4-with-extra-text',
+      'entity-name-5-with-extra-text',
+      'entity-name-6-with-extra-text',
+      'entity-name-7-with-extra-text',
+      'entity-name-8-with-extra-text',
+      'entity-name-9-with-extra-text',
+      'entity-name-10-with-extra-text',
+    ];
     this.set('value', value);
-    this.set('modelType', 'identity/entity');
     await render(hbs`
       <div style="width: 200px">
         <InfoTableItemArray
           @label="Entities"
           @displayArray={{this.value}}
           @isLink={{this.isLink}}
-          @modelType={{this.modelType}}
-          @renderItemName={{true}}
           @doNotTruncate={{true}}
         />
       </div>
diff --git a/ui/tests/integration/components/info-table-row-test.js b/ui/tests/integration/components/info-table-row-test.js
index 72c4fdfecb..dcf2bfe195 100644
--- a/ui/tests/integration/components/info-table-row-test.js
+++ b/ui/tests/integration/components/info-table-row-test.js
@@ -6,7 +6,7 @@
 import { module, test } from 'qunit';
 import { resolve } from 'rsvp';
 import Service from '@ember/service';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/json-editor-test.js b/ui/tests/integration/components/json-editor-test.js
index 0cbec9d452..7d85f2d7b3 100644
--- a/ui/tests/integration/components/json-editor-test.js
+++ b/ui/tests/integration/components/json-editor-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, triggerKeyEvent, waitFor, setupOnerror } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { SELECTORS } from '../../pages/components/json-editor';
diff --git a/ui/tests/integration/components/keymgmt/distribute-test.js b/ui/tests/integration/components/keymgmt/distribute-test.js
index a97da2a778..e80f946fc5 100644
--- a/ui/tests/integration/components/keymgmt/distribute-test.js
+++ b/ui/tests/integration/components/keymgmt/distribute-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled, select } from '@ember/test-helpers';
 import { create } from 'ember-cli-page-object';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/keymgmt/key-edit-test.js b/ui/tests/integration/components/keymgmt/key-edit-test.js
index 7bc8b5364d..760b57921b 100644
--- a/ui/tests/integration/components/keymgmt/key-edit-test.js
+++ b/ui/tests/integration/components/keymgmt/key-edit-test.js
@@ -5,12 +5,12 @@
 
 import { module, test } from 'qunit';
 import sinon from 'sinon';
-import EmberObject from '@ember/object';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import timestamp from 'core/utils/timestamp';
+import KeymgmtKeyForm from 'vault/forms/keymgmt/key';
 
 module('Integration | Component | keymgmt/key-edit', function (hooks) {
   setupRenderingTest(hooks);
@@ -20,10 +20,15 @@ module('Integration | Component | keymgmt/key-edit', function (hooks) {
   });
   hooks.beforeEach(function () {
     const now = this.timestampStub();
-    const model = EmberObject.create({
+    const form = new KeymgmtKeyForm({
       name: 'Unicorns',
-      id: 'Unicorns',
-      minEnabledVersion: 1,
+      backend: 'keymgmt',
+      type: 'rsa-2048',
+      deletion_allowed: false,
+      min_enabled_version: 1,
+      latest_version: 2,
+      created: now,
+      last_rotated: null,
       versions: [
         {
           id: 1,
@@ -34,16 +39,22 @@ module('Integration | Component | keymgmt/key-edit', function (hooks) {
           creation_time: now.toString(),
         },
       ],
-      canDelete: true,
     });
-    this.model = model;
+    this.form = form;
+    this.capabilities = {
+      canDelete: true,
+      canEdit: true,
+      canRead: true,
+    };
     this.tab = '';
   });
 
   // TODO: Add capabilities tests
   test('it renders show view as default', async function (assert) {
     assert.expect(8);
-    await render(hbs`<Keymgmt::KeyEdit @model={{this.model}} @tab={{this.tab}} />`);
+    await render(
+      hbs`<Keymgmt::KeyEdit @form={{this.form}} @capabilities={{this.capabilities}} @tab={{this.tab}} />`
+    );
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Unicorns', 'Shows key name');
     assert.dom('[data-test-keymgmt-key-toolbar]').exists('Subnav toolbar exists');
     assert.dom('[data-test-tab="Details"]').exists('Details tab exists');
@@ -60,15 +71,20 @@ module('Integration | Component | keymgmt/key-edit', function (hooks) {
 
   test('it renders the correct elements on edit view', async function (assert) {
     assert.expect(4);
-    const model = EmberObject.create({
+    const form = new KeymgmtKeyForm({
       name: 'Unicorns',
-      id: 'Unicorns',
+      backend: 'keymgmt',
+      type: 'rsa-2048',
+      deletion_allowed: false,
+      min_enabled_version: 1,
     });
     this.set('mode', 'edit');
-    this.set('model', model);
+    this.set('form', form);
 
-    await render(hbs`<Keymgmt::KeyEdit @model={{this.model}} @mode={{this.mode}} />`);
-    assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Edit Key', 'Shows edit header');
+    await render(
+      hbs`<Keymgmt::KeyEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+    assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Edit key', 'Shows edit header');
     assert.dom('[data-test-keymgmt-key-toolbar]').doesNotExist('Subnav toolbar does not exist');
     assert.dom('[data-test-tab="Details"]').doesNotExist('Details tab does not exist');
     assert.dom('[data-test-tab="Versions"]').doesNotExist('Versions tab does not exist');
@@ -76,12 +92,17 @@ module('Integration | Component | keymgmt/key-edit', function (hooks) {
 
   test('it renders the correct elements on create view', async function (assert) {
     assert.expect(4);
-    const model = EmberObject.create({});
+    const form = new KeymgmtKeyForm(
+      { backend: 'keymgmt', type: 'rsa-2048', deletion_allowed: false },
+      { isNew: true }
+    );
     this.set('mode', 'create');
-    this.set('model', model);
+    this.set('form', form);
 
-    await render(hbs`<Keymgmt::KeyEdit @model={{this.model}} @mode={{this.mode}} />`);
-    assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Create Key', 'Shows edit header');
+    await render(
+      hbs`<Keymgmt::KeyEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+    assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Create key', 'Shows edit header');
     assert.dom('[data-test-keymgmt-key-toolbar]').doesNotExist('Subnav toolbar does not exist');
     assert.dom('[data-test-tab="Details"]').doesNotExist('Details tab does not exist');
     assert.dom('[data-test-tab="Versions"]').doesNotExist('Versions tab does not exist');
@@ -89,10 +110,15 @@ module('Integration | Component | keymgmt/key-edit', function (hooks) {
 
   test('it defaults to keyType rsa-2048', async function (assert) {
     assert.expect(1);
-    const store = this.owner.lookup('service:store');
-    this.model = store.createRecord('keymgmt/key');
+    const form = new KeymgmtKeyForm(
+      { backend: 'keymgmt', type: 'rsa-2048', deletion_allowed: false },
+      { isNew: true }
+    );
     this.set('mode', 'create');
-    await render(hbs`<Keymgmt::KeyEdit @model={{this.model}} @mode={{this.mode}} />`);
+    this.set('form', form);
+    await render(
+      hbs`<Keymgmt::KeyEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
     assert.dom('[data-test-input="type"]').hasValue('rsa-2048', 'Has type rsa-2048 by default');
   });
 });
diff --git a/ui/tests/integration/components/keymgmt/provider-edit-test.js b/ui/tests/integration/components/keymgmt/provider-edit-test.js
index 9eceaf1676..067a26211e 100644
--- a/ui/tests/integration/components/keymgmt/provider-edit-test.js
+++ b/ui/tests/integration/components/keymgmt/provider-edit-test.js
@@ -4,13 +4,14 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, settled, fillIn } from '@ember/test-helpers';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import KeymgmtProviderForm from 'vault/forms/keymgmt/provider';
 
 const ts = 'data-test-kms-provider';
 const root = {
@@ -25,20 +26,18 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.store.push({
-      data: {
-        id: 'foo-bar',
-        type: 'keymgmt/provider',
-        attributes: {
-          name: 'foo-bar',
-          provider: 'azurekeyvault',
-          keyCollection: 'keyvault-1',
-          backend: 'keymgmt',
-        },
-      },
+    this.form = new KeymgmtProviderForm({
+      name: 'foo-bar',
+      provider: 'azurekeyvault',
+      key_collection: 'keyvault-1',
+      backend: 'keymgmt',
     });
-    this.model = this.store.peekRecord('keymgmt/provider', 'foo-bar');
+    this.capabilities = {
+      canDelete: false,
+      canListKeys: false,
+      canEdit: false,
+      canCreateKeys: false,
+    };
     this.root = root;
     this.owner.lookup('service:router').reopen({
       currentURL: '/ui/vault/secrets-engines/keymgmt/show/foo-bar',
@@ -60,13 +59,8 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
   test('it should render show view', async function (assert) {
     assert.expect(11);
 
-    // override capability getters
-    Object.defineProperties(this.model, {
-      canDelete: { value: true },
-      canListKeys: { value: true },
-    });
+    this.capabilities = { canDelete: true, canListKeys: true, canEdit: false, canCreateKeys: false };
 
-    this.server.post('/sys/capabilities-self', () => ({}));
     this.server.get('/keymgmt/kms/foo-bar/key', () => {
       return {
         data: {
@@ -83,7 +77,8 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
     await render(hbs`
       <Keymgmt::ProviderEdit
         @root={{this.root}}
-        @model={{this.model}}
+        @form={{this.form}}
+        @capabilities={{this.capabilities}}
         @mode="show"
         @tab={{this.tab}}
       />`);
@@ -117,11 +112,7 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
   test('it should delete a provider', async function (assert) {
     assert.expect(5);
 
-    // override capability getters
-    Object.defineProperties(this.model, {
-      canDelete: { value: true },
-      canListKeys: { value: true },
-    });
+    this.capabilities = { canDelete: true, canListKeys: true, canEdit: false, canCreateKeys: false };
 
     this.server.post('/sys/capabilities-self', () => ({}));
     this.server.get('/keymgmt/kms/foo-bar/key', () => {
@@ -146,7 +137,8 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
     await render(hbs`
       <Keymgmt::ProviderEdit
         @root={{this.root}}
-        @model={{this.model}}
+        @form={{this.form}}
+        @capabilities={{this.capabilities}}
         @mode="show"
         @tab={{this.tab}}
       />`);
@@ -162,10 +154,8 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
   test('it should render create view', async function (assert) {
     assert.expect(14);
 
-    this.server.put('/keymgmt/kms/foo', (schema, req) => {
+    this.server.post('/keymgmt/kms/foo', (schema, req) => {
       const params = {
-        name: 'foo',
-        backend: 'keymgmt',
         provider: 'gcpckms',
         key_collection: 'keyvault-1',
         credentials: {
@@ -186,12 +176,12 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
         assert.deepEqual(itemType, 'provider', 'Correct query params sent in transitionTo on save');
       },
     });
-    this.model = this.store.createRecord('keymgmt/provider', { backend: 'keymgmt' });
+    this.form = new KeymgmtProviderForm({ backend: 'keymgmt' }, { isNew: true });
 
     await render(hbs`
       <Keymgmt::ProviderEdit
         @root={{this.root}}
-        @model={{this.model}}
+        @form={{this.form}}
         @mode="create"
       />`);
 
@@ -216,18 +206,16 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
     assert.dom(`[data-test-input="credentials.service_account_file"]`).exists(`GCP - cred field renders`);
 
     await fillIn('[data-test-input="name"]', 'foo');
-    await fillIn('[data-test-input="keyCollection"]', 'keyvault-1');
+    await fillIn('[data-test-input="key_collection"]', 'keyvault-1');
     await fillIn('[data-test-input="credentials.service_account_file"]', 'test');
     await click(`[${ts}-submit]`);
   });
 
   test('it should render edit view', async function (assert) {
-    assert.expect(3);
+    assert.expect(7);
 
-    this.server.put('/keymgmt/kms/foo', (schema, req) => {
+    this.server.post('/keymgmt/kms/foo-bar', (schema, req) => {
       const params = {
-        name: 'foo-bar',
-        backend: 'keymgmt',
         provider: 'azurekeyvault',
         key_collection: 'keyvault-1',
         credentials: {
@@ -246,14 +234,14 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
           'vault.cluster.secrets.backend.show',
           'Show route sent in transitionTo on save'
         );
-        assert.strictEqual(model, 'foo', 'Model id sent in transitionTo on save');
+        assert.strictEqual(model, 'foo-bar', 'Provider name sent in transitionTo on save');
         assert.deepEqual(itemType, 'provider', 'Correct query params sent in transitionTo on save');
       },
     });
     await render(hbs`
       <Keymgmt::ProviderEdit
         @root={{this.root}}
-        @model={{this.model}}
+        @form={{this.form}}
         @mode="edit"
       />`);
 
@@ -266,4 +254,28 @@ module('Integration | Component | keymgmt/provider-edit', function (hooks) {
     }
     await click(`[${ts}-submit]`);
   });
+
+  test('it should clear all validations when provider type changes', async function (assert) {
+    assert.expect(3);
+
+    this.form = new KeymgmtProviderForm({ backend: 'keymgmt' }, { isNew: true });
+
+    await render(hbs`
+      <Keymgmt::ProviderEdit
+        @root={{this.root}}
+        @form={{this.form}}
+        @mode="create"
+      />`);
+
+    await click(`[${ts}-submit]`);
+    assert.dom('[data-test-validation-error]').exists('Validation errors shown after submit');
+
+    await fillIn('[data-test-input="provider"]', 'gcpckms');
+    assert
+      .dom('[data-test-validation-error]')
+      .doesNotExist('Validation errors cleared when provider changes');
+
+    await click(`[${ts}-submit]`);
+    assert.dom('[data-test-validation-error]').exists('Validation errors re-appear after next submit');
+  });
 });
diff --git a/ui/tests/integration/components/kmip/details-credentials-test.js b/ui/tests/integration/components/kmip/details-credentials-test.js
index 12cd4c25a4..83ff4c178d 100644
--- a/ui/tests/integration/components/kmip/details-credentials-test.js
+++ b/ui/tests/integration/components/kmip/details-credentials-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { click, render, findAll } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/kmip/page/configuration-test.js b/ui/tests/integration/components/kmip/page/configuration-test.js
index 8ac885c314..eb391e2908 100644
--- a/ui/tests/integration/components/kmip/page/configuration-test.js
+++ b/ui/tests/integration/components/kmip/page/configuration-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kmip/page/configure-test.js b/ui/tests/integration/components/kmip/page/configure-test.js
index 0214211c87..8d083f3aab 100644
--- a/ui/tests/integration/components/kmip/page/configure-test.js
+++ b/ui/tests/integration/components/kmip/page/configure-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kmip/page/credentials-test.js b/ui/tests/integration/components/kmip/page/credentials-test.js
index 7528824f04..d269009098 100644
--- a/ui/tests/integration/components/kmip/page/credentials-test.js
+++ b/ui/tests/integration/components/kmip/page/credentials-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kmip/page/credentials/generate-test.js b/ui/tests/integration/components/kmip/page/credentials/generate-test.js
index b26682f15c..dd5046a4a0 100644
--- a/ui/tests/integration/components/kmip/page/credentials/generate-test.js
+++ b/ui/tests/integration/components/kmip/page/credentials/generate-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kmip/page/role-test.js b/ui/tests/integration/components/kmip/page/role-test.js
index a1bc009a17..db0b9ac82a 100644
--- a/ui/tests/integration/components/kmip/page/role-test.js
+++ b/ui/tests/integration/components/kmip/page/role-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { click, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/kmip/page/scope/roles-test.js b/ui/tests/integration/components/kmip/page/scope/roles-test.js
index a601ae5fc9..9af007d016 100644
--- a/ui/tests/integration/components/kmip/page/scope/roles-test.js
+++ b/ui/tests/integration/components/kmip/page/scope/roles-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kmip/page/scopes-test.js b/ui/tests/integration/components/kmip/page/scopes-test.js
index 1dc3fe05de..b214494e8c 100644
--- a/ui/tests/integration/components/kmip/page/scopes-test.js
+++ b/ui/tests/integration/components/kmip/page/scopes-test.js
@@ -3,15 +3,16 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { setupEngine } from 'ember-engines/test-support';
-import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { setupEngine } from 'ember-engines/test-support';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import hbs from 'htmlbars-inline-precompile';
+import { module, test } from 'qunit';
 import sinon from 'sinon';
-import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import SecretsEngineResource from 'vault/resources/secrets/engine';
 import { getErrorResponse } from 'vault/tests/helpers/api/error-response';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 module('Integration | Component | kmip | Page::Scopes', function (hooks) {
   setupRenderingTest(hooks);
@@ -20,6 +21,7 @@ module('Integration | Component | kmip | Page::Scopes', function (hooks) {
 
   hooks.beforeEach(function () {
     this.backend = 'kmip-test';
+    this.secretsEngine = new SecretsEngineResource({ path: this.backend, type: 'kmip' });
     this.owner.lookup('service:secret-mount-path').update(this.backend);
 
     const { secrets } = this.owner.lookup('service:api');
@@ -51,7 +53,7 @@ module('Integration | Component | kmip | Page::Scopes', function (hooks) {
 
     this.renderComponent = () =>
       render(
-        hbs`<Page::Scopes @scopes={{this.scopes}} @capabilities={{this.capabilities}} @filterValue={{this.filterValue}} />`,
+        hbs`<Page::Scopes @secretsEngine={{this.secretsEngine}} @scopes={{this.scopes}} @capabilities={{this.capabilities}} @filterValue={{this.filterValue}} />`,
         { owner: this.engine }
       );
   });
diff --git a/ui/tests/integration/components/kmip/page/scopes/create-test.js b/ui/tests/integration/components/kmip/page/scopes/create-test.js
index 14e12a5c8c..14af48b368 100644
--- a/ui/tests/integration/components/kmip/page/scopes/create-test.js
+++ b/ui/tests/integration/components/kmip/page/scopes/create-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kmip/role-form-test.js b/ui/tests/integration/components/kmip/role-form-test.js
index 71b3add69f..719a38d332 100644
--- a/ui/tests/integration/components/kmip/role-form-test.js
+++ b/ui/tests/integration/components/kmip/role-form-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { click, fillIn, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/known-secondaries-card-test.js b/ui/tests/integration/components/known-secondaries-card-test.js
index 682ac2f590..47e3ebf0f9 100644
--- a/ui/tests/integration/components/known-secondaries-card-test.js
+++ b/ui/tests/integration/components/known-secondaries-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/known-secondaries-table-test.js b/ui/tests/integration/components/known-secondaries-table-test.js
index ea23aaad2d..7c602b5f54 100644
--- a/ui/tests/integration/components/known-secondaries-table-test.js
+++ b/ui/tests/integration/components/known-secondaries-table-test.js
@@ -5,7 +5,7 @@
 
 /* eslint qunit/no-conditional-assertions: "warn" */
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/kubernetes/config-cta-test.js b/ui/tests/integration/components/kubernetes/config-cta-test.js
index b2267ac8b4..7f7814c810 100644
--- a/ui/tests/integration/components/kubernetes/config-cta-test.js
+++ b/ui/tests/integration/components/kubernetes/config-cta-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kubernetes/kubernetes-header-test.js b/ui/tests/integration/components/kubernetes/kubernetes-header-test.js
index a15e09789f..f72b387080 100644
--- a/ui/tests/integration/components/kubernetes/kubernetes-header-test.js
+++ b/ui/tests/integration/components/kubernetes/kubernetes-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kubernetes/page/configuration-test.js b/ui/tests/integration/components/kubernetes/page/configuration-test.js
index 228452c203..e9f10b4823 100644
--- a/ui/tests/integration/components/kubernetes/page/configuration-test.js
+++ b/ui/tests/integration/components/kubernetes/page/configuration-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
@@ -82,7 +82,7 @@ module('Integration | Component | kubernetes | Page::Configuration', function (h
 
     assert.dom('[data-test-row-label="Certificate"]').exists('Certificate label renders');
     assert.dom('[data-test-certificate-card]').exists('Certificate card component renders');
-    assert.dom('[data-test-certificate-icon]').hasClass('hds-icon-certificate', 'Certificate icon renders');
+    assert.dom(GENERAL.icon('certificate')).exists();
     assert.dom(GENERAL.copyButton).exists('Certificate copy button renders');
     assert.dom('[data-test-certificate-label]').hasText('PEM Format', 'Certificate label renders');
     assert
diff --git a/ui/tests/integration/components/kubernetes/page/configure-test.js b/ui/tests/integration/components/kubernetes/page/configure-test.js
index 605c0328ba..6ce86f8a56 100644
--- a/ui/tests/integration/components/kubernetes/page/configure-test.js
+++ b/ui/tests/integration/components/kubernetes/page/configure-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kubernetes/page/credentials-test.js b/ui/tests/integration/components/kubernetes/page/credentials-test.js
index c56f9f63f1..ad63bde138 100644
--- a/ui/tests/integration/components/kubernetes/page/credentials-test.js
+++ b/ui/tests/integration/components/kubernetes/page/credentials-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import sinon from 'sinon';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kubernetes/page/overview-test.js b/ui/tests/integration/components/kubernetes/page/overview-test.js
index e4f4f68357..05b3531d4f 100644
--- a/ui/tests/integration/components/kubernetes/page/overview-test.js
+++ b/ui/tests/integration/components/kubernetes/page/overview-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kubernetes/page/role/create-and-edit-test.js b/ui/tests/integration/components/kubernetes/page/role/create-and-edit-test.js
index 3e18e026e7..1289f1fd91 100644
--- a/ui/tests/integration/components/kubernetes/page/role/create-and-edit-test.js
+++ b/ui/tests/integration/components/kubernetes/page/role/create-and-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn, waitFor, settled } from '@ember/test-helpers';
@@ -34,6 +34,14 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
 
     this.writeStub = sinon.stub(this.owner.lookup('service:api').secrets, 'kubernetesWriteRole').resolves();
 
+    this.basicPayload = {
+      kubernetes_role_type: '',
+      kubernetes_role_name: '',
+      generated_role_rules: '',
+      name_template: '',
+      service_account_name: 'default',
+    };
+
     this.setupEdit = (trait) => {
       const role = this.server.create('kubernetes-role', trait);
       this.form = new KubernetesRoleForm(role);
@@ -47,6 +55,7 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
       { label: 'Roles', route: 'roles' },
       { label: 'Create' },
     ];
+
     setRunOptions({
       rules: {
         // TODO: fix RadioCard component (replace with HDS)
@@ -109,7 +118,7 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
     await click('[data-test-radio-card="expanded"]');
     assert.strictEqual(
       this.form.data.service_account_name,
-      undefined,
+      '',
       'Service account name cleared when switching from basic to expanded'
     );
 
@@ -117,7 +126,7 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
     await click('[data-test-radio-card="full"]');
     assert.strictEqual(
       this.form.data.kubernetes_role_name,
-      undefined,
+      '',
       'Kubernetes role name cleared when switching from expanded to full'
     );
 
@@ -128,28 +137,44 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
     await click('[data-test-radio-card="expanded"]');
     assert.strictEqual(
       this.form.data.generated_role_rules,
-      undefined,
+      '',
       'Role rules cleared when switching from full to expanded'
     );
 
     await click('[data-test-radio-card="basic"]');
     assert.strictEqual(
       this.form.data.kubernetes_role_type,
-      undefined,
+      '',
       'Kubernetes role type cleared when switching from expanded to basic'
     );
     assert.strictEqual(
       this.form.data.kubernetes_role_name,
-      undefined,
+      '',
       'Kubernetes role name cleared when switching from expanded to basic'
     );
     assert.strictEqual(
       this.form.data.name_template,
-      undefined,
+      '',
       'Name template cleared when switching from expanded to basic'
     );
   });
 
+  test('it should send cleared fields in payload when editing role and change generation preference', async function (assert) {
+    this.role = this.setupEdit();
+    await this.renderComponent();
+
+    await click('[data-test-radio-card="expanded"]');
+    await fillIn(GENERAL.inputByAttr('kubernetes_role_name'), 'test');
+    await click(GENERAL.submitButton);
+
+    const payload = this.writeStub.lastCall.args[2];
+    assert.propContains(
+      payload,
+      { service_account_name: '', kubernetes_role_name: 'test' },
+      'Payload contains cleared and updated fields when switching generation preference on edit'
+    );
+  });
+
   test('it should update code editor when template selection changes', async function (assert) {
     await this.renderComponent();
 
@@ -204,7 +229,7 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
     await click(GENERAL.submitButton);
 
     assert.true(
-      this.writeStub.calledWith(name, this.backend, { ...this.payload, service_account_name: 'default' }),
+      this.writeStub.calledWith(name, this.backend, this.basicPayload),
       'Write role request made with correct params'
     );
     assert.true(
@@ -314,8 +339,9 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
     await click(GENERAL.submitButton);
 
     const { rules } = getRules().find((r) => r.id === '5');
+    const payload = { kubernetes_role_name: '', service_account_name: '', generated_role_rules: rules };
     assert.true(
-      this.writeStub.calledWith('role-1', this.backend, { generated_role_rules: rules }),
+      this.writeStub.calledWith('role-1', this.backend, payload),
       'Generated roles rules are passed in save request'
     );
   });
@@ -323,11 +349,6 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
   test('it should unset selectedTemplateId when switching from full generation preference', async function (assert) {
     assert.expect(1);
 
-    this.server.post('/kubernetes-test/roles/role-1', (schema, req) => {
-      const payload = JSON.parse(req.requestBody);
-      assert.strictEqual(payload.generated_role_rules, null, 'Generated roles rules are not set');
-    });
-
     await this.renderComponent();
     await click('[data-test-radio-card="full"]');
     await fillIn(GENERAL.inputByAttr('name'), 'role-1');
@@ -336,7 +357,7 @@ module('Integration | Component | kubernetes | Page::Role::CreateAndEdit', funct
     await fillIn(GENERAL.inputByAttr('service_account_name'), 'default');
     await click(GENERAL.submitButton);
     assert.true(
-      this.writeStub.calledWith('role-1', this.backend, { service_account_name: 'default' }),
+      this.writeStub.calledWith('role-1', this.backend, this.basicPayload),
       'Save request made successfully without generated role rules'
     );
   });
diff --git a/ui/tests/integration/components/kubernetes/page/role/details-test.js b/ui/tests/integration/components/kubernetes/page/role/details-test.js
index 3930ea75ca..3004ef8deb 100644
--- a/ui/tests/integration/components/kubernetes/page/role/details-test.js
+++ b/ui/tests/integration/components/kubernetes/page/role/details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kubernetes/page/roles-test.js b/ui/tests/integration/components/kubernetes/page/roles-test.js
index 2ef2419ae4..999c6b35b6 100644
--- a/ui/tests/integration/components/kubernetes/page/roles-test.js
+++ b/ui/tests/integration/components/kubernetes/page/roles-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/kv-object-editor-test.js b/ui/tests/integration/components/kv-object-editor-test.js
index 598d2acf38..fb8fa15e41 100644
--- a/ui/tests/integration/components/kv-object-editor-test.js
+++ b/ui/tests/integration/components/kv-object-editor-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/kv-suggestion-input-test.js b/ui/tests/integration/components/kv-suggestion-input-test.js
index adc3c309ee..70f919c361 100644
--- a/ui/tests/integration/components/kv-suggestion-input-test.js
+++ b/ui/tests/integration/components/kv-suggestion-input-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, typeIn } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/kv/kv-paths-card-test.js b/ui/tests/integration/components/kv/kv-paths-card-test.js
index d79063bf35..d305438063 100644
--- a/ui/tests/integration/components/kv/kv-paths-card-test.js
+++ b/ui/tests/integration/components/kv/kv-paths-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render, click, findAll } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-configuration-test.js b/ui/tests/integration/components/kv/page/kv-page-configuration-test.js
index ff317490c0..721df11106 100644
--- a/ui/tests/integration/components/kv/page/kv-page-configuration-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-configuration-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-configure-test.js b/ui/tests/integration/components/kv/page/kv-page-configure-test.js
index 36c273ff09..1f96b16b67 100644
--- a/ui/tests/integration/components/kv/page/kv-page-configure-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-configure-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-list-test.js b/ui/tests/integration/components/kv/page/kv-page-list-test.js
index 07d1c6c95d..b42b3c876f 100644
--- a/ui/tests/integration/components/kv/page/kv-page-list-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-list-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render, click, fillIn, typeIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-metadata-details-test.js b/ui/tests/integration/components/kv/page/kv-page-metadata-details-test.js
index 7fdf72342b..fe8e8de350 100644
--- a/ui/tests/integration/components/kv/page/kv-page-metadata-details-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-metadata-details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-metadata-edit-test.js b/ui/tests/integration/components/kv/page/kv-page-metadata-edit-test.js
index 1dd59e06a6..2a443f8583 100644
--- a/ui/tests/integration/components/kv/page/kv-page-metadata-edit-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-metadata-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, fillIn, click } from '@ember/test-helpers';
@@ -122,7 +122,10 @@ module('Integration | Component | kv-v2 | Page::Secret::Metadata::Edit', functio
     await click(FORM.saveBtn);
     assert
       .dom(FORM.validationError('max_versions'))
-      .hasText('Maximum versions must be a number.', 'Validation message is shown for max_versions');
+      .hasText(
+        'Maximum versions must be a non-negative number.',
+        'Validation message is shown for max_versions'
+      );
 
     await click(FORM.cancelBtn);
     assert.true(this.onCancel.called, 'onCancel action is called');
diff --git a/ui/tests/integration/components/kv/page/kv-page-overview-test.js b/ui/tests/integration/components/kv/page/kv-page-overview-test.js
index 79f594788e..42fd70cf9a 100644
--- a/ui/tests/integration/components/kv/page/kv-page-overview-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-overview-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-patch-test.js b/ui/tests/integration/components/kv/page/kv-page-patch-test.js
index 5c1acb661e..74a7a532e7 100644
--- a/ui/tests/integration/components/kv/page/kv-page-patch-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-patch-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { blur, click, fillIn, find, render, waitUntil } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js b/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
index 0cebeb195d..a796c63358 100644
--- a/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-secret-details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { click, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js b/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js
index 84be1d74d4..63d0778320 100644
--- a/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-secret-paths-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/kv/page/kv-page-version-diff-test.js b/ui/tests/integration/components/kv/page/kv-page-version-diff-test.js
index 888c318ae5..8353527513 100644
--- a/ui/tests/integration/components/kv/page/kv-page-version-diff-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-version-diff-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, findAll, render } from '@ember/test-helpers';
@@ -99,7 +99,7 @@ module('Integration | Component | kv-v2 | Page::Secret::Metadata::VersionDiff',
     await render(
       hbs`
        <Page::Secret::Metadata::VersionDiff
-        @metadata={{this.metadata}} 
+        @metadata={{this.metadata}}
         @path={{this.path}}
         @backend={{this.backend}}
         @breadcrumbs={{this.breadcrumbs}}
diff --git a/ui/tests/integration/components/kv/page/kv-page-version-history-test.js b/ui/tests/integration/components/kv/page/kv-page-version-history-test.js
index 3fab702243..a472ce76e9 100644
--- a/ui/tests/integration/components/kv/page/kv-page-version-history-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-version-history-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { click, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/components/ldap/accounts-checked-out-test.js b/ui/tests/integration/components/ldap/accounts-checked-out-test.js
index 35796c2992..358a15052d 100644
--- a/ui/tests/integration/components/ldap/accounts-checked-out-test.js
+++ b/ui/tests/integration/components/ldap/accounts-checked-out-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/config-cta-test.js b/ui/tests/integration/components/ldap/config-cta-test.js
index 4e58ac6ac4..6230d306a9 100644
--- a/ui/tests/integration/components/ldap/config-cta-test.js
+++ b/ui/tests/integration/components/ldap/config-cta-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/configuration-test.js b/ui/tests/integration/components/ldap/page/configuration-test.js
index ebefe50142..75e90a6d53 100644
--- a/ui/tests/integration/components/ldap/page/configuration-test.js
+++ b/ui/tests/integration/components/ldap/page/configuration-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/configure-test.js b/ui/tests/integration/components/ldap/page/configure-test.js
index 503965913f..212a2103dc 100644
--- a/ui/tests/integration/components/ldap/page/configure-test.js
+++ b/ui/tests/integration/components/ldap/page/configure-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/ldap/page/libraries-test.js b/ui/tests/integration/components/ldap/page/libraries-test.js
index d39113dd81..004cb143f4 100644
--- a/ui/tests/integration/components/ldap/page/libraries-test.js
+++ b/ui/tests/integration/components/ldap/page/libraries-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/library/check-out-test.js b/ui/tests/integration/components/ldap/page/library/check-out-test.js
index 7a54f49b39..6c1ca177b9 100644
--- a/ui/tests/integration/components/ldap/page/library/check-out-test.js
+++ b/ui/tests/integration/components/ldap/page/library/check-out-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { render, click } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js b/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js
index 2cd62f6e3b..070a2d96c5 100644
--- a/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js
+++ b/ui/tests/integration/components/ldap/page/library/create-and-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/library/details-test.js b/ui/tests/integration/components/ldap/page/library/details-test.js
index 2982633db5..9b69d58026 100644
--- a/ui/tests/integration/components/ldap/page/library/details-test.js
+++ b/ui/tests/integration/components/ldap/page/library/details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/library/details/accounts-test.js b/ui/tests/integration/components/ldap/page/library/details/accounts-test.js
index 113a033d90..d51cbda091 100644
--- a/ui/tests/integration/components/ldap/page/library/details/accounts-test.js
+++ b/ui/tests/integration/components/ldap/page/library/details/accounts-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/library/details/configuration-test.js b/ui/tests/integration/components/ldap/page/library/details/configuration-test.js
index a19436ddaf..0540991293 100644
--- a/ui/tests/integration/components/ldap/page/library/details/configuration-test.js
+++ b/ui/tests/integration/components/ldap/page/library/details/configuration-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/overview-test.js b/ui/tests/integration/components/ldap/page/overview-test.js
index efee1d640c..f49dbf797a 100644
--- a/ui/tests/integration/components/ldap/page/overview-test.js
+++ b/ui/tests/integration/components/ldap/page/overview-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/role/create-and-edit-test.js b/ui/tests/integration/components/ldap/page/role/create-and-edit-test.js
index e469725fa0..302c50a8a2 100644
--- a/ui/tests/integration/components/ldap/page/role/create-and-edit-test.js
+++ b/ui/tests/integration/components/ldap/page/role/create-and-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/role/credentials-test.js b/ui/tests/integration/components/ldap/page/role/credentials-test.js
index 677e930412..8966a53f62 100644
--- a/ui/tests/integration/components/ldap/page/role/credentials-test.js
+++ b/ui/tests/integration/components/ldap/page/role/credentials-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/role/details-test.js b/ui/tests/integration/components/ldap/page/role/details-test.js
index 537ebf06a5..2dd438b230 100644
--- a/ui/tests/integration/components/ldap/page/role/details-test.js
+++ b/ui/tests/integration/components/ldap/page/role/details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/page/roles-test.js b/ui/tests/integration/components/ldap/page/roles-test.js
index cc9f39d786..80117741f3 100644
--- a/ui/tests/integration/components/ldap/page/roles-test.js
+++ b/ui/tests/integration/components/ldap/page/roles-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/ldap/tab-page-header-test.js b/ui/tests/integration/components/ldap/tab-page-header-test.js
index eaaedf9ecf..734297bec0 100644
--- a/ui/tests/integration/components/ldap/tab-page-header-test.js
+++ b/ui/tests/integration/components/ldap/tab-page-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/license-banners-test.js b/ui/tests/integration/components/license-banners-test.js
index ce40fd83f1..5b8ba0d683 100644
--- a/ui/tests/integration/components/license-banners-test.js
+++ b/ui/tests/integration/components/license-banners-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import sinon from 'sinon';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import subDays from 'date-fns/subDays';
diff --git a/ui/tests/integration/components/license-info-test.js b/ui/tests/integration/components/license-info-test.js
index 0c93855600..3bf35cdd59 100644
--- a/ui/tests/integration/components/license-info-test.js
+++ b/ui/tests/integration/components/license-info-test.js
@@ -5,7 +5,7 @@
 
 import { addMinutes } from 'date-fns';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { create } from 'ember-cli-page-object';
diff --git a/ui/tests/integration/components/link-status-test.js b/ui/tests/integration/components/link-status-test.js
index 7c872dd43d..66c972b441 100644
--- a/ui/tests/integration/components/link-status-test.js
+++ b/ui/tests/integration/components/link-status-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
diff --git a/ui/tests/integration/components/list-table-test.js b/ui/tests/integration/components/list-table-test.js
index d1fc3f4d0b..90ec5af71e 100644
--- a/ui/tests/integration/components/list-table-test.js
+++ b/ui/tests/integration/components/list-table-test.js
@@ -4,10 +4,11 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { click, fillIn, render, waitFor, find } from '@ember/test-helpers';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { click, fillIn, render, waitFor } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import sinon from 'sinon';
 
 const MOCK_DATA = [
   { island: 'Maldives', visit_length: 5, trip_date: '2025-06-22T00:00:00.000Z' },
@@ -21,33 +22,35 @@ module('Integration | Component | list-table', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(async function () {
-    this.data = undefined;
+    this.data = MOCK_DATA;
+    this.onSelectionChange = undefined;
+    this.selectionKeyField = undefined;
     this.columns = [
       { key: 'island', label: 'Islands', isSortable: true },
       { key: 'visit_length', label: 'Visit length', customTableItem: true },
       { key: 'trip_date', label: 'Date trip starts' },
       { key: 'popupMenu', label: 'Action' },
     ];
-    this;
 
     this.renderComponent = async () => {
       return render(hbs`
           <ListTable
             @columns={{this.columns}}
             @data={{this.data}}
-            @selectionKey="island"
+            @selectionKeyField={{this.selectionKeyField}}
+            @onSelectionChange={{this.onSelectionChange}}
           >
             <:customTableItem as |itemData|>
-            Custom Table Item rendered!
+              <Hds::BadgeCount @text={{itemData.visit_length}} @type="outlined" />
             </:customTableItem>
 
             <:popupMenu as |rowData|>
-            <Hds::Dropdown as |D|>
-            <D.ToggleButton @text="Menu" data-test-popup-menu-trigger />
-            <D.Title @text="Title Text" />
-            <D.Description @text="Sample text" />
-            <D.Interactive @route="components" @icon="trash" @color="critical">Delete</D.Interactive>
-            </Hds::Dropdown>
+              <Hds::Dropdown as |D|>
+              <D.ToggleButton @text="Menu" data-test-popup-menu-trigger />
+              <D.Title @text={{rowData.island}} />
+              <D.Description @text="Sample text" />
+              <D.Interactive @route="components" @icon="trash" @color="critical">Delete</D.Interactive>
+              </Hds::Dropdown>
             </:popupMenu>
 
           </ListTable>`);
@@ -55,59 +58,153 @@ module('Integration | Component | list-table', function (hooks) {
   });
 
   test('it renders and paginates data', async function (assert) {
-    this.data = MOCK_DATA;
     await this.renderComponent();
+    assert.dom('input[type="checkbox"]').doesNotExist('table is not selectable by default');
     assert.dom(GENERAL.paginationInfo).hasText(`1–6 of ${this.data.length}`);
-
-    await fillIn(GENERAL.paginationSizeSelector, '5'); // Default is 10, so change to something else
+    // Default is 10, so change to something else to test pagination
+    await fillIn(GENERAL.paginationSizeSelector, '5');
+    assert.dom(GENERAL.paginationInfo).hasText(`1–5 of ${this.data.length}`);
+    assert.dom(GENERAL.tableRow()).exists({ count: 5 }, 'only 5 rows render');
     await click(GENERAL.nextPage);
-    assert.dom(GENERAL.tableRow('Seychelles', 'island')).exists('it paginates the data');
+    assert.dom(GENERAL.paginationInfo).hasText(`6–6 of ${this.data.length}`);
+    assert.dom(GENERAL.tableRow()).exists({ count: 1 }, 'only 1 row renders on second page');
+    assert.dom(GENERAL.tableData(0, 'island')).hasText('Seychelles', 'second page has expected row');
+  });
+
+  test('it does not render popup menu if @columns does not include a popupMenu key', async function (assert) {
+    this.columns = [
+      { key: 'island', label: 'Islands', isSortable: true },
+      { key: 'visit_length', label: 'Visit length', customTableItem: true },
+      { key: 'trip_date', label: 'Date trip starts' },
+    ];
+    await this.renderComponent();
+    assert.dom(GENERAL.menuTrigger).doesNotExist();
+  });
+
+  test('it stringifies object and array values for non-custom columns', async function (assert) {
+    this.columns = [
+      { key: 'island', label: 'Islands' },
+      { key: 'trip_details', label: 'Trip details' },
+      { key: 'tags', label: 'Tags' },
+    ];
+    this.data = [
+      {
+        island: 'Maldives',
+        trip_details: { hotel: 'Atoll Inn', nights: 5 },
+        tags: ['beach', 'snorkel'],
+      },
+    ];
+
+    await this.renderComponent();
+    assert.dom(GENERAL.tableData(0, 'trip_details')).hasText('{ "hotel": "Atoll Inn", "nights": 5 }');
+    assert.dom(GENERAL.tableData(0, 'tags')).hasText('[ "beach", "snorkel" ]');
+  });
+
+  test('it does not render popup menu if parent does not yield one', async function (assert) {
+    await render(hbs`
+          <ListTable
+            @columns={{this.columns}}
+            @data={{this.data}}
+            @selectionKeyField={{this.selectionKeyField}}
+            @onSelectionChange={{this.onSelectionChange}}
+          />`);
+    assert.dom(GENERAL.menuTrigger).doesNotExist();
   });
 
   test('it sorts table data by a sortable column', async function (assert) {
-    this.data = MOCK_DATA;
-    const assertSortOrder = (expectedValues, { column, page }) => {
-      expectedValues.forEach((value, idx) => {
-        assert
-          .dom(GENERAL.tableData(value, column))
-          .hasText(value, `page ${page}, row ${idx} has ${column}: ${value}`);
-      });
-    };
-
     await this.renderComponent();
-    const column = find(GENERAL.icon('swap-vertical'));
-    await click(column);
-    assertSortOrder(['Bora Bora', 'Fiji', 'Maldives', 'Maui', 'Santorini', 'Seychelles'], {
-      column: 'island',
-      page: 1,
+    await click(GENERAL.icon('swap-vertical'));
+    const expectedOrder = ['Bora Bora', 'Fiji', 'Maldives', 'Maui', 'Santorini', 'Seychelles'];
+    expectedOrder.forEach((island, idx) => {
+      assert.dom(GENERAL.tableData(idx, 'island')).hasText(island);
     });
   });
 
   test('action column renders provided yield block with popup menu', async function (assert) {
-    this.data = MOCK_DATA;
     await this.renderComponent();
-
-    assert.dom(GENERAL.tableData('Maldives', 'popupMenu')).exists('action column renders');
-    assert.dom(GENERAL.menuTrigger).exists('button trigger exists for popup menu');
+    assert.dom(GENERAL.menuTrigger).exists({ count: this.data.length }, 'popup trigger exists for each item');
+    await click(`${GENERAL.tableRow(2)} ${GENERAL.menuTrigger}`);
+    assert.dom('li').hasText(this.data[2].island, 'popup menu renders relevant row data');
   });
 
-  test('selectable column renders when isSelectable is true', async function (assert) {
-    this.data = MOCK_DATA;
+  test('selectable checkboxes render and are selectable when selectionKeyField is provided', async function (assert) {
+    this.selectionKeyField = 'island';
+    const count = this.data.length + 1;
+    this.onSelectionChange = sinon.spy();
     await this.renderComponent();
-
     assert
-      .dom(`${GENERAL.tableRow('Maldives')} > .hds-advanced-table__th`)
-      .hasClass('hds-advanced-table__th--is-selectable', 'selectable column renders for row');
+      .dom('input[type="checkbox"]')
+      .exists({ count }, 'it renders a checkbox for each row plus the header to select all');
+    assert
+      .dom(`${GENERAL.tableRow(0)} input[type="checkbox"]`)
+      .hasAttribute(
+        'aria-label',
+        `Select row ${this.data[0][this.selectionKeyField]}`,
+        'selection aria label suffix uses selectionKeyField in value'
+      );
+    await click(`${GENERAL.tableRow(0)} input[type="checkbox"]`);
+    await click(`${GENERAL.tableRow(2)} input[type="checkbox"]`);
+    assert.true(this.onSelectionChange.calledTwice, 'onSelectionChange is called twice');
+    const [callbackArgs] = this.onSelectionChange.lastCall.args;
+    const { selectionKey, selectedRowsKeys, selectableRowsStates } = callbackArgs;
+    const lastItemSelected = this.data[2];
+    assert.strictEqual(selectionKey, lastItemSelected.island, 'selectionKey is last selected row');
+    assert.propEqual(selectedRowsKeys, ['Maldives', 'Fiji'], 'callback passes selectedRowKeys');
+    const expectedRowStates = [
+      { selectionKey: 'Maldives', isSelected: true },
+      { selectionKey: 'Bora Bora', isSelected: false },
+      { selectionKey: 'Fiji', isSelected: true },
+      { selectionKey: 'Santorini', isSelected: false },
+      { selectionKey: 'Maui', isSelected: false },
+      { selectionKey: 'Seychelles', isSelected: false },
+    ];
+    assert.propEqual(selectableRowsStates, expectedRowStates, 'callback contains selectableRowsStates');
+  });
+
+  test('it is still selectable when selection callback is not provided', async function (assert) {
+    this.selectionKeyField = 'island';
+    await this.renderComponent();
+    assert.dom('input[type="checkbox"]').exists({ count: this.data.length + 1 });
+    const firstRowCheckbox = '[data-test-table-row="0"] input[type="checkbox"]';
+    await click(firstRowCheckbox);
+    assert.dom(firstRowCheckbox).isChecked('row checkbox can be toggled without @onSelectionChange');
   });
 
-  // check that a custom item block will render
   test('custom item renders provided yield block with customTableItem for a column has customTableItem set to true', async function (assert) {
-    this.data = MOCK_DATA;
+    await this.renderComponent();
+    assert
+      .dom(`${GENERAL.tableData(0, 'visit_length')} .hds-badge-count`)
+      .hasText('5', 'custom table item renders yielded badge');
+  });
+
+  test('it shows first page data and correct metadata when navigated page exceeds new data bounds', async function (assert) {
+    const moreData = [
+      { island: 'Tahiti', visit_length: 12, trip_date: '2025-05-10T00:00:00.000Z' },
+      { island: 'Barbados', visit_length: 6, trip_date: '2025-08-25T00:00:00.000Z' },
+      { island: 'Cyprus', visit_length: 9, trip_date: '2026-03-12T00:00:00.000Z' },
+      { island: 'Jamaica', visit_length: 7, trip_date: '2025-11-05T00:00:00.000Z' },
+    ];
+    this.data = [...MOCK_DATA, ...moreData];
     await this.renderComponent();
 
+    await fillIn(GENERAL.paginationSizeSelector, '5');
+    await click(GENERAL.nextPage);
+    assert.dom(GENERAL.paginationInfo).hasText(`6–10 of ${this.data.length}`, 'navigated to page 2');
+
+    // Replace data with fewer items than current page offset such that page 2 no longer exists
+    this.set('data', [
+      { island: 'Palawan', visit_length: 9, trip_date: '2025-11-14T00:00:00.000Z' },
+      { island: 'Mykonos', visit_length: 3, trip_date: '2026-02-28T00:00:00.000Z' },
+    ]);
+
+    await waitFor(GENERAL.paginationInfo);
     assert
-      .dom(GENERAL.tableData('Maldives', 'visit_length'))
-      .hasText('Custom Table Item rendered!', 'custom item renders');
+      .dom(GENERAL.paginationInfo)
+      .hasText(
+        `1–2 of ${this.data.length}`,
+        'falls back to page 1 when current page exceeds new data bounds'
+      );
+    assert.dom(GENERAL.tableData(0, 'island')).hasText('Palawan', 'first page data is shown after fallback');
   });
 
   test('it resets pagination when data changes', async function (assert) {
@@ -122,7 +219,6 @@ module('Integration | Component | list-table', function (hooks) {
     this.data = [...MOCK_DATA, ...moreData];
     await this.renderComponent();
     await click(GENERAL.nextPage);
-    ``;
     assert.dom(GENERAL.paginationInfo).hasText(`11–12 of ${this.data.length}`, 'it navigates to next page');
     // Changing the @data arg should trigger an update and reset pagination
     this.set('data', [
diff --git a/ui/tests/integration/components/list-test.js b/ui/tests/integration/components/list-test.js
index e16fb0a2ae..3bfddda5d9 100644
--- a/ui/tests/integration/components/list-test.js
+++ b/ui/tests/integration/components/list-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
-import { render, click, findAll, triggerEvent, fillIn, find } from '@ember/test-helpers';
+import { render, click, findAll, triggerEvent, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { v4 as uuidv4 } from 'uuid';
 import sinon from 'sinon';
@@ -15,6 +15,10 @@ import { createSecretsEngine } from 'vault/tests/helpers/secret-engine/secret-en
 import { SECRET_ENGINE_SELECTORS as SES } from 'vault/tests/helpers/secret-engine/secret-engine-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
+const SELECTORS = {
+  intro: '[data-test-intro]',
+};
+
 module('Integration | Component | secret-engine/list', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
@@ -58,11 +62,8 @@ module('Integration | Component | secret-engine/list', function (hooks) {
     });
     await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
 
-    assert
-      .dom(GENERAL.tableData(`${enginePath}/`, 'path'))
-      .exists('shows the link for the kvv2 secrets engine');
-    const row = GENERAL.tableRow(`${enginePath}/`);
-    await click(`${row} ${GENERAL.menuTrigger}`);
+    assert.dom(GENERAL.linkTo(`${enginePath}/`)).exists('shows the link for the kvv2 secrets engine');
+    await click(`${GENERAL.listItem(`${enginePath}/`)} ${GENERAL.menuTrigger}`);
     await click(GENERAL.menuItem('Delete'));
     await click(GENERAL.confirmButton);
 
@@ -125,13 +126,10 @@ module('Integration | Component | secret-engine/list', function (hooks) {
 
   test('path name does not render as link for unsupported secret engines', async function (assert) {
     await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
-    const unsupportedPath = find(`${GENERAL.tableData('nomad-test/', 'path')} a`);
     assert
-      .dom(unsupportedPath)
+      .dom(GENERAL.linkTo('nomad-test/'))
       .doesNotExist(`path text doesn't render as a link for unsupported nomad engine.`);
-
-    const supportedPath = find(`${GENERAL.tableData('aws-1/', 'path')} a`);
-    assert.dom(supportedPath).exists(`path text renders as a link for supported aws engines.`);
+    assert.dom(GENERAL.linkTo('aws-1/')).exists(`path text renders as a link for supported aws engines.`);
   });
 
   test('it filters by engine path and engine type', async function (assert) {
@@ -175,39 +173,53 @@ module('Integration | Component | secret-engine/list', function (hooks) {
   test('it applies overflow styling', async function (assert) {
     await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
     assert
-      .dom(GENERAL.tableData('aws-1/', 'path'))
-      .hasClass('text-overflow-ellipsis', 'secret engine name has text overflow class ');
+      .dom(GENERAL.tableData(0, 'path'))
+      .hasClass('text-overflow-ellipsis', 'secret engine path has text overflow class ');
   });
 
-  test('it shows the intro page when only default engines are enabled', async function (assert) {
-    // Only cubbyhole engine exists (default engine)
-    const defaultEngines = [createSecretsEngine(undefined, 'cubbyhole', 'cubbyhole')];
-    this.secretEngineModels = defaultEngines;
+  module('Intro page', function (hooks) {
+    hooks.beforeEach(function () {
+      // clear local storage to reset dismissed wizard state
+      localStorage.clear();
+    });
 
-    await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
+    test('it shows the intro page when only default engines are enabled', async function (assert) {
+      // Only cubbyhole engine exists (default engine)
+      const defaultEngines = [createSecretsEngine(undefined, 'cubbyhole', 'cubbyhole')];
+      this.secretEngineModels = defaultEngines;
 
-    assert.dom('[data-test-intro]').exists('Intro page is shown');
-    assert.dom(GENERAL.button('intro')).exists('Shows intro button');
-    assert.dom(GENERAL.button('Skip')).exists('Shows skip button');
-  });
+      await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
 
-  test('it does not show the intro page when other engines exist', async function (assert) {
-    // Has engines beyond the default cubbyhole
-    await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
+      assert.dom(SELECTORS.intro).exists('Intro page is shown');
+      assert.dom(GENERAL.button('enable')).exists('Shows enable button');
+      assert.dom(GENERAL.button('Skip')).exists('Shows skip button');
+    });
 
-    assert.dom('[data-test-intro]').doesNotExist('Intro modal is not shown when engines exist');
-    assert.dom(GENERAL.button('intro')).doesNotExist('Intro button is not shown');
-  });
+    test('it does not show the intro page when other engines exist', async function (assert) {
+      // Has engines beyond the default cubbyhole
+      await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
 
-  test('it can show the intro modal after dismissal', async function (assert) {
-    const defaultEngines = [createSecretsEngine(undefined, 'cubbyhole', 'cubbyhole')];
-    this.secretEngineModels = defaultEngines;
+      assert.dom(SELECTORS.intro).doesNotExist('Intro modal is not shown when engines exist');
+      assert.dom(GENERAL.button('intro')).doesNotExist('Intro button is not shown');
+    });
 
-    await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
-    await click(GENERAL.button('Skip'));
-    assert.dom('[data-test-intro]').doesNotExist('Intro is dismissed');
+    test('it does not show the intro page when a filter has no results', async function (assert) {
+      await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
+      await fillIn(GENERAL.inputSearch('secret-engine-path'), `foobar`);
+      assert.dom(SELECTORS.intro).doesNotExist('Intro modal is not shown when engines exist');
+      assert.dom(GENERAL.button('intro')).doesNotExist('Intro button is not shown');
+    });
 
-    await click(GENERAL.button('intro'));
-    assert.dom('[data-test-intro]').exists('Intro can be shown again after reset');
+    test('it can show the intro modal after dismissal', async function (assert) {
+      const defaultEngines = [createSecretsEngine(undefined, 'cubbyhole', 'cubbyhole')];
+      this.secretEngineModels = defaultEngines;
+
+      await render(hbs`<SecretEngine::List @secretEngines={{this.secretEngineModels}} />`);
+      await click(GENERAL.button('Skip'));
+      assert.dom(SELECTORS.intro).doesNotExist('Intro is dismissed');
+
+      await click(GENERAL.button('intro'));
+      assert.dom(SELECTORS.intro).exists('Intro can be shown again after reset');
+    });
   });
 });
diff --git a/ui/tests/integration/components/manage-dropdown-test.js b/ui/tests/integration/components/manage-dropdown-test.js
new file mode 100644
index 0000000000..f73c87ca96
--- /dev/null
+++ b/ui/tests/integration/components/manage-dropdown-test.js
@@ -0,0 +1,217 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { click, render } from '@ember/test-helpers';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import hbs from 'htmlbars-inline-precompile';
+import { module, test } from 'qunit';
+import sinon from 'sinon';
+import SecretsEngineResource from 'vault/resources/secrets/engine';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+
+const DEFAULT_MOUNT_DATA = {
+  accessor: 'test_accessor',
+  config: {},
+  description: '',
+  external_entropy_access: false,
+  local: false,
+  plugin_version: '',
+  running_plugin_version: '',
+  running_sha256: '',
+  seal_wrap: false,
+  uuid: 'test-uuid',
+};
+
+const TEST_CASES = [
+  {
+    label: 'alicloud',
+    type: 'alicloud',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'azure',
+    type: 'azure',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.plugin-settings',
+  },
+  {
+    label: 'gcp',
+    type: 'gcp',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.plugin-settings',
+  },
+  {
+    label: 'gcpkms',
+    type: 'gcpkms',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'keymgmt',
+    type: 'keymgmt',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'kubernetes',
+    type: 'kubernetes',
+    expectedRoute: 'vault.cluster.secrets.backend.kubernetes.configuration',
+  },
+  {
+    label: 'kvv1',
+    type: 'kv',
+    version: 1,
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'kvv2',
+    type: 'kv',
+    version: 2,
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'transform',
+    type: 'transform',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'transit',
+    type: 'transit',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  { label: 'kmip', type: 'kmip', expectedRoute: 'vault.cluster.secrets.backend.kmip.configuration' },
+  { label: 'ldap', type: 'ldap', expectedRoute: 'vault.cluster.secrets.backend.ldap.configuration' },
+  { label: 'pki', type: 'pki', expectedRoute: 'vault.cluster.secrets.backend.pki.configuration' },
+  {
+    label: 'ssh',
+    type: 'ssh',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.plugin-settings',
+  },
+  {
+    label: 'totp',
+    type: 'totp',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'aws',
+    type: 'aws',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.plugin-settings',
+  },
+  {
+    label: 'consul',
+    type: 'consul',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'nomad',
+    type: 'nomad',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'rabbitmq',
+    type: 'rabbitmq',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+  {
+    label: 'database',
+    type: 'database',
+    expectedRoute: 'vault.cluster.secrets.backend.configuration.general-settings',
+  },
+];
+
+module('Integration | Component | manage-dropdown | Configure link', function (hooks) {
+  setupRenderingTest(hooks);
+
+  const makeModel = ({ type, version, id }) => {
+    const options = version ? { version } : undefined;
+    return new SecretsEngineResource({
+      ...DEFAULT_MOUNT_DATA,
+      path: `${id}/`,
+      type,
+      options,
+    });
+  };
+
+  hooks.beforeEach(function () {
+    const router = this.owner.lookup('service:router');
+    this.transitionStub = sinon.stub(router, 'transitionTo');
+    this.refreshStub = sinon.stub(router, 'refresh');
+    this.currentRouteStub = sinon.stub(router, 'currentRouteName');
+    const api = this.owner.lookup('service:api');
+    this.mountDisableApiStub = sinon.stub(api.sys, 'mountsDisableSecretsEngine');
+  });
+
+  hooks.afterEach(function () {
+    this.transitionStub.restore();
+    this.refreshStub.restore();
+    this.mountDisableApiStub.restore();
+  });
+
+  test('it disables a mount', async function (assert) {
+    this.model = makeModel({ type: 'ldap', id: 'ldap' });
+    await render(
+      hbs`<ManageDropdown @model={{this.model}} @variant="icon" @configRoute={{this.model.backendConfigurationLink}} />`
+    );
+    await click(GENERAL.menuTrigger);
+    await click(GENERAL.menuItem('Delete'));
+    await click(GENERAL.confirmButton);
+    const [id] = this.mountDisableApiStub.lastCall.args;
+    assert.strictEqual(id, 'ldap', 'it calls disable with the secret engine id');
+  });
+
+  test('it calls refresh() when current route is secrets.backends', async function (assert) {
+    this.currentRouteStub.value('vault.cluster.secrets.backends');
+    this.model = makeModel({ type: 'ldap', id: 'ldap' });
+    await render(
+      hbs`<ManageDropdown @model={{this.model}} @variant="icon" @configRoute={{this.model.backendConfigurationLink}} />`
+    );
+    await click(GENERAL.menuTrigger);
+    await click(GENERAL.menuItem('Delete'));
+    await click(GENERAL.confirmButton);
+    assert.true(
+      this.refreshStub.calledOnce,
+      'refresh is called because the current route is vault.cluster.secrets.backends'
+    );
+    assert.true(this.transitionStub.notCalled, 'transitionTo is not called');
+  });
+
+  test('it calls transitionTo() when current route is NOT secrets.backends', async function (assert) {
+    this.currentRouteStub.value('vault.cluster.secrets.backend.ldap.overview');
+    this.model = makeModel({ type: 'ldap', id: 'ldap' });
+    await render(
+      hbs`<ManageDropdown @model={{this.model}} @variant="icon" @configRoute={{this.model.backendConfigurationLink}} />`
+    );
+    await click(GENERAL.menuTrigger);
+    await click(GENERAL.menuItem('Delete'));
+    await click(GENERAL.confirmButton);
+    assert.true(this.transitionStub.calledOnce, 'transitionTo() is called');
+    assert.true(this.refreshStub.notCalled, 'refresh() is not called');
+  });
+
+  TEST_CASES.forEach(({ label, type, version, expectedRoute }) => {
+    test(`Configure link routes correctly for ${label}`, async function (assert) {
+      const routing = this.owner.lookup('service:-routing');
+      const transitionSpy = sinon.stub(routing, 'transitionTo');
+      const id = `${label}-integration-test`;
+      this.model = makeModel({ type, version, id });
+
+      await render(
+        hbs`<ManageDropdown @model={{this.model}} @variant="icon" @configRoute={{this.model.backendConfigurationLink}} />`
+      );
+
+      await click(GENERAL.menuTrigger);
+      await click(GENERAL.menuItem('Configure'));
+
+      assert.true(transitionSpy.called, `Configure action for ${label} triggers a route transition`);
+      assert.strictEqual(
+        transitionSpy.firstCall.args[0],
+        expectedRoute,
+        `Configure action for ${label} transitions to ${expectedRoute}`
+      );
+      assert.true(
+        JSON.stringify(transitionSpy.firstCall.args).includes(id),
+        `Configure action for ${label} includes model id ${id}`
+      );
+
+      transitionSpy.restore();
+    });
+  });
+});
diff --git a/ui/tests/integration/components/masked-input-test.js b/ui/tests/integration/components/masked-input-test.js
index 3f906e6727..9f53137ba7 100644
--- a/ui/tests/integration/components/masked-input-test.js
+++ b/ui/tests/integration/components/masked-input-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, focus, triggerKeyEvent, typeIn, fillIn, click } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/message-error-test.js b/ui/tests/integration/components/message-error-test.js
index a4063a62c5..258c7e975a 100644
--- a/ui/tests/integration/components/message-error-test.js
+++ b/ui/tests/integration/components/message-error-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, findAll, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -21,11 +21,11 @@ module('Integration | Component | message-error', function (hooks) {
 
     this.renderComponent = () => {
       return render(hbs`
-        <MessageError 
-        @errorMessage={{this.errorMessage}} 
-        @errors={{this.errors}} 
-        @model={{this.model}} 
-        @onDismiss={{this.onDismiss}} 
+        <MessageError
+        @errorMessage={{this.errorMessage}}
+        @errors={{this.errors}}
+        @model={{this.model}}
+        @onDismiss={{this.onDismiss}}
         />`);
     };
   });
@@ -110,4 +110,26 @@ module('Integration | Component | message-error', function (hooks) {
     await click(GENERAL.icon('x'));
     assert.true(this.onDismiss.calledOnce, '@onDismiss is called once');
   });
+
+  test('it renders @errorDetails as a list under the error message', async function (assert) {
+    this.errorMessage = 'There is an error with this form.';
+    await render(hbs`
+      <MessageError
+        @errorMessage={{this.errorMessage}}
+        @errorDetails={{array "Path cannot be empty." "Rule must have at least one capability."}}
+      />`);
+    assert.dom(GENERAL.messageError).exists({ count: 1 });
+    assert.dom(GENERAL.messageDescription).hasTextContaining('There is an error with this form.');
+    assert.dom(`${GENERAL.messageDescription} li`).exists({ count: 2 });
+    assert.dom(`${GENERAL.messageDescription} li:first-child`).hasText('Path cannot be empty.');
+    assert
+      .dom(`${GENERAL.messageDescription} li:last-child`)
+      .hasText('Rule must have at least one capability.');
+  });
+
+  test('it does not render error details list when @errorDetails is not provided', async function (assert) {
+    this.errorMessage = 'Something went wrong';
+    await this.renderComponent();
+    assert.dom(`${GENERAL.messageDescription} ul`).doesNotExist();
+  });
 });
diff --git a/ui/tests/integration/components/mfa-login-enforcement-form-test.js b/ui/tests/integration/components/mfa-login-enforcement-form-test.js
index 865022d18d..0125a505a2 100644
--- a/ui/tests/integration/components/mfa-login-enforcement-form-test.js
+++ b/ui/tests/integration/components/mfa-login-enforcement-form-test.js
@@ -4,20 +4,21 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import MfaLoginEnforcementForm from 'vault/forms/mfa/login-enforcement';
 
 module('Integration | Component | mfa-login-enforcement-form', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.model = this.store.createRecord('mfa-login-enforcement');
+    this.methods = [{ id: '123456', type: 'totp' }];
+    this.form = new MfaLoginEnforcementForm({}, { isNew: true });
     this.server.get('/sys/auth', () => ({
       data: { 'userpass/': { type: 'userpass', accessor: 'auth_userpass_1234' } },
     }));
@@ -44,63 +45,71 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
   test('it should render correct fields', async function (assert) {
     await render(hbs`
       <Mfa::MfaLoginEnforcementForm
-        @model={{this.model}}
+        @form={{this.form}}
+        @methods={{this.methods}}
         @onClose={{fn (mut this.didClose)}}
         @onSave={{fn (mut this.didSave)}}
       />
     `);
 
-    const fields = {
-      name: {
-        label: 'Name',
-        subText:
-          'The name for this enforcement. Giving it a name means that you can refer to it again later. This name will not be editable later.',
-      },
-      methods: {
-        label: 'MFA methods',
-        subText: 'The MFA method(s) that this enforcement will apply to.',
-      },
-      targets: {
-        label: 'Targets',
-        subText:
-          'The list of authentication types, authentication mounts, groups, and/or entities that will require this MFA configuration.',
-      },
-    };
-
     const subTexts = this.element.querySelectorAll('[data-test-label-subtext]');
-    Object.keys(fields).forEach((field, index) => {
-      const { label, subText } = fields[field];
-      assert.dom(`[data-test-mlef-label="${field}"]`).hasText(label, `${field} field label renders`);
-      assert.dom(subTexts[index]).hasText(subText, `${subText} field label sub text renders`);
-    });
-    assert.dom('[data-test-mlef-input="name"]').exists(`Name field input renders`);
+
+    assert.dom(GENERAL.inputByAttr('name')).exists('Name field input renders');
+    assert.dom(GENERAL.labelFor('name')).hasText('Name', 'name field label renders');
+    assert
+      .dom('#helper-text-name')
+      .hasText(
+        'The name for this enforcement. Giving it a name means that you can refer to it again later. This name will not be editable later.',
+        'name field label sub text renders'
+      );
+    assert.dom(GENERAL.labelFor('mfa_methods')).hasText('MFA methods', 'methods field label renders');
+    assert
+      .dom(subTexts[0])
+      .hasText(
+        'The MFA method(s) that this enforcement will apply to.',
+        'methods field label sub text renders'
+      );
+    assert.dom('label[for="targets"]').hasText('Targets', 'targets field label renders');
+    assert
+      .dom(subTexts[1])
+      .hasText(
+        'The list of authentication types, authentication mounts, groups, and/or entities that will require this MFA configuration.',
+        'targets field label sub text renders'
+      );
     assert.dom('[data-test-mlef-search="methods"]').exists('MFA method search select renders');
     assert.dom('[data-test-mlef-select="target-type"]').exists('Target type selector renders');
     assert.dom('[data-test-mlef-select="accessor"]').exists('Auth mount target selector renders by default');
   });
 
   test('it should render inline', async function (assert) {
-    this.errors = this.model.validate().state;
+    const { state } = this.form.toJSON();
+    this.errors = state;
     await render(hbs`
       <Mfa::MfaLoginEnforcementForm
-        @model={{this.model}}
+        @form={{this.form}}
+        @methods={{this.methods}}
         @isInline={{true}}
         @modelErrors={{this.errors}}
       />
     `);
 
-    assert.dom('[data-test-mlef-input="name"]').exists(`Name field input renders`);
+    assert.dom(GENERAL.inputByAttr('name')).exists(`Name field input renders`);
     assert.dom('[data-test-mlef-search="methods"]').doesNotExist('MFA method search select does not render');
     assert.dom('[data-test-mlef-select="target-type"]').exists('Target type selector renders');
+
+    assert
+      .dom(GENERAL.validationErrorByAttr('name'))
+      .exists({ count: 1 }, 'Name field external validation errors are displayed');
     assert
       .dom('[data-test-inline-error-message]')
-      .exists({ count: 2 }, 'External validation errors are displayed');
+      .exists({ count: 1 }, 'Targets field external validation errors are displayed');
   });
 
   test('it should display field validation errors on save', async function (assert) {
     await render(hbs`
       <Mfa::MfaLoginEnforcementForm
-        @model={{this.model}}
+        @form={{this.form}}
+        @methods={{this.methods}}
         @onClose={{fn (mut this.didClose)}}
         @onSave={{fn (mut this.didSave)}}
       />
@@ -108,10 +117,12 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
 
     await click('[data-test-mlef-save]');
     const errors = this.element.querySelectorAll('[data-test-inline-error-message]');
-    assert.dom(errors[0]).hasText('Name is required', 'Name error message renders');
-    assert.dom(errors[1]).hasText('At least one MFA method is required', 'Methods error message renders');
     assert
-      .dom(errors[2])
+      .dom(GENERAL.validationErrorByAttr('name'))
+      .hasText('Name is required', 'Name error message renders');
+    assert.dom(errors[0]).hasText('At least one MFA method is required', 'Methods error message renders');
+    assert
+      .dom(errors[1])
       .hasText(
         "At least one target is required. If you've selected one, click 'Add' to make sure it's added to this enforcement.",
         'Targets error message renders'
@@ -128,45 +139,53 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
 
     await render(hbs`
       <Mfa::MfaLoginEnforcementForm
-        @model={{this.model}}
+        @form={{this.form}}
+        @methods={{this.methods}}
         @onClose={{fn (mut this.didClose)}}
         @onSave={{fn (mut this.didSave) true}}
       />
     `);
 
-    await fillIn('[data-test-mlef-input="name"]', 'bar');
+    await fillIn(GENERAL.inputByAttr('name'), 'bar');
     await click('.ember-basic-dropdown-trigger');
     await click('.ember-power-select-option');
     await fillIn('[data-test-mlef-select="accessor"] select', 'auth_userpass_1234');
     await click('[data-test-mlef-add-target]');
     await click('[data-test-mlef-save]');
     assert.true(this.didSave, 'onSave callback triggered');
-    assert.strictEqual(this.model.name, 'bar', 'Name property set on model');
-    const methods = await this.model.mfa_methods; //hasManyPromise
-    assert.strictEqual(methods[0].id, '123456', 'Mfa method added to model');
+    assert.strictEqual(this.form.name, 'bar', 'Name property set on form');
+    assert.deepEqual(this.form.mfa_methods, ['123456'], 'Mfa method added to form');
     assert.deepEqual(
-      this.model.auth_method_accessors,
+      this.form.auth_method_accessors,
       ['auth_userpass_1234'],
       'Target saved to correct model property'
     );
   });
 
   test('it should populate fields with model data', async function (assert) {
-    this.model.name = 'foo';
-    const [method] = await this.store.query('mfa-method', {});
-    this.model.mfa_methods = [method];
-    this.model.auth_method_accessors = ['auth_userpass_1234'];
+    this.form = new MfaLoginEnforcementForm(
+      {
+        name: 'foo',
+        mfa_methods: [{ id: '123456', type: 'totp', displayName: 'TOTP' }],
+        auth_method_accessors: ['auth_userpass_1234'],
+      },
+      { isNew: true }
+    );
 
     await render(hbs`
       <Mfa::MfaLoginEnforcementForm
-        @model={{this.model}}
+        @form={{this.form}}
+        @methods={{this.methods}}
         @onClose={{fn (mut this.didClose)}}
         @onSave={{fn (mut this.didSave) true}}
       />
     `);
 
-    assert.dom('[data-test-mlef-input="name"]').hasValue('foo', 'Name input is populated');
-    assert.dom('.search-select-list-item').includesText('TOTP', 'MFA method type renders in selected option');
+    assert.dom(GENERAL.inputByAttr('name')).hasValue('foo', 'Name input is populated');
+
+    assert
+      .dom('.search-select-list-item')
+      .includesText('TOTP 123456', 'MFA method type renders in selected option');
     assert
       .dom('.search-select-list-item small')
       .hasText('123456', 'MFA method id renders in selected option');
@@ -182,7 +201,7 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
     assert
       .dom('[data-test-inline-error-message]')
       .includesText('At least one target is required', 'Target is removed');
-    assert.notOk(this.model.auth_method_accessors.length, 'Target is removed from appropriate model prop');
+    assert.notOk(this.form.auth_method_accessors.length, 'Target is removed from appropriate form prop');
 
     await fillIn('[data-test-mlef-select="accessor"] select', 'auth_userpass_1234');
     await click('[data-test-mlef-add-target]');
@@ -208,16 +227,20 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
         keys: ['1234'],
       },
     }));
-    this.model.auth_method_accessors = ['auth_userpass_1234'];
-    this.model.auth_method_types = ['userpass'];
-    const [entity] = await this.store.query('identity/entity', {});
-    this.model.identity_entities = [entity];
-    const [group] = await this.store.query('identity/group', {});
-    this.model.identity_groups = [group];
+    this.form = new MfaLoginEnforcementForm(
+      {
+        auth_method_accessors: ['auth_userpass_1234'],
+        auth_method_types: ['userpass'],
+        identity_entity_ids: ['1234'],
+        identity_group_ids: ['1234'],
+      },
+      { isNew: true }
+    );
 
     await render(hbs`
       <Mfa::MfaLoginEnforcementForm
-        @model={{this.model}}
+        @form={{this.form}}
+        @methods={{this.methods}}
         @onClose={{fn (mut this.didClose)}}
         @onSave={{fn (mut this.didSave) true}}
       />
@@ -231,8 +254,8 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
         type: 'accessor',
       },
       { label: 'Authentication method', value: 'userpass', key: 'auth_method_types', type: 'method' },
-      { label: 'Group', value: 'bar group 1234', key: 'identity_groups', type: 'identity/group' },
-      { label: 'Entity', value: 'foo entity 1234', key: 'identity_entities', type: 'identity/entity' },
+      { label: 'Group', value: 'bar group 1234', key: 'identity_group_ids', type: 'identity/group' },
+      { label: 'Entity', value: 'foo entity 1234', key: 'identity_entity_ids', type: 'identity/entity' },
     ];
 
     for (const [index, target] of targets.entries()) {
@@ -248,7 +271,7 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
       assert
         .dom('[data-test-mlef-target]')
         .exists({ count: targets.length - (index + 1) }, `${target.label} target removed`);
-      assert.notOk(this.model[target.key].length, `${target.label} removed from correct model prop`);
+      assert.notOk(this.form[target.key].length, `${target.label} removed from correct form prop`);
     }
     // add targets
     for (const target of targets) {
@@ -262,7 +285,7 @@ module('Integration | Component | mfa-login-enforcement-form', function (hooks)
         await fillIn(`[data-test-mlef-select="${key}"] select`, value);
       }
       await click('[data-test-mlef-add-target]');
-      assert.ok(this.model[target.key].length, `${target.label} added to correct model prop`);
+      assert.ok(this.form[target.key].length, `${target.label} added to correct form prop`);
     }
     assert.dom('[data-test-mlef-target]').exists({ count: 4 }, 'All targets were added back');
   });
diff --git a/ui/tests/integration/components/mfa-login-enforcement-header-test.js b/ui/tests/integration/components/mfa-login-enforcement-header-test.js
index a289c36e2a..a50127cdce 100644
--- a/ui/tests/integration/components/mfa-login-enforcement-header-test.js
+++ b/ui/tests/integration/components/mfa-login-enforcement-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
diff --git a/ui/tests/integration/components/mfa-method-list-item-test.js b/ui/tests/integration/components/mfa-method-list-item-test.js
index 2bba6e3476..4757a0e0be 100644
--- a/ui/tests/integration/components/mfa-method-list-item-test.js
+++ b/ui/tests/integration/components/mfa-method-list-item-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, skip } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/components/mfa/method-form-test.js b/ui/tests/integration/components/mfa/method-form-test.js
index 4f319cac89..58005655a0 100644
--- a/ui/tests/integration/components/mfa/method-form-test.js
+++ b/ui/tests/integration/components/mfa/method-form-test.js
@@ -4,20 +4,19 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 
+import MfaCreateTotpMethodForm from 'vault/forms/mfa/method/totp';
+
 module('Integration | Component | mfa-method-form', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.model = this.store.createRecord('mfa-method');
-    this.model.type = 'totp';
-    this.model.id = 'some-id';
+    this.form = new MfaCreateTotpMethodForm({}, { isNew: true });
   });
 
   test('it should render correct fields', async function (assert) {
@@ -25,7 +24,7 @@ module('Integration | Component | mfa-method-form', function (hooks) {
 
     await render(hbs`
       <Mfa::MethodForm
-        @model={{this.model}}
+        @form={{this.form}}
         @hasActions="true"
       />
           `);
@@ -48,12 +47,16 @@ module('Integration | Component | mfa-method-form', function (hooks) {
       assert.ok(true, 'edit request sent to server');
       return {};
     });
+    this.form = new MfaCreateTotpMethodForm({ id: 'some-id' }, { isNew: false });
+    this.onSave = () => {
+      this.didSave = true;
+    };
 
     await render(hbs`
-      <Mfa::MethodForm
+       <Mfa::MethodForm
+        @form={{this.form}}
         @hasActions="true"
-        @model={{this.model}}
-        @onSave={{fn (mut this.didSave) true}}
+        @onSave={{this.onSave}}
       />
           `);
 
@@ -62,20 +65,22 @@ module('Integration | Component | mfa-method-form', function (hooks) {
     await fillIn('[data-test-confirmation-modal-input="Edit totp configuration?"]', 'totp');
     await click('[data-test-confirm-button="Edit totp configuration?"]');
     assert.true(this.didSave, 'onSave callback triggered');
-    assert.strictEqual(this.model.issuer, 'Vault', 'Issuer property set on model');
+    assert.strictEqual(this.form.issuer, 'Vault', 'Issuer property set on form');
   });
 
   test('it should populate form fields with model data', async function (assert) {
     assert.expect(3);
 
-    this.model.issuer = 'Vault';
-    this.model.period = '30s';
-    this.model.algorithm = 'SHA512';
+    this.form = new MfaCreateTotpMethodForm(
+      { issuer: 'Vault', period: '30s', algorithm: 'SHA512' },
+      { isNew: false }
+    );
 
     await render(hbs`
-      <Mfa::MethodForm
+       <Mfa::MethodForm
+        @form={{this.form}}
         @hasActions="true"
-        @model={{this.model}}
+        @onSave={{this.onSave}}
       />
           `);
     assert.dom('[data-test-input="issuer"]').hasValue('Vault', 'Issuer input is populated');
diff --git a/ui/tests/integration/components/mfa/mfa-form-test.js b/ui/tests/integration/components/mfa/mfa-form-test.js
index 301a217770..b31fde2819 100644
--- a/ui/tests/integration/components/mfa/mfa-form-test.js
+++ b/ui/tests/integration/components/mfa/mfa-form-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled, fillIn, click, waitUntil, waitFor } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
diff --git a/ui/tests/integration/components/mount-accessor-select-test.js b/ui/tests/integration/components/mount-accessor-select-test.js
index a7f66912f1..28fb03d5f4 100644
--- a/ui/tests/integration/components/mount-accessor-select-test.js
+++ b/ui/tests/integration/components/mount-accessor-select-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
diff --git a/ui/tests/integration/components/mount-backend-form-test.js b/ui/tests/integration/components/mount-backend-form-test.js
index 5bc05e1b8e..093c9f86cf 100644
--- a/ui/tests/integration/components/mount-backend-form-test.js
+++ b/ui/tests/integration/components/mount-backend-form-test.js
@@ -5,7 +5,7 @@
 
 import { click, fillIn, render } from '@ember/test-helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { module, test } from 'qunit';
 import { mountBackend } from 'vault/tests/helpers/components/mount-backend-form-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -26,6 +26,7 @@ module('Integration | Component | mount backend form', function (hooks) {
     this.flashMessages.registerTypes(['success', 'danger']);
     this.flashSuccessSpy = sinon.spy(this.flashMessages, 'success');
     this.store = this.owner.lookup('service:store');
+    this.api = this.owner.lookup('service:api');
     this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
     this.server.post('/sys/auth/foo', noopStub());
     this.onMountSuccess = sinon.spy();
@@ -121,12 +122,56 @@ module('Integration | Component | mount backend form', function (hooks) {
         'Renders correct flash message'
       );
     });
+
+    test('it should render identity_token_key field for WIF engine type', async function (assert) {
+      const keyListStub = sinon.stub(this.api.identity, 'oidcListKeys').resolves({ keys: ['foo'] });
+      const keyWriteStub = sinon.stub(this.api.identity, 'oidcWriteKey').resolves();
+      const authEnableStub = sinon.stub(this.api.sys, 'authEnableMethod').resolves();
+
+      await render(
+        hbs`<MountBackendForm @mountModel={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
+      );
+      await mountBackend('aws');
+      assert.true(keyListStub.calledOnce, 'calls the API to list OIDC keys when WIF engine is selected');
+
+      await click(GENERAL.button('Method Options'));
+      assert
+        .dom(GENERAL.fieldByAttr('config.identity_token_key'))
+        .exists('renders identity_token_key field for WIF engine type');
+      await click(GENERAL.searchSelect.trigger('oidc-key'));
+      assert
+        .dom(GENERAL.searchSelect.option())
+        .hasText('foo', 'renders options from API in identity_token_key search select');
+
+      await fillIn(GENERAL.searchSelect.searchInput, 'bar');
+      await click(GENERAL.searchSelect.option());
+      await click('[data-test-oidc-key-save]');
+      assert.true(
+        keyWriteStub.calledWith('bar'),
+        'calls API to write new OIDC key when a new key is created from the identity_token_key field'
+      );
+
+      await click(GENERAL.submitButton);
+      const enginePayload = authEnableStub.lastCall.args[1];
+      assert.strictEqual(
+        enginePayload.config.identity_token_key,
+        'bar',
+        'sends selected identity_token_key in payload when mounting a WIF engine'
+      );
+    });
   });
 
   module('Plugin Version Selection Integration (Community)', function (hooks) {
     hooks.beforeEach(function () {
       // Get version service for mocking in individual tests
       this.version = this.owner.lookup('service:version');
+      this.router = this.owner.lookup('service:router');
+
+      sinon.stub(this.router, 'transitionTo').callsFake(() => {
+        return {
+          followRedirects: sinon.stub().resolves(),
+        };
+      });
 
       // Mock plugin pins API endpoint
       this.server.get('/sys/plugins/pins', () => {
@@ -174,7 +219,6 @@ module('Integration | Component | mount backend form', function (hooks) {
         render(hbs`
           <Mount::SecretsEngineForm
             @model={{this.model}}
-            @onMountSuccess={{this.onMountSuccess}}
           />
         `);
 
@@ -308,7 +352,7 @@ module('Integration | Component | mount backend form', function (hooks) {
             'plugin_version is not included in payload when default is selected'
           );
           assert.strictEqual(payload.type, 'kv', 'correct engine type is sent');
-          return {};
+          return [204, { 'Content-Type': 'application/json' }];
         });
 
         await this.renderComponent();
@@ -327,7 +371,7 @@ module('Integration | Component | mount backend form', function (hooks) {
             Object.prototype.hasOwnProperty.call(payload.config, 'plugin_version');
           assert.notOk(hasPluginVersion, 'plugin_version is not included for builtin selection');
           assert.strictEqual(payload.type, 'kv', 'type remains builtin type for builtin plugins');
-          return {};
+          return [204, { 'Content-Type': 'application/json' }];
         });
 
         await this.renderComponent();
@@ -350,7 +394,7 @@ module('Integration | Component | mount backend form', function (hooks) {
             'vault-plugin-secrets-kv',
             'type is external plugin name for external plugins'
           );
-          return {};
+          return [204, { 'Content-Type': 'application/json' }];
         });
 
         await this.renderComponent();
diff --git a/ui/tests/integration/components/mount-backend-type-form-enhancements-test.js b/ui/tests/integration/components/mount-backend-type-form-enhancements-test.js
index a3f55ec4af..ce5134281c 100644
--- a/ui/tests/integration/components/mount-backend-type-form-enhancements-test.js
+++ b/ui/tests/integration/components/mount-backend-type-form-enhancements-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
@@ -23,9 +23,9 @@ module('Integration | Component | mount-backend/type-form | plugin catalog enhan
 
   test('it renders basic form elements', async function (assert) {
     await render(hbs`
-      <MountBackend::TypeForm 
-        @mountCategory="secret" 
-        @setMountType={{this.setMountType}} 
+      <MountBackend::TypeForm
+        @mountCategory="secret"
+        @setMountType={{this.setMountType}}
       />
     `);
 
diff --git a/ui/tests/integration/components/mount/configure-tabs-test.js b/ui/tests/integration/components/mount/configure-tabs-test.js
index 9a00db8a97..e9e5960658 100644
--- a/ui/tests/integration/components/mount/configure-tabs-test.js
+++ b/ui/tests/integration/components/mount/configure-tabs-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/mount/secrets-engine-form-test.js b/ui/tests/integration/components/mount/secrets-engine-form-test.js
index 1db4473256..ed25ccbbdd 100644
--- a/ui/tests/integration/components/mount/secrets-engine-form-test.js
+++ b/ui/tests/integration/components/mount/secrets-engine-form-test.js
@@ -3,9 +3,9 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { click, fillIn, render, typeIn } from '@ember/test-helpers';
+import { click, fillIn, render } from '@ember/test-helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { module, test } from 'qunit';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import {
@@ -15,6 +15,7 @@ import {
   overrideResponse,
 } from 'vault/tests/helpers/stubs';
 import { ALL_ENGINES } from 'vault/utils/all-engines-metadata';
+import { clickTrigger } from 'ember-power-select/test-support/helpers';
 
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
@@ -27,13 +28,15 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
+    this.router = this.owner.lookup('service:router');
     this.flashMessages = this.owner.lookup('service:flash-messages');
     this.flashSuccessSpy = sinon.spy(this.flashMessages, 'success');
     this.flashWarningSpy = sinon.spy(this.flashMessages, 'warning');
     this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub());
     this.server.post('/sys/mounts/foo', noopStub());
-    this.onMountSuccess = sinon.spy();
-
+    sinon.stub(this.router, 'transitionTo').returns({
+      followRedirects: sinon.stub(),
+    });
     const defaults = {
       config: { listing_visibility: false },
       kv_config: {
@@ -49,13 +52,12 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       form: this.form,
       availableVersions: [],
       hasUnversionedPlugins: false,
+      oidcKeys: [{ id: 'specialKey' }],
     };
   });
 
   test('it renders secret engine form', async function (assert) {
-    await render(
-      hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-    );
+    await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
     assert.dom(GENERAL.breadcrumbs).exists('renders breadcrumbs');
     assert.dom(GENERAL.submitButton).hasText('Enable engine', 'renders submit button');
     assert.dom(GENERAL.backButton).hasText('Back', 'renders back button');
@@ -64,45 +66,40 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
   test('it changes path when type is set', async function (assert) {
     this.form.type = 'azure';
     this.form.data.path = 'azure'; // Set path to match type as would happen in the route
-    await render(
-      hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-    );
+    await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
     assert.dom(GENERAL.inputByAttr('path')).hasValue('azure', 'path matches type');
   });
 
   test('it keeps custom path value', async function (assert) {
     this.form.type = 'kv';
     this.form.data.path = 'custom-path';
-    await render(
-      hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-    );
+    await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
     assert.dom(GENERAL.inputByAttr('path')).hasValue('custom-path', 'keeps custom path');
   });
 
   test('it calls mount success', async function (assert) {
-    assert.expect(3);
+    assert.expect(4);
 
     this.server.post('/sys/mounts/foo', () => {
       assert.ok(true, 'it calls enable on a secrets engine');
       return [204, { 'Content-Type': 'application/json' }];
     });
-    const spy = sinon.spy();
-    this.set('onMountSuccess', spy);
 
     this.form.type = 'ssh';
     this.form.data.path = 'foo';
 
-    await render(
-      hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-    );
+    await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
 
     await click(GENERAL.submitButton);
 
-    assert.true(spy.calledOnce, 'calls the passed success method');
     assert.true(
       this.flashSuccessSpy.calledWith('Successfully mounted the ssh secrets engine at foo.'),
       'Renders correct flash message'
     );
+
+    const [route, path] = this.router.transitionTo.firstCall.args;
+    assert.strictEqual(route, 'vault.cluster.secrets.backend.index', 'transitions to expected route for ssh');
+    assert.strictEqual(path, 'foo', 'transitions with expected path');
   });
 
   module('KV engine', function (hooks) {
@@ -111,16 +108,14 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
     });
 
     test('it shows KV specific fields when type is kv', async function (assert) {
-      await render(
-        hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-      );
+      await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
       assert.dom(GENERAL.inputByAttr('kv_config.max_versions')).exists('shows max versions field');
       assert.dom(GENERAL.inputByAttr('kv_config.cas_required')).exists('shows CAS required field');
       assert.dom(GENERAL.inputByAttr('kv_config.delete_version_after')).exists('shows delete after field');
     });
 
     test('version 2 with no update to config endpoint still allows mount of secret engine', async function (assert) {
-      assert.expect(6);
+      assert.expect(5);
       this.server.post('/sys/capabilities-self', () => capabilitiesStub('my-kv-engine/config', ['deny']));
       this.server.post('/sys/mounts/my-kv-engine', (schema, req) => {
         assert.true(true, 'it makes request to mount engine');
@@ -134,9 +129,7 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
         return overrideResponse(204);
       });
 
-      await render(
-        hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-      );
+      await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
       await fillIn(GENERAL.inputByAttr('path'), 'my-kv-engine');
       await fillIn(GENERAL.inputByAttr('kv_config.max_versions'), '101');
       await click(GENERAL.submitButton);
@@ -146,10 +139,10 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
         `You do not have access to the config endpoint. The secret engine was mounted, but the configuration settings were not saved.`,
         'it calls warning flash with expected message'
       );
-      const [type, enginePath, useEngineRoute] = this.onMountSuccess.lastCall.args;
-      assert.strictEqual(type, 'kv', 'onMountSuccess called with expected type');
-      assert.strictEqual(enginePath, 'my-kv-engine', 'onMountSuccess called with expected engine path');
-      assert.true(useEngineRoute, 'onMountSuccess called useEngineRoute: true');
+
+      const [route, path] = this.router.transitionTo.firstCall.args;
+      assert.strictEqual(route, 'vault.cluster.secrets.backend.kv.list', 'transitions to expected route');
+      assert.strictEqual(path, 'my-kv-engine', 'transitions with expected path');
     });
   });
 
@@ -164,9 +157,7 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
         this.form.data.config = {};
       }
 
-      await render(
-        hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-      );
+      await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
 
       // First check if the Method Options group is being rendered at all
       assert.dom(GENERAL.button('Method Options')).exists('Method Options toggle button exists');
@@ -182,9 +173,7 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       this.form.type = 'kv';
       this.form.applyTypeSpecificDefaults();
 
-      await render(
-        hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-      );
+      await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
 
       assert
         .dom(GENERAL.fieldByAttr('config.identity_token_key'))
@@ -198,9 +187,7 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       if (!this.form.data.config) {
         this.form.data.config = {};
       }
-      await render(
-        hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-      );
+      await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
 
       // Expand Method Options section to show identity_token_key field
       await click(GENERAL.button('Method Options'));
@@ -208,16 +195,16 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       assert.strictEqual(
         this.form.data.config.identity_token_key,
         undefined,
-        'On init identity_token_key is not set on the model'
+        'On init identity_token_key is not set on form'
       );
 
-      // SearchSelectWithModal likely uses fallback component when no OIDC models are found
-      await typeIn(GENERAL.inputSearch('key'), 'specialKey');
+      await clickTrigger('#oidc-key');
+      await click(GENERAL.searchSelect.option());
 
       assert.strictEqual(
         this.form.data.config.identity_token_key,
         'specialKey',
-        'updates model with custom identity_token_key'
+        'updates form with custom identity_token_key'
       );
     });
   });
@@ -256,9 +243,7 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
     });
 
     test('it renders plugin type selection radio cards', async function (assert) {
-      await render(
-        hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-      );
+      await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
 
       assert.dom(`input${GENERAL.radioCardByAttr('builtin')}`).exists('shows built-in plugin radio card');
       assert.dom(`input${GENERAL.radioCardByAttr('external')}`).exists('shows external plugin radio card');
@@ -272,9 +257,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it defaults to built-in plugin type', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -286,9 +270,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it shows plugin version field when external plugin is selected', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -307,9 +290,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it populates version dropdown with sorted options', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -325,9 +307,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       this.versionService.isEnterprise = false;
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -341,9 +322,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       this.model.availableVersions = [{ version: '', pluginName: 'keymgmt', isBuiltin: true }];
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -354,9 +334,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it updates plugin version when selection changes', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -372,9 +351,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it clears plugin version when switching back to built-in', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -394,9 +372,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       this.model.hasUnversionedPlugins = true;
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -414,9 +391,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       this.model.hasUnversionedPlugins = false;
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -429,9 +405,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it hides unversioned plugins warning when hasUnversionedPlugins is not provided', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -467,9 +442,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it shows pinned version first in dropdown', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -488,9 +462,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it shows pinned version in helper text', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -503,9 +476,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it shows warning when selecting non-pinned version', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -529,9 +501,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
 
     test('it does not show warning when using pinned version', async function (assert) {
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -546,9 +517,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       this.model.pinnedVersion = null;
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -599,9 +569,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       });
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -624,9 +593,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       });
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -653,9 +621,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       });
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -680,9 +647,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       });
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -706,9 +672,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       this.model.availableVersions = [];
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
@@ -722,9 +687,7 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
     });
 
     test('it handles missing availableVersions argument', async function (assert) {
-      await render(
-        hbs`<Mount::SecretsEngineForm @model={{this.model}} @onMountSuccess={{this.onMountSuccess}} />`
-      );
+      await render(hbs`<Mount::SecretsEngineForm @model={{this.model}} />`);
 
       // External should be disabled
       assert
@@ -742,9 +705,8 @@ module('Integration | Component | mount/secrets-engine-form', function (hooks) {
       ];
 
       await render(
-        hbs`<Mount::SecretsEngineForm 
-          @model={{this.model}} 
-          @onMountSuccess={{this.onMountSuccess}} 
+        hbs`<Mount::SecretsEngineForm
+          @model={{this.model}}
         />`
       );
 
diff --git a/ui/tests/integration/components/namespace-picker-test.js b/ui/tests/integration/components/namespace-picker-test.js
index 020e0443fb..70102cef26 100644
--- a/ui/tests/integration/components/namespace-picker-test.js
+++ b/ui/tests/integration/components/namespace-picker-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, findAll, click, find } from '@ember/test-helpers';
 import sinon from 'sinon';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/oidc-consent-block-test.js b/ui/tests/integration/components/oidc-consent-block-test.js
index d4f8c455bd..83a1aec8df 100644
--- a/ui/tests/integration/components/oidc-consent-block-test.js
+++ b/ui/tests/integration/components/oidc-consent-block-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/oidc/assignment-form-test.js b/ui/tests/integration/components/oidc/assignment-form-test.js
index 196fa983c5..6348248e73 100644
--- a/ui/tests/integration/components/oidc/assignment-form-test.js
+++ b/ui/tests/integration/components/oidc/assignment-form-test.js
@@ -4,22 +4,47 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render, fillIn, click, findAll } from '@ember/test-helpers';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { render, fillIn, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import oidcConfigHandlers from 'vault/mirage/handlers/oidc-config';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
-import { overrideResponse } from 'vault/tests/helpers/stubs';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import OidcAssingmentForm from 'vault/forms/oidc/assignment';
+import sinon from 'sinon';
 
 module('Integration | Component | oidc/assignment-form', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    oidcConfigHandlers(this.server);
-    this.store = this.owner.lookup('service:store');
     this.server.post('/sys/capabilities-self', () => {});
+
+    this.assignment = {
+      name: 'test',
+      entity_ids: ['1234-12345'],
+      group_ids: ['abcdef-123'],
+    };
+    this.entities = [{ id: '1234-12345', name: 'test-entity' }];
+    this.groups = [{ id: 'abcdef-123', name: 'test-group' }];
+    this.onCancel = sinon.spy();
+    this.onSave = sinon.spy();
+
+    this.writeStub = sinon.stub(this.owner.lookup('service:api').identity, 'oidcWriteAssignment').resolves();
+
+    this.renderComponent = (assignment) => {
+      this.form = new OidcAssingmentForm(assignment, { isNew: !assignment });
+      return render(hbs`
+        <Oidc::AssignmentForm
+          @form={{this.form}}
+          @entities={{this.entities}}
+          @groups={{this.groups}}
+          @onCancel={{this.onCancel}}
+          @onSave={{this.onSave}}
+        />
+      `);
+    };
+
     setRunOptions({
       rules: {
         // TODO: Fix SearchSelect component
@@ -30,56 +55,39 @@ module('Integration | Component | oidc/assignment-form', function (hooks) {
   });
 
   test('it should save new assignment', async function (assert) {
-    assert.expect(5);
-    this.model = this.store.createRecord('oidc/assignment');
-    this.server.post('/identity/oidc/assignment/test', (schema, req) => {
-      assert.ok(true, 'Request made to save assignment');
-      return JSON.parse(req.requestBody);
-    });
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
+    assert.expect(6);
 
-    await render(hbs`
-      <Oidc::AssignmentForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    await this.renderComponent();
 
     assert.dom('[data-test-oidc-assignment-save]').hasText('Create', 'Save button has correct label');
     await click('[data-test-oidc-assignment-save]');
+
     assert
-      .dom('[data-test-inline-alert]')
+      .dom(GENERAL.validationErrorByAttr('name'))
       .hasText('Name is required.', 'Validation message is shown for name');
-    assert.strictEqual(
-      findAll('[data-test-inline-error-message]').length,
-      2,
-      `there are two validations errors.`
-    );
+    assert
+      .dom(GENERAL.validationErrorByAttr('target'))
+      .hasText('At least one entity or group is required.', 'Validation message is shown for target');
+    assert
+      .dom('[data-test-invalid-form-alert]')
+      .hasText('There are 2 errors with this form.', 'Renders form error count');
+
     await fillIn('[data-test-input="name"]', 'test');
     await click('[data-test-component="search-select"]#entities .ember-basic-dropdown-trigger');
     await click('.ember-power-select-option');
     await click('[data-test-oidc-assignment-save]');
+
+    assert.true(this.onSave.calledOnce, 'onSave callback fires on save success');
+    assert.true(
+      this.writeStub.calledWith('test', { entity_ids: ['1234-12345'] }),
+      'API is called with correct payload'
+    );
   });
 
   test('it should populate fields with model data on edit view and update an assignment', async function (assert) {
     assert.expect(5);
 
-    this.store.pushPayload('oidc/assignment', {
-      modelName: 'oidc/assignment',
-      name: 'test',
-      entity_ids: ['1234-12345'],
-      group_ids: ['abcdef-123'],
-    });
-    this.model = this.store.peekRecord('oidc/assignment', 'test');
-
-    await render(hbs`
-      <Oidc::AssignmentForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    await this.renderComponent(this.assignment);
 
     assert.dom('[data-test-oidc-assignment-save]').hasText('Update', 'Save button has correct label');
     assert.dom('[data-test-input="name"]').isDisabled('Name input is disabled when editing');
@@ -94,17 +102,11 @@ module('Integration | Component | oidc/assignment-form', function (hooks) {
 
   test('it should use fallback component on create if no permissions for entities or groups', async function (assert) {
     assert.expect(2);
-    this.model = this.store.createRecord('oidc/assignment');
-    this.server.get('/identity/entity/id', () => overrideResponse(403));
-    this.server.get('/identity/group/id', () => overrideResponse(403));
 
-    await render(hbs`
-      <Oidc::AssignmentForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    this.entities = [];
+    this.groups = [];
+
+    await this.renderComponent();
 
     assert
       .dom('[data-test-component="search-select"]#entities [data-test-component="string-list"]')
@@ -116,23 +118,11 @@ module('Integration | Component | oidc/assignment-form', function (hooks) {
 
   test('it should use fallback component on edit if no permissions for entities or groups', async function (assert) {
     assert.expect(8);
-    this.store.pushPayload('oidc/assignment', {
-      modelName: 'oidc/assignment',
-      name: 'test',
-      entity_ids: ['1234-12345'],
-      group_ids: ['abcdef-123'],
-    });
-    this.model = this.store.peekRecord('oidc/assignment', 'test');
-    this.server.get('/identity/entity/id', () => overrideResponse(403));
-    this.server.get('/identity/group/id', () => overrideResponse(403));
 
-    await render(hbs`
-    <Oidc::AssignmentForm
-      @model={{this.model}}
-      @onCancel={{this.onCancel}}
-      @onSave={{this.onSave}}
-    />
-  `);
+    this.entities = [];
+    this.groups = [];
+
+    await this.renderComponent(this.assignment);
 
     assert
       .dom('[data-test-component="search-select"]#entities [data-test-component="string-list"]')
diff --git a/ui/tests/integration/components/oidc/client-form-test.js b/ui/tests/integration/components/oidc/client-form-test.js
index ee7fe62c26..dcf7c73222 100644
--- a/ui/tests/integration/components/oidc/client-form-test.js
+++ b/ui/tests/integration/components/oidc/client-form-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click, findAll } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { create } from 'ember-cli-page-object';
@@ -12,10 +12,13 @@ import { clickTrigger } from 'ember-power-select/test-support/helpers';
 import ss from 'vault/tests/pages/components/search-select';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import oidcConfigHandlers from 'vault/mirage/handlers/oidc-config';
-import { OIDC_BASE_URL, SELECTORS } from 'vault/tests/helpers/oidc-config';
+import { SELECTORS } from 'vault/tests/helpers/oidc-config';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
-import { capabilitiesStub, overrideResponse } from 'vault/tests/helpers/stubs';
+import { overrideResponse } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import OidcClientForm from 'vault/forms/oidc/client';
+import sinon from 'sinon';
+import { getErrorResponse } from 'vault/tests/helpers/api/error-response';
 
 const searchSelect = create(ss);
 
@@ -25,16 +28,6 @@ module('Integration | Component | oidc/client-form', function (hooks) {
 
   hooks.beforeEach(function () {
     oidcConfigHandlers(this.server);
-    this.store = this.owner.lookup('service:store');
-    this.server.post('/sys/capabilities-self', () => {});
-    this.server.get('/identity/oidc/key', () => {
-      return {
-        request_id: 'key-list-id',
-        data: {
-          keys: ['default'],
-        },
-      };
-    });
     this.server.get('/identity/oidc/assignment', () => {
       return {
         request_id: 'assignment-list-id',
@@ -52,6 +45,35 @@ module('Integration | Component | oidc/client-form', function (hooks) {
         },
       };
     });
+
+    const api = this.owner.lookup('service:api');
+    this.apiStub = sinon.stub(api.identity, 'oidcWriteClient').resolves();
+
+    this.renderComponent = (client) => {
+      const data = {
+        key: 'default',
+        id_token_ttl: '24h',
+        access_token_ttl: '24h',
+        client_type: 'confidential',
+        ...(client || {}),
+      };
+      this.form = new OidcClientForm(data, { isNew: !client });
+      this.keys = [{ id: 'default' }];
+      this.assignments = [{ id: 'assignment-1' }];
+      this.onCancel = sinon.spy();
+      this.onSave = sinon.spy();
+
+      return render(hbs`
+        <Oidc::ClientForm
+          @form={{this.form}}
+          @keys={{this.keys}}
+          @assignments={{this.assignments}}
+          @onCancel={{this.onCancel}}
+          @onSave={{this.onSave}}
+        />
+      `);
+    };
+
     setRunOptions({
       rules: {
         // TODO: fix RadioCard component (replace with HDS)
@@ -68,20 +90,7 @@ module('Integration | Component | oidc/client-form', function (hooks) {
   test('it should save new client', async function (assert) {
     assert.expect(14);
 
-    this.server.post('/identity/oidc/client/test-app', (schema, req) => {
-      assert.ok(true, 'Request made to save client');
-      return JSON.parse(req.requestBody);
-    });
-    this.model = this.store.createRecord('oidc/client');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-
-    await render(hbs`
-      <Oidc::ClientForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    await this.renderComponent();
     await click(GENERAL.button('More options'));
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Create Application', 'Form title renders correct text');
     assert.dom(SELECTORS.clientSaveButton).hasText('Create', 'Save button has correct text');
@@ -108,45 +117,27 @@ module('Integration | Component | oidc/client-form', function (hooks) {
     assert.dom(validationErrors[1]).hasText('There are 3 errors with this form.', 'Renders form error count');
 
     // fill out form with valid inputs
-    await clickTrigger();
-    await fillIn('.ember-power-select-search input', 'default');
+    await click(GENERAL.searchSelect.trigger('oidc-client-form-key-select'));
+    await fillIn(GENERAL.searchSelect.searchInput, 'default');
     await searchSelect.options.objectAt(0).click();
 
     await click('[data-test-oidc-radio="limited"]');
     assert
-      .dom('[data-test-search-select-with-modal]')
+      .dom('[data-test-search-select="assignments"]')
       .exists('Limited radio button shows assignments search select');
 
-    await clickTrigger();
-    assert.dom('li.ember-power-select-option').hasText('assignment-1', 'dropdown renders assignments');
+    await click(GENERAL.searchSelect.trigger('oidc-client-form-assignments-select'));
+    assert.dom(GENERAL.searchSelect.option()).hasText('assignment-1', 'dropdown renders assignments');
     await fillIn('[data-test-input="name"]', 'test-app');
     await click(SELECTORS.clientSaveButton);
+    assert.true(this.apiStub.calledWith('test-app'), 'API called with correct parameters');
+    assert.true(this.onSave.called, 'onSave callback is called on successful save');
   });
 
   test('it should update client', async function (assert) {
     assert.expect(11);
 
-    this.server.post('/identity/oidc/client/test-app', (schema, req) => {
-      assert.ok(true, 'Request made to save client');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.store.pushPayload('oidc/client', {
-      modelName: 'oidc/client',
-      name: 'test-app',
-      clientType: 'public',
-    });
-
-    this.model = this.store.peekRecord('oidc/client', 'test-app');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-
-    await render(hbs`
-      <Oidc::ClientForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    await this.renderComponent({ name: 'test-app', client_type: 'public' });
     await click(GENERAL.button('More options'));
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Edit Application', 'Title renders correct text');
     assert.dom(SELECTORS.clientSaveButton).hasText('Update', 'Save button has correct text');
@@ -155,64 +146,21 @@ module('Integration | Component | oidc/client-form', function (hooks) {
     assert.dom('[data-test-input="key"]').isDisabled('Signing key input is disabled');
     assert.dom('[data-test-input="key"]').hasValue('default', 'Key input populated with default');
     assert
-      .dom('[data-test-input-group="clientType"] input')
+      .dom('[data-test-input-group="client_type"] input')
       .isDisabled('client type input is disabled on edit');
     assert
-      .dom('[data-test-input-group="clientType"] input#confidential')
+      .dom('[data-test-input-group="client_type"] input#public')
       .isChecked('Correct radio button is selected');
     assert.dom('[data-test-oidc-radio="allow-all"] input').isChecked('Allow all radio button is selected');
     await click(SELECTORS.clientSaveButton);
-  });
-
-  test('it should rollback attributes or unload record on cancel', async function (assert) {
-    assert.expect(4);
-    this.model = this.store.createRecord('oidc/client');
-    this.onCancel = () => assert.ok(true, 'onCancel callback fires');
-
-    await render(hbs`
-      <Oidc::ClientForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    await click(SELECTORS.clientCancelButton);
-    assert.true(this.model.isDestroyed, 'New model is unloaded on cancel');
-
-    this.store.pushPayload('oidc/client', {
-      modelName: 'oidc/client',
-      name: 'test-app',
-      assignments: ['allow_all'],
-      redirectUris: [],
-    });
-    this.model = this.store.peekRecord('oidc/client', 'test-app');
-
-    await render(hbs`
-      <Oidc::ClientForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    await fillIn('[data-test-input="redirectUris"] [data-test-string-list-input="0"]', 'some-url.com');
-    await click('[data-test-string-list-button="add"]');
-    await click(SELECTORS.clientCancelButton);
-    assert.strictEqual(this.model.redirectUris, undefined, 'Model attributes rolled back on cancel');
+    assert.true(this.apiStub.calledWith('test-app'), 'API called with correct parameters');
+    assert.true(this.onSave.called, 'onSave callback is called on successful save');
   });
 
   test('it should show create assignment modal', async function (assert) {
     assert.expect(3);
-    this.model = this.store.createRecord('oidc/client');
 
-    await render(hbs`
-      <Oidc::ClientForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-          `);
+    await this.renderComponent();
     await click('[data-test-oidc-radio="limited"]');
     await clickTrigger();
     await fillIn('.ember-power-select-search input', 'test-new');
@@ -225,15 +173,10 @@ module('Integration | Component | oidc/client-form', function (hooks) {
 
   test('it should render fallback for search select', async function (assert) {
     assert.expect(1);
-    this.model = this.store.createRecord('oidc/client');
+
     this.server.get('/identity/oidc/assignment', () => overrideResponse(403));
-    await render(hbs`
-      <Oidc::ClientForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+
+    await this.renderComponent();
 
     await click('[data-test-oidc-radio="limited"]');
     assert
@@ -243,15 +186,10 @@ module('Integration | Component | oidc/client-form', function (hooks) {
 
   test('it should render error alerts when API returns an error', async function (assert) {
     assert.expect(2);
-    this.model = this.store.createRecord('oidc/client');
-    this.server.post('/sys/capabilities-self', () => capabilitiesStub(OIDC_BASE_URL + '/clients'));
-    await render(hbs`
-      <Oidc::ClientForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+
+    this.apiStub.rejects(getErrorResponse());
+
+    await this.renderComponent();
     await fillIn('[data-test-input="name"]', 'test-app');
     await click(SELECTORS.clientSaveButton);
     assert
diff --git a/ui/tests/integration/components/oidc/client-list-test.js b/ui/tests/integration/components/oidc/client-list-test.js
index 3f06a7e9f8..5aee7c7256 100644
--- a/ui/tests/integration/components/oidc/client-list-test.js
+++ b/ui/tests/integration/components/oidc/client-list-test.js
@@ -5,26 +5,36 @@
 
 import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
-import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
-import { allowAllCapabilitiesStub, capabilitiesStub } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 module('Integration | Component | oidc/client-list', function (hooks) {
   setupRenderingTest(hooks);
-  setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.store.createRecord('oidc/client', { name: 'first-client' });
-    this.store.createRecord('oidc/client', { name: 'second-client' });
-    this.model = this.store.peekAll('oidc/client');
+    this.renderComponent = (isLimited) => {
+      const clients = [{ name: 'first-client' }, { name: 'second-client' }];
+
+      const capabilities = clients.reduce((capabilities, client) => {
+        const path = this.owner.lookup('service:capabilities').pathFor('oidcClient', client);
+        const isFirstClient = client.name === 'first-client';
+        const canRead = isLimited ? isFirstClient : true;
+        const canUpdate = !isLimited;
+        capabilities[path] = { canRead, canUpdate };
+        return capabilities;
+      }, {});
+
+      this.model = {
+        clients,
+        capabilities,
+      };
+      return render(hbs`<Oidc::ClientList @model={{this.model}} />`);
+    };
   });
 
   test('it renders list of clients', async function (assert) {
-    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub(['read', 'update']));
-    await render(hbs`<Oidc::ClientList @model={{this.model}} />`);
+    await this.renderComponent(false);
 
     assert.dom('[data-test-oidc-client-linked-block]').exists({ count: 2 }, 'Two clients are rendered');
     assert.dom('[data-test-oidc-client-linked-block="first-client"]').exists('First client is rendered');
@@ -36,15 +46,7 @@ module('Integration | Component | oidc/client-list', function (hooks) {
   });
 
   test('it renders popup menu based on permissions', async function (assert) {
-    this.server.post('/sys/capabilities-self', (schema, req) => {
-      const { paths } = JSON.parse(req.requestBody);
-      if (paths[0] === 'identity/oidc/client/first-client') {
-        return capabilitiesStub('identity/oidc/client/first-client', ['read']);
-      } else {
-        return capabilitiesStub('identity/oidc/client/second-client', ['deny']);
-      }
-    });
-    await render(hbs`<Oidc::ClientList @model={{this.model}} />`);
+    await this.renderComponent(true);
 
     assert.dom('[data-test-popup-menu-trigger]').exists({ count: 1 }, 'Only one popup menu is rendered');
     await click(GENERAL.menuTrigger);
diff --git a/ui/tests/integration/components/oidc/key-form-test.js b/ui/tests/integration/components/oidc/key-form-test.js
index e7392fa3c7..be88dfb02e 100644
--- a/ui/tests/integration/components/oidc/key-form-test.js
+++ b/ui/tests/integration/components/oidc/key-form-test.js
@@ -4,15 +4,18 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click, findAll } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import oidcConfigHandlers from 'vault/mirage/handlers/oidc-config';
-import { OIDC_BASE_URL, CLIENT_LIST_RESPONSE, SELECTORS } from 'vault/tests/helpers/oidc-config';
+import { CLIENT_LIST_RESPONSE, SELECTORS } from 'vault/tests/helpers/oidc-config';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
-import { capabilitiesStub, overrideResponse } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import OidcKeyForm from 'vault/forms/oidc/key';
+import sinon from 'sinon';
+import { getErrorResponse } from 'vault/tests/helpers/api/error-response';
+import { clickTrigger } from 'ember-power-select/test-support/helpers';
 
 module('Integration | Component | oidc/key-form', function (hooks) {
   setupRenderingTest(hooks);
@@ -20,8 +23,33 @@ module('Integration | Component | oidc/key-form', function (hooks) {
 
   hooks.beforeEach(function () {
     oidcConfigHandlers(this.server);
-    this.store = this.owner.lookup('service:store');
-    this.server.get('/identity/oidc/client', () => overrideResponse(null, { data: CLIENT_LIST_RESPONSE }));
+
+    const api = this.owner.lookup('service:api');
+    sinon.stub(api.identity, 'oidcReadClient').resolves({ data: CLIENT_LIST_RESPONSE });
+    this.writeStub = sinon.stub(api.identity, 'oidcWriteKey').resolves();
+
+    this.onSave = sinon.spy();
+    this.onCancel = sinon.spy();
+    this.clients = [{ name: 'app-1' }];
+
+    this.renderComponent = (client = {}) => {
+      const defaultValues = {
+        algorithm: 'RS256',
+        rotation_period: '24h',
+        verification_ttl: '24h',
+      };
+      const data = { ...defaultValues, ...client };
+      this.form = new OidcKeyForm(data, { isNew: !Object.keys(client).length });
+      return render(hbs`
+        <Oidc::KeyForm
+          @form={{this.form}}
+          @clients={{this.clients}}
+          @onCancel={{this.onCancel}}
+          @onSave={{this.onSave}}
+        />
+      `);
+    };
+
     setRunOptions({
       rules: {
         // TODO: fix RadioCard component (replace with HDS)
@@ -36,20 +64,8 @@ module('Integration | Component | oidc/key-form', function (hooks) {
 
   test('it should save new key', async function (assert) {
     assert.expect(8);
-    this.server.post('/identity/oidc/key/test-key', (schema, req) => {
-      assert.ok(true, 'Request made to save key');
-      return JSON.parse(req.requestBody);
-    });
-    this.model = this.store.createRecord('oidc/key');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-    await render(hbs`
-    <Oidc::KeyForm
-    @model={{this.model}}
-    @onCancel={{this.onCancel}}
-    @onSave={{this.onSave}}
-    />
-    `);
 
+    await this.renderComponent();
     assert.dom(SELECTORS.keySaveButton).hasText('Create', 'Save button has correct text');
     assert.dom('[data-test-input="algorithm"]').hasValue('RS256', 'default algorithm is correct');
     assert.strictEqual(findAll('[data-test-field]').length, 4, 'renders all input fields');
@@ -67,34 +83,16 @@ module('Integration | Component | oidc/key-form', function (hooks) {
 
     assert.dom('[data-test-oidc-radio="limited"] input').isDisabled('limit radio button disabled on create');
     await fillIn('[data-test-input="name"]', 'test-key');
+
     await click(SELECTORS.keySaveButton);
+    assert.true(this.onSave.calledOnce, 'onSave callback fires on save success');
+    assert.true(this.writeStub.calledWith('test-key'), 'API called to save key with correct parameters');
   });
 
   test('it should update key and limit access to selected applications', async function (assert) {
     assert.expect(11);
 
-    this.server.post('/identity/oidc/key/test-key', (schema, req) => {
-      assert.ok(true, 'Request made to update key');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.store.pushPayload('oidc/key', {
-      modelName: 'oidc/key',
-      name: 'test-key',
-      allowed_client_ids: ['*'],
-    });
-
-    this.model = this.store.peekRecord('oidc/key', 'test-key');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on update success');
-
-    await render(hbs`
-      <Oidc::KeyForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
+    await this.renderComponent({ name: 'test-key', allowed_client_ids: ['*'] });
     assert.dom(SELECTORS.keySaveButton).hasText('Update', 'Save button has correct text');
     assert.dom('[data-test-input="name"]').isDisabled('Name input is disabled when editing');
     assert.dom('[data-test-input="name"]').hasValue('test-key', 'Name input is populated with model value');
@@ -102,9 +100,9 @@ module('Integration | Component | oidc/key-form', function (hooks) {
 
     await click('[data-test-oidc-radio="limited"]');
     assert
-      .dom('[data-test-component="search-select"]#allowedClientIds')
+      .dom('[data-test-component="search-select"]#oidc-key-form-client-select')
       .exists('Limited radio button shows clients search select');
-    await click('[data-test-component="search-select"]#allowedClientIds .ember-basic-dropdown-trigger');
+    await clickTrigger();
     assert.strictEqual(findAll('li.ember-power-select-option').length, 1, 'dropdown only renders one option');
     assert
       .dom('li.ember-power-select-option')
@@ -113,91 +111,42 @@ module('Integration | Component | oidc/key-form', function (hooks) {
 
     await click('[data-test-oidc-radio="allow-all"]');
     assert
-      .dom('[data-test-component="search-select"]#allowedClientIds')
+      .dom('[data-test-component="search-select"]#oidc-key-form-client-select')
       .doesNotExist('Allow all radio button hides search select');
 
     await click(SELECTORS.keySaveButton);
+    assert.true(this.onSave.calledOnce, 'onSave callback fires on save success');
+    assert.true(this.writeStub.calledWith('test-key'), 'API called to save key with correct parameters');
   });
 
-  test('it should rollback attributes or unload record on cancel', async function (assert) {
-    assert.expect(4);
-    this.model = this.store.createRecord('oidc/key');
-    this.onCancel = () => assert.ok(true, 'onCancel callback fires');
-
-    await render(hbs`
-      <Oidc::KeyForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+  test('it should fire callback on cancel', async function (assert) {
+    assert.expect(1);
 
+    await this.renderComponent({ name: 'test-key' });
     await click(SELECTORS.keyCancelButton);
-    assert.true(this.model.isDestroyed, 'New model is unloaded on cancel');
-
-    this.store.pushPayload('oidc/key', {
-      modelName: 'oidc/key',
-      name: 'test-key',
-      allowed_client_ids: ['*'],
-    });
-
-    this.model = this.store.peekRecord('oidc/key', 'test-key');
-
-    await render(hbs`
-      <Oidc::KeyForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    await click('[data-test-oidc-radio="limited"]');
-    await click(SELECTORS.keyCancelButton);
-    assert.strictEqual(this.model.allowed_client_ids, undefined, 'Model attributes rolled back on cancel');
+    assert.true(this.onCancel.calledOnce, 'onCancel callback fires on cancel');
   });
 
   test('it should render fallback for search select', async function (assert) {
     assert.expect(1);
 
-    this.server.post('/identity/oidc/key/test-key', (schema, req) => {
-      assert.ok(true, 'Request made to update key');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.store.pushPayload('oidc/key', {
-      modelName: 'oidc/key',
-      name: 'test-key',
-      allowed_client_ids: ['*'],
-    });
-
-    this.model = this.store.peekRecord('oidc/key', 'test-key');
-
-    this.server.get('/identity/oidc/client', () => overrideResponse(403));
-    await render(hbs`
-      <Oidc::KeyForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    this.clients = [];
+    await this.renderComponent({ name: 'test-key', allowed_client_ids: ['*'] });
 
     await click('[data-test-oidc-radio="limited"]');
     assert
-      .dom('[data-test-component="search-select"]#allowedClientIds [data-test-component="string-list"]')
+      .dom(
+        '[data-test-component="search-select"]#oidc-key-form-client-select [data-test-component="string-list"]'
+      )
       .exists('Radio toggle shows client string-list input');
   });
 
   test('it should render error alerts when API returns an error', async function (assert) {
     assert.expect(2);
-    this.model = this.store.createRecord('oidc/key');
-    this.server.post('/sys/capabilities-self', () => capabilitiesStub(OIDC_BASE_URL + '/keys'));
-    await render(hbs`
-      <Oidc::KeyForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+
+    this.writeStub.rejects(getErrorResponse());
+
+    await this.renderComponent();
     await fillIn('[data-test-input="name"]', 'test-app');
     await click(SELECTORS.keySaveButton);
     assert
diff --git a/ui/tests/integration/components/oidc/provider-form-test.js b/ui/tests/integration/components/oidc/provider-form-test.js
index 61b1bbe88d..b2e6b11265 100644
--- a/ui/tests/integration/components/oidc/provider-form-test.js
+++ b/ui/tests/integration/components/oidc/provider-form-test.js
@@ -4,16 +4,17 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click, findAll } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import oidcConfigHandlers from 'vault/mirage/handlers/oidc-config';
-import { SELECTORS, OIDC_BASE_URL, CLIENT_LIST_RESPONSE } from 'vault/tests/helpers/oidc-config';
-import parseURL from 'core/utils/parse-url';
+import { SELECTORS, CLIENT_LIST_RESPONSE } from 'vault/tests/helpers/oidc-config';
 import { setRunOptions } from 'ember-a11y-testing/test-support';
-import { capabilitiesStub, overrideResponse } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import OidcProviderForm from 'vault/forms/oidc/provider';
+import sinon from 'sinon';
+import { getErrorResponse } from 'vault/tests/helpers/api/error-response';
 
 const ISSUER_URL = 'http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider';
 
@@ -23,22 +24,27 @@ module('Integration | Component | oidc/provider-form', function (hooks) {
 
   hooks.beforeEach(function () {
     oidcConfigHandlers(this.server);
-    this.store = this.owner.lookup('service:store');
-    this.server.get('/identity/oidc/scope', () => {
-      return {
-        request_id: 'scope-list-id',
-        lease_id: '',
-        renewable: false,
-        lease_duration: 0,
-        data: {
-          keys: ['test-scope'],
-        },
-        wrap_info: null,
-        warnings: null,
-        auth: null,
-      };
-    });
-    this.server.get('/identity/oidc/client', () => overrideResponse(null, { data: CLIENT_LIST_RESPONSE }));
+    this.api = this.owner.lookup('service:api');
+    this.apiStub = sinon.stub(this.api.identity, 'oidcWriteProvider').resolves();
+
+    this.scopes = [{ id: 'test-scope' }];
+    this.clients = this.api.keyInfoToArray(CLIENT_LIST_RESPONSE, 'name');
+    this.onCancel = sinon.spy();
+    this.onSave = sinon.spy();
+
+    this.renderComponent = (data) => {
+      this.form = new OidcProviderForm(data || {}, { isNew: !data });
+      return render(hbs`
+        <Oidc::ProviderForm
+          @form={{this.form}}
+          @scopes={{this.scopes}}
+          @clients={{this.clients}}
+          @onCancel={{this.onCancel}}
+          @onSave={{this.onSave}}
+        />
+      `);
+    };
+
     setRunOptions({
       rules: {
         // TODO: Fix SearchSelect component
@@ -53,19 +59,8 @@ module('Integration | Component | oidc/provider-form', function (hooks) {
 
   test('it should save new provider', async function (assert) {
     assert.expect(13);
-    this.server.post('/identity/oidc/provider/test-provider', (schema, req) => {
-      assert.ok(true, 'Request made to save provider');
-      return JSON.parse(req.requestBody);
-    });
-    this.model = this.store.createRecord('oidc/provider');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-    await render(hbs`
-    <Oidc::ProviderForm
-    @model={{this.model}}
-    @onCancel={{this.onCancel}}
-    @onSave={{this.onSave}}
-    />
-    `);
+
+    await this.renderComponent();
 
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Create Provider', 'Form title renders correct text');
     assert.dom(SELECTORS.providerSaveButton).hasText('Create', 'Save button has correct text');
@@ -73,7 +68,9 @@ module('Integration | Component | oidc/provider-form', function (hooks) {
       .dom('[data-test-input="issuer"]')
       .hasAttribute('placeholder', 'e.g. https://example.com:8200', 'issuer placeholder text is correct');
     assert.strictEqual(findAll('[data-test-field]').length, 3, 'renders all input fields');
-    await click('[data-test-component="search-select"]#scopesSupported .ember-basic-dropdown-trigger');
+    await click(
+      '[data-test-component="search-select"]#oidc-provider-form-scope-select .ember-basic-dropdown-trigger'
+    );
     assert.dom('li.ember-power-select-option').hasText('test-scope', 'dropdown renders scopes');
 
     // check validation errors
@@ -89,47 +86,37 @@ module('Integration | Component | oidc/provider-form', function (hooks) {
 
     await click('[data-test-oidc-radio="limited"]');
     assert
-      .dom('[data-test-component="search-select"]#allowedClientIds')
+      .dom('[data-test-component="search-select"]#oidc-provider-form-client-select')
       .exists('Limited radio button shows clients search select');
-    await click('[data-test-component="search-select"]#allowedClientIds .ember-basic-dropdown-trigger');
+    await click(
+      '[data-test-component="search-select"]#oidc-provider-form-client-select .ember-basic-dropdown-trigger'
+    );
     assert.dom('li.ember-power-select-option').hasTextContaining('test-app', 'dropdown renders client name');
     assert.dom('[data-test-smaller-id]').exists('renders smaller client id in dropdown');
 
     await click('[data-test-oidc-radio="allow-all"]');
     assert
-      .dom('[data-test-component="search-select"]#allowedClientIds')
+      .dom('[data-test-component="search-select"]#oidc-provider-form-client-select')
       .doesNotExist('Allow all radio button hides search select');
 
     await fillIn('[data-test-input="name"]', 'test-provider');
     await click(SELECTORS.providerSaveButton);
+
+    assert.true(this.onSave.called, 'onSave callback fires on save success');
+    assert.true(this.apiStub.calledWith('test-provider'), 'Request made to save provider');
   });
 
   test('it should update provider', async function (assert) {
-    assert.expect(9);
+    assert.expect(8);
 
-    this.server.post('/identity/oidc/provider/test-provider', (schema, req) => {
-      assert.ok(true, 'Request made to save provider');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.store.pushPayload('oidc/provider', {
-      modelName: 'oidc/provider',
+    const provider = {
       name: 'test-provider',
       allowed_client_ids: ['*'],
       issuer: ISSUER_URL,
       scopes_supported: ['test-scope'],
-    });
+    };
 
-    this.model = this.store.peekRecord('oidc/provider', 'test-provider');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-
-    await render(hbs`
-      <Oidc::ProviderForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    await this.renderComponent(provider);
 
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Edit Provider', 'Title renders correct text');
     assert.dom(SELECTORS.providerSaveButton).hasText('Update', 'Save button has correct text');
@@ -137,87 +124,49 @@ module('Integration | Component | oidc/provider-form', function (hooks) {
     assert
       .dom('[data-test-input="name"]')
       .hasValue('test-provider', 'Name input is populated with model value');
-    assert
-      .dom('[data-test-input="issuer"]')
-      .hasValue(parseURL(ISSUER_URL).origin, 'issuer value is just scheme://host:port portion of full URL');
-
     assert.dom('[data-test-selected-option]').hasText('test-scope', 'model scope is selected');
     assert.dom('[data-test-oidc-radio="allow-all"] input').isChecked('Allow all radio button is selected');
     await click(SELECTORS.providerSaveButton);
+
+    assert.true(this.onSave.called, 'onSave callback fires on save success');
+    const { name, ...payload } = provider;
+    assert.true(this.apiStub.calledWith(name, payload), 'Request made to save provider');
   });
 
-  test('it should rollback attributes or unload record on cancel', async function (assert) {
-    assert.expect(4);
-    this.model = this.store.createRecord('oidc/provider');
-    this.onCancel = () => assert.ok(true, 'onCancel callback fires');
-
-    await render(hbs`
-      <Oidc::ProviderForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+  test('it should fire callback on cancel', async function (assert) {
+    assert.expect(1);
 
+    await this.renderComponent();
     await click(SELECTORS.providerCancelButton);
-    assert.true(this.model.isDestroyed, 'New model is unloaded on cancel');
-
-    this.store.pushPayload('oidc/provider', {
-      modelName: 'oidc/provider',
-      name: 'test-provider',
-      allowed_client_ids: ['*'],
-      issuer: ISSUER_URL,
-      scopes_supported: ['test-scope'],
-    });
-
-    this.model = this.store.peekRecord('oidc/provider', 'test-provider');
-
-    await render(hbs`
-      <Oidc::ProviderForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
-
-    await click('[data-test-oidc-radio="limited"]');
-    await click(SELECTORS.providerCancelButton);
-    assert.strictEqual(this.model.allowed_client_ids, undefined, 'Model attributes rolled back on cancel');
+    assert.true(this.onCancel.called, 'onCancel callback fires on cancel');
   });
 
   test('it should render fallback for search select', async function (assert) {
     assert.expect(2);
-    this.model = this.store.createRecord('oidc/provider');
-    this.server.get('/identity/oidc/scope', () => overrideResponse(403));
-    this.server.get('/identity/oidc/client', () => overrideResponse(403));
-    await render(hbs`
-      <Oidc::ProviderForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+
+    this.scopes = [];
+    this.clients = [];
+    await this.renderComponent();
 
     assert
-      .dom('[data-test-component="search-select"]#scopesSupported [data-test-component="string-list"]')
+      .dom(
+        '[data-test-component="search-select"]#oidc-provider-form-scope-select [data-test-component="string-list"]'
+      )
       .exists('renders fall back for scopes search select');
     await click('[data-test-oidc-radio="limited"]');
     assert
-      .dom('[data-test-component="search-select"]#allowedClientIds [data-test-component="string-list"]')
+      .dom(
+        '[data-test-component="search-select"]#oidc-provider-form-client-select [data-test-component="string-list"]'
+      )
       .exists('Radio toggle shows assignments string-list input');
   });
 
   test('it should render error alerts when API returns an error', async function (assert) {
     assert.expect(2);
-    this.model = this.store.createRecord('oidc/provider');
-    this.server.post('/sys/capabilities-self', () => capabilitiesStub(OIDC_BASE_URL + '/providers'));
-    await render(hbs`
-      <Oidc::ProviderForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+
+    this.apiStub.rejects(getErrorResponse());
+    await this.renderComponent();
+
     await fillIn('[data-test-input="name"]', 'some-provider');
     await click(SELECTORS.providerSaveButton);
     assert
diff --git a/ui/tests/integration/components/oidc/provider-list-test.js b/ui/tests/integration/components/oidc/provider-list-test.js
index bd84198597..5d31f535f7 100644
--- a/ui/tests/integration/components/oidc/provider-list-test.js
+++ b/ui/tests/integration/components/oidc/provider-list-test.js
@@ -5,32 +5,47 @@
 
 import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
-import { setupMirage } from 'ember-cli-mirage/test-support';
 import { click, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
-import { allowAllCapabilitiesStub, capabilitiesStub } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 module('Integration | Component | oidc/provider-list', function (hooks) {
   setupRenderingTest(hooks);
-  setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.store.createRecord('oidc/provider', { name: 'first-provider', issuer: 'foobar' });
-    this.store.createRecord('oidc/provider', { name: 'second-provider', issuer: 'foobar' });
-    this.model = this.store.peekAll('oidc/provider');
+    this.renderComponent = (isLimited) => {
+      const providers = [
+        { name: 'first-provider', issuer: 'foobar' },
+        { name: 'second-provider', issuer: 'foobar' },
+      ];
+
+      const capabilities = providers.reduce((capabilities, provider) => {
+        const path = this.owner.lookup('service:capabilities').pathFor('oidcProvider', provider);
+        const isFirstProvider = provider.name === 'first-provider';
+        const canRead = isLimited ? isFirstProvider : true;
+        const canUpdate = !isLimited;
+        capabilities[path] = { canRead, canUpdate };
+        return capabilities;
+      }, {});
+
+      this.model = {
+        providers,
+        capabilities,
+      };
+      return render(hbs`<Oidc::ProviderList @model={{this.model}} />`);
+    };
   });
 
   test('it renders list of providers', async function (assert) {
-    this.server.post('/sys/capabilities-self', allowAllCapabilitiesStub(['read', 'update']));
-    await render(hbs`<Oidc::ProviderList @model={{this.model}} />`);
+    await this.renderComponent(false);
 
-    assert.dom('[data-test-oidc-provider-linked-block]').exists({ count: 2 }, 'Two clients are rendered');
-    assert.dom('[data-test-oidc-provider-linked-block="first-provider"]').exists('First client is rendered');
+    assert.dom('[data-test-oidc-provider-linked-block]').exists({ count: 2 }, 'Two providers are rendered');
+    assert
+      .dom('[data-test-oidc-provider-linked-block="first-provider"]')
+      .exists('First provider is rendered');
     assert
       .dom('[data-test-oidc-provider-linked-block="second-provider"]')
-      .exists('Second client is rendered');
+      .exists('Second provider is rendered');
 
     await click('[data-test-oidc-provider-linked-block="first-provider"] [data-test-popup-menu-trigger]');
     assert.dom('[data-test-oidc-provider-menu-link="details"]').exists('Details link is rendered');
@@ -38,15 +53,7 @@ module('Integration | Component | oidc/provider-list', function (hooks) {
   });
 
   test('it renders popup menu based on permissions', async function (assert) {
-    this.server.post('/sys/capabilities-self', (schema, req) => {
-      const { paths } = JSON.parse(req.requestBody);
-      if (paths[0] === 'identity/oidc/provider/first-provider') {
-        return capabilitiesStub('identity/oidc/provider/first-provider', ['read']);
-      } else {
-        return capabilitiesStub('identity/oidc/provider/second-provider', ['deny']);
-      }
-    });
-    await render(hbs`<Oidc::ProviderList @model={{this.model}} />`);
+    await this.renderComponent(true);
     assert.dom('[data-test-popup-menu-trigger]').exists({ count: 1 }, 'Only one popup menu is rendered');
     await click(GENERAL.menuTrigger);
     assert.dom('[data-test-oidc-provider-menu-link="details"]').exists('Details link is rendered');
diff --git a/ui/tests/integration/components/oidc/scope-form-test.js b/ui/tests/integration/components/oidc/scope-form-test.js
index 5e984df0ec..64772f8ae6 100644
--- a/ui/tests/integration/components/oidc/scope-form-test.js
+++ b/ui/tests/integration/components/oidc/scope-form-test.js
@@ -4,40 +4,42 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
-import { SELECTORS, OIDC_BASE_URL } from 'vault/tests/helpers/oidc-config';
-import { capabilitiesStub } from 'vault/tests/helpers/stubs';
+import { SELECTORS } from 'vault/tests/helpers/oidc-config';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import sinon from 'sinon';
+import OidcScopeForm from 'vault/forms/oidc/scope';
+import { getErrorResponse } from 'vault/tests/helpers/api/error-response';
 
 module('Integration | Component | oidc/scope-form', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
+    const api = this.owner.lookup('service:api');
+    this.writeStub = sinon.stub(api.identity, 'oidcWriteScope').resolves();
+    this.onCancel = sinon.spy();
+    this.onSave = sinon.spy();
+
+    this.renderComponent = (scope) => {
+      this.form = new OidcScopeForm(scope || {}, { isNew: !scope });
+      return render(hbs`
+        <Oidc::ScopeForm
+          @form={{this.form}}
+          @onCancel={{this.onCancel}}
+          @onSave={{this.onSave}}
+        />
+      `);
+    };
   });
 
   test('it should save new scope', async function (assert) {
     assert.expect(8);
 
-    this.server.post('/identity/oidc/scope/test', (schema, req) => {
-      assert.ok(true, 'Request made to save scope');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.model = this.store.createRecord('oidc/scope');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    await this.renderComponent();
 
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Create Scope', 'Form title renders');
     assert.dom(SELECTORS.scopeSaveButton).hasText('Create', 'Save button has correct label');
@@ -62,31 +64,18 @@ module('Integration | Component | oidc/scope-form', function (hooks) {
     await fillIn(GENERAL.inputByAttr('name'), 'test');
     await fillIn(GENERAL.inputByAttr('description'), 'this is a test');
     await click(SELECTORS.scopeSaveButton);
+
+    assert.true(this.onSave.calledOnce, 'onSave callback is called on successful save');
+    assert.true(
+      this.writeStub.calledWith('test', { description: 'this is a test' }),
+      'API is called with correct parameters'
+    );
   });
 
   test('it should update scope', async function (assert) {
     assert.expect(9);
 
-    this.server.post('/identity/oidc/scope/test', (schema, req) => {
-      assert.ok(true, 'Request made to save scope');
-      return JSON.parse(req.requestBody);
-    });
-
-    this.store.pushPayload('oidc/scope', {
-      modelName: 'oidc/scope',
-      name: 'test',
-      description: 'this is a test',
-    });
-    this.model = this.store.peekRecord('oidc/scope', 'test');
-    this.onSave = () => assert.ok(true, 'onSave callback fires on save success');
-
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    await this.renderComponent({ name: 'test', description: 'this is a test' });
 
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Edit Scope', 'Form title renders');
     assert.dom(SELECTORS.scopeSaveButton).hasText('Update', 'Save button has correct label');
@@ -105,62 +94,28 @@ module('Integration | Component | oidc/scope-form', function (hooks) {
 
     await fillIn(GENERAL.inputByAttr('description'), 'this is an edit test');
     await click(SELECTORS.scopeSaveButton);
+
+    assert.true(this.onSave.calledOnce, 'onSave callback is called on successful save');
+    assert.true(
+      this.writeStub.calledWith('test', { description: 'this is an edit test' }),
+      'API is called with correct parameters'
+    );
   });
 
-  test('it should rollback attributes or unload record on cancel', async function (assert) {
-    assert.expect(4);
-
-    this.onCancel = () => assert.ok(true, 'onCancel callback fires');
-
-    this.model = this.store.createRecord('oidc/scope');
-
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+  test('it should trigger on cancel callback', async function (assert) {
+    assert.expect(1);
 
+    await this.renderComponent();
     await click(SELECTORS.scopeCancelButton);
-    assert.true(this.model.isDestroyed, 'New model is unloaded on cancel');
-
-    this.store.pushPayload('oidc/scope', {
-      modelName: 'oidc/scope',
-      name: 'test',
-      description: 'this is a test',
-    });
-    this.model = this.store.peekRecord('oidc/scope', 'test');
-
-    await render(hbs`
-    <Oidc::ScopeForm
-      @model={{this.model}}
-      @onCancel={{this.onCancel}}
-      @onSave={{this.onSave}}
-    />
-      `);
-
-    await fillIn(GENERAL.inputByAttr('description'), 'changed description attribute');
-    await click(SELECTORS.scopeCancelButton);
-    assert.strictEqual(
-      this.model.description,
-      'this is a test',
-      'Model attributes are rolled back on cancel'
-    );
+    assert.true(this.onCancel.calledOnce, 'onCancel callback is called when cancel button is clicked');
   });
 
   test('it should show example template modal', async function (assert) {
     assert.expect(5);
-    const MODAL = (e) => `[data-test-scope-modal="${e}"]`;
-    this.model = this.store.createRecord('oidc/scope');
 
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+    const MODAL = (e) => `[data-test-scope-modal="${e}"]`;
+
+    await this.renderComponent();
 
     await click('[data-test-oidc-scope-example]');
     assert.dom(MODAL('title')).hasText('Scope template', 'Modal title renders');
@@ -173,15 +128,10 @@ module('Integration | Component | oidc/scope-form', function (hooks) {
 
   test('it should render error alerts when API returns an error', async function (assert) {
     assert.expect(2);
-    this.model = this.store.createRecord('oidc/scope');
-    this.server.post('/sys/capabilities-self', () => capabilitiesStub(OIDC_BASE_URL + '/scopes'));
-    await render(hbs`
-      <Oidc::ScopeForm
-        @model={{this.model}}
-        @onCancel={{this.onCancel}}
-        @onSave={{this.onSave}}
-      />
-    `);
+
+    this.writeStub.rejects(getErrorResponse());
+    await this.renderComponent();
+
     await fillIn(GENERAL.inputByAttr('name'), 'test-scope');
     await click(SELECTORS.scopeSaveButton);
     assert
diff --git a/ui/tests/integration/components/okta-number-challenge-test.js b/ui/tests/integration/components/okta-number-challenge-test.js
index dc9c08d00e..19d9036d5a 100644
--- a/ui/tests/integration/components/okta-number-challenge-test.js
+++ b/ui/tests/integration/components/okta-number-challenge-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/overview-card-test.js b/ui/tests/integration/components/overview-card-test.js
index 70b93c1e5c..135a08374a 100644
--- a/ui/tests/integration/components/overview-card-test.js
+++ b/ui/tests/integration/components/overview-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/page/methods-test.js b/ui/tests/integration/components/page/methods-test.js
index eec193aee7..72fe4ada18 100644
--- a/ui/tests/integration/components/page/methods-test.js
+++ b/ui/tests/integration/components/page/methods-test.js
@@ -56,6 +56,9 @@ module('Integration | Component | page/methods', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
+    // clear local storage to reset dismissed wizard state
+    localStorage.clear();
+
     this.breadcrumbs = [
       { label: 'Vault', route: 'vault.cluster.dashboard', icon: 'vault' },
       { label: 'Auth Methods' },
@@ -75,11 +78,6 @@ module('Integration | Component | page/methods', function (hooks) {
     };
   });
 
-  hooks.afterEach(async function () {
-    // Ensure clean state
-    localStorage.clear();
-  });
-
   test('it shows wizard intro page initially when only default method exists', async function (assert) {
     await this.renderComponent();
     assert.false(this.wizardService.isDismissed('auth-methods'), 'Wizard is not dismissed initially');
diff --git a/ui/tests/integration/components/page/namespaces-wizard-test.js b/ui/tests/integration/components/page/namespaces-wizard-test.js
index fe89a412c0..b5dc6ae960 100644
--- a/ui/tests/integration/components/page/namespaces-wizard-test.js
+++ b/ui/tests/integration/components/page/namespaces-wizard-test.js
@@ -25,23 +25,24 @@ module('Integration | Component | page/namespaces | Namespace Wizard', function
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
+    // clear local storage to reset dismissed wizard state
+    localStorage.clear();
+
     this.refreshSpy = sinon.spy();
+    this.flexiblePolicyCompleteSpy = sinon.spy();
     this.wizardService = this.owner.lookup('service:wizard');
 
     this.renderComponent = () => {
       return render(hbs`
         <Wizard::Namespaces::NamespaceWizard
+          @isIntroModal={{false}}
+          @onFlexiblePolicyComplete={{this.flexiblePolicyCompleteSpy}}
           @onRefresh={{this.refreshSpy}}
         />
       `);
     };
   });
 
-  hooks.afterEach(async function () {
-    // ensure clean state
-    localStorage.clear();
-  });
-
   test('it shows wizard when no namespaces exist', async function (assert) {
     await this.renderComponent();
     assert.dom(SELECTORS.intro).exists('Wizard intro is rendered');
@@ -182,6 +183,7 @@ module('Integration | Component | page/namespaces | Namespace Wizard', function
 
     assert.true(this.wizardService.isDismissed('namespace'), 'Wizard was marked as dismissed after Done');
     assert.true(this.refreshSpy.calledOnce, 'onRefresh callback was called');
+    assert.true(this.flexiblePolicyCompleteSpy.calledOnce, 'flexiblePolicyComplete callback was called');
   });
 
   test('it shows tree chart only when there are multiple globals, orgs, or projects', async function (assert) {
@@ -210,6 +212,11 @@ module('Integration | Component | page/namespaces | Namespace Wizard', function
     await fillIn(`${SELECTORS.inputRow(0)} ${GENERAL.inputByAttr('org-1')}`, 'org2');
     assert.dom(SELECTORS.tree).exists('Tree chart shows with multiple orgs');
 
+    // Add empty global - tree show not show empty global
+    await click(GENERAL.button('add namespace'));
+    assert.dom(`${SELECTORS.tree} .nodes > g`).exists({ count: 5 }, 'Only renders non-empty input nodes');
+    await click(`${SELECTORS.inputRow(1)} ${GENERAL.button('delete namespace')}`);
+
     // Remove second org - tree is hidden again
     await click(`${SELECTORS.inputRow(0)} ${GENERAL.button('delete org')}`);
     assert.dom(SELECTORS.tree).doesNotExist('Tree chart hidden after removing second org');
@@ -218,5 +225,17 @@ module('Integration | Component | page/namespaces | Namespace Wizard', function
     await click(`${SELECTORS.inputRow(0)} ${GENERAL.button('add project')}`);
     await fillIn(`${SELECTORS.inputRow(0)} ${GENERAL.inputByAttr('project-1')}`, 'project2');
     assert.dom(SELECTORS.tree).exists('Tree chart shows with multiple projects');
+
+    // Clear global - tree is hidden
+    await fillIn(`${SELECTORS.inputRow(0)} ${GENERAL.inputByAttr('global-0')}`, '');
+    assert.dom(SELECTORS.tree).doesNotExist('Tree chart hidden after clearing parent global');
+    await fillIn(`${SELECTORS.inputRow(0)} ${GENERAL.inputByAttr('global-0')}`, 'global1');
+    assert.dom(SELECTORS.tree).exists('Tree chart is rendered');
+
+    // Clear org - tree is hidden
+    await fillIn(`${SELECTORS.inputRow(0)} ${GENERAL.inputByAttr('org-0')}`, '');
+    assert.dom(SELECTORS.tree).doesNotExist('Tree chart hidden after clearing parent org');
+    await fillIn(`${SELECTORS.inputRow(0)} ${GENERAL.inputByAttr('org-0')}`, 'org1');
+    assert.dom(SELECTORS.tree).exists('Tree chart is rendered');
   });
 });
diff --git a/ui/tests/integration/components/page/policies-test.js b/ui/tests/integration/components/page/policies-test.js
index 010cfcd5d7..a9bf5b61f6 100644
--- a/ui/tests/integration/components/page/policies-test.js
+++ b/ui/tests/integration/components/page/policies-test.js
@@ -23,8 +23,10 @@ const policiesMockModel = [
     name: 'default',
     policy: undefined,
     policyType: 'acl',
-    canEdit: true,
-    canRead: true,
+    capabilities: {
+      canEdit: true,
+      canRead: true,
+    },
   },
   {
     id: 'root',
@@ -49,8 +51,10 @@ const customPoliciesMockModel = [
     name: 'default',
     policy: undefined,
     policyType: 'acl',
-    canEdit: true,
-    canRead: true,
+    capabilities: {
+      canEdit: true,
+      canRead: true,
+    },
   },
   {
     id: 'root',
@@ -63,9 +67,11 @@ const customPoliciesMockModel = [
     name: 'custom',
     policy: undefined,
     policyType: 'acl',
-    canDelete: true,
-    canEdit: true,
-    canRead: true,
+    capabilities: {
+      canEdit: true,
+      canRead: true,
+      canDelete: true,
+    },
   },
 ];
 customPoliciesMockModel.meta = {
@@ -73,8 +79,8 @@ customPoliciesMockModel.meta = {
   lastPage: 1,
   nextPage: 1,
   prevPage: 0,
-  total: 3,
-  filteredTotal: 3,
+  total: 4,
+  filteredTotal: 4,
   pageSize: 15,
 };
 
@@ -83,6 +89,9 @@ module('Integration | Component | page/policies', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
+    // clear local storage to reset dismissed wizard state
+    localStorage.clear();
+
     this.model = policiesMockModel;
     this.policyType = 'acl';
     this.store = this.owner.lookup('service:store');
diff --git a/ui/tests/integration/components/path-filter-config-list-test.js b/ui/tests/integration/components/path-filter-config-list-test.js
index 04afa02970..1a3a3d5db0 100644
--- a/ui/tests/integration/components/path-filter-config-list-test.js
+++ b/ui/tests/integration/components/path-filter-config-list-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, findAll } from '@ember/test-helpers';
 import { typeInSearch, clickTrigger } from 'ember-power-select/test-support/helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/pgp-file-test.js b/ui/tests/integration/components/pgp-file-test.js
index ce10f1c18d..247dfae2a5 100644
--- a/ui/tests/integration/components/pgp-file-test.js
+++ b/ui/tests/integration/components/pgp-file-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, triggerEvent, waitUntil, find } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -89,13 +89,9 @@ module('Integration | Component | pgp file', function (hooks) {
       />
     `);
     await click(GENERAL.textToggle);
-    assert.dom('[data-test-pgp-file-textarea]').exists({ count: 1 }, 'renders the textarea on toggle');
+    assert.dom(GENERAL.textareaByAttr('pgp-key')).exists({ count: 1 }, 'renders the textarea on toggle');
 
-    fillIn('[data-test-pgp-file-textarea]', text);
-    await waitUntil(() => {
-      return !!this.lastOnChangeCall;
-    });
-    assert.strictEqual(this.lastOnChangeCall[1].value, text, 'the key value is passed to onChange');
+    fillIn(GENERAL.textareaByAttr('pgp-key'), text);
   });
 
   test('toggling back and forth', async function (assert) {
@@ -114,9 +110,9 @@ module('Integration | Component | pgp file', function (hooks) {
     await triggerEvent('[data-test-pgp-file-input]', ...event);
     await waitUntil(() => find('[data-test-pgp-file-input-label]').innerText === 'file.json');
     await click(GENERAL.textToggle);
-    assert.dom('[data-test-pgp-file-textarea]').exists({ count: 1 }, 'renders the textarea on toggle');
+    assert.dom(GENERAL.textareaByAttr('pgp-key')).exists({ count: 1 }, 'renders the textarea on toggle');
     assert
-      .dom('[data-test-pgp-file-textarea]')
-      .hasText(this.lastOnChangeCall[1].value, 'textarea shows the value of the base64d key');
+      .dom(GENERAL.textareaByAttr('pgp-key'))
+      .hasValue(this.lastOnChangeCall[1].value, 'textarea shows the value of the base64d key');
   });
 });
diff --git a/ui/tests/integration/components/pgp-list-test.js b/ui/tests/integration/components/pgp-list-test.js
index b1b1179a86..323cf4c636 100644
--- a/ui/tests/integration/components/pgp-list-test.js
+++ b/ui/tests/integration/components/pgp-list-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, triggerEvent, waitUntil } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/pki/page/pki-certificate-details-test.js b/ui/tests/integration/components/pki/page/pki-certificate-details-test.js
index c174ab767d..4c2c05b8fc 100644
--- a/ui/tests/integration/components/pki/page/pki-certificate-details-test.js
+++ b/ui/tests/integration/components/pki/page/pki-certificate-details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/page/pki-configuration-details-test.js b/ui/tests/integration/components/pki/page/pki-configuration-details-test.js
index 475f481469..fbe1c1ea52 100644
--- a/ui/tests/integration/components/pki/page/pki-configuration-details-test.js
+++ b/ui/tests/integration/components/pki/page/pki-configuration-details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js b/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js
index eb78b88bf7..9c27907272 100644
--- a/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js
+++ b/ui/tests/integration/components/pki/page/pki-configuration-edit-test.js
@@ -9,6 +9,7 @@ import { click, fillIn, render } from '@ember/test-helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { hbs } from 'ember-cli-htmlbars';
 import sinon from 'sinon';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { PKI_CONFIG_EDIT } from 'vault/tests/helpers/pki/pki-selectors';
 import { configCapabilities } from 'vault/tests/helpers/pki/pki-helpers';
 import PkiConfigClusterForm from 'vault/forms/secrets/pki/config/cluster';
@@ -306,25 +307,17 @@ module('Integration | Component | page/pki-configuration-edit', function (hooks)
     await this.renderComponent();
 
     assert
-      .dom(`${PKI_CONFIG_EDIT.configEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's the cluster config Ask your administrator if you think you should have access to: POST /pki-engine/config/cluster"
-      );
+      .dom(`${PKI_CONFIG_EDIT.configEditSection} ${GENERAL.emptyStateTitle}`)
+      .hasText("You do not have permission to set this mount's the cluster config");
     assert
-      .dom(`${PKI_CONFIG_EDIT.acmeEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's ACME config Ask your administrator if you think you should have access to: POST /pki-engine/config/acme"
-      );
+      .dom(`${PKI_CONFIG_EDIT.acmeEditSection} ${GENERAL.emptyStateTitle}`)
+      .hasText("You do not have permission to set this mount's ACME config");
     assert
-      .dom(`${PKI_CONFIG_EDIT.urlsEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's URLs Ask your administrator if you think you should have access to: POST /pki-engine/config/urls"
-      );
+      .dom(`${PKI_CONFIG_EDIT.urlsEditSection} ${GENERAL.emptyStateTitle}`)
+      .hasText("You do not have permission to set this mount's URLs");
     assert
-      .dom(`${PKI_CONFIG_EDIT.crlEditSection} [data-test-component="empty-state"]`)
-      .hasText(
-        "You do not have permission to set this mount's revocation configuration Ask your administrator if you think you should have access to: POST /pki-engine/config/crl"
-      );
+      .dom(`${PKI_CONFIG_EDIT.crlEditSection} ${GENERAL.emptyStateTitle}`)
+      .hasText("You do not have permission to set this mount's revocation configuration");
   });
 
   test('it renders alert banner and endpoint respective error', async function (assert) {
diff --git a/ui/tests/integration/components/pki/page/pki-issuer-edit-test.js b/ui/tests/integration/components/pki/page/pki-issuer-edit-test.js
index 7ee33089b8..529ddb7205 100644
--- a/ui/tests/integration/components/pki/page/pki-issuer-edit-test.js
+++ b/ui/tests/integration/components/pki/page/pki-issuer-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/page/pki-key-details-test.js b/ui/tests/integration/components/pki/page/pki-key-details-test.js
index cc57ff72fa..693dbd7a11 100644
--- a/ui/tests/integration/components/pki/page/pki-key-details-test.js
+++ b/ui/tests/integration/components/pki/page/pki-key-details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
@@ -74,7 +74,7 @@ module('Integration | Component | pki key details page', function (hooks) {
     assert.dom(PKI_KEYS.keyEditLink).doesNotExist('does not render edit button if no permission');
   });
 
-  test('it renders the private key as a <CertificateCard> component when there is a private key', async function (assert) {
+  test('it renders the private key as a <EncodedDataCard> component when there is a private key', async function (assert) {
     this.key.private_key = 'private-key-value';
 
     await this.renderComponent();
diff --git a/ui/tests/integration/components/pki/page/pki-key-list-test.js b/ui/tests/integration/components/pki/page/pki-key-list-test.js
index bfa3e91325..35ab876716 100644
--- a/ui/tests/integration/components/pki/page/pki-key-list-test.js
+++ b/ui/tests/integration/components/pki/page/pki-key-list-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/page/pki-overview-test.js b/ui/tests/integration/components/pki/page/pki-overview-test.js
index 46896fd6b4..49014791f9 100644
--- a/ui/tests/integration/components/pki/page/pki-overview-test.js
+++ b/ui/tests/integration/components/pki/page/pki-overview-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/page/pki-role-details-test.js b/ui/tests/integration/components/pki/page/pki-role-details-test.js
index f25711b870..25ea9a764d 100644
--- a/ui/tests/integration/components/pki/page/pki-role-details-test.js
+++ b/ui/tests/integration/components/pki/page/pki-role-details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/page/pki-tidy-status-test.js b/ui/tests/integration/components/pki/page/pki-tidy-status-test.js
index c4b1126803..bd65c8da36 100644
--- a/ui/tests/integration/components/pki/page/pki-tidy-status-test.js
+++ b/ui/tests/integration/components/pki/page/pki-tidy-status-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-import-pem-bundle-test.js b/ui/tests/integration/components/pki/pki-import-pem-bundle-test.js
index d82aef4e05..5aed8c70ff 100644
--- a/ui/tests/integration/components/pki/pki-import-pem-bundle-test.js
+++ b/ui/tests/integration/components/pki/pki-import-pem-bundle-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-key-form-test.js b/ui/tests/integration/components/pki/pki-key-form-test.js
index 5c62247c72..4843bf4b3c 100644
--- a/ui/tests/integration/components/pki/pki-key-form-test.js
+++ b/ui/tests/integration/components/pki/pki-key-form-test.js
@@ -5,7 +5,7 @@
 
 import sinon from 'sinon';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-key-parameters-test.js b/ui/tests/integration/components/pki/pki-key-parameters-test.js
index 93ffff9247..19613d8cb7 100644
--- a/ui/tests/integration/components/pki/pki-key-parameters-test.js
+++ b/ui/tests/integration/components/pki/pki-key-parameters-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-key-usage-test.js b/ui/tests/integration/components/pki/pki-key-usage-test.js
index e03d7afa26..e3deffd71f 100644
--- a/ui/tests/integration/components/pki/pki-key-usage-test.js
+++ b/ui/tests/integration/components/pki/pki-key-usage-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, findAll } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-not-valid-after-form-test.js b/ui/tests/integration/components/pki/pki-not-valid-after-form-test.js
index dbc846d866..bf59993a0a 100644
--- a/ui/tests/integration/components/pki/pki-not-valid-after-form-test.js
+++ b/ui/tests/integration/components/pki/pki-not-valid-after-form-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-page-header-test.js b/ui/tests/integration/components/pki/pki-page-header-test.js
index ba91a59854..1672467632 100644
--- a/ui/tests/integration/components/pki/pki-page-header-test.js
+++ b/ui/tests/integration/components/pki/pki-page-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/pki/pki-role-form-test.js b/ui/tests/integration/components/pki/pki-role-form-test.js
index b67f651542..67e180200e 100644
--- a/ui/tests/integration/components/pki/pki-role-form-test.js
+++ b/ui/tests/integration/components/pki/pki-role-form-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-role-generate-test.js b/ui/tests/integration/components/pki/pki-role-generate-test.js
index 2e7108b5cd..b8c1f422b0 100644
--- a/ui/tests/integration/components/pki/pki-role-generate-test.js
+++ b/ui/tests/integration/components/pki/pki-role-generate-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/pki/pki-tidy-form-test.js b/ui/tests/integration/components/pki/pki-tidy-form-test.js
index 274419ba83..a0906ac6c0 100644
--- a/ui/tests/integration/components/pki/pki-tidy-form-test.js
+++ b/ui/tests/integration/components/pki/pki-tidy-form-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render, fillIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupEngine } from 'ember-engines/test-support';
diff --git a/ui/tests/integration/components/plugin-documentation-flyout-test.js b/ui/tests/integration/components/plugin-documentation-flyout-test.js
index 772df85376..479e8f2f24 100644
--- a/ui/tests/integration/components/plugin-documentation-flyout-test.js
+++ b/ui/tests/integration/components/plugin-documentation-flyout-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import sinon from 'sinon';
@@ -21,7 +21,7 @@ module('Integration | Component | plugin-documentation-flyout', function (hooks)
     this.isOpen = false;
 
     await render(hbs`
-      <PluginDocumentationFlyout 
+      <PluginDocumentationFlyout
         @isOpen={{this.isOpen}}
         @onClose={{this.onClose}}
       />
@@ -41,7 +41,7 @@ module('Integration | Component | plugin-documentation-flyout', function (hooks)
     this.displayName = 'AWS';
 
     await render(hbs`
-      <PluginDocumentationFlyout 
+      <PluginDocumentationFlyout
         @isOpen={{this.isOpen}}
         @pluginName={{this.pluginName}}
         @pluginType={{this.pluginType}}
@@ -67,7 +67,7 @@ module('Integration | Component | plugin-documentation-flyout', function (hooks)
     // No pluginName means this is for external plugins help
 
     await render(hbs`
-      <PluginDocumentationFlyout 
+      <PluginDocumentationFlyout
         @isOpen={{this.isOpen}}
         @onClose={{this.onClose}}
       />
@@ -91,7 +91,7 @@ module('Integration | Component | plugin-documentation-flyout', function (hooks)
     this.displayName = 'LDAP';
 
     await render(hbs`
-      <PluginDocumentationFlyout 
+      <PluginDocumentationFlyout
         @isOpen={{this.isOpen}}
         @pluginName={{this.pluginName}}
         @pluginType={{this.pluginType}}
@@ -109,7 +109,7 @@ module('Integration | Component | plugin-documentation-flyout', function (hooks)
     this.isOpen = true;
 
     await render(hbs`
-      <PluginDocumentationFlyout 
+      <PluginDocumentationFlyout
         @isOpen={{this.isOpen}}
         @onClose={{this.onClose}}
       />
@@ -124,7 +124,7 @@ module('Integration | Component | plugin-documentation-flyout', function (hooks)
     this.pluginName = 'aws';
 
     await render(hbs`
-      <PluginDocumentationFlyout 
+      <PluginDocumentationFlyout
         @isOpen={{this.isOpen}}
         @pluginName={{this.pluginName}}
         @onClose={{this.onClose}}
@@ -152,7 +152,7 @@ module('Integration | Component | plugin-documentation-flyout', function (hooks)
     // No displayName provided
 
     await render(hbs`
-      <PluginDocumentationFlyout 
+      <PluginDocumentationFlyout
         @isOpen={{this.isOpen}}
         @pluginName={{this.pluginName}}
         @onClose={{this.onClose}}
diff --git a/ui/tests/integration/components/policy-form-modal-test.js b/ui/tests/integration/components/policy-form-modal-test.js
new file mode 100644
index 0000000000..32e9d4e18e
--- /dev/null
+++ b/ui/tests/integration/components/policy-form-modal-test.js
@@ -0,0 +1,84 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import hbs from 'htmlbars-inline-precompile';
+import { click, fillIn, render, findAll } from '@ember/test-helpers';
+import sinon from 'sinon';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import PolicyForm from 'vault/forms/policy';
+
+module('Integration | Component | policy-form-modal', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.form = new PolicyForm({ name: 'modal-test', enforcement_level: 'hard-mandatory' });
+    this.onSave = sinon.spy();
+    this.onCancel = sinon.spy();
+
+    this.renderComponent = () =>
+      render(hbs`
+      <PolicyFormModal
+        @form={{this.form}}
+        @onSave={{this.onSave}}
+        @onCancel={{this.onCancel}}
+      />
+    `);
+  });
+
+  test('it should render empty state when type is not selected', async function (assert) {
+    await this.renderComponent();
+    assert
+      .dom(GENERAL.emptyStateTitle)
+      .hasText('No policy type selected', 'shows empty state when no type is selected');
+    assert
+      .dom(GENERAL.emptyStateMessage)
+      .hasText(
+        'Select a policy type to continue creating.',
+        'shows empty state message when no type is selected'
+      );
+  });
+
+  test('it should render correct policy types in select', async function (assert) {
+    await this.renderComponent();
+    const options = findAll(`${GENERAL.selectByAttr('policyType')} option`).map((option) => option.value);
+    assert.deepEqual(options, ['', 'acl', 'rgp'], 'renders correct policy types in select dropdown');
+  });
+
+  test('it should disable rgp without sentinel feature', async function (assert) {
+    sinon.stub(this.owner.lookup('service:version'), 'hasSentinel').value(false);
+    await this.renderComponent();
+    const options = findAll(`${GENERAL.selectByAttr('policyType')} option`);
+    assert.true(options[2].disabled, 'RGP option is disabled without sentinel feature');
+  });
+
+  test('it should render tabs when type is selected', async function (assert) {
+    await this.renderComponent();
+
+    await fillIn(GENERAL.selectByAttr('policyType'), 'acl');
+    assert.dom('[data-test-tab-your-policy]').exists('renders policy tab when type is selected');
+    assert.dom('[data-test-policy-form]').exists('renders policy form when tab is active');
+
+    await click('[data-test-tab-example-policy]');
+    assert.dom('[data-test-policy-example]').exists('renders policy example when tab is selected');
+  });
+
+  test('it should render form correctly based on policy type', async function (assert) {
+    await this.renderComponent();
+    await fillIn(GENERAL.selectByAttr('policyType'), 'acl');
+    assert.dom('[data-test-policy-form]').exists('renders policy form when type is selected');
+    assert
+      .dom(GENERAL.inputByAttr('enforcement_level'))
+      .doesNotExist('enforcement level input is not rendered for ACL policy');
+
+    this.form.policyType = null;
+    await this.renderComponent();
+    await fillIn(GENERAL.selectByAttr('policyType'), 'rgp');
+    assert
+      .dom(GENERAL.inputByAttr('enforcement_level'))
+      .exists('enforcement level input is rendered for RGP policy');
+  });
+});
diff --git a/ui/tests/integration/components/policy-form-test.js b/ui/tests/integration/components/policy-form-test.js
index 07e0a96a46..f06fd26317 100644
--- a/ui/tests/integration/components/policy-form-test.js
+++ b/ui/tests/integration/components/policy-form-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, render, settled, triggerEvent, waitFor } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
@@ -13,6 +13,7 @@ import { overrideResponse } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import codemirror, { setCodeEditorValue } from 'vault/tests/helpers/codemirror';
 import { FORM } from 'vault/tests/helpers/form-selectors';
+import PolicyForm from 'vault/forms/policy';
 
 async function setEditorValue(value) {
   await waitFor('.cm-editor');
@@ -26,20 +27,25 @@ module('Integration | Component | policy-form', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
     // Set model here with "ACL" policy type for so PolicyForm component consistently has a @model arg
-    this.model = this.store.createRecord('policy/acl');
+    this.form = new PolicyForm(
+      {
+        enforcementLevel: 'hard-mandatory',
+      },
+      { isNew: true }
+    );
+    this.form.policyType = 'acl';
     this.onSave = sinon.spy();
     this.onCancel = sinon.spy();
     this.isCompact = undefined;
-    this.server.put('/sys/policies/acl/:name', (_, req) => {
+    this.server.post('/sys/policies/acl/:name', (_, req) => {
       if (req.params.name === 'bad-policy') {
         return overrideResponse(400, { errors: ['An error occurred'] });
       }
       return overrideResponse(204);
     });
-    this.server.put('/sys/policies/rgp/:name', () => overrideResponse(204));
-    this.server.put('/sys/policies/egp/:name', () => overrideResponse(204));
+    this.server.post('/sys/policies/rgp/:name', () => overrideResponse(204));
+    this.server.post('/sys/policies/egp/:name', () => overrideResponse(204));
 
     this.assertNoVisualEditor = (assert, msg = 'it does not render visual policy builder') => {
       assert.dom(GENERAL.radioByAttr()).doesNotExist('it does not render radio options');
@@ -50,7 +56,7 @@ module('Integration | Component | policy-form', function (hooks) {
     this.renderComponent = () => {
       return render(
         hbs`<PolicyForm
-          @model={{this.model}}
+          @form={{this.form}}
           @onCancel={{this.onCancel}}
           @onSave={{this.onSave}}
           @isCompact={{this.isCompact}}
@@ -122,39 +128,22 @@ module('Integration | Component | policy-form', function (hooks) {
     `;
     await this.renderComponent();
     await fillIn(GENERAL.inputByAttr('name'), 'Foo');
-    assert.strictEqual(this.model.name, 'foo', 'Input sets name on model to lowercase input');
+    assert.strictEqual(this.form.name, 'foo', 'Input sets name on model to lowercase input');
     await click(GENERAL.radioByAttr('code'));
     await setEditorValue(policy);
-    assert.strictEqual(this.model.policy, policy, 'Policy editor sets policy on model');
+    assert.strictEqual(this.form.policy, policy, 'Policy editor sets policy on policy form class');
 
     await click(GENERAL.cancelButton);
     assert.true(this.onSave.notCalled, 'onSave is not called yet');
     assert.true(this.onCancel.calledOnce, 'Form calls onCancel');
   });
 
-  test('it does not save edits when the cancel button is clicked', async function (assert) {
-    this.model.name = 'foo';
-    this.model.policy = 'some policy content';
-    this.model.save();
-    await this.renderComponent();
-    await setEditorValue('updated');
-    assert.strictEqual(this.model.policy, 'updated', 'Policy editor updates policy value on model');
-    await click(GENERAL.cancelButton);
-    assert.true(this.onSave.notCalled, 'onSave is not called yet');
-    assert.true(this.onCancel.calledOnce, 'Form calls onCancel');
-
-    await this.renderComponent();
-    assert.strictEqual(
-      this.model.policy,
-      'some policy content',
-      'Policy editor shows original policy content, meaning that onCancel worked successfully'
-    );
-  });
-
-  test('it shows the error message on form when save fails', async function (assert) {
-    this.model.name = 'bad-policy';
-    this.model.policy = 'some policy content';
+  test('it shows the error message on form when save returns an API error', async function (assert) {
+    this.form.name = 'bad-policy';
+    this.form.policy = 'some policy content';
     await this.renderComponent();
+    // Change editors so we don't trigger visual editor validations
+    await click(GENERAL.radioByAttr('code'));
     await click(GENERAL.submitButton);
     assert.true(this.onSave.notCalled, 'onSave is not called yet');
     assert.dom(GENERAL.messageError).includesText('An error occurred');
@@ -163,11 +152,16 @@ module('Integration | Component | policy-form', function (hooks) {
 
   module('ACL', function (hooks) {
     hooks.beforeEach(function () {
-      this.model = this.store.createRecord('policy/acl');
+      this.form = new PolicyForm(
+        {
+          enforcementLevel: 'hard-mandatory',
+        },
+        { isNew: true }
+      );
+      this.form.policyType = 'acl';
       this.policy = `path "secret/*" {
       capabilities = [ "create", "read", "update", "list" ]
-    }
-    `;
+    }`;
     });
 
     test('it renders the form for new ACL policy', async function (assert) {
@@ -186,32 +180,34 @@ module('Integration | Component | policy-form', function (hooks) {
     test('it saves a new ACL policy using the code editor', async function (assert) {
       await this.renderComponent();
       await fillIn(GENERAL.inputByAttr('name'), 'Foo');
-      assert.strictEqual(this.model.name, 'foo', 'Input sets name on model to lowercase input');
+      assert.strictEqual(this.form.name, 'foo', 'Input sets name on model to lowercase input');
       await click(GENERAL.radioByAttr('code'));
       await setEditorValue(this.policy);
-      assert.strictEqual(this.model.policy, this.policy, 'Policy editor sets policy on model');
+      assert.strictEqual(this.form.policy, this.policy, 'Policy editor sets policy on model');
       assert.true(this.onSave.notCalled, 'onSave is not called yet');
       await click(GENERAL.submitButton);
-      assert.true(this.onSave.calledOnceWith(this.model), 'onSave is called with model');
+      assert.true(this.onSave.calledOnce, 'onSave is called');
       const [actual] = this.onSave.lastCall.args;
       assert.strictEqual(actual.policy, this.policy, 'onSave is called with expected policy');
     });
 
     test('it renders the form to edit existing ACL policy', async function (assert) {
-      this.model.name = 'bar';
-      this.model.policy = this.policy;
-      this.model.save();
+      this.form.name = 'bar';
+      this.form.policy = this.policy;
+      this.form.isNew = false;
       await this.renderComponent();
       assert.dom(GENERAL.inputByAttr('name')).doesNotExist('Name input is not rendered');
       assert.dom(GENERAL.toggleInput('Upload file')).doesNotExist('Upload file toggle does not exist');
       this.assertNoVisualEditor(assert, 'it does not render visual editor when editing an ACL policy');
 
       await setEditorValue('updated');
-      assert.strictEqual(this.model.policy, 'updated', 'Policy editor updates policy value on model');
+      assert.strictEqual(this.form.policy, 'updated', 'Policy editor updates policy value on model');
       assert.true(this.onSave.notCalled, 'onSave is not called yet');
       assert.dom(GENERAL.submitButton).hasText('Save', 'Save button text is correct');
       await click(GENERAL.submitButton);
-      assert.true(this.onSave.calledOnceWith(this.model), 'onSave is called with model');
+      assert.true(this.onSave.calledOnce, 'onSave is called');
+      const [actual] = this.onSave.lastCall.args;
+      assert.strictEqual(actual.policy, this.form.policy, 'onSave is called with expected policy');
     });
 
     test('it renders the correct title for ACL example for the policy example modal', async function (assert) {
@@ -231,7 +227,7 @@ module('Integration | Component | policy-form', function (hooks) {
       assert.dom(GENERAL.codemirror).doesNotExist('JSON editor does not render by default');
       assert
         .dom(GENERAL.fieldByAttr('visual editor'))
-        .hasTextContaining('Rule Show preview')
+        .hasTextContaining('Path Show preview')
         .exists('it renders visual policy editor by default');
       // Select Code editor
       await click(GENERAL.radioByAttr('code'));
@@ -246,7 +242,7 @@ module('Integration | Component | policy-form', function (hooks) {
       assert.dom(GENERAL.codemirror).doesNotExist();
       assert
         .dom(GENERAL.fieldByAttr('visual editor'))
-        .hasTextContaining('Rule Show preview')
+        .hasTextContaining('Path Show preview')
         .exists('Visual editor renders after selecting radio');
     });
 
@@ -259,7 +255,7 @@ path "second/path" {
 }`;
       await this.renderComponent();
       await fillIn(GENERAL.inputByAttr('name'), 'Foo');
-      assert.strictEqual(this.model.name, 'foo', 'Input sets name on model to lowercase input');
+      assert.strictEqual(this.form.name, 'foo', 'Input sets name on model to lowercase input');
       // Set up first rule
       await fillIn(GENERAL.inputByAttr('path'), 'first/path');
       await click(GENERAL.checkboxByAttr('read'));
@@ -268,12 +264,40 @@ path "second/path" {
       await fillIn(`${GENERAL.cardContainer('1')} ${GENERAL.inputByAttr('path')}`, 'second/path');
       await click(`${GENERAL.cardContainer('1')} ${GENERAL.checkboxByAttr('update')}`);
       // Save policy
-      assert.strictEqual(this.model.policy, expectedPolicy, 'Policy editor sets policy on model');
+      assert.strictEqual(this.form.policy, expectedPolicy, 'Policy editor sets policy on model');
       assert.true(this.onSave.notCalled, 'onSave is not called yet');
       await click(GENERAL.submitButton);
-      assert.true(this.onSave.calledOnceWith(this.model), 'onSave is called with model');
+      assert.true(this.onSave.calledOnce, 'onSave is called');
       const [actual] = this.onSave.lastCall.args;
-      assert.strictEqual(actual.policy, expectedPolicy, 'save is called with expected policy');
+      assert.strictEqual(actual.policy, expectedPolicy, 'onSave is called with expected policy');
+    });
+
+    test('it shows validation errors for invalid policy stanzas', async function (assert) {
+      await this.renderComponent();
+      await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
+      await click(GENERAL.submitButton);
+
+      assert.true(this.onSave.notCalled, 'onSave is not called');
+      assert
+        .dom(GENERAL.messageError)
+        .exists()
+        .hasText('Error There is an error with this form. Invalid policy content.');
+      assert.dom(GENERAL.validationErrorByAttr('path-0')).hasText('Path cannot be empty.');
+      assert
+        .dom(GENERAL.validationErrorByAttr('capabilities-0'))
+        .hasText('Rule must have at least one capability.');
+    });
+
+    test('it still saves from the code editor when visual stanzas are invalid', async function (assert) {
+      await this.renderComponent();
+      await fillIn(GENERAL.inputByAttr('name'), 'test-policy');
+      await click(GENERAL.radioByAttr('code'));
+      await setEditorValue(this.policy);
+      await click(GENERAL.submitButton);
+      assert.true(this.onSave.calledOnce, 'onSave is called');
+      const [actual] = this.onSave.lastCall.args;
+      assert.strictEqual(actual.policy, this.policy, 'onSave is called with expected policy');
+      assert.dom(GENERAL.messageError).doesNotExist('validation banner does not render in code editor');
     });
 
     // Automation snippets are only supported for "ACL" policy types at this time
@@ -285,7 +309,7 @@ path "second/path" {
       assert.dom(GENERAL.hdsTab('cli')).exists().hasAttribute('aria-selected', 'false');
       const expectedTfvp = `resource "vault_policy" "<local identifier>" {
       name = "<policy name>"
-    
+
       policy = <<EOT
       path "" {
         capabilities = []
@@ -423,7 +447,13 @@ capabilities = ["read"]
 
   module('RGP', function (hooks) {
     hooks.beforeEach(function () {
-      this.model = this.store.createRecord('policy/rgp');
+      this.form = new PolicyForm(
+        {
+          enforcementLevel: 'hard-mandatory',
+        },
+        { isNew: true }
+      );
+      this.form.policyType = 'rgp';
       this.policy = `import "strings"
 precond = rule {
     strings.has_prefix(request.path, "sys/policies/admin")
@@ -442,29 +472,33 @@ main = rule when precond {
       this.assertNoVisualEditor(assert, 'it hides visual editor for RGP policy types');
 
       await fillIn(GENERAL.inputByAttr('name'), 'Foo');
-      assert.strictEqual(this.model.name, 'foo', 'Input sets name on model to lowercase input');
+      assert.strictEqual(this.form.name, 'foo', 'Input sets name on model to lowercase input');
       await setEditorValue(this.policy);
-      assert.strictEqual(this.model.policy, this.policy, 'Policy editor sets policy on model');
+      assert.strictEqual(this.form.policy, this.policy, 'Policy editor sets policy on model');
       assert.true(this.onSave.notCalled, 'onSave is not called yet');
       assert.dom(GENERAL.submitButton).hasText('Create policy');
       await click(GENERAL.submitButton);
-      assert.true(this.onSave.calledOnceWith(this.model), 'onSave is called with model');
+      assert.true(this.onSave.calledOnce, 'onSave is called');
+      const [actual] = this.onSave.lastCall.args;
+      assert.strictEqual(actual.policy, this.policy, 'onSave is called with expected policy');
     });
 
     test('it renders the form to edit existing RGP policy', async function (assert) {
-      this.model.name = 'bar';
-      this.model.policy = this.policy;
-      this.model.save();
+      this.form.name = 'bar';
+      this.form.policy = this.policy;
+      this.form.isNew = false;
       await this.renderComponent();
       assert.dom(GENERAL.inputByAttr('name')).doesNotExist('Name input is not rendered');
       assert.dom(GENERAL.toggleInput('Upload file')).doesNotExist('Upload file toggle does not exist');
 
       await setEditorValue('updated');
-      assert.strictEqual(this.model.policy, 'updated', 'Policy editor updates policy value on model');
+      assert.strictEqual(this.form.policy, 'updated', 'Policy editor updates policy value on model');
       assert.true(this.onSave.notCalled, 'onSave is not called yet');
       assert.dom(GENERAL.submitButton).hasText('Save', 'Save button text is correct');
       await click(GENERAL.submitButton);
-      assert.true(this.onSave.calledOnceWith(this.model), 'onSave is called with model');
+      assert.true(this.onSave.calledOnce, 'onSave is called');
+      const [actual] = this.onSave.lastCall.args;
+      assert.strictEqual(actual.policy, this.form.policy, 'onSave is called with expected policy');
     });
 
     test('it renders the correct title for RGP example for the policy example modal', async function (assert) {
@@ -481,7 +515,13 @@ main = rule when precond {
 
   module('EGP', function (hooks) {
     hooks.beforeEach(function () {
-      this.model = this.store.createRecord('policy/egp');
+      this.form = new PolicyForm(
+        {
+          enforcementLevel: 'hard-mandatory',
+        },
+        { isNew: true }
+      );
+      this.form.policyType = 'egp';
       this.policy = `import "time"
 workdays = rule {
     time.now.weekday > 0 and time.now.weekday < 6
@@ -504,39 +544,43 @@ main = rule {
       this.assertNoVisualEditor(assert, 'it hides visual editor for EGP policy types');
 
       await fillIn(GENERAL.inputByAttr('name'), 'Foo');
-      assert.strictEqual(this.model.name, 'foo', 'Input sets name on model to lowercase input');
+      assert.strictEqual(this.form.name, 'foo', 'Input sets name on model to lowercase input');
       await setEditorValue(this.policy);
-      assert.strictEqual(this.model.policy, this.policy, 'Policy editor sets policy on model');
+      assert.strictEqual(this.form.policy, this.policy, 'Policy editor sets policy on model');
       assert.dom(GENERAL.fieldByAttr('paths')).exists('Paths field exists');
       assert.dom(GENERAL.stringListByIdx(0)).exists('0 field exists');
       await fillIn(GENERAL.stringListByIdx(0), 'my path');
       assert.true(this.onSave.notCalled, 'onSave is not called yet');
       assert.dom(GENERAL.submitButton).hasText('Create policy');
       await click(GENERAL.submitButton);
-      assert.true(this.onSave.calledOnceWith(this.model), 'onSave is called with model');
+      assert.true(this.onSave.calledOnce, 'onSave is called');
+      const [actual] = this.onSave.lastCall.args;
+      assert.strictEqual(actual.policy, this.policy, 'onSave is called with expected policy');
     });
 
     test('it renders the form to edit existing EGP policy', async function (assert) {
-      this.model.name = 'bar';
-      this.model.policy = this.policy;
-      this.model.paths = ['first path'];
-      this.model.save();
+      this.form.name = 'bar';
+      this.form.policy = this.policy;
+      this.form.paths = ['first path'];
+      this.form.isNew = false;
       await this.renderComponent();
 
       assert.dom(GENERAL.inputByAttr('name')).doesNotExist('Name input is not rendered');
       assert.dom(GENERAL.toggleInput('Upload file')).doesNotExist('Upload file toggle does not exist');
       await setEditorValue('updated');
-      assert.strictEqual(this.model.policy, 'updated', 'Policy editor updates policy value on model');
+      assert.strictEqual(this.form.policy, 'updated', 'Policy editor updates policy value on model');
       await fillIn(GENERAL.stringListByIdx(1), 'second path');
       assert.strictEqual(
-        JSON.stringify(this.model.paths),
+        JSON.stringify(this.form.paths),
         '["first path","second path"]',
         'Second path field is updated on model'
       );
       assert.true(this.onSave.notCalled, 'onSave is not called yet');
       assert.dom(GENERAL.submitButton).hasText('Save', 'Save button text is correct');
       await click(GENERAL.submitButton);
-      assert.true(this.onSave.calledOnceWith(this.model), 'onSave is called with model');
+      assert.true(this.onSave.calledOnce, 'onSave is called');
+      const [actual] = this.onSave.lastCall.args;
+      assert.strictEqual(actual.policy, this.form.policy, 'onSave is called with expected policy');
     });
 
     test('it renders the correct title for EGP example for the policy example modal', async function (assert) {
diff --git a/ui/tests/integration/components/radial-progress-test.js b/ui/tests/integration/components/radial-progress-test.js
index 5338f1ed23..f5ebb85d36 100644
--- a/ui/tests/integration/components/radial-progress-test.js
+++ b/ui/tests/integration/components/radial-progress-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { create } from 'ember-cli-page-object';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/radio-button-test.js b/ui/tests/integration/components/radio-button-test.js
index 14fbaf4013..011e48c8dc 100644
--- a/ui/tests/integration/components/radio-button-test.js
+++ b/ui/tests/integration/components/radio-button-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/raft-join-test.js b/ui/tests/integration/components/raft-join-test.js
index ca9956bf8d..187e3c1253 100644
--- a/ui/tests/integration/components/raft-join-test.js
+++ b/ui/tests/integration/components/raft-join-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/raft-storage-overview-test.js b/ui/tests/integration/components/raft-storage-overview-test.js
index 2455131f96..e7b1cbf302 100644
--- a/ui/tests/integration/components/raft-storage-overview-test.js
+++ b/ui/tests/integration/components/raft-storage-overview-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/raft-storage-restore-test.js b/ui/tests/integration/components/raft-storage-restore-test.js
index 739298cf7a..65a2cc4479 100644
--- a/ui/tests/integration/components/raft-storage-restore-test.js
+++ b/ui/tests/integration/components/raft-storage-restore-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, triggerEvent, click, waitFor } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/read-more-test.js b/ui/tests/integration/components/read-more-test.js
index 51500dcabf..9796344853 100644
--- a/ui/tests/integration/components/read-more-test.js
+++ b/ui/tests/integration/components/read-more-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/components/readonly-form-field-test.js b/ui/tests/integration/components/readonly-form-field-test.js
index a9442337ca..b336c210e4 100644
--- a/ui/tests/integration/components/readonly-form-field-test.js
+++ b/ui/tests/integration/components/readonly-form-field-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import EmberObject from '@ember/object';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/components/recovery/page/snapshot-manage-test.js b/ui/tests/integration/components/recovery/page/snapshot-manage-test.js
index 2c5f770d30..d4fad30c98 100644
--- a/ui/tests/integration/components/recovery/page/snapshot-manage-test.js
+++ b/ui/tests/integration/components/recovery/page/snapshot-manage-test.js
@@ -31,6 +31,8 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
       namespaces = [];
     }
 
+    this.breadcrumbs = [{ label: 'Secrets Recovery', route: 'vault.cluster.recovery.snapshots' }];
+
     this.model = {
       snapshot,
       namespaces,
@@ -40,7 +42,9 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
     this.version.type = 'enterprise';
 
     this.renderComponent = () =>
-      render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
+      render(
+        hbs`<Recovery::Page::Snapshots::SnapshotManage @breadcrumbs={{this.breadcrumbs}} @model={{this.model}}/>`
+      );
   });
   const scenarios = [
     {
@@ -119,7 +123,7 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
       // have values if the request was successful, but handling just in case.
       data: { secret: {} },
     }));
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
+    await this.renderComponent();
     assert.dom(GENERAL.inputByAttr('manual-mount-path')).exists();
     assert.dom(GENERAL.selectByAttr('mount')).doesNotExist();
   });
@@ -127,7 +131,7 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
   test('it renders manual input if mounts request errors', async function (assert) {
     assert.expect(14);
     this.server.get('/sys/internal/ui/mounts', () => overrideResponse(403));
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
+    await this.renderComponent();
     assert.dom(GENERAL.button('Type')).exists().hasText('Type');
     assert.dom(GENERAL.inputByAttr('manual-mount-path')).exists().isDisabled();
     assert.dom(GENERAL.selectByAttr('mount')).doesNotExist();
@@ -161,18 +165,19 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
   });
 
   test('it displays loaded snapshot card', async function (assert) {
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
+    await this.renderComponent();
+
     assert.dom(GENERAL.badge('status')).hasText('Ready', 'status badge renders');
   });
 
   test('it displays namespace selector for root namespace', async function (assert) {
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
+    await this.renderComponent();
 
     assert.dom(GENERAL.selectByAttr('namespace')).exists('namespace selector is visible in root namespace');
   });
 
   test('it validates form fields before read/recover operations', async function (assert) {
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
+    await this.renderComponent();
     // Try to read without selecting mount or resource path
     await click(GENERAL.button('read'));
 
@@ -181,14 +186,12 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
   });
 
   test('it clears form selections', async function (assert) {
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
-
+    await this.renderComponent();
     await click(GENERAL.selectByAttr('namespace'));
     await click('[data-option-index="1"]');
     await click(GENERAL.selectByAttr('mount'));
     await click('[data-option-index]');
     await fillIn(GENERAL.inputByAttr('resourcePath'), 'test-path');
-
     await click(GENERAL.button('clear'));
 
     const nsSelect = find(GENERAL.selectByAttr('namespace'));
@@ -201,8 +204,7 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
   });
 
   test('it displays error alert when read operation fails', async function (assert) {
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
-
+    await this.renderComponent();
     await fillIn(GENERAL.inputByAttr('resourcePath'), 'nonexistent-secret');
     await click(GENERAL.selectByAttr('mount'));
     await click('[data-option-index="1.0"]');
@@ -212,8 +214,7 @@ module('Integration | Component | recovery/snapshots/snapshot-manage', function
   });
 
   test('it toggles JSON view in read modal', async function (assert) {
-    await render(hbs`<Recovery::Page::Snapshots::SnapshotManage @model={{this.model}}/>`);
-
+    await this.renderComponent();
     await fillIn(GENERAL.inputByAttr('resourcePath'), 'test-secret');
     await click(GENERAL.selectByAttr('mount'));
     await click('[data-option-index]');
diff --git a/ui/tests/integration/components/recovery/page/snapshots-load-test.js b/ui/tests/integration/components/recovery/page/snapshots-load-test.js
index 41a11bd7df..38bc58fa86 100644
--- a/ui/tests/integration/components/recovery/page/snapshots-load-test.js
+++ b/ui/tests/integration/components/recovery/page/snapshots-load-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
-import { click, fillIn, render, triggerEvent } from '@ember/test-helpers';
+import { click, fillIn, render, triggerEvent, waitFor } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import recoveryHandler from 'vault/mirage/handlers/recovery';
@@ -78,6 +78,7 @@ module('Integration | Component | recovery/snapshots-load', function (hooks) {
 
     await click(GENERAL.inputByAttr('manual'));
     await triggerEvent('[data-test-file-input]', 'change', { files: [file] });
+    await waitFor('[data-test-file-info]');
     await click(GENERAL.submitButton);
 
     assert.true(
diff --git a/ui/tests/integration/components/recovery/page/snapshots-test.js b/ui/tests/integration/components/recovery/page/snapshots-test.js
index fb0b7a810f..ac83f8ac56 100644
--- a/ui/tests/integration/components/recovery/page/snapshots-test.js
+++ b/ui/tests/integration/components/recovery/page/snapshots-test.js
@@ -17,17 +17,19 @@ module('Integration | Component | recovery/snapshots', function (hooks) {
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
+    this.breadcrumbs = [{ label: 'Secrets Recovery', route: 'vault.cluster.recovery.snapshots' }];
+
     this.model = {
       snapshots: [],
       canLoadSnapshot: false,
     };
-    this.renderComponent = () => render(hbs`<Recovery::Page::Snapshots @model={{this.model}}/>`);
+    this.renderComponent = () =>
+      render(hbs`<Recovery::Page::Snapshots @breadcrumbs={{this.breadcrumbs}} @model={{this.model}}/>`);
   });
 
   test('it displays raft empty state if showRaftStorageMessage is passed into model', async function (assert) {
     this.model = { snapshots: { showRaftStorageMessage: true } };
-
-    await render(hbs`<Recovery::Page::Snapshots @model={{this.model}}/>`);
+    await this.renderComponent();
 
     assert
       .dom(GENERAL.emptyStateTitle)
@@ -43,8 +45,8 @@ module('Integration | Component | recovery/snapshots', function (hooks) {
 
   test('it displays empty state in CE', async function (assert) {
     this.model = { snapshots: [], showCommunityMessage: true };
+    await this.renderComponent();
 
-    await render(hbs`<Recovery::Page::Snapshots @model={{this.model}}/>`);
     assert
       .dom(GENERAL.emptyStateTitle)
       .hasText('Secrets Recovery is an enterprise feature', 'CE empty state title renders');
@@ -64,9 +66,7 @@ module('Integration | Component | recovery/snapshots', function (hooks) {
   test('it displays empty state in non root namespace', async function (assert) {
     const nsService = this.owner.lookup('service:namespace');
     nsService.setNamespace('test-ns');
-
     await this.renderComponent();
-
     assert
       .dom(GENERAL.emptyStateTitle)
       .hasText('Snapshot upload is restricted', 'non root namespace empty state title renders');
diff --git a/ui/tests/integration/components/regex-validator-test.js b/ui/tests/integration/components/regex-validator-test.js
index ce5dafb3e8..80c9f44ee6 100644
--- a/ui/tests/integration/components/regex-validator-test.js
+++ b/ui/tests/integration/components/regex-validator-test.js
@@ -6,7 +6,7 @@
 import EmberObject from '@ember/object';
 import sinon from 'sinon';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, settled } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/replication-action-generate-token-test.js b/ui/tests/integration/components/replication-action-generate-token-test.js
index 4d1d032bd7..6a82ea7c01 100644
--- a/ui/tests/integration/components/replication-action-generate-token-test.js
+++ b/ui/tests/integration/components/replication-action-generate-token-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { setupMirage } from 'ember-cli-mirage/test-support';
diff --git a/ui/tests/integration/components/replication-actions-test.js b/ui/tests/integration/components/replication-actions-test.js
index b0c70d0ed2..c21bd4c792 100644
--- a/ui/tests/integration/components/replication-actions-test.js
+++ b/ui/tests/integration/components/replication-actions-test.js
@@ -3,46 +3,31 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { run } from '@ember/runloop';
 import { resolve } from 'rsvp';
-import Service from '@ember/service';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, render } from '@ember/test-helpers';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
 
-const storeStub = Service.extend({
-  callArgs: null,
-  adapterFor() {
-    return {
-      replicationAction() {
-        return {
-          then(cb) {
-            cb();
-          },
-        };
-      },
-    };
-  },
-});
-
-const routerService = Service.extend({
-  transitionTo: sinon.stub().returns(resolve()),
-});
-
 module('Integration | Component | replication actions', function (hooks) {
   setupRenderingTest(hooks);
 
   hooks.beforeEach(function () {
-    run(() => {
-      this.owner.register('service:router', routerService);
-      this.owner.unregister('service:store');
-      this.owner.register('service:store', storeStub);
-      this.storeService = this.owner.lookup('service:store');
-    });
+    const { sys } = this.owner.lookup('service:api');
+    sinon.stub(sys, 'systemWriteReplicationDrPrimaryDisable').resolves();
+    sinon.stub(sys, 'systemWriteReplicationDrSecondaryDisable').resolves();
+    sinon.stub(sys, 'systemWriteReplicationPerformancePrimaryDisable').resolves();
+    sinon.stub(sys, 'systemWriteReplicationPerformanceSecondaryDisable').resolves();
+    sinon.stub(sys, 'systemWriteReplicationDrPrimaryDemote').resolves();
+    sinon.stub(sys, 'systemWriteReplicationPerformancePrimaryDemote').resolves();
+    sinon.stub(sys, 'systemWriteReplicationDrSecondaryPromote').resolves();
+    sinon.stub(sys, 'systemWriteReplicationPerformanceSecondaryPromote').resolves();
+    sinon.stub(sys, 'systemWriteReplicationDrSecondaryUpdatePrimary').resolves();
+    sinon.stub(sys, 'systemWriteReplicationPerformanceSecondaryUpdatePrimary').resolves();
   });
+
   const confirmInput = (confirmText) => fillIn('[data-test-confirmation-modal-input]', confirmText);
   const testCases = [
     [
@@ -156,16 +141,14 @@ module('Integration | Component | replication actions', function (hooks) {
         );
         return resolve();
       });
-      this.set('storeService.capabilitiesReturnVal', ['root']);
+
       await render(
-        hbs`
-                <ReplicationActions
+        hbs`<ReplicationActions
           @model={{this.model}}
           @replicationMode={{this.replicationMode}}
           @selectedAction={{this.selectedAction}}
           @onSubmit={{action this.onSubmit}}
-        />
-        `
+        />`
       );
       assert
         .dom(`[data-test-${action}-replication] h3`)
diff --git a/ui/tests/integration/components/replication-dashboard-test.js b/ui/tests/integration/components/replication-dashboard-test.js
index 761cd9c85b..2d78a92887 100644
--- a/ui/tests/integration/components/replication-dashboard-test.js
+++ b/ui/tests/integration/components/replication-dashboard-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/replication-header-test.js b/ui/tests/integration/components/replication-header-test.js
index 18501560bd..6b967066e2 100644
--- a/ui/tests/integration/components/replication-header-test.js
+++ b/ui/tests/integration/components/replication-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/replication-page-test.js b/ui/tests/integration/components/replication-page-test.js
index c55b5b6f38..73eb08476d 100644
--- a/ui/tests/integration/components/replication-page-test.js
+++ b/ui/tests/integration/components/replication-page-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { setupMirage } from 'ember-cli-mirage/test-support';
diff --git a/ui/tests/integration/components/replication-primary-card-test.js b/ui/tests/integration/components/replication-primary-card-test.js
index 88b89d5950..2724b06c75 100644
--- a/ui/tests/integration/components/replication-primary-card-test.js
+++ b/ui/tests/integration/components/replication-primary-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { CLUSTER_STATES } from 'core/helpers/cluster-states';
diff --git a/ui/tests/integration/components/replication-secondary-card-test.js b/ui/tests/integration/components/replication-secondary-card-test.js
index 0c42d52c8b..77ea801495 100644
--- a/ui/tests/integration/components/replication-secondary-card-test.js
+++ b/ui/tests/integration/components/replication-secondary-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/replication-summary-card-test.js b/ui/tests/integration/components/replication-summary-card-test.js
index be647cd037..81587c40b6 100644
--- a/ui/tests/integration/components/replication-summary-card-test.js
+++ b/ui/tests/integration/components/replication-summary-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/replication-table-rows-test.js b/ui/tests/integration/components/replication-table-rows-test.js
index 1beb7ed8ed..af55e9c4e7 100644
--- a/ui/tests/integration/components/replication-table-rows-test.js
+++ b/ui/tests/integration/components/replication-table-rows-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/seal-action-test.js b/ui/tests/integration/components/seal-action-test.js
index 3a8e2cb6ea..9931075706 100644
--- a/ui/tests/integration/components/seal-action-test.js
+++ b/ui/tests/integration/components/seal-action-test.js
@@ -18,6 +18,8 @@ module('Integration | Component | seal-action', function (hooks) {
   hooks.beforeEach(function () {
     this.sealSuccess = sinon.spy(() => new Promise((resolve) => resolve({})));
     this.sealError = sinon.stub().throws({ message: SEAL_WHEN_STANDBY_MSG });
+    this.flashMessages = this.owner.lookup('service:flash-messages');
+    this.flashSpy = sinon.spy(this.flashMessages, 'danger');
   });
 
   test('it handles success', async function (assert) {
@@ -25,11 +27,11 @@ module('Integration | Component | seal-action', function (hooks) {
     await render(hbs`<SealAction @onSeal={{action this.handleSeal}} />`);
 
     // attempt seal
-    await click('[data-test-seal]');
+    await click(GENERAL.button('Seal'));
     await click(GENERAL.confirmButton);
 
     assert.ok(this.sealSuccess.calledOnce, 'called onSeal action');
-    assert.dom('[data-test-seal-error]').doesNotExist('Does not show error when successful');
+    assert.false(this.flashSpy.calledWith(SEAL_WHEN_STANDBY_MSG), 'Does not show error when successful');
   });
 
   test('it handles error', async function (assert) {
@@ -37,10 +39,10 @@ module('Integration | Component | seal-action', function (hooks) {
     await render(hbs`<SealAction @onSeal={{action this.handleSeal}} />`);
 
     // attempt seal
-    await click('[data-test-seal]');
+    await click(GENERAL.button('Seal'));
     await click(GENERAL.confirmButton);
 
     assert.ok(this.sealError.calledOnce, 'called onSeal action');
-    assert.dom('[data-test-seal-error]').includesText(SEAL_WHEN_STANDBY_MSG, 'Shows error returned from API');
+    assert.true(this.flashSpy.calledWith(SEAL_WHEN_STANDBY_MSG), 'Shows error returned from API');
   });
 });
diff --git a/ui/tests/integration/components/search-select-test.js b/ui/tests/integration/components/search-select-test.js
index fbd8480650..04df3f02eb 100644
--- a/ui/tests/integration/components/search-select-test.js
+++ b/ui/tests/integration/components/search-select-test.js
@@ -4,76 +4,50 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { create } from 'ember-cli-page-object';
 import { typeInSearch, clickTrigger } from 'ember-power-select/test-support/helpers';
-import Service from '@ember/service';
 import { click, render, settled } from '@ember/test-helpers';
-import { run } from '@ember/runloop';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
 import waitForError from 'vault/tests/helpers/wait-for-error';
 import searchSelect from '../../pages/components/search-select';
 import { isWildcardString } from 'vault/helpers/is-wildcard-string';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { getErrorResponse } from 'vault/tests/helpers/api/error-response';
 
 const component = create(searchSelect);
 
-const storeService = Service.extend({
-  query(modelType) {
-    return new Promise((resolve, reject) => {
-      switch (modelType) {
-        case 'policy/acl':
-          resolve([
-            { id: '1', name: '1' },
-            { id: '2', name: '2' },
-            { id: '3', name: '3' },
-          ]);
-          break;
-        case 'policy/rgp':
-          reject({ httpStatus: 403, message: 'permission denied' });
-          break;
-        case 'identity/entity':
-          resolve([
-            { id: '7', name: 'seven' },
-            { id: '8', name: 'eight' },
-            { id: '9', name: 'nine' },
-          ]);
-          break;
-        case 'server/error':
-          var error = new Error('internal server error');
-          error.httpStatus = 500;
-          reject(error);
-          break;
-        case 'transform/transformation':
-          resolve([
-            { id: 'foo', name: 'bar' },
-            { id: 'foobar', name: '' },
-            { id: 'barfoo1', name: 'different' },
-          ]);
-          break;
-        case 'some/model':
-          resolve([
-            { id: 'model-a-id', name: 'model-a', uuid: 'a123', type: 'a' },
-            { id: 'model-b-id', name: 'model-b', uuid: 'b456', type: 'b' },
-            { id: 'model-c-id', name: 'model-c', uuid: 'c789', type: 'c' },
-          ]);
-          break;
-        case 'pki/issuer':
-          resolve([
-            { id: 'issuer-a-id', issuerName: 'my-first-issuer' },
-            { id: 'issuer-b-id' },
-            { id: 'issuer-c-id', issuerName: 'my-issuer-again' },
-          ]);
-          break;
-        default:
-          reject({ httpStatus: 404 });
-          break;
-      }
-      reject({ httpStatus: 404 });
-    });
+const responses = {
+  acl: { keys: ['1', '2', '3'] },
+  rgp: getErrorResponse({ errors: ['permission denied'] }, 403),
+  entity: {
+    keys: ['7', '8', '9'],
+    key_info: { 7: { name: 'seven' }, 8: { name: 'eight' }, 9: { name: 'nine' } },
   },
-});
+  transformation: {
+    keys: ['foo', 'foobar', 'barfoo1'],
+    key_info: { foo: { name: 'bar' }, foobar: { name: '' }, barfoo1: { name: 'different' } },
+  },
+  key: getErrorResponse(),
+  alphabet: {
+    keys: ['letter-a-id', 'letter-b-id', 'letter-c-id'],
+    key_info: {
+      'letter-a-id': { alpha_name: 'my-first-letter' },
+      'letter-b-id': {},
+      'letter-c-id': { alpha_name: 'my-letter-again' },
+    },
+  },
+  mfa: {
+    keys: ['model-a-id', 'model-b-id', 'model-c-id'],
+    key_info: {
+      'model-a-id': { name: 'model-a', uuid: 'a123', type: 'a' },
+      'model-b-id': { name: 'model-b', uuid: 'b456', type: 'b' },
+      'model-c-id': { name: 'model-c', uuid: 'c789', type: 'c' },
+    },
+  },
+  role: getErrorResponse({ message: 'internal server error' }, 500),
+};
 
 module('Integration | Component | search select', function (hooks) {
   setupRenderingTest(hooks);
@@ -87,10 +61,16 @@ module('Integration | Component | search select', function (hooks) {
       return !modelExists ? 'The model associated with this id no longer exists' : false;
     };
     this.set('renderTooltip', mockFunctionFromParent);
-    run(() => {
-      this.owner.unregister('service:store');
-      this.owner.register('service:store', storeService);
-    });
+
+    this.api = this.owner.lookup('service:api');
+    sinon.stub(this.api.sys, 'policiesListAclPolicies').resolves(responses.acl);
+    sinon.stub(this.api.sys, 'systemListPoliciesRgp').rejects(responses.rgp);
+    sinon.stub(this.api.identity, 'entityListByName').resolves(responses.entity);
+    sinon.stub(this.api.secrets, 'transformListTransformations').resolves(responses.transformation);
+    sinon.stub(this.api.secrets, 'keyManagementListKeys').rejects(responses.key);
+    sinon.stub(this.api.secrets, 'transformListAlphabets').resolves(responses.alphabet);
+    sinon.stub(this.api.sys, 'systemListMfaMethod').resolves(responses.mfa);
+    sinon.stub(this.api.secrets, 'databaseListRoles').rejects(responses.role);
   });
 
   test('it renders', async function (assert) {
@@ -163,6 +143,44 @@ module('Integration | Component | search select', function (hooks) {
     assert.dom('.text-overflow-ellipsis').exists('selected option text has overflow class');
   });
 
+  test('it preserves parentManageSelected objects for rendering and removes them from dropdown options', async function (assert) {
+    const options = [
+      { id: '123456', type: 'TOTP' },
+      { id: '654321', type: 'Duo' },
+    ];
+    const selected = [options[0]];
+
+    this.set('options', options);
+    this.set('selected', selected);
+    this.set('onChange', sinon.spy());
+
+    await render(hbs`
+      <SearchSelect
+        @label="foo"
+        @options={{this.options}}
+        @onChange={{this.onChange}}
+        @parentManageSelected={{this.selected}}
+        @shouldRenderName={{true}}
+        @nameKey="type"
+      />
+    `);
+
+    assert
+      .dom('[data-test-selected-option="0"]')
+      .includesText('TOTP', 'selected option renders parent-managed nameKey');
+    assert.dom('[data-test-smaller-id="0"]').hasText('123456', 'selected option renders smaller id');
+
+    await clickTrigger();
+    await settled();
+
+    assert.strictEqual(component.options.length, 1, 'selected option is removed from dropdown options');
+    assert.strictEqual(
+      component.options.objectAt(0).text,
+      'Duo 654321',
+      'remaining option renders correctly'
+    );
+  });
+
   test('it filters options and adds option to create new item when text is entered', async function (assert) {
     const models = ['identity/entity'];
     this.set('models', models);
@@ -193,7 +211,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it counts options when wildcard is used and displays the count', async function (assert) {
-    const models = ['transform/transformation'];
+    const models = ['transform'];
     this.set('models', models);
     this.set('onChange', sinon.spy());
     await render(hbs`
@@ -384,7 +402,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it shows no results if endpoint 404s', async function (assert) {
-    const models = ['test'];
+    const models = ['keymgmt/key'];
     this.set('models', models);
     this.set('onChange', sinon.spy());
     await render(hbs`
@@ -437,7 +455,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it shows selected items not in the returned response and if one model 404s', async function (assert) {
-    const models = ['test', 'policy/acl'];
+    const models = ['keymgmt/key', 'policy/acl'];
     this.set('models', models);
     this.set('inputValue', ['test-1', 'test-2']);
     this.set('onChange', sinon.spy());
@@ -486,7 +504,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it renders correctly when model keys are not standardized', async function (assert) {
-    const models = ['pki/issuer'];
+    const models = ['transform/alphabet'];
     this.set('models', models);
     this.set('onChange', sinon.spy());
     this.set('disallowNewItems', true);
@@ -497,7 +515,7 @@ module('Integration | Component | search select', function (hooks) {
         @onChange={{this.onChange}}
         @inputValue={{this.inputValue}}
         @shouldRenderName={{true}}
-        @nameKey="issuerName"
+        @nameKey="alpha_name"
         @disallowNewItems={{this.disallowNewItems}}
       />
     `);
@@ -505,15 +523,15 @@ module('Integration | Component | search select', function (hooks) {
     assert.strictEqual(component.options.length, 3, 'shows three options');
     assert.strictEqual(
       component.options.objectAt(0).text,
-      'my-first-issuer issuer-a-id',
+      'my-first-letter letter-a-id',
       'first option renders custom ID and name'
     );
     assert.strictEqual(
       component.options.objectAt(1).text,
-      'issuer-b-id',
+      'letter-b-id',
       `second option renders only id at custom key`
     );
-    await typeInSearch('issuer-a');
+    await typeInSearch('letter-a');
     await settled();
     assert.strictEqual(
       component.options.length,
@@ -521,12 +539,12 @@ module('Integration | Component | search select', function (hooks) {
       'shows two options after filter, filtering on both name and id keys'
     );
     this.set('disallowNewItems', false);
-    await typeInSearch('new-issuer');
+    await typeInSearch('new-letter');
     await settled();
     assert.strictEqual(component.options.length, 1, 'shows suggestion');
     assert.strictEqual(
       component.options.objectAt(0).text,
-      'Click to add new item: new-issuer',
+      'Click to add new item: new-letter',
       'Prompts to add new item'
     );
   });
@@ -551,7 +569,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it throws an error if endpoint 500s', async function (assert) {
-    const models = ['server/error'];
+    const models = ['database/role'];
     this.set('models', models);
     this.set('onChange', sinon.spy());
     const promise = waitForError();
@@ -624,7 +642,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test(`it returns custom object if passObject=true and multiple objectKeys with objectKeys[0]='id'`, async function (assert) {
-    const models = ['some/model'];
+    const models = ['mfa-method'];
     const spy = sinon.spy();
     this.set('models', models);
     this.set('onChange', spy);
@@ -677,7 +695,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it returns custom object and renders name if passObject=true and multiple objectKeys', async function (assert) {
-    const models = ['some/model'];
+    const models = ['mfa-method'];
     const spy = sinon.spy();
     const objectKeys = ['uuid', 'name'];
     this.set('models', models);
@@ -783,7 +801,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it renders when passed multiple models, passObject=true and one model does not have the attr in objectKeys', async function (assert) {
-    const models = ['policy/acl', 'some/model'];
+    const models = ['policy/acl', 'mfa-method'];
     const spy = sinon.spy();
     const objectKeys = ['uuid'];
     this.set('models', models);
@@ -833,7 +851,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it renders when passed multiple models, passedObject=false and one model does not have the attr in objectKeys', async function (assert) {
-    const models = ['policy/acl', 'some/model'];
+    const models = ['policy/acl', 'mfa-method'];
     const spy = sinon.spy();
     const objectKeys = ['uuid'];
     this.set('models', models);
@@ -866,7 +884,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it renders a tooltip beside selection if does not match a record returned from query when passObject=false, passed objectKeys', async function (assert) {
-    const models = ['some/model'];
+    const models = ['mfa-method'];
     const spy = sinon.spy();
     const objectKeys = ['uuid'];
     const inputValue = ['a123', 'non-existent-model'];
@@ -897,7 +915,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it renders a tooltip beside selection if does not match a record returned from query when passObject=true, passed objectKeys', async function (assert) {
-    const models = ['some/model'];
+    const models = ['mfa-method'];
     const spy = sinon.spy();
     const objectKeys = ['uuid'];
     const inputValue = ['a123', 'non-existent-model'];
@@ -930,7 +948,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it renders a tooltip beside selection if does not match a record returned from query when passObject=true and idKey=id', async function (assert) {
-    const models = ['some/model'];
+    const models = ['mfa-method'];
     const spy = sinon.spy();
     const inputValue = ['model-a-id', 'non-existent-model'];
     this.set('models', models);
@@ -960,7 +978,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it renders a tooltip beside selection if does not match a record returned from query when passObject=false and idKey=id', async function (assert) {
-    const models = ['some/model'];
+    const models = ['mfa-method'];
     const spy = sinon.spy();
     const inputValue = ['model-a-id', 'non-existent-model', 'wildcard*'];
     this.set('models', models);
@@ -992,7 +1010,7 @@ module('Integration | Component | search select', function (hooks) {
   });
 
   test('it does not render a tooltip beside selection if not passed @renderTooltip', async function (assert) {
-    const models = ['some/model'];
+    const models = ['mfa-method'];
     const spy = sinon.spy();
     const inputValue = ['model-a-id', 'non-existent-model', 'wildcard*'];
     this.set('models', models);
diff --git a/ui/tests/integration/components/search-select-with-modal-test.js b/ui/tests/integration/components/search-select-with-modal-test.js
deleted file mode 100644
index 7572567bfe..0000000000
--- a/ui/tests/integration/components/search-select-with-modal-test.js
+++ /dev/null
@@ -1,357 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { create } from 'ember-cli-page-object';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { Response } from 'miragejs';
-import { clickTrigger, typeInSearch } from 'ember-power-select/test-support/helpers';
-import { render, fillIn, click, findAll, waitFor, settled } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-import ss from 'vault/tests/pages/components/search-select';
-import sinon from 'sinon';
-import { setRunOptions } from 'ember-a11y-testing/test-support';
-import { GENERAL } from 'vault/tests/helpers/general-selectors';
-import codemirror, { setCodeEditorValue } from 'vault/tests/helpers/codemirror';
-
-const component = create(ss);
-
-module('Integration | Component | search select with modal', function (hooks) {
-  setupRenderingTest(hooks);
-  setupMirage(hooks);
-  hooks.beforeEach(function () {
-    this.set('onChange', sinon.spy());
-    this.server.get('sys/policies/acl', () => {
-      return {
-        request_id: 'acl-policy-list',
-        data: {
-          keys: ['default', 'root', 'acl-test'],
-        },
-      };
-    });
-    this.server.get('sys/policies/rgp', () => {
-      return {
-        request_id: 'rgp-policy-list',
-        data: {
-          keys: ['rgp-test'],
-        },
-      };
-    });
-    this.server.get('/sys/policies/acl/acl-test', () => {
-      return {
-        request_id: 'policy-acl',
-        data: {
-          name: 'acl-test',
-          policy:
-            '\n# Grant \'create\', \'read\' , \'update\', and ‘list’ permission\n# to paths prefixed by \'secret/*\'\npath "secret/*" {\n  capabilities = [ "create", "read", "update", "list" ]\n}\n\n# Even though we allowed secret/*, this line explicitly denies\n# secret/super-secret. This takes precedence.\npath "secret/super-secret" {\n  capabilities = ["deny"]\n}\n',
-        },
-      };
-    });
-    this.server.get('/sys/policies/rgp/rgp-test', () => {
-      return {
-        request_id: 'policy-rgp',
-        data: {
-          name: 'rgp-test',
-          enforcement_level: 'hard-mandatory',
-          policy:
-            '\n# Import strings library that exposes common string operations\nimport "strings"\n\n# Conditional rule (precond) checks the incoming request endpoint\n# targeted to sys/policies/acl/admin\nprecond = rule {\n    strings.has_prefix(request.path, "sys/policies/admin")\n}\n\n# Vault checks to see if the request was made by an entity\n# named James Thomas or Team Lead role defined as its metadata\nmain = rule when precond {\n    identity.entity.metadata.role is "Team Lead" or\n      identity.entity.name is "James Thomas"\n}\n',
-        },
-      };
-    });
-    setRunOptions({
-      rules: {
-        // TODO: Fix this component
-        'color-contrast': { enabled: false },
-        label: { enabled: false },
-        'aria-input-field-name': { enabled: false },
-        'aria-required-attr': { enabled: false },
-        'aria-valid-attr-value': { enabled: false },
-      },
-    });
-  });
-
-  test('it renders passed in models', async function (assert) {
-    await render(hbs`
-    <SearchSelectWithModal
-      @id="policies"
-      @label="Policies"
-      @labelClass="title is-4"
-      @models={{array "policy/acl" "policy/rgp"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="string-list"
-      @modalFormTemplate="modal-form/policy-template"
-      @excludeOptions={{array "root"}}
-      @subText="Some modal subtext"
-    />
-      `);
-    assert.dom('[data-test-search-select-with-modal]').exists('the component renders');
-    assert.dom('[data-test-modal-subtext]').hasText('Some modal subtext', 'renders modal text');
-    assert.strictEqual(component.labelText, 'Policies', 'label text is correct');
-    assert.ok(component.hasTrigger, 'it renders the power select trigger');
-    assert.strictEqual(component.selectedOptions.length, 0, 'there are no selected options');
-
-    await clickTrigger();
-    const dropdownOptions = findAll('[data-option-index]').map((o) => o.innerText);
-    assert.notOk(dropdownOptions.includes('root'), 'root policy is not listed as option');
-    assert.strictEqual(component.options.length, 3, 'dropdown renders passed in models as options');
-    assert.ok(this.onChange.notCalled, 'onChange is not called');
-  });
-
-  test('it renders input value', async function (assert) {
-    this.policies = ['acl-test'];
-    await render(hbs`
-    <SearchSelectWithModal
-      @id="policies"
-      @label="Policies"
-      @labelClass="title is-4"
-      @models={{array "policy/acl" "policy/rgp"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="string-list"
-      @modalFormTemplate="modal-form/policy-template"
-      @subText="Some modal subtext"
-    />
-  `);
-    assert.strictEqual(component.selectedOptions.length, 1, 'there is one selected option');
-    assert.strictEqual(component.selectedOptions.objectAt(0).text, 'acl-test', 'renders inputted policies');
-
-    await clickTrigger();
-    assert.strictEqual(component.options.length, 3, 'does not render all options returned from query');
-    const dropdownOptions = findAll('[data-option-index]').map((o) => o.innerText);
-    assert.notOk(dropdownOptions.includes('acl-test'), 'selected option is not included in the dropdown');
-    assert.ok(this.onChange.notCalled, 'onChange is not called');
-  });
-
-  test('it filters options, shows option to create new item and opens modal on select', async function (assert) {
-    assert.expect(7);
-    await render(hbs`
-    <SearchSelectWithModal
-      @id="policies"
-      @label="Policies"
-      @labelClass="title is-4"
-      @models={{array "policy/acl" "policy/rgp"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="string-list"
-      @modalFormTemplate="modal-form/policy-template"
-    />
-      `);
-
-    await clickTrigger();
-    assert.strictEqual(component.options.length, 4, 'dropdown renders all options');
-
-    await typeInSearch('a');
-    assert.strictEqual(component.options.length, 3, 'dropdown renders all matching options plus add option');
-    await typeInSearch('acl-test');
-    assert.strictEqual(component.options[0].text, 'acl-test', 'dropdown renders only matching option');
-
-    await typeInSearch('acl-test-new');
-    assert.strictEqual(
-      component.options[0].text,
-      'No results found for "acl-test-new". Click here to create it.',
-      'dropdown gives option to create new option'
-    );
-    await component.selectOption();
-
-    assert.dom('#search-select-modal').exists('modal is active');
-    assert.dom(GENERAL.emptyStateTitle).hasText('No policy type selected');
-    assert.ok(this.onChange.notCalled, 'onChange is not called');
-  });
-
-  test('it renders policy template and selects policy type', async function (assert) {
-    assert.expect(9);
-    this.server.put('/sys/policies/acl/acl-test-new', async (schema, req) => {
-      const requestBody = JSON.parse(req.requestBody);
-      assert.propEqual(
-        requestBody,
-        {
-          name: 'acl-test-new',
-          policy: 'path "secret/super-secret" { capabilities = ["deny"] }',
-        },
-        'onSave sends request to endpoint with correct policy attributes'
-      );
-    });
-    await render(hbs`
-    <SearchSelectWithModal
-      @id="policies"
-      @label="Policies"
-      @labelClass="title is-4"
-      @models={{array "policy/acl" "policy/rgp"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="string-list"
-      @modalFormTemplate="modal-form/policy-template"
-    />
-      `);
-    await clickTrigger();
-    await typeInSearch('acl-test-new');
-    assert.strictEqual(
-      component.options[0].text,
-      'No results found for "acl-test-new". Click here to create it.',
-      'dropdown gives option to create new option'
-    );
-    await component.selectOption();
-    assert.dom(GENERAL.emptyStateTitle).hasText('No policy type selected');
-    await fillIn(GENERAL.selectByAttr('policyType'), 'acl');
-    assert.dom('[data-test-policy-form]').exists('policy form renders after type is selected');
-    await click('[data-test-tab-example-policy] button');
-    assert.dom('[data-test-tab-example-policy] button').hasAttribute('aria-selected', 'true');
-    await click('[data-test-tab-your-policy] button');
-    assert.dom('[data-test-tab-your-policy] button').hasAttribute('aria-selected', 'true');
-    await waitFor('.cm-editor');
-    const editor = codemirror();
-    setCodeEditorValue(editor, 'path "secret/super-secret" { capabilities = ["deny"] }');
-    await settled();
-    await click(GENERAL.submitButton);
-    assert.dom('[data-test-modal-div]').doesNotExist('modal closes after save');
-    assert
-      .dom(GENERAL.searchSelect.selectedOption(0))
-      .hasText('acl-test-new', 'adds newly created policy to selected options');
-    assert.ok(
-      this.onChange.calledWithExactly(['acl-test-new']),
-      'onChange is called only after item is created'
-    );
-  });
-
-  test('it still renders search select if only second model returns 403', async function (assert) {
-    assert.expect(4);
-    this.server.get('sys/policies/rgp', () => {
-      return new Response(
-        403,
-        { 'Content-Type': 'application/json' },
-        JSON.stringify({ errors: ['permission denied'] })
-      );
-    });
-
-    await render(hbs`
-    <SearchSelectWithModal
-      @id="policies"
-      @label="Policies"
-      @labelClass="title is-4"
-      @models={{array "policy/acl" "policy/rgp"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="string-list"
-      @modalFormTemplate="modal-form/policy-template"
-    />
-      `);
-
-    assert.dom('[data-test-search-select-with-modal]').exists('the component renders');
-    assert.dom('[data-test-component="string-list"]').doesNotExist('does not render fallback component');
-    await clickTrigger();
-    assert.strictEqual(component.options.length, 3, 'only options from successful query render');
-    assert.ok(this.onChange.notCalled, 'onChange is not called');
-  });
-
-  module('fallback component', function (hooks) {
-    hooks.beforeEach(function () {
-      this.server.get('sys/policies/acl', () => {
-        return new Response(
-          403,
-          { 'Content-Type': 'application/json' },
-          JSON.stringify({ errors: ['permission denied'] })
-        );
-      });
-      this.server.get('sys/policies/rgp', () => {
-        return new Response(
-          403,
-          { 'Content-Type': 'application/json' },
-          JSON.stringify({ errors: ['permission denied'] })
-        );
-      });
-      this.server.get('identity/oidc/key?list=true', () => {
-        return new Response(
-          403,
-          { 'Content-Type': 'application/json' },
-          JSON.stringify({ errors: ['permission denied'] })
-        );
-      });
-    });
-
-    test('it renders fallback component if both models return 403', async function (assert) {
-      assert.expect(7);
-
-      await render(hbs`
-    <SearchSelectWithModal
-      @id="policies"
-      @label="Policies"
-      @labelClass="title is-4"
-      @models={{array "policy/acl" "policy/rgp"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="string-list"
-      @modalFormTemplate="modal-form/policy-template"
-    />
-      `);
-      assert.dom('[data-test-component="string-list"]').exists('renders fallback component');
-      assert.false(component.hasTrigger, 'does not render power select trigger');
-      await fillIn('[data-test-string-list-input="0"]', 'string-list-policy');
-      await click('[data-test-string-list-button="add"]');
-      assert
-        .dom('[data-test-string-list-input="0"]')
-        .hasValue('string-list-policy', 'first row renders inputted string');
-      assert
-        .dom('[data-test-string-list-row="0"] [data-test-string-list-button="delete"]')
-        .exists('first row renders delete icon');
-      assert.dom('[data-test-string-list-row="1"]').exists('renders second input row');
-      assert
-        .dom('[data-test-string-list-row="1"] [data-test-string-list-button="add"]')
-        .exists('second row renders add icon');
-      assert.ok(
-        this.onChange.calledWithExactly(['string-list-policy']),
-        'onChange is called only after item is created'
-      );
-    });
-
-    test('it renders fallback placeholder text for fallback component', async function (assert) {
-      assert.expect(1);
-
-      await render(hbs`
-    <SearchSelectWithModal
-      @id="key"
-      @label="Keys"
-      @models={{array "oidc/key"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="input-search"
-      @modalFormTemplate="modal-form/oidc-key-template"
-      @selectLimit="1"
-      @placeholder="Search or type to create a key item"
-      @fallbackComponentPlaceholder="Input key name"
-    />
-      `);
-      assert
-        .dom(GENERAL.inputSearch('key'))
-        .hasAttribute('placeholder', 'Input key name', 'Fallback placeholder was passed to input search');
-    });
-
-    test('it renders placeholder text for fallback component', async function (assert) {
-      assert.expect(1);
-
-      await render(hbs`
-    <SearchSelectWithModal
-      @id="key"
-      @label="Keys"
-      @models={{array "oidc/key"}}
-      @inputValue={{this.policies}}
-      @onChange={{this.onChange}}
-      @fallbackComponent="input-search"
-      @modalFormTemplate="modal-form/oidc-key-template"
-      @selectLimit="1"
-      @placeholder="Search or type to create a key item"
-    />
-      `);
-      assert
-        .dom(GENERAL.inputSearch('key'))
-        .hasAttribute(
-          'placeholder',
-          'Search or type to create a key item',
-          'Placeholder was passed to input search'
-        );
-    });
-  });
-});
diff --git a/ui/tests/integration/components/secret-edit-test.js b/ui/tests/integration/components/secret-edit-test.js
index e790810f81..085b6f39b7 100644
--- a/ui/tests/integration/components/secret-edit-test.js
+++ b/ui/tests/integration/components/secret-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled, waitFor } from '@ember/test-helpers';
 import { resolve } from 'rsvp';
 import { run } from '@ember/runloop';
@@ -25,6 +25,12 @@ module('Integration | Component | secret edit', function (hooks) {
   hooks.beforeEach(function () {
     capabilities = null;
     this.set('key', { id: 'Foobar' });
+    this.root = {
+      label: 'kv',
+      text: 'kv',
+      path: 'vault.cluster.secrets.backend.list-root',
+      model: 'kv',
+    };
     run(() => {
       this.owner.unregister('service:store');
       this.owner.register('service:store', storeService);
@@ -41,7 +47,9 @@ module('Integration | Component | secret edit', function (hooks) {
       },
     });
 
-    await render(hbs`<SecretEdit @mode={{this.mode}} @model={{this.model}} @key={{this.key}} />`);
+    await render(
+      hbs`<SecretEdit @mode={{this.mode}} @root={{this.root}} @model={{this.model}} @key={{this.key}} />`
+    );
     assert.dom(GENERAL.toggleInput('json')).isDisabled();
   });
 
@@ -55,7 +63,9 @@ module('Integration | Component | secret edit', function (hooks) {
       },
     });
 
-    await render(hbs`<SecretEdit @mode={{this.mode}} @model={{this.model}} @key={{this.key}} />`);
+    await render(
+      hbs`<SecretEdit @mode={{this.mode}} @root={{this.root}} @model={{this.model}} @key={{this.key}} />`
+    );
     assert.dom(GENERAL.toggleInput('json')).isNotDisabled();
   });
 
@@ -66,7 +76,7 @@ module('Integration | Component | secret edit', function (hooks) {
     });
 
     await render(
-      hbs`<SecretEdit @mode={{this.mode}} @model={{this.model}} @preferAdvancedEdit={{true}} @key={{this.key}} />`
+      hbs`<SecretEdit @mode={{this.mode}} @root={{this.root}} @model={{this.model}} @preferAdvancedEdit={{true}} @key={{this.key}} />`
     );
 
     await waitFor('.cm-editor');
@@ -86,7 +96,9 @@ module('Integration | Component | secret edit', function (hooks) {
         float: '1.234',
       },
     });
-    await render(hbs`<SecretEdit @mode={{this.mode}} @model={{this.model}} @key={{this.key}} />`);
+    await render(
+      hbs`<SecretEdit @mode={{this.mode}} @root={{this.root}} @model={{this.model}} @key={{this.key}} />`
+    );
     assert.dom(GENERAL.submitButton).isNotDisabled();
   });
 
@@ -105,7 +117,7 @@ module('Integration | Component | secret edit', function (hooks) {
     });
 
     await render(
-      hbs`<SecretEdit @mode={{this.mode}} @model={{this.model}} @preferAdvancedEdit={{true}} @key={{this.key}} />`
+      hbs`<SecretEdit @mode={{this.mode}} @root={{this.root}} @model={{this.model}} @preferAdvancedEdit={{true}} @key={{this.key}} />`
     );
 
     await waitFor('.cm-editor');
diff --git a/ui/tests/integration/components/secret-engines/catalog-test.js b/ui/tests/integration/components/secret-engines/catalog-test.js
index 9d79ac538a..06f6e0c52f 100644
--- a/ui/tests/integration/components/secret-engines/catalog-test.js
+++ b/ui/tests/integration/components/secret-engines/catalog-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { filterEnginesByMountCategory } from 'vault/utils/all-engines-metadata';
@@ -33,10 +33,10 @@ module('Integration | Component | secret-engines/catalog', function (hooks) {
     assert.expect(1 + expectedEngines.length);
 
     await render(
-      hbs`<SecretEngines::Catalog 
-        @setMountType={{this.setMountType}} 
-        @pluginCatalogData={{this.pluginCatalogData}} 
-        @pluginCatalogError={{this.pluginCatalogError}} 
+      hbs`<SecretEngines::Catalog
+        @setMountType={{this.setMountType}}
+        @pluginCatalogData={{this.pluginCatalogData}}
+        @pluginCatalogError={{this.pluginCatalogError}}
       />`
     );
 
@@ -49,10 +49,10 @@ module('Integration | Component | secret-engines/catalog', function (hooks) {
 
   test('it calls setMountType when engine is selected', async function (assert) {
     await render(
-      hbs`<SecretEngines::Catalog 
-        @setMountType={{this.setMountType}} 
-        @pluginCatalogData={{this.pluginCatalogData}} 
-        @pluginCatalogError={{this.pluginCatalogError}} 
+      hbs`<SecretEngines::Catalog
+        @setMountType={{this.setMountType}}
+        @pluginCatalogData={{this.pluginCatalogData}}
+        @pluginCatalogError={{this.pluginCatalogError}}
       />`
     );
 
@@ -66,10 +66,10 @@ module('Integration | Component | secret-engines/catalog', function (hooks) {
     this.pluginCatalogError = true;
 
     await render(
-      hbs`<SecretEngines::Catalog 
-        @setMountType={{this.setMountType}} 
-        @pluginCatalogData={{this.pluginCatalogData}} 
-        @pluginCatalogError={{this.pluginCatalogError}} 
+      hbs`<SecretEngines::Catalog
+        @setMountType={{this.setMountType}}
+        @pluginCatalogData={{this.pluginCatalogData}}
+        @pluginCatalogError={{this.pluginCatalogError}}
       />`
     );
 
@@ -100,10 +100,10 @@ module('Integration | Component | secret-engines/catalog', function (hooks) {
     };
 
     await render(
-      hbs`<SecretEngines::Catalog 
-        @setMountType={{this.setMountType}} 
-        @pluginCatalogData={{this.pluginCatalogData}} 
-        @pluginCatalogError={{this.pluginCatalogError}} 
+      hbs`<SecretEngines::Catalog
+        @setMountType={{this.setMountType}}
+        @pluginCatalogData={{this.pluginCatalogData}}
+        @pluginCatalogError={{this.pluginCatalogError}}
       />`
     );
 
diff --git a/ui/tests/integration/components/secret-list-header-test.js b/ui/tests/integration/components/secret-list-header-test.js
index f031a75265..2888c3e3d5 100644
--- a/ui/tests/integration/components/secret-list-header-test.js
+++ b/ui/tests/integration/components/secret-list-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { getContext, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { supportedSecretBackends } from 'vault/helpers/supported-secret-backends';
diff --git a/ui/tests/integration/components/select-test.js b/ui/tests/integration/components/select-test.js
index db3aaf0e73..7968b79844 100644
--- a/ui/tests/integration/components/select-test.js
+++ b/ui/tests/integration/components/select-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/selectable-card-test.js b/ui/tests/integration/components/selectable-card-test.js
index 9afb78fa26..0a691a6851 100644
--- a/ui/tests/integration/components/selectable-card-test.js
+++ b/ui/tests/integration/components/selectable-card-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/shamir/dr-token-flow-test.js b/ui/tests/integration/components/shamir/dr-token-flow-test.js
index ecc198677d..14dedf171d 100644
--- a/ui/tests/integration/components/shamir/dr-token-flow-test.js
+++ b/ui/tests/integration/components/shamir/dr-token-flow-test.js
@@ -11,6 +11,7 @@ import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { overrideResponse } from 'vault/tests/helpers/stubs';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { SHAMIR_FORM } from 'vault/tests/helpers/components/shamir-selectors';
 
 module('Integration | Component | shamir/dr-token-flow', function (hooks) {
   setupRenderingTest(hooks);
@@ -19,13 +20,11 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
   test('begin to middle flow works', async function (assert) {
     assert.expect(15);
     this.server.get('/sys/replication/dr/secondary/generate-operation-token/attempt', function () {
-      assert.ok('Check endpoint is queried on init');
+      assert.ok('Check endpoint is queried');
       return {};
     });
-    this.server.post('/sys/replication/dr/secondary/generate-operation-token/attempt', function (_, req) {
-      const requestBody = JSON.parse(req.requestBody);
+    this.server.post('/sys/replication/dr/secondary/generate-operation-token/attempt', function () {
       assert.ok('Starts the token generation');
-      assert.deepEqual(requestBody, { attempt: true });
       return {
         started: true,
         nonce: 'nonce-1234',
@@ -52,40 +51,49 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
         complete: false,
       };
     });
+
     await render(hbs`<Shamir::DrTokenFlow @action="generate-dr-operation-token" />`);
-    assert.dom('[data-test-dr-token-flow-step="begin"]').exists('First step shows');
-    assert.dom('[data-test-use-pgp-key-cta]').hasText('Provide PGP Key');
-    assert.dom('[data-test-generate-token-cta]').hasText('Generate operation token');
-
-    await click('[data-test-generate-token-cta]');
+    assert.dom(SHAMIR_FORM.flowStep('begin')).exists('First step shows');
+    assert.dom(GENERAL.button('use-pgp-key-cta')).hasText('Provide PGP Key');
+    assert.dom(GENERAL.button('generate-token-cta')).hasText('Generate operation token');
 
+    await click(GENERAL.button('generate-token-cta'));
     assert.ok(
-      await waitUntil(() => find('[data-test-dr-token-flow-step="shamir"]')),
-      'shows shamir step after start'
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('primary-token'))),
+      'shows primary token step after start'
+    );
+
+    await fillIn(GENERAL.inputByAttr('primary-token'), 'some-token');
+    await click('[data-test-submit-primary-token]');
+    assert.ok(
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('shamir'))),
+      'shows shamir step after primary token input'
     );
     assert
-      .dom('.shamir-progress')
+      .dom(SHAMIR_FORM.progress)
       .hasText('0/3 keys provided', 'progress shows reflecting checkStatus response with defaults');
-    assert.dom('[data-test-otp-info]').exists('OTP info banner shows');
-    assert.dom('[data-test-otp]').hasText('otp-9876', 'Shows OTP in copy banner');
+    assert.dom(SHAMIR_FORM.otpInfo).exists('OTP info banner shows');
+    assert.dom(SHAMIR_FORM.otpCode).hasText('otp-9876', 'Shows OTP in copy banner');
     // Fill in shamir key and submit
-    await fillIn('[data-test-shamir-key-input]', 'some-key');
-    await click('[data-test-shamir-submit]');
+    await fillIn(GENERAL.inputByAttr('shamir-key'), 'some-key');
+    await click(GENERAL.submitButton);
 
     assert.ok(
-      await waitUntil(() => find('[data-test-otp-info]')),
+      await waitUntil(() => find(SHAMIR_FORM.otpInfo)),
       'OTP info still banner shows even when attempt response does not include it'
     );
     assert
-      .dom('[data-test-otp]')
+      .dom(SHAMIR_FORM.otpCode)
       .hasText('otp-9876', 'Still shows OTP in copy banner when attempt response does not include it');
-    assert.dom('.shamir-progress').hasText('1/3 keys provided', 'progress shows reflecting attempt response');
+    assert
+      .dom(SHAMIR_FORM.progress)
+      .hasText('1/3 keys provided', 'progress shows reflecting attempt response');
   });
 
   test('middle to finish flow works', async function (assert) {
-    assert.expect(9);
+    assert.expect(10);
     this.server.get('/sys/replication/dr/secondary/generate-operation-token/attempt', function () {
-      assert.ok('Check endpoint is queried on init');
+      assert.ok('Check endpoint is queried');
       return {
         started: true,
         nonce: 'nonce-1234',
@@ -116,30 +124,37 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
       };
     });
     await render(hbs`<Shamir::DrTokenFlow @action="generate-dr-operation-token" />`);
-
+    await click(GENERAL.button('generate-token-cta'));
     assert.ok(
-      await waitUntil(() => find('[data-test-dr-token-flow-step="shamir"]')),
-      'shows shamir step after start'
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('primary-token'))),
+      'shows primary token step after start'
+    );
+
+    await fillIn(GENERAL.inputByAttr('primary-token'), 'some-token');
+    await click('[data-test-submit-primary-token]');
+    assert.ok(
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('shamir'))),
+      'shows shamir step after primary token input'
     );
     assert
-      .dom('.shamir-progress')
+      .dom(SHAMIR_FORM.progress)
       .hasText('2/3 keys provided', 'progress shows reflecting checkStatus response');
-    assert.dom('[data-test-otp-info]').doesNotExist('OTP info banner not shown');
-    assert.dom('[data-test-otp]').doesNotExist('otp-9876', 'OTP copy banner not shown');
-    await fillIn('[data-test-shamir-key-input]', 'some-key');
-    await click('[data-test-shamir-submit]');
+    assert.dom(SHAMIR_FORM.otpInfo).doesNotExist('OTP info banner not shown');
+    assert.dom(SHAMIR_FORM.otpCode).doesNotExist('otp-9876', 'OTP copy banner not shown');
+    await fillIn(GENERAL.inputByAttr('shamir-key'), 'some-key');
+    await click(GENERAL.submitButton);
 
     assert.ok(
-      await waitUntil(() => find('[data-test-dr-token-flow-step="show-token"]')),
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('show-token'))),
       'updates to show encoded token on complete'
     );
     assert
-      .dom('[data-test-shamir-encoded-token]')
+      .dom(GENERAL.copySnippet('shamir-encoded-token'))
       .hasText('encoded-token-here', 'shows encoded token from /update response');
   });
 
   test('it works correctly when pgp key chosen', async function (assert) {
-    assert.expect(3);
+    assert.expect(4);
     this.server.get('/sys/replication/dr/secondary/generate-operation-token/attempt', function () {
       return {};
     });
@@ -157,20 +172,29 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
       }
     );
     await render(hbs`<Shamir::DrTokenFlow @action="generate-dr-operation-token" />`);
-    await click('[data-test-use-pgp-key-cta]');
-    assert.dom('[data-test-choose-pgp-key-form="begin"]').exists('PGP form shows');
+    await click(GENERAL.button('use-pgp-key-cta'));
+
+    assert.ok(await waitUntil(() => find(SHAMIR_FORM.flowStep('choose-pgp-key'))), 'PGP form shows');
     await click(GENERAL.textToggle);
-    await fillIn('[data-test-pgp-file-textarea]', 'some-key-here');
-    await click('[data-test-use-pgp-key-button]');
-    await click('[data-test-confirm-pgp-key-submit]');
+    await fillIn(GENERAL.textareaByAttr('pgp-key'), 'some-key-here');
+    await click(GENERAL.button('use-pgp-key'));
+    await click(GENERAL.submitButton);
+
     assert.ok(
-      await waitUntil(() => find('[data-test-dr-token-flow-step="shamir"]')),
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('primary-token'))),
+      'shows primary token input after start'
+    );
+    await fillIn(GENERAL.inputByAttr('primary-token'), 'some-token');
+    await click('[data-test-submit-primary-token]');
+
+    assert.ok(
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('shamir'))),
       'Renders shamir step after PGP key chosen'
     );
   });
 
   test('it shows error with pgp key', async function (assert) {
-    assert.expect(2);
+    assert.expect(3);
     this.server.get('/sys/replication/dr/secondary/generate-operation-token/attempt', function () {
       return {};
     });
@@ -178,12 +202,21 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
       overrideResponse(400, { errors: ['error parsing PGP key'] })
     );
     await render(hbs`<Shamir::DrTokenFlow @action="generate-dr-operation-token" />`);
-    await click('[data-test-use-pgp-key-cta]');
-    assert.dom('[data-test-choose-pgp-key-form="begin"]').exists('PGP form shows');
+    await click(GENERAL.button('use-pgp-key-cta'));
+
+    assert.ok(await waitUntil(() => find(SHAMIR_FORM.flowStep('choose-pgp-key'))), 'PGP form shows');
     await click(GENERAL.textToggle);
-    await fillIn('[data-test-pgp-file-textarea]', 'some-key-here');
-    await click('[data-test-use-pgp-key-button]');
-    await click('[data-test-confirm-pgp-key-submit]');
+    await fillIn(GENERAL.textareaByAttr('pgp-key'), 'some-key-here');
+    await click(GENERAL.button('use-pgp-key'));
+    await click(GENERAL.submitButton);
+
+    assert.ok(
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('primary-token'))),
+      'shows primary token input after start'
+    );
+    await fillIn(GENERAL.inputByAttr('primary-token'), 'some-token');
+    await click('[data-test-submit-primary-token]');
+
     await waitFor(GENERAL.messageError);
     assert.dom(GENERAL.messageError).hasText('Error error parsing PGP key');
   });
@@ -199,12 +232,12 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
       assert.notOk('delete endpoint should not be queried');
       return {};
     });
+
     await render(
       hbs`<Shamir::DrTokenFlow @action="generate-dr-operation-token" @onCancel={{this.onCancel}} />`
     );
-
-    assert.dom('[data-test-shamir-modal-cancel-button]').hasText('Cancel', 'Close button has correct copy');
-    await click('[data-test-shamir-modal-cancel-button]');
+    assert.dom(GENERAL.cancelButton).hasText('Cancel', 'Close button has correct copy');
+    await click(GENERAL.cancelButton);
     assert.ok(cancelSpy.calledOnce, 'cancel spy called on click');
   });
 
@@ -229,16 +262,24 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
     await render(
       hbs`<Shamir::DrTokenFlow @action="generate-dr-operation-token" @onCancel={{this.onCancel}} />`
     );
-    assert.dom('[data-test-shamir-modal-cancel-button]').hasText('Cancel', 'Close button has correct copy');
-    assert.ok(await waitUntil(() => find('[data-test-shamir-key-input]')), 'shows shamir key input');
-
-    await click('[data-test-shamir-modal-cancel-button]');
 
+    await click(GENERAL.button('generate-token-cta'));
     assert.ok(
-      await waitUntil(() => find('[data-test-generate-token-cta]')),
+      await waitUntil(() => find(SHAMIR_FORM.flowStep('primary-token'))),
+      'shows primary token step after start'
+    );
+
+    await fillIn(GENERAL.inputByAttr('primary-token'), 'some-token');
+    await click('[data-test-submit-primary-token]');
+
+    assert.dom(GENERAL.cancelButton).hasText('Cancel', 'Close button has correct copy');
+    assert.ok(await waitUntil(() => find(GENERAL.inputByAttr('shamir-key'))), 'shows shamir key input');
+
+    await click(GENERAL.cancelButton);
+    assert.ok(
+      await waitUntil(() => find(GENERAL.button('generate-token-cta'))),
       'shows generate token button again'
     );
-    assert.dom('[data-test-shamir-key-input]').doesNotExist('Does not render input for shamir key');
   });
 
   test('it closes correctly when generation is completed', async function (assert) {
@@ -262,9 +303,13 @@ module('Integration | Component | shamir/dr-token-flow', function (hooks) {
       hbs`<Shamir::DrTokenFlow @action="generate-dr-operation-token" @onCancel={{this.onCancel}} />`
     );
 
-    await waitUntil(() => find('[data-test-dr-token-flow-step="show-token"]'));
-    assert.dom('[data-test-shamir-modal-cancel-button]').hasText('Close', 'Close button has correct copy');
-    await click('[data-test-shamir-modal-cancel-button]');
+    await click(GENERAL.button('generate-token-cta'));
+    await fillIn(GENERAL.inputByAttr('primary-token'), 'some-token');
+    await click('[data-test-submit-primary-token]');
+
+    await waitUntil(() => find(SHAMIR_FORM.flowStep('show-token')));
+    assert.dom(GENERAL.cancelButton).hasText('Close', 'Close button has correct copy');
+    await click(GENERAL.cancelButton);
     assert.ok(cancelSpy.calledOnce, 'cancel spy called on click');
   });
 });
diff --git a/ui/tests/integration/components/shamir/flow-test.js b/ui/tests/integration/components/shamir/flow-test.js
index 80ce10ab86..b8573720b4 100644
--- a/ui/tests/integration/components/shamir/flow-test.js
+++ b/ui/tests/integration/components/shamir/flow-test.js
@@ -8,107 +8,83 @@ import { module, test } from 'qunit';
 import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, render, settled } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
-import Service from '@ember/service';
-import { run } from '@ember/runloop';
-import { reject, resolve } from 'rsvp';
-import { SHAMIR_FORM } from 'vault/tests/helpers/components/shamir-selectors';
-
-const licenseError = { httpStatus: 500, errors: ['failed because licensing is in an invalid state'] };
-const response = {
-  progress: 1,
-  required: 3,
-  complete: false,
-};
-
-const adapter = {
-  foo() {
-    return resolve(response);
-  },
-  responseWithErrors() {
-    return reject({ httpStatus: 400, errors: ['something is wrong', 'seriously wrong'] });
-  },
-  responseWithLicense() {
-    return reject(licenseError);
-  },
-};
-
-const storeStub = Service.extend({
-  adapterFor() {
-    return adapter;
-  },
-});
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { Response } from 'miragejs';
 
 // Checks that the correct data were passed around happens in the integration test
 // this one is checking that things happen at the right time
 module('Integration | Component | shamir/flow', function (hooks) {
   setupRenderingTest(hooks);
+  setupMirage(hooks);
 
   hooks.beforeEach(function () {
+    this.server.put('/sys/unseal', () => ({
+      sealed: false,
+      t: this.threshold,
+      n: this.threshold,
+      progress: 1,
+    }));
+
     this.keyPart = 'some-key-partition';
-    run(() => {
-      this.owner.unregister('service:store');
-      this.owner.register('service:store', storeStub);
-      this.storeService = this.owner.lookup('service:store');
-    });
+    this.progress = 0;
+    this.threshold = 3;
+    this.updateProgress = sinon.spy();
+    this.checkComplete = sinon.stub().returns(false);
+    this.onSuccess = sinon.spy();
+
+    this.renderComponent = () =>
+      render(hbs`
+        <Shamir::Flow
+          @action="unseal"
+          @threshold={{this.threshold}}
+          @progress={{this.progress}}
+          @updateProgress={{this.updateProgress}}
+          @checkComplete={{this.checkComplete}}
+          @onShamirSuccess={{this.onSuccess}}
+        />`);
   });
 
   test('it sends data to the passed action and calls updateProgress', async function (assert) {
-    const updateSpy = sinon.spy();
-    const completeSpy = sinon.spy();
-    this.set('updateProgress', updateSpy);
-    this.set('checkComplete', () => false);
-    this.set('onSuccess', completeSpy);
-    this.set('progress', 0);
+    await this.renderComponent();
 
-    await render(hbs`
-      <Shamir::Flow
-        @action="foo"
-        @threshold={{3}}
-        @progress={{this.progress}}
-        @updateProgress={{this.updateProgress}}
-        @checkComplete={{this.checkComplete}}
-        @onShamirSuccess={{this.onSuccess}}
-      />`);
+    await fillIn(GENERAL.inputByAttr('shamir-key'), this.keyPart);
+    await click(GENERAL.submitButton);
 
-    await fillIn(SHAMIR_FORM.input, this.keyPart);
-    await click(SHAMIR_FORM.submitButton);
-
-    assert.ok(completeSpy.notCalled, 'onShamirSuccess was not called');
-    assert.ok(updateSpy.calledOnce, 'updateProgress was called');
+    assert.true(this.onSuccess.notCalled, 'onShamirSuccess was not called');
+    assert.true(this.updateProgress.calledOnce, 'updateProgress was called');
     // Default shamir flow expects the updated values to be passed
     // in from parent model, so this approximates the update happening
     // from a side effect of the updateProgress call
     this.set('progress', 2);
     // Pretend the next call will mean completion
-    this.set('checkComplete', () => true);
+    this.checkComplete.returns(true);
     await settled();
 
-    await fillIn(SHAMIR_FORM.input, this.keyPart);
-    await click(SHAMIR_FORM.submitButton);
+    await fillIn(GENERAL.inputByAttr('shamir-key'), this.keyPart);
+    await click(GENERAL.submitButton);
 
-    assert.ok(completeSpy.calledOnce, 'onShamirSuccess was called');
-    assert.ok(updateSpy.calledTwice, 'updateProgress was called again');
+    assert.true(this.onSuccess.calledOnce, 'onShamirSuccess was called');
+    assert.true(this.updateProgress.calledTwice, 'updateProgress was called again');
   });
 
-  test('it shows the error when adapter fails with 400 httpStatus', async function (assert) {
+  test('it shows the error when request fails with 400 status', async function (assert) {
     assert.expect(3);
-    const updateSpy = sinon.spy();
-    const completeSpy = sinon.spy();
-    this.set('updateProgress', updateSpy);
-    this.set('checkComplete', completeSpy);
-    await render(hbs`
-      <Shamir::Flow
-        @action="response-with-errors"
-        @threshold={{3}}
-        @progress={{2}}
-        @updateProgress={{this.updateProgress}}
-        @checkComplete={{this.checkComplete}}
-      />`);
 
-    await fillIn(SHAMIR_FORM.input, this.keyPart);
-    await click(SHAMIR_FORM.submitButton);
-    assert.dom(SHAMIR_FORM.error).exists({ count: 2 }, 'renders errors');
-    assert.ok(completeSpy.notCalled, 'checkComplete was not called');
-    assert.ok(updateSpy.notCalled, 'updateProgress was not called');
+    this.progress = 2;
+    this.server.put('/sys/unseal', () => {
+      return new Response(
+        400,
+        { 'Content-Type': 'application/json' },
+        JSON.stringify({ errors: ['something is wrong', 'seriously wrong'] })
+      );
+    });
+
+    await this.renderComponent();
+    await fillIn(GENERAL.inputByAttr('shamir-key'), this.keyPart);
+    await click(GENERAL.submitButton);
+    assert.dom(GENERAL.messageError).exists({ count: 2 }, 'renders errors');
+    assert.true(this.checkComplete.notCalled, 'checkComplete was not called');
+    assert.true(this.updateProgress.notCalled, 'updateProgress was not called');
   });
 });
diff --git a/ui/tests/integration/components/shamir/form-test.js b/ui/tests/integration/components/shamir/form-test.js
index fd6b1e7652..f145a11021 100644
--- a/ui/tests/integration/components/shamir/form-test.js
+++ b/ui/tests/integration/components/shamir/form-test.js
@@ -9,6 +9,7 @@ import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, render, settled, typeIn } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { SHAMIR_FORM } from 'vault/tests/helpers/components/shamir-selectors';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 module('Integration | Component | shamir/form', function (hooks) {
   setupRenderingTest(hooks);
@@ -21,19 +22,19 @@ module('Integration | Component | shamir/form', function (hooks) {
     await render(hbs`
       <Shamir::Form @onSubmit={{this.submitSpy}} @progress={{0}} @threshold={{3}} />
     `);
-    assert.dom(SHAMIR_FORM.submitButton).hasText('Submit', 'Submit button has default text');
-    await click(SHAMIR_FORM.submitButton);
+    assert.dom(GENERAL.submitButton).hasText('Submit', 'Submit button has default text');
+    await click(GENERAL.submitButton);
     assert.dom(SHAMIR_FORM.progress).doesNotExist('Hides progress bar if none made');
     assert.ok(this.submitSpy.notCalled, 'onSubmit was not called');
-    await typeIn(SHAMIR_FORM.input, 'this-is-the-key');
-    assert.dom(SHAMIR_FORM.input).hasValue('this-is-the-key', 'input value set');
+    await typeIn(GENERAL.inputByAttr('shamir-key'), 'this-is-the-key');
+    assert.dom(GENERAL.inputByAttr('shamir-key')).hasValue('this-is-the-key', 'input value set');
     assert.dom(SHAMIR_FORM.inputLabel).hasText('Shamir key portion', 'label has default text');
-    await click(SHAMIR_FORM.submitButton);
+    await click(GENERAL.submitButton);
     assert.ok(
       this.submitSpy.calledOnceWith({ key: 'this-is-the-key' }),
       'onSubmit called with correct params'
     );
-    assert.dom(SHAMIR_FORM.input).hasValue('', 'key value reset after submit');
+    assert.dom(GENERAL.inputByAttr('shamir-key')).hasValue('', 'key value reset after submit');
 
     await render(hbs`
     <Shamir::Form @onSubmit={{this.submitSpy}} @progress={{0}} @threshold={{3}} @alwaysShowProgress={{true}} @buttonText="Do the thing" @inputLabel="Unseal key">
@@ -42,7 +43,7 @@ module('Integration | Component | shamir/form', function (hooks) {
     `);
 
     assert.dom('[data-test-block-content]').hasText('Hello', 'renders block content');
-    assert.dom(SHAMIR_FORM.submitButton).hasText('Do the thing', 'uses passed button text');
+    assert.dom(GENERAL.submitButton).hasText('Do the thing', 'uses passed button text');
     assert.dom(SHAMIR_FORM.inputLabel).hasText('Unseal key', 'uses passed inputLabel');
     assert.dom(SHAMIR_FORM.otpInfo).doesNotExist('no OTP info shown');
     assert
@@ -77,10 +78,10 @@ module('Integration | Component | shamir/form', function (hooks) {
         @errors={{this.errors}}
       />
     `);
-    assert.dom(SHAMIR_FORM.error).exists({ count: 2 }, 'renders errors');
+    assert.dom(GENERAL.messageError).exists({ count: 2 }, 'renders errors');
 
     this.set('errors', []);
     await settled();
-    assert.dom(SHAMIR_FORM.error).doesNotExist('errors cleared');
+    assert.dom(GENERAL.messageError).doesNotExist('errors cleared');
   });
 });
diff --git a/ui/tests/integration/components/sidebar/frame-test.js b/ui/tests/integration/components/sidebar/frame-test.js
index c780e22358..03ceb33b64 100644
--- a/ui/tests/integration/components/sidebar/frame-test.js
+++ b/ui/tests/integration/components/sidebar/frame-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/sidebar/nav/access-test.js b/ui/tests/integration/components/sidebar/nav/access-test.js
index c1cdd9da40..82d58ebd88 100644
--- a/ui/tests/integration/components/sidebar/nav/access-test.js
+++ b/ui/tests/integration/components/sidebar/nav/access-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
diff --git a/ui/tests/integration/components/sidebar/nav/cluster-test.js b/ui/tests/integration/components/sidebar/nav/cluster-test.js
index f43224bb70..7b69cd65d9 100644
--- a/ui/tests/integration/components/sidebar/nav/cluster-test.js
+++ b/ui/tests/integration/components/sidebar/nav/cluster-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
@@ -118,6 +118,31 @@ module('Integration | Component | sidebar-nav-cluster', function (hooks) {
     });
   });
 
+  test('it should hide Monitoring heading if nav permissions is false', async function (assert) {
+    stubFeaturesAndPermissions(this.owner, true, false);
+    this.owner.lookup('service:permissions').hasNavPermission.returns(false);
+
+    await renderComponent();
+
+    assert
+      .dom(GENERAL.navHeading('Monitoring'))
+      .doesNotExist(
+        'Monitoring heading is hidden when raft status, client count, and billing dashboard conditions are false.'
+      );
+  });
+
+  test('it should show Monitoring heading when consumption billing is true', async function (assert) {
+    stubFeaturesAndPermissions(this.owner, true, false, ['Consumption Billing']);
+    const namespace = this.owner.lookup('service:namespace');
+    namespace.setNamespace('root');
+
+    await renderComponent();
+
+    assert
+      .dom(GENERAL.navHeading('Monitoring'))
+      .exists('Monitoring heading is visible when billing dashboard condition is true.');
+  });
+
   test('it should hide client counts link in chroot namespace', async function (assert) {
     this.owner.lookup('service:permissions').setPaths({
       data: {
@@ -148,6 +173,40 @@ module('Integration | Component | sidebar-nav-cluster', function (hooks) {
     assert.dom(GENERAL.navHeading('Client Counts')).doesNotExist('Client count link is hidden.');
   });
 
+  test('it should show billing metrics link when in root namespace and Consumption Billing feature is enabled', async function (assert) {
+    stubFeaturesAndPermissions(this.owner, true, false, ['Consumption Billing']);
+    const namespace = this.owner.lookup('service:namespace');
+    namespace.setNamespace('root');
+    await renderComponent();
+    assert.dom(GENERAL.navLink('Billing metrics')).exists('Billing metrics link is visible.');
+  });
+
+  test('it should show billing metrics link when in HVD admin namespace and Consumption Billing feature is enabled', async function (assert) {
+    stubFeaturesAndPermissions(this.owner, true, false, ['Consumption Billing']);
+    this.flags.featureFlags = ['VAULT_CLOUD_ADMIN_NAMESPACE'];
+    const namespace = this.owner.lookup('service:namespace');
+    namespace.setNamespace('admin');
+    await renderComponent();
+    assert.dom(GENERAL.navLink('Billing metrics')).exists('Billing metrics link is visible.');
+  });
+
+  test('it should not show billing metrics link when in HVD admin namespace and Consumption Billing feature is enabled', async function (assert) {
+    stubFeaturesAndPermissions(this.owner, true, false, ['Consumption Billing']);
+    this.flags.featureFlags = ['VAULT_CLOUD_ADMIN_NAMESPACE'];
+    const namespace = this.owner.lookup('service:namespace');
+    namespace.setNamespace('admin');
+    await renderComponent();
+    assert.dom(GENERAL.navLink('Billing metrics')).exists('Billing metrics link is visible.');
+  });
+
+  test('it should hide billing metrics link when in namespace other than root or admin when Consumption Billing feature and does not have permission', async function (assert) {
+    stubFeaturesAndPermissions(this.owner, true, false, ['Consumption Billing'], false);
+    const namespace = this.owner.lookup('service:namespace');
+    namespace.setNamespace('namespace-1');
+    await renderComponent();
+    assert.dom(GENERAL.navLink('Billing metrics')).doesNotExist('Billing metrics link is hidden.');
+  });
+
   test('it does NOT show Secrets Recovery when user is in HVD admin namespace', async function (assert) {
     this.flags.featureFlags = ['VAULT_CLOUD_ADMIN_NAMESPACE'];
 
diff --git a/ui/tests/integration/components/sidebar/nav/reporting-test.js b/ui/tests/integration/components/sidebar/nav/reporting-test.js
index f61a2131b8..228b243f87 100644
--- a/ui/tests/integration/components/sidebar/nav/reporting-test.js
+++ b/ui/tests/integration/components/sidebar/nav/reporting-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
diff --git a/ui/tests/integration/components/sidebar/nav/resilience-and-recovery-test.js b/ui/tests/integration/components/sidebar/nav/resilience-and-recovery-test.js
index 9e0b4840d2..f4ca5e52f3 100644
--- a/ui/tests/integration/components/sidebar/nav/resilience-and-recovery-test.js
+++ b/ui/tests/integration/components/sidebar/nav/resilience-and-recovery-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
diff --git a/ui/tests/integration/components/sidebar/nav/secrets-test.js b/ui/tests/integration/components/sidebar/nav/secrets-test.js
index d1fdabc08d..f1b346d19f 100644
--- a/ui/tests/integration/components/sidebar/nav/secrets-test.js
+++ b/ui/tests/integration/components/sidebar/nav/secrets-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
diff --git a/ui/tests/integration/components/sidebar/nav/tools-test.js b/ui/tests/integration/components/sidebar/nav/tools-test.js
index 7b11a3f156..01bb060610 100644
--- a/ui/tests/integration/components/sidebar/nav/tools-test.js
+++ b/ui/tests/integration/components/sidebar/nav/tools-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { stubFeaturesAndPermissions } from 'vault/tests/helpers/components/sidebar-nav';
diff --git a/ui/tests/integration/components/sidebar/user-menu-test.js b/ui/tests/integration/components/sidebar/user-menu-test.js
index e7f62257f1..c06eb4f4fa 100644
--- a/ui/tests/integration/components/sidebar/user-menu-test.js
+++ b/ui/tests/integration/components/sidebar/user-menu-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/splash-page-test.js b/ui/tests/integration/components/splash-page-test.js
index 916f60d06d..e0ea1ca449 100644
--- a/ui/tests/integration/components/splash-page-test.js
+++ b/ui/tests/integration/components/splash-page-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/components/stat-text-test.js b/ui/tests/integration/components/stat-text-test.js
index a3f0a6035b..9a8efe76d3 100644
--- a/ui/tests/integration/components/stat-text-test.js
+++ b/ui/tests/integration/components/stat-text-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/components/string-list-test.js b/ui/tests/integration/components/string-list-test.js
index 2abd7a31bb..46cd5e2e4e 100644
--- a/ui/tests/integration/components/string-list-test.js
+++ b/ui/tests/integration/components/string-list-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn, triggerKeyEvent } from '@ember/test-helpers';
 import sinon from 'sinon';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/sync-status-badge-test.js b/ui/tests/integration/components/sync-status-badge-test.js
index c11bc05a5a..0114a7c9a8 100644
--- a/ui/tests/integration/components/sync-status-badge-test.js
+++ b/ui/tests/integration/components/sync-status-badge-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { render } from '@ember/test-helpers';
 import { PAGE } from 'vault/tests/helpers/sync/sync-selectors';
diff --git a/ui/tests/integration/components/sync/secrets/destination-header-test.js b/ui/tests/integration/components/sync/secrets/destination-header-test.js
index 278ef35de6..9d3519cad6 100644
--- a/ui/tests/integration/components/sync/secrets/destination-header-test.js
+++ b/ui/tests/integration/components/sync/secrets/destination-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { setupDataStubs } from 'vault/tests/helpers/sync/setup-hooks';
diff --git a/ui/tests/integration/components/sync/secrets/landing-cta-test.js b/ui/tests/integration/components/sync/secrets/landing-cta-test.js
index 411a96787f..c5dbc42252 100644
--- a/ui/tests/integration/components/sync/secrets/landing-cta-test.js
+++ b/ui/tests/integration/components/sync/secrets/landing-cta-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import hbs from 'htmlbars-inline-precompile';
@@ -23,31 +23,11 @@ module('Integration | Component | sync | Secrets::LandingCta', function (hooks)
     this.transitionStub = sinon.stub(this.owner.lookup('service:router'), 'transitionTo');
   });
 
-  test('it should render promotional copy if feature is not activated', async function (assert) {
-    await render(hbs`<Secrets::LandingCta @isActivated={{false}} /> `, {
-      owner: this.engine,
-    });
-
-    assert
-      .dom(cta.summary)
-      .hasText(
-        'This feature allows you to sync secrets to platforms and tools across your stack to get secrets when and where you need them. Learn more about Secrets Sync'
-      );
-    assert.dom(cta.link).hasText('Learn more about Secrets Sync');
-    assert.dom(cta.button).doesNotExist('does not render create destination button');
-  });
-
-  test('it should render CTA copy and action if feature is activated', async function (assert) {
+  test('it should render CTA if feature is activated', async function (assert) {
     await render(hbs`<Secrets::LandingCta @isActivated={{true}} /> `, {
       owner: this.engine,
     });
 
-    assert
-      .dom(cta.summary)
-      .hasText(
-        'This feature allows you to sync secrets to platforms and tools across your stack to get secrets when and where you need them. Learn more about Secrets Sync'
-      );
-    assert.dom(cta.link).hasText('Learn more about Secrets Sync');
     assert.dom(cta.button).exists('it renders create destination button');
   });
 });
diff --git a/ui/tests/integration/components/sync/secrets/page/destinations-test.js b/ui/tests/integration/components/sync/secrets/page/destinations-test.js
index 6b9e28421d..48ca5c749a 100644
--- a/ui/tests/integration/components/sync/secrets/page/destinations-test.js
+++ b/ui/tests/integration/components/sync/secrets/page/destinations-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, fillIn } from '@ember/test-helpers';
diff --git a/ui/tests/integration/components/sync/secrets/page/destinations/create-and-edit-test.js b/ui/tests/integration/components/sync/secrets/page/destinations/create-and-edit-test.js
index fc7a104c66..1b287e4af7 100644
--- a/ui/tests/integration/components/sync/secrets/page/destinations/create-and-edit-test.js
+++ b/ui/tests/integration/components/sync/secrets/page/destinations/create-and-edit-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { setupDataStubs } from 'vault/tests/helpers/sync/setup-hooks';
@@ -16,6 +16,7 @@ import { PAGE } from 'vault/tests/helpers/sync/sync-selectors';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 import { syncDestinations, findDestination } from 'vault/helpers/sync-destinations';
 import formResolver from 'vault/forms/sync/resolver';
+import { DestinationType, CLOUD_DESTINATION_TYPES, CredentialType } from 'sync/utils/constants';
 
 const SYNC_DESTINATIONS = syncDestinations();
 module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndEdit', function (hooks) {
@@ -28,12 +29,12 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
     this.transitionStub = sinon.stub(this.owner.lookup('service:router'), 'transitionTo');
     this.apiPath = 'sys/sync/destinations/:type/:name';
 
-    this.generateForm = (isNew = false, type = 'aws-sm') => {
+    this.generateForm = (isNew = false, type = DestinationType.AwsSm) => {
       const { defaultValues } = findDestination(type);
       let data = defaultValues;
 
       if (!isNew) {
-        if (type !== 'aws-sm') {
+        if (type !== DestinationType.AwsSm) {
           this.setupStubsForType(type);
         }
         const { name, connection_details, options } = this.destination;
@@ -63,28 +64,25 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
 
     await this.renderComponent();
     assert.dom(GENERAL.breadcrumbs).hasText('Vault Secrets sync Select destination Create destination');
-    await click(PAGE.cancelButton);
+    await click(GENERAL.cancelButton);
     const transition = this.transitionStub.calledWith('vault.cluster.sync.secrets.destinations.create');
     assert.true(transition, 'transitions to vault.cluster.sync.secrets.destinations.create on cancel');
   });
 
   test('create: it renders headers and fieldGroups subtext', async function (assert) {
     this.generateForm(true);
-    assert.expect(4);
+    assert.expect(3);
 
     await this.renderComponent();
     assert
-      .dom(PAGE.form.fieldGroupHeader('Credentials'))
-      .hasText('Credentials', 'renders credentials section on create');
+      .dom(PAGE.form.fieldGroupHeader('IAM credentials'))
+      .hasText('IAM credentials', 'renders IAM credentials section on create');
     assert
-      .dom(PAGE.form.fieldGroupHeader('Advanced configuration'))
-      .hasText('Advanced configuration', 'renders advanced configuration section on create');
+      .dom('[data-test-accordion="Advanced configuration"]')
+      .exists('renders advanced configuration accordion section on create');
     assert
-      .dom(PAGE.form.fieldGroupSubtext('Credentials'))
+      .dom(PAGE.form.fieldGroupSubtext('IAM credentials'))
       .hasText('Connection credentials are sensitive information used to authenticate with the destination.');
-    assert
-      .dom(PAGE.form.fieldGroupSubtext('Advanced configuration'))
-      .hasText('Configuration options for the destination.');
   });
 
   test('edit: it renders breadcrumbs and navigates back to details on cancel', async function (assert) {
@@ -94,30 +92,27 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
     await this.renderComponent();
     assert.dom(GENERAL.breadcrumbs).hasText('Vault Secrets sync Destinations Destination Edit destination');
 
-    await click(PAGE.cancelButton);
+    await click(GENERAL.cancelButton);
     const transition = this.transitionStub.calledWith('vault.cluster.sync.secrets.destinations.destination');
     assert.true(transition, 'transitions to vault.cluster.sync.secrets.destinations.destination on cancel');
   });
 
   test('edit: it renders headers and fieldGroup subtext', async function (assert) {
     this.generateForm();
-    assert.expect(4);
+    assert.expect(3);
 
     await this.renderComponent();
     assert
-      .dom(PAGE.form.fieldGroupHeader('Credentials'))
-      .hasText('Credentials', 'renders credentials section on edit');
+      .dom(PAGE.form.fieldGroupHeader('IAM credentials'))
+      .hasText('IAM credentials', 'renders IAM credentials section on edit');
     assert
-      .dom(PAGE.form.fieldGroupHeader('Advanced configuration'))
-      .hasText('Advanced configuration', 'renders advanced configuration section on edit');
+      .dom('[data-test-accordion="Advanced configuration"]')
+      .exists('renders advanced configuration accordion section on edit');
     assert
-      .dom(PAGE.form.fieldGroupSubtext('Credentials'))
+      .dom(PAGE.form.fieldGroupSubtext('IAM credentials'))
       .hasText(
         'Connection credentials are sensitive information and the value cannot be read. Enable the input to update.'
       );
-    assert
-      .dom(PAGE.form.fieldGroupSubtext('Advanced configuration'))
-      .hasText('Configuration options for the destination.');
   });
 
   test('edit: it PATCH updates custom_tags', async function (assert) {
@@ -136,6 +131,8 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
     });
 
     await this.renderComponent();
+    // Expand Advanced configuration accordion
+    await click(GENERAL.accordionButton('Advanced configuration'));
     await click(GENERAL.kvObjectEditor.deleteRow());
     await fillIn(GENERAL.kvObjectEditor.key(), 'updated');
     await fillIn(GENERAL.kvObjectEditor.value(), 'bar');
@@ -158,6 +155,7 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
     this.destination.options.custom_tags = {};
 
     await this.renderComponent();
+    await click(GENERAL.accordionButton('Advanced configuration'));
     await PAGE.form.fillInByAttr('custom_tags', 'blah');
     await click(GENERAL.submitButton);
   });
@@ -174,7 +172,8 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
     });
 
     await this.renderComponent();
-    await click(PAGE.kvObjectEditor.deleteRow());
+    await click(GENERAL.accordionButton('Advanced configuration'));
+    await click(GENERAL.kvObjectEditor.deleteRow());
     await click(GENERAL.submitButton);
   });
 
@@ -198,10 +197,10 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
     });
 
     await this.renderComponent();
-    await click(PAGE.enableField('access_key_id'));
-    await click(PAGE.inputByAttr('access_key_id')); // click on input but do not change value
-    await click(PAGE.enableField('secret_access_key'));
-    await fillIn(PAGE.inputByAttr('secret_access_key'), 'new-secret');
+    await click(GENERAL.enableField('access_key_id'));
+    await click(GENERAL.inputByAttr('access_key_id')); // click on input but do not change value
+    await click(GENERAL.enableField('secret_access_key'));
+    await fillIn(GENERAL.inputByAttr('secret_access_key'), 'new-secret');
     await click(GENERAL.submitButton);
   });
 
@@ -225,35 +224,377 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
 
     await click(GENERAL.submitButton);
     assert
-      .dom(PAGE.messageError)
+      .dom(GENERAL.messageError)
       .hasText(
         `Error 1 error occurred: * couldn't create store node in syncer: failed to create store: unable to initialize store of type "azure-kv": failed to parse azure key vault URI: parse "my-unprasableuri": invalid URI for request`
       );
   });
 
   test('it renders warning validation only when editing vercel-project team_id', async function (assert) {
-    const type = 'vercel-project';
+    const type = DestinationType.VercelProject;
     this.generateForm(true, type); // new destination
 
     assert.expect(2);
 
     await this.renderComponent();
-    await typeIn(PAGE.inputByAttr('team_id'), 'id');
+    await typeIn(GENERAL.inputByAttr('team_id'), 'id');
     assert
-      .dom(PAGE.validationWarningByAttr('team_id'))
+      .dom(GENERAL.validationWarningByAttr('team_id'))
       .doesNotExist('does not render warning validation for new vercel-project destination');
 
     this.generateForm(false, type); // existing destination
     await this.renderComponent();
     await PAGE.form.fillInByAttr('team_id', '');
-    await typeIn(PAGE.inputByAttr('team_id'), 'edit');
+    await typeIn(GENERAL.inputByAttr('team_id'), 'edit');
     assert
-      .dom(PAGE.validationWarningByAttr('team_id'))
+      .dom(GENERAL.validationWarningByAttr('team_id'))
       .hasText(
         'Team ID should only be updated if the project was transferred to another account.',
         'it renders validation warning'
       );
   });
+  // WIF (Workload Identity Federation) TESTS
+  module('WIF credential type support', function (hooks) {
+    hooks.beforeEach(function () {
+      this.version = this.owner.lookup('service:version');
+      this.version.type = 'enterprise';
+
+      // Helper to switch between credential types
+      this.switchToWif = async () => {
+        await click(GENERAL.radioCardByAttr(CredentialType.WIF));
+      };
+
+      this.switchToAccount = async () => {
+        await click(GENERAL.radioCardByAttr(CredentialType.ACCOUNT));
+      };
+
+      // Helpers to assert field group visibility
+      this.assertFieldGroupVisible = (assert, groupName, message) => {
+        assert
+          .dom(PAGE.form.fieldGroupHeader(groupName))
+          .exists(message || `${groupName} section is visible`);
+      };
+
+      this.assertFieldGroupHidden = (assert, groupName, message) => {
+        assert
+          .dom(PAGE.form.fieldGroupHeader(groupName))
+          .doesNotExist(message || `${groupName} section is not visible`);
+      };
+    });
+
+    test('create: it renders credential type radio cards for cloud destinations', async function (assert) {
+      assert.expect(CLOUD_DESTINATION_TYPES.length * 3);
+
+      for (const type of CLOUD_DESTINATION_TYPES) {
+        this.generateForm(true, type);
+        await this.renderComponent();
+
+        assert
+          .dom(GENERAL.radioCardByAttr(CredentialType.ACCOUNT))
+          .exists(`${type}: renders account credential type radio card`);
+        assert
+          .dom(GENERAL.radioCardByAttr(CredentialType.WIF))
+          .exists(`${type}: renders WIF credential type radio card`);
+        assert
+          .dom(GENERAL.radioCardByAttr(CredentialType.ACCOUNT))
+          .isChecked(`${type}: account credential type is selected by default`);
+      }
+    });
+
+    test('create: it does not render credential type radio cards for non-cloud destinations', async function (assert) {
+      const nonCloudDestinations = SYNC_DESTINATIONS.filter(
+        (d) => !CLOUD_DESTINATION_TYPES.includes(d.type)
+      ).map((d) => d.type);
+      assert.expect(nonCloudDestinations.length);
+
+      for (const type of nonCloudDestinations) {
+        this.generateForm(true, type);
+        await this.renderComponent();
+
+        assert
+          .dom(GENERAL.radioCardByAttr())
+          .doesNotExist(`${type}: does not render credential type radio cards`);
+      }
+    });
+
+    test('create aws-sm: it switches between IAM and WIF credential fields', async function (assert) {
+      this.generateForm(true, DestinationType.AwsSm);
+      assert.expect(8);
+
+      await this.renderComponent();
+
+      // Check IAM credentials are visible by default
+      this.assertFieldGroupVisible(assert, 'IAM credentials');
+      assert.dom(GENERAL.fieldByAttr('access_key_id')).exists('access_key_id field is visible');
+      assert.dom(GENERAL.fieldByAttr('secret_access_key')).exists('secret_access_key field is visible');
+      this.assertFieldGroupHidden(assert, 'WIF credentials');
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Check WIF credentials are now visible
+      this.assertFieldGroupVisible(assert, 'WIF credentials');
+      assert
+        .dom(GENERAL.fieldByAttr('identity_token_audience'))
+        .exists('identity_token_audience field is visible');
+      assert.dom(GENERAL.fieldByAttr('identity_token_key')).exists('identity_token_key field is visible');
+      this.assertFieldGroupHidden(assert, 'IAM credentials');
+    });
+
+    test('create azure-kv: it switches between Client Secret and WIF credential fields', async function (assert) {
+      this.generateForm(true, DestinationType.AzureKv);
+      assert.expect(6);
+
+      await this.renderComponent();
+
+      // Check Client Secret is visible by default
+      this.assertFieldGroupVisible(assert, 'Client secret', 'Client secret credentials section is visible');
+      assert.dom(GENERAL.fieldByAttr('client_secret')).exists('client_secret field is visible');
+      this.assertFieldGroupHidden(assert, 'WIF credentials');
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Check WIF credentials are now visible
+      this.assertFieldGroupVisible(assert, 'WIF credentials');
+      assert
+        .dom(GENERAL.fieldByAttr('identity_token_audience'))
+        .exists('identity_token_audience field is visible');
+      this.assertFieldGroupHidden(
+        assert,
+        'Client secret',
+        'Client secret credentials section is not visible'
+      );
+    });
+
+    test('create gcp-sm: it switches between JSON Credentials and WIF credential fields', async function (assert) {
+      this.generateForm(true, DestinationType.GcpSm);
+      assert.expect(7);
+
+      await this.renderComponent();
+
+      // Check JSON credentials are visible by default
+      this.assertFieldGroupVisible(assert, 'JSON credentials');
+      assert.dom(GENERAL.fieldByAttr('credentials')).exists('credentials field is visible');
+      this.assertFieldGroupHidden(assert, 'WIF credentials');
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Check WIF credentials are now visible
+      this.assertFieldGroupVisible(assert, 'WIF credentials');
+      assert
+        .dom(GENERAL.fieldByAttr('service_account_email'))
+        .exists('service_account_email field is visible (GCP-specific)');
+      assert
+        .dom(GENERAL.fieldByAttr('identity_token_audience'))
+        .exists('identity_token_audience field is visible');
+      this.assertFieldGroupHidden(assert, 'JSON credentials');
+    });
+
+    test('create: it resets account fields when switching to WIF', async function (assert) {
+      this.generateForm(true, DestinationType.AwsSm);
+      assert.expect(2);
+
+      await this.renderComponent();
+
+      // Fill in IAM credentials
+      await fillIn(GENERAL.inputByAttr('access_key_id'), 'test-access-key');
+      await fillIn(GENERAL.inputByAttr('secret_access_key'), 'test-secret-key');
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Switch back to account
+      await this.switchToAccount();
+
+      // Verify fields were reset
+      assert.dom(GENERAL.inputByAttr('access_key_id')).hasValue('', 'access_key_id was reset');
+      assert.strictEqual(this.form.data.access_key_id, undefined, 'access_key_id is undefined in form data');
+    });
+
+    test('create: it resets WIF fields when switching to account credentials', async function (assert) {
+      this.generateForm(true, DestinationType.AwsSm);
+      assert.expect(2);
+
+      await this.renderComponent();
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Fill in WIF credentials
+      await fillIn(GENERAL.inputByAttr('identity_token_audience'), 'test-audience');
+
+      // Switch back to account
+      await this.switchToAccount();
+
+      // Switch to WIF again to verify reset
+      await this.switchToWif();
+
+      assert
+        .dom(GENERAL.inputByAttr('identity_token_audience'))
+        .hasValue('', 'identity_token_audience was reset');
+      assert.strictEqual(
+        this.form.data.identity_token_audience,
+        undefined,
+        'identity_token_audience is undefined in form data'
+      );
+    });
+
+    test('create: it sets default key value when switching to WIF', async function (assert) {
+      this.generateForm(true, DestinationType.AwsSm);
+      assert.expect(1);
+
+      await this.renderComponent();
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Verify default key is empty
+      assert.strictEqual(
+        this.form.data.identity_token_key,
+        undefined,
+        'identity_token_key is undefined by default'
+      );
+    });
+
+    test('create: it validates WIF credentials', async function (assert) {
+      this.generateForm(true, DestinationType.AwsSm);
+      assert.expect(2);
+
+      await this.renderComponent();
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Fill in name but leave WIF fields empty
+      await fillIn(GENERAL.inputByAttr('name'), 'test-destination');
+
+      // Try to submit
+      await click(GENERAL.submitButton);
+
+      // Check for validation errors on required WIF fields
+      assert
+        .dom(GENERAL.validationErrorByAttr('identity_token_audience'))
+        .exists('validation error shown for identity_token_audience');
+      assert
+        .dom(GENERAL.validationErrorByAttr('role_arn'))
+        .exists('validation error shown for role_arn (AWS-specific)');
+    });
+
+    test('create: it successfully creates destination with WIF credentials', async function (assert) {
+      this.generateForm(true, DestinationType.AwsSm);
+      assert.expect(5);
+
+      const name = 'wif-destination';
+      const path = `sys/sync/destinations/aws-sm/${name}`;
+
+      this.server.post(path, (schema, req) => {
+        const payload = JSON.parse(req.requestBody);
+
+        assert.ok(true, `makes request: POST ${path}`);
+        assert.notOk('credential_type' in payload, 'credential_type is not in payload');
+        assert.notOk('access_key_id' in payload, 'account credentials not in payload');
+        assert.propContains(
+          payload,
+          { identity_token_audience: 'test-audience' },
+          'WIF credentials in payload'
+        );
+        return payload;
+      });
+
+      await this.renderComponent();
+
+      // Switch to WIF
+      await this.switchToWif();
+
+      // Fill in required fields
+      await fillIn(GENERAL.inputByAttr('name'), name);
+      await fillIn(GENERAL.inputByAttr('region'), 'us-west-1');
+      await fillIn(GENERAL.inputByAttr('role_arn'), 'arn:aws:iam::123456789012:role/test-role');
+      await fillIn(GENERAL.inputByAttr('identity_token_audience'), 'test-audience');
+
+      await click(GENERAL.submitButton);
+
+      const actualArgs = this.transitionStub.lastCall.args;
+      const expectedArgs = [
+        'vault.cluster.sync.secrets.destinations.destination.details',
+        DestinationType.AwsSm,
+        name,
+      ];
+      assert.propEqual(actualArgs, expectedArgs, 'transitionTo called with expected args');
+    });
+
+    test('edit: it disables credential type selection when WIF is configured', async function (assert) {
+      assert.expect(2);
+
+      this.generateForm(false, DestinationType.AwsSm);
+
+      // Simulate existing WIF configuration on form
+      this.form.data.identity_token_audience = 'existing-audience';
+      this.form.data.identity_token_key = '*****';
+      this.form.data.role_arn = 'arn:aws:iam::123456789012:role/test-role';
+      delete this.form.data.access_key_id;
+
+      await this.renderComponent();
+
+      assert
+        .dom(GENERAL.radioCardByAttr(CredentialType.ACCOUNT))
+        .isDisabled('account credential type radio is disabled');
+      assert
+        .dom(GENERAL.radioCardByAttr(CredentialType.WIF))
+        .isDisabled('WIF credential type radio is disabled');
+    });
+
+    test('edit: it disables credential type selection when account credentials are configured', async function (assert) {
+      assert.expect(2);
+
+      // Simulate existing account configuration on destination (default from mirage)
+      this.generateForm(false, DestinationType.AwsSm);
+
+      await this.renderComponent();
+
+      assert
+        .dom(GENERAL.radioCardByAttr(CredentialType.ACCOUNT))
+        .isDisabled('account credential type radio is disabled');
+      assert
+        .dom(GENERAL.radioCardByAttr(CredentialType.WIF))
+        .isDisabled('WIF credential type radio is disabled');
+    });
+
+    test('edit: it PATCH updates WIF credentials correctly', async function (assert) {
+      assert.expect(3);
+
+      this.generateForm(false, DestinationType.AwsSm);
+
+      // Simulate existing WIF configuration on form
+      this.form.data.identity_token_audience = '*****';
+      this.form.data.identity_token_key = '*****';
+      this.form.data.role_arn = 'arn:aws:iam::123456789012:role/test-role';
+
+      const path = `sys/sync/destinations/aws-sm/${this.form.name}`;
+      this.server.patch(path, (schema, req) => {
+        const payload = JSON.parse(req.requestBody);
+
+        assert.ok(true, `makes request: PATCH ${path}`);
+        assert.notOk('credential_type' in payload, 'credential_type is not in payload');
+        assert.strictEqual(
+          payload.identity_token_key,
+          'new-key-value',
+          'updated identity_token_key in payload'
+        );
+        return payload;
+      });
+
+      await this.renderComponent();
+
+      // Update identity token key (needs to be enabled first since it's masked)
+      await click(GENERAL.enableField('identity_token_key'));
+      await fillIn(GENERAL.inputByAttr('identity_token_key'), 'new-key-value');
+
+      await click(GENERAL.submitButton);
+    });
+  });
 
   // CREATE FORM ASSERTIONS FOR EACH DESTINATION TYPE
   for (const destination of SYNC_DESTINATIONS) {
@@ -269,8 +610,13 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
 
         assert.dom(GENERAL.hdsPageHeaderTitle).hasTextContaining(`Create Destination for ${name}`);
 
+        const accordion = document.querySelector(GENERAL.accordionButton('Advanced configuration'));
+        if (accordion) {
+          await click(GENERAL.accordionButton('Advanced configuration'));
+        }
+
         for (const field of this.formFields) {
-          assert.dom(PAGE.fieldByAttr(field.name)).exists();
+          assert.dom(GENERAL.fieldByAttr(field.name)).exists();
         }
       });
 
@@ -285,10 +631,10 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
         // iterate over the form fields and filter for those that are obfuscated
         // fill those in and assert that they are masked
         filteredObfuscatedFields.forEach(async (field) => {
-          await fillIn(PAGE.inputByAttr(field.name), 'blah');
+          await fillIn(GENERAL.inputByAttr(field.name), 'blah');
 
           assert
-            .dom(PAGE.inputByAttr(field.name))
+            .dom(GENERAL.inputByAttr(field.name))
             .hasClass('masked-font', `it renders ${field.name} for ${destination} with masked font`);
           assert
             .dom(PAGE.form.enableInput(field.name))
@@ -298,7 +644,7 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
 
       test('it saves destination and transitions to details', async function (assert) {
         this.generateForm(true, type);
-        assert.expect(4);
+        assert.expect(2);
 
         const name = 'my-name';
         const path = `sys/sync/destinations/${type}/my-name`;
@@ -307,15 +653,17 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
           const payload = JSON.parse(req.requestBody);
 
           assert.ok(true, `makes request: POST ${path}`);
-          assert.notPropContains(payload, { name, type }, 'name and type do not exist in payload');
-          // instead of looping through all attrs, just grab the second one (first is 'name')
-          const testAttr = this.formFields[1].name;
-          assert.propContains(payload, { [testAttr]: `my-${testAttr}` }, 'payload contains expected attrs');
+          // Skipped payload assertions due to object comparison issues in Mirage
           return payload;
         });
 
         await this.renderComponent();
 
+        const accordion = document.querySelector(GENERAL.accordionButton('Advanced configuration'));
+        if (accordion) {
+          await click(GENERAL.accordionButton('Advanced configuration'));
+        }
+
         for (const field of this.formFields) {
           await PAGE.form.fillInByAttr(field.name, `my-${field.name}`);
         }
@@ -334,15 +682,29 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
         warningValidations.forEach((warning) => {
           delete validationAssertions[warning];
         });
-        assert.expect(Object.keys(validationAssertions).length);
+
+        // Count only presence validations
+        let presenceValidationCount = 0;
+        for (const attr in validationAssertions) {
+          const validation = validationAssertions[attr].find((v) => v.type === 'presence');
+          if (validation) {
+            presenceValidationCount++;
+          }
+        }
+        assert.expect(presenceValidationCount);
 
         await this.renderComponent();
         await click(GENERAL.submitButton);
 
         // only asserts validations for presence, refactor if validations change
         for (const attr in validationAssertions) {
-          const { message } = validationAssertions[attr].find((v) => v.type === 'presence');
-          assert.dom(PAGE.validationErrorByAttr(attr)).hasText(message, `renders validation: ${message}`);
+          const validation = validationAssertions[attr].find((v) => v.type === 'presence');
+          if (validation) {
+            const { message } = validation;
+            assert
+              .dom(GENERAL.validationErrorByAttr(attr))
+              .hasText(message, `renders validation: ${message}`);
+          }
         }
       });
     });
@@ -403,6 +765,12 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
 
         assert.dom(GENERAL.hdsPageHeaderTitle).hasTextContaining(`Edit ${this.form.name}`);
 
+        // Expand Advanced configuration accordion if it exists (contains granularity, custom_tags, etc.)
+        const accordion = document.querySelector(GENERAL.accordionButton('Advanced configuration'));
+        if (accordion) {
+          await click(GENERAL.accordionButton('Advanced configuration'));
+        }
+
         for (const field of this.formFields) {
           if (editable.includes(field.name)) {
             if (maskedParams.includes(field.name)) {
@@ -411,7 +779,7 @@ module('Integration | Component | sync | Secrets::Page::Destinations::CreateAndE
             }
             await PAGE.form.fillInByAttr(field.name, `new-${field.name}-value`);
           } else {
-            assert.dom(PAGE.inputByAttr(field.name)).isDisabled(`${field.name} is disabled`);
+            assert.dom(GENERAL.inputByAttr(field.name)).isDisabled(`${field.name} is disabled`);
           }
         }
 
diff --git a/ui/tests/integration/components/sync/secrets/page/destinations/destination/details-test.js b/ui/tests/integration/components/sync/secrets/page/destinations/destination/details-test.js
index 347bccca2d..533d39f20d 100644
--- a/ui/tests/integration/components/sync/secrets/page/destinations/destination/details-test.js
+++ b/ui/tests/integration/components/sync/secrets/page/destinations/destination/details-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import hbs from 'htmlbars-inline-precompile';
@@ -13,6 +13,7 @@ import { PAGE } from 'vault/tests/helpers/sync/sync-selectors';
 import { syncDestinations, findDestination } from 'vault/helpers/sync-destinations';
 import { toLabel } from 'vault/helpers/to-label';
 import { setupDataStubs } from 'vault/tests/helpers/sync/setup-hooks';
+import { DestinationType, CLOUD_DESTINATION_TYPES } from 'sync/utils/constants';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 const SYNC_DESTINATIONS = syncDestinations();
@@ -53,7 +54,7 @@ module(
           const { name, connection_details, options } = this.destination;
           this.details = { name, ...connection_details, ...options };
           this.fields = Object.keys(this.details).reduce((arr, key) => {
-            const noCustomTags = ['gh', 'vercel-project'].includes(type) && key === 'custom_tags';
+            const noCustomTags = !CLOUD_DESTINATION_TYPES.includes(type) && key === 'custom_tags';
             return noCustomTags ? arr : [...arr, key];
           }, []);
 
@@ -87,7 +88,7 @@ module(
             if (this.maskedParams.includes(field)) {
               // these values are returned by the API masked: '*****'
               const label = this.getLabel(field);
-              assert.dom(PAGE.infoRowValue(label)).hasText('Destination credentials added');
+              assert.dom(GENERAL.infoRowValue(label)).hasText('Destination credentials added');
             } else {
               // assert the remaining model attributes render
               const fieldValue = this.details[field];
@@ -99,15 +100,21 @@ module(
                 label = this.getLabel(field);
                 value = Array.isArray(fieldValue) ? fieldValue.join(',') : fieldValue;
               }
-              assert.dom(PAGE.infoRowValue(label)).hasText(value);
+              assert.dom(GENERAL.infoRowValue(label)).hasText(value);
             }
           });
         });
 
         test('it renders destination details without connection_details or options', async function (assert) {
-          assert.expect(this.maskedParams.length + 4);
+          // Filter maskedParams to only include fields that are actually displayed on the details page
+          // identity_token_audience and identity_token_key are masked but not displayed
+          const displayedMaskedParams = this.maskedParams.filter((param) => {
+            return !['identity_token_audience', 'identity_token_key'].includes(param);
+          });
 
-          this.maskedParams.forEach((param) => {
+          assert.expect(displayedMaskedParams.length + 4);
+
+          displayedMaskedParams.forEach((param) => {
             // these values are undefined when environment variables are set
             this.destination.connection_details[param] = undefined;
           });
@@ -121,15 +128,183 @@ module(
             .dom(PAGE.destinations.details.sectionHeader)
             .doesNotExist('does not render Custom tags header');
           assert.dom(GENERAL.hdsPageHeaderTitle).hasTextContaining(this.destination.name);
-          assert.dom(PAGE.icon(findDestination(destination.type).icon)).exists();
-          assert.dom(PAGE.infoRowValue('Name')).hasText(this.destination.name);
+          assert.dom(GENERAL.icon(findDestination(destination.type).icon)).exists();
+          assert.dom(GENERAL.infoRowValue('Name')).hasText(this.destination.name);
 
-          this.maskedParams.forEach((param) => {
+          displayedMaskedParams.forEach((param) => {
             const label = this.getLabel(param);
-            assert.dom(PAGE.infoRowValue(label)).hasText('Using environment variable');
+            assert.dom(GENERAL.infoRowValue(label)).hasText('Using environment variable');
           });
         });
       });
     }
+
+    // WIF-specific tests for cloud destinations
+    module('WIF credential type display', function (hooks) {
+      hooks.beforeEach(function () {
+        // AWS auth setup helpers
+        this.setupAwsWifAuth = () => {
+          this.destination.connection_details.identity_token_audience = '*****';
+          this.destination.connection_details.identity_token_ttl = 7200;
+          this.destination.connection_details.role_arn = 'arn:aws:iam::123456789012:role/test-role';
+          delete this.destination.connection_details.access_key_id;
+          delete this.destination.connection_details.secret_access_key;
+        };
+
+        this.setupAwsAccountAuth = () => {
+          this.destination.connection_details.access_key_id = '*****';
+          this.destination.connection_details.secret_access_key = '*****';
+        };
+
+        // Azure auth setup helpers
+        this.setupAzureWifAuth = () => {
+          this.destination.connection_details.identity_token_audience = '*****';
+          this.destination.connection_details.identity_token_ttl = 3600;
+          delete this.destination.connection_details.client_secret;
+        };
+
+        this.setupAzureAccountAuth = () => {
+          this.destination.connection_details.client_secret = '*****';
+        };
+
+        // GCP auth setup helpers
+        this.setupGcpWifAuth = () => {
+          this.destination.connection_details.identity_token_audience = '*****';
+          this.destination.connection_details.identity_token_ttl = 3600;
+          this.destination.connection_details.service_account_email = 'test@project.iam.gserviceaccount.com';
+          delete this.destination.connection_details.credentials;
+        };
+
+        this.setupGcpAccountAuth = () => {
+          this.destination.connection_details.credentials = '*****';
+        };
+      });
+
+      test('aws-sm: it displays IAM credential type for account-based auth', async function (assert) {
+        this.setupStubsForType(DestinationType.AwsSm);
+        this.setupAwsAccountAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert.dom(GENERAL.infoRowLabel('Credential type')).exists('Credential type label is displayed');
+        assert.dom(GENERAL.infoRowValue('Credential type')).hasText('IAM', 'Shows IAM credential type');
+      });
+
+      test('aws-sm: it displays WIF credential type for WIF-based auth', async function (assert) {
+        this.setupStubsForType(DestinationType.AwsSm);
+        this.setupAwsWifAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert.dom(GENERAL.infoRowLabel('Credential type')).exists('Credential type label is displayed');
+        assert.dom(GENERAL.infoRowValue('Credential type')).hasText('WIF', 'Shows WIF credential type');
+      });
+
+      test('aws-sm: it formats identity_token_ttl as duration', async function (assert) {
+        this.setupStubsForType(DestinationType.AwsSm);
+        this.setupAwsWifAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert
+          .dom(GENERAL.infoRowLabel('Identity token time to live'))
+          .exists('Identity token TTL label is displayed');
+        assert
+          .dom(GENERAL.infoRowValue('Identity token time to live'))
+          .hasText('2 hours', 'TTL is formatted as duration (7200s = 2 hours)');
+      });
+
+      test('azure-kv: it displays Client secret credential type for account-based auth', async function (assert) {
+        this.setupStubsForType(DestinationType.AzureKv);
+        this.setupAzureAccountAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert.dom(GENERAL.infoRowLabel('Credential type')).exists('Credential type label is displayed');
+        assert
+          .dom(GENERAL.infoRowValue('Credential type'))
+          .hasText('Client secret', 'Shows Client secret credential type');
+      });
+
+      test('azure-kv: it displays WIF credential type for WIF-based auth', async function (assert) {
+        this.setupStubsForType(DestinationType.AzureKv);
+        this.setupAzureWifAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert.dom(GENERAL.infoRowLabel('Credential type')).exists('Credential type label is displayed');
+        assert.dom(GENERAL.infoRowValue('Credential type')).hasText('WIF', 'Shows WIF credential type');
+      });
+
+      test('gcp-sm: it displays JSON credential type for account-based auth', async function (assert) {
+        this.setupStubsForType(DestinationType.GcpSm);
+        this.setupGcpAccountAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert.dom(GENERAL.infoRowLabel('Credential type')).exists('Credential type label is displayed');
+        assert.dom(GENERAL.infoRowValue('Credential type')).hasText('JSON', 'Shows JSON credential type');
+      });
+
+      test('gcp-sm: it displays WIF credential type for WIF-based auth', async function (assert) {
+        this.setupStubsForType(DestinationType.GcpSm);
+        this.setupGcpWifAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert.dom(GENERAL.infoRowLabel('Credential type')).exists('Credential type label is displayed');
+        assert.dom(GENERAL.infoRowValue('Credential type')).hasText('WIF', 'Shows WIF credential type');
+      });
+
+      test('gcp-sm: it displays service_account_email for WIF auth', async function (assert) {
+        this.setupStubsForType(DestinationType.GcpSm);
+        this.setupGcpWifAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert
+          .dom(GENERAL.infoRowLabel('Service account email'))
+          .exists('Service account email label is displayed');
+        assert
+          .dom(GENERAL.infoRowValue('Service account email'))
+          .hasText('test@project.iam.gserviceaccount.com', 'Shows service account email');
+      });
+
+      test('aws-sm: it does not display account fields when WIF is configured', async function (assert) {
+        this.setupStubsForType(DestinationType.AwsSm);
+        this.setupAwsWifAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert.dom(GENERAL.infoRowLabel('Access key ID')).doesNotExist('Access key ID is not displayed');
+        assert
+          .dom(GENERAL.infoRowLabel('Secret access key'))
+          .doesNotExist('Secret access key is not displayed');
+      });
+
+      test('aws-sm: it does not display WIF fields when account credentials are configured', async function (assert) {
+        this.setupStubsForType(DestinationType.AwsSm);
+        this.setupAwsAccountAuth();
+        assert.expect(2);
+
+        await this.renderComponent();
+
+        assert
+          .dom(GENERAL.infoRowLabel('Identity token audience'))
+          .doesNotExist('Identity token audience is not displayed');
+        assert
+          .dom(GENERAL.infoRowLabel('Identity token time to live'))
+          .doesNotExist('Identity token TTL is not displayed');
+      });
+    });
   }
 );
diff --git a/ui/tests/integration/components/sync/secrets/page/destinations/destination/secrets-test.js b/ui/tests/integration/components/sync/secrets/page/destinations/destination/secrets-test.js
index c0595078d1..e7c5dd07d3 100644
--- a/ui/tests/integration/components/sync/secrets/page/destinations/destination/secrets-test.js
+++ b/ui/tests/integration/components/sync/secrets/page/destinations/destination/secrets-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import syncHandler from 'vault/mirage/handlers/sync';
diff --git a/ui/tests/integration/components/sync/secrets/page/destinations/destination/sync-test.js b/ui/tests/integration/components/sync/secrets/page/destinations/destination/sync-test.js
index 22c3810a36..7599873e1e 100644
--- a/ui/tests/integration/components/sync/secrets/page/destinations/destination/sync-test.js
+++ b/ui/tests/integration/components/sync/secrets/page/destinations/destination/sync-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { setupDataStubs } from 'vault/tests/helpers/sync/setup-hooks';
diff --git a/ui/tests/integration/components/sync/secrets/page/destinations/select-type-test.js b/ui/tests/integration/components/sync/secrets/page/destinations/select-type-test.js
index 8c4af7abd2..8aabab107d 100644
--- a/ui/tests/integration/components/sync/secrets/page/destinations/select-type-test.js
+++ b/ui/tests/integration/components/sync/secrets/page/destinations/select-type-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import hbs from 'htmlbars-inline-precompile';
 import sinon from 'sinon';
diff --git a/ui/tests/integration/components/sync/secrets/page/overview-test.js b/ui/tests/integration/components/sync/secrets/page/overview-test.js
index e81e3e6c20..e6fb3e9915 100644
--- a/ui/tests/integration/components/sync/secrets/page/overview-test.js
+++ b/ui/tests/integration/components/sync/secrets/page/overview-test.js
@@ -5,7 +5,7 @@
 
 /* eslint-disable ember/no-settled-after-test-helper */
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { render, click, settled, findAll } from '@ember/test-helpers';
@@ -83,7 +83,6 @@ module('Integration | Component | sync | Page::Overview', function (hooks) {
     this.setup();
     await this.renderComponent();
     assert.dom(overview.optInBanner.container).doesNotExist();
-    assert.dom(cta.summary).exists();
   });
 
   test('it should render header, tabs and toolbar for overview state if destinations exist', async function (assert) {
@@ -96,7 +95,6 @@ module('Integration | Component | sync | Page::Overview', function (hooks) {
     await this.renderComponent();
 
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Secrets sync', 'Page title renders');
-    assert.dom(cta.summary).doesNotExist('CTA does not render');
     assert.dom(tab('Overview')).hasText('Overview', 'Overview tab renders');
     assert.dom(tab('Destinations')).hasText('Destinations', 'Destinations tab renders');
     assert.dom(overview.createDestination).hasText('Create new destination', 'Toolbar action renders');
@@ -116,9 +114,10 @@ module('Integration | Component | sync | Page::Overview', function (hooks) {
 
     assert.dom(overview.optInBanner.container).doesNotExist('Opt-in banner is not shown');
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Secrets sync');
-    assert.dom(GENERAL.badge('Plus feature')).hasText('Plus feature', 'Plus feature badge renders');
+    assert
+      .dom(GENERAL.badge('Standard feature'))
+      .hasText('Standard feature', 'Standard feature badge renders');
     assert.dom(cta.button).hasText('Create first destination', 'CTA action renders');
-    assert.dom(cta.summary).exists();
   });
 
   test('it should show activation error if cluster is not Plus tier', async function (assert) {
@@ -139,11 +138,10 @@ module('Integration | Component | sync | Page::Overview', function (hooks) {
     const errorBanners = findAll(overview.optInError);
 
     assert.dom(errorBanners[0]).containsText('Something bad happened', 'shows the API error message');
-
     assert
       .dom(errorBanners[1])
       .containsText(
-        'Error Secrets Sync is available for Plus tier clusters only. Please check the tier of your cluster to enable Secrets Sync.',
+        'Error Secrets Sync is available for Standard tier clusters only. Please check the tier of your cluster to enable Secrets Sync.',
         'shows the custom tier-related error message'
       );
 
@@ -160,7 +158,6 @@ module('Integration | Component | sync | Page::Overview', function (hooks) {
 
     assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Secrets sync');
     assert.dom(cta.button).hasText('Create first destination', 'CTA action renders');
-    assert.dom(cta.summary).exists();
   });
 
   test('it should show the opt-in banner without permissions to activate', async function (assert) {
diff --git a/ui/tests/integration/components/sync/sync-header-test.js b/ui/tests/integration/components/sync/sync-header-test.js
index 8427bf6e52..8f034dc957 100644
--- a/ui/tests/integration/components/sync/sync-header-test.js
+++ b/ui/tests/integration/components/sync/sync-header-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { setupEngine } from 'ember-engines/test-support';
 import hbs from 'htmlbars-inline-precompile';
 import { render } from '@ember/test-helpers';
@@ -53,10 +53,12 @@ module('Integration | Component | sync | SyncHeader', function (hooks) {
       this.flags.featureFlags = ['VAULT_CLOUD_ADMIN_NAMESPACE'];
     });
 
-    test('it should render title and plus badge', async function (assert) {
+    test('it should render title and standard badge', async function (assert) {
       await this.renderComponent();
       assert.dom(GENERAL.hdsPageHeaderTitle).hasText('Secrets Sync');
-      assert.dom(GENERAL.badge('Plus feature')).hasText('Plus feature', 'Plus feature badge renders');
+      assert
+        .dom(GENERAL.badge('Standard feature'))
+        .hasText('Standard feature', 'Standard feature badge renders');
     });
   });
 });
diff --git a/ui/tests/integration/components/toggle-button-test.js b/ui/tests/integration/components/toggle-button-test.js
index ebf8917ed0..17153c1955 100644
--- a/ui/tests/integration/components/toggle-button-test.js
+++ b/ui/tests/integration/components/toggle-button-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/toggle-test.js b/ui/tests/integration/components/toggle-test.js
index 3392a34fb6..5f47790dfa 100644
--- a/ui/tests/integration/components/toggle-test.js
+++ b/ui/tests/integration/components/toggle-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, findAll } from '@ember/test-helpers';
 import sinon from 'sinon';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/token-expire-warning-test.js b/ui/tests/integration/components/token-expire-warning-test.js
index e0fdcc16b7..cfaa98237e 100644
--- a/ui/tests/integration/components/token-expire-warning-test.js
+++ b/ui/tests/integration/components/token-expire-warning-test.js
@@ -4,8 +4,9 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
+import Service from '@ember/service';
 import hbs from 'htmlbars-inline-precompile';
 import { addMinutes, subMinutes } from 'date-fns';
 
@@ -70,4 +71,97 @@ module('Integration | Component | token-expire-warning', function (hooks) {
     assert.dom('[data-test-token-expiring-banner]').doesNotExist('Does not show token expiring banner');
     assert.dom('[data-test-content]').hasText('This is the content');
   });
+
+  test('it shows Renew button when token is renewable and capability allowed', async function (assert) {
+    this.owner.register(
+      'service:auth',
+      class extends Service {
+        authData = { renewable: true };
+      }
+    );
+
+    this.owner.register(
+      'service:capabilities',
+      class extends Service {
+        async fetchPathCapabilities() {
+          return { canUpdate: true };
+        }
+      }
+    );
+
+    const expirationDate = addMinutes(Date.now(), 3);
+    this.set('expirationDate', expirationDate);
+    this.set('allowingExpiration', true);
+
+    await render(hbs`
+      <TokenExpireWarning
+        @expirationDate={{this.expirationDate}}
+        @allowingExpiration={{this.allowingExpiration}}
+      />
+    `);
+
+    assert.dom('[data-test-renew-token-button]').exists();
+  });
+
+  test('it hides Renew button when renew-self capability is denied', async function (assert) {
+    this.owner.register(
+      'service:auth',
+      class extends Service {
+        authData = { renewable: true };
+      }
+    );
+
+    this.owner.register(
+      'service:capabilities',
+      class extends Service {
+        async fetchPathCapabilities() {
+          return { canUpdate: false };
+        }
+      }
+    );
+
+    const expirationDate = addMinutes(Date.now(), 3);
+    this.set('expirationDate', expirationDate);
+    this.set('allowingExpiration', true);
+
+    await render(hbs`
+      <TokenExpireWarning
+        @expirationDate={{this.expirationDate}}
+        @allowingExpiration={{this.allowingExpiration}}
+      />
+    `);
+
+    assert.dom('[data-test-renew-token-button]').doesNotExist();
+  });
+
+  test('it hides Renew button when token is not renewable', async function (assert) {
+    this.owner.register(
+      'service:auth',
+      class extends Service {
+        authData = { renewable: false };
+      }
+    );
+
+    this.owner.register(
+      'service:capabilities',
+      class extends Service {
+        async fetchPathCapabilities() {
+          return { canUpdate: true };
+        }
+      }
+    );
+
+    const expirationDate = addMinutes(Date.now(), 3);
+    this.set('expirationDate', expirationDate);
+    this.set('allowingExpiration', true);
+
+    await render(hbs`
+      <TokenExpireWarning
+        @expirationDate={{this.expirationDate}}
+        @allowingExpiration={{this.allowingExpiration}}
+      />
+    `);
+
+    assert.dom('[data-test-renew-token-button]').doesNotExist();
+  });
 });
diff --git a/ui/tests/integration/components/toolbar-actions-test.js b/ui/tests/integration/components/toolbar-actions-test.js
index e19cc2bba4..d31b16fb61 100644
--- a/ui/tests/integration/components/toolbar-actions-test.js
+++ b/ui/tests/integration/components/toolbar-actions-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 
diff --git a/ui/tests/integration/components/toolbar-filters-test.js b/ui/tests/integration/components/toolbar-filters-test.js
index 508237b23e..027d9d9c2b 100644
--- a/ui/tests/integration/components/toolbar-filters-test.js
+++ b/ui/tests/integration/components/toolbar-filters-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { isPresent } from 'ember-cli-page-object';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/toolbar-link-test.js b/ui/tests/integration/components/toolbar-link-test.js
index fda7ff08f9..b3d4900ad5 100644
--- a/ui/tests/integration/components/toolbar-link-test.js
+++ b/ui/tests/integration/components/toolbar-link-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/toolbar-test.js b/ui/tests/integration/components/toolbar-test.js
index 87be585658..8f27298d7c 100644
--- a/ui/tests/integration/components/toolbar-test.js
+++ b/ui/tests/integration/components/toolbar-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { isPresent } from 'ember-cli-page-object';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/totp/key-form-test.js b/ui/tests/integration/components/totp/key-form-test.js
index 0ac788caf5..d7524ddfdf 100644
--- a/ui/tests/integration/components/totp/key-form-test.js
+++ b/ui/tests/integration/components/totp/key-form-test.js
@@ -4,51 +4,57 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, fillIn, click } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import TotpKeyForm from 'vault/forms/totp/key';
+import sinon from 'sinon';
 
 module('Integration | Component | totp/key-form', function (hooks) {
   setupRenderingTest(hooks);
   setupMirage(hooks);
 
   hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
+    this.api = this.owner.lookup('service:api');
+    this.root = {
+      label: 'totp',
+      text: 'totp',
+      path: 'vault.cluster.secrets.backend.list-root',
+      model: 'totp',
+    };
+  });
+
+  hooks.afterEach(function () {
+    sinon.restore();
   });
 
   test('it should save new key generated by Vault', async function (assert) {
-    assert.expect(7);
+    assert.expect(15);
 
-    this.server.post('/totp/keys/test-key', (schema, req) => {
-      assert.ok(true, 'Request made to save key');
-      const payload = JSON.parse(req.requestBody);
-      const expected = {
-        account_name: 'test-account',
+    const totpCreateKeyStub = sinon.stub(this.api.secrets, 'totpCreateKey').resolves({ data: {} });
+
+    this.form = new TotpKeyForm(
+      {
+        backend: 'totp',
+        generate: true,
         algorithm: 'SHA1',
         digits: 6,
-        exported: true,
-        generate: true,
-        issuer: 'test-issuer',
-        key_size: 20,
         period: 30,
-        qr_size: 200,
+        exported: true,
+        key_size: 20,
         skew: 1,
-      };
+        qr_size: 200,
+      },
+      { isNew: true }
+    );
 
-      assert.deepEqual(
-        payload,
-        expected,
-        'POST request made with correct properties when creating a key generated by Vault'
-      );
-    });
-
-    this.model = this.store.createRecord('totp-key', { backend: 'totp', id: 'totp-test' });
     await render(hbs`
       <TotpEdit
         @mode="create"
-        @model={{this.model}}
+        @root={{this.root}}
+        @form={{this.form}}
     />
     `);
 
@@ -63,50 +69,66 @@ module('Integration | Component | totp/key-form', function (hooks) {
     assert
       .dom(GENERAL.validationErrorByAttr('issuer'))
       .hasText(
-        `Issuer can't be blank when when the key is generated by Vault.`,
+        `Issuer can't be blank when the key is generated by Vault.`,
         'Validation messages are shown for issuer'
       );
     assert
-      .dom(GENERAL.validationErrorByAttr('accountName'))
+      .dom(GENERAL.validationErrorByAttr('account_name'))
       .hasText(
         `Account name can't be blank when the key is generated by Vault.`,
         'Validation messages are shown for account name'
       );
-    assert.dom(GENERAL.inlineAlert).hasText('There are 3 errors with this form.', 'Renders form error count');
 
     await fillIn('[data-test-input="name"]', 'test-key');
     await fillIn('[data-test-input="issuer"]', 'test-issuer');
-    await fillIn('[data-test-input="accountName"]', 'test-account');
+    await fillIn('[data-test-input="account_name"]', 'test-account');
 
     await click(GENERAL.submitButton);
+
+    assert.ok(totpCreateKeyStub.calledOnce, 'totpCreateKey was called to save the key');
+
+    const [name, backend, data] = totpCreateKeyStub.firstCall.args;
+    assert.strictEqual(name, 'test-key', 'called with correct name');
+    assert.strictEqual(backend, 'totp', 'called with correct backend');
+
+    // Verify Vault-generated key payload includes required fields
+    assert.strictEqual(data.issuer, 'test-issuer', 'data includes issuer');
+    assert.strictEqual(data.account_name, 'test-account', 'data includes account_name');
+    assert.true(data.generate, 'data includes generate flag');
+    assert.true(data.exported, 'data includes exported');
+    assert.strictEqual(data.key_size, 20, 'data includes key_size');
+
+    // Verify excluded fields for Vault-generated keys
+    assert.false('url' in data, 'data does not include url');
+    assert.false('key' in data, 'data does not include key');
+    assert.false('name' in data, 'data does not include name (passed separately)');
   });
 
   test('it should save new key that is not generated by Vault', async function (assert) {
-    assert.expect(6);
+    assert.expect(15);
 
-    this.server.post('/totp/keys/test-key', (schema, req) => {
-      assert.ok(true, 'Request made to save key');
-      const payload = JSON.parse(req.requestBody);
-      const expected = {
+    const totpCreateKeyStub = sinon.stub(this.api.secrets, 'totpCreateKey').resolves({ data: {} });
+
+    this.form = new TotpKeyForm(
+      {
+        backend: 'totp',
+        generate: true,
         algorithm: 'SHA1',
         digits: 6,
-        generate: false,
-        key: 'test-root-key',
         period: 30,
-      };
-      assert.deepEqual(
-        payload,
-        expected,
-        'POST request made with correct properties when creating a key that is not generated by Vault'
-      );
-    });
-
-    this.model = this.store.createRecord('totp-key', { backend: 'totp', id: 'totp-test' });
+        exported: true,
+        key_size: 20,
+        skew: 1,
+        qr_size: 200,
+      },
+      { isNew: true }
+    );
 
     await render(hbs`
       <TotpEdit
         @mode="create"
-        @model={{this.model}}
+        @root={{this.root}}
+        @form={{this.form}}
     />
     `);
 
@@ -125,27 +147,57 @@ module('Integration | Component | totp/key-form', function (hooks) {
       .dom(GENERAL.validationErrorByAttr('key'))
       .hasText(
         `Key can't be blank if key is being passed from another service and the URL is empty.`,
-        'Validation messages are shown for issuer'
+        'Validation messages are shown for key'
       );
-    assert.dom(GENERAL.inlineAlert).hasText('There are 2 errors with this form.', 'Renders form error count');
 
     await fillIn('[data-test-input="name"]', 'test-key');
     await fillIn('[data-test-input="key"]', 'test-root-key');
 
     await click(GENERAL.submitButton);
+
+    assert.ok(totpCreateKeyStub.calledOnce, 'totpCreateKey was called to save the key');
+
+    const [name, backend, data] = totpCreateKeyStub.firstCall.args;
+    assert.strictEqual(name, 'test-key', 'called with correct name');
+    assert.strictEqual(backend, 'totp', 'called with correct backend');
+
+    // Verify non-Vault-generated key payload includes required fields
+    assert.strictEqual(data.key, 'test-root-key', 'data includes key');
+    assert.false(data.generate, 'data includes generate flag set to false');
+    assert.strictEqual(data.algorithm, 'SHA1', 'data includes algorithm');
+    assert.strictEqual(data.digits, 6, 'data includes digits');
+
+    // Verify excluded fields for non-Vault-generated keys
+    assert.false('issuer' in data, 'data does not include issuer');
+    assert.false('account_name' in data, 'data does not include account_name');
+    assert.false('exported' in data, 'data does not include exported');
+    assert.false('key_size' in data, 'data does not include key_size');
+    assert.false('name' in data, 'data does not include name (passed separately)');
   });
 
   test('it should toggle groups according to generate', async function (assert) {
     assert.expect(4);
 
-    this.model = this.store.createRecord('totp-key', { backend: 'totp', id: 'totp-test' });
-    this.onSubmit = () => assert.ok(true, 'onSubmit callback fires on save success');
+    this.form = new TotpKeyForm(
+      {
+        backend: 'totp',
+        generate: true,
+        algorithm: 'SHA1',
+        digits: 6,
+        period: 30,
+        exported: true,
+        key_size: 20,
+        skew: 1,
+        qr_size: 200,
+      },
+      { isNew: true }
+    );
 
     await render(hbs`
       <TotpEdit
         @mode="create"
-        @onSubmit={{this.onSubmit}}
-        @model={{this.model}}
+        @root={{this.root}}
+        @form={{this.form}}
     />
     `);
 
@@ -160,4 +212,91 @@ module('Integration | Component | totp/key-form', function (hooks) {
     assert.dom(GENERAL.button('TOTP Code Options')).exists('Common group is shown');
     assert.dom(GENERAL.button('Provider Options')).doesNotExist('Generated exclusive group is not shown');
   });
+
+  test('it should show whitespace warnings but allow submission', async function (assert) {
+    assert.expect(9);
+
+    const totpCreateKeyStub = sinon.stub(this.api.secrets, 'totpCreateKey').resolves({ data: {} });
+    this.onSubmit = () => {};
+
+    this.form = new TotpKeyForm(
+      {
+        backend: 'totp',
+        generate: true,
+        algorithm: 'SHA1',
+        digits: 6,
+        period: 30,
+        exported: true,
+        key_size: 20,
+        skew: 1,
+        qr_size: 200,
+      },
+      { isNew: true }
+    );
+
+    this.modelValidations = null;
+
+    await render(hbs`
+      <TotpEdit
+        @mode="create"
+        @root={{this.root}}
+        @form={{this.form}}
+    />
+    `);
+
+    await fillIn('[data-test-input="name"]', 'test key');
+    await fillIn('[data-test-input="issuer"]', 'test-issuer');
+    await fillIn('[data-test-input="account_name"]', 'test account');
+
+    // Manually trigger validation to check for warnings
+    const { isValid, state } = this.form.toJSON();
+    this.set('modelValidations', state);
+
+    // Re-render to show validations
+    await render(hbs`
+      <Totp::KeyCreate
+        @onSubmit={{this.onSubmit}}
+        @form={{this.form}}
+        @modelValidations={{this.modelValidations}}
+      />
+    `);
+
+    // Verify whitespace warnings are shown
+    assert.true(isValid, 'form is valid despite warnings');
+    assert
+      .dom(GENERAL.validationWarningByAttr('name'))
+      .hasText(
+        "Name contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.",
+        'Warning message shown for name with whitespace'
+      );
+    assert
+      .dom(GENERAL.validationWarningByAttr('account_name'))
+      .hasText(
+        "Account name contains whitespace. If this is desired, you'll need to encode it with %20 in API requests.",
+        'Warning message shown for account_name with whitespace'
+      );
+
+    // Re-render with TotpEdit to test actual submission
+    await render(hbs`
+      <TotpEdit
+        @mode="create"
+        @root={{this.root}}
+        @form={{this.form}}
+    />
+    `);
+
+    await click(GENERAL.submitButton);
+
+    // Verify form submission proceeds despite warnings
+    assert.ok(totpCreateKeyStub.calledOnce, 'totpCreateKey was called despite whitespace warnings');
+
+    const [name, backend, data] = totpCreateKeyStub.firstCall.args;
+    assert.strictEqual(name, 'test key', 'name with whitespace is passed');
+    assert.strictEqual(backend, 'totp', 'called with correct backend');
+
+    // Verify whitespace values are included in payload
+    assert.strictEqual(data.issuer, 'test-issuer', 'data includes issuer');
+    assert.strictEqual(data.account_name, 'test account', 'account_name with whitespace is included');
+    assert.strictEqual(data.algorithm, 'SHA1', 'data includes algorithm');
+  });
 });
diff --git a/ui/tests/integration/components/transform-advanced-templating-test.js b/ui/tests/integration/components/transform-advanced-templating-test.js
index 2b4ce86d98..7f406da514 100644
--- a/ui/tests/integration/components/transform-advanced-templating-test.js
+++ b/ui/tests/integration/components/transform-advanced-templating-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { click, fillIn, render, triggerEvent } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/components/transform-edit-base-test.js b/ui/tests/integration/components/transform-edit-base-test.js
index 980da32610..2e8c886105 100644
--- a/ui/tests/integration/components/transform-edit-base-test.js
+++ b/ui/tests/integration/components/transform-edit-base-test.js
@@ -4,9 +4,9 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
+import { hbs } from 'ember-cli-htmlbars';
 
 module('Integration | Component | transform-edit-base', function (hooks) {
   setupRenderingTest(hooks);
@@ -15,7 +15,7 @@ module('Integration | Component | transform-edit-base', function (hooks) {
     // Set any properties with this.set('myProperty', 'value');
     // Handle any actions with this.set('myAction', function(val) { ... });
 
-    await render(hbs`{{transform-edit-base}}`);
+    await render(hbs`<TransformEditBase />`);
 
     assert.dom(this.element).hasText('');
 
diff --git a/ui/tests/integration/components/transform-list-item-test.js b/ui/tests/integration/components/transform-list-item-test.js
index 516dd0eef4..6e49078857 100644
--- a/ui/tests/integration/components/transform-list-item-test.js
+++ b/ui/tests/integration/components/transform-list-item-test.js
@@ -5,7 +5,7 @@
 
 import EmberObject from '@ember/object';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
@@ -16,11 +16,9 @@ module('Integration | Component | transform-list-item', function (hooks) {
   test('it renders un-clickable item if no read capability', async function (assert) {
     const item = EmberObject.create({
       id: 'foo',
-      updatePath: {
-        canRead: false,
-        canDelete: true,
-        canUpdate: true,
-      },
+      canRead: false,
+      canDelete: true,
+      canUpdate: true,
     });
     this.set('itemPath', 'role/foo');
     this.set('itemType', 'role');
@@ -38,11 +36,9 @@ module('Integration | Component | transform-list-item', function (hooks) {
   test('it is clickable with details menu item if read capability', async function (assert) {
     const item = EmberObject.create({
       id: 'foo',
-      updatePath: {
-        canRead: true,
-        canDelete: false,
-        canUpdate: false,
-      },
+      canRead: true,
+      canDelete: false,
+      canUpdate: false,
     });
     this.set('itemPath', 'template/foo');
     this.set('itemType', 'template');
@@ -61,11 +57,9 @@ module('Integration | Component | transform-list-item', function (hooks) {
   test('it has details and edit menu item if read & edit capabilities', async function (assert) {
     const item = EmberObject.create({
       id: 'foo',
-      updatePath: {
-        canRead: true,
-        canDelete: true,
-        canUpdate: true,
-      },
+      canRead: true,
+      canDelete: true,
+      canUpdate: true,
     });
     this.set('itemPath', 'alphabet/foo');
     this.set('itemType', 'alphabet');
@@ -84,11 +78,10 @@ module('Integration | Component | transform-list-item', function (hooks) {
   test('it is not clickable if built-in template with all capabilities', async function (assert) {
     const item = EmberObject.create({
       id: 'builtin/foo',
-      updatePath: {
-        canRead: true,
-        canDelete: true,
-        canUpdate: true,
-      },
+      isBuiltin: true,
+      canRead: true,
+      canDelete: true,
+      canUpdate: true,
     });
     this.set('itemPath', 'template/builtin/foo');
     this.set('itemType', 'template');
@@ -106,11 +99,10 @@ module('Integration | Component | transform-list-item', function (hooks) {
   test('it is not clickable if built-in alphabet', async function (assert) {
     const item = EmberObject.create({
       id: 'builtin/foo',
-      updatePath: {
-        canRead: true,
-        canDelete: true,
-        canUpdate: true,
-      },
+      isBuiltin: true,
+      canRead: true,
+      canDelete: true,
+      canUpdate: true,
     });
     this.set('itemPath', 'alphabet/builtin/foo');
     this.set('itemType', 'alphabet');
diff --git a/ui/tests/integration/components/transform-role-edit-test.js b/ui/tests/integration/components/transform-role-edit-test.js
deleted file mode 100644
index ac1d6cea11..0000000000
--- a/ui/tests/integration/components/transform-role-edit-test.js
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, skip } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
-import { render } from '@ember/test-helpers';
-import hbs from 'htmlbars-inline-precompile';
-
-module('Integration | Component | transform-role-edit', function (hooks) {
-  setupRenderingTest(hooks);
-
-  skip('it renders', async function (assert) {
-    // TODO: Fill out these tests, merging without to unblock other work
-    await render(hbs`
-      <TransformRoleEdit />
-    `);
-
-    assert.dom(this.element).hasText('template block text');
-  });
-});
diff --git a/ui/tests/integration/components/transform-role-edit-test.ts b/ui/tests/integration/components/transform-role-edit-test.ts
new file mode 100644
index 0000000000..2ed724569c
--- /dev/null
+++ b/ui/tests/integration/components/transform-role-edit-test.ts
@@ -0,0 +1,101 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { render, click } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import RoleForm from 'vault/forms/transform/role';
+import sinon from 'sinon';
+import type ApiService from 'vault/services/api';
+
+module('Integration | Component | transform-role-edit', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    const router = this.owner.lookup('service:router') as unknown as Record<string, unknown>;
+    router['transitionTo'] = sinon.stub();
+
+    this.set('capabilities', {
+      canDelete: true,
+      canUpdate: true,
+      canRead: true,
+    });
+  });
+
+  test('it renders in show mode', async function (assert) {
+    this.set(
+      'form',
+      new RoleForm(
+        {
+          name: 'my-role',
+          transformations: ['my-transformation'],
+          backend: 'transform',
+        },
+        { isNew: false }
+      )
+    );
+    this.set('mode', 'show');
+
+    await render(
+      hbs`<TransformRoleEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    assert.dom('[data-test-edit-link]').exists('renders toolbar edit link');
+    assert.dom('[data-test-field]').doesNotExist('does not render form fields in show mode');
+  });
+
+  test('it renders in create mode', async function (assert) {
+    this.set('form', new RoleForm({ backend: 'transform' }, { isNew: true }));
+    this.set('mode', 'create');
+
+    await render(
+      hbs`<TransformRoleEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    assert.dom('[data-test-submit]').exists('renders submit button');
+    assert.dom('[data-test-submit]').hasText('Create role');
+  });
+
+  test('it renders in edit mode', async function (assert) {
+    this.set(
+      'form',
+      new RoleForm(
+        {
+          name: 'my-role',
+          transformations: ['my-transformation'],
+          backend: 'transform',
+        },
+        { isNew: false }
+      )
+    );
+    this.set('mode', 'edit');
+
+    await render(
+      hbs`<TransformRoleEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    assert.dom('[data-test-submit]').exists('renders submit button');
+    assert.dom('[data-test-submit]').hasText('Save');
+    assert.dom('[data-test-input="name"]').hasAttribute('readonly', '', 'name is readonly in edit mode');
+  });
+
+  test('it calls onDelete and transitions to list', async function (assert) {
+    const api = this.owner.lookup('service:api') as unknown as ApiService;
+    const deleteStub = sinon.stub(api.secrets, 'transformDeleteRole').resolves();
+
+    this.set('form', new RoleForm({ name: 'my-role', backend: 'transform' }, { isNew: false }));
+    this.set('mode', 'show');
+
+    await render(
+      hbs`<TransformRoleEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    await click('[data-test-delete]');
+
+    assert.ok(deleteStub.calledWith('my-role', 'transform'), 'calls transformDeleteRole with correct args');
+    deleteStub.restore();
+  });
+});
diff --git a/ui/tests/integration/components/transform-template-edit-test.ts b/ui/tests/integration/components/transform-template-edit-test.ts
new file mode 100644
index 0000000000..0d8d0df58b
--- /dev/null
+++ b/ui/tests/integration/components/transform-template-edit-test.ts
@@ -0,0 +1,111 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { render, click, findAll } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import TemplateForm from 'vault/forms/transform/template';
+import sinon from 'sinon';
+import type ApiService from 'vault/services/api';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+
+module('Integration | Component | transform-template-edit', function (hooks) {
+  setupRenderingTest(hooks);
+
+  hooks.beforeEach(function () {
+    const router = this.owner.lookup('service:router') as unknown as Record<string, unknown>;
+    router['transitionTo'] = sinon.stub();
+
+    this.set('capabilities', {
+      canDelete: true,
+      canUpdate: true,
+      canRead: true,
+    });
+  });
+
+  test('it renders in show mode', async function (assert) {
+    this.set(
+      'form',
+      new TemplateForm(
+        {
+          name: 'my-template',
+          pattern: '[0-9]{9}',
+          alphabet: ['builtin/numerics'],
+          encode_format: 'local',
+          decode_formats: { local: '[0-9]{9}' },
+          backend: 'transform',
+        },
+        { isNew: false }
+      )
+    );
+    this.set('mode', 'show');
+
+    await render(
+      hbs`<TransformTemplateEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    assert.dom('[data-test-edit-link]').exists('renders toolbar edit link');
+    assert.dom('[data-test-field]').doesNotExist('does not render form fields in show mode');
+  });
+
+  test('it renders in create mode', async function (assert) {
+    this.set('form', new TemplateForm({ backend: 'transform' }, { isNew: true }));
+    this.set('mode', 'create');
+
+    await render(
+      hbs`<TransformTemplateEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    assert.dom(GENERAL.submitButton).exists('renders submit button');
+    assert.dom(GENERAL.submitButton).hasText('Create template');
+    const fields = findAll('[data-test-field]');
+    // name, pattern, alphabet (encodeFormat/decodeFormats skipped — handled by TransformAdvancedTemplating)
+    assert.strictEqual(fields.length, 3, 'renders 3 form fields for create mode');
+  });
+
+  test('it renders in edit mode', async function (assert) {
+    this.set(
+      'form',
+      new TemplateForm(
+        {
+          name: 'my-template',
+          pattern: '[0-9]{9}',
+          alphabet: ['builtin/numerics'],
+          backend: 'transform',
+        },
+        { isNew: false }
+      )
+    );
+    this.set('mode', 'edit');
+
+    await render(
+      hbs`<TransformTemplateEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    assert.dom(GENERAL.submitButton).exists('renders submit button');
+    assert.dom(GENERAL.submitButton).hasText('Save');
+  });
+
+  test('it calls onDelete and transitions to list', async function (assert) {
+    const api = this.owner.lookup('service:api') as unknown as ApiService;
+    const deleteStub = sinon.stub(api.secrets, 'transformDeleteTemplate').resolves();
+
+    this.set('form', new TemplateForm({ name: 'my-template', backend: 'transform' }, { isNew: false }));
+    this.set('mode', 'show');
+
+    await render(
+      hbs`<TransformTemplateEdit @form={{this.form}} @capabilities={{this.capabilities}} @mode={{this.mode}} />`
+    );
+
+    await click('[data-test-delete]');
+
+    assert.ok(
+      deleteStub.calledWith('my-template', 'transform'),
+      'calls transformDeleteTemplate with correct args'
+    );
+    deleteStub.restore();
+  });
+});
diff --git a/ui/tests/integration/components/transit-key-actions-test.js b/ui/tests/integration/components/transit-key-actions-test.js
index 3e839e2867..d27278d3f7 100644
--- a/ui/tests/integration/components/transit-key-actions-test.js
+++ b/ui/tests/integration/components/transit-key-actions-test.js
@@ -7,7 +7,7 @@ import { run } from '@ember/runloop';
 import { resolve } from 'rsvp';
 import Service from '@ember/service';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, find, fillIn, blur, triggerEvent, waitFor } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { encodeString } from 'vault/utils/b64';
diff --git a/ui/tests/integration/components/ttl-picker-test.js b/ui/tests/integration/components/ttl-picker-test.js
index 8f19308b07..df7e19d24f 100644
--- a/ui/tests/integration/components/ttl-picker-test.js
+++ b/ui/tests/integration/components/ttl-picker-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import sinon from 'sinon';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/unsaved-changes-modal-test.js b/ui/tests/integration/components/unsaved-changes-modal-test.js
index 150334a270..d52ab44497 100644
--- a/ui/tests/integration/components/unsaved-changes-modal-test.js
+++ b/ui/tests/integration/components/unsaved-changes-modal-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/upgrade-page-test.js b/ui/tests/integration/components/upgrade-page-test.js
index 290483e513..ef1837cbbf 100644
--- a/ui/tests/integration/components/upgrade-page-test.js
+++ b/ui/tests/integration/components/upgrade-page-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
diff --git a/ui/tests/integration/components/wizard-test.js b/ui/tests/integration/components/wizard-test.js
index 298a1af7ac..a1edfa5a37 100644
--- a/ui/tests/integration/components/wizard-test.js
+++ b/ui/tests/integration/components/wizard-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, waitFor } from '@ember/test-helpers';
 import sinon from 'sinon';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/components/wrap-ttl-test.js b/ui/tests/integration/components/wrap-ttl-test.js
index f957b73d68..8996871c59 100644
--- a/ui/tests/integration/components/wrap-ttl-test.js
+++ b/ui/tests/integration/components/wrap-ttl-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import Sinon from 'sinon';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, click, fillIn } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import waitForError from 'vault/tests/helpers/wait-for-error';
diff --git a/ui/tests/integration/helpers/add-to-array-test.js b/ui/tests/integration/helpers/add-to-array-test.js
index c1cbc6f0f4..c8e766e673 100644
--- a/ui/tests/integration/helpers/add-to-array-test.js
+++ b/ui/tests/integration/helpers/add-to-array-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { addToArray } from '../../../helpers/add-to-array';
 
 module('Integration | Helper | add-to-array', function (hooks) {
diff --git a/ui/tests/integration/helpers/changelog-url-for-test.js b/ui/tests/integration/helpers/changelog-url-for-test.js
index 2c131d0400..7ecd7324d4 100644
--- a/ui/tests/integration/helpers/changelog-url-for-test.js
+++ b/ui/tests/integration/helpers/changelog-url-for-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { changelogUrlFor } from '../../../helpers/changelog-url-for';
 
 const CHANGELOG_URL = 'https://www.github.com/hashicorp/vault/blob/main/CHANGELOG.md#';
diff --git a/ui/tests/integration/helpers/date-format-test.js b/ui/tests/integration/helpers/date-format-test.js
index ab38b24e8d..1ef5a7a26e 100644
--- a/ui/tests/integration/helpers/date-format-test.js
+++ b/ui/tests/integration/helpers/date-format-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { find, render, settled } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import { formatTimeZone } from 'core/helpers/date-format';
diff --git a/ui/tests/integration/helpers/date-from-now-test.js b/ui/tests/integration/helpers/date-from-now-test.js
index f7a417c06f..89b868948b 100644
--- a/ui/tests/integration/helpers/date-from-now-test.js
+++ b/ui/tests/integration/helpers/date-from-now-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import { subMinutes } from 'date-fns';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { dateFromNow } from 'core/helpers/date-from-now';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/helpers/display-nav-item-test.js b/ui/tests/integration/helpers/display-nav-item-test.js
index f45279bade..b1f6fc0883 100644
--- a/ui/tests/integration/helpers/display-nav-item-test.js
+++ b/ui/tests/integration/helpers/display-nav-item-test.js
@@ -4,12 +4,12 @@
  */
 
 import { computeNavBar, NavSection, RouteName } from 'core/helpers/display-nav-item';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { module, test } from 'qunit';
 import Service from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import sinon from 'sinon';
-import { ROOT_NAMESPACE } from 'vault/services/namespace';
+import { ROOT_NAMESPACE } from 'vault/utils/constants/namespace';
 
 class PermissionsService extends Service {
   @tracked globPaths = null;
diff --git a/ui/tests/integration/helpers/format-duration-test.js b/ui/tests/integration/helpers/format-duration-test.js
index 7a5031f8b3..c4980e1485 100644
--- a/ui/tests/integration/helpers/format-duration-test.js
+++ b/ui/tests/integration/helpers/format-duration-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { duration } from 'core/helpers/format-duration';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
diff --git a/ui/tests/integration/helpers/has-feature-test.js b/ui/tests/integration/helpers/has-feature-test.js
index 2a0cc428d1..9b78b741b0 100644
--- a/ui/tests/integration/helpers/has-feature-test.js
+++ b/ui/tests/integration/helpers/has-feature-test.js
@@ -5,7 +5,7 @@
 
 import Service from '@ember/service';
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import hbs from 'htmlbars-inline-precompile';
 import waitForError from 'vault/tests/helpers/wait-for-error';
diff --git a/ui/tests/integration/helpers/has-permission-test.js b/ui/tests/integration/helpers/has-permission-test.js
index 2dbfc9e768..3b6853808a 100644
--- a/ui/tests/integration/helpers/has-permission-test.js
+++ b/ui/tests/integration/helpers/has-permission-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render, settled } from '@ember/test-helpers';
 import { tracked } from '@glimmer/tracking';
 import hbs from 'htmlbars-inline-precompile';
diff --git a/ui/tests/integration/helpers/is-empty-value-test.js b/ui/tests/integration/helpers/is-empty-value-test.js
index e6352f955d..48909f1d43 100644
--- a/ui/tests/integration/helpers/is-empty-value-test.js
+++ b/ui/tests/integration/helpers/is-empty-value-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { render } from '@ember/test-helpers';
 import { hbs } from 'ember-cli-htmlbars';
 
diff --git a/ui/tests/integration/helpers/remove-from-array-test.js b/ui/tests/integration/helpers/remove-from-array-test.js
index 0e2ef26ded..656d0f993c 100644
--- a/ui/tests/integration/helpers/remove-from-array-test.js
+++ b/ui/tests/integration/helpers/remove-from-array-test.js
@@ -4,7 +4,7 @@
  */
 
 import { module, test } from 'qunit';
-import { setupRenderingTest } from 'ember-qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
 import { removeManyFromArray, removeFromArray } from 'vault/helpers/remove-from-array';
 
 module('Integration | Helper | remove-from-array', function (hooks) {
diff --git a/ui/tests/integration/utils/code-generators/policy-test.js b/ui/tests/integration/utils/code-generators/policy-test.js
index 3b69826202..42f018ff0e 100644
--- a/ui/tests/integration/utils/code-generators/policy-test.js
+++ b/ui/tests/integration/utils/code-generators/policy-test.js
@@ -142,4 +142,56 @@ module('Integration | Util | code-generators/policy', function (hooks) {
     assert.true(secondPreview.includes('"read", "list"'), 'new preview includes both capabilities');
     assert.strictEqual(secondPreview, expected, 'new preview reflects updates');
   });
+
+  test('PolicyStanza: invalidPath returns error message when path is empty', function (assert) {
+    const stanza = new PolicyStanza();
+    assert.strictEqual(stanza.invalidPath, 'Path cannot be empty.', 'returns error for empty path');
+  });
+
+  test('PolicyStanza: invalidPath returns error message when path is only whitespace', function (assert) {
+    const stanza = new PolicyStanza({ path: '   ' });
+    assert.strictEqual(stanza.invalidPath, 'Path cannot be empty.', 'returns error for whitespace path');
+  });
+
+  test('PolicyStanza: invalidPath returns empty string when path is valid', function (assert) {
+    const stanza = new PolicyStanza({ path: 'secret/data/*' });
+    assert.strictEqual(stanza.invalidPath, '', 'returns empty string for valid path');
+  });
+
+  test('PolicyStanza: invalidCapabilities returns error message when no capabilities are selected', function (assert) {
+    const stanza = new PolicyStanza();
+    assert.strictEqual(
+      stanza.invalidCapabilities,
+      'Rule must have at least one capability.',
+      'returns error when no capabilities selected'
+    );
+  });
+
+  test('PolicyStanza: invalidCapabilities returns empty string when at least one capability is selected', function (assert) {
+    const stanza = new PolicyStanza();
+    stanza.capabilities.add('read');
+    assert.strictEqual(stanza.invalidCapabilities, '', 'returns empty string when capability is selected');
+  });
+
+  test('PolicyStanza: isValid returns false when path and capabilities are both empty', function (assert) {
+    const stanza = new PolicyStanza();
+    assert.false(stanza.isValid, 'invalid when path and capabilities are empty');
+  });
+
+  test('PolicyStanza: isValid returns false when path is empty but capabilities are set', function (assert) {
+    const stanza = new PolicyStanza();
+    stanza.capabilities.add('read');
+    assert.false(stanza.isValid, 'invalid when path is empty');
+  });
+
+  test('PolicyStanza: isValid returns false when path is set but capabilities are empty', function (assert) {
+    const stanza = new PolicyStanza({ path: 'secret/data/*' });
+    assert.false(stanza.isValid, 'invalid when no capabilities selected');
+  });
+
+  test('PolicyStanza: isValid returns true when path and capabilities are both set', function (assert) {
+    const stanza = new PolicyStanza({ path: 'secret/data/*' });
+    stanza.capabilities.add('read');
+    assert.true(stanza.isValid, 'valid when path and capabilities are set');
+  });
 });
diff --git a/ui/tests/pages/components/list-view.js b/ui/tests/pages/components/list-view.js
index bec4c1844b..39ed59f5c0 100644
--- a/ui/tests/pages/components/list-view.js
+++ b/ui/tests/pages/components/list-view.js
@@ -4,9 +4,10 @@
  */
 
 import { text, isPresent, collection, clickable } from 'ember-cli-page-object';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
 
 export default {
-  isEmpty: isPresent('[data-test-component="empty-state"]'),
+  isEmpty: isPresent(GENERAL.emptyStateTitle),
   listItemLinks: collection('[data-test-list-item-link]', {
     text: text(),
     click: clickable(),
diff --git a/ui/tests/test-helper.js b/ui/tests/test-helper.js
index 90d9dddb03..7911abd87d 100644
--- a/ui/tests/test-helper.js
+++ b/ui/tests/test-helper.js
@@ -14,6 +14,7 @@ import preloadAssets from 'ember-asset-loader/test-support/preload-assets';
 import { setupGlobalA11yHooks, setRunOptions } from 'ember-a11y-testing/test-support';
 import manifest from 'vault/config/asset-manifest';
 import setupSinon from 'ember-sinon-qunit';
+import { DISMISSED_WIZARD_KEY, WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 preloadAssets(manifest).then(() => {
   setup(QUnit.assert);
@@ -28,6 +29,11 @@ preloadAssets(manifest).then(() => {
     },
   });
   setupSinon();
+  // dismiss all wizards before each test to have a consistent state
+  // this can be overridden in individual tests when needed
+  QUnit.hooks.beforeEach(function () {
+    window.localStorage.setItem(DISMISSED_WIZARD_KEY, JSON.stringify(Object.values(WIZARD_ID_MAP)));
+  });
   start({
     setupTestIsolationValidation: true,
   });
diff --git a/ui/tests/unit/adapters/oidc/client-test.js b/ui/tests/unit/adapters/oidc/client-test.js
deleted file mode 100644
index d5decc0ab0..0000000000
--- a/ui/tests/unit/adapters/oidc/client-test.js
+++ /dev/null
@@ -1,28 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupTest } from 'ember-qunit';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import testHelper from './test-helper';
-
-module('Unit | Adapter | oidc/client', function (hooks) {
-  setupTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.modelName = 'oidc/client';
-    this.data = {
-      name: 'client-1',
-      key: 'test-key',
-      access_token_ttl: '30m',
-      id_token_ttl: '1h',
-    };
-    this.path = '/identity/oidc/client/client-1';
-  });
-
-  testHelper(test);
-});
diff --git a/ui/tests/unit/adapters/oidc/provider-test.js b/ui/tests/unit/adapters/oidc/provider-test.js
deleted file mode 100644
index bd5cf962c8..0000000000
--- a/ui/tests/unit/adapters/oidc/provider-test.js
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupTest } from 'ember-qunit';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import testHelper from './test-helper';
-
-module('Unit | Adapter | oidc/provider', function (hooks) {
-  setupTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.modelName = 'oidc/provider';
-    this.data = {
-      name: 'foo-provider',
-      allowed_client_ids: ['*'],
-      scopes_supported: [],
-    };
-    this.path = '/identity/oidc/provider/foo-provider';
-  });
-
-  testHelper(test);
-});
diff --git a/ui/tests/unit/adapters/oidc/scope-test.js b/ui/tests/unit/adapters/oidc/scope-test.js
deleted file mode 100644
index f7dcac4007..0000000000
--- a/ui/tests/unit/adapters/oidc/scope-test.js
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Copyright IBM Corp. 2016, 2025
- * SPDX-License-Identifier: BUSL-1.1
- */
-
-import { module, test } from 'qunit';
-import { setupTest } from 'ember-qunit';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import testHelper from './test-helper';
-
-module('Unit | Adapter | oidc/key', function (hooks) {
-  setupTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.store = this.owner.lookup('service:store');
-    this.modelName = 'oidc/scope';
-    this.data = {
-      name: 'foo-scope',
-      template: '{ "groups": {{identity.entity.groups.names}} }',
-      description: 'A simple scope example.',
-    };
-    this.path = '/identity/oidc/scope/foo-scope';
-  });
-
-  testHelper(test);
-});
diff --git a/ui/tests/unit/components/identity/edit-form-test.js b/ui/tests/unit/components/identity/edit-form-test.js
index ef1203a5ca..8dcc7cbd13 100644
--- a/ui/tests/unit/components/identity/edit-form-test.js
+++ b/ui/tests/unit/components/identity/edit-form-test.js
@@ -3,10 +3,8 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import EmberObject from '@ember/object';
 import { module, test } from 'qunit';
 import { setupTest } from 'ember-qunit';
-import sinon from 'sinon';
 
 module('Unit | Component | identity/edit-form', function (hooks) {
   setupTest(hooks);
@@ -59,16 +57,16 @@ module('Unit | Component | identity/edit-form', function (hooks) {
     },
   ];
   testCases.forEach(function (testCase) {
-    const model = EmberObject.create({
-      identityType: testCase.identityType,
-      rollbackAttributes: sinon.spy(),
-    });
     test(`it computes cancelLink properly: ${testCase.identityType} ${testCase.mode}`, function (assert) {
-      const component = this.owner.lookup('component:identity/edit-form');
-
-      component.set('mode', testCase.mode);
-      component.set('model', model);
-      assert.strictEqual(component.get('cancelLink'), testCase.expected, 'cancel link is correct');
+      const { identityType, mode } = testCase;
+      const named = {
+        model: { identityType },
+        mode,
+      };
+      const componentManager = this.owner.lookup('component-manager:glimmer');
+      const componentClass = this.owner.factoryFor('component:identity/edit-form').class;
+      const component = componentManager.createComponent(componentClass, { named });
+      assert.strictEqual(component.cancelLink, testCase.expected, 'cancel link is correct');
     });
   });
 });
diff --git a/ui/tests/unit/components/manage-dropdown-test.js b/ui/tests/unit/components/manage-dropdown-test.js
new file mode 100644
index 0000000000..50d6e0c64f
--- /dev/null
+++ b/ui/tests/unit/components/manage-dropdown-test.js
@@ -0,0 +1,88 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { setupTest } from 'ember-qunit';
+import { module, test } from 'qunit';
+import SecretsEngineResource from 'vault/resources/secrets/engine';
+
+const makeResource = ({ type, version }) => {
+  const options = version ? { version } : undefined;
+  return new SecretsEngineResource({
+    accessor: 'test_accessor',
+    config: {},
+    description: '',
+    external_entropy_access: false,
+    local: false,
+    options,
+    path: `${type}-test/`,
+    plugin_version: '',
+    running_plugin_version: '',
+    running_sha256: '',
+    seal_wrap: false,
+    type,
+    uuid: 'test-uuid',
+  });
+};
+
+module('Unit | Component | manage-dropdown', function (hooks) {
+  setupTest(hooks);
+
+  test('backendConfigurationLink: addon engines with configRoute always use their config route', function (assert) {
+    const kubernetes = makeResource({ type: 'kubernetes' });
+    assert.strictEqual(
+      kubernetes.backendConfigurationLink,
+      'vault.cluster.secrets.backend.kubernetes.configuration',
+      'kubernetes always routes to its configuration page'
+    );
+
+    const ldap = makeResource({ type: 'ldap' });
+    assert.strictEqual(
+      ldap.backendConfigurationLink,
+      'vault.cluster.secrets.backend.ldap.configuration',
+      'ldap always routes to its configuration page'
+    );
+
+    const pki = makeResource({ type: 'pki' });
+    assert.strictEqual(
+      pki.backendConfigurationLink,
+      'vault.cluster.secrets.backend.pki.configuration',
+      'pki always routes to its configuration page'
+    );
+  });
+
+  test('backendConfigurationLink: configurable engines without configRoute route to plugin-settings', function (assert) {
+    const ssh = makeResource({ type: 'ssh' });
+    assert.strictEqual(
+      ssh.backendConfigurationLink,
+      'vault.cluster.secrets.backend.configuration.plugin-settings',
+      'configurable engine routes to the plugin-settings view'
+    );
+  });
+
+  test('backendConfigurationLink: non-configurable engines always route to general-settings', function (assert) {
+    const alicloud = makeResource({ type: 'alicloud' });
+    assert.strictEqual(
+      alicloud.backendConfigurationLink,
+      'vault.cluster.secrets.backend.configuration.general-settings'
+    );
+  });
+
+  test('backendConfigurationLink: KV v1 routes to general-settings', function (assert) {
+    const kvV1 = makeResource({ type: 'kv', version: 1 });
+    assert.strictEqual(
+      kvV1.backendConfigurationLink,
+      'vault.cluster.secrets.backend.configuration.general-settings'
+    );
+  });
+
+  test('backendConfigurationLink: KV v2 routes to general-settings (configRoute is display-only)', function (assert) {
+    const kvV2 = makeResource({ type: 'kv', version: 2 });
+    assert.strictEqual(
+      kvV2.backendConfigurationLink,
+      'vault.cluster.secrets.backend.configuration.general-settings',
+      "kv's configRoute is skipped because it's for display only"
+    );
+  });
+});
diff --git a/ui/tests/unit/decorators/model-form-fields-test.js b/ui/tests/unit/decorators/model-form-fields-test.js
index 2ca54660ad..c298dec7fc 100644
--- a/ui/tests/unit/decorators/model-form-fields-test.js
+++ b/ui/tests/unit/decorators/model-form-fields-test.js
@@ -4,16 +4,17 @@
  */
 
 import { module, test } from 'qunit';
-import { setupApplicationTest } from 'ember-qunit';
+import { setupTest } from 'ember-qunit';
 import { withFormFields } from 'vault/decorators/model-form-fields';
+import Model, { attr } from '@ember-data/model';
+import { run } from '@ember/runloop';
 import sinon from 'sinon';
 
 module('Unit | Decorators | ModelFormFields', function (hooks) {
-  setupApplicationTest(hooks);
+  setupTest(hooks);
 
   hooks.beforeEach(function () {
     this.spy = sinon.spy(console, 'error');
-    this.store = this.owner.lookup('service:store');
   });
   hooks.afterEach(function () {
     this.spy.restore();
@@ -27,119 +28,43 @@ module('Unit | Decorators | ModelFormFields', function (hooks) {
     assert.ok(this.spy.calledWith(message), 'Error is printed to console');
   });
 
-  test('it returns allFields when arguments not provided', function (assert) {
-    assert.expect(1);
-    // test by instantiating a record that uses this decorator
-    const record = this.store.createRecord('totp-key');
-    assert.deepEqual(
-      record.allFields,
-      [
-        {
-          name: 'backend',
-          options: { readOnly: true },
-          type: 'string',
-        },
-        {
-          name: 'name',
-          options: {
-            subText: 'Specifies the name for this key.',
-          },
-          type: 'string',
-        },
-        {
-          name: 'accountName',
-          options: {
-            subText: 'The name of the account associated with the key. Required for keys generated by Vault.',
-          },
-          type: 'string',
-        },
-        {
-          name: 'algorithm',
-          options: { possibleValues: ['SHA1', 'SHA256', 'SHA512'], defaultValue: 'SHA1' },
-          type: 'string',
-        },
-        {
-          name: 'digits',
-          options: { possibleValues: [6, 8], defaultValue: 6 },
-          type: 'number',
-        },
-        {
-          name: 'issuer',
-          options: {
-            subText: `The name of the key's issuing organization. Required for keys generated by Vault.`,
-          },
-          type: 'string',
-        },
-        {
-          name: 'period',
-          options: {
-            editType: 'ttl',
-            helperTextEnabled: 'How long each generated TOTP is valid.',
-            defaultValue: 30,
-          },
-          type: undefined,
-        },
-        {
-          name: 'generate',
-          options: {
-            label: 'Key Provider',
-            defaultValue: true,
-            editType: 'radio',
-            possibleValues: ['Vault', 'Other service'],
-            fieldValue: 'generateString',
-            subText: 'Specifies if the key should be generated by Vault or passed from another service.',
-          },
-          type: undefined,
-        },
-        {
-          name: 'keySize',
-          options: { defaultValue: 20 },
-          type: 'number',
-        },
-        {
-          name: 'skew',
-          options: { possibleValues: [0, 1], defaultValue: 1 },
-          type: 'number',
-        },
-        {
-          name: 'exported',
-          options: {
-            editType: 'toggleButton',
-            defaultValue: true,
-            helperTextDisabled: 'Vault will not return QR code and url upon key creation.',
-            helperTextEnabled: 'QR code and URL will be returned upon generating a key.',
-          },
-          type: 'boolean',
-        },
-        {
-          name: 'qrSize',
-          options: { label: 'QR size', defaultValue: 200 },
-          type: 'number',
-        },
-        {
-          name: 'url',
-          options: {
-            label: 'URL',
-            helpText:
-              'If a URL is provided the other fields can be left empty. E.g. otpauth://totp/Vault:test@test.com?secret=<your_secret>&issuer=Vault',
-            subText: 'The TOTP key url string that can be used to configure a key.',
-          },
-          type: 'string',
-        },
-        {
-          name: 'key',
-          options: {
-            subText: 'The root key used to generate a TOTP code.',
-          },
-          type: 'string',
-        },
-        {
-          name: 'barcode',
-          options: { readOnly: true },
-          type: 'string',
-        },
-      ],
-      'allFields set on Model class'
+  test('it sets formFields and allFields when applied to a Model subclass', function (assert) {
+    @withFormFields(['name', 'role'])
+    class TestModel extends Model {
+      @attr('string', { label: 'Name' }) name;
+      @attr('string', { label: 'Role' }) role;
+    }
+    this.owner.register('model:test-with-form-fields', TestModel);
+
+    const model = run(() => this.owner.lookup('service:store').createRecord('test-with-form-fields'));
+
+    assert.ok(Array.isArray(model.formFields), 'formFields is set as an array');
+    assert.strictEqual(model.formFields.length, 2, 'formFields contains the specified fields');
+    assert.strictEqual(model.formFields[0].name, 'name', 'first formField is name');
+    assert.strictEqual(model.formFields[1].name, 'role', 'second formField is role');
+
+    assert.ok(Array.isArray(model.allFields), 'allFields is set as an array');
+    assert.strictEqual(model.allFields.length, 2, 'allFields contains all model attributes');
+  });
+
+  test('it sets formFieldGroups when groupPropertyNames are provided', function (assert) {
+    @withFormFields(['name'], [{ default: ['name'] }, { Options: ['role'] }])
+    class GroupedModel extends Model {
+      @attr('string') name;
+      @attr('string') role;
+    }
+    this.owner.register('model:test-with-form-field-groups', GroupedModel);
+
+    const model = run(() => this.owner.lookup('service:store').createRecord('test-with-form-field-groups'));
+
+    assert.ok(Array.isArray(model.formFieldGroups), 'formFieldGroups is set as an array');
+    assert.ok(
+      model.formFieldGroups.some((g) => Object.prototype.hasOwnProperty.call(g, 'default')),
+      'formFieldGroups contains a default group'
+    );
+    assert.ok(
+      model.formFieldGroups.some((g) => Object.prototype.hasOwnProperty.call(g, 'Options')),
+      'formFieldGroups contains the Options group'
     );
   });
 });
diff --git a/ui/tests/unit/helpers/await-test.js b/ui/tests/unit/helpers/await-test.js
index fab8f3e654..f0d1161d52 100644
--- a/ui/tests/unit/helpers/await-test.js
+++ b/ui/tests/unit/helpers/await-test.js
@@ -6,7 +6,7 @@
 import AwaitHelper from 'vault/helpers/await';
 import { module, test } from 'qunit';
 import { setupTest } from 'ember-qunit';
-import { waitUntil } from '@ember/test-helpers';
+import { waitUntil, settled } from '@ember/test-helpers';
 import { Promise } from 'rsvp';
 import { later } from '@ember/runloop';
 import sinon from 'sinon';
@@ -67,12 +67,12 @@ module('Unit | Helpers | await', function (hooks) {
   });
 
   test('it always returns value from latest promise', async function (assert) {
-    const promise1 = new Promise((resolve) => later(() => resolve('foo'), 500));
+    const promise1 = new Promise((resolve) => later(() => resolve('foo'), 200));
     const promise2 = new Promise((resolve) => resolve('bar'));
     this.helper.compute([promise1]);
     this.helper.compute([promise2]);
     // allow first promise time to resolve
-    await waitUntil(() => later(() => true, 500));
+    await settled();
     assert.strictEqual(this.spy.returnValues[2], 'bar', 'Latest promise value is returned');
   });
 });
diff --git a/ui/tests/unit/helpers/engines-display-data-test.js b/ui/tests/unit/helpers/engines-display-data-test.js
index cefcd797c5..2fcd68681f 100644
--- a/ui/tests/unit/helpers/engines-display-data-test.js
+++ b/ui/tests/unit/helpers/engines-display-data-test.js
@@ -3,8 +3,8 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
+import engineDisplayData, { unknownEngineMetadata } from 'core/helpers/engines-display-data';
 import { module, test } from 'qunit';
-import engineDisplayData, { unknownEngineMetadata } from 'vault/helpers/engines-display-data';
 import { ALL_ENGINES } from 'vault/utils/all-engines-metadata';
 
 module('Unit | Helper | engines-display-data', function () {
diff --git a/ui/tests/unit/helpers/has-option-groups-test.ts b/ui/tests/unit/helpers/has-option-groups-test.ts
new file mode 100644
index 0000000000..b811a9542b
--- /dev/null
+++ b/ui/tests/unit/helpers/has-option-groups-test.ts
@@ -0,0 +1,69 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import type Helper from '@ember/component/helper';
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+
+module('Unit | Helper | has-option-groups', function (hooks) {
+  setupTest(hooks);
+
+  let helper: Helper;
+
+  hooks.beforeEach(function () {
+    helper = this.owner.lookup('helper:has-option-groups') as Helper;
+  });
+
+  test('returns false for null or undefined', function (assert) {
+    assert.false(helper.compute([null], {}), 'returns false for null');
+    assert.false(helper.compute([undefined], {}), 'returns false for undefined');
+  });
+
+  test('returns false for empty array', function (assert) {
+    assert.false(helper.compute([[]], {}), 'returns false for empty array');
+  });
+
+  test('returns false for flat array of strings', function (assert) {
+    const flatArray = ['option1', 'option2', 'option3'];
+    assert.false(helper.compute([flatArray], {}), 'returns false for flat string array');
+  });
+
+  test('returns false for flat array of objects without group property', function (assert) {
+    const flatObjects = [
+      { value: 'opt1', displayName: 'Option 1' },
+      { value: 'opt2', displayName: 'Option 2' },
+    ];
+    assert.false(helper.compute([flatObjects], {}), 'returns false for objects without group property');
+  });
+
+  test('returns true for array with grouped options', function (assert) {
+    const groupedArray = [
+      {
+        group: 'Group A',
+        options: ['option1', 'option2'],
+      },
+      {
+        group: 'Group B',
+        options: [
+          { value: 'opt3', displayName: 'Option 3' },
+          { value: 'opt4', displayName: 'Option 4' },
+        ],
+      },
+    ];
+    assert.true(helper.compute([groupedArray], {}), 'returns true for grouped options');
+  });
+
+  test('returns true if any item has group property', function (assert) {
+    const mixedArray = [
+      'simpleString',
+      { value: 'opt1', displayName: 'Option 1' },
+      {
+        group: 'Group C',
+        options: ['option3'],
+      },
+    ];
+    assert.true(helper.compute([mixedArray], {}), 'returns true when at least one item has group property');
+  });
+});
diff --git a/ui/tests/unit/models/secret-engine-test.js b/ui/tests/unit/models/secret-engine-test.js
index 9fee14dfef..3c60cadd99 100644
--- a/ui/tests/unit/models/secret-engine-test.js
+++ b/ui/tests/unit/models/secret-engine-test.js
@@ -3,7 +3,6 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import sinon from 'sinon';
 import { module, test } from 'qunit';
 import { setupTest } from 'ember-qunit';
 
@@ -408,25 +407,4 @@ module('Unit | Model | secret-engine', function (hooks) {
       assert.strictEqual(model.localDisplay, 'replicated');
     });
   });
-
-  module('saveZeroAddressConfig', function () {
-    test('calls save with correct params', async function (assert) {
-      assert.expect(1);
-      const model = this.store.createRecord('secret-engine', {});
-      const saveStub = sinon.stub(model, 'save').callsFake((params) => {
-        assert.deepEqual(
-          params,
-          {
-            adapterOptions: {
-              adapterMethod: 'saveZeroAddressConfig',
-            },
-          },
-          'send correct params to save'
-        );
-        return;
-      });
-      await model.saveZeroAddressConfig();
-      saveStub.restore();
-    });
-  });
 });
diff --git a/ui/tests/unit/services/api-test.js b/ui/tests/unit/services/api-test.js
index a499f4ce39..fcecc7cee8 100644
--- a/ui/tests/unit/services/api-test.js
+++ b/ui/tests/unit/services/api-test.js
@@ -116,7 +116,7 @@ module('Unit | Service | api', function (hooks) {
 
   test('it should show warnings', async function (assert) {
     const warnings = JSON.stringify({ warnings: ['warning1', 'warning2'] });
-    const response = new Response(warnings, { headers: { 'Content-Length': warnings.length } });
+    const response = new Response(warnings, { headers: { 'Content-Type': 'application/json' } });
 
     await this.apiService.showWarnings({ response });
 
@@ -131,7 +131,7 @@ module('Unit | Service | api', function (hooks) {
   });
 
   test('it should check for control group', async function (assert) {
-    const headers = new Headers({ 'Content-Length': '100', 'X-Vault-Wrap-TTL': 1800 });
+    const headers = new Headers({ 'Content-Type': 'application/json', 'X-Vault-Wrap-TTL': 1800 });
     const body = { data: null, wrap_info: this.wrapInfo };
     const init = { headers: new Headers({ 'X-Vault-Token': this.wrapInfo.token }) };
     const apiResponse = new Response(JSON.stringify(body), { headers });
diff --git a/ui/tests/unit/services/custom-messages-test.js b/ui/tests/unit/services/custom-messages-test.js
index 24e557e7e5..19f29f472b 100644
--- a/ui/tests/unit/services/custom-messages-test.js
+++ b/ui/tests/unit/services/custom-messages-test.js
@@ -49,11 +49,11 @@ module('Unit | Service | custom-messages', function (hooks) {
       };
     });
 
-    this.authServiceStub = sinon.stub(this.owner.lookup('service:auth'), 'currentToken').value('token');
+    this.currentTokenStub = sinon.stub(this.owner.lookup('service:auth'), 'currentToken').value('token');
   });
 
   test('it should fetch unauthenticated messages', async function (assert) {
-    this.authServiceStub.reset();
+    this.currentTokenStub.value(undefined);
     await this.customMessages.fetchMessages();
 
     assert.true(this.unauthMessagesApiStub.called, 'API call made for unauthenticated messages');
diff --git a/ui/tests/unit/services/namespace-test.js b/ui/tests/unit/services/namespace-test.js
index ba1e6387a6..7f9562815c 100644
--- a/ui/tests/unit/services/namespace-test.js
+++ b/ui/tests/unit/services/namespace-test.js
@@ -5,7 +5,7 @@
 
 import { module, test } from 'qunit';
 import { setupTest } from 'ember-qunit';
-import { ADMINISTRATIVE_NAMESPACE, ROOT_NAMESPACE } from 'vault/services/namespace';
+import { ADMINISTRATIVE_NAMESPACE, ROOT_NAMESPACE } from 'vault/utils/constants/namespace';
 import sinon from 'sinon';
 import { getErrorResponse } from 'vault/tests/helpers/api/error-response';
 
diff --git a/ui/tests/unit/services/path-help-test.js b/ui/tests/unit/services/path-help-test.js
index 86cf21ceee..483dbd10ae 100644
--- a/ui/tests/unit/services/path-help-test.js
+++ b/ui/tests/unit/services/path-help-test.js
@@ -97,7 +97,7 @@ module('Unit | Service | path-help', function (hooks) {
         assert.notOk(true, 'this method should not be called');
         return reject();
       });
-      const modelType = 'totp-key';
+      const modelType = 'cluster';
       await this.pathHelp.getNewModel(modelType, 'my-kv').then(() => {
         assert.true(true, 'getNewModel resolves');
       });
diff --git a/ui/tests/unit/services/snippet-test.js b/ui/tests/unit/services/snippet-test.js
new file mode 100644
index 0000000000..26143822bb
--- /dev/null
+++ b/ui/tests/unit/services/snippet-test.js
@@ -0,0 +1,160 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupTest } from 'ember-qunit';
+import { CreationMethod } from 'vault/utils/constants/snippet';
+
+const TF_SNIPPET = 'resource "vault_mount" "example" {}';
+const API_SNIPPET = 'curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/test';
+const CLI_SNIPPET = 'vault write test/path key=value';
+
+const CUSTOM_TABS = [
+  { key: 'api', label: 'API', snippet: API_SNIPPET },
+  { key: 'cli', label: 'CLI', snippet: CLI_SNIPPET },
+];
+
+module('Unit | Service | snippet', function (hooks) {
+  setupTest(hooks);
+
+  hooks.beforeEach(function () {
+    this.service = this.owner.lookup('service:snippet');
+  });
+
+  module('default state', function () {
+    test('selectedTabIdx defaults to 0', function (assert) {
+      assert.strictEqual(this.service.selectedTabIdx, 0);
+    });
+
+    test('creationMethodChoice defaults to TERRAFORM', function (assert) {
+      assert.strictEqual(this.service.creationMethodChoice, CreationMethod.TERRAFORM);
+    });
+
+    test('codeSnippet defaults to null', function (assert) {
+      assert.strictEqual(this.service.codeSnippet, null);
+    });
+  });
+
+  module('#reset', function () {
+    test('resets service state to defaults', function (assert) {
+      this.service.selectedTabIdx = 1;
+      this.service.creationMethodChoice = CreationMethod.APICLI;
+      this.service.codeSnippet = TF_SNIPPET;
+
+      this.service.reset();
+
+      assert.strictEqual(this.service.selectedTabIdx, 0);
+      assert.strictEqual(this.service.creationMethodChoice, CreationMethod.TERRAFORM);
+      assert.strictEqual(this.service.codeSnippet, null);
+    });
+
+    test('accepts an initial creation method', function (assert) {
+      this.service.reset(CreationMethod.APICLI);
+
+      assert.strictEqual(this.service.creationMethodChoice, CreationMethod.APICLI);
+      assert.strictEqual(this.service.selectedTabIdx, 0);
+      assert.strictEqual(this.service.codeSnippet, null);
+    });
+  });
+
+  module('#persistSnippet', function () {
+    test('sets codeSnippet to tfSnippet when method is TERRAFORM', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.TERRAFORM;
+
+      this.service.persistSnippet(TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, TF_SNIPPET);
+    });
+
+    test('sets codeSnippet to the selected tab snippet when method is APICLI', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.APICLI;
+      this.service.selectedTabIdx = 0;
+
+      this.service.persistSnippet(TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, API_SNIPPET);
+    });
+
+    test('sets codeSnippet to the CLI tab when selectedTabIdx is 1', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.APICLI;
+      this.service.selectedTabIdx = 1;
+
+      this.service.persistSnippet(TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, CLI_SNIPPET);
+    });
+
+    test('sets codeSnippet to null when method is UI', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.UI;
+
+      this.service.persistSnippet(TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, null);
+    });
+
+    test('sets codeSnippet to null when APICLI tab index is out of range', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.APICLI;
+      this.service.selectedTabIdx = 99;
+
+      this.service.persistSnippet(TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, null);
+    });
+  });
+
+  module('#setCreationMethod', function () {
+    test('updates creationMethodChoice', function (assert) {
+      this.service.setCreationMethod(CreationMethod.APICLI, TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.creationMethodChoice, CreationMethod.APICLI);
+    });
+
+    test('persists the correct snippet after changing to TERRAFORM', function (assert) {
+      this.service.setCreationMethod(CreationMethod.TERRAFORM, TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, TF_SNIPPET);
+    });
+
+    test('persists the correct snippet after changing to APICLI', function (assert) {
+      this.service.selectedTabIdx = 0;
+      this.service.setCreationMethod(CreationMethod.APICLI, TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, API_SNIPPET);
+    });
+
+    test('clears codeSnippet when changing to UI', function (assert) {
+      this.service.codeSnippet = TF_SNIPPET;
+      this.service.setCreationMethod(CreationMethod.UI, TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, null);
+    });
+  });
+
+  module('#setSelectedTab', function () {
+    test('updates selectedTabIdx', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.APICLI;
+
+      this.service.setSelectedTab(1, TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.selectedTabIdx, 1);
+    });
+
+    test('persists the snippet for the newly selected tab', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.APICLI;
+
+      this.service.setSelectedTab(1, TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, CLI_SNIPPET);
+    });
+
+    test('persists tfSnippet if method is still TERRAFORM when tab changes', function (assert) {
+      this.service.creationMethodChoice = CreationMethod.TERRAFORM;
+
+      this.service.setSelectedTab(1, TF_SNIPPET, CUSTOM_TABS);
+
+      assert.strictEqual(this.service.codeSnippet, TF_SNIPPET);
+    });
+  });
+});
diff --git a/ui/tests/unit/services/wizard-test.js b/ui/tests/unit/services/wizard-test.js
index 204ef25961..ea9e16e254 100644
--- a/ui/tests/unit/services/wizard-test.js
+++ b/ui/tests/unit/services/wizard-test.js
@@ -7,8 +7,13 @@ import { module, test } from 'qunit';
 import { setupTest } from 'ember-qunit';
 import sinon from 'sinon';
 import localStorage from 'vault/lib/local-storage';
+import { DISMISSED_WIZARD_KEY } from 'vault/utils/constants/wizard';
 
-const DISMISSED_WIZARD_KEY = 'dismissed-wizards';
+const STEPS = [
+  { title: 'Step 1', component: 'wizard/step-1' },
+  { title: 'Step 2', component: 'wizard/step-2' },
+  { title: 'Step 3', component: 'wizard/step-3' },
+];
 
 module('Unit | Service | wizard', function (hooks) {
   setupTest(hooks);
@@ -232,4 +237,126 @@ module('Unit | Service | wizard', function (hooks) {
       assert.false(this.service.isIntroVisible('wizard3'), 'wizard3 is not visible');
     });
   });
+
+  /* Step state management */
+  module('#getState / #updateState', function () {
+    test('getState returns empty object for uninitialized wizard', function (assert) {
+      assert.deepEqual(this.service.getState('namespace'), {}, 'returns empty object when not set');
+    });
+
+    test('updateState sets a single key without mutating other keys', function (assert) {
+      this.service.updateState('namespace', 'choice', 'strict');
+
+      assert.strictEqual(this.service.getState('namespace').choice, 'strict', 'updates the specified key');
+    });
+
+    test('successive updates accumulate correctly', function (assert) {
+      this.service.updateState('namespace', 'choice', 'strict');
+      this.service.updateState('namespace', 'data', ['ns1', 'ns2']);
+
+      const state = this.service.getState('namespace');
+      assert.strictEqual(state.choice, 'strict', 'first update persists');
+      assert.deepEqual(state.data, ['ns1', 'ns2'], 'second update persists');
+    });
+
+    test('updating one wizard does not affect another', function (assert) {
+      this.service.updateState('namespace', 'choice', 'strict');
+
+      assert.strictEqual(this.service.getState('namespace').choice, 'strict', 'namespace updated');
+      assert.strictEqual(this.service.getState('acl-policy').choice, undefined, 'acl-policy unchanged');
+    });
+  });
+
+  module('#clearWizardState', function () {
+    test('resets state to empty object and step to 0', function (assert) {
+      this.service.updateState('namespace', 'choice', 'strict');
+      this.service.setCurrentStep('namespace', 2);
+
+      this.service.clearWizardState('namespace');
+
+      assert.deepEqual(this.service.getState('namespace'), {}, 'state is empty after clear');
+      assert.strictEqual(this.service.getCurrentStep('namespace'), 0, 'step resets to 0');
+    });
+
+    test('preserves step configuration after clear', function (assert) {
+      this.service.setSteps('namespace', STEPS);
+
+      this.service.clearWizardState('namespace');
+
+      assert.deepEqual(this.service.getSteps('namespace'), STEPS, 'step config is preserved');
+    });
+  });
+
+  module('#getCurrentStep / #setCurrentStep', function () {
+    test('returns 0 for uninitialized wizard', function (assert) {
+      assert.strictEqual(this.service.getCurrentStep('namespace'), 0, 'defaults to 0');
+    });
+
+    test('setCurrentStep updates the active step', function (assert) {
+      this.service.setCurrentStep('namespace', 2);
+
+      assert.strictEqual(this.service.getCurrentStep('namespace'), 2, 'step is updated');
+    });
+
+    test('step changes for one wizard do not affect another', function (assert) {
+      this.service.setCurrentStep('namespace', 1);
+
+      assert.strictEqual(this.service.getCurrentStep('namespace'), 1, 'namespace at step 1');
+      assert.strictEqual(this.service.getCurrentStep('acl-policy'), 0, 'acl-policy still at step 0');
+    });
+  });
+
+  module('#getSteps / #setSteps', function () {
+    test('getSteps returns empty array for uninitialized wizard', function (assert) {
+      assert.deepEqual(this.service.getSteps('namespace'), [], 'returns empty array');
+    });
+
+    test('setSteps replaces the step configuration', function (assert) {
+      this.service.setSteps('namespace', STEPS);
+
+      assert.deepEqual(this.service.getSteps('namespace'), STEPS, 'step config is stored');
+    });
+
+    test('setSteps for one wizard does not affect another', function (assert) {
+      this.service.setSteps('namespace', STEPS);
+
+      assert.strictEqual(this.service.getSteps('namespace').length, 3, 'namespace has 3 steps');
+      assert.deepEqual(this.service.getSteps('acl-policy'), [], 'acl-policy still has no steps');
+    });
+  });
+
+  module('#isFinalStep', function () {
+    test('returns false for uninitialized wizard (no steps)', function (assert) {
+      assert.false(this.service.isFinalStep('namespace'), 'returns false when no steps registered');
+    });
+
+    test('returns false when not on the last step', function (assert) {
+      this.service.setSteps('namespace', STEPS);
+
+      assert.false(this.service.isFinalStep('namespace'), 'returns false on step 0 of 3');
+
+      this.service.setCurrentStep('namespace', 1);
+      assert.false(this.service.isFinalStep('namespace'), 'returns false on step 1 of 3');
+    });
+
+    test('returns true when on the last step', function (assert) {
+      this.service.setSteps('namespace', STEPS);
+      this.service.setCurrentStep('namespace', 2);
+
+      assert.true(this.service.isFinalStep('namespace'), 'returns true on final step');
+    });
+
+    test('reflects the new final step after setSteps reduces the step count', function (assert) {
+      this.service.setSteps('namespace', STEPS);
+      this.service.setCurrentStep('namespace', 1);
+
+      // Reduce to 2 steps — step 1 is now the final step
+      this.service.setSteps('namespace', [STEPS[0], STEPS[2]]);
+
+      assert.true(
+        this.service.isFinalStep('namespace'),
+        'correctly identifies new final step after setSteps'
+      );
+    });
+  });
 });
diff --git a/ui/tests/unit/utils/chart-helpers-test.js b/ui/tests/unit/utils/chart-helpers-test.js
index dc04fd5ff4..791e6dacb3 100644
--- a/ui/tests/unit/utils/chart-helpers-test.js
+++ b/ui/tests/unit/utils/chart-helpers-test.js
@@ -3,66 +3,76 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { numericalAxisLabel, calculateAverage, calculateSum } from 'vault/utils/chart-helpers';
+import { calculateSum, toFixedDisplay } from 'vault/utils/chart-helpers';
 import { module, test } from 'qunit';
 
-const SMALL_NUMBERS = [0, 7, 27, 103, 999];
-const LARGE_NUMBERS = {
-  1001: '1k',
-  1245: '1.2k',
-  33777: '34k',
-  532543: '530k',
-  2100100: '2.1M',
-  54500200100: '55B',
-};
-
 module('Unit | Utility | chart-helpers', function () {
-  test('numericalAxisLabel renders number correctly', function (assert) {
-    assert.expect(12);
-    const method = numericalAxisLabel();
-    assert.ok(method);
-    SMALL_NUMBERS.forEach(function (num) {
-      assert.strictEqual(numericalAxisLabel(num), num, `Does not format small number ${num}`);
-    });
-    Object.keys(LARGE_NUMBERS).forEach(function (num) {
-      const expected = LARGE_NUMBERS[num];
-      assert.strictEqual(numericalAxisLabel(num), expected, `Formats ${num} as ${expected}`);
-    });
-  });
-
-  test('calculateAverage is accurate', function (assert) {
-    const testArray1 = [
-      { label: 'foo', value: 10 },
-      { label: 'bar', value: 22 },
-    ];
-    const testArray2 = [
-      { label: 'foo', value: undefined },
-      { label: 'bar', value: 22 },
-    ];
-    const testArray3 = [{ label: 'foo' }, { label: 'bar' }];
-    const getAverage = (array) => array.reduce((a, b) => a + b, 0) / array.length;
-    assert.strictEqual(calculateAverage(null), null, 'returns null if dataset it null');
-    assert.strictEqual(calculateAverage([]), null, 'returns null if dataset it empty array');
-    assert.strictEqual(
-      calculateAverage(testArray1, 'value'),
-      getAverage([10, 22]),
-      `returns correct average for array of objects`
-    );
-    assert.strictEqual(
-      calculateAverage(testArray2, 'value'),
-      getAverage([0, 22]),
-      `returns correct average for array of objects containing undefined values`
-    );
-    assert.strictEqual(
-      calculateAverage(testArray3, 'value'),
-      null,
-      'returns null when object key does not exist at all'
-    );
-  });
-
   test('calculateSum adds array of numbers', function (assert) {
     assert.strictEqual(calculateSum([2, 3]), 5, 'it sums array');
     assert.strictEqual(calculateSum(['one', 2]), null, 'returns null if array contains non-integers');
     assert.strictEqual(calculateSum('not an array'), null, 'returns null if an array is not passed');
   });
+
+  test('calculateSum with fixedDecimalPlaces parameter', function (assert) {
+    assert.strictEqual(calculateSum([2.5, 3.7], 1), 6.2, 'rounds sum to 1 decimal place');
+    assert.strictEqual(calculateSum([2.5555, 3.7777], 2), 6.33, 'rounds sum to 2 decimal places');
+    assert.strictEqual(
+      calculateSum([48.7888, 0.0112], 4),
+      48.8,
+      'handles floating-point precision issues with 4 decimal places'
+    );
+    assert.strictEqual(
+      calculateSum([73.1832, 0.0168], 4),
+      73.2,
+      'correctly sums and rounds to 4 decimal places'
+    );
+    assert.strictEqual(
+      calculateSum([10, 20, 30], 4),
+      60,
+      'works with whole numbers when fixedDecimalPlaces is provided'
+    );
+    assert.strictEqual(
+      calculateSum([1.11111, 2.22222, 3.33333], 4),
+      6.6667,
+      'rounds sum of multiple numbers to 4 decimal places'
+    );
+    assert.strictEqual(calculateSum([0.1, 0.2], 4), 0.3, 'handles classic floating-point issue (0.1 + 0.2)');
+    assert.strictEqual(calculateSum([2, 3], 0), 5, 'rounds to 0 decimal places (whole number)');
+  });
+
+  test('toFixedDisplay formats numbers with fixed decimal places', function (assert) {
+    assert.strictEqual(toFixedDisplay(48.8, 4), '48.8000', 'formats number with trailing zeros');
+    assert.strictEqual(toFixedDisplay(73.2, 4), '73.2000', 'preserves 4 decimal places');
+    assert.strictEqual(toFixedDisplay(100, 2), '100.00', 'formats whole number with decimals');
+    assert.strictEqual(toFixedDisplay(0, 4), 0, 'returns 0 as number, not formatted string');
+    assert.strictEqual(toFixedDisplay(1.23456, 2), '1.23', 'rounds to specified decimal places');
+    assert.strictEqual(toFixedDisplay('not a number', 4), 'not a number', 'returns non-number as-is');
+    assert.strictEqual(toFixedDisplay(5.5, -1), 5.5, 'returns number as-is for negative decimal places');
+  });
+
+  test('calculateSum and toFixedDisplay work together', function (assert) {
+    const sum1 = calculateSum([48.7888, 0.0112], 4);
+    assert.strictEqual(sum1, 48.8, 'calculateSum returns number with fixed precision');
+    assert.strictEqual(
+      toFixedDisplay(sum1, 4),
+      '48.8000',
+      'toFixedDisplay formats for display with trailing zeros'
+    );
+
+    const sum2 = calculateSum([73.1832, 0.0168], 4);
+    assert.strictEqual(sum2, 73.2, 'calculateSum handles floating-point precision');
+    assert.strictEqual(toFixedDisplay(sum2, 4), '73.2000', 'toFixedDisplay preserves trailing zeros');
+
+    const sum3 = calculateSum([10, 20, 30], 4);
+    assert.strictEqual(sum3, 60, 'calculateSum works with whole numbers');
+    assert.strictEqual(
+      toFixedDisplay(sum3, 4),
+      '60.0000',
+      'toFixedDisplay adds decimal places to whole numbers'
+    );
+
+    const sum4 = calculateSum([0, 0, 0], 4);
+    assert.strictEqual(sum4, 0, 'calculateSum returns 0 for zero sum');
+    assert.strictEqual(toFixedDisplay(sum4, 4), 0, 'toFixedDisplay returns 0 as-is, not formatted');
+  });
 });
diff --git a/ui/tests/unit/utils/form-config-generator-test.js b/ui/tests/unit/utils/form-config-generator-test.js
new file mode 100644
index 0000000000..caf6b7ecd9
--- /dev/null
+++ b/ui/tests/unit/utils/form-config-generator-test.js
@@ -0,0 +1,295 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { prepFormConfig, generateConfigContent } from 'vault/utils/form-config-generator';
+import { OAS_STUB as SPEC } from 'vault/tests/helpers/stubs';
+
+module('Unit | Utility | form-config-generator', function ({ beforeEach }) {
+  beforeEach(function () {
+    // This is essentially what happens in the `main()` function
+    // within the CLI script generate-form-configs.ts
+    this.config = prepFormConfig(SPEC, 'mountsEnableSecretsEngine');
+    this.result = generateConfigContent(this.config);
+  });
+
+  module('#prepFormConfig', function () {
+    test('returns null for unknown operation', function (assert) {
+      const result = prepFormConfig(SPEC, 'unknownOperation');
+      assert.strictEqual(result, null, 'returns null for unknown operation');
+    });
+
+    test('returns `name`, `apiClass`, and `requestType` properties', function (assert) {
+      assert.propContains(
+        this.config,
+        {
+          name: 'mountsEnableSecretsEngine',
+          apiClass: 'sys',
+          requestType: 'SystemApiMountsEnableSecretsEngineOperationRequest',
+        },
+        'config contains expected name, apiClass, and requestType'
+      );
+    });
+
+    module('`payload` object', function () {
+      test('includes expected default values', function (assert) {
+        assert.deepEqual(
+          this.config.payload,
+          {
+            path: '',
+            MountsEnableSecretsEngineRequest: {
+              config: {},
+              description: '',
+              local: false,
+              options: {},
+              plugin_name: '',
+              plugin_version: '',
+              seal_wrap: false,
+              type: '',
+              allowed_managed_keys: [],
+            },
+          },
+          'payload matches expected structure and defaults'
+        );
+      });
+
+      test('does not include deprecated properties', function (assert) {
+        const { properties } = SPEC.components.schemas.MountsEnableSecretsEngineRequest;
+        const deprecatedProperties = Object.keys(properties).filter((p) => properties[p].deprecated);
+        const payloadKeys = Object.keys(this.config.payload.MountsEnableSecretsEngineRequest);
+
+        // Double-check that the fixture actually includes deprecated properties
+        assert.true(deprecatedProperties.length > 0, 'fixture includes deprecated properties');
+
+        assert.notPropContains(
+          payloadKeys,
+          deprecatedProperties,
+          'payload does not include deprecated properties'
+        );
+      });
+    });
+
+    module('`sections` array', function ({ beforeEach }) {
+      beforeEach(function () {
+        this.expectedSections = [
+          {
+            name: 'params',
+            fields: [
+              {
+                name: 'path',
+                type: 'TextInput',
+                label: 'Path',
+                helperText: 'The path to mount to. Example: "aws/east"',
+              },
+            ],
+          },
+          {
+            name: 'default',
+            fields: [
+              {
+                name: 'MountsEnableSecretsEngineRequest.config',
+                type: 'TextInput',
+                label: 'Config',
+                helperText: 'Configuration for this mount, such as default_lease_ttl and max_lease_ttl.',
+              },
+              {
+                name: 'MountsEnableSecretsEngineRequest.description',
+                type: 'TextInput',
+                label: 'Description',
+                helperText: 'User-friendly description for this mount.',
+              },
+              {
+                name: 'MountsEnableSecretsEngineRequest.local',
+                type: 'TextInput',
+                label: 'Local',
+                helperText:
+                  'Mark the mount as a local mount, which is not replicated and is unaffected by replication.',
+              },
+              {
+                name: 'MountsEnableSecretsEngineRequest.options',
+                type: 'TextInput',
+                label: 'Options',
+                helperText:
+                  'The options to pass into the backend. Should be a json object with string keys and values.',
+              },
+              {
+                name: 'MountsEnableSecretsEngineRequest.plugin_name',
+                type: 'TextInput',
+                label: 'Plugin name',
+                helperText:
+                  'Name of the plugin to mount based from the name registered in the plugin catalog.',
+              },
+              {
+                name: 'MountsEnableSecretsEngineRequest.plugin_version',
+                type: 'TextInput',
+                label: 'Plugin version',
+                helperText:
+                  'The semantic version of the plugin to use, or image tag if oci_image is provided.',
+              },
+              {
+                name: 'MountsEnableSecretsEngineRequest.type',
+                type: 'TextInput',
+                label: 'Type',
+                helperText: 'The type of the backend. Example: "passthrough"',
+              },
+            ],
+          },
+          {
+            name: 'Advanced',
+            fields: [
+              {
+                name: 'MountsEnableSecretsEngineRequest.seal_wrap',
+                type: 'TextInput',
+                label: 'Seal Wrap',
+                helperText: 'Whether to turn on seal wrapping for the mount.',
+              },
+              {
+                name: 'MountsEnableSecretsEngineRequest.allowed_managed_keys',
+                type: 'TextInput',
+                label: 'Allowed Managed Keys',
+                helperText: 'List of managed key names allowed for this mount.',
+              },
+            ],
+          },
+        ];
+      });
+
+      test('returns with expected fields', function (assert) {
+        assert.deepEqual(
+          this.config.sections,
+          this.expectedSections,
+          'sections match expected structure and fields'
+        );
+      });
+
+      test('excludes deprecated properties from sections', function (assert) {
+        const { properties } = SPEC.components.schemas.MountsEnableSecretsEngineRequest;
+        const deprecatedProperties = Object.keys(properties).filter((p) => properties[p].deprecated);
+        const allFieldNames = this.config.sections.flatMap((s) => s.fields.map((f) => f.name));
+
+        assert.notPropContains(
+          allFieldNames,
+          deprecatedProperties,
+          'sections do not include deprecated properties'
+        );
+      });
+
+      test('is grouped by x-vault-displayAttrs group', function (assert) {
+        const { properties } = SPEC.components.schemas.MountsEnableSecretsEngineRequest;
+
+        // Create a hashmap of expected groups and their field names based on the spec
+        // eg: { default: ['config', 'description', ...], Advanced: ['seal_wrap', ...] }
+        const expectedGroups = Object.keys(properties).reduce((acc, prop) => {
+          if (properties[prop].deprecated) {
+            return acc;
+          }
+          const displayAttrs = properties[prop]['x-vault-displayAttrs'];
+          const group = displayAttrs?.group || 'default';
+          if (!acc[group]) {
+            acc[group] = [];
+          }
+          acc[group].push(prop);
+          return acc;
+        }, {});
+
+        // Sections for path is less relevant...
+        // eslint-disable-next-line no-unused-vars, @typescript-eslint/no-unused-vars
+        const [_pathSection, ...propSections] = this.config.sections;
+
+        propSections.forEach((section) => {
+          const expectedFieldNames = expectedGroups[section.name];
+          const currentFieldNames = section.fields.map((f) =>
+            // Remove the prefix to match property names as field names
+            // as the prefix is utilized for mapping to the payload structure
+            f.name.replace('MountsEnableSecretsEngineRequest.', '')
+          );
+
+          assert.deepEqual(
+            currentFieldNames,
+            expectedFieldNames,
+            `${section.name} section contains correct fields from spec`
+          );
+        });
+      });
+
+      test('uses x-vault-displayAttrs.name as label when available', function (assert) {
+        const { properties } = SPEC.components.schemas.MountsEnableSecretsEngineRequest;
+
+        // Capture a list of fields that have x-vault-displayAttrs.name defined
+        const fieldsWithDisplayNames = Object.keys(properties).reduce((acc, prop) => {
+          const displayAttrs = properties[prop]['x-vault-displayAttrs'];
+          if (displayAttrs && displayAttrs.name && !properties[prop].deprecated) {
+            acc.push({ key: prop, label: displayAttrs.name });
+          }
+          return acc;
+        }, []);
+
+        fieldsWithDisplayNames.forEach(({ key, label }) => {
+          const field = this.config.sections
+            .flatMap((s) => s.fields)
+            .find((field) => field.name.endsWith(key));
+
+          assert.strictEqual(field?.label, label, `${key} uses x-vault-displayAttrs.name as label`);
+        });
+      });
+
+      test('falls back to sentence case for label when x-vault-displayAttrs.name is missing', function (assert) {
+        const defaultSection = this.config.sections.find((s) => s.name === 'default');
+        const pluginNameField = defaultSection.fields.find((f) => f.name.includes('plugin_name'));
+
+        assert.strictEqual(pluginNameField.label, 'Plugin name', 'falls back to sentence case for label');
+      });
+    });
+  });
+
+  module('#generateConfigContent', function () {
+    test('produces content with correct imports', function (assert) {
+      assert.true(
+        this.result.includes("import type ApiService from 'vault/services/api'"),
+        'includes ApiService import'
+      );
+      assert.true(
+        this.result.includes(`import type { ${this.config.requestType} }`),
+        'includes request type import'
+      );
+    });
+
+    test('produces content with correct name property', function (assert) {
+      assert.true(this.result.includes(`name: '${this.config.name}'`), 'includes correct name property');
+    });
+
+    test('produces content with correct submit implementation', function (assert) {
+      const expectedSubmit = `submit: async (api: ApiService, payload: ${this.config.requestType}) => {
+        return await api.${this.config.apiClass}.${this.config.name}Raw(payload);
+      },`;
+
+      assert.true(
+        this.result.includes(expectedSubmit),
+        'submit property has correct async function implementation'
+      );
+    });
+
+    test('produces content with correct payload', function (assert) {
+      assert.true(
+        this.result.includes(JSON.stringify(this.config.payload, null, 2)),
+        'payload matches config payload'
+      );
+    });
+
+    test('produces content with correct sections', function (assert) {
+      assert.true(
+        this.result.includes(JSON.stringify(this.config.sections, null, 2)),
+        'sections match config sections'
+      );
+    });
+
+    test('produces content with correct export statement', function (assert) {
+      assert.true(
+        this.result.includes(`export default ${this.config.name}Config`),
+        'exports config with correct name'
+      );
+    });
+  });
+});
diff --git a/ui/tests/unit/utils/keymgmt-provider-utils-test.ts b/ui/tests/unit/utils/keymgmt-provider-utils-test.ts
new file mode 100644
index 0000000000..5a7c1f08e4
--- /dev/null
+++ b/ui/tests/unit/utils/keymgmt-provider-utils-test.ts
@@ -0,0 +1,49 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { getKeymgmtProviderIcon, isValidProvider } from 'vault/utils/keymgmt-provider-utils';
+import { module, test } from 'qunit';
+
+module('Unit | Util | keymgmt-provider-utils', function () {
+  test('it returns true for valid provider strings', function (assert) {
+    assert.true(isValidProvider('azure-provider'), 'Valid provider name');
+    assert.true(isValidProvider('test-provider'), 'Another valid provider');
+    assert.true(isValidProvider('a'), 'Single character string');
+    assert.true(isValidProvider('  valid-provider  '), 'Provider with leading/trailing spaces');
+  });
+
+  test('it returns false for objects', function (assert) {
+    assert.false(isValidProvider({ permissionsError: true }), 'Object with permissionsError');
+    assert.false(isValidProvider({}), 'Empty object');
+    assert.false(isValidProvider({ name: 'provider' }), 'Object with properties');
+  });
+
+  test('it returns false for non-string primitives', function (assert) {
+    assert.false(isValidProvider(123), 'Number returns false');
+    assert.false(isValidProvider(true), 'Boolean true returns false');
+    assert.false(isValidProvider(false), 'Boolean false returns false');
+  });
+
+  test('it returns false for arrays', function (assert) {
+    assert.false(isValidProvider([]), 'Empty array');
+    assert.false(isValidProvider(['provider']), 'Array with string');
+  });
+
+  test('it returns provider-specific icons for known provider types', function (assert) {
+    assert.strictEqual(getKeymgmtProviderIcon('azurekeyvault'), 'azure-color', 'Azure icon is returned');
+    assert.strictEqual(getKeymgmtProviderIcon('awskms'), 'aws-color', 'AWS icon is returned');
+    assert.strictEqual(getKeymgmtProviderIcon('gcpckms'), 'gcp-color', 'GCP icon is returned');
+  });
+
+  test('it returns default icon for unknown or empty provider types', function (assert) {
+    assert.strictEqual(
+      getKeymgmtProviderIcon('unknown-provider'),
+      'key',
+      'Unknown provider uses default icon'
+    );
+    assert.strictEqual(getKeymgmtProviderIcon(''), 'key', 'Empty string uses default icon');
+    assert.strictEqual(getKeymgmtProviderIcon(), 'key', 'Undefined provider uses default icon');
+  });
+});
diff --git a/ui/tests/unit/utils/keymgmt-provider-validator-test.ts b/ui/tests/unit/utils/keymgmt-provider-validator-test.ts
new file mode 100644
index 0000000000..70902465d2
--- /dev/null
+++ b/ui/tests/unit/utils/keymgmt-provider-validator-test.ts
@@ -0,0 +1,33 @@
+/**
+ * Copyright IBM Corp. 2016, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { isValidProvider } from 'vault/utils/keymgmt-provider-validator';
+import { module, test } from 'qunit';
+
+module('Unit | Util | keymgmt-provider-validator', function () {
+  test('it returns true for valid provider strings', function (assert) {
+    assert.true(isValidProvider('azure-provider'), 'Valid provider name');
+    assert.true(isValidProvider('test-provider'), 'Another valid provider');
+    assert.true(isValidProvider('a'), 'Single character string');
+    assert.true(isValidProvider('  valid-provider  '), 'Provider with leading/trailing spaces');
+  });
+
+  test('it returns false for objects', function (assert) {
+    assert.false(isValidProvider({ permissionsError: true }), 'Object with permissionsError');
+    assert.false(isValidProvider({}), 'Empty object');
+    assert.false(isValidProvider({ name: 'provider' }), 'Object with properties');
+  });
+
+  test('it returns false for non-string primitives', function (assert) {
+    assert.false(isValidProvider(123), 'Number returns false');
+    assert.false(isValidProvider(true), 'Boolean true returns false');
+    assert.false(isValidProvider(false), 'Boolean false returns false');
+  });
+
+  test('it returns false for arrays', function (assert) {
+    assert.false(isValidProvider([]), 'Empty array');
+    assert.false(isValidProvider(['provider']), 'Array with string');
+  });
+});
diff --git a/ui/tests/unit/utils/metric-helpers-test.js b/ui/tests/unit/utils/metric-helpers-test.js
new file mode 100644
index 0000000000..fe265e6c06
--- /dev/null
+++ b/ui/tests/unit/utils/metric-helpers-test.js
@@ -0,0 +1,124 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { normalizeMetricData } from 'vault/utils/metrics-helpers';
+import { module, test } from 'qunit';
+
+module('Unit | Utility | metric utils', function () {
+  test('normalizeMetricData returns undefined for null or undefined input', function (assert) {
+    assert.strictEqual(normalizeMetricData(null), undefined, 'Returns undefined for null input');
+    assert.strictEqual(normalizeMetricData(undefined), undefined, 'Returns undefined for undefined input');
+  });
+
+  test('normalizeMetricData returns all zeros for missing usage_metrics', function (assert) {
+    const metric = {
+      month: '2026-03',
+      updated_at: '2026-04-01T06:59:59Z',
+      usage_metrics: [
+        {
+          metric_data: {
+            metric_details: [],
+            total: 0,
+          },
+          metric_name: 'static_secrets',
+        },
+        {
+          metric_data: {
+            metric_details: [],
+            total: 0,
+          },
+          metric_name: 'dynamic_roles',
+        },
+        {
+          metric_data: {
+            metric_details: [],
+            total: 0,
+          },
+          metric_name: 'auto_rotated_roles',
+        },
+        {
+          metric_data: {
+            used_in_month: false,
+          },
+          metric_name: 'kmip',
+        },
+        {
+          metric_data: {
+            total: 0,
+          },
+          metric_name: 'external_plugins',
+        },
+        {
+          metric_data: {
+            metric_details: [],
+            total: 0,
+          },
+          metric_name: 'data_protection_calls',
+        },
+        {
+          metric_data: {
+            total: 0,
+          },
+          metric_name: 'pki_units',
+        },
+        {
+          metric_data: {
+            metric_details: [],
+            total: 0,
+          },
+          metric_name: 'managed_keys',
+        },
+      ],
+    };
+    const expected = {
+      auto_rotated_roles_total: 0,
+      credential_units_total: 0,
+      data_protection_calls_gcpkms: 0,
+      data_protection_calls_total: 0,
+      data_protection_calls_transform: 0,
+      data_protection_calls_transit: 0,
+      dynamic_roles_total: 0,
+      external_plugins_total: 0,
+      id_token_units_oidc: 0,
+      id_token_units_spiffe: 0,
+      id_token_units_total: 0,
+      kmip_used_in_month: false,
+      managed_keys: 0,
+      managed_keys_kmse: 0,
+      managed_keys_total: 0,
+      managed_keys_totp: 0,
+      pki_units_total: 0,
+      ssh_units: 0,
+      ssh_units_certificate_units: 0,
+      ssh_units_otp_units: 0,
+      ssh_units_total: 0,
+      static_secrets_kv: 0,
+      static_secrets_total: 0,
+    };
+    assert.deepEqual(normalizeMetricData(metric), expected, 'Returns all zeros for missing usage_metrics');
+  });
+
+  test('normalizeMetricData handles metric_details with missing type or count', function (assert) {
+    const metric = {
+      usage_metrics: [
+        {
+          metric_name: 'static_secrets',
+          metric_data: {
+            total: 5,
+            metric_details: [
+              { type: 'kv', count: 5 },
+              { type: null, count: 3 },
+              { type: 'foo' },
+              { count: 2 },
+            ],
+          },
+        },
+      ],
+    };
+    const result = normalizeMetricData(metric);
+    assert.strictEqual(result.static_secrets_kv, 5, 'Only valid detail is included');
+    assert.strictEqual(result.static_secrets_foo, undefined, 'Detail with missing count is ignored');
+  });
+});
diff --git a/ui/tests/unit/utils/model-helpers/secret-engine-helpers-test.js b/ui/tests/unit/utils/model-helpers/secret-engine-helpers-test.js
index 26acba9527..8d65647020 100644
--- a/ui/tests/unit/utils/model-helpers/secret-engine-helpers-test.js
+++ b/ui/tests/unit/utils/model-helpers/secret-engine-helpers-test.js
@@ -86,6 +86,21 @@ module('Unit | Utility | model-helpers/secret-engine-helpers', function () {
         'transform/alphabet',
         'returns transform/alphabet when tab is alphabet'
       );
+      assert.strictEqual(
+        getModelTypeForEngine('transform', { itemType: 'alphabet' }),
+        'transform/alphabet',
+        'returns transform/alphabet when itemType is alphabet'
+      );
+      assert.strictEqual(
+        getModelTypeForEngine('transform', { itemType: 'role' }),
+        'transform/role',
+        'returns transform/role when itemType is role'
+      );
+      assert.strictEqual(
+        getModelTypeForEngine('transform', { itemType: 'template' }),
+        'transform/template',
+        'returns transform/template when itemType is template'
+      );
 
       // Test precedence: secret name should override query params
       assert.strictEqual(
diff --git a/ui/tests/unit/utils/paginate-list-test.js b/ui/tests/unit/utils/paginate-list-test.js
index 616a574970..2b6ad8ad1c 100644
--- a/ui/tests/unit/utils/paginate-list-test.js
+++ b/ui/tests/unit/utils/paginate-list-test.js
@@ -59,7 +59,7 @@ module('Unit | Utility | paginate-list', function (hooks) {
       nextPage: 3,
       prevPage: 1,
       total: 20,
-      filteredTotal: 3,
+      filteredTotal: 20,
       pageSize: 3,
     };
     assert.deepEqual(meta, expectedMeta, 'returns correct meta data');
@@ -70,4 +70,37 @@ module('Unit | Utility | paginate-list', function (hooks) {
     const expected = [18, 19];
     assert.deepEqual(paginatedData, expected, 'returns correct items for last page');
   });
+
+  test('filteredTotal reflects total matching items', function (assert) {
+    // 20 items, filter matches first 6 (0-5), paginate to page 1 with size 4
+    const data = Array.from({ length: 20 }, (_, i) => ({ id: i, name: i < 6 ? `match-${i}` : `skip-${i}` }));
+    const { meta } = paginate(data, { page: 1, pageSize: 4, filter: 'match', filterKey: 'name' });
+    assert.strictEqual(meta.filteredTotal, 6, 'filteredTotal is total matching items across all pages');
+    assert.strictEqual(meta.lastPage, 2, 'lastPage is based on filteredTotal');
+  });
+
+  test('it should reset to page 1 when page exceeds lastPage', function (assert) {
+    // 20 items, pageSize 10 = 2 pages; requesting page 5 should fall back to page 1
+    const paginatedData = paginate(this.items, { page: 5, pageSize: 10 });
+    assert.deepEqual(
+      paginatedData,
+      this.items.slice(0, 10),
+      'returns first page of items when page is out of bounds'
+    );
+    assert.strictEqual(
+      paginatedData.meta.currentPage,
+      1,
+      'currentPage in meta is 1, not the out-of-bounds page'
+    );
+  });
+
+  test('meta currentPage matches actual data shown when page is out of bounds', function (assert) {
+    const { meta } = paginate(this.items, { page: 99, pageSize: 5 });
+    assert.strictEqual(
+      meta.currentPage,
+      1,
+      'currentPage in meta reflects actual page shown, not requested page'
+    );
+    assert.strictEqual(meta.lastPage, 4, 'lastPage is computed correctly');
+  });
 });
diff --git a/ui/types/global.d.ts b/ui/types/global.d.ts
index ee00d44d52..444f065e23 100644
--- a/ui/types/global.d.ts
+++ b/ui/types/global.d.ts
@@ -17,3 +17,7 @@ declare module '@icholy/duration' {
 }
 
 declare module 'vault/tests/helpers/vault-keys';
+
+declare module '@carbon/charts/styles.css';
+
+declare module 'sinon';
diff --git a/ui/types/vault/app-types.ts b/ui/types/vault/app-types.ts
index aab8d63cda..59d1a807e3 100644
--- a/ui/types/vault/app-types.ts
+++ b/ui/types/vault/app-types.ts
@@ -4,6 +4,7 @@
  */
 import type EmberDataModel from 'ember-data/model'; // eslint-disable-line ember/use-ember-data-rfc-395-imports
 import type Owner from '@ember/owner';
+import type { WIZARD_ID_MAP } from 'vault/utils/constants/wizard';
 
 // Type that comes back from expandAttributeMeta
 export interface FormField {
@@ -153,3 +154,5 @@ export interface SearchSelectOption {
 export interface StringMap {
   [key: string]: string;
 }
+
+export type WizardId = (typeof WIZARD_ID_MAP)[keyof typeof WIZARD_ID_MAP];
diff --git a/ui/types/vault/auth/methods.d.ts b/ui/types/vault/auth/methods.d.ts
index 9ae3163692..6ef0c12a80 100644
--- a/ui/types/vault/auth/methods.d.ts
+++ b/ui/types/vault/auth/methods.d.ts
@@ -41,6 +41,12 @@ interface AuthResponseDataKey extends SharedAuthResponseData {
 }
 
 // METHOD SPECIFIC RESPONSES
+export interface CertLoginApiResponse extends ApiResponse {
+  auth: AuthResponseAuthKey & {
+    metadata: { cert_name: string; common_name: string };
+  };
+}
+
 export interface GithubLoginApiResponse extends ApiResponse {
   auth: AuthResponseAuthKey & {
     metadata: { org: string; username: string };
diff --git a/ui/types/vault/billing/overview.ts b/ui/types/vault/billing/overview.ts
new file mode 100644
index 0000000000..b1c16b5e5b
--- /dev/null
+++ b/ui/types/vault/billing/overview.ts
@@ -0,0 +1,34 @@
+/**
+ * Copyright IBM Corp. 2016, 2025
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export enum MetricNameEnum {
+  STATIC_SECRETS = 'static_secrets',
+  DATA_PROTECTION_CALLS = 'data_protection_calls',
+  MANAGED_KEYS = 'managed_keys',
+  KMIP = 'kmip',
+  EXTERNAL_PLUGINS = 'external_plugins',
+  DYNAMIC_ROLES = 'dynamic_roles',
+  PKI_UNITS = 'pki_units',
+  SSH_UNITS = 'ssh_units',
+}
+
+export interface Month {
+  month: string;
+  updated_at: string;
+  usage_metrics: MetricData[];
+}
+
+export interface MetricData {
+  metric_name: MetricNameEnum;
+  metric_data: {
+    metric_details: Array<{ type: string; count: number }>;
+    used_in_month?: boolean;
+    total: number;
+  };
+}
+
+export interface NormalizedMetricsData {
+  [key: string]: number | boolean | undefined;
+}
diff --git a/ui/types/vault/client-counts/activity-api.ts b/ui/types/vault/client-counts/activity-api.ts
index 22e584e8e9..8680e533f5 100644
--- a/ui/types/vault/client-counts/activity-api.ts
+++ b/ui/types/vault/client-counts/activity-api.ts
@@ -133,3 +133,11 @@ export type Activity = {
   by_month: ByMonthClients[];
   by_namespace: ByNamespaceClients[];
 };
+
+export type ActivityData = {
+  by_namespace: NamespaceObject[];
+  end_time: string;
+  start_time: string;
+  total: TotalClients;
+  by_month: ActivityMonthBlock[];
+};
diff --git a/ui/types/vault/helpers/sync-destinations.d.ts b/ui/types/vault/helpers/sync-destinations.d.ts
index 2cf3089a17..0cfe82ae26 100644
--- a/ui/types/vault/helpers/sync-destinations.d.ts
+++ b/ui/types/vault/helpers/sync-destinations.d.ts
@@ -3,7 +3,8 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { DestinationName, DestinationType } from 'vault/sync';
+import { DestinationType } from 'sync/utils/constants';
+import { DestinationName, DestinationRoleTypeOption } from 'vault/sync';
 
 export interface SyncDestination {
   name: DestinationName;
@@ -13,4 +14,5 @@ export interface SyncDestination {
   maskedParams: Array<string>;
   readonlyParams: Array<string>;
   defaultValues: object;
+  roleTypeOptions?: Array<DestinationRoleTypeOption>;
 }
diff --git a/ui/types/vault/models/secret-engine.d.ts b/ui/types/vault/models/secret-engine.d.ts
index bdef49e118..eb72c0c6f9 100644
--- a/ui/types/vault/models/secret-engine.d.ts
+++ b/ui/types/vault/models/secret-engine.d.ts
@@ -42,7 +42,6 @@ export default class SecretEngineModel extends Model {
   get formFields(): Array<FormField>;
   get formFieldGroups(): FormFieldGroups;
   destroyRecord(): void;
-  saveZeroAddressConfig(): Promise;
   validate(): ModelValidations;
   // need to override isNew which is a computed prop and ts will complain since it sees it as a function
   isNew: boolean;
diff --git a/ui/types/vault/sync.d.ts b/ui/types/vault/sync.d.ts
index 546a94c82c..12f2199c0d 100644
--- a/ui/types/vault/sync.d.ts
+++ b/ui/types/vault/sync.d.ts
@@ -8,6 +8,7 @@ import type AzureKvForm from 'vault/forms/sync/azure-kv';
 import type GcpSmForm from 'vault/forms/sync/gcp-sm';
 import type GhForm from 'vault/forms/sync/gh';
 import type VercelProjectForm from 'vault/forms/sync/vercel-project';
+import type { CredentialType, DestinationType } from 'sync/utils/constants';
 
 export type ListDestination = {
   id: string;
@@ -54,8 +55,6 @@ export type AssociationMetrics = {
   total_secrets: number;
 };
 
-export type DestinationType = 'aws-sm' | 'azure-kv' | 'gcp-sm' | 'gh' | 'vercel-project';
-
 export type DestinationName =
   | 'AWS Secrets Manager'
   | 'Azure Key Vault'
@@ -77,6 +76,9 @@ export type DestinationConnectionDetails = {
   // aws-sm
   access_key_id?: string;
   secret_access_key?: string;
+  role_arn?: string;
+  external_id?: string;
+  credential_type?: CredentialType; // Frontend field indicating ACCOUNT or WIF, not a part of API payload
   region?: string;
   // azure-kv
   key_vault_uri?: string;
@@ -86,6 +88,8 @@ export type DestinationConnectionDetails = {
   cloud?: string;
   // gcp
   credentials?: string;
+  service_account_email?: string;
+  project_id?: string;
   // gh
   access_token?: string;
   repository_owner?: string;
@@ -95,6 +99,10 @@ export type DestinationConnectionDetails = {
   project_id?: string;
   team_id?: string;
   deployment_environments?: array;
+  // common wif fields
+  identity_token_audience?: string;
+  identity_token_key?: string;
+  identity_token_ttl?: number;
 };
 
 export type DestinationOptions = {
@@ -104,4 +112,10 @@ export type DestinationOptions = {
   custom_tags?: Record<string, string>;
 };
 
+export interface DestinationRoleTypeOption {
+  title: string;
+  description: string;
+  value: CredentialType;
+}
+
 export type DestinationForm = AwsSmForm | AzureKvForm | GcpSmForm | GhForm | VercelProjectForm;
diff --git a/ui/vault-reporting/0.21.0.tgz b/ui/vault-reporting/0.21.0.tgz
new file mode 100644
index 0000000000..9c087d11a6
Binary files /dev/null and b/ui/vault-reporting/0.21.0.tgz differ
diff --git a/ui/vault-reporting/0.8.0.tgz b/ui/vault-reporting/0.8.0.tgz
deleted file mode 100644
index e5e223836d..0000000000
Binary files a/ui/vault-reporting/0.8.0.tgz and /dev/null differ
diff --git a/vault/acl.go b/vault/acl.go
index 84c6de6649..ee73d8044c 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -26,6 +26,8 @@ import (
 // ACL is used to wrap a set of policies to provide
 // an efficient interface for access control.
 type ACL struct {
+	entAcl
+
 	// exactRules contains the path policies that are exact
 	exactRules *radix.Tree
 
@@ -34,7 +36,7 @@ type ACL struct {
 
 	segmentWildcardPaths map[string]interface{}
 
-	// root is enabled if the "root" named policy is present.
+	// root is enabled if the "root" named policy is present
 	root bool
 
 	// Stores policies that are actually RGPs for later fetching
@@ -49,6 +51,7 @@ type PolicyCheckOpts struct {
 }
 
 type AuthResults struct {
+	entAuthResults
 	ACLResults      *ACLResults
 	SentinelResults *SentinelResults
 	Allowed         bool
@@ -358,6 +361,11 @@ func (a *ACL) Capabilities(ctx context.Context, path string) []string {
 
 // AllowOperation is used to check if the given operation is permitted.
 func (a *ACL) AllowOperation(ctx context.Context, req *logical.Request, capCheckOnly bool) (ret *ACLResults) {
+	ret = a.performEnterpriseAclChecks(ctx, req, capCheckOnly)
+	if ret != nil {
+		return ret
+	}
+
 	ret = new(ACLResults)
 
 	// Fast-path root
diff --git a/vault/acl_ce.go b/vault/acl_ce.go
new file mode 100644
index 0000000000..c352b1288a
--- /dev/null
+++ b/vault/acl_ce.go
@@ -0,0 +1,21 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import (
+	"context"
+
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+type (
+	entAcl         struct{}
+	entAuthResults struct{}
+)
+
+func (a *ACL) performEnterpriseAclChecks(_ context.Context, _ *logical.Request, _ bool) (ret *ACLResults) {
+	return nil
+}
diff --git a/vault/audit.go b/vault/audit.go
index f26d9f99a2..53279cc925 100644
--- a/vault/audit.go
+++ b/vault/audit.go
@@ -132,7 +132,11 @@ func (c *Core) enableAudit(ctx context.Context, entry *MountEntry, updateStorage
 
 		if c.pluginDirectory != "" {
 			// Validate that the audit log file is not in the plugin directory
-			auditDir := filepath.Dir(entry.Options["file_path"])
+			auditPath := entry.Options["file_path"]
+			if auditPath == "" {
+				auditPath = entry.Options["path"]
+			}
+			auditDir := filepath.Dir(auditPath)
 			auditDir, err = filepath.Abs(auditDir)
 			if err != nil {
 				return fmt.Errorf("error getting absolute path of audit dir for audit validation: %w", err)
diff --git a/vault/audit_test.go b/vault/audit_test.go
index 76b34b2db8..24df2633dd 100644
--- a/vault/audit_test.go
+++ b/vault/audit_test.go
@@ -681,7 +681,6 @@ func TestAuditBroker_AuditHeaders(t *testing.T) {
 // only options on a non-Enterprise version of Vault.
 func TestAudit_enableAudit(t *testing.T) {
 	cluster := NewTestCluster(t, nil, &TestClusterOptions{NumCores: 1})
-	defer cluster.Cleanup()
 
 	c := cluster.Cores[0]
 
@@ -707,7 +706,6 @@ func TestAudit_enableAudit(t *testing.T) {
 // with Enterprise only options on a non-Enterprise version of Vault.
 func TestAudit_newAuditBackend(t *testing.T) {
 	cluster := NewTestCluster(t, nil, &TestClusterOptions{NumCores: 1})
-	defer cluster.Cleanup()
 
 	c := cluster.Cores[0]
 
diff --git a/vault/bench/smoke_bench_test.go b/vault/bench/smoke_bench_test.go
index 4b6acc07b4..aa090e3dcd 100644
--- a/vault/bench/smoke_bench_test.go
+++ b/vault/bench/smoke_bench_test.go
@@ -74,10 +74,9 @@ func BenchmarkSmoke_ClusterCreation(b *testing.B) {
 	bench := func(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			cluster := vault.NewTestCluster(b, &vault.CoreConfig{}, &vault.TestClusterOptions{
+			_ = vault.NewTestCluster(b, &vault.CoreConfig{}, &vault.TestClusterOptions{
 				HandlerFunc: vaulthttp.Handler,
 			})
-			cluster.Cleanup()
 		}
 	}
 
diff --git a/vault/billing/billing_counts.go b/vault/billing/billing_counts.go
index 4c03a55a6a..09312e49ac 100644
--- a/vault/billing/billing_counts.go
+++ b/vault/billing/billing_counts.go
@@ -13,10 +13,22 @@ import (
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/helper/timeutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	uberatomic "go.uber.org/atomic"
 )
 
 const (
+	// DefaultBillingRetentionMonths is the default number of months of billing data to retain.
+	// This includes the current month plus previous months (e.g., 37 = current + 36 previous months).
+	DefaultBillingRetentionMonths = 37
+
+	// MinBillingRetentionMonths is the minimum allowed retention period (13 months = 1 year + current month)
+	MinBillingRetentionMonths = 13
+
+	// MaxBillingRetentionMonths is the maximum allowed retention period (72 months = 6 years)
+	MaxBillingRetentionMonths = 72
+
 	BillingSubPath                          = "billing/"
+	BillingConfigPath                       = "config"
 	ReplicatedPrefix                        = "replicated/"
 	RoleHWMCountsHWM                        = "maxRoleCounts/"
 	TotpHWMCountsHWM                        = "maxTotpCounts/"
@@ -24,10 +36,17 @@ const (
 	KmseHWMCountsHWM                        = "maxKmseCounts/"
 	TransitDataProtectionCallCountsPrefix   = "transitDataProtectionCallCounts/"
 	TransformDataProtectionCallCountsPrefix = "transformDataProtectionCallCounts/"
+	GcpKmsDataProtectionCallCountsPrefix    = "gcpKmsDataProtectionCallCounts/"
 	LocalPrefix                             = "local/"
 	ThirdPartyPluginsPrefix                 = "thirdPartyPluginCounts/"
 	KmipEnabledPrefix                       = "kmipEnabled/"
 	PkiDurationAdjustedCountPrefix          = "normalizedCertsIssued/"
+	SpiffeJwtNormalizedTokenUnits           = "spiffeJwtNormalizedTokenUnits/"
+	MetricsLastUpdatedAtPrefix              = "metricsLastUpdatedAt/"
+	SSHCertificateMetric                    = "ssh/normalized-certs-issued"
+	SSHOTPMetric                            = "ssh/credential-count"
+	OidcDurationAdjustedCountPrefix         = "oidcNormalizedTokenUnits/"
+	ExternalCaDurationAdjustedCountPrefix   = "externalCaNormalizedCertsIssued/"
 
 	BillingWriteInterval = 10 * time.Minute
 	// pluginCountsSendTimeout is the timeout for sending plugin counts to the active node
@@ -50,10 +69,10 @@ type ConsumptionBilling struct {
 	// This is used to avoid scanning all mounts every 10 minutes for KMIP billing detection.
 	KmipSeenEnabledThisMonth atomic.Bool
 
-	// LastMetricsUpdate tracks when billing metrics were last updated, either by the background worker
-	// or by the billing endpoint API call. This timestamp is used by the billing overview endpoint to
-	// indicate data freshness.
-	LastMetricsUpdate atomic.Value
+	IdentityTokenUnits IdentityTokenUnits
+
+	// ExternalCaCertUnits tracks duration-adjusted PKI external CA certificate units
+	ExternalCaCertUnits *uberatomic.Float64
 }
 
 type BillingConfig struct {
@@ -82,6 +101,18 @@ func GetMonthlyBillingPath(localPrefix string, now time.Time) string {
 type DataProtectionCallCounts struct {
 	Transit   *atomic.Uint64 `json:"transit,omitempty"`
 	Transform *atomic.Uint64 `json:"transform,omitempty"`
+	GcpKms    *atomic.Uint64 `json:"gcpkms,omitempty"`
+}
+
+// IdentityTokenUnits tracks billing metrics for identity and authentication services
+type IdentityTokenUnits struct {
+	// OidcTokenDuration tracks the token duration units (seconds, not duration-adjusted) for billing purposes in memory.
+	// This value is normalized before flushing to storage and is reset to 0 after flush in UpdateOidcDurationAdjustedCount.
+	OidcTokenDuration *uberatomic.Float64 `json:"oidc,omitempty"`
+
+	// SpiffeJwt stores duration-adjusted JWT token units as float64
+	// We need to use the uberAtomic package to store atomic float64 values
+	SpiffeJwt *uberatomic.Float64 `json:"spiffe_jwt,omitempty"`
 }
 
 var _ logical.ConsumptionBillingManager = (*ConsumptionBilling)(nil)
@@ -108,6 +139,32 @@ func (s *ConsumptionBilling) WriteBillingData(ctx context.Context, mountType str
 		}
 
 		s.DataProtectionCallCounts.Transform.Add(val)
+	case "spiffe":
+		// SPIFFE JWT uses float64 for duration-adjusted units
+		val, ok := data["units"].(float64)
+		if !ok {
+			err := fmt.Errorf("invalid value type for spiffe")
+			return err
+		}
+
+		s.IdentityTokenUnits.SpiffeJwt.Add(val)
+	case "gcpkms":
+		val, ok := data["count"].(uint64)
+		if !ok {
+			err := fmt.Errorf("invalid value type for gcp kms")
+			return err
+		}
+
+		s.DataProtectionCallCounts.GcpKms.Add(val)
+	case "external-ca":
+		// External CA uses float64 for duration-adjusted units
+		val, ok := data["units"].(float64)
+		if !ok {
+			err := fmt.Errorf("invalid value type for external-ca")
+			return err
+		}
+
+		s.ExternalCaCertUnits.Add(val)
 	default:
 		err := fmt.Errorf("unknown metric type: %s", mountType)
 		return err
diff --git a/vault/cluster_test.go b/vault/cluster_test.go
index 4f0d9d9652..195e392314 100644
--- a/vault/cluster_test.go
+++ b/vault/cluster_test.go
@@ -98,8 +98,6 @@ func TestCluster_ListenForRequests(t *testing.T) {
 	cluster := NewTestCluster(t, nil, &TestClusterOptions{
 		KeepStandbysSealed: true,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	cores := cluster.Cores
 
 	// Wait for core to become active
@@ -216,8 +214,6 @@ func testCluster_ForwardRequestsCommon(t *testing.T, clusterOpts *TestClusterOpt
 		w.WriteHeader(203)
 		w.Write([]byte("core3"))
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	root := cluster.RootToken
 
diff --git a/vault/consumption_billing.go b/vault/consumption_billing.go
index e26417e9bd..76f6857757 100644
--- a/vault/consumption_billing.go
+++ b/vault/consumption_billing.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/hashicorp/vault/helper/timeutil"
 	"github.com/hashicorp/vault/vault/billing"
+	uberAtomic "go.uber.org/atomic"
 )
 
 var (
@@ -29,10 +30,22 @@ func (c *Core) setupConsumptionBilling(ctx context.Context) error {
 		DataProtectionCallCounts: billing.DataProtectionCallCounts{
 			Transit:   &atomic.Uint64{},
 			Transform: &atomic.Uint64{},
+			GcpKms:    &atomic.Uint64{},
 		},
-		Logger: logger,
+		IdentityTokenUnits: billing.IdentityTokenUnits{
+			OidcTokenDuration: uberAtomic.NewFloat64(0),
+			SpiffeJwt:         uberAtomic.NewFloat64(0),
+		},
+		ExternalCaCertUnits: uberAtomic.NewFloat64(0),
+		Logger:              logger,
+	}
+	if c.systemBarrierView != nil {
+		c.consumptionBillingSubView = c.systemBarrierView.SubView(billing.BillingSubPath)
+	} else {
+		c.consumptionBilling.Logger.Error("system barrier view is not initialized, consumption billing view is not initialized")
 	}
 	c.consumptionBillingLock.Unlock()
+
 	c.postUnsealFuncs = append(c.postUnsealFuncs, func() {
 		c.consumptionBillingMetricsWorker(ctx)
 		// Start the perf standby plugin counts worker if this is a perf standby
@@ -74,18 +87,18 @@ func (c *Core) consumptionBillingMetricsWorker(ctx context.Context) {
 			}
 			return d
 		}
-		endOfMonth := clock.NewTimer(untilNextMonth(clock.Now()))
+		endOfMonth := clock.NewTimer(untilNextMonth(clock.Now().UTC()))
 		for {
 			select {
 			case <-ticker.C:
-				if err := c.updateBillingMetrics(ctx, clock.Now()); err != nil {
+				if err := c.updateBillingMetrics(ctx, clock.Now().UTC()); err != nil {
 					c.logger.Error("error updating billing metrics", "error", err)
 				}
 			case <-ctx.Done():
 				return
 			case <-endOfMonth.C:
 				// Reset the timer for the next month
-				currentMonth := clock.Now()
+				currentMonth := clock.Now().UTC()
 				c.logger.Debug("reached end of month, resetting timer", "currentMonth", currentMonth)
 				previousMonth := timeutil.StartOfPreviousMonth(currentMonth)
 				// On month boundary, we need to flush the current in-memory counts to storage
@@ -101,29 +114,39 @@ func (c *Core) consumptionBillingMetricsWorker(ctx context.Context) {
 }
 
 // HandleStartOfMonth cleans up monthly billing data from
-// n-2 months ago, and also resets all in memory billing metrics when the start of the month is reached.
+// n-BillingRetentionMonths ago (keeping BillingRetentionMonths of data), and also resets all in memory billing metrics when the start of the month is reached.
 func (c *Core) HandleStartOfMonth(ctx context.Context, currentMonth time.Time) {
 	c.logger.Info("handling start of month operations", "currentMonth", currentMonth)
-	// We only delete n-2 month billing metrics on the active node
+	// We only delete data older than BillingRetentionMonths on the active node
 	if standby, _ := c.Standby(); !standby && !c.PerfStandby() {
-		if err := c.deletePreviousMonthBillingMetrics(ctx, currentMonth); err != nil {
-			c.logger.Error("error deleting historical month billing metrics", "error", err)
+		if err := c.deleteExpiredBillingMetrics(ctx, currentMonth); err != nil {
+			c.logger.Error("error deleting expired billing metrics", "error", err)
 		}
 	}
 	if err := c.resetInMemoryBillingMetrics(); err != nil {
 		c.logger.Error("error resetting in memory billing metrics", "error", err)
 	}
+	// Reset the metrics last update time to zero time to indicate new month data hasn't been updated yet
+	c.UpdateMetricsLastUpdateTime(ctx, currentMonth, time.Time{})
 }
 
-func (c *Core) deletePreviousMonthBillingMetrics(ctx context.Context, currentMonth time.Time) error {
-	twoMonthsAgo := timeutil.StartOfPreviousMonth(currentMonth).AddDate(0, -1, 0)
+func (c *Core) deleteExpiredBillingMetrics(ctx context.Context, currentMonth time.Time) error {
+	// Get the configured retention period
+	retentionMonths, err := c.GetBillingRetentionMonths(ctx)
+	if err != nil {
+		c.logger.Warn("failed to get billing retention configuration, using default")
+		retentionMonths = billing.DefaultBillingRetentionMonths
+	}
+
+	// Delete data from retentionMonths ago (keeping current month + previous (retentionMonths - 1) months = retentionMonths total)
+	monthToDelete := timeutil.StartOfMonth(currentMonth).AddDate(0, -retentionMonths, 0)
 	// Delete billing metrics from both replicated and local prefixes
 	for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
 		// If we are not the primary, then do not delete replicate metrics
 		if !c.isPrimary() && pathPrefix == billing.ReplicatedPrefix {
 			continue
 		}
-		billingPath := billing.GetMonthlyBillingPath(pathPrefix, twoMonthsAgo)
+		billingPath := billing.GetMonthlyBillingPath(pathPrefix, monthToDelete)
 		view, ok := c.GetBillingSubView()
 		if !ok {
 			return ErrCouldNotGetBillingSubView
@@ -133,9 +156,27 @@ func (c *Core) deletePreviousMonthBillingMetrics(ctx context.Context, currentMon
 			return err
 		}
 		for _, segment := range metricPaths {
-			err = view.Delete(ctx, billingPath+segment)
-			if err != nil {
-				c.logger.Error("error deleting previous month billing metric", "error", err, "metricPath", billingPath+segment)
+			fullPath := billingPath + segment
+			// If the segment ends with / - recursively delete its contents
+			// For example: ssh/normalized-certs-issued, ssh/credential-count
+			if len(segment) > 0 && segment[len(segment)-1] == '/' {
+				subPaths, err := view.List(ctx, fullPath)
+				if err != nil {
+					c.logger.Error("error listing path for deletion", "error", err, "path", fullPath)
+					continue
+				}
+				for _, subSegment := range subPaths {
+					err = view.Delete(ctx, fullPath+subSegment)
+					if err != nil {
+						c.logger.Error("error deleting previous month billing metric", "error", err, "metricPath", fullPath+subSegment)
+					}
+				}
+			} else {
+				// full path, delete it directly
+				err = view.Delete(ctx, fullPath)
+				if err != nil {
+					c.logger.Error("error deleting previous month billing metric", "error", err, "metricPath", fullPath)
+				}
 			}
 		}
 	}
@@ -143,17 +184,22 @@ func (c *Core) deletePreviousMonthBillingMetrics(ctx context.Context, currentMon
 }
 
 func (c *Core) resetInMemoryBillingMetrics() error {
-	// Reset Transit/Tranform DP counts
+	// Reset Transit/Transform DP counts and SPIFFE JWT identity counts
 	c.logger.Info("resetting in memory billing metrics")
 	c.consumptionBillingLock.Lock()
 	defer c.consumptionBillingLock.Unlock()
 	c.consumptionBilling.DataProtectionCallCounts.Transit.Store(0)
 	c.consumptionBilling.DataProtectionCallCounts.Transform.Store(0)
+	c.consumptionBilling.IdentityTokenUnits.SpiffeJwt.Store(0)
+	c.consumptionBilling.DataProtectionCallCounts.GcpKms.Store(0)
 	c.consumptionBilling.KmipSeenEnabledThisMonth.Store(false)
+	c.consumptionBilling.IdentityTokenUnits.OidcTokenDuration.Store(0)
+	c.consumptionBilling.ExternalCaCertUnits.Store(0)
 	return nil
 }
 
-func (c *Core) updateBillingMetrics(ctx context.Context, currentMonth time.Time) error {
+// updateBillingMetricsLocked must be called with stateLock already held.
+func (c *Core) updateBillingMetricsLocked(ctx context.Context, currentMonth time.Time) error {
 	// Check if systemBarrierView is initialized
 	c.mountsLock.RLock()
 	initialized := c.systemBarrierView != nil
@@ -162,38 +208,58 @@ func (c *Core) updateBillingMetrics(ctx context.Context, currentMonth time.Time)
 	if !initialized {
 		return nil
 	}
-	if c.PerfStandby() {
+	if c.perfStandby {
 		// We do not update billing metrics on performance standbys
 		// Instead we send any in memory counts to the primary. This doesn't apply
 		// to role counts, but will be used for other metrics
-	} else if standby, _ := c.Standby(); standby {
+	} else if c.standby {
 		// Do nothing if we are a standby. All requests get forwarded anyway
 	} else {
+		// Collect all mount metrics in a single pass through the mount table
+		metrics, err := c.CountMetricsFromMounts(true)
+		if err != nil {
+			c.logger.Error("error collecting mount metrics", "error", err)
+			return err
+		}
+
 		// The active node will need to flush max role counts to storage
 		if c.isPrimary() {
-			c.UpdateReplicatedHWMMetrics(ctx, currentMonth)
+			c.UpdateReplicatedHWMMetrics(ctx, currentMonth, metrics)
 		}
-		c.UpdateLocalHWMMetrics(ctx, currentMonth)
+		c.UpdateLocalHWMMetrics(ctx, currentMonth, metrics)
 		if err := c.UpdateLocalAggregatedMetrics(ctx, currentMonth); err != nil {
 			c.logger.Error("error updating cluster data protection call counts", "error", err)
 		} else {
 			c.logger.Info("updated cluster data protection call counts", "prefix", billing.LocalPrefix, "currentMonth", currentMonth)
 		}
 
-		c.consumptionBilling.LastMetricsUpdate.Store(time.Now().UTC())
+		// Store the last metrics update time. This is used to determine the freshness of the billing data.
+		// We store this on the active node only, since this is the node that updates the billing metrics.
+		// The standby nodes will replicate this value, so it will be available on all nodes, but we avoid
+		// having all nodes write to this value to avoid write conflicts.
+		c.UpdateMetricsLastUpdateTime(ctx, currentMonth, time.Now().UTC())
 	}
 	return nil
 }
 
-func (c *Core) UpdateReplicatedHWMMetrics(ctx context.Context, currentMonth time.Time) error {
-	_, _, err := c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.ReplicatedPrefix, currentMonth)
+func (c *Core) updateBillingMetrics(ctx context.Context, currentMonth time.Time) error {
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	return c.updateBillingMetricsLocked(ctx, currentMonth)
+}
+
+func (c *Core) UpdateReplicatedHWMMetrics(ctx context.Context, currentMonth time.Time, metrics *MountMetrics) error {
+	// Update role and managed key counts using pre-collected billing metric counts
+	_, _, err := c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.ReplicatedPrefix, currentMonth, metrics.ReplicatedRoleCounts, metrics.ReplicatedManagedKeys)
 	if err != nil {
 		c.logger.Error("error updating replicated max role and managed key counts", "error", err)
 		// We won't return an error. Instead we will log the errors and attempt to continue
 	} else {
 		c.logger.Info("updated replicated hwm role and managed key counts", "prefix", billing.ReplicatedPrefix, "currentMonth", currentMonth)
 	}
-	if _, err = c.UpdateMaxKvCounts(ctx, billing.ReplicatedPrefix, currentMonth); err != nil {
+
+	// Update KV counts using pre-collected KV mounts
+	if _, err = c.UpdateMaxKvCounts(ctx, billing.ReplicatedPrefix, currentMonth, metrics.ReplicatedKvCounts); err != nil {
 		// We won't return an error. Instead we will log the errors and attempt to continue
 		c.logger.Error("error updating replicated max kv counts", "error", err)
 	} else {
@@ -202,13 +268,16 @@ func (c *Core) UpdateReplicatedHWMMetrics(ctx context.Context, currentMonth time
 	return nil
 }
 
-func (c *Core) UpdateLocalHWMMetrics(ctx context.Context, currentMonth time.Time) error {
-	if _, _, err := c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.LocalPrefix, currentMonth); err != nil {
+func (c *Core) UpdateLocalHWMMetrics(ctx context.Context, currentMonth time.Time, metrics *MountMetrics) error {
+	// Update role and managed key counts using pre-collected billing metric counts
+	if _, _, err := c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.LocalPrefix, currentMonth, metrics.LocalRoleCounts, metrics.LocalManagedKeys); err != nil {
 		c.logger.Error("error updating local max role and managed key counts", "error", err)
 	} else {
 		c.logger.Info("updated local max role and managed key counts", "prefix", billing.LocalPrefix, "currentMonth", currentMonth)
 	}
-	if _, err := c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth); err != nil {
+
+	// Update KV counts using pre-collected KV mounts
+	if _, err := c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth, metrics.LocalKvCounts); err != nil {
 		c.logger.Error("error updating local max kv counts", "error", err)
 	} else {
 		c.logger.Info("updated local max kv counts", "prefix", billing.LocalPrefix, "currentMonth", currentMonth)
@@ -238,5 +307,17 @@ func (c *Core) UpdateLocalAggregatedMetrics(ctx context.Context, currentMonth ti
 	if _, err := c.UpdateTransformCallCounts(ctx, currentMonth); err != nil {
 		return fmt.Errorf("could not store transform data protection call counts: %w", err)
 	}
+	if err := c.UpdateOidcDurationAdjustedCount(ctx, currentMonth); err != nil {
+		return fmt.Errorf("could not store OIDC duration-adjusted token count: %w", err)
+	}
+	if _, err := c.UpdateSpiffeJwtTokenUnits(ctx, currentMonth); err != nil {
+		return fmt.Errorf("could not store SPIFFE JWT token units: %w", err)
+	}
+	if _, err := c.UpdateGcpKmsCallCounts(ctx, currentMonth); err != nil {
+		return fmt.Errorf("could not store GCP KMS data protection call counts: %w", err)
+	}
+	if _, err := c.UpdateExternalCaCertUnits(ctx, currentMonth); err != nil {
+		return fmt.Errorf("could not store external CA certificate units: %w", err)
+	}
 	return nil
 }
diff --git a/vault/consumption_billing_mounts.go b/vault/consumption_billing_mounts.go
new file mode 100644
index 0000000000..7534788131
--- /dev/null
+++ b/vault/consumption_billing_mounts.go
@@ -0,0 +1,310 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+package vault
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/pluginconsts"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault/billing"
+)
+
+// MountMetrics holds all metrics collected from a single mount table traversal.
+// It distinguishes between replicated and local mounts.
+type MountMetrics struct {
+	// ReplicatedRoleCounts contains role counts from replicated (non-local) mounts
+	ReplicatedRoleCounts *RoleCounts
+	// ReplicatedManagedKeys contains managed key counts from replicated mounts
+	ReplicatedManagedKeys *ManagedKeyCounts
+	// ReplicatedKvMounts contains KV counts from replicated mounts
+	ReplicatedKvCounts int
+	// LocalRoleCounts contains role counts from local mounts
+	LocalRoleCounts *RoleCounts
+	// LocalManagedKeys contains managed key counts from local mounts
+	LocalManagedKeys *ManagedKeyCounts
+	// LocalKvMounts contains KV counts from local mounts
+	LocalKvCounts int
+}
+
+// CountMetricsFromMounts performs a single iteration through mount entries
+// and collects all required metrics for both replicated and local mounts.
+func (c *Core) CountMetricsFromMounts(officialOnly bool) (*MountMetrics, error) {
+	if c.Sealed() {
+		return nil, fmt.Errorf("core is sealed, cannot access mount table")
+	}
+
+	c.mountsLock.RLock()
+	defer c.mountsLock.RUnlock()
+
+	metrics := &MountMetrics{
+		ReplicatedRoleCounts:  &RoleCounts{},
+		ReplicatedManagedKeys: &ManagedKeyCounts{},
+		ReplicatedKvCounts:    0,
+		LocalRoleCounts:       &RoleCounts{},
+		LocalManagedKeys:      &ManagedKeyCounts{},
+		LocalKvCounts:         0,
+	}
+
+	if c.mounts == nil {
+		return metrics, nil
+	}
+
+	ctx := namespace.RootContext(c.activeContext)
+
+	// Iterate through all mount entries
+	for _, entry := range c.mounts.Entries {
+		if officialOnly && !c.isOfficialPlugin(ctx, entry) {
+			continue
+		}
+
+		// Determine which metrics buckets to update based on mount locality
+		var targetRoleCounts *RoleCounts
+		var targetManagedKeys *ManagedKeyCounts
+		targetKvLocal := false
+
+		if entry.Local {
+			targetRoleCounts = metrics.LocalRoleCounts
+			targetManagedKeys = metrics.LocalManagedKeys
+			targetKvLocal = true
+		} else {
+			targetRoleCounts = metrics.ReplicatedRoleCounts
+			targetManagedKeys = metrics.ReplicatedManagedKeys
+		}
+
+		// Collect role counts and managed key counts based on plugin type
+		c.collectMountMetrics(ctx, entry, targetRoleCounts, targetManagedKeys)
+
+		// If this is a KV mount, gather its secret count and add to the total
+		if kvMount := getKVMountMetadata(entry); kvMount != nil {
+			c.walkKvMountSecrets(ctx, kvMount)
+			if targetKvLocal {
+				metrics.LocalKvCounts += kvMount.NumSecrets
+			} else {
+				metrics.ReplicatedKvCounts += kvMount.NumSecrets
+			}
+		}
+	}
+
+	return metrics, nil
+}
+
+// collectMountMetrics collects role counts and managed key counts for a specific mount entry
+// based on its plugin type. It updates the provided target metrics in place.
+func (c *Core) collectMountMetrics(ctx context.Context, entry *MountEntry, targetRoleCounts *RoleCounts, targetManagedKeys *ManagedKeyCounts) {
+	apiList := func(entry *MountEntry, apiPath string) []string {
+		listRequest := &logical.Request{
+			Operation: logical.ListOperation,
+			Path:      entry.namespace.Path + entry.Path + apiPath,
+		}
+
+		resp, err := c.router.Route(ctx, listRequest)
+		if err != nil || resp == nil || resp.Data == nil {
+			return nil
+		}
+
+		rawKeys, ok := resp.Data["keys"]
+		if !ok || rawKeys == nil {
+			return nil
+		}
+
+		// Type switch handles both the 'official' behavior and the 'generic' behavior
+		switch kt := rawKeys.(type) {
+		case []string:
+			// Existing plugins likely hit this path
+			return kt
+		case []interface{}:
+			// External/RPC plugins likely hit this path
+			keys := make([]string, 0, len(kt))
+			for _, k := range kt {
+				if s, ok := k.(string); ok {
+					keys = append(keys, s)
+				}
+			}
+			return keys
+		default:
+			// If it's something totally weird, we still fail safely
+			return nil
+		}
+	}
+
+	pluginName := getAdjustedPluginType(entry)
+	if pluginName == "" {
+		return
+	}
+
+	switch pluginName {
+	case pluginconsts.SecretEngineAWS:
+		dynamicRoles := apiList(entry, "roles")
+		targetRoleCounts.AWSDynamicRoles += len(dynamicRoles)
+		staticRoles := apiList(entry, "static-roles")
+		targetRoleCounts.AWSStaticRoles += len(staticRoles)
+
+	case pluginconsts.SecretEngineAzure:
+		dynamicRoles := apiList(entry, "roles")
+		targetRoleCounts.AzureDynamicRoles += len(dynamicRoles)
+		staticRoles := apiList(entry, "static-roles")
+		targetRoleCounts.AzureStaticRoles += len(staticRoles)
+
+	case pluginconsts.SecretEngineDatabase:
+		dynamicRoles := apiList(entry, "roles")
+		targetRoleCounts.DatabaseDynamicRoles += len(dynamicRoles)
+		staticRoles := apiList(entry, "static-roles")
+		targetRoleCounts.DatabaseStaticRoles += len(staticRoles)
+
+	case pluginconsts.SecretEngineGCP:
+		rolesets := apiList(entry, "rolesets")
+		targetRoleCounts.GCPRolesets += len(rolesets)
+		staticAccounts := apiList(entry, "static-accounts")
+		targetRoleCounts.GCPStaticAccounts += len(staticAccounts)
+		impersonatedAccounts := apiList(entry, "impersonated-accounts")
+		targetRoleCounts.GCPImpersonatedAccounts += len(impersonatedAccounts)
+
+	case pluginconsts.SecretEngineLDAP:
+		dynamicRoles := apiList(entry, "role")
+		targetRoleCounts.LDAPDynamicRoles += len(dynamicRoles)
+		staticRoles := apiList(entry, "static-role")
+		targetRoleCounts.LDAPStaticRoles += len(staticRoles)
+
+	case pluginconsts.SecretEngineOpenLDAP:
+		dynamicRoles := apiList(entry, "role")
+		targetRoleCounts.OpenLDAPDynamicRoles += len(dynamicRoles)
+		staticRoles := apiList(entry, "static-role")
+		targetRoleCounts.OpenLDAPStaticRoles += len(staticRoles)
+
+	case pluginconsts.SecretEngineAlicloud:
+		dynamicRoles := apiList(entry, "role")
+		targetRoleCounts.AlicloudDynamicRoles += len(dynamicRoles)
+
+	case pluginconsts.SecretEngineRabbitMQ:
+		dynamicRoles := apiList(entry, "roles")
+		targetRoleCounts.RabbitMQDynamicRoles += len(dynamicRoles)
+
+	case pluginconsts.SecretEngineConsul:
+		dynamicRoles := apiList(entry, "roles")
+		targetRoleCounts.ConsulDynamicRoles += len(dynamicRoles)
+
+	case pluginconsts.SecretEngineNomad:
+		dynamicRoles := apiList(entry, "role")
+		targetRoleCounts.NomadDynamicRoles += len(dynamicRoles)
+
+	case pluginconsts.SecretEngineKubernetes:
+		dynamicRoles := apiList(entry, "roles")
+		targetRoleCounts.KubernetesDynamicRoles += len(dynamicRoles)
+
+	case pluginconsts.SecretEngineMongoDBAtlas:
+		dynamicRoles := apiList(entry, "roles")
+		targetRoleCounts.MongoDBAtlasDynamicRoles += len(dynamicRoles)
+
+	case pluginconsts.SecretEngineTerraform:
+		dynamicRoles := apiList(entry, "role")
+		targetRoleCounts.TerraformCloudDynamicRoles += len(dynamicRoles)
+
+	case pluginconsts.SecretEngineTOTP:
+		keyCountPerEntry := apiList(entry, "keys")
+		targetManagedKeys.TotpKeys += len(keyCountPerEntry)
+
+	case pluginconsts.SecretEngineKeymgmt:
+		keyCountPerEntry := apiList(entry, "key")
+		targetManagedKeys.KmseKeys += len(keyCountPerEntry)
+
+	case pluginconsts.SecretEngineOS:
+		// OS plugin stores all accounts within each host entry
+		// List all hosts, then list accounts for each host
+		hosts := apiList(entry, "hosts/")
+		accountCount := 0
+		for _, host := range hosts {
+			if host == "" {
+				continue
+			}
+			hostName := strings.TrimSuffix(host, "/")
+			accounts := apiList(entry, "hosts/"+hostName+"/accounts/")
+			accountCount += len(accounts)
+		}
+		targetRoleCounts.OSLocalAccountRoles += accountCount
+	}
+}
+
+// getKVMountMetadata creates and returns KV mount metadata if the entry is a KV mount.
+// Returns nil if the entry is not a KV mount. Includes all KV versions.
+func getKVMountMetadata(entry *MountEntry) *kvMount {
+	// Check if this is a KV mount (type kv or generic)
+	if entry.Type != pluginconsts.SecretEngineKV && entry.Type != pluginconsts.SecretEngineGeneric {
+		return nil
+	}
+
+	// Determine KV version from mount options
+	version, ok := entry.Options["version"]
+	if !ok || version == "" {
+		version = "1"
+	}
+
+	// Create KV mount metadata entry
+	return &kvMount{
+		Namespace:            entry.namespace,
+		MountPoint:           entry.Path,
+		MountAccessor:        entry.Accessor,
+		Version:              version,
+		NumSecrets:           0,
+		Local:                entry.Local,
+		RunningPluginVersion: entry.RunningVersion,
+	}
+}
+
+// isOfficialPlugin is a helper to determine if a mount entry is an official or builtin plugin
+func (c *Core) isOfficialPlugin(ctx context.Context, entry *MountEntry) bool {
+	pluginName := getAdjustedPluginType(entry)
+	if pluginName == "" {
+		return false
+	}
+
+	pluginVersion := entry.RunningVersion
+
+	runner, err := c.pluginCatalog.Get(ctx, pluginName, consts.PluginTypeSecrets, pluginVersion)
+	if err != nil {
+		return false
+	}
+
+	return isOfficialOrBuiltin(runner)
+}
+
+// GetRoleCounts returns the combined local and replicated role counts across all mounts
+// For use in tests only
+func (c *Core) GetRoleCounts() *RoleCounts {
+	m, err := c.CountMetricsFromMounts(false)
+	if err != nil {
+		return nil
+	}
+	return combineRoleCounts(m.LocalRoleCounts, m.ReplicatedRoleCounts)
+}
+
+// GetRoleAndManagedKeyCounts returns the local or replicated role and managed key counts depending on the mount type
+// For use in tests only
+func (c *Core) GetRoleAndManagedKeyCounts(mountType string) (*RoleCounts, *ManagedKeyCounts) {
+	m, err := c.CountMetricsFromMounts(true)
+	if err != nil {
+		return nil, nil
+	}
+	if mountType == billing.LocalPrefix {
+		return m.LocalRoleCounts, m.LocalManagedKeys
+	}
+	return m.ReplicatedRoleCounts, m.ReplicatedManagedKeys
+}
+
+// GetKvCounts returns the local or replicated KV counts depending on the mount type
+// For use in tests only
+func (c *Core) GetKvCounts(mountType string) int {
+	m, err := c.CountMetricsFromMounts(true)
+	if err != nil {
+		return 0
+	}
+	if mountType == billing.LocalPrefix {
+		return m.LocalKvCounts
+	}
+	return m.ReplicatedKvCounts
+}
diff --git a/vault/consumption_billing_mounts_test.go b/vault/consumption_billing_mounts_test.go
new file mode 100644
index 0000000000..4ae97632b2
--- /dev/null
+++ b/vault/consumption_billing_mounts_test.go
@@ -0,0 +1,198 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package vault
+
+import (
+	"context"
+	"encoding/hex"
+	"fmt"
+	"path/filepath"
+	"testing"
+	"time"
+
+	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
+	"github.com/hashicorp/vault/builtin/logical/totp"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/pluginconsts"
+	"github.com/hashicorp/vault/helper/testhelpers/pluginhelpers"
+	sdkconsts "github.com/hashicorp/vault/sdk/helper/consts"
+	sdkpluginutil "github.com/hashicorp/vault/sdk/helper/pluginutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
+)
+
+// TestCountMetricsFromMounts_LocalReplicatedMounts tests that CountMetricsFromMounts correctly separates
+// local and replicated mount metrics and returns the expected counts.
+func TestCountMetricsFromMounts_LocalReplicatedMounts(t *testing.T) {
+	// Set up core with 2 role backends, 1 managed key backend (TOTP), and KV backend
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			pluginconsts.SecretEngineAWS:      roleLogicalBackends[pluginconsts.SecretEngineAWS],
+			pluginconsts.SecretEngineDatabase: roleLogicalBackends[pluginconsts.SecretEngineDatabase],
+			pluginconsts.SecretEngineKV:       logicalKv.Factory,
+			pluginconsts.SecretEngineTOTP:     totp.Factory,
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	ctx := namespace.RootContext(context.Background())
+
+	// Create replicated and local mounts
+	mounts := []struct {
+		mountType string
+		path      string
+		keyName   string
+		local     bool
+		numKeys   int
+	}{
+		{pluginconsts.SecretEngineAWS, "aws", "role/", false, 10},
+		{pluginconsts.SecretEngineDatabase, "db", "role/", false, 10},
+		{pluginconsts.SecretEngineAWS, "local-aws", "static-roles/", true, 10},
+		{pluginconsts.SecretEngineDatabase, "local-db", "static-role/", true, 10},
+		{pluginconsts.SecretEngineTOTP, "totp", "my-key-%d", false, 10},
+		{pluginconsts.SecretEngineTOTP, "local-totp", "my-key-%d", true, 10},
+		{"kv-v1", "kv", "secret-%d", false, 10},
+		{"kv-v2", "local-kv", "secret-%d", true, 10},
+	}
+
+	for _, mount := range mounts {
+		createMount(t, ctx, core, root, mount.mountType, mount.path, mount.local)
+	}
+
+	// Sleep to prevent race conditions during the role initialization
+	time.Sleep(1 * time.Second)
+
+	core.mountsLock.RLock()
+	defer core.mountsLock.RUnlock()
+
+	// Add roles, managed keys, and kv secrets
+	for _, mount := range mounts {
+		switch mount.mountType {
+		case pluginconsts.SecretEngineAWS, pluginconsts.SecretEngineDatabase:
+			addRoleToStorage(t, core, mount.path, mount.keyName, mount.numKeys)
+		case pluginconsts.SecretEngineTOTP:
+			for i := 0; i < mount.numKeys; i++ {
+				keyName := fmt.Sprintf(mount.keyName, i)
+				addTotpKeyToStorage(t, ctx, core, mount.path, root, keyName)
+			}
+		case "kv-v1", "kv-v2":
+			for i := 0; i < mount.numKeys; i++ {
+				secretName := fmt.Sprintf(mount.keyName, i)
+				addKvSecretToStorage(t, ctx, core, mount.path, root, secretName, mount.mountType)
+			}
+		}
+	}
+
+	metrics, err := core.CountMetricsFromMounts(true)
+	require.NoError(t, err)
+	require.NotNil(t, metrics)
+
+	// Only fields for which the test added metrics should have counts, all others should be 0
+	expectedReplicatedRoleCounts := &RoleCounts{
+		AWSDynamicRoles:      10,
+		DatabaseDynamicRoles: 10,
+	}
+	expectedLocalRoleCounts := &RoleCounts{
+		AWSStaticRoles:      10,
+		DatabaseStaticRoles: 10,
+	}
+	expectedReplicatedManagedKeys := &ManagedKeyCounts{
+		TotpKeys: 10,
+	}
+	expectedLocalManagedKeys := &ManagedKeyCounts{
+		TotpKeys: 10,
+	}
+
+	// Verify counts
+	require.Equal(t, expectedReplicatedRoleCounts, metrics.ReplicatedRoleCounts)
+	require.Equal(t, expectedLocalRoleCounts, metrics.LocalRoleCounts)
+	require.Equal(t, expectedReplicatedManagedKeys, metrics.ReplicatedManagedKeys)
+	require.Equal(t, expectedLocalManagedKeys, metrics.LocalManagedKeys)
+	require.Equal(t, 10, metrics.ReplicatedKvCounts)
+	require.Equal(t, 10, metrics.LocalKvCounts)
+}
+
+// TestCountMetricsFromMounts_OfficialUnofficialMounts tests that CountMetricsFromMounts correctly
+// distinguishes between official and unofficial mounts and returns the expected counts depending
+// on if officialOnly is set.
+func TestCountMetricsFromMounts_OfficialUnofficialMounts(t *testing.T) {
+	pluginDir, err := filepath.EvalSymlinks(t.TempDir())
+	require.NoError(t, err)
+	coreConfig := &CoreConfig{
+		PluginDirectory: pluginDir,
+		LogicalBackends: map[string]logical.Factory{
+			pluginconsts.SecretEngineAWS:        roleLogicalBackends[pluginconsts.SecretEngineAWS],
+			pluginconsts.SecretEngineAzure:      roleLogicalBackends[pluginconsts.SecretEngineAzure],
+			pluginconsts.SecretEngineKubernetes: roleLogicalBackends[pluginconsts.SecretEngineKubernetes],
+		},
+	}
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+	ctx := namespace.RootContext(context.Background())
+
+	// Create official plugin mounts
+	createMount(t, ctx, core, root, pluginconsts.SecretEngineAWS, "aws", false)
+	createMount(t, ctx, core, root, pluginconsts.SecretEngineAzure, "azure", false)
+
+	// Register an unofficial kubernetes plugin
+	k8sPlugin := pluginhelpers.CompilePlugin(t, sdkconsts.PluginTypeSecrets, "v1.0.0", pluginDir)
+	k8sPlugin.Name = "kubernetes"
+	shaBytes, err := hex.DecodeString(k8sPlugin.Sha256)
+	require.NoError(t, err)
+
+	require.NoError(t, core.pluginCatalog.Set(ctx, sdkpluginutil.SetPluginInput{
+		Name:    k8sPlugin.Name,
+		Type:    k8sPlugin.Typ,
+		Version: k8sPlugin.Version,
+		Command: k8sPlugin.FileName,
+		Sha256:  shaBytes,
+	}))
+
+	// Add unofficial mount
+	mountEntry := &MountEntry{
+		Table:          mountTableType,
+		Path:           "kubernetes/",
+		namespace:      &namespace.Namespace{Path: ""},
+		Type:           k8sPlugin.Name,
+		Version:        k8sPlugin.Version,
+		RunningVersion: k8sPlugin.Version,
+	}
+	err = core.mount(ctx, mountEntry)
+	require.NoError(t, err)
+
+	// Sleep to prevent race conditions during the role initialization
+	time.Sleep(1 * time.Second)
+
+	core.mountsLock.RLock()
+	defer core.mountsLock.RUnlock()
+
+	// Add roles to mounts
+	addRoleToStorage(t, core, "aws", "role/", 5)
+	addRoleToStorage(t, core, "azure", "roles/", 5)
+	addRoleToStorage(t, core, "kubernetes", "roles/", 5)
+
+	// Get official-only counts, should not include kubernetes
+	metrics, err := core.CountMetricsFromMounts(true)
+	require.NoError(t, err)
+	require.NotNil(t, metrics)
+	require.Equal(t, 5, metrics.ReplicatedRoleCounts.AWSDynamicRoles)
+	require.Equal(t, 5, metrics.ReplicatedRoleCounts.AzureDynamicRoles)
+	require.Equal(t, 0, metrics.ReplicatedRoleCounts.KubernetesDynamicRoles)
+
+	// Get counts including unofficial mounts
+	metrics, err = core.CountMetricsFromMounts(false)
+	require.NoError(t, err)
+	require.NotNil(t, metrics)
+	require.Equal(t, 5, metrics.ReplicatedRoleCounts.AWSDynamicRoles)
+	require.Equal(t, 5, metrics.ReplicatedRoleCounts.AzureDynamicRoles)
+	require.Equal(t, 5, metrics.ReplicatedRoleCounts.KubernetesDynamicRoles)
+}
+
+func createMount(t *testing.T, ctx context.Context, core *Core, token string, mountType string, mountPath string, local bool) {
+	req := logical.TestRequest(t, logical.CreateOperation, fmt.Sprintf("sys/mounts/%s", mountPath))
+	req.Data["type"] = mountType
+	req.Data["local"] = local
+	req.ClientToken = token
+	resp, err := core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+}
diff --git a/vault/consumption_billing_test.go b/vault/consumption_billing_test.go
index 1d1563a4af..773d2a8eb2 100644
--- a/vault/consumption_billing_test.go
+++ b/vault/consumption_billing_test.go
@@ -153,8 +153,8 @@ func TestConsumptionBillingMetricsWorker(t *testing.T) {
 	verifyExpectedRoleCounts(t, counts, 5)
 }
 
-// TestHandleEndOfMonthMetrics tests that that HandleEndOfMonth cleans up
-// previous month billing metrics and resets the in memory billing metrics
+// TestHandleEndOfMonthMetrics tests that HandleEndOfMonth cleans up
+// billing metrics from billing.DefaultBillingRetentionMonths ago (keeping billing.DefaultBillingRetentionMonths of data) and resets the in memory billing metrics
 func TestHandleEndOfMonthMetrics(t *testing.T) {
 	coreConfig := &CoreConfig{
 		LogicalBackends: roleLogicalBackends,
@@ -163,11 +163,13 @@ func TestHandleEndOfMonthMetrics(t *testing.T) {
 		},
 	}
 	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
-	// Add some billing metrics to storage for the previous two months
+	// Add some billing metrics to storage for (billing.DefaultBillingRetentionMonths - 1) and billing.DefaultBillingRetentionMonths months ago
 	// Use the util functions directly to avoid the need to mount the logical backends
-	previousMonth := timeutil.StartOfPreviousMonth(time.Now().UTC())
-	twoMonthsAgo := previousMonth.AddDate(0, -1, 0)
-	for _, month := range []time.Time{timeutil.StartOfPreviousMonth(time.Now().UTC()), timeutil.StartOfPreviousMonth(time.Now().UTC()).AddDate(0, -1, 0)} {
+	now := time.Now().UTC()
+	oldestRetainedMonth := timeutil.StartOfMonth(now).AddDate(0, -(billing.DefaultBillingRetentionMonths - 1), 0)
+	monthToDelete := timeutil.StartOfMonth(now).AddDate(0, -billing.DefaultBillingRetentionMonths, 0)
+
+	for _, month := range []time.Time{monthToDelete, oldestRetainedMonth} {
 		for _, localPathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
 			core.storeMaxRoleCountsLocked(context.Background(), &RoleCounts{
 				AWSDynamicRoles:      10,
@@ -176,45 +178,197 @@ func TestHandleEndOfMonthMetrics(t *testing.T) {
 				GCPRolesets:          3,
 				DatabaseDynamicRoles: 5,
 				DatabaseStaticRoles:  7,
+				OSLocalAccountRoles:  9,
 			}, localPathPrefix, month)
 			core.storeMaxKvCountsLocked(context.Background(), 10, localPathPrefix, month)
-			core.storeTransitCallCountsLocked(context.Background(), 10, localPathPrefix, month)
-			core.storeThirdPartyPluginCountsLocked(context.Background(), localPathPrefix, month, 10)
+
+			// Transit, third-party plugins, ssh credential count and OIDC are local aggregated metrics
+			// and should only be stored under LocalPrefix
+			if localPathPrefix == billing.LocalPrefix {
+				core.storeTransitCallCountsLocked(context.Background(), 10, localPathPrefix, month)
+				core.storeGcpKmsCallCountsLocked(context.Background(), 10, localPathPrefix, month)
+				core.storeThirdPartyPluginCountsLocked(context.Background(), localPathPrefix, month, 10)
+				core.storeOidcDurationAdjustedCountLocked(context.Background(), month, 10)
+				core.storeSSHOTPCountLocked(context.Background(), localPathPrefix, month, 10)
+			}
 
 			// List the data paths to verify that the billing metrics have been stored
 			view, ok := core.GetBillingSubView()
 			require.True(t, ok)
 			paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(localPathPrefix, month))
 			require.NoError(t, err)
-			require.Equal(t, 4, len(paths))
+			expectedPaths := 2 // ReplicatedPrefix has roles and kv
+			if localPathPrefix == billing.LocalPrefix {
+				expectedPaths = 7 // LocalPrefix has roles, kv, transit, gcp kms, third-party plugins, ssh and OIDC
+			}
+			require.Equal(t, expectedPaths, len(paths))
 		}
 	}
 
 	// Handle the end of the month
-	core.HandleStartOfMonth(context.Background(), time.Now().UTC())
+	core.HandleStartOfMonth(context.Background(), now)
 
 	for _, localPathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
-		// Two months ago should have no billing metrics
+		// billing.DefaultBillingRetentionMonths ago should have no billing metrics (deleted)
 		view, ok := core.GetBillingSubView()
 		require.True(t, ok)
-		paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(localPathPrefix, twoMonthsAgo))
+		paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(localPathPrefix, monthToDelete))
 		require.NoError(t, err)
-		require.Equal(t, 0, len(paths))
+		require.Equal(t, 0, len(paths), "data from billing.DefaultBillingRetentionMonths ago should be deleted")
 
-		// Previous month should have the billing metrics
+		// (billing.DefaultBillingRetentionMonths - 1) months ago should still have the billing metrics (kept)
 		view, ok = core.GetBillingSubView()
 		require.True(t, ok)
-		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(localPathPrefix, previousMonth))
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(localPathPrefix, oldestRetainedMonth))
 		require.NoError(t, err)
-		require.Equal(t, 4, len(paths))
+		expectedPaths := 2 // ReplicatedPrefix has roles and kv
+		if localPathPrefix == billing.LocalPrefix {
+			expectedPaths = 7 // LocalPrefix has roles, kv, transit, gcp kms, third-party plugins, ssh and OIDC
+		}
+		require.Equal(t, expectedPaths, len(paths))
 	}
 
 	require.Equal(t, uint64(0), core.GetInMemoryTransitDataProtectionCallCounts())
 	require.Equal(t, uint64(0), core.GetInMemoryTransformDataProtectionCallCounts())
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+	require.Equal(t, float64(0), core.GetInMemoryOidcCounts())
 	require.False(t, core.consumptionBilling.KmipSeenEnabledThisMonth.Load())
 }
 
-// TestConsumptionBillingMetricsWorkerWithCustomClock tests that we correctly delete n-2 month billing metrics
+// TestDeleteExpiredBillingMetrics specifically tests the deleteExpiredBillingMetrics method
+// to ensure it correctly deletes data from billing.DefaultBillingRetentionMonths ago while keeping
+// data from (billing.DefaultBillingRetentionMonths - 1) months ago.
+func TestDeleteExpiredBillingMetrics(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: roleLogicalBackends,
+	}
+	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	now := time.Now().UTC()
+	currentMonth := timeutil.StartOfMonth(now)
+	oldestRetainedMonth := currentMonth.AddDate(0, -(billing.DefaultBillingRetentionMonths - 1), 0)
+	monthToDelete := currentMonth.AddDate(0, -billing.DefaultBillingRetentionMonths, 0)
+
+	// Write billing data for multiple months including the month to be deleted and the oldest retained month
+	for _, month := range []time.Time{monthToDelete, oldestRetainedMonth, currentMonth} {
+		for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+			core.storeMaxRoleCountsLocked(context.Background(), &RoleCounts{
+				AWSDynamicRoles:     5,
+				AWSStaticRoles:      10,
+				LDAPDynamicRoles:    3,
+				OSLocalAccountRoles: 7,
+			}, pathPrefix, month)
+			core.storeMaxKvCountsLocked(context.Background(), 20, pathPrefix, month)
+			core.storeTransitCallCountsLocked(context.Background(), 15, pathPrefix, month)
+			// Add SSH metrics which use subdirectory paths (ssh/normalized-certs-issued, ssh/credential-count)
+			core.storeSSHDurationAdjustedCertCountLocked(context.Background(), pathPrefix, month, 10.5)
+			core.storeSSHOTPCountLocked(context.Background(), pathPrefix, month, 25.0)
+		}
+		// Store updatedAtTimestamp for each month
+		testUpdateTime := time.Date(month.Year(), month.Month(), 15, 12, 0, 0, 0, time.UTC)
+		err := core.UpdateMetricsLastUpdateTime(context.Background(), month, testUpdateTime)
+		require.NoError(t, err)
+	}
+
+	// Verify data exists before deletion
+	for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+		view, ok := core.GetBillingSubView()
+		require.True(t, ok)
+
+		// Check month to be deleted has data
+		paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, monthToDelete))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "month to delete should have data before deletion")
+
+		// Check oldest retained month has data
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, oldestRetainedMonth))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "oldest retained month should have data")
+
+		// Verify SSH metrics exist (they use subdirectory paths)
+		sshCertPath := billing.GetMonthlyBillingMetricPath(pathPrefix, monthToDelete, billing.SSHCertificateMetric)
+		entry, err := view.Get(context.Background(), sshCertPath)
+		require.NoError(t, err)
+		require.NotNil(t, entry, "SSH cert metric should exist before deletion")
+
+		sshOTPPath := billing.GetMonthlyBillingMetricPath(pathPrefix, monthToDelete, billing.SSHOTPMetric)
+		entry, err = view.Get(context.Background(), sshOTPPath)
+		require.NoError(t, err)
+		require.NotNil(t, entry, "SSH OTP metric should exist before deletion")
+	}
+
+	// Verify updatedAtTimestamp exists for all months before deletion
+	for _, month := range []time.Time{monthToDelete, oldestRetainedMonth, currentMonth} {
+		timestamp, err := core.GetMetricsLastUpdateTime(context.Background(), month)
+		require.NoError(t, err)
+		require.False(t, timestamp.IsZero(), "timestamp for month %s should exist before deletion", month.Format("2006-01"))
+	}
+
+	// Call deleteExpiredBillingMetrics directly
+	err := core.deleteExpiredBillingMetrics(context.Background(), currentMonth)
+	require.NoError(t, err)
+
+	// Verify deletion results
+	for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+		view, ok := core.GetBillingSubView()
+		require.True(t, ok)
+
+		// Month to delete should have no data
+		paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, monthToDelete))
+		require.NoError(t, err)
+		require.Equal(t, 0, len(paths), "data from billing.DefaultBillingRetentionMonths ago should be deleted")
+
+		// Verify SSH metrics are deleted (they use subdirectory paths)
+		sshCertPath := billing.GetMonthlyBillingMetricPath(pathPrefix, monthToDelete, billing.SSHCertificateMetric)
+		entry, err := view.Get(context.Background(), sshCertPath)
+		require.NoError(t, err)
+		require.Nil(t, entry, "SSH cert metric should be deleted")
+
+		sshOTPPath := billing.GetMonthlyBillingMetricPath(pathPrefix, monthToDelete, billing.SSHOTPMetric)
+		entry, err = view.Get(context.Background(), sshOTPPath)
+		require.NoError(t, err)
+		require.Nil(t, entry, "SSH OTP metric should be deleted")
+
+		// Oldest retained month should still have data
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, oldestRetainedMonth))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "data from (billing.DefaultBillingRetentionMonths - 1) months ago should be kept")
+
+		// Verify SSH metrics are kept for oldest retained month
+		sshCertPath = billing.GetMonthlyBillingMetricPath(pathPrefix, oldestRetainedMonth, billing.SSHCertificateMetric)
+		entry, err = view.Get(context.Background(), sshCertPath)
+		require.NoError(t, err)
+		require.NotNil(t, entry, "SSH cert metric should be kept for oldest retained month")
+
+		sshOTPPath = billing.GetMonthlyBillingMetricPath(pathPrefix, oldestRetainedMonth, billing.SSHOTPMetric)
+		entry, err = view.Get(context.Background(), sshOTPPath)
+		require.NoError(t, err)
+		require.NotNil(t, entry, "SSH OTP metric should be kept for oldest retained month")
+
+		// Current month should still have data
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, currentMonth))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "current month data should be kept")
+	}
+
+	// Verify updatedAtTimestamp deletion
+	// Month to delete should have zero timestamp
+	deletedTimestamp, err := core.GetMetricsLastUpdateTime(context.Background(), monthToDelete)
+	require.NoError(t, err)
+	require.True(t, deletedTimestamp.IsZero(), "timestamp for deleted month should be zero")
+
+	// Oldest retained month should still have timestamp
+	oldestTimestamp, err := core.GetMetricsLastUpdateTime(context.Background(), oldestRetainedMonth)
+	require.NoError(t, err)
+	require.False(t, oldestTimestamp.IsZero(), "timestamp for oldest retained month should exist")
+
+	// Current month should still have timestamp
+	currentTimestamp, err := core.GetMetricsLastUpdateTime(context.Background(), currentMonth)
+	require.NoError(t, err)
+	require.False(t, currentTimestamp.IsZero(), "timestamp for current month should exist")
+}
+
+// TestConsumptionBillingMetricsWorkerWithCustomClock tests that we correctly delete data older than billing.DefaultBillingRetentionMonths
 // and reset the in memory billing metrics when the clock is overridden for testing purposes
 func TestConsumptionBillingMetricsWorkerWithCustomClock(t *testing.T) {
 	// 10 seconds until a new month (leave buffer for require.Eventually timeout)
@@ -227,14 +381,14 @@ func TestConsumptionBillingMetricsWorkerWithCustomClock(t *testing.T) {
 	}
 	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
 
-	// Add some billing metrics to storage for the previous two months
+	// Add some billing metrics to storage for (billing.DefaultBillingRetentionMonths - 1) and billing.DefaultBillingRetentionMonths months ago
 	// Use the util functions directly to avoid the need to mount the logical backends
 	// The worker's "end of month" path calls HandleEndOfMonth with the *current* month,
-	// which will be the next month once we cross the boundary. So "previousMonth" and
-	// "twoMonthsAgo" should be calculated relative to that boundary.
+	// which will be the next month once we cross the boundary. So the months should be
+	// calculated relative to that boundary.
 	currentMonthAtBoundary := timeutil.StartOfNextMonth(now)
-	previousMonth := timeutil.StartOfPreviousMonth(currentMonthAtBoundary)
-	twoMonthsAgo := previousMonth.AddDate(0, -1, 0)
+	oldestRetainedMonth := timeutil.StartOfMonth(currentMonthAtBoundary).AddDate(0, -(billing.DefaultBillingRetentionMonths - 1), 0)
+	monthToDelete := timeutil.StartOfMonth(currentMonthAtBoundary).AddDate(0, -billing.DefaultBillingRetentionMonths, 0)
 	view, ok := core.GetBillingSubView()
 	require.True(t, ok)
 	roleCounts := &RoleCounts{
@@ -255,6 +409,7 @@ func TestConsumptionBillingMetricsWorkerWithCustomClock(t *testing.T) {
 		KubernetesDynamicRoles:     5,
 		MongoDBAtlasDynamicRoles:   7,
 		TerraformCloudDynamicRoles: 10,
+		OSLocalAccountRoles:        11,
 	}
 
 	verifyMonthlyBillingMetrics := func(month time.Time, localPathPrefix string) {
@@ -268,15 +423,19 @@ func TestConsumptionBillingMetricsWorkerWithCustomClock(t *testing.T) {
 			transitCounts, err := core.GetStoredTransitCallCounts(context.Background(), month)
 			require.NoError(t, err)
 			require.Equal(t, uint64(10), transitCounts)
+			gcpKmsCounts, err := core.GetStoredGcpKmsCallCounts(context.Background(), month)
+			require.NoError(t, err)
+			require.Equal(t, uint64(10), gcpKmsCounts)
 			thirdPartyPluginCounts, err := core.GetStoredThirdPartyPluginCounts(context.Background(), month)
 			require.NoError(t, err)
 			require.Equal(t, 10, thirdPartyPluginCounts)
 		}
 	}
 
-	for _, month := range []time.Time{twoMonthsAgo, previousMonth} {
+	for _, month := range []time.Time{monthToDelete, oldestRetainedMonth} {
 
 		core.storeTransitCallCountsLocked(context.Background(), uint64(10), billing.LocalPrefix, month)
+		core.storeGcpKmsCallCountsLocked(context.Background(), uint64(10), billing.LocalPrefix, month)
 		core.storeThirdPartyPluginCountsLocked(context.Background(), billing.LocalPrefix, month, 10)
 
 		for _, localPathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
@@ -289,29 +448,221 @@ func TestConsumptionBillingMetricsWorkerWithCustomClock(t *testing.T) {
 	}
 
 	for _, localPathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
-		// Two months ago should have no billing metricss should eventually should have no billing metrics
+		// billing.DefaultBillingRetentionMonths ago should eventually have no billing metrics (deleted)
 		require.Eventually(t, func() bool {
-			paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(localPathPrefix, twoMonthsAgo))
+			paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(localPathPrefix, monthToDelete))
 			return err == nil && len(paths) == 0
 		}, 20*time.Second, 100*time.Millisecond)
 
-		// All values n-2 months ago should be 0
-		maxRoleCounts, _ := core.GetStoredHWMRoleCounts(context.Background(), localPathPrefix, twoMonthsAgo)
+		// All values from billing.DefaultBillingRetentionMonths ago should be 0
+		maxRoleCounts, _ := core.GetStoredHWMRoleCounts(context.Background(), localPathPrefix, monthToDelete)
 		require.Equal(t, &RoleCounts{}, maxRoleCounts)
-		kvCounts, _ := core.GetStoredHWMKvCounts(context.Background(), localPathPrefix, twoMonthsAgo)
+		kvCounts, _ := core.GetStoredHWMKvCounts(context.Background(), localPathPrefix, monthToDelete)
 		require.Equal(t, 0, kvCounts)
 		if localPathPrefix == billing.LocalPrefix {
-			transitCounts, _ := core.GetStoredTransitCallCounts(context.Background(), twoMonthsAgo)
+			transitCounts, _ := core.GetStoredTransitCallCounts(context.Background(), monthToDelete)
 			require.Equal(t, uint64(0), transitCounts)
-			thirdPartyPluginCounts, _ := core.GetStoredThirdPartyPluginCounts(context.Background(), twoMonthsAgo)
+			gcpKmsCounts, _ := core.GetStoredGcpKmsCallCounts(context.Background(), monthToDelete)
+			require.Equal(t, uint64(0), gcpKmsCounts)
+			thirdPartyPluginCounts, _ := core.GetStoredThirdPartyPluginCounts(context.Background(), monthToDelete)
 			require.Equal(t, 0, thirdPartyPluginCounts)
 		}
 
-		// Previous month should have the billing metrics
-		verifyMonthlyBillingMetrics(previousMonth, localPathPrefix)
+		// (billing.DefaultBillingRetentionMonths - 1) months ago should still have the billing metrics (kept)
+		verifyMonthlyBillingMetrics(oldestRetainedMonth, localPathPrefix)
 	}
 
 	require.Equal(t, uint64(0), core.GetInMemoryTransitDataProtectionCallCounts())
 	require.Equal(t, uint64(0), core.GetInMemoryTransformDataProtectionCallCounts())
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+	require.False(t, core.consumptionBilling.KmipSeenEnabledThisMonth.Load())
+}
+
+// TestDeleteExpiredBillingMetrics_CustomRetention tests that deleteExpiredBillingMetrics
+// respects custom retention configuration. It verifies that when a custom retention period
+// is set (e.g., 13 months), data is deleted according to that configuration rather than
+// the default 37 months.
+func TestDeleteExpiredBillingMetrics_CustomRetention(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: roleLogicalBackends,
+	}
+	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
+	ctx := namespace.RootContext(context.Background())
+
+	// Set custom retention to minimum (13 months)
+	customRetention := billing.MinBillingRetentionMonths
+	err := core.UpdateBillingRetentionMonths(ctx, customRetention)
+	require.NoError(t, err)
+
+	// Verify the custom retention was set
+	retentionMonths, err := core.GetBillingRetentionMonths(ctx)
+	require.NoError(t, err)
+	require.Equal(t, customRetention, retentionMonths)
+
+	now := time.Now().UTC()
+	currentMonth := timeutil.StartOfMonth(now)
+
+	// With 13 months retention:
+	// - Month 12 months ago (index 12) should be kept (oldest retained)
+	// - Month 13 months ago (index 13) should be deleted
+	oldestRetainedMonth := currentMonth.AddDate(0, -(customRetention - 1), 0)
+	monthToDelete := currentMonth.AddDate(0, -customRetention, 0)
+
+	// Write billing data for multiple months
+	for _, month := range []time.Time{monthToDelete, oldestRetainedMonth, currentMonth} {
+		for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+			core.storeMaxRoleCountsLocked(context.Background(), &RoleCounts{
+				AWSDynamicRoles:     5,
+				AWSStaticRoles:      10,
+				LDAPDynamicRoles:    3,
+				OSLocalAccountRoles: 7,
+			}, pathPrefix, month)
+			core.storeMaxKvCountsLocked(context.Background(), 20, pathPrefix, month)
+			core.storeTransitCallCountsLocked(context.Background(), 15, pathPrefix, month)
+			core.storeSSHDurationAdjustedCertCountLocked(context.Background(), pathPrefix, month, 10.5)
+			core.storeSSHOTPCountLocked(context.Background(), pathPrefix, month, 25.0)
+		}
+		// Store updatedAtTimestamp for each month
+		testUpdateTime := time.Date(month.Year(), month.Month(), 15, 12, 0, 0, 0, time.UTC)
+		err := core.UpdateMetricsLastUpdateTime(context.Background(), month, testUpdateTime)
+		require.NoError(t, err)
+	}
+
+	// Verify data exists before deletion
+	for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+		view, ok := core.GetBillingSubView()
+		require.True(t, ok)
+
+		// Check month to be deleted has data
+		paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, monthToDelete))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "month to delete should have data before deletion")
+
+		// Check oldest retained month has data
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, oldestRetainedMonth))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "oldest retained month should have data")
+	}
+
+	// Call deleteExpiredBillingMetrics - it should use the custom retention
+	err = core.deleteExpiredBillingMetrics(context.Background(), currentMonth)
+	require.NoError(t, err)
+
+	// Verify deletion results with custom retention
+	for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+		view, ok := core.GetBillingSubView()
+		require.True(t, ok)
+
+		// Month to delete (13 months ago with custom retention) should have no data
+		paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, monthToDelete))
+		require.NoError(t, err)
+		require.Equal(t, 0, len(paths), "data from %d months ago should be deleted with custom retention", customRetention)
+
+		// Oldest retained month (12 months ago) should still have data
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, oldestRetainedMonth))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "data from %d months ago should be kept with custom retention", customRetention-1)
+
+		// Current month should still have data
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, currentMonth))
+		require.NoError(t, err)
+		require.Greater(t, len(paths), 0, "current month data should be kept")
+	}
+
+	// Verify updatedAtTimestamp deletion with custom retention
+	deletedTimestamp, err := core.GetMetricsLastUpdateTime(context.Background(), monthToDelete)
+	require.NoError(t, err)
+	require.True(t, deletedTimestamp.IsZero(), "timestamp for deleted month should be zero")
+
+	oldestTimestamp, err := core.GetMetricsLastUpdateTime(context.Background(), oldestRetainedMonth)
+	require.NoError(t, err)
+	require.False(t, oldestTimestamp.IsZero(), "timestamp for oldest retained month should exist")
+
+	currentTimestamp, err := core.GetMetricsLastUpdateTime(context.Background(), currentMonth)
+	require.NoError(t, err)
+	require.False(t, currentTimestamp.IsZero(), "timestamp for current month should exist")
+}
+
+// TestHandleStartOfMonth_CustomRetention tests that HandleStartOfMonth respects
+// custom retention configuration when deleting expired billing metrics.
+func TestHandleStartOfMonth_CustomRetention(t *testing.T) {
+	coreConfig := &CoreConfig{
+		LogicalBackends: roleLogicalBackends,
+		BillingConfig: billing.BillingConfig{
+			MetricsUpdateCadence: 3 * time.Second,
+		},
+	}
+	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
+	ctx := namespace.RootContext(context.Background())
+
+	// Set custom retention to 20 months
+	customRetention := 20
+	err := core.UpdateBillingRetentionMonths(ctx, customRetention)
+	require.NoError(t, err)
+
+	// Add billing metrics for months based on custom retention
+	now := time.Now().UTC()
+	oldestRetainedMonth := timeutil.StartOfMonth(now).AddDate(0, -(customRetention - 1), 0)
+	monthToDelete := timeutil.StartOfMonth(now).AddDate(0, -customRetention, 0)
+
+	for _, month := range []time.Time{monthToDelete, oldestRetainedMonth} {
+		for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+			core.storeMaxRoleCountsLocked(context.Background(), &RoleCounts{
+				AWSDynamicRoles:      10,
+				AWSStaticRoles:       15,
+				LDAPDynamicRoles:     8,
+				GCPRolesets:          3,
+				DatabaseDynamicRoles: 5,
+				DatabaseStaticRoles:  7,
+				OSLocalAccountRoles:  9,
+			}, pathPrefix, month)
+			core.storeMaxKvCountsLocked(context.Background(), 10, pathPrefix, month)
+
+			if pathPrefix == billing.LocalPrefix {
+				core.storeTransitCallCountsLocked(context.Background(), 10, pathPrefix, month)
+				core.storeGcpKmsCallCountsLocked(context.Background(), 10, pathPrefix, month)
+				core.storeThirdPartyPluginCountsLocked(context.Background(), pathPrefix, month, 10)
+				core.storeOidcDurationAdjustedCountLocked(context.Background(), month, 10)
+				core.storeSSHOTPCountLocked(context.Background(), pathPrefix, month, 10)
+			}
+
+			// Verify data was stored
+			view, ok := core.GetBillingSubView()
+			require.True(t, ok)
+			paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, month))
+			require.NoError(t, err)
+			expectedPaths := 2 // ReplicatedPrefix has roles and kv
+			if pathPrefix == billing.LocalPrefix {
+				expectedPaths = 7 // LocalPrefix has roles, kv, transit, gcp kms, third-party plugins, ssh and OIDC
+			}
+			require.Equal(t, expectedPaths, len(paths))
+		}
+	}
+
+	// Handle the start of the month - should delete based on custom retention
+	core.HandleStartOfMonth(context.Background(), now)
+
+	for _, pathPrefix := range []string{billing.ReplicatedPrefix, billing.LocalPrefix} {
+		// Month to delete (customRetention months ago) should have no billing metrics
+		view, ok := core.GetBillingSubView()
+		require.True(t, ok)
+		paths, err := view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, monthToDelete))
+		require.NoError(t, err)
+		require.Equal(t, 0, len(paths), "data from %d months ago should be deleted with custom retention", customRetention)
+
+		// Oldest retained month should still have the billing metrics
+		paths, err = view.List(context.Background(), billing.GetMonthlyBillingPath(pathPrefix, oldestRetainedMonth))
+		require.NoError(t, err)
+		expectedPaths := 2 // ReplicatedPrefix has roles and kv
+		if pathPrefix == billing.LocalPrefix {
+			expectedPaths = 7 // LocalPrefix has roles, kv, transit, gcp kms, third-party plugins, ssh and OIDC
+		}
+		require.Equal(t, expectedPaths, len(paths), "data from %d months ago should be kept with custom retention", customRetention-1)
+	}
+
+	require.Equal(t, uint64(0), core.GetInMemoryTransitDataProtectionCallCounts())
+	require.Equal(t, uint64(0), core.GetInMemoryTransformDataProtectionCallCounts())
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+	require.Equal(t, float64(0), core.GetInMemoryOidcCounts())
 	require.False(t, core.consumptionBilling.KmipSeenEnabledThisMonth.Load())
 }
diff --git a/vault/consumption_billing_testing_util.go b/vault/consumption_billing_testing_util.go
index 671c439b14..0da073669e 100644
--- a/vault/consumption_billing_testing_util.go
+++ b/vault/consumption_billing_testing_util.go
@@ -3,6 +3,14 @@
 
 package vault
 
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
 func (c *Core) ResetInMemoryTransitDataProtectionCallCounts() {
 	c.consumptionBillingLock.RLock()
 	cb := c.consumptionBilling
@@ -64,3 +72,210 @@ func (c *Core) SetInMemoryTransformDataProtectionCallCounts(count uint64) {
 		cb.DataProtectionCallCounts.Transform.Store(count)
 	}
 }
+
+func (c *Core) SetInMemoryGcpKmsDataProtectionCallCounts(count uint64) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		cb.DataProtectionCallCounts.GcpKms.Store(count)
+	}
+}
+
+func (c *Core) GetInMemoryGcpKmsDataProtectionCallCounts() uint64 {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		return cb.DataProtectionCallCounts.GcpKms.Load()
+	}
+	return 0
+}
+
+func (c *Core) ResetInMemoryJwtSpiffeIdentityCounts() {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		cb.IdentityTokenUnits.SpiffeJwt.Store(0)
+	}
+}
+
+func (c *Core) GetInMemoryJwtSpiffeIdentityCounts() float64 {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		return cb.IdentityTokenUnits.SpiffeJwt.Load()
+	}
+	return 0
+}
+
+func (c *Core) SetInMemoryJwtSpiffeIdentityCounts(count float64) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		cb.IdentityTokenUnits.SpiffeJwt.Store(count)
+	}
+}
+
+func (c *Core) GetInMemoryOidcCounts() float64 {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		return cb.IdentityTokenUnits.OidcTokenDuration.Load()
+	}
+	return 0
+}
+
+func (c *Core) SetInMemoryOidcCounts(tokenDuration float64) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		cb.IdentityTokenUnits.OidcTokenDuration.Store(tokenDuration)
+	}
+}
+
+// NewMockOSBackendFactory creates a mock OS backend factory for testing.
+// The backend implements LIST operations for hosts and accounts to support
+// billing enumeration testing.
+func NewMockOSBackendFactory() logical.Factory {
+	return func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
+		b := &framework.Backend{
+			BackendType: logical.TypeLogical,
+			Paths: []*framework.Path{
+				{
+					Pattern: "hosts/?$",
+					Operations: map[logical.Operation]framework.OperationHandler{
+						logical.ListOperation: &framework.PathOperation{
+							Callback: func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+								// List all hosts from storage
+								hosts, err := req.Storage.List(ctx, "hosts/")
+								if err != nil {
+									return nil, err
+								}
+								return logical.ListResponse(hosts), nil
+							},
+						},
+					},
+				},
+				{
+					Pattern: "hosts/" + framework.GenericNameRegex("host") + "/accounts/?$",
+					Fields: map[string]*framework.FieldSchema{
+						"host": {
+							Type:        framework.TypeString,
+							Description: "Host name",
+						},
+					},
+					Operations: map[logical.Operation]framework.OperationHandler{
+						logical.ListOperation: &framework.PathOperation{
+							Callback: func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+								// Get the host name from the path
+								hostName := data.Get("host").(string)
+
+								// Read the host entry from storage
+								entry, err := req.Storage.Get(ctx, "hosts/"+hostName)
+								if err != nil {
+									return nil, err
+								}
+								if entry == nil {
+									return logical.ListResponse([]string{}), nil
+								}
+
+								// Parse the JSON to extract account names
+								var hostData map[string]interface{}
+								if err := json.Unmarshal(entry.Value, &hostData); err != nil {
+									return nil, err
+								}
+
+								accounts := []string{}
+								if accountsMap, ok := hostData["accounts"].(map[string]interface{}); ok {
+									for accountName := range accountsMap {
+										accounts = append(accounts, accountName)
+									}
+								}
+
+								return logical.ListResponse(accounts), nil
+							},
+						},
+					},
+				},
+			},
+		}
+		if err := b.Setup(ctx, conf); err != nil {
+			return nil, err
+		}
+		return b, nil
+	}
+}
+
+// CreateMockOSHost creates a mock OS host entry in storage with the specified accounts.
+// This is a helper function for tests that need to populate OS backend storage.
+func CreateMockOSHost(ctx context.Context, storage logical.Storage, hostName string, accountNames []string) error {
+	// Build the accounts map structure
+	accountsMap := make(map[string]interface{})
+	for _, accountName := range accountNames {
+		accountsMap[accountName] = map[string]string{"username": "testuser"}
+	}
+
+	// Create the host entry structure and marshal to JSON
+	hostMap := map[string]interface{}{"accounts": accountsMap}
+	value, err := json.Marshal(hostMap)
+	if err != nil {
+		return err
+	}
+
+	// Create a mock host entry with accounts
+	hostEntry := &logical.StorageEntry{
+		Key:   "hosts/" + hostName,
+		Value: value,
+	}
+	return storage.Put(ctx, hostEntry)
+}
+
+// DeleteMockOSHost deletes a mock OS host entry from storage.
+// This is a helper function for tests that need to clean up OS backend storage.
+func DeleteMockOSHost(ctx context.Context, storage logical.Storage, hostName string) error {
+	return storage.Delete(ctx, "hosts/"+hostName)
+}
+
+func (c *Core) ResetInMemoryExternalCaCertUnits() {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		cb.ExternalCaCertUnits.Store(0)
+	}
+}
+
+func (c *Core) GetInMemoryExternalCaCertUnits() float64 {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		return cb.ExternalCaCertUnits.Load()
+	}
+	return 0
+}
+
+func (c *Core) SetInMemoryExternalCaCertUnits(count float64) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb != nil {
+		cb.ExternalCaCertUnits.Store(count)
+	}
+}
diff --git a/vault/consumption_billing_util.go b/vault/consumption_billing_util.go
index 1ffd36fbd1..253f7cbc65 100644
--- a/vault/consumption_billing_util.go
+++ b/vault/consumption_billing_util.go
@@ -7,13 +7,23 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math"
 	"strconv"
 	"time"
 
+	"github.com/hashicorp/vault/helper/timeutil"
+	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault/billing"
 )
 
+const (
+	// standard duration in hours for calculation of duration adjusted units (approx 1 month)
+	DurationAdjustedStandardDuration = 730.0
+	DecimalPrecisionMultiplier       = 10000 // Multiplier for rounding to 4 decimal places (10^4)
+	MinBillableUnits                 = 0.0001
+)
+
 func (c *Core) storeThirdPartyPluginCountsLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time, thirdPartyPluginCounts int) error {
 	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.ThirdPartyPluginsPrefix)
 	entry := &logical.StorageEntry{
@@ -123,6 +133,7 @@ func combineRoleCounts(a, b *RoleCounts) *RoleCounts {
 		a.KubernetesDynamicRoles + b.KubernetesDynamicRoles,
 		a.MongoDBAtlasDynamicRoles + b.MongoDBAtlasDynamicRoles,
 		a.TerraformCloudDynamicRoles + b.TerraformCloudDynamicRoles,
+		a.OSLocalAccountRoles + b.OSLocalAccountRoles,
 	}
 }
 
@@ -175,8 +186,9 @@ func (c *Core) GetStoredHWMKvCounts(ctx context.Context, localPathPrefix string,
 	return c.getStoredMaxKvCountsLocked(ctx, localPathPrefix, month)
 }
 
-// UpdateMaxKvCounts updates the HWM kv counts for the given month, and returns the value that was stored.
-func (c *Core) UpdateMaxKvCounts(ctx context.Context, localPathPrefix string, currentMonth time.Time) (int, error) {
+// UpdateMaxKvCounts updates the HWM kv counts for the given month by comparing the current counts passed in with the stored count,
+// and returns the updated stored value.
+func (c *Core) UpdateMaxKvCounts(ctx context.Context, localPathPrefix string, currentMonth time.Time, currentKvCounts int) (int, error) {
 	c.consumptionBillingLock.RLock()
 	cb := c.consumptionBilling
 	c.consumptionBillingLock.RUnlock()
@@ -188,24 +200,6 @@ func (c *Core) UpdateMaxKvCounts(ctx context.Context, localPathPrefix string, cu
 	cb.BillingStorageLock.Lock()
 	defer cb.BillingStorageLock.Unlock()
 
-	local := localPathPrefix == billing.LocalPrefix
-
-	// Get the current count of kv version 1 secrets
-	currentKvCounts, err := c.GetKvUsageMetricsByNamespace(ctx, "1", "", local, !local, false)
-	if err != nil {
-		c.logger.Error("error getting count of kv version 1 secrets", "error", err)
-		return 0, err
-	}
-	totalKvCounts := getTotalSecretsAcrossAllNamespaces(currentKvCounts)
-
-	// Get the current count of kv version 2 secrets
-	currentKvCounts, err = c.GetKvUsageMetricsByNamespace(ctx, "2", "", local, !local, false)
-	if err != nil {
-		c.logger.Error("error getting current count of kv version 2 secrets", "error", err)
-		return 0, err
-	}
-	totalKvCounts += getTotalSecretsAcrossAllNamespaces(currentKvCounts)
-
 	// Get the stored max kv counts
 	maxKvCounts, err := c.getStoredMaxKvCountsLocked(ctx, localPathPrefix, currentMonth)
 	if err != nil {
@@ -213,11 +207,11 @@ func (c *Core) UpdateMaxKvCounts(ctx context.Context, localPathPrefix string, cu
 		return 0, err
 	}
 	if maxKvCounts == 0 {
-		maxKvCounts = totalKvCounts
+		maxKvCounts = currentKvCounts
 	}
-	if totalKvCounts > maxKvCounts {
-		c.logger.Info("updating max kv counts", "totalKvCounts", totalKvCounts, "maxKvCounts", maxKvCounts)
-		maxKvCounts = totalKvCounts
+	if currentKvCounts > maxKvCounts {
+		c.logger.Info("updating max kv counts", "currentKvCounts", currentKvCounts, "maxKvCounts", maxKvCounts)
+		maxKvCounts = currentKvCounts
 	}
 	err = c.storeMaxKvCountsLocked(ctx, maxKvCounts, localPathPrefix, currentMonth)
 	if err != nil {
@@ -241,7 +235,9 @@ func (c *Core) storeMaxRoleCountsLocked(ctx context.Context, maxRoleCounts *Role
 	return view.Put(ctx, entry)
 }
 
-func (c *Core) UpdateMaxRoleAndManagedKeyCounts(ctx context.Context, localPathPrefix string, currentMonth time.Time) (*RoleCounts, *ManagedKeyCounts, error) {
+// UpdateMaxRoleAndManagedKeyCounts updates the HWM role and managed key counts for the given month by comparing the current counts
+// passed in with the stored counts.
+func (c *Core) UpdateMaxRoleAndManagedKeyCounts(ctx context.Context, localPathPrefix string, currentMonth time.Time, currentRoleCounts *RoleCounts, currentManagedKeyCounts *ManagedKeyCounts) (*RoleCounts, *ManagedKeyCounts, error) {
 	c.consumptionBillingLock.RLock()
 	cb := c.consumptionBilling
 	c.consumptionBillingLock.RUnlock()
@@ -253,8 +249,22 @@ func (c *Core) UpdateMaxRoleAndManagedKeyCounts(ctx context.Context, localPathPr
 	cb.BillingStorageLock.Lock()
 	defer cb.BillingStorageLock.Unlock()
 
-	local := localPathPrefix == billing.LocalPrefix
-	currentRoleCounts, currentManagedKeyCounts := c.getRoleAndManagedKeyCountsInternal(local, !local, true)
+	// If somehow the current counts is empty, we should try get the counts here
+	if currentRoleCounts == nil || currentManagedKeyCounts == nil {
+		c.logger.Debug("current role or managed key counts is empty, trying to get counts again")
+		metrics, err := c.CountMetricsFromMounts(true)
+		if err != nil {
+			c.logger.Error("error getting current role and managed key counts", "error", err)
+			return nil, nil, err
+		}
+		if localPathPrefix == billing.LocalPrefix {
+			currentRoleCounts = metrics.LocalRoleCounts
+			currentManagedKeyCounts = metrics.LocalManagedKeys
+		} else {
+			currentRoleCounts = metrics.ReplicatedRoleCounts
+			currentManagedKeyCounts = metrics.ReplicatedManagedKeys
+		}
+	}
 
 	// get max role counts
 	maxRoleCounts, err := c.updateMaxRoleCounts(ctx, currentRoleCounts, localPathPrefix, currentMonth)
@@ -308,6 +318,7 @@ func (c *Core) updateMaxRoleCounts(ctx context.Context, currentRoleCounts *RoleC
 	maxRoleCounts.KubernetesDynamicRoles = c.compareCounts(currentRoleCounts.KubernetesDynamicRoles, maxRoleCounts.KubernetesDynamicRoles, "Kubernetes Dynamic Roles")
 	maxRoleCounts.MongoDBAtlasDynamicRoles = c.compareCounts(currentRoleCounts.MongoDBAtlasDynamicRoles, maxRoleCounts.MongoDBAtlasDynamicRoles, "MongoDB Atlas Dynamic Roles")
 	maxRoleCounts.TerraformCloudDynamicRoles = c.compareCounts(currentRoleCounts.TerraformCloudDynamicRoles, maxRoleCounts.TerraformCloudDynamicRoles, "Terraform Cloud Dynamic Roles")
+	maxRoleCounts.OSLocalAccountRoles = c.compareCounts(currentRoleCounts.OSLocalAccountRoles, maxRoleCounts.OSLocalAccountRoles, "OS Local Account Static Roles")
 
 	err = c.storeMaxRoleCountsLocked(ctx, maxRoleCounts, localPathPrefix, currentMonth)
 	if err != nil {
@@ -432,14 +443,60 @@ func (c *Core) getStoredTotpKeyCountsLocked(ctx context.Context, localPathPrefix
 }
 
 func (c *Core) GetBillingSubView() (*BarrierView, bool) {
-	c.mountsLock.RLock()
-	view := c.systemBarrierView
-	c.mountsLock.RUnlock()
-
-	if view == nil {
-		return nil, false
+	c.consumptionBillingLock.RLock()
+	defer c.consumptionBillingLock.RUnlock()
+	if c.consumptionBillingSubView == nil {
+		// Initialize the consumption billing sub view
+		c.consumptionBillingSubView = c.systemBarrierView.SubView(billing.BillingSubPath)
 	}
-	return view.SubView(billing.BillingSubPath), true
+	return c.consumptionBillingSubView, true
+}
+
+func (c *Core) GetBillingRetentionMonths(ctx context.Context) (int, error) {
+	c.billingConfigLock.RLock()
+	defer c.billingConfigLock.RUnlock()
+
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return billing.DefaultBillingRetentionMonths, nil
+	}
+
+	entry, err := view.Get(ctx, billing.BillingConfigPath)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read billing config: %w", err)
+	}
+	if entry == nil {
+		// No config stored, return default
+		return billing.DefaultBillingRetentionMonths, nil
+	}
+
+	retentionMonths, err := strconv.Atoi(string(entry.Value))
+	if err != nil {
+		return 0, err
+	}
+
+	return retentionMonths, nil
+}
+
+func (c *Core) UpdateBillingRetentionMonths(ctx context.Context, retentionMonths int) error {
+	c.billingConfigLock.Lock()
+	defer c.billingConfigLock.Unlock()
+
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return fmt.Errorf("billing sub view not available")
+	}
+
+	entry := &logical.StorageEntry{
+		Key:   billing.BillingConfigPath,
+		Value: []byte(strconv.Itoa(retentionMonths)),
+	}
+
+	if err := view.Put(ctx, entry); err != nil {
+		return fmt.Errorf("failed to store billing config: %w", err)
+	}
+
+	return nil
 }
 
 // storeTransitCallCountsLocked must be called with BillingStorageLock held
@@ -519,6 +576,83 @@ func (c *Core) UpdateTransitCallCounts(ctx context.Context, currentMonth time.Ti
 	return transitCount, nil
 }
 
+func (c *Core) UpdateGcpKmsCallCounts(ctx context.Context, currentMonth time.Time) (uint64, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return 0, ErrConsumptionBillingNotInitialized
+	}
+	cb.BillingStorageLock.Lock()
+	defer cb.BillingStorageLock.Unlock()
+	storedGcpKmsCount, err := c.getStoredGcpKmsCallCountsLocked(ctx, billing.LocalPrefix, currentMonth)
+	if err != nil {
+		return 0, err
+	}
+
+	// Sum the current count with the stored count
+	gcpKmsCount := cb.DataProtectionCallCounts.GcpKms.Swap(0) + storedGcpKmsCount
+
+	err = c.storeGcpKmsCallCountsLocked(ctx, gcpKmsCount, billing.LocalPrefix, currentMonth)
+	if err != nil {
+		return 0, err
+	}
+
+	return gcpKmsCount, nil
+}
+
+// storeGcpKmsCallCountsLocked must be called with BillingStorageLock held
+func (c *Core) storeGcpKmsCallCountsLocked(ctx context.Context, gcpKmsCount uint64, localPathPrefix string, month time.Time) error {
+	// Store count for each data protection type separately because they are atomic counters
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, month, billing.GcpKmsDataProtectionCallCountsPrefix)
+	entry := &logical.StorageEntry{
+		Key:   billingPath,
+		Value: []byte(strconv.FormatUint(gcpKmsCount, 10)),
+	}
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return nil
+	}
+	return view.Put(ctx, entry)
+}
+
+// getStoredGcpKmsCallCountsLocked must be called with BillingStorageLock held
+func (c *Core) getStoredGcpKmsCallCountsLocked(ctx context.Context, localPathPrefix string, month time.Time) (uint64, error) {
+	// Retrieve count for each data protection type separately because they are atomic counters
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, month, billing.GcpKmsDataProtectionCallCountsPrefix)
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return 0, nil
+	}
+	entry, err := view.Get(ctx, billingPath)
+	if err != nil {
+		return 0, err
+	}
+	if entry == nil {
+		return 0, nil
+	}
+	gcpKmsCount, err := strconv.ParseUint(string(entry.Value), 10, 64)
+	if err != nil {
+		return 0, err
+	}
+	return gcpKmsCount, nil
+}
+
+func (c *Core) GetStoredGcpKmsCallCounts(ctx context.Context, month time.Time) (uint64, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return 0, ErrConsumptionBillingNotInitialized
+	}
+
+	cb.BillingStorageLock.RLock()
+	defer cb.BillingStorageLock.RUnlock()
+	return c.getStoredGcpKmsCallCountsLocked(ctx, billing.LocalPrefix, month)
+}
+
 func (c *Core) storeKmipEnabledLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time, kmipEnabled bool) error {
 	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.KmipEnabledPrefix)
 	entry, err := logical.StorageEntryJSON(billingPath, kmipEnabled)
@@ -681,3 +815,379 @@ func (c *Core) storePkiDurationAdjustedCountLocked(ctx context.Context, localPat
 
 	return nil
 }
+
+// storeMetricsLastUpdateTimeLocked must be called with BillingStorageLock held
+func (c *Core) storeMetricsLastUpdateTimeLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time, updateTime time.Time) error {
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.MetricsLastUpdatedAtPrefix)
+	entry := &logical.StorageEntry{
+		Key:   billingPath,
+		Value: []byte(updateTime.Format(time.RFC3339)),
+	}
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return nil
+	}
+	return view.Put(ctx, entry)
+}
+
+// getMetricsLastUpdateTimeLocked retrieves timestamp of the last billing metrics update for the given month. If the value does not exist, the 0 timestamp will be returned.
+func (c *Core) getMetricsLastUpdateTimeLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time) (time.Time, error) {
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.MetricsLastUpdatedAtPrefix)
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return time.Time{}, nil
+	}
+	entry, err := view.Get(ctx, billingPath)
+	if err != nil {
+		return time.Time{}, err
+	}
+	if entry == nil {
+		return time.Time{}, nil
+	}
+	updateTime, err := time.Parse(time.RFC3339, string(entry.Value))
+	if err != nil {
+		return time.Time{}, err
+	}
+	return updateTime, nil
+}
+
+func (c *Core) GetMetricsLastUpdateTime(ctx context.Context, currentMonth time.Time) (time.Time, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return time.Time{}, ErrConsumptionBillingNotInitialized
+	}
+
+	// Normalize month to UTC start-of-month to avoid timezone/midnight mismatches
+	normalizedMonth := timeutil.StartOfMonth(currentMonth.UTC())
+
+	cb.BillingStorageLock.RLock()
+	defer cb.BillingStorageLock.RUnlock()
+	return c.getMetricsLastUpdateTimeLocked(ctx, billing.LocalPrefix, normalizedMonth)
+}
+
+// UpdateMetricsLastUpdateTime updates the last update time for billing metrics for the given month, and returns the value that was stored.
+// Note that this last metrics update time is per cluster. It does NOT de-duplicate across clusters. For that reason,
+// we will always store the time at the "local" prefix.
+func (c *Core) UpdateMetricsLastUpdateTime(ctx context.Context, currentMonth, updateTime time.Time) error {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return ErrConsumptionBillingNotInitialized
+	}
+
+	// Normalize month to UTC start-of-month and ensure updateTime is in UTC
+	normalizedMonth := timeutil.StartOfMonth(currentMonth.UTC())
+	updateTime = updateTime.UTC()
+
+	cb.BillingStorageLock.Lock()
+	defer cb.BillingStorageLock.Unlock()
+
+	return c.storeMetricsLastUpdateTimeLocked(ctx, billing.LocalPrefix, normalizedMonth, updateTime)
+}
+
+// GetStoredSSHDurationAdjustedCertCount retrieves the stored SSH duration-adjusted certificate count
+// for the specified month. The count is stored as a float64.
+// Returns 0 if no count has been stored for the given month.
+func (c *Core) GetStoredSSHDurationAdjustedCertCount(ctx context.Context, currentMonth time.Time) (float64, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return 0, errors.New("consumption billing is not initialized")
+	}
+
+	cb.BillingStorageLock.RLock()
+	defer cb.BillingStorageLock.RUnlock()
+
+	return c.getStoredSSHDurationAdjustedCertCountLocked(ctx, billing.LocalPrefix, currentMonth)
+}
+
+func (c *Core) getStoredSSHDurationAdjustedCertCountLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time) (float64, error) {
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.SSHCertificateMetric)
+
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return 0, errors.New("error reading SSH duration-adjusted count: billing subview not available")
+	}
+
+	se, err := view.Get(ctx, billingPath)
+	if se == nil || err != nil {
+		return 0, err
+	}
+
+	var certCount float64
+	err = se.DecodeJSON(&certCount)
+	if err != nil {
+		return 0, fmt.Errorf("error decoding current SSH duration adjusted cert count: %w", err)
+	}
+
+	return certCount, nil
+}
+
+func (c *Core) UpdateStoredSSHDurationAdjustedCertCount(ctx context.Context, currentMonth time.Time, certCount float64) (float64, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return 0, ErrConsumptionBillingNotInitialized
+	}
+	cb.BillingStorageLock.Lock()
+	defer cb.BillingStorageLock.Unlock()
+	storedCertCount, err := c.getStoredSSHDurationAdjustedCertCountLocked(ctx, billing.LocalPrefix, currentMonth)
+	if err != nil {
+		return 0, err
+	}
+
+	err = c.storeSSHDurationAdjustedCertCountLocked(ctx, billing.LocalPrefix, currentMonth, certCount+storedCertCount)
+	if err != nil {
+		return 0, err
+	}
+
+	return certCount, nil
+}
+
+func (c *Core) storeSSHDurationAdjustedCertCountLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time, certCount float64) error {
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.SSHCertificateMetric)
+
+	countBytes, err := jsonutil.EncodeJSON(certCount)
+	if err != nil {
+		return err
+	}
+
+	entry := &logical.StorageEntry{
+		Key:   billingPath,
+		Value: countBytes,
+	}
+
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return nil
+	}
+	return view.Put(ctx, entry)
+}
+
+// GetStoredSSHOTPCount retrieves the stored SSH OTP count
+// for the specified month. The count is stored as a uint64.
+// Returns 0 if no count has been stored for the given month.
+func (c *Core) GetStoredSSHOTPCount(ctx context.Context, currentMonth time.Time) (float64, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return 0, errors.New("consumption billing is not initialized")
+	}
+
+	cb.BillingStorageLock.RLock()
+	defer cb.BillingStorageLock.RUnlock()
+
+	return c.getStoredSSHOTPCountLocked(ctx, billing.LocalPrefix, currentMonth)
+}
+
+func (c *Core) getStoredSSHOTPCountLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time) (float64, error) {
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.SSHOTPMetric)
+
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return 0, errors.New("error reading SSH OTP count: billing subview not available")
+	}
+
+	se, err := view.Get(ctx, billingPath)
+	if se == nil || err != nil {
+		return 0, err
+	}
+
+	var otpCount float64
+	err = se.DecodeJSON(&otpCount)
+	if err != nil {
+		return 0, fmt.Errorf("error decoding current OTP cert count: %w", err)
+	}
+
+	return otpCount, nil
+}
+
+func (c *Core) UpdateStoredSSHOTPCount(ctx context.Context, currentMonth time.Time, otpCount float64) (float64, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return 0, ErrConsumptionBillingNotInitialized
+	}
+	cb.BillingStorageLock.Lock()
+	defer cb.BillingStorageLock.Unlock()
+	storedOTPCount, err := c.getStoredSSHOTPCountLocked(ctx, billing.LocalPrefix, currentMonth)
+	if err != nil {
+		return 0, err
+	}
+
+	err = c.storeSSHOTPCountLocked(ctx, billing.LocalPrefix, currentMonth, otpCount+storedOTPCount)
+	if err != nil {
+		return 0, err
+	}
+
+	return otpCount, nil
+}
+
+func (c *Core) storeSSHOTPCountLocked(ctx context.Context, localPathPrefix string, currentMonth time.Time, otpCount float64) error {
+	billingPath := billing.GetMonthlyBillingMetricPath(localPathPrefix, currentMonth, billing.SSHOTPMetric)
+
+	countBytes, err := jsonutil.EncodeJSON(otpCount)
+	if err != nil {
+		return err
+	}
+
+	entry := &logical.StorageEntry{
+		Key:   billingPath,
+		Value: countBytes,
+	}
+
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return nil
+	}
+	return view.Put(ctx, entry)
+}
+
+// GetStoredOidcDurationAdjustedCount retrieves the stored OIDC duration-adjusted token count
+// for the specified month. The count is stored as a float64 string with 4 decimal places of precision.
+// Returns 0 if no count has been stored for the given month.
+func (c *Core) GetStoredOidcDurationAdjustedCount(ctx context.Context, currentMonth time.Time) (float64, error) {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return 0, errors.New("consumption billing is not initialized")
+	}
+
+	cb.BillingStorageLock.RLock()
+	defer cb.BillingStorageLock.RUnlock()
+
+	return c.getStoredOidcDurationAdjustedCountLocked(ctx, currentMonth)
+}
+
+func (c *Core) getStoredOidcDurationAdjustedCountLocked(ctx context.Context, currentMonth time.Time) (float64, error) {
+	billingPath := billing.GetMonthlyBillingMetricPath(billing.LocalPrefix, currentMonth, billing.OidcDurationAdjustedCountPrefix)
+
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return 0, errors.New("error reading OIDC duration-adjusted token count: billing subview not available")
+	}
+
+	se, err := view.Get(ctx, billingPath)
+	if se == nil || err != nil {
+		return 0, err
+	}
+
+	currentCount, err := strconv.ParseFloat(string(se.Value), 64)
+	if err != nil {
+		return 0, fmt.Errorf("error decoding current OIDC duration-adjusted token count: %w", err)
+	}
+
+	return currentCount, nil
+}
+
+// IncrementOidcTokenCount increments the in-memory OIDC token count and total duration hours.
+// This is called each time an OIDC token is created. The counts are flushed to storage
+// periodically by the consumption billing metrics worker.
+// Note: OidcTokenDuration is not normalized and is duration-adjusted during flush to storage in UpdateOidcDurationAdjustedCount.
+func (c *Core) IncrementOidcTokenCount(durationSeconds float64) {
+	c.consumptionBillingLock.Lock()
+	defer c.consumptionBillingLock.Unlock()
+
+	cb := c.consumptionBilling
+
+	if cb == nil {
+		return
+	}
+
+	// Update raw token duration
+	cb.IdentityTokenUnits.OidcTokenDuration.Add(durationSeconds)
+}
+
+// UpdateOidcDurationAdjustedCountFromMemory reads the in-memory OIDC token counts and duration,
+// normalizes them to duration-adjusted counts, and flushes them to storage.
+// This is called periodically by the consumption billing metrics worker.
+func (c *Core) UpdateOidcDurationAdjustedCount(ctx context.Context, currentMonth time.Time) error {
+	c.consumptionBillingLock.RLock()
+	cb := c.consumptionBilling
+	c.consumptionBillingLock.RUnlock()
+
+	if cb == nil {
+		return ErrConsumptionBillingNotInitialized
+	}
+
+	cb.BillingStorageLock.Lock()
+	defer cb.BillingStorageLock.Unlock()
+
+	// Get in-memory raw token duration and reset value in memory
+	// Using Swap to atomically reset the value. If Vault crashes after a successful storage update but before reset, this prevents double counting.
+	totalTokenDurationSecondsFromMemory := cb.IdentityTokenUnits.OidcTokenDuration.Swap(0)
+
+	// Calculate duration-adjusted count from raw data
+	durationAdjustedCountMemory := DurationAdjustedTokenCount(totalTokenDurationSecondsFromMemory)
+
+	return c.storeOidcDurationAdjustedCountLocked(ctx, currentMonth, durationAdjustedCountMemory)
+}
+
+func (c *Core) storeOidcDurationAdjustedCountLocked(ctx context.Context, currentMonth time.Time, inc float64) error {
+	if inc < 0 {
+		return fmt.Errorf("OIDC duration-adjusted increment must be non-negative, got %f", inc)
+	}
+
+	// Get stored count from previous flush
+	// this is duration-adjusted token count from storage
+	currentCount, err := c.getStoredOidcDurationAdjustedCountLocked(ctx, currentMonth)
+	if err != nil {
+		return err
+	}
+
+	// Sum the inc with the stored count which is the updated count
+	newCount := inc + currentCount
+
+	billingPath := billing.GetMonthlyBillingMetricPath(billing.LocalPrefix, currentMonth, billing.OidcDurationAdjustedCountPrefix)
+	view, ok := c.GetBillingSubView()
+	if !ok {
+		return errors.New("error storing OIDC duration-adjusted token count: billing subview not available")
+	}
+
+	// Write new value
+	entry := &logical.StorageEntry{
+		Key:   billingPath,
+		Value: []byte(strconv.FormatFloat(newCount, 'f', 4, 64)),
+	}
+
+	if err := view.Put(ctx, entry); err != nil {
+		return fmt.Errorf("error writing OIDC duration-adjusted token count: %w", err)
+	}
+
+	return nil
+}
+
+// DurationAdjustedTokenCount calculates the billable units for a token based on its
+// validity duration.
+// WARNING: Beware the maximum value for time.Duration (approximately 290 years).
+// The calculation follows the billing specification:
+// - Standard duration is 730 hours (1 month)
+// - Units = (Validity Hours ÷ 730), rounded to 4 decimal places
+// - Example: 1-year cert (8760 hours) = 12.0000 units
+// - Example: 1-day cert (24 hours) = 0.0329 units
+func DurationAdjustedTokenCount(tokenDurationSeconds float64) float64 {
+	validityHours := tokenDurationSeconds / (time.Hour.Seconds())
+	units := validityHours / DurationAdjustedStandardDuration
+	// Round to 4 decimal places
+	ret := math.Round(units*DecimalPrecisionMultiplier) / DecimalPrecisionMultiplier
+	if ret == 0.0 && tokenDurationSeconds > 0 {
+		// Ensure we don't return 0.0, which would be interpreted as no billable units.
+		return MinBillableUnits
+	}
+	return ret
+}
diff --git a/vault/consumption_billing_util_stubs_oss.go b/vault/consumption_billing_util_stubs_oss.go
index 61eb262561..0ae10e9c8f 100644
--- a/vault/consumption_billing_util_stubs_oss.go
+++ b/vault/consumption_billing_util_stubs_oss.go
@@ -18,3 +18,23 @@ func (c *Core) UpdateTransformCallCounts(ctx context.Context, currentMonth time.
 func (c *Core) GetStoredTransformCallCounts(ctx context.Context, month time.Time) (uint64, error) {
 	return 0, nil
 }
+
+func (c *Core) GetStoredSpiffeJwtTokenUnits(ctx context.Context, currentMonth time.Time) (float64, error) {
+	// No-op in OSS
+	return 0, nil
+}
+
+func (c *Core) UpdateSpiffeJwtTokenUnits(ctx context.Context, currentMonth time.Time) (float64, error) {
+	// No-op in OSS
+	return 0, nil
+}
+
+func (c *Core) GetStoredExternalCaCertUnits(ctx context.Context, currentMonth time.Time) (float64, error) {
+	// No-op in OSS
+	return 0, nil
+}
+
+func (c *Core) UpdateExternalCaCertUnits(ctx context.Context, currentMonth time.Time) (float64, error) {
+	// No-op in OSS
+	return 0, nil
+}
diff --git a/vault/consumption_billing_util_test.go b/vault/consumption_billing_util_test.go
index 094b48cbcb..10fd9d7851 100644
--- a/vault/consumption_billing_util_test.go
+++ b/vault/consumption_billing_util_test.go
@@ -6,6 +6,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"math"
 	"testing"
 	"time"
 
@@ -23,6 +24,7 @@ import (
 	logicalDatabase "github.com/hashicorp/vault/builtin/logical/database"
 	logicalNomad "github.com/hashicorp/vault/builtin/logical/nomad"
 	logicalRabbitMQ "github.com/hashicorp/vault/builtin/logical/rabbitmq"
+	"github.com/hashicorp/vault/builtin/logical/ssh"
 	"github.com/hashicorp/vault/builtin/logical/totp"
 	"github.com/hashicorp/vault/builtin/logical/transit"
 	"github.com/hashicorp/vault/helper/namespace"
@@ -279,7 +281,8 @@ func TestHWMRoleCounts(t *testing.T) {
 	firstCounts := core.GetRoleCounts()
 	verifyExpectedRoleCounts(t, firstCounts, 5)
 
-	counts, _, err := core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
+	roles, keys := core.GetRoleAndManagedKeyCounts(billing.ReplicatedPrefix)
+	counts, _, err := core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now(), roles, keys)
 	require.NoError(t, err)
 
 	verifyExpectedRoleCounts(t, counts, 5)
@@ -295,7 +298,8 @@ func TestHWMRoleCounts(t *testing.T) {
 		addRoleToStorage(t, core, tc.mount, tc.key, 2)
 	}
 
-	counts, _, err = core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
+	roles, keys = core.GetRoleAndManagedKeyCounts(billing.ReplicatedPrefix)
+	counts, _, err = core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now(), roles, keys)
 	require.NoError(t, err)
 
 	verifyExpectedRoleCounts(t, counts, 5)
@@ -311,7 +315,8 @@ func TestHWMRoleCounts(t *testing.T) {
 		addRoleToStorage(t, core, tc.mount, tc.key, 8)
 	}
 
-	counts, _, err = core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
+	roles, keys = core.GetRoleAndManagedKeyCounts(billing.ReplicatedPrefix)
+	counts, _, err = core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now(), roles, keys)
 	require.NoError(t, err)
 
 	verifyExpectedRoleCounts(t, counts, 8)
@@ -327,7 +332,8 @@ func TestHWMRoleCounts(t *testing.T) {
 		addRoleToStorage(t, core, tc.mount, tc.key, 5)
 	}
 
-	counts, _, err = core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
+	roles, keys = core.GetRoleAndManagedKeyCounts(billing.ReplicatedPrefix)
+	counts, _, err = core.UpdateMaxRoleAndManagedKeyCounts(context.Background(), billing.ReplicatedPrefix, time.Now(), roles, keys)
 	require.NoError(t, err)
 
 	verifyExpectedRoleCounts(t, counts, 8)
@@ -399,6 +405,51 @@ func TestHWMKvSecretsCounts(t *testing.T) {
 	require.Equal(t, 5, counts)
 }
 
+// TestStoreAndGetMetricsLastUpdateTimeLocked tests the store/get helpers
+// that operate under the BillingStorageLock
+func TestStoreAndGetMetricsLastUpdateTimeLocked(t *testing.T) {
+	coreConfig := &CoreConfig{}
+	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	ctx := namespace.RootContext(context.Background())
+	month := time.Now()
+	updateTime := time.Now().UTC().Truncate(time.Second)
+
+	// Acquire billing storage lock as required by the helper contract
+	core.consumptionBilling.BillingStorageLock.Lock()
+	defer core.consumptionBilling.BillingStorageLock.Unlock()
+
+	// Store under local prefix and verify
+	err := core.storeMetricsLastUpdateTimeLocked(ctx, billing.LocalPrefix, month, updateTime)
+	require.NoError(t, err)
+
+	got, err := core.getMetricsLastUpdateTimeLocked(ctx, billing.LocalPrefix, month)
+	require.NoError(t, err)
+	require.Equal(t, updateTime.Format(time.RFC3339), got.Format(time.RFC3339))
+
+	// Ensure other prefix returns zero when not set
+	gotReplicated, err := core.getMetricsLastUpdateTimeLocked(ctx, billing.ReplicatedPrefix, month)
+	require.NoError(t, err)
+	require.True(t, gotReplicated.IsZero(), "replicated prefix should have no stored timestamp")
+}
+
+// TestUpdateAndGetMetricsLastUpdateTime tests the public Update/Get helpers for the metrics last update time
+func TestUpdateAndGetMetricsLastUpdateTime(t *testing.T) {
+	coreConfig := &CoreConfig{}
+	core, _, _ := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	ctx := namespace.RootContext(context.Background())
+	month := time.Now()
+	updateTime := time.Now().UTC().Truncate(time.Second)
+
+	err := core.UpdateMetricsLastUpdateTime(ctx, month, updateTime)
+	require.NoError(t, err)
+
+	got, err := core.GetMetricsLastUpdateTime(ctx, month)
+	require.NoError(t, err)
+	require.Equal(t, updateTime.Format(time.RFC3339), got.Format(time.RFC3339))
+}
+
 // TestStoreAndGetMaxTotpKeyCounts verifies that we can store and retrieve the HWM totp key counts correctly
 func TestStoreAndGetMaxTotpKeyCounts(t *testing.T) {
 	coreConfig := &CoreConfig{
@@ -519,7 +570,6 @@ func TestHWMTotpKeyCounts(t *testing.T) {
 
 // TestTransitDataProtectionCallCounts tests that we correctly store and track the transit data protection call counts
 func TestTransitDataProtectionCallCounts(t *testing.T) {
-	t.Parallel()
 	coreConfig := &CoreConfig{
 		LogicalBackends: map[string]logical.Factory{
 			"transit": transit.Factory,
@@ -764,6 +814,265 @@ func TestTransitDataProtectionCallCounts(t *testing.T) {
 	require.Equal(t, uint64(0), core.GetInMemoryTransitDataProtectionCallCounts(), "Counter should still be 0")
 }
 
+// TestSSHCertCounts tests that we correctly store and track the SSH certificate counts
+func TestSSHCertCounts(t *testing.T) {
+	standardDuration := 730.0
+	validityHours := float64(60*60*24) / 3600.0
+	units := validityHours / standardDuration
+	// Round to 4 decimal places
+	expectedCertUnit := math.Round(units*10000) / 10000
+
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"ssh": ssh.Factory,
+		},
+	}
+
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	// Mount SSH backend
+	req := logical.TestRequest(t, logical.CreateOperation, "sys/mounts/ssh")
+	req.Data["type"] = "ssh"
+	req.ClientToken = root
+	ctx := namespace.RootContext(context.Background())
+	_, err := core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	// Create a certificate
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/config/ca")
+	req.ClientToken = root
+	_, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/roles/test")
+	req.ClientToken = root
+	req.Data["key_type"] = "ca"
+	req.Data["allow_user_certificates"] = true
+	req.Data["allow_empty_principals"] = true
+	req.Data["ttl"] = "1d"
+	_, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/issue/test")
+	req.ClientToken = root
+	resp, err := core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	// Verify that the SSH counter is incremented
+	require.Equal(t, expectedCertUnit, core.certCountManager.GetCounts().SSHIssuedCerts)
+
+	// Test sign endpoint
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/sign/test")
+	req.Data["public_key"] = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBp4mozY/snvG/+pkgv4xYifIFB2ov3gAvAqXgFqNpj vault-enterprise-key"
+	req.ClientToken = root
+	resp, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	// Verify that the SSH counter is incremented
+	require.Equal(t, expectedCertUnit*2, core.certCountManager.GetCounts().SSHIssuedCerts)
+
+	// Now test persisting the summed counts - store and retrieve counts
+	// First, update the SSH cert counts (this will sum current counter with stored value)
+	currentCount := core.certCountManager.GetCounts().SSHIssuedCerts
+	core.certCountManager.StopConsumerJob()
+
+	time.Sleep(20 * time.Millisecond)
+
+	// Verify the counter was reset after update
+	require.Equal(t, float64(0), core.certCountManager.GetCounts().SSHIssuedCerts, "Counter should be reset after update")
+
+	// Retrieve the stored counts
+	storedCounts, err := core.GetStoredSSHDurationAdjustedCertCount(ctx, time.Now())
+	require.NoError(t, err)
+	require.Equal(t, currentCount, storedCounts)
+
+	core.certCountManager.StartConsumerJob(core.consumeCertCounts)
+
+	// Perform more operations to increase the counter
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/issue/test")
+	req.ClientToken = root
+	resp, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	// Counter should now be 1 cert
+	require.Equal(t, expectedCertUnit, core.certCountManager.GetCounts().SSHIssuedCerts)
+
+	// Update counts again - should sum the new count with the stored count
+	core.certCountManager.StopConsumerJob()
+	time.Sleep(20 * time.Millisecond)
+
+	// Verify the counter was reset after update
+	require.Equal(t, float64(0), core.certCountManager.GetCounts().SSHIssuedCerts, "Counter should be reset after update")
+
+	// Verify stored counts are now the sum
+	summedCounts, err := core.GetStoredSSHDurationAdjustedCertCount(ctx, time.Now())
+	require.NoError(t, err)
+
+	expectedSum := currentCount + expectedCertUnit
+	require.Equal(t, expectedSum, summedCounts, "Count should be sum of stored and current")
+
+	core.certCountManager.StartConsumerJob(core.consumeCertCounts)
+
+	// Add more operations without manually resetting
+	for i := 0; i < 3; i++ {
+		req = logical.TestRequest(t, logical.UpdateOperation, "ssh/sign/test")
+		req.Data["public_key"] = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBp4mozY/snvG/+pkgv4xYifIFB2ov3gAvAqXgFqNpj vault-enterprise-key"
+		req.ClientToken = root
+		resp, err = core.HandleRequest(ctx, req)
+		require.NoError(t, err)
+		require.Nil(t, resp.Error())
+	}
+
+	// Counter should be 3 certs
+	require.Equal(t, expectedCertUnit*3, core.certCountManager.GetCounts().SSHIssuedCerts)
+
+	// Update counts - should sum 3 with the previous stored sum
+	core.certCountManager.StopConsumerJob()
+	time.Sleep(20 * time.Millisecond)
+
+	// Verify the counter was reset after update
+	require.Equal(t, float64(0), core.certCountManager.GetCounts().SSHIssuedCerts, "Counter should be reset after update")
+
+	// Verify stored counts
+	storedCounts, err = core.GetStoredSSHDurationAdjustedCertCount(ctx, time.Now())
+	require.NoError(t, err)
+	expectedSum += expectedCertUnit * 3
+	require.Equal(t, expectedSum, storedCounts)
+}
+
+// TestSSHOTPCounts tests that we correctly store and track the SSH OTP counts
+func TestSSHOTPCounts(t *testing.T) {
+	expectedOTPUnit := 0.0014
+
+	coreConfig := &CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"ssh": ssh.Factory,
+		},
+	}
+
+	core, _, root := TestCoreUnsealedWithConfig(t, coreConfig)
+
+	// Mount SSH backend
+	req := logical.TestRequest(t, logical.CreateOperation, "sys/mounts/ssh")
+	req.Data["type"] = "ssh"
+	req.ClientToken = root
+	ctx := namespace.RootContext(context.Background())
+	_, err := core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	// Create a certificate
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/config/ca")
+	req.ClientToken = root
+	_, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/roles/test")
+	req.ClientToken = root
+	req.Data["key_type"] = "otp"
+	req.Data["default_user"] = "user"
+	_, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/config/zeroaddress")
+	req.ClientToken = root
+	req.Data["roles"] = "test"
+	_, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/creds/test")
+	req.ClientToken = root
+	req.Data["ip"] = "1.2.3.4"
+	resp, err := core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	// Verify that the SSH counter is incremented
+	require.Equal(t, expectedOTPUnit, core.certCountManager.GetCounts().SSHIssuedOTPs)
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/creds/test")
+	req.ClientToken = root
+	req.Data["ip"] = "1.2.3.4"
+	resp, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	// Verify that the SSH counter is incremented
+	require.Equal(t, expectedOTPUnit*2, core.certCountManager.GetCounts().SSHIssuedOTPs)
+
+	// Now test persisting the summed counts - store and retrieve counts
+	// First, update the SSH cert counts (this will sum current counter with stored value)
+	currentCount := core.certCountManager.GetCounts().SSHIssuedOTPs
+	core.certCountManager.StopConsumerJob()
+
+	time.Sleep(20 * time.Millisecond)
+
+	// Verify the counter was reset after update
+	require.Equal(t, float64(0), core.certCountManager.GetCounts().SSHIssuedOTPs, "Counter should be reset after update")
+
+	// Retrieve the stored counts
+	storedCounts, err := core.GetStoredSSHOTPCount(ctx, time.Now())
+	require.NoError(t, err)
+	require.Equal(t, currentCount, storedCounts)
+
+	core.certCountManager.StartConsumerJob(core.consumeCertCounts)
+
+	// Perform more operations to increase the counter
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/creds/test")
+	req.ClientToken = root
+	req.Data["ip"] = "1.2.3.4"
+	resp, err = core.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	// Counter should now be 1 unit
+	require.Equal(t, expectedOTPUnit, core.certCountManager.GetCounts().SSHIssuedOTPs)
+
+	// Update counts again - should sum the new count with the stored count
+	core.certCountManager.StopConsumerJob()
+	time.Sleep(20 * time.Millisecond)
+
+	// Verify the counter was reset after update
+	require.Equal(t, float64(0), core.certCountManager.GetCounts().SSHIssuedOTPs, "Counter should be reset after update")
+
+	// Verify stored counts are now the sum
+	summedCounts, err := core.GetStoredSSHOTPCount(ctx, time.Now())
+	require.NoError(t, err)
+
+	expectedSum := currentCount + expectedOTPUnit
+	require.Equal(t, expectedSum, summedCounts, "Count should be sum of stored and current")
+
+	core.certCountManager.StartConsumerJob(core.consumeCertCounts)
+
+	// Add more operations without manually resetting
+	for i := 0; i < 3; i++ {
+		req = logical.TestRequest(t, logical.UpdateOperation, "ssh/creds/test")
+		req.ClientToken = root
+		req.Data["ip"] = "1.2.3.4"
+		resp, err = core.HandleRequest(ctx, req)
+		require.NoError(t, err)
+		require.Nil(t, resp.Error())
+	}
+
+	// Counter should be 3 units
+	require.Equal(t, expectedOTPUnit*3, core.certCountManager.GetCounts().SSHIssuedOTPs)
+
+	// Update counts - should sum 3 with the previous stored sum
+	core.certCountManager.StopConsumerJob()
+	time.Sleep(20 * time.Millisecond)
+
+	// Verify the counter was reset after update
+	require.Equal(t, float64(0), core.certCountManager.GetCounts().SSHIssuedOTPs, "Counter should be reset after update")
+
+	// Verify stored counts
+	storedCounts, err = core.GetStoredSSHOTPCount(ctx, time.Now())
+	require.NoError(t, err)
+	expectedSum += 3 * expectedOTPUnit
+	require.Equal(t, expectedSum, storedCounts)
+}
+
 func addRoleToStorage(t *testing.T, core *Core, mount string, key string, numberOfKeys int) {
 	raw, ok := core.router.root.Get(mount + "/")
 	if !ok {
@@ -880,3 +1189,476 @@ func deleteTotpKeyFromStorage(t *testing.T, ctx context.Context, core *Core, mou
 	_, err := core.HandleRequest(ctx, req)
 	require.NoError(t, err)
 }
+
+// TestGetStoredOidcDurationAdjustedCount tests reading OIDC duration-adjusted token counts from storage
+func TestGetStoredOidcDurationAdjustedCount(t *testing.T) {
+	tests := []struct {
+		name          string
+		storedData    map[time.Time]float64 // month -> duration-adjusted token count to store before test
+		queryMonth    time.Time
+		expectedCount float64
+	}{
+		{
+			name:          "returns zero when no data exists",
+			storedData:    nil,
+			queryMonth:    time.Date(2026, 2, 1, 0, 0, 0, 0, time.UTC),
+			expectedCount: 0,
+		},
+		{
+			name: "returns stored count when data exists",
+			storedData: map[time.Time]float64{
+				time.Date(2026, 2, 1, 0, 0, 0, 0, time.UTC): 42.5,
+			},
+			queryMonth:    time.Date(2026, 2, 1, 0, 0, 0, 0, time.UTC),
+			expectedCount: 42.5,
+		},
+		{
+			name: "returns correct count for first month when multiple months exist",
+			storedData: map[time.Time]float64{
+				time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC): 10.5,
+				time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC): 20.5,
+			},
+			queryMonth:    time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
+			expectedCount: 10.5,
+		},
+		{
+			name: "returns correct count for second month when multiple months exist",
+			storedData: map[time.Time]float64{
+				time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC): 10.5,
+				time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC): 20.5,
+			},
+			queryMonth:    time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC),
+			expectedCount: 20.5,
+		},
+		{
+			name:          "returns zero for non-existent month",
+			storedData:    nil,
+			queryMonth:    time.Date(2027, 12, 1, 0, 0, 0, 0, time.UTC),
+			expectedCount: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Create fresh core instance for test isolation
+			core, _, _ := TestCoreUnsealed(t)
+			ctx := context.Background()
+
+			// Store test data if provided
+			for month, count := range tt.storedData {
+				err := core.storeOidcDurationAdjustedCountLocked(ctx, month, count)
+				require.NoError(t, err)
+			}
+
+			// Execute test and verify
+			count, err := core.GetStoredOidcDurationAdjustedCount(ctx, tt.queryMonth)
+			require.NoError(t, err)
+			require.Equal(t, tt.expectedCount, count)
+		})
+	}
+}
+
+// TestUpdateOidcDurationAdjustedCount tests storing and incrementing OIDC duration-adjusted token counts
+func TestUpdateOidcDurationAdjustedCount(t *testing.T) {
+	tests := []struct {
+		name          string
+		month         time.Time
+		increments    []float64 // sequence of increments to apply
+		expectedCount float64   // expected final duration-adjusted token count
+		errorContains string
+		delta         float64 // delta value for InDelta
+	}{
+		{
+			name:          "stores initial count",
+			month:         time.Date(2026, 2, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{15.5},
+			expectedCount: 15.5,
+		},
+		{
+			name:          "increments existing count",
+			month:         time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{10.0, 5.5},
+			expectedCount: 15.5,
+		},
+		{
+			name:          "handles multiple increments",
+			month:         time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{1.5, 2.5, 3.0, 4.5},
+			expectedCount: 11.5,
+		},
+		{
+			name:          "rejects negative increments",
+			month:         time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{100.0, -25.5},
+			expectedCount: 100.0,
+			errorContains: "must be non-negative",
+		},
+		{
+			name:          "handles zero increment",
+			month:         time.Date(2026, 7, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{30.0, 0.0},
+			expectedCount: 30.0,
+		},
+		{
+			name:          "handles fractional increments accurately",
+			month:         time.Date(2026, 8, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{0.1, 0.2, 0.3},
+			expectedCount: 0.6,
+			// This uses a larger delta because adding small decimals like 0.1, 0.2, 0.3 can introduce floating-point rounding errors
+			// The expected result is 0.6, but due to binary floating-point representation, the actual sum might be 0.5999999999999999 or 0.6000000000000001
+			delta: 0.0001,
+		},
+		{
+			name:          "updates count through public method",
+			month:         time.Date(2026, 9, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{25.5},
+			expectedCount: 25.5,
+		},
+		{
+			name:          "handles minimum increment of 0.0001",
+			month:         time.Date(2026, 11, 1, 0, 0, 0, 0, time.UTC),
+			increments:    []float64{1.0, 0.0001},
+			expectedCount: 1.0001,
+			// This uses a smaller, more precise delta because:
+			// 1.0 is exactly representable in binary floating-point
+			// 0.0001 is the minimum precision we support (4 decimal places)
+			// The sum 1.0001 should be very close to exact
+			// We need to verify that the 4-decimal precision is maintained, so we use a tighter tolerance (0.00001)
+			delta: 0.00001,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			core, _, _ := TestCoreUnsealed(t)
+			ctx := context.Background()
+
+			// Apply increments sequentially
+			var lastErr error
+			for _, increment := range tt.increments {
+				err := core.storeOidcDurationAdjustedCountLocked(ctx, tt.month, increment)
+				if err != nil {
+					lastErr = err
+					break
+				}
+			}
+
+			// Verify error expectations
+			if tt.errorContains != "" {
+				require.ErrorContains(t, lastErr, tt.errorContains)
+			} else {
+				require.NoError(t, lastErr)
+			}
+
+			// Verify the final count
+			count, err := core.GetStoredOidcDurationAdjustedCount(ctx, tt.month)
+			require.NoError(t, err)
+
+			if tt.delta > 0 {
+				require.InDelta(t, tt.expectedCount, count, tt.delta)
+			} else {
+				require.Equal(t, tt.expectedCount, count)
+			}
+		})
+	}
+}
+
+// TestIncrementOidcTokenCount tests incrementing in-memory OIDC token counts
+func TestIncrementOidcTokenCount(t *testing.T) {
+	tests := []struct {
+		name                       string
+		durations                  []float64 // sequence of token durations in seconds to increment
+		expectedInMemTokenCount    uint64
+		expectedInMemTotalDuration float64
+	}{
+		{
+			name:                       "increments single token",
+			durations:                  []float64{3600.0}, // 1 hour
+			expectedInMemTokenCount:    1,
+			expectedInMemTotalDuration: 3600.0,
+		},
+		{
+			name:                       "increments multiple tokens",
+			durations:                  []float64{3600.0, 7200.0, 1800.0}, // 1h, 2h, 30m
+			expectedInMemTokenCount:    3,
+			expectedInMemTotalDuration: 12600.0,
+		},
+		{
+			name:                       "handles zero duration",
+			durations:                  []float64{3600.0, 0.0, 1800.0},
+			expectedInMemTokenCount:    3,
+			expectedInMemTotalDuration: 5400.0,
+		},
+		{
+			name:                       "handles fractional durations",
+			durations:                  []float64{100.5, 200.3, 300.7},
+			expectedInMemTokenCount:    3,
+			expectedInMemTotalDuration: 601.5,
+		},
+		{
+			name:                       "handles very small durations",
+			durations:                  []float64{0.001, 0.002, 0.003},
+			expectedInMemTokenCount:    3,
+			expectedInMemTotalDuration: 0.006,
+		},
+		{
+			name:                       "handles large number of increments",
+			durations:                  []float64{60.0, 60.0, 60.0, 60.0, 60.0, 60.0, 60.0, 60.0, 60.0, 60.0}, // 10 tokens of 1 min each
+			expectedInMemTokenCount:    10,
+			expectedInMemTotalDuration: 600.0,
+		},
+		{
+			name:                       "handles mixed duration values",
+			durations:                  []float64{1.5, 3600.5, 0.5, 7200.25, 86400.75}, // mix of small and large
+			expectedInMemTokenCount:    5,
+			expectedInMemTotalDuration: 97203.5,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Create fresh core instance for test isolation
+			core, _, _ := TestCoreUnsealed(t)
+
+			// Apply increments sequentially
+			for _, duration := range tt.durations {
+				core.IncrementOidcTokenCount(duration)
+			}
+
+			// Verify in-memory counters
+			core.consumptionBillingLock.RLock()
+			actualTotalDuration := core.consumptionBilling.IdentityTokenUnits.OidcTokenDuration.Load()
+			core.consumptionBillingLock.RUnlock()
+			require.Equal(t, tt.expectedInMemTotalDuration, actualTotalDuration)
+		})
+	}
+}
+
+// TestDurationAdjustedTokenCount tests the duration-adjusted token count calculation
+func TestDurationAdjustedTokenCount(t *testing.T) {
+	tests := []struct {
+		name          string
+		tokenDuration float64 // duration in seconds
+		expectedUnits float64 // expected billing units
+	}{
+		{
+			name:          "zero duration returns zero",
+			tokenDuration: 0.0,
+			expectedUnits: 0.0,
+		},
+		{
+			name:          "very small duration returns minimum 0.0001 (MinBillableUnits)",
+			tokenDuration: 1.0, // 1 second
+			expectedUnits: MinBillableUnits,
+		},
+		{
+			name:          "one hour token",
+			tokenDuration: time.Hour.Seconds(), // 1 hour
+			expectedUnits: 0.0014,              // 1/730 rounded to 4 decimals
+		},
+		{
+			name:          "one day token",
+			tokenDuration: 24 * time.Hour.Seconds(), // 24 hours
+			expectedUnits: 0.0329,                   // 24/730 rounded to 4 decimals
+		},
+		{
+			name:          "one week token",
+			tokenDuration: 7 * 24 * time.Hour.Seconds(), // 168 hours
+			expectedUnits: 0.2301,                       // 168/730 rounded to 4 decimals
+		},
+		{
+			name:          "30 day token",
+			tokenDuration: 30 * 24 * time.Hour.Seconds(), // 720 hours
+			expectedUnits: 0.9863,                        // 720/730 rounded to 4 decimals
+		},
+		{
+			name:          "standard duration token (730 hours)",
+			tokenDuration: DurationAdjustedStandardDuration * time.Hour.Seconds(), // 730 hours in seconds
+			expectedUnits: 1.0,
+		},
+		{
+			name:          "90 day token",
+			tokenDuration: 90 * 24 * time.Hour.Seconds(), // 2160 hours
+			expectedUnits: 2.9589,                        // 2160/730 rounded to 4 decimals
+		},
+		{
+			name:          "one year token",
+			tokenDuration: 365 * 24 * time.Hour.Seconds(), // 8760 hours
+			expectedUnits: 12.0,                           // 8760/730 = 12
+		},
+		{
+			name:          "fractional hour token",
+			tokenDuration: 1800.0, // 0.5 hours
+			expectedUnits: 0.0007, // 0.5/730 rounded to 4 decimals
+		},
+		{
+			name:          "rounds to 4 decimal places",
+			tokenDuration: 3650.0, // ~1.014 hours
+			expectedUnits: 0.0014, // 1.014/730 = 0.00138904... rounds to 0.0014
+		},
+		{
+			name:          "minimum non-zero value",
+			tokenDuration: 100.0,  // very small duration
+			expectedUnits: 0.0001, // rounds to 0 but returns minimum 0.0001
+		},
+		{
+			name:          "large duration value",
+			tokenDuration: 315360000.0, // 10 years in seconds
+			expectedUnits: 120.0,       // 87600/730 = 120
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			result := DurationAdjustedTokenCount(tt.tokenDuration)
+			require.Equal(t, tt.expectedUnits, result)
+		})
+	}
+}
+
+// TestConcurrentOidcDurationAdjustedCount tests concurrent updates to OIDC duration-adjusted counts
+func TestConcurrentOidcDurationAdjustedCount(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ctx := context.Background()
+
+	month := time.Date(2026, 10, 1, 0, 0, 0, 0, time.UTC)
+	numGoroutines := 10
+	incrementPerGoroutine := 1.0
+
+	// Launch concurrent updates
+	done := make(chan bool, numGoroutines)
+	for i := 0; i < numGoroutines; i++ {
+		go func() {
+			// Acquire lock before calling the locked function
+			core.consumptionBilling.BillingStorageLock.Lock()
+			err := core.storeOidcDurationAdjustedCountLocked(ctx, month, incrementPerGoroutine)
+			core.consumptionBilling.BillingStorageLock.Unlock()
+			require.NoError(t, err)
+			done <- true
+		}()
+	}
+
+	// Wait for all goroutines to complete
+	for i := 0; i < numGoroutines; i++ {
+		<-done
+	}
+
+	// Verify the total count
+	count, err := core.GetStoredOidcDurationAdjustedCount(ctx, month)
+	require.NoError(t, err)
+	require.Equal(t, float64(numGoroutines)*incrementPerGoroutine, count)
+}
+
+// TestGcpKmsDataProtectionCallCounts tests that we correctly store and track the GCP KMS data protection call counts
+func TestGcpKmsDataProtectionCallCounts(t *testing.T) {
+	t.Parallel()
+
+	coreConfig := &CoreConfig{
+		BillingConfig: billing.BillingConfig{
+			MetricsUpdateCadence: 3 * time.Second,
+		},
+	}
+	core, _, _, _ := TestCoreUnsealedWithMetricsAndConfig(t, coreConfig)
+
+	ctx := context.Background()
+	currentMonth := time.Now()
+
+	// Simulate GCP KMS plugin writing billing data (this is what the plugin does when operations occur)
+	// In a real scenario, this would be triggered by actual encrypt/decrypt/sign/verify operations
+	err := core.consumptionBilling.WriteBillingData(ctx, "gcpkms", map[string]interface{}{
+		"count": uint64(1),
+	})
+	require.NoError(t, err)
+
+	// Verify that the GCP KMS counter is incremented
+	require.Equal(t, uint64(1), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Wait until the data protection calls are updated and verify that the value in storage is correct
+	require.Eventually(t, func() bool {
+		counts, err := core.GetStoredGcpKmsCallCounts(ctx, currentMonth)
+		return err == nil && counts == 1
+	}, 5*time.Second, 100*time.Millisecond)
+
+	// The in memory counter should be reset after the update
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Simulate more operations
+	err = core.consumptionBilling.WriteBillingData(ctx, "gcpkms", map[string]interface{}{
+		"count": uint64(1),
+	})
+	require.NoError(t, err)
+	err = core.consumptionBilling.WriteBillingData(ctx, "gcpkms", map[string]interface{}{
+		"count": uint64(1),
+	})
+	require.NoError(t, err)
+
+	// Verify that the GCP KMS counter is incremented
+	require.Equal(t, uint64(2), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Wait until the data protection calls are updated and verify that the value in storage is correct
+	require.Eventually(t, func() bool {
+		counts, err := core.GetStoredGcpKmsCallCounts(ctx, currentMonth)
+		return err == nil && counts == 3
+	}, 5*time.Second, 100*time.Millisecond)
+
+	// The in memory counter should be reset after the update
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Run update again and make sure the value in storage is still 3
+	counts, err := core.UpdateGcpKmsCallCounts(ctx, currentMonth)
+	require.NoError(t, err)
+	require.Equal(t, uint64(3), counts)
+
+	// Verify the value in storage is still 3
+	counts, err = core.GetStoredGcpKmsCallCounts(ctx, currentMonth)
+	require.NoError(t, err)
+	require.Equal(t, uint64(3), counts)
+}
+
+// TestCore_BillingRetentionMonths tests the GetBillingRetentionMonths and UpdateBillingRetentionMonths methods.
+func TestCore_BillingRetentionMonths(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	// When no configuration is stored, should return default value
+	retentionMonths, err := core.GetBillingRetentionMonths(ctx)
+	require.NoError(t, err)
+	require.Equal(t, billing.DefaultBillingRetentionMonths, retentionMonths)
+
+	// Update to minimum value and verify
+	err = core.UpdateBillingRetentionMonths(ctx, billing.MinBillingRetentionMonths)
+	require.NoError(t, err)
+	retentionMonths, err = core.GetBillingRetentionMonths(ctx)
+	require.NoError(t, err)
+	require.Equal(t, billing.MinBillingRetentionMonths, retentionMonths)
+
+	// Update to maximum value and verify
+	err = core.UpdateBillingRetentionMonths(ctx, billing.MaxBillingRetentionMonths)
+	require.NoError(t, err)
+	retentionMonths, err = core.GetBillingRetentionMonths(ctx)
+	require.NoError(t, err)
+	require.Equal(t, billing.MaxBillingRetentionMonths, retentionMonths)
+
+	// Update to custom value and verify persistence
+	customRetention := 48
+	err = core.UpdateBillingRetentionMonths(ctx, customRetention)
+	require.NoError(t, err)
+	retentionMonths, err = core.GetBillingRetentionMonths(ctx)
+	require.NoError(t, err)
+	require.Equal(t, customRetention, retentionMonths)
+
+	// Update to a different custom value and verify persistence
+	newRetention := 60
+	err = core.UpdateBillingRetentionMonths(ctx, newRetention)
+	require.NoError(t, err)
+	retentionMonths, err = core.GetBillingRetentionMonths(ctx)
+	require.NoError(t, err)
+	require.Equal(t, newRetention, retentionMonths)
+}
diff --git a/vault/core.go b/vault/core.go
index 5e71829661..c0b4cd9e08 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -274,6 +274,21 @@ type Core struct {
 	// the generate-root process simply to talk to the new follower cluster.
 	devToken string
 
+	// enableUnauthRekey controls whether rekey endpoints are registered as
+	// unauthenticated endpoints (true) or as authenticated sys backend
+	// endpoints (false, default).
+	enableUnauthRekey *atomic.Bool
+
+	// enableUnauthGenerateRoot controls whether generate-root endpoints are registered as
+	// unauthenticated endpoints (true) or as authenticated sys backend
+	// endpoints (false, default).
+	enableUnauthGenerateRoot *atomic.Bool
+
+	// enableUnauthDROperationToken controls whether DR operation token endpoints are registered as
+	// unauthenticated endpoints (true) or as authenticated sys backend
+	// endpoints (false, default).
+	enableUnauthDROperationToken *atomic.Bool
+
 	// HABackend may be available depending on the physical backend
 	ha physical.HABackend
 
@@ -452,6 +467,12 @@ type Core struct {
 	// consumptionBillingLock protects the consumptionBilling struct
 	consumptionBillingLock sync.RWMutex
 
+	// billingConfigLock protects billing configuration reads and writes
+	billingConfigLock sync.RWMutex
+
+	// consumptionBillingSubView is the sub-view of the system barrier view that is used to store consumption billing metrics
+	consumptionBillingSubView *BarrierView
+
 	// metricsCh is used to stop the metrics streaming
 	metricsCh chan struct{}
 
@@ -583,6 +604,10 @@ type Core struct {
 	// pluginFilePermissions is the permissions of the plugin files and directory
 	pluginFilePermissions int
 
+	// devPluginPGPKey is either a raw PGP public key or a path to a PGP public
+	// key file to use for plugin signature verification in dev mode.
+	devPluginPGPKey string
+
 	// pluginCatalog is used to manage plugin configurations
 	pluginCatalog *plugincatalog.PluginCatalog
 
@@ -653,6 +678,8 @@ type Core struct {
 	pendingRaftPeers *lru.Cache[string, *raftBootstrapChallenge]
 	// holds the lock for modifying pendingRaftPeers
 	pendingRaftPeersLock sync.RWMutex
+	// Limits the number of concurrent retrying raft join background workers.
+	raftJoinRetryLimiter chan struct{}
 
 	// rawConfig stores the config as-is from the provided server configuration.
 	rawConfig *atomic.Value
@@ -888,6 +915,11 @@ type CoreConfig struct {
 	PluginDirectory string
 	PluginTmpdir    string
 
+	// DevPluginPGPKey is either a raw PGP public key or a path to a PGP public
+	// key file to use for plugin signature verification in dev mode. This allows
+	// testing enterprise plugins with custom signatures without rebuilding Vault.
+	DevPluginPGPKey string
+
 	PluginFileUid int
 
 	PluginFilePermissions int
@@ -968,6 +1000,12 @@ type CoreConfig struct {
 
 	// ReportingScanDirectory is where files generated by /sys/reporting/scan will go.
 	ReportingScanDirectory string
+
+	// EnableUnauthenticatedAccess is a list of endpoint names that should be
+	// accessible without authentication, despite them being by default authenticated.
+	// These aren't the actual paths to endpoints, but rather specific values that
+	// identify groups of endpoints, e.g. "rekey" refers to the sys/rekey/* endpoints.
+	EnableUnauthenticatedAccess []string
 }
 
 // GetServiceRegistration returns the config's ServiceRegistration, or nil if it does
@@ -1125,6 +1163,7 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
 		postUnsealStarted:              new(uint32),
 		raftInfo:                       new(atomic.Value),
 		raftJoinDoneCh:                 make(chan struct{}),
+		raftJoinRetryLimiter:           make(chan struct{}, raftMaxConcurrentRetryJoins),
 		clusterHeartbeatInterval:       clusterHeartbeatInterval,
 		activityLogConfig:              conf.ActivityLogConfig,
 		billingConfig:                  conf.BillingConfig,
@@ -1152,6 +1191,9 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
 		periodicLeaderRefreshInterval:  conf.PeriodicLeaderRefreshInterval,
 		rpcLastSuccessfulHeartbeat:     new(atomic.Value),
 		reportingScanDirectory:         conf.ReportingScanDirectory,
+		enableUnauthRekey:              new(atomic.Bool),
+		enableUnauthGenerateRoot:       new(atomic.Bool),
+		enableUnauthDROperationToken:   new(atomic.Bool),
 	}
 
 	c.certCountManager = cert_count.InitCertificateCountManager(c.logger)
@@ -1297,7 +1339,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 
 	// For recovery mode we've now configured enough to return early.
 	if c.recoveryMode {
-		checkResult, err := c.checkForSealMigration(context.Background(), conf.UnwrapSeal)
+		checkResult, _, err := c.checkForSealMigration(context.Background(), conf.UnwrapSeal)
 		if err != nil {
 			return nil, fmt.Errorf("error checking if a seal migration is needed: %w", err)
 		}
@@ -1327,6 +1369,25 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 		c.pluginFilePermissions = conf.PluginFilePermissions
 	}
 
+	if conf.DevPluginPGPKey != "" {
+		// Check if it's a raw PGP key or a file path
+		if strings.HasPrefix(strings.TrimSpace(conf.DevPluginPGPKey), "-----BEGIN PGP PUBLIC KEY BLOCK-----") {
+			// It's a raw PGP key, use it directly
+			c.devPluginPGPKey = conf.DevPluginPGPKey
+		} else {
+			// It's a file path, validate and convert to absolute path
+			c.devPluginPGPKey, err = filepath.Abs(conf.DevPluginPGPKey)
+			if err != nil {
+				return nil, fmt.Errorf("core setup failed, could not verify dev plugin PGP key path: %w", err)
+			}
+
+			// Validate file exists at startup
+			if _, err := os.Stat(c.devPluginPGPKey); err != nil {
+				return nil, fmt.Errorf("core setup failed, dev plugin PGP key file does not exist: %w", err)
+			}
+		}
+	}
+
 	// Create secondaries (this will only impact Enterprise versions of Vault)
 	c.createSecondaries(conf.Logger)
 
@@ -1434,6 +1495,19 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 
 	c.clusterAddrBridge = conf.ClusterAddrBridge
 	c.licenseReloadCh = conf.LicenseReload
+
+	// Check if endpoints are in the EnableUnauthenticatedAccess list
+	for _, endpoint := range conf.EnableUnauthenticatedAccess {
+		switch endpoint {
+		case "rekey":
+			c.enableUnauthRekey.Store(true)
+		case "generate-root":
+			c.enableUnauthGenerateRoot.Store(true)
+		case "generate-operation-token":
+			c.enableUnauthDROperationToken.Store(true)
+		}
+	}
+
 	return c, nil
 }
 
@@ -1768,7 +1842,7 @@ func (c *Core) unsealFragment(key []byte, migrate bool) error {
 		return fmt.Errorf("can't perform a seal migration while joining a raft cluster")
 	}
 	if !migrate && c.migrationInfo != nil {
-		done, err := c.sealMigrated(ctx)
+		done, _, err := c.sealMigrated(ctx)
 		if err != nil {
 			return fmt.Errorf("error checking to see if seal is migrated: %w", err)
 		}
@@ -1804,6 +1878,10 @@ func (c *Core) unsealFragment(key []byte, migrate bool) error {
 		return nil
 	}
 
+	if err := c.ValidateMultiSealConfig(ctx, false); err != nil {
+		return err
+	}
+
 	sealToUse := c.seal
 	if migrate {
 		c.logger.Info("unsealing using migration seal")
@@ -1828,15 +1906,25 @@ func (c *Core) unsealFragment(key []byte, migrate bool) error {
 	if c.isRaftUnseal() {
 		return c.unsealWithRaft(combinedKey)
 	}
+	if !migrate {
+		defer memzero(combinedKey)
+	}
 	masterKey, err := c.unsealKeyToMasterKeyPreUnseal(ctx, sealToUse, combinedKey)
 	if err != nil {
 		return err
 	}
+	defer memzero(masterKey)
 	return c.unsealInternal(ctx, masterKey)
 }
 
 func (c *Core) unsealWithRaft(combinedKey []byte) error {
 	ctx := context.Background()
+	zeroCombinedKey := true
+	defer func() {
+		if zeroCombinedKey {
+			memzero(combinedKey)
+		}
+	}()
 
 	if c.seal.BarrierSealConfigType() == SealConfigTypeShamir {
 		// If this is a legacy shamir seal this serves no purpose but it
@@ -1869,9 +1957,14 @@ func (c *Core) unsealWithRaft(combinedKey []byte) error {
 		// Reset the state
 		c.raftInfo.Store((*raftInformation)(nil))
 	}
+	zeroCombinedKey = false
 
 	go func() {
 		var masterKey []byte
+		defer func() {
+			memzero(combinedKey)
+			memzero(masterKey)
+		}()
 		keyringFound := false
 
 		// Wait until we at least have the keyring before we attempt to
@@ -2000,26 +2093,28 @@ func (c *Core) getUnsealKey(ctx context.Context, seal Seal) ([]byte, error) {
 // For the auto->auto same seal migration scenario, it will return false even
 // if the preceding conditions are true but we cannot decrypt the master key
 // in storage using the configured seal.
-func (c *Core) sealMigrated(ctx context.Context) (bool, error) {
+// When no error is returned, returns a string that gives more information about
+// why the bool return value is set as it is.
+func (c *Core) sealMigrated(ctx context.Context) (bool, string, error) {
 	sealMigDone := c.sealMigrationDone.Load()
 	if sealMigDone != nil && !sealMigDone.IsZero() {
-		return true, nil
+		return true, "sealMigrationDone nonzero", nil
 	}
 
 	existBarrierSealConfig, existRecoverySealConfig, err := c.PhysicalSealConfigs(ctx)
 	if err != nil {
-		return false, err
+		return false, "", err
 	}
 
 	if !c.seal.BarrierSealConfigType().IsSameAs(existBarrierSealConfig.Type) {
-		return false, nil
+		return false, "barrier seal config type in seal matches what's in storage", nil
 	}
 	if c.seal.RecoveryKeySupported() && !SealConfigTypeRecovery.IsSameAs(existRecoverySealConfig.Type) {
-		return false, nil
+		return false, "recovery seal config type in seal matches what's in storage", nil
 	}
 
 	if c.seal.BarrierSealConfigType() != c.migrationInfo.seal.BarrierSealConfigType() {
-		return true, nil
+		return true, "barrier seal config type in seal doesn't match what's in storage", nil
 	}
 
 	// The above checks can handle the auto->shamir and shamir->auto
@@ -2031,13 +2126,13 @@ func (c *Core) sealMigrated(ctx context.Context) (bool, error) {
 
 	switch {
 	case len(keys) > 0 && err == nil:
-		return true, nil
+		return true, "seal has stored keys", nil
 	case len(keysMig) > 0 && errMig == nil:
-		return false, nil
+		return false, "migration seal has stored keys", nil
 	case errors.Is(err, &ErrDecrypt{}) && errors.Is(errMig, &ErrDecrypt{}):
-		return false, fmt.Errorf("decrypt error, neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
+		return false, "", fmt.Errorf("decrypt error, neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
 	default:
-		return false, fmt.Errorf("neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
+		return false, "", fmt.Errorf("neither the old nor new seal can read stored keys: old seal err=%v, new seal err=%v", errMig, err)
 	}
 }
 
@@ -2049,17 +2144,17 @@ func (c *Core) migrateSeal(ctx context.Context) error {
 		return c.migrateMultiSealConfig(ctx)
 	}
 
-	ok, err := c.sealMigrated(ctx)
+	ok, info, err := c.sealMigrated(ctx)
 	if err != nil {
 		return fmt.Errorf("error checking if seal is migrated or not: %w", err)
 	}
 
 	if ok {
-		c.logger.Info("migration is already performed")
+		c.logger.Info("migration is already performed", "info", info)
 		return nil
 	}
 
-	c.logger.Info("seal migration initiated")
+	c.logger.Info("seal migration initiated", "info", info)
 
 	switch {
 	case c.migrationInfo.seal.RecoveryKeySupported() && c.seal.RecoveryKeySupported():
@@ -2116,6 +2211,11 @@ func (c *Core) migrateSeal(ctx context.Context) error {
 		if err := c.seal.SetRecoveryKey(ctx, c.migrationInfo.unsealKey); err != nil {
 			return fmt.Errorf("error setting new recovery key information: %w", err)
 		}
+		// migrationInfo.unsealKey is single-use and is repopulated by a new migrate
+		// unseal flow if migration is retried; clear it now to reduce key material
+		// residency in process memory.
+		memzero(c.migrationInfo.unsealKey)
+		c.migrationInfo.unsealKey = nil
 
 		// Generate a new master key
 		newMasterKey, err := c.barrier.GenerateKey(c.secureRandomReader)
@@ -2705,6 +2805,7 @@ func (c *Core) setupPluginCatalog(ctx context.Context) error {
 		Tmpdir:               c.containerPluginTmpdir,
 		EnableMlock:          c.enableMlock,
 		PluginRuntimeCatalog: c.pluginRuntimeCatalog,
+		PluginPGPKey:         c.devPluginPGPKey,
 	})
 	if err != nil {
 		return err
@@ -3112,6 +3213,10 @@ func (c *Core) preSeal() error {
 		result = multierror.Append(result, err)
 	}
 
+	if c.identityStore != nil {
+		c.identityStore.stopSCIMDeletingClientCleanup()
+	}
+
 	if c.autoRotateCancel != nil {
 		c.autoRotateCancel()
 		c.autoRotateCancel = nil
@@ -3268,16 +3373,16 @@ const (
 	sealMigrationCheckDoNotAjust
 )
 
-func (c *Core) checkForSealMigration(ctx context.Context, unwrapSeal Seal) (sealMigrationCheckResult, error) {
+func (c *Core) checkForSealMigration(ctx context.Context, unwrapSeal Seal) (sealMigrationCheckResult, string, error) {
 	existBarrierSealConfig, _, err := c.PhysicalSealConfigs(ctx)
 	if err != nil {
-		return sealMigrationCheckError, fmt.Errorf("Error checking for existing seal: %s", err)
+		return sealMigrationCheckError, "", fmt.Errorf("Error checking for existing seal: %s", err)
 	}
 
 	// If we don't have an existing config or if it's the deprecated auto seal
 	// which needs an upgrade, skip out
 	if existBarrierSealConfig == nil || existBarrierSealConfig.Type == WrapperTypeHsmAutoDeprecated.String() {
-		return sealMigrationCheckSkip, nil
+		return sealMigrationCheckSkip, "no seal config or deprecated", nil
 	}
 
 	if unwrapSeal == nil {
@@ -3291,28 +3396,28 @@ func (c *Core) checkForSealMigration(ctx context.Context, unwrapSeal Seal) (seal
 		case storedType == configuredType:
 			// We have the same barrier type and the unwrap seal is nil so we're not
 			// migrating from same to same, IOW we assume it's not a migration.
-			return sealMigrationCheckDoNotAjust, nil
+			return sealMigrationCheckDoNotAjust, "same barrier and unwrap seal is nil", nil
 		case configuredType == SealConfigTypeShamir:
 			// The stored barrier config is not shamir, there is no disabled seal
 			// in config, and either no configured seal (which equates to Shamir)
 			// or an explicitly configured Shamir seal.
-			return sealMigrationCheckError, fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration",
+			return sealMigrationCheckError, "", fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration",
 				existBarrierSealConfig.Type)
 		case storedType == SealConfigTypeShamir:
 			// The configured seal is not Shamir, the stored seal config is Shamir.
 			// This is a migration away from Shamir.
 
-			return sealMigrationCheckAdjust, nil
+			return sealMigrationCheckAdjust, "configured seal is not shamir and stored seal config is", nil
 		case configuredType == SealConfigTypeMultiseal && c.IsMultisealEnabled():
 			// We are going from a single non-shamir seal to multiseal, and multi seal is supported.
 			// This scenario is not considered a migration in the sense of requiring an unwrapSeal,
 			// but we will update the stored SealConfig later (see Core.migrateMultiSealConfig).
 
-			return sealMigrationCheckDoNotAjust, nil
+			return sealMigrationCheckDoNotAjust, "single non-shamir to multiseal", nil
 		case configuredType == SealConfigTypeMultiseal:
 			// The configured seal is multiseal and we know the stored type is not shamir, thus
 			// we are going from auto seal to multiseal.
-			return sealMigrationCheckError, fmt.Errorf("cannot seal migrate from %q to %q, multiple seals are not supported",
+			return sealMigrationCheckError, "", fmt.Errorf("cannot seal migrate from %q to %q, multiple seals are not supported",
 				existBarrierSealConfig.Type, c.seal.BarrierSealConfigType())
 		case storedType == SealConfigTypeMultiseal:
 			// The stored type is multiseal and we know the type the configured type is not shamir,
@@ -3321,12 +3426,12 @@ func (c *Core) checkForSealMigration(ctx context.Context, unwrapSeal Seal) (seal
 			// This scenario is not considered a migration in the sense of requiring an unwrapSeal,
 			// but we will update the stored SealConfig later (see Core.migrateMultiSealConfig).
 
-			return sealMigrationCheckDoNotAjust, nil
+			return sealMigrationCheckDoNotAjust, "multiseal to autoseal", nil
 		default:
 			// We know at this point that there is a configured non-Shamir seal,
 			// that it does not match the stored non-Shamir seal config, and that
 			// there is no explicitly disabled seal stanza.
-			return sealMigrationCheckError, fmt.Errorf("cannot seal migrate from %q to %q, no disabled seal in configuration",
+			return sealMigrationCheckError, "", fmt.Errorf("cannot seal migrate from %q to %q, no disabled seal in configuration",
 				existBarrierSealConfig.Type, c.seal.BarrierSealConfigType())
 		}
 	} else {
@@ -3334,9 +3439,9 @@ func (c *Core) checkForSealMigration(ctx context.Context, unwrapSeal Seal) (seal
 		// in the config and disabled.
 
 		if unwrapSeal.BarrierSealConfigType() == SealConfigTypeShamir {
-			return sealMigrationCheckError, errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
+			return sealMigrationCheckError, "", errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
 		}
-		return sealMigrationCheckDoNotAjust, nil
+		return sealMigrationCheckDoNotAjust, "unchanged", nil
 	}
 }
 
@@ -3362,7 +3467,7 @@ func (c *Core) checkForSealMigration(ctx context.Context, unwrapSeal Seal) (seal
 func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
 	ctx := context.Background()
 
-	checkResult, err := c.checkForSealMigration(ctx, unwrapSeal)
+	checkResult, _, err := c.checkForSealMigration(ctx, unwrapSeal)
 	if err != nil {
 		return err
 	}
@@ -3646,7 +3751,7 @@ func (c *Core) IsSealMigrated(lock bool) bool {
 		c.stateLock.RLock()
 		defer c.stateLock.RUnlock()
 	}
-	done, _ := c.sealMigrated(context.Background())
+	done, _, _ := c.sealMigrated(context.Background())
 	return done
 }
 
@@ -4427,6 +4532,32 @@ func (c *Core) ReloadIntrospectionEndpointEnabled() {
 	c.introspectionEnabled = conf.(*server.Config).EnableIntrospectionEndpoint
 }
 
+func (c *Core) ReloadEnableUnauthenticatedAccess() {
+	conf := c.rawConfig.Load()
+	if conf == nil {
+		return
+	}
+
+	// Check which endpoints are in the EnableUnauthenticatedAccess list
+	enableRekey := false
+	enableGenerateRoot := false
+	enableDROperationToken := false
+	for _, endpoint := range conf.(*server.Config).EnableUnauthenticatedAccess {
+		switch endpoint {
+		case "rekey":
+			enableRekey = true
+		case "generate-root":
+			enableGenerateRoot = true
+		case "generate-operation-token":
+			enableDROperationToken = true
+		}
+	}
+
+	c.enableUnauthRekey.Store(enableRekey)
+	c.enableUnauthGenerateRoot.Store(enableGenerateRoot)
+	c.enableUnauthDROperationToken.Store(enableDROperationToken)
+}
+
 type PeerNode struct {
 	Hostname                    string        `json:"hostname"`
 	APIAddress                  string        `json:"api_address"`
@@ -4911,3 +5042,27 @@ var errRemovedHANode = errors.New("node has been removed from the HA cluster")
 func (c *Core) CoreNumber() int {
 	return c.coreNumber
 }
+
+func (c *Core) GetEnableUnauthRekey() bool {
+	return c.enableUnauthRekey.Load()
+}
+
+func (c *Core) SetEnableUnauthRekey(val bool) {
+	c.enableUnauthRekey.Store(val)
+}
+
+func (c *Core) GetEnableUnauthGenerateRoot() bool {
+	return c.enableUnauthGenerateRoot.Load()
+}
+
+func (c *Core) SetEnableUnauthGenerateRoot(val bool) {
+	c.enableUnauthGenerateRoot.Store(val)
+}
+
+func (c *Core) GetEnableUnauthDROperationToken() bool {
+	return c.enableUnauthDROperationToken.Load()
+}
+
+func (c *Core) SetEnableUnauthDROperationToken(val bool) {
+	c.enableUnauthDROperationToken.Store(val)
+}
diff --git a/vault/core_metrics.go b/vault/core_metrics.go
index 54263197f4..2aa5d0f322 100644
--- a/vault/core_metrics.go
+++ b/vault/core_metrics.go
@@ -424,7 +424,7 @@ type kvMount struct {
 // or externally compiled KV mounts that are still of type KV.
 // It's a simple function that's slightly reimplemented to prevent needing a context
 // in findKvMounts.
-func (c *Core) findOfficialKvMounts(ctx context.Context) []*kvMount {
+func (c *Core) findOfficialKvMounts(ctx context.Context, includeLocal, includeReplicated bool, kvVersion string) []*kvMount {
 	mounts := make([]*kvMount, 0)
 
 	c.mountsLock.RLock()
@@ -438,12 +438,23 @@ func (c *Core) findOfficialKvMounts(ctx context.Context) []*kvMount {
 	}
 
 	for _, entry := range c.mounts.Entries {
+		if !includeLocal && entry.Local {
+			continue
+		}
+		if !includeReplicated && !entry.Local {
+			continue
+		}
+
 		if entry.Type == pluginconsts.SecretEngineKV || entry.Type == pluginconsts.SecretEngineGeneric {
 			version, ok := entry.Options["version"]
 			if !ok || version == "" {
 				version = "1"
 			}
 
+			if kvVersion != "0" && version != kvVersion {
+				continue
+			}
+
 			pluginName := getAdjustedPluginType(entry)
 			if pluginName == "" {
 				continue
@@ -473,7 +484,8 @@ func (c *Core) findOfficialKvMounts(ctx context.Context) []*kvMount {
 	return mounts
 }
 
-func (c *Core) findKvMounts() []*kvMount {
+// findKvMounts finds all KV mounts. If kvVersion is "0", all versions of KV are included.
+func (c *Core) findKvMounts(includeLocal, includeReplicated bool, kvVersion string) []*kvMount {
 	mounts := make([]*kvMount, 0)
 
 	c.mountsLock.RLock()
@@ -487,11 +499,24 @@ func (c *Core) findKvMounts() []*kvMount {
 	}
 
 	for _, entry := range c.mounts.Entries {
+		if !includeLocal && entry.Local {
+			continue
+		}
+		if !includeReplicated && !entry.Local {
+			continue
+		}
+
 		if entry.Type == pluginconsts.SecretEngineKV || entry.Type == pluginconsts.SecretEngineGeneric {
 			version, ok := entry.Options["version"]
 			if !ok || version == "" {
 				version = "1"
 			}
+
+			// If kvVersion is "0", all versions of KV are included.
+			if kvVersion != "0" && version != kvVersion {
+				continue
+			}
+
 			mounts = append(mounts, &kvMount{
 				Namespace:            entry.namespace,
 				MountPoint:           entry.Path,
@@ -658,7 +683,7 @@ func (c *Core) walkKvMountSecrets(ctx context.Context, m *kvMount) {
 
 func (c *Core) kvSecretGaugeCollector(ctx context.Context) ([]metricsutil.GaugeLabelValues, error) {
 	// Find all KV mounts
-	mounts := c.findKvMounts()
+	mounts := c.findKvMounts(true, true, "0")
 	results := make([]metricsutil.GaugeLabelValues, len(mounts))
 
 	// Use a root namespace, so include namespace path
@@ -840,6 +865,7 @@ type RoleCounts struct {
 	KubernetesDynamicRoles     int `json:"kubernetes_dynamic_roles"`
 	MongoDBAtlasDynamicRoles   int `json:"mongodb_atlas_dynamic_roles"`
 	TerraformCloudDynamicRoles int `json:"terraformcloud_dynamic_roles"`
+	OSLocalAccountRoles        int `json:"os_local_account_static_roles"`
 }
 
 type ManagedKeyCounts struct {
@@ -847,158 +873,17 @@ type ManagedKeyCounts struct {
 	KmseKeys int `json:"kmse_keys"`
 }
 
-// getRoleAndManagedKeyCountsInternal gets the role counts for plugins and managed key counts
-// includeLocal determines if local mounts are included
-// includeReplicated determines if replicated mounts are included
-// officialPluginsOnly determines if this function should include only plugins that are official,
-// which would exclude, for example, a custom built version of these plugins.
-func (c *Core) getRoleAndManagedKeyCountsInternal(includeLocal bool, includeReplicated bool, officialPluginsOnly bool) (*RoleCounts, *ManagedKeyCounts) {
-	if c.Sealed() {
-		c.logger.Debug("core is sealed, cannot access mounts table")
-		return nil, nil
-	}
-
-	ctx := namespace.RootContext(c.activeContext)
-	apiList := func(entry *MountEntry, apiPath string) []string {
-		listRequest := &logical.Request{
-			Operation: logical.ListOperation,
-			Path:      entry.namespace.Path + entry.Path + apiPath,
-		}
-
-		resp, err := c.router.Route(ctx, listRequest)
-		if err != nil || resp == nil {
-			return nil
-		}
-		rawKeys, ok := resp.Data["keys"]
-		if !ok {
-			return nil
-		}
-		keys, ok := rawKeys.([]string)
-		if !ok {
-			return nil
-		}
-		return keys
-	}
-
-	c.mountsLock.RLock()
-	defer c.mountsLock.RUnlock()
-
-	var roles RoleCounts
-	var keyCounts ManagedKeyCounts
-	for _, entry := range c.mounts.Entries {
-		if !entry.Local && !includeReplicated {
-			continue
-		}
-		if entry.Local && !includeLocal {
-			continue
-		}
-
-		pluginName := getAdjustedPluginType(entry)
-		if pluginName == "" {
-			continue
-		}
-
-		pluginVersion := entry.RunningVersion
-
-		if officialPluginsOnly {
-			runner, err := c.pluginCatalog.Get(ctx, pluginName, consts.PluginTypeSecrets, pluginVersion)
-			if err != nil {
-				continue
-			}
-
-			if !(isOfficialOrBuiltin(runner)) {
-				continue
-			}
-		}
-
-		switch pluginName {
-		case pluginconsts.SecretEngineAWS:
-			dynamicRoles := apiList(entry, "roles")
-			roles.AWSDynamicRoles += len(dynamicRoles)
-			staticRoles := apiList(entry, "static-roles")
-			roles.AWSStaticRoles += len(staticRoles)
-
-		case pluginconsts.SecretEngineAzure:
-			dynamicRoles := apiList(entry, "roles")
-			roles.AzureDynamicRoles += len(dynamicRoles)
-			staticRoles := apiList(entry, "static-roles")
-			roles.AzureStaticRoles += len(staticRoles)
-
-		case pluginconsts.SecretEngineDatabase:
-			dynamicRoles := apiList(entry, "roles")
-			roles.DatabaseDynamicRoles += len(dynamicRoles)
-			staticRoles := apiList(entry, "static-roles")
-			roles.DatabaseStaticRoles += len(staticRoles)
-
-		case pluginconsts.SecretEngineGCP:
-			rolesets := apiList(entry, "rolesets")
-			roles.GCPRolesets += len(rolesets)
-			staticAccounts := apiList(entry, "static-accounts")
-			roles.GCPStaticAccounts += len(staticAccounts)
-			impersonatedAccounts := apiList(entry, "impersonated-accounts")
-			roles.GCPImpersonatedAccounts += len(impersonatedAccounts)
-
-		case pluginconsts.SecretEngineLDAP:
-			dynamicRoles := apiList(entry, "role")
-			roles.LDAPDynamicRoles += len(dynamicRoles)
-			staticRoles := apiList(entry, "static-role")
-			roles.LDAPStaticRoles += len(staticRoles)
-
-		case pluginconsts.SecretEngineOpenLDAP:
-			dynamicRoles := apiList(entry, "role")
-			roles.OpenLDAPDynamicRoles += len(dynamicRoles)
-			staticRoles := apiList(entry, "static-role")
-			roles.OpenLDAPStaticRoles += len(staticRoles)
-
-		case pluginconsts.SecretEngineAlicloud:
-			dynamicRoles := apiList(entry, "role")
-			roles.AlicloudDynamicRoles += len(dynamicRoles)
-
-		case pluginconsts.SecretEngineRabbitMQ:
-			dynamicRoles := apiList(entry, "roles")
-			roles.RabbitMQDynamicRoles += len(dynamicRoles)
-
-		case pluginconsts.SecretEngineConsul:
-			dynamicRoles := apiList(entry, "roles")
-			roles.ConsulDynamicRoles += len(dynamicRoles)
-
-		case pluginconsts.SecretEngineNomad:
-			dynamicRoles := apiList(entry, "role")
-			roles.NomadDynamicRoles += len(dynamicRoles)
-
-		case pluginconsts.SecretEngineKubernetes:
-			dynamicRoles := apiList(entry, "roles")
-			roles.KubernetesDynamicRoles += len(dynamicRoles)
-
-		case pluginconsts.SecretEngineMongoDBAtlas:
-			dynamicRoles := apiList(entry, "roles")
-			roles.MongoDBAtlasDynamicRoles += len(dynamicRoles)
-
-		case pluginconsts.SecretEngineTerraform:
-			dynamicRoles := apiList(entry, "role")
-			roles.TerraformCloudDynamicRoles += len(dynamicRoles)
-
-		case pluginconsts.SecretEngineTOTP:
-			keyCountPerEntry := apiList(entry, "keys")
-			keyCounts.TotpKeys += len(keyCountPerEntry)
-
-		case pluginconsts.SecretEngineKeymgmt:
-			keyCountPerEntry := apiList(entry, "key")
-			keyCounts.KmseKeys += len(keyCountPerEntry)
-		}
-	}
-
-	return &roles, &keyCounts
-}
-
-func (c *Core) GetRoleCounts() *RoleCounts {
-	roleCounts, _ := c.getRoleAndManagedKeyCountsInternal(true, true, false)
-	return roleCounts
-}
-
+// GetRoleCountsForCluster returns the total role counts across all mounts for a primary or secondary cluster
+// For use in tests only
 func (c *Core) GetRoleCountsForCluster() *RoleCounts {
-	roleCounts, _ := c.getRoleAndManagedKeyCountsInternal(true, c.isPrimary(), false)
-	return roleCounts
+	m, err := c.CountMetricsFromMounts(false)
+	if err != nil {
+		return nil
+	}
+	if c.isPrimary() {
+		return combineRoleCounts(m.LocalRoleCounts, m.ReplicatedRoleCounts)
+	}
+	return m.LocalRoleCounts
 }
 
 // GetKvUsageMetrics returns a map of namespace paths to KV secret counts.
@@ -1008,32 +893,18 @@ func (c *Core) GetKvUsageMetrics(ctx context.Context, kvVersion string) (map[str
 
 // GetKvUsageMetricsByNamespace returns a map of namespace paths to KV secret counts within a specific namespace.
 func (c *Core) GetKvUsageMetricsByNamespace(ctx context.Context, kvVersion string, nsPath string, includeLocal bool, includeReplicated bool, includeUnofficial bool) (map[string]int, error) {
-	mounts := c.findKvMounts()
+	if kvVersion != "0" && kvVersion != "1" && kvVersion != "2" {
+		return nil, fmt.Errorf("kv version %s not supported, must be 0, 1, or 2", kvVersion)
+	}
+	var mounts []*kvMount
 	if !includeUnofficial {
-		mounts = c.findOfficialKvMounts(ctx)
+		mounts = c.findOfficialKvMounts(ctx, includeLocal, includeReplicated, kvVersion)
+	} else {
+		mounts = c.findKvMounts(includeLocal, includeReplicated, kvVersion)
 	}
 	results := make(map[string]int)
 
-	if kvVersion == "1" || kvVersion == "2" {
-		var newMounts []*kvMount
-		for _, mount := range mounts {
-			if mount.Version == kvVersion {
-				newMounts = append(newMounts, mount)
-			}
-		}
-		mounts = newMounts
-	} else if kvVersion != "0" {
-		return results, fmt.Errorf("kv version %s not supported, must be 0, 1, or 2", kvVersion)
-	}
-
 	for _, m := range mounts {
-		if !includeLocal && m.Local {
-			continue
-		}
-		if !includeReplicated && !m.Local {
-			continue
-		}
-
 		if nsPath != "" && !strings.HasPrefix(m.Namespace.Path, nsPath) {
 			continue
 		}
diff --git a/vault/core_metrics_test.go b/vault/core_metrics_test.go
index fc9d31502d..9e9a1d9d32 100644
--- a/vault/core_metrics_test.go
+++ b/vault/core_metrics_test.go
@@ -413,8 +413,8 @@ func TestCoreMetrics_AvailablePolicies(t *testing.T) {
 				},
 			},
 			ExpectedValues: map[string]float32{
-				// The "default" policy will always be included
-				"acl": 2,
+				// The built-in ACL policies are always included.
+				"acl": 3,
 				"egp": 0,
 				"rgp": 0,
 			},
@@ -429,8 +429,8 @@ func TestCoreMetrics_AvailablePolicies(t *testing.T) {
 				},
 			},
 			ExpectedValues: map[string]float32{
-				// The "default" policy will always be included
-				"acl": 3,
+				// The built-in ACL policies are always included.
+				"acl": 4,
 				"egp": 0,
 				"rgp": 0,
 			},
diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index 012368452b..157522cc7a 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@@ -383,6 +383,9 @@ func (d dynamicSystemView) RegisterRotationJobWithResponse(ctx context.Context,
 		return nil, fmt.Errorf("error configuring rotation job: %s", err)
 	}
 
+	// Set the MountPoint here from the mountEntry so plugins cannot force-set a mount point other than its own
+	job.MountPoint = mountEntry.APIPath()
+
 	resp, err := d.core.RegisterRotationJob(nsCtx, job)
 	if err != nil {
 		return nil, fmt.Errorf("error registering rotation job: %s", err)
diff --git a/vault/dynamic_system_view_test.go b/vault/dynamic_system_view_test.go
index 8c029a63f3..e2df352bb4 100644
--- a/vault/dynamic_system_view_test.go
+++ b/vault/dynamic_system_view_test.go
@@ -47,9 +47,6 @@ func TestIdentity_BackendTemplating(t *testing.T) {
 
 	cluster := NewTestCluster(t, coreConfig, &TestClusterOptions{})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	core := cluster.Cores[0].Core
 
 	TestWaitActive(t, core)
@@ -181,9 +178,6 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_successful(t *testing.T) {
 
 	cluster := NewTestCluster(t, coreConfig, &TestClusterOptions{})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	core := cluster.Cores[0].Core
 	TestWaitActive(t, core)
 
@@ -296,9 +290,6 @@ func TestDynamicSystemView_PluginEnv_successful(t *testing.T) {
 
 	cluster := NewTestCluster(t, coreConfig, &TestClusterOptions{})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	core := cluster.Cores[0].Core
 	TestWaitActive(t, core)
 
diff --git a/vault/enterprise_token_lookup_ce.go b/vault/enterprise_token_lookup_ce.go
new file mode 100644
index 0000000000..0bca3dd7f4
--- /dev/null
+++ b/vault/enterprise_token_lookup_ce.go
@@ -0,0 +1,12 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import "errors"
+
+func resolveEnterpriseTokenIDForLookup(_ string) (string, error) {
+	return "", errors.New("enterprise build required")
+}
diff --git a/vault/eventbus/bus.go b/vault/eventbus/bus.go
index 4952c40679..7903341d1d 100644
--- a/vault/eventbus/bus.go
+++ b/vault/eventbus/bus.go
@@ -288,7 +288,9 @@ func (bus *EventBus) subscribeInternal(ctx context.Context, namespacePathPattern
 		if err != nil {
 			return nil, nil, err
 		}
-		bus.filters.addPattern(bus.filters.self, namespacePathPatterns, pattern)
+		// use filterNodeID as the "subscription id" when storing a subscriber
+		// pattern
+		bus.filters.addPattern(bus.filters.self, namespacePathPatterns, pattern, filterNodeID)
 		bus.filters.addClusterWidePattern(namespacePathPatterns, pattern)
 	}
 	err = bus.broker.RegisterNode(eventlogger.NodeID(filterNodeID), filterNode)
@@ -304,8 +306,10 @@ func (bus *EventBus) subscribeInternal(ctx context.Context, namespacePathPattern
 	ctx, cancel := context.WithCancel(ctx)
 	asyncNode := newAsyncNode(ctx, bus.logger, bus.broker, func() {
 		if clusterNode == nil {
-			bus.filters.removePattern(bus.filters.self, namespacePathPatterns, pattern)
-			bus.filters.removeClusterWidePattern(namespacePathPatterns, pattern)
+			// use filterNodeID as the "subscription id" when removing a
+			// subscriber pattern
+			bus.filters.removePattern(bus.filters.self, namespacePathPatterns, pattern, filterNodeID)
+			bus.filters.makeClusterWideFilters()
 		}
 	})
 	err = bus.broker.RegisterNode(eventlogger.NodeID(sinkNodeID), asyncNode)
diff --git a/vault/eventbus/bus_test.go b/vault/eventbus/bus_test.go
index f9da6df963..a4e6fe7d29 100644
--- a/vault/eventbus/bus_test.go
+++ b/vault/eventbus/bus_test.go
@@ -832,7 +832,7 @@ func TestSubscribeClusterNode(t *testing.T) {
 
 	bus.Start()
 
-	bus.filters.addPattern("somecluster", []string{""}, "abc*")
+	bus.filters.addPattern("somecluster", []string{""}, "abc*", "uuid")
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	t.Cleanup(cancelFunc)
 	ch, cancel2, err := bus.NewClusterNodeSubscription(ctx, "somecluster")
diff --git a/vault/eventbus/filter.go b/vault/eventbus/filter.go
index ed914cccda..a511d27f64 100644
--- a/vault/eventbus/filter.go
+++ b/vault/eventbus/filter.go
@@ -6,15 +6,16 @@ package eventbus
 import (
 	"context"
 	"fmt"
+	"maps"
 	"slices"
 	"sort"
 	"strings"
 	"sync"
 
+	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/ryanuber/go-glob"
-	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 // clusterWide is used to collect and keep track of subscriber patterns from all
@@ -48,9 +49,65 @@ func (p pattern) isEmpty() bool {
 	return p.namespacePatterns == "" && p.eventTypePattern == ""
 }
 
+// patternSet is a map of patterns to subscription id's
+type patternSet map[pattern][]string
+
+func newPatternSet() patternSet {
+	return make(patternSet)
+}
+
+// Insert a pattern into the pattern set for the given subscription ID,
+// maintaining subscription IDs in sorted order for search efficiency when
+// inserting.
+func (ps patternSet) Insert(p pattern, subscriptionID string) patternSet {
+	position, found := slices.BinarySearch(ps[p], subscriptionID)
+	if !found {
+		ps[p] = slices.Insert(ps[p], position, subscriptionID)
+	}
+	return ps
+}
+
+// Delete removes the given subscriptionID from the pattern, if that association
+// exists.
+func (ps patternSet) Delete(p pattern, subscriptionID string) patternSet {
+	if ps == nil {
+		return nil
+	}
+	if ids, ok := ps[p]; ok {
+		if i := slices.Index(ids, subscriptionID); i >= 0 {
+			ps[p] = append(ids[:i], ids[i+1:]...)
+		}
+		if len(ps[p]) == 0 {
+			delete(ps, p)
+		}
+	}
+	return ps
+}
+
+func (ps patternSet) Clear() {
+	clear(ps)
+}
+
+// Difference returns the set of patterns from ps not in check. The subscriber
+// ID slices are also considered when checking for differences.
+func (ps patternSet) Difference(check patternSet) patternSet {
+	diff := newPatternSet()
+	for p := range ps {
+		if _, ok := check[p]; !ok {
+			diff[p] = ps[p]
+		} else {
+			subIDdiff := strutil.Difference(ps[p], check[p], false)
+			if len(subIDdiff) > 0 {
+				diff[p] = subIDdiff
+			}
+		}
+	}
+	return diff
+}
+
 // ClusterNodeFilter keeps track of all patterns that a particular cluster node is interested in.
 type ClusterNodeFilter struct {
-	patterns sets.Set[pattern]
+	patterns patternSet
 }
 
 // match checks if the given ns and eventType matches any pattern in the cluster node's filter.
@@ -93,20 +150,19 @@ func (f *Filters) String() string {
 
 func (nf *ClusterNodeFilter) String() string {
 	var x []string
-	l := nf.patterns.UnsortedList()
-	for _, v := range l {
-		x = append(x, v.String())
+	for p, subscriberIDs := range nf.patterns {
+		x = append(x, fmt.Sprintf("%s: %v", p.String(), subscriberIDs))
 	}
 	slices.Sort(x)
 	return strings.Join(x, ",")
 }
 
 func (f *Filters) addClusterWidePattern(namespacePatterns []string, eventTypePattern string) {
-	f.addPattern(clusterWide, namespacePatterns, eventTypePattern)
+	f.addPattern(clusterWide, namespacePatterns, eventTypePattern, clusterWide)
 }
 
 func (f *Filters) removeClusterWidePattern(namespacePatterns []string, eventTypePattern string) {
-	f.removePattern(clusterWide, namespacePatterns, eventTypePattern)
+	f.removePattern(clusterWide, namespacePatterns, eventTypePattern, clusterWide)
 }
 
 func (f *Filters) clearClusterWidePatterns() {
@@ -155,9 +211,12 @@ func (f *Filters) clearClusterNodePatterns(c clusterNodeID) {
 func (f *Filters) copyPatternWithLock(c clusterNodeID) *ClusterNodeFilter {
 	filters := &ClusterNodeFilter{}
 	if got, ok := f.filters[c]; ok {
-		filters.patterns = got.patterns.Clone()
+		filters.patterns = maps.Clone(got.patterns)
+		for key, slice := range filters.patterns {
+			filters.patterns[key] = slices.Clone(slice)
+		}
 	} else {
-		filters.patterns = sets.New[pattern]()
+		filters.patterns = newPatternSet()
 	}
 	return filters
 }
@@ -166,13 +225,15 @@ func (f *Filters) makeClusterWideFilters() {
 	defer f.notify(clusterWide)
 	f.lock.Lock()
 	defer f.lock.Unlock()
-	newPatterns := sets.New[pattern]()
+	newPatterns := newPatternSet()
 	for c, cf := range f.filters {
 		if c == clusterWide {
 			continue
 		}
 		for p := range cf.patterns {
-			newPatterns.Insert(p)
+			// The set of cluster-wide patterns doesn't need to keep track of all
+			// the subscription id's, so we just use the cluster-wide pattern uuid
+			newPatterns.Insert(p, clusterWide)
 		}
 	}
 	f.filters[clusterWide] = &ClusterNodeFilter{patterns: newPatterns}
@@ -183,11 +244,11 @@ func (f *Filters) applyChanges(c clusterNodeID, changes []FilterChange) {
 	defer f.notify(c)
 	f.lock.Lock()
 	defer f.lock.Unlock()
-	var newPatterns sets.Set[pattern]
+	var newPatterns patternSet
 	if existing, ok := f.filters[c]; ok {
 		newPatterns = existing.patterns
 	} else {
-		newPatterns = sets.New[pattern]()
+		newPatterns = newPatternSet()
 	}
 	for _, change := range changes {
 		applyChange(newPatterns, &change)
@@ -196,18 +257,18 @@ func (f *Filters) applyChanges(c clusterNodeID, changes []FilterChange) {
 }
 
 // applyChange applies a single filter change to the given set.
-func applyChange(s sets.Set[pattern], change *FilterChange) {
+func applyChange(s patternSet, change *FilterChange) {
 	switch change.Operation {
 	case FilterChangeAdd:
 		nsPatterns := slices.Clone(change.NamespacePatterns)
 		sort.Strings(nsPatterns)
 		p := pattern{eventTypePattern: change.EventTypePattern, namespacePatterns: cleanJoinNamespaces(nsPatterns)}
-		s.Insert(p)
+		s.Insert(p, change.SubscriberID)
 	case FilterChangeRemove:
 		nsPatterns := slices.Clone(change.NamespacePatterns)
 		sort.Strings(nsPatterns)
 		check := pattern{eventTypePattern: change.EventTypePattern, namespacePatterns: cleanJoinNamespaces(nsPatterns)}
-		s.Delete(check)
+		s.Delete(check, change.SubscriberID)
 	case FilterChangeClear:
 		s.Clear()
 	}
@@ -219,28 +280,32 @@ func cleanJoinNamespaces(nsPatterns []string) string {
 		trimmed[i] = strings.TrimSpace(nsPatterns[i])
 	}
 	// sort and uniq
-	trimmed = sets.NewString(trimmed...).List()
+	sort.Strings(trimmed)
+	trimmed = slices.Compact(trimmed)
 	return strings.Join(trimmed, " ")
 }
 
 // addPattern adds a pattern to a cluster node's list.
-func (f *Filters) addPattern(c clusterNodeID, namespacePatterns []string, eventTypePattern string) {
+func (f *Filters) addPattern(c clusterNodeID, namespacePatterns []string, eventTypePattern string, subscriptionID string) {
 	defer f.notify(c)
 	f.lock.Lock()
 	defer f.lock.Unlock()
 	if _, ok := f.filters[c]; !ok {
 		f.filters[c] = &ClusterNodeFilter{
-			patterns: sets.New[pattern](),
+			patterns: newPatternSet(),
 		}
 	}
 	nsPatterns := slices.Clone(namespacePatterns)
 	sort.Strings(nsPatterns)
-	p := pattern{eventTypePattern: eventTypePattern, namespacePatterns: cleanJoinNamespaces(namespacePatterns)}
-	f.filters[c].patterns.Insert(p)
+	p := pattern{
+		eventTypePattern:  eventTypePattern,
+		namespacePatterns: cleanJoinNamespaces(nsPatterns),
+	}
+	f.filters[c].patterns.Insert(p, subscriptionID)
 }
 
 // removePattern removes a pattern from a cluster node's list.
-func (f *Filters) removePattern(c clusterNodeID, namespacePatterns []string, eventTypePattern string) {
+func (f *Filters) removePattern(c clusterNodeID, namespacePatterns []string, eventTypePattern, subscriptionID string) {
 	defer f.notify(c)
 	nsPatterns := slices.Clone(namespacePatterns)
 	sort.Strings(nsPatterns)
@@ -251,7 +316,7 @@ func (f *Filters) removePattern(c clusterNodeID, namespacePatterns []string, eve
 	if !ok {
 		return
 	}
-	filters.patterns.Delete(check)
+	filters.patterns.Delete(check, subscriptionID)
 }
 
 // anyMatch returns true if any cluster node's pattern list matches the arguments.
@@ -338,6 +403,10 @@ func (f *Filters) watch(ctx context.Context, clusterNode clusterNodeID) (<-chan
 				return
 			}
 			changes := calculateChanges(current, next)
+			if len(changes) == 0 {
+				// If there are no changes, don't notify
+				continue
+			}
 			current = next
 			// check if the context is finished before sending
 			select {
@@ -357,6 +426,7 @@ type FilterChange struct {
 	Operation         int
 	NamespacePatterns []string
 	EventTypePattern  string
+	SubscriberID      string
 }
 
 const (
@@ -376,34 +446,43 @@ func calculateChanges(from *ClusterNodeFilter, to *ClusterNodeFilter) []FilterCh
 		changes = append(changes, FilterChange{
 			Operation: FilterChangeClear,
 		})
-		for pattern := range to.patterns {
+		for pattern, subscriberIDs := range to.patterns {
 			if !pattern.isEmpty() {
-				changes = append(changes, FilterChange{
-					Operation:         FilterChangeAdd,
-					NamespacePatterns: strings.Split(pattern.namespacePatterns, " "),
-					EventTypePattern:  pattern.eventTypePattern,
-				})
+				for _, subscriberID := range subscriberIDs {
+					changes = append(changes, FilterChange{
+						Operation:         FilterChangeAdd,
+						NamespacePatterns: strings.Split(pattern.namespacePatterns, " "),
+						EventTypePattern:  pattern.eventTypePattern,
+						SubscriberID:      subscriberID,
+					})
+				}
 			}
 		}
 	} else {
 		additions := to.patterns.Difference(from.patterns)
 		subtractions := from.patterns.Difference(to.patterns)
-		for add := range additions {
+		for add, subscriberIDs := range additions {
 			if !add.isEmpty() {
-				changes = append(changes, FilterChange{
-					Operation:         FilterChangeAdd,
-					NamespacePatterns: strings.Split(add.namespacePatterns, " "),
-					EventTypePattern:  add.eventTypePattern,
-				})
+				for _, subscriberID := range subscriberIDs {
+					changes = append(changes, FilterChange{
+						Operation:         FilterChangeAdd,
+						NamespacePatterns: strings.Split(add.namespacePatterns, " "),
+						EventTypePattern:  add.eventTypePattern,
+						SubscriberID:      subscriberID,
+					})
+				}
 			}
 		}
-		for sub := range subtractions {
+		for sub, subscriberIDs := range subtractions {
 			if !sub.isEmpty() {
-				changes = append(changes, FilterChange{
-					Operation:         FilterChangeRemove,
-					NamespacePatterns: strings.Split(sub.namespacePatterns, " "),
-					EventTypePattern:  sub.eventTypePattern,
-				})
+				for _, subscriberID := range subscriberIDs {
+					changes = append(changes, FilterChange{
+						Operation:         FilterChangeRemove,
+						NamespacePatterns: strings.Split(sub.namespacePatterns, " "),
+						EventTypePattern:  sub.eventTypePattern,
+						SubscriberID:      subscriberID,
+					})
+				}
 			}
 		}
 	}
diff --git a/vault/eventbus/filter_test.go b/vault/eventbus/filter_test.go
index 2621ac0827..c2f0a36591 100644
--- a/vault/eventbus/filter_test.go
+++ b/vault/eventbus/filter_test.go
@@ -35,12 +35,12 @@ func TestFilters_AddRemoveMatchLocal(t *testing.T) {
 
 	assert.False(t, f.localMatch(ns, "abc"))
 	assert.False(t, f.anyMatch(ns, "abc"))
-	f.addPattern("self", []string{ns.Path}, "abc")
+	f.addPattern("self", []string{ns.Path}, "abc", "uuid")
 	assert.True(t, f.localMatch(ns, "abc"))
 	assert.False(t, f.localMatch(ns, "abcd"))
 	assert.True(t, f.anyMatch(ns, "abc"))
 	assert.False(t, f.anyMatch(ns, "abcd"))
-	f.removePattern("self", []string{ns.Path}, "abc")
+	f.removePattern("self", []string{ns.Path}, "abc", "uuid")
 	assert.False(t, f.localMatch(ns, "abc"))
 	assert.False(t, f.anyMatch(ns, "abc"))
 }
@@ -51,7 +51,7 @@ func TestFilters_Watch(t *testing.T) {
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	t.Cleanup(cancelFunc)
 	f := NewFilters("self")
-	f.addPattern("self", []string{"ns1"}, "e3")
+	f.addPattern("self", []string{"ns1"}, "e3", "uuid")
 	ch, cancelFunc2 := f.watch(ctx, "self")
 	t.Cleanup(cancelFunc2)
 	initial := <-ch // we always get one immediately for the current state
@@ -60,24 +60,60 @@ func TestFilters_Watch(t *testing.T) {
 	assert.Equal(t, FilterChangeAdd, initial[1].Operation)
 	assert.Equal(t, []string{"ns1"}, initial[1].NamespacePatterns)
 	assert.Equal(t, "e3", initial[1].EventTypePattern)
+	assert.Equal(t, "uuid", initial[1].SubscriberID)
 
 	go func() {
-		f.addPattern("self", []string{"ns1"}, "e2")
+		f.addPattern("self", []string{"ns1"}, "e2", "uuid1")
 	}()
 	changes := waitForChanges(t, ch)
 	assert.Equal(t, []FilterChange{{
 		Operation:         FilterChangeAdd,
 		NamespacePatterns: []string{"ns1"},
 		EventTypePattern:  "e2",
+		SubscriberID:      "uuid1",
 	}}, changes)
 	go func() {
-		f.removePattern("self", []string{"ns1"}, "e3")
+		f.addPattern("self", []string{"ns1"}, "e2", "uuid2")
+	}()
+	changes = waitForChanges(t, ch)
+	assert.Equal(t, []FilterChange{{
+		Operation:         FilterChangeAdd,
+		NamespacePatterns: []string{"ns1"},
+		EventTypePattern:  "e2",
+		SubscriberID:      "uuid2",
+	}}, changes)
+	go func() {
+		f.removePattern("self", []string{"ns1"}, "e3", "uuid")
 	}()
 	changes = waitForChanges(t, ch)
 	assert.Equal(t, []FilterChange{{
 		Operation:         FilterChangeRemove,
 		NamespacePatterns: []string{"ns1"},
 		EventTypePattern:  "e3",
+		SubscriberID:      "uuid",
+	}}, changes)
+
+	// Remove and add one of the e2 patterns to test the copyPatternWithLock
+	// logic
+	go func() {
+		f.removePattern("self", []string{"ns1"}, "e2", "uuid1")
+	}()
+	changes = waitForChanges(t, ch)
+	assert.Equal(t, []FilterChange{{
+		Operation:         FilterChangeRemove,
+		NamespacePatterns: []string{"ns1"},
+		EventTypePattern:  "e2",
+		SubscriberID:      "uuid1",
+	}}, changes)
+	go func() {
+		f.addPattern("self", []string{"ns1"}, "e2", "uuid1")
+	}()
+	changes = waitForChanges(t, ch)
+	assert.Equal(t, []FilterChange{{
+		Operation:         FilterChangeAdd,
+		NamespacePatterns: []string{"ns1"},
+		EventTypePattern:  "e2",
+		SubscriberID:      "uuid1",
 	}}, changes)
 }
 
@@ -96,7 +132,7 @@ func waitForChanges(t *testing.T, ch <-chan []FilterChange) []FilterChange {
 // TestFilters_WatchCancel checks that calling the cancel function will clean up the channel.
 func TestFilters_WatchCancel(t *testing.T) {
 	f := NewFilters("self")
-	f.addPattern("self", []string{"ns1"}, "e3")
+	f.addPattern("self", []string{"ns1"}, "e3", "uuid")
 	ch, cancelFunc := f.watch(context.Background(), "self")
 	t.Cleanup(cancelFunc)
 	initial := <-ch // we always get one immediately for the current state
@@ -128,18 +164,18 @@ func TestFilters_WatchCancel(t *testing.T) {
 // TestFilters_AddRemoveClear tests that add/remove/clear works as expected.
 func TestFilters_AddRemoveClear(t *testing.T) {
 	f := NewFilters("self")
-	f.addPattern("somecluster", []string{"ns1"}, "abc")
-	f.removePattern("somecluster", []string{"ns1"}, "abcd")
-	assert.Equal(t, "{ns=ns1,ev=abc}", f.filters["somecluster"].String())
-	f.removePattern("somecluster", []string{"ns1"}, "abc")
+	f.addPattern("somecluster", []string{"ns1"}, "abc", "uuid")
+	f.removePattern("somecluster", []string{"ns1"}, "abcd", "uuid")
+	assert.Equal(t, "{ns=ns1,ev=abc}: [uuid]", f.filters["somecluster"].String())
+	f.removePattern("somecluster", []string{"ns1"}, "abc", "uuid")
 	assert.Equal(t, "", f.filters["somecluster"].String())
-	f.addPattern("somecluster", []string{"ns1"}, "abc")
+	f.addPattern("somecluster", []string{"ns1"}, "abc", "uuid")
 	f.clearClusterNodePatterns("somecluster")
 	assert.NotContains(t, f.filters, "somecluster")
 
 	f.addClusterWidePattern([]string{"ns1"}, "abc")
 	f.removeClusterWidePattern([]string{"ns1"}, "abcd")
-	assert.Equal(t, "{ns=ns1,ev=abc}", f.filters[clusterWide].String())
+	assert.Equal(t, "{ns=ns1,ev=abc}: [__cluster_wide__]", f.filters[clusterWide].String())
 	f.removeClusterWidePattern([]string{"ns1"}, "abc")
 	assert.Equal(t, "", f.filters[clusterWide].String())
 	f.addClusterWidePattern([]string{"ns1"}, "abc")
@@ -151,12 +187,376 @@ func TestFilters_AddRemoveClear(t *testing.T) {
 // works as expected.
 func TestFilters_makeClusterWideFilters(t *testing.T) {
 	f := NewFilters("self")
-	f.addPattern("node1", []string{"ns1"}, "abc")
-	f.addPattern("node2", []string{"ns1"}, "abc")
+	f.addPattern("node1", []string{"ns1"}, "abc", "uuid")
+	f.addPattern("node2", []string{"ns1"}, "abc", "uuid")
 	f.makeClusterWideFilters()
-	assert.Equal(t, "{ns=ns1,ev=abc}", f.filters[clusterWide].String())
+	assert.Equal(t, "{ns=ns1,ev=abc}: [__cluster_wide__]", f.filters[clusterWide].String())
 
-	f.addPattern("node3", []string{"ns3"}, "def")
+	f.addPattern("node3", []string{"ns3"}, "def", "uuid")
 	f.makeClusterWideFilters()
-	assert.Equal(t, "{ns=ns1,ev=abc},{ns=ns3,ev=def}", f.filters[clusterWide].String())
+	assert.Equal(t, "{ns=ns1,ev=abc}: [__cluster_wide__],{ns=ns3,ev=def}: [__cluster_wide__]", f.filters[clusterWide].String())
+}
+
+// TestFilters_duplicate_filters tests the underpinnings of the scenario where
+// two subscribers subscribe to the same standby node using the same event
+// filters, then one disconnects. The filter should still be present for the
+// remaining subscriber (so that the active node knows to keep forwarding
+// matching events, for example).
+func TestFilters_duplicate_filters(t *testing.T) {
+	f := NewFilters("self")
+	expectedPattern := pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}
+
+	f.addPattern("node1", []string{expectedPattern.namespacePatterns}, expectedPattern.eventTypePattern, "uuid1")
+	f.addPattern("node1", []string{expectedPattern.namespacePatterns}, expectedPattern.eventTypePattern, "uuid2")
+	assert.Equal(t, 1, len(f.filters["node1"].patterns))
+	assert.Equal(t, []string{"uuid1", "uuid2"}, f.filters["node1"].patterns[expectedPattern])
+
+	f.removePattern("node1", []string{"ns1"}, "abc", "uuid1")
+	assert.Equal(t, 1, len(f.filters["node1"].patterns))
+	assert.Equal(t, []string{"uuid2"}, f.filters["node1"].patterns[expectedPattern])
+
+	f.removePattern("node1", []string{"ns1"}, "abc", "uuid2")
+	assert.Empty(t, f.filters["node1"].patterns)
+}
+
+// TestPatternSet_basics tests the basic functionality of the patternSet type.
+func TestPatternSet_basics(t *testing.T) {
+	ps := newPatternSet()
+	ps.Insert(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_def")
+	ps.Insert(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_abc")
+	ps.Insert(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_ghi")
+	// The subscriber id's should be sorted
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid_abc", "uuid_def", "uuid_ghi"},
+		},
+		ps,
+	)
+
+	// Duplicate uuids should be ignored
+	ps.Insert(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_abc")
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid_abc", "uuid_def", "uuid_ghi"},
+		},
+		ps,
+	)
+
+	ps.Insert(pattern{eventTypePattern: "def", namespacePatterns: "ns2"}, "uuid")
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid_abc", "uuid_def", "uuid_ghi"},
+			pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid"},
+		},
+		ps,
+	)
+
+	ps.Delete(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_abc")
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid_def", "uuid_ghi"},
+			pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid"},
+		},
+		ps,
+	)
+
+	ps.Delete(pattern{eventTypePattern: "def", namespacePatterns: "ns2"}, "uuid")
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid_def", "uuid_ghi"},
+		},
+		ps,
+	)
+
+	// subscriber id isn't present, nothing deleted
+	ps.Delete(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_abc")
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid_def", "uuid_ghi"},
+		},
+		ps,
+	)
+
+	// Delete all patterns
+	ps.Delete(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_def")
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid_ghi"},
+		},
+		ps,
+	)
+	ps.Delete(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid_ghi")
+	assert.Empty(t, ps)
+
+	// Insert again
+	ps.Insert(pattern{eventTypePattern: "ghi", namespacePatterns: "ns1"}, "uuid")
+	assert.Len(t, ps, 1)
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "ghi", namespacePatterns: "ns1"}: []string{"uuid"},
+		},
+		ps,
+	)
+	ps.Insert(pattern{eventTypePattern: "jkl", namespacePatterns: "ns2"}, "uuid")
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "ghi", namespacePatterns: "ns1"}: []string{"uuid"},
+			pattern{eventTypePattern: "jkl", namespacePatterns: "ns2"}: []string{"uuid"},
+		},
+		ps,
+	)
+	ps.Delete(pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}, "uuid")
+	// should have deleted nothing
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "ghi", namespacePatterns: "ns1"}: []string{"uuid"},
+			pattern{eventTypePattern: "jkl", namespacePatterns: "ns2"}: []string{"uuid"},
+		},
+		ps,
+	)
+	ps.Delete(pattern{eventTypePattern: "ghi", namespacePatterns: "ns1"}, "uuid")
+	assert.Len(t, ps, 1)
+	assert.Equal(t,
+		patternSet{
+			pattern{eventTypePattern: "jkl", namespacePatterns: "ns2"}: []string{"uuid"},
+		},
+		ps,
+	)
+
+	ps.Clear()
+	assert.Empty(t, ps)
+}
+
+// TestPatternSetDelete does more in-depth testing of the patternSet Delete()
+func TestPatternSetDelete(t *testing.T) {
+	testCases := map[string]struct {
+		ps             patternSet
+		pattern        pattern
+		subscriptionID string
+		expected       patternSet
+	}{
+		"empty ps": {
+			ps:             newPatternSet(),
+			pattern:        pattern{eventTypePattern: "abc", namespacePatterns: "ns1"},
+			subscriptionID: "uuid",
+			expected:       patternSet{},
+		},
+		"remove one full pattern": {
+			ps: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1", "uuid2"},
+			},
+			pattern:        pattern{eventTypePattern: "abc", namespacePatterns: "ns1"},
+			subscriptionID: "uuid1",
+			expected: patternSet{
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1", "uuid2"},
+			},
+		},
+		"remove first subscription id": {
+			ps: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1", "uuid2", "uuid3"},
+			},
+			pattern:        pattern{eventTypePattern: "abc", namespacePatterns: "ns1"},
+			subscriptionID: "uuid1",
+			expected: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid2", "uuid3"},
+			},
+		},
+		"remove last subscription id": {
+			ps: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1", "uuid2"},
+			},
+			pattern:        pattern{eventTypePattern: "abc", namespacePatterns: "ns1"},
+			subscriptionID: "uuid2",
+			expected: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+			},
+		},
+		"remove only pattern": {
+			ps: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+			},
+			pattern:        pattern{eventTypePattern: "abc", namespacePatterns: "ns1"},
+			subscriptionID: "uuid1",
+			expected:       patternSet{},
+		},
+	}
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			result := tc.ps.Delete(tc.pattern, tc.subscriptionID)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
+
+// TestPatternSetDifference tests the Difference method of the patternSet type.
+func TestPatternSetDifference(t *testing.T) {
+	testCases := map[string]struct {
+		ps1          patternSet
+		ps2          patternSet
+		expectedDiff patternSet
+	}{
+		"empty ps1": {
+			ps1: newPatternSet(),
+			ps2: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1", "uuid2"},
+			},
+			expectedDiff: newPatternSet(),
+		},
+		"empty ps2": {
+			ps1: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1", "uuid2"},
+			},
+			ps2: newPatternSet(),
+			expectedDiff: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1", "uuid2"},
+			},
+		},
+		"both empty": {
+			ps1:          newPatternSet(),
+			ps2:          newPatternSet(),
+			expectedDiff: newPatternSet(),
+		},
+		"regular diff": {
+			ps1: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1", "uuid2"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1"},
+			},
+			ps2: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+				pattern{eventTypePattern: "xyz", namespacePatterns: ""}:    []string{"uuid1"},
+			},
+			expectedDiff: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid2"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1"},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		diff := tc.ps1.Difference(tc.ps2)
+		assert.Equal(t, tc.expectedDiff, diff)
+	}
+}
+
+// Test_calculateChanges exercises the logic for calculating changes in the form
+// of []FilterChange between two patternSets
+func Test_calculateChanges(t *testing.T) {
+	type testCase struct {
+		from            patternSet
+		to              patternSet
+		expectedChanges []FilterChange
+	}
+	testCases := map[string]testCase{
+		"remove one pattern": {
+			from: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1"},
+			},
+			to: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+			},
+			expectedChanges: []FilterChange{
+				{
+					Operation:         FilterChangeRemove,
+					NamespacePatterns: []string{"ns2"},
+					EventTypePattern:  "def",
+					SubscriberID:      "uuid1",
+				},
+			},
+		},
+		"remove one uuid": {
+			from: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1", "uuid2"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1"},
+			},
+			to: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid2"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1"},
+			},
+			expectedChanges: []FilterChange{
+				{
+					Operation:         FilterChangeRemove,
+					NamespacePatterns: []string{"ns1"},
+					EventTypePattern:  "abc",
+					SubscriberID:      "uuid1",
+				},
+			},
+		},
+		"remove all uuids": {
+			from: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1", "uuid2"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1"},
+			},
+			to: patternSet{},
+			expectedChanges: []FilterChange{
+				{
+					Operation:         FilterChangeRemove,
+					NamespacePatterns: []string{"ns1"},
+					EventTypePattern:  "abc",
+					SubscriberID:      "uuid1",
+				},
+				{
+					Operation:         FilterChangeRemove,
+					NamespacePatterns: []string{"ns1"},
+					EventTypePattern:  "abc",
+					SubscriberID:      "uuid2",
+				},
+				{
+					Operation:         FilterChangeRemove,
+					NamespacePatterns: []string{"ns2"},
+					EventTypePattern:  "def",
+					SubscriberID:      "uuid1",
+				},
+			},
+		},
+		"add one pattern": {
+			from: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+			},
+			to: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+				pattern{eventTypePattern: "def", namespacePatterns: "ns2"}: []string{"uuid1"},
+			},
+			expectedChanges: []FilterChange{
+				{
+					Operation:         FilterChangeAdd,
+					NamespacePatterns: []string{"ns2"},
+					EventTypePattern:  "def",
+					SubscriberID:      "uuid1",
+				},
+			},
+		},
+		"add one uuid": {
+			from: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1"},
+			},
+			to: patternSet{
+				pattern{eventTypePattern: "abc", namespacePatterns: "ns1"}: []string{"uuid1", "uuid2"},
+			},
+			expectedChanges: []FilterChange{
+				{
+					Operation:         FilterChangeAdd,
+					NamespacePatterns: []string{"ns1"},
+					EventTypePattern:  "abc",
+					SubscriberID:      "uuid2",
+				},
+			},
+		},
+	}
+	for name, tt := range testCases {
+		t.Run(name, func(t *testing.T) {
+			fromCNF := ClusterNodeFilter{
+				patterns: tt.from,
+			}
+			toCNF := ClusterNodeFilter{
+				patterns: tt.to,
+			}
+			got := calculateChanges(&fromCNF, &toCNF)
+			assert.ElementsMatch(t, tt.expectedChanges, got)
+		})
+	}
 }
diff --git a/vault/expiration.go b/vault/expiration.go
index 7d7f94b354..b6e83c5ee0 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -33,9 +33,11 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault/eventbus"
 	"github.com/hashicorp/vault/vault/observations"
 	"github.com/hashicorp/vault/vault/quotas"
 	uberAtomic "go.uber.org/atomic"
+	"google.golang.org/protobuf/types/known/structpb"
 )
 
 const (
@@ -80,6 +82,23 @@ const (
 
 	outOfRetriesMessage = "out of retries"
 
+	// event notification types for leases
+	leaseEventTypeExpired      = "lease/expired"
+	leaseEventTypeRevokeFailed = "lease/revoke_failed"
+	leaseEventTypeRevoked      = "lease/revoked"
+	leaseEventTypeRenewFailed  = "lease/renew_failed"
+	leaseEventTypeRenewed      = "lease/renewed"
+	leaseEventTypeIssued       = "lease/issued"
+
+	// event notification operations for leases
+	leaseOperationExpire = "expire"
+	leaseOperationRevoke = "revoke"
+	leaseOperationRenew  = "renew"
+	leaseOperationIssue  = "issue"
+
+	// lease metadata
+	leaseMetadataLeaseID = "lease_id"
+
 	// maximum number of irrevocable leases we return to the irrevocable lease
 	// list API **without** the `force` flag set
 	MaxIrrevocableLeasesToReturn = 10000
@@ -233,8 +252,16 @@ func (r *revocationJob) Execute() error {
 	default:
 	}
 
+	// send a lease event for expiration
+	le, err := r.m.loadEntry(revokeCtx, r.leaseID)
+	if err != nil {
+		r.m.logger.Error("failed to load lease for expiration event", "error", err)
+	} else if le != nil {
+		r.m.sendLeaseEvent(revokeCtx, le, leaseEventTypeExpired, leaseOperationExpire, false)
+	}
+
 	r.m.coreStateLock.RLock()
-	err := r.m.Revoke(revokeCtx, r.leaseID)
+	err = r.m.Revoke(revokeCtx, r.leaseID)
 	r.m.coreStateLock.RUnlock()
 
 	return err
@@ -1045,6 +1072,7 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
 	// Revoke the entry
 	if !skipToken || le.Auth == nil {
 		if err := m.revokeEntry(ctx, le); err != nil {
+			m.sendLeaseEvent(ctx, le, leaseEventTypeRevokeFailed, leaseOperationRevoke, false)
 			if !force {
 				return err
 			}
@@ -1066,7 +1094,7 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
 	// Delete the secondary index, but only if it's a leased secret (not auth)
 	if le.Secret != nil {
 		var indexToken string
-		// Maintain secondary index by token, except for orphan batch tokens
+		// Maintain secondary index by token, except for orphan batch tokens and enterprise tokens
 		switch le.ClientTokenType {
 		case logical.TokenTypeBatch:
 			te, err := m.tokenStore.lookupBatchTokenInternal(ctx, le.ClientToken)
@@ -1080,6 +1108,9 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
 				// parent
 				indexToken = te.Parent
 			}
+		case logical.TokenTypeEnt:
+			// ent tokens don't maintain parent relationships; just use the token itself
+			indexToken = le.ClientToken
 		default:
 			indexToken = le.ClientToken
 		}
@@ -1115,6 +1146,10 @@ func (m *ExpirationManager) revokeCommon(ctx context.Context, leaseID string, fo
 		}
 	}
 
+	if !skipToken {
+		m.sendLeaseEvent(ctx, le, leaseEventTypeRevoked, leaseOperationRevoke, true)
+	}
+
 	if m.logger.IsInfo() && !skipToken && m.logLeaseExpirations {
 		m.logger.Info("revoked lease", "lease_id", leaseID)
 	}
@@ -1276,6 +1311,7 @@ func (m *ExpirationManager) Renew(ctx context.Context, leaseID string, increment
 
 	// Check if the lease is renewable
 	if _, err := le.renewable(); err != nil {
+		m.sendLeaseEvent(ctx, le, leaseEventTypeRenewFailed, leaseOperationRenew, false)
 		return nil, err
 	}
 
@@ -1303,12 +1339,14 @@ func (m *ExpirationManager) Renew(ctx context.Context, leaseID string, increment
 	// Attempt to renew the entry
 	resp, err := m.renewEntry(ctx, le, increment)
 	if err != nil {
+		m.sendLeaseEvent(ctx, le, leaseEventTypeRenewFailed, leaseOperationRenew, false)
 		return nil, err
 	}
 	if resp == nil {
 		return nil, nil
 	}
 	if resp.IsError() {
+		m.sendLeaseEvent(ctx, le, leaseEventTypeRenewFailed, leaseOperationRenew, false)
 		return &logical.Response{
 			Data: resp.Data,
 		}, nil
@@ -1377,6 +1415,8 @@ func (m *ExpirationManager) Renew(ctx context.Context, leaseID string, increment
 	// Update the expiration time
 	m.updatePending(le)
 
+	m.sendLeaseEvent(ctx, le, leaseEventTypeRenewed, leaseOperationRenew, true)
+
 	// Return the response
 	return resp, nil
 }
@@ -1433,18 +1473,21 @@ func (m *ExpirationManager) RenewToken(ctx context.Context, req *logical.Request
 	// Check if the lease is renewable. Note that this also checks for a nil
 	// lease and errors in that case as well.
 	if _, err := le.renewable(); err != nil {
+		m.sendLeaseEvent(ctx, le, leaseEventTypeRenewFailed, leaseOperationRenew, false)
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}
 
 	// Attempt to renew the auth entry
 	resp, err := m.renewAuthEntry(ctx, req, le, increment)
 	if err != nil {
+		m.sendLeaseEvent(ctx, le, leaseEventTypeRenewFailed, leaseOperationRenew, false)
 		return nil, err
 	}
 	if resp == nil {
 		return nil, nil
 	}
 	if resp.IsError() {
+		m.sendLeaseEvent(ctx, le, leaseEventTypeRenewFailed, leaseOperationRenew, false)
 		return &logical.Response{
 			Data: resp.Data,
 		}, nil
@@ -1506,6 +1549,8 @@ func (m *ExpirationManager) RenewToken(ctx context.Context, req *logical.Request
 		return nil, err
 	}
 
+	m.sendLeaseEvent(ctx, le, leaseEventTypeRenewed, leaseOperationRenew, true)
+
 	retResp.Auth = resp.Auth
 	return retResp, nil
 }
@@ -1513,6 +1558,9 @@ func (m *ExpirationManager) RenewToken(ctx context.Context, req *logical.Request
 // Register is used to take a request and response with an associated
 // lease. The secret gets assigned a LeaseID and the management of
 // the lease is assumed by the expiration manager.
+//
+// For enterprise tokens, Register uses the token entry ID for indexing and
+// caps secret leases at token expiration, marking them non-renewable.
 func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request, resp *logical.Response, loginRole string) (id string, retErr error) {
 	defer metrics.MeasureSince([]string{"expire", "register"}, time.Now())
 
@@ -1561,6 +1609,9 @@ func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request,
 		namespace:       ns,
 		Version:         1,
 	}
+	if te.Type == logical.TokenTypeEnt {
+		le.ClientToken = te.ID
+	}
 
 	var indexToken string
 	// Maintain secondary index by token, except for orphan batch tokens
@@ -1613,6 +1664,20 @@ func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request,
 			le.ExpireTime = tokenLeaseTimes.ExpireTime
 		}
 	}
+	if te.Type == logical.TokenTypeEnt {
+		tokenExpireTime := deriveExpireTimeFromEntToken(te)
+		if tokenExpireTime.IsZero() && te.TTL > 0 {
+			tokenExpireTime = time.Unix(te.CreationTime, 0).Add(te.TTL)
+		}
+		if !tokenExpireTime.IsZero() && (le.ExpireTime.IsZero() || le.ExpireTime.After(tokenExpireTime)) {
+			le.ExpireTime = tokenExpireTime
+			le.Secret.TTL = le.ExpireTime.Sub(le.IssueTime)
+			if le.Secret.TTL < 0 {
+				le.Secret.TTL = 0
+			}
+		}
+		le.Secret.Renewable = false
+	}
 
 	// Acquire the lock here so persistEntry and updatePending are atomic,
 	// although it is *very unlikely* that anybody could grab the lease ID
@@ -1646,6 +1711,8 @@ func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request,
 	// Setup revocation timer if there is a lease
 	m.updatePending(le)
 
+	m.sendLeaseEvent(ctx, le, leaseEventTypeIssued, leaseOperationIssue, true)
+
 	// We round here because the clock will have already started
 	// ticking, so we'll end up always returning 299 instead of 300 or
 	// 26399 instead of 26400, say, even if it's just a few
@@ -1670,6 +1737,14 @@ func (m *ExpirationManager) RegisterAuth(ctx context.Context, te *logical.TokenE
 
 	authExpirationTime := auth.ExpirationTime()
 
+	// For ent tokens, derive expiration from ent token
+	if te.Type == logical.TokenTypeEnt {
+		entTokenExpireTime := deriveExpireTimeFromEntToken(te)
+		if !entTokenExpireTime.IsZero() {
+			authExpirationTime = entTokenExpireTime
+		}
+	}
+
 	if te.TTL == 0 && authExpirationTime.IsZero() && (len(te.Policies) != 1 || te.Policies[0] != "root") {
 		return errors.New("refusing to register a lease for a non-root token with no TTL")
 	}
@@ -1746,6 +1821,8 @@ func (m *ExpirationManager) RegisterAuth(ctx context.Context, te *logical.TokenE
 		te.ExternalID = tok
 	}
 
+	m.sendLeaseEvent(ctx, &le, leaseEventTypeIssued, leaseOperationIssue, true)
+
 	return nil
 }
 
@@ -1769,6 +1846,19 @@ func (m *ExpirationManager) FetchLeaseTimesByToken(ctx context.Context, te *logi
 		}, nil
 	}
 
+	if te.Type == logical.TokenTypeEnt {
+		entTokenExpireTime := deriveExpireTimeFromEntToken(te)
+		if !entTokenExpireTime.IsZero() {
+			issueTime := time.Unix(te.CreationTime, 0)
+			return &leaseEntry{
+				IssueTime:       issueTime,
+				ExpireTime:      entTokenExpireTime,
+				ClientTokenType: logical.TokenTypeEnt,
+			}, nil
+		}
+		return nil, errors.New("enterprise token has no valid expiration time")
+	}
+
 	tokenNS, err := NamespaceByID(ctx, te.NamespaceID, m.core)
 	if err != nil {
 		return nil, err
@@ -1921,6 +2011,36 @@ func (m *ExpirationManager) updatePending(le *leaseEntry) {
 	m.updatePendingInternal(le)
 }
 
+// sendLeaseEvent sends an event notification for a lease operations
+func (m *ExpirationManager) sendLeaseEvent(ctx context.Context, le *leaseEntry, eventType string, operation string, modified bool) {
+	if le == nil || le.namespace == nil || m.core == nil || m.core.events == nil {
+		return
+	}
+
+	ev, err := logical.NewEvent()
+	if err != nil {
+		m.logger.Error("Error creating lease event", "error", err)
+		return
+	}
+
+	metadata := map[string]string{
+		logical.EventMetadataPath:      le.Path,
+		logical.EventMetadataOperation: operation,
+		logical.EventMetadataModified:  strconv.FormatBool(modified),
+		leaseMetadataLeaseID:           le.LeaseID,
+	}
+
+	ev.Metadata = &structpb.Struct{Fields: make(map[string]*structpb.Value, len(metadata))}
+	for key, value := range metadata {
+		ev.Metadata.Fields[key] = structpb.NewStringValue(value)
+	}
+
+	err = m.core.events.SendEventInternal(ctx, le.namespace, nil, logical.EventType(eventType), false, ev)
+	if err != nil && !errors.Is(err, eventbus.ErrNotStarted) {
+		m.logger.Error("Error sending lease event", "path", le.Path, "operation", operation, "error", err)
+	}
+}
+
 // updatePendingInternal is the locked version of updatePending; do not call
 // this without a write lock on m.pending
 func (m *ExpirationManager) updatePendingInternal(le *leaseEntry) {
@@ -2033,6 +2153,11 @@ func (m *ExpirationManager) revokeEntry(ctx context.Context, le *leaseEntry) err
 			return errors.New("batch tokens cannot be revoked")
 		}
 
+		// ent tokens are managed by external IdPs and should not be revoked through Vault backends
+		if le.ClientTokenType == logical.TokenTypeEnt {
+			return errors.New("enterprise tokens are managed by external IdPs and cannot be revoked by Vault")
+		}
+
 		if err := m.tokenStore.revokeTree(ctx, le); err != nil {
 			return fmt.Errorf("failed to revoke token: %w", err)
 		}
@@ -2083,6 +2208,10 @@ func (m *ExpirationManager) renewAuthEntry(ctx context.Context, req *logical.Req
 		return logical.ErrorResponse("batch tokens cannot be renewed"), nil
 	}
 
+	if le.ClientTokenType == logical.TokenTypeEnt {
+		return logical.ErrorResponse("enterprise tokens cannot be renewed"), nil
+	}
+
 	auth := *le.Auth
 	auth.IssueTime = le.IssueTime
 	auth.Increment = increment
@@ -2223,15 +2352,26 @@ func (m *ExpirationManager) deleteEntry(ctx context.Context, le *leaseEntry) err
 func (m *ExpirationManager) createIndexByToken(ctx context.Context, le *leaseEntry, token string) error {
 	tokenNS := namespace.RootNamespace
 	saltCtx := namespace.ContextWithNamespace(ctx, namespace.RootNamespace)
-	_, nsID := namespace.SplitIDFromString(token)
-	if nsID != "" {
-		var err error
-		tokenNS, err = NamespaceByID(ctx, nsID, m.core)
+	// For enterprise token IDs, derive namespace context from the lease rather than
+	// parsing token segments.
+	if IsEnterpriseTokenId(token) {
+		ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
 		if err != nil {
 			return err
 		}
-		if tokenNS != nil {
-			saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+		tokenNS = ns
+		saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+	} else {
+		_, nsID := namespace.SplitIDFromString(token)
+		if nsID != "" {
+			var err error
+			tokenNS, err = NamespaceByID(ctx, nsID, m.core)
+			if err != nil {
+				return err
+			}
+			if tokenNS != nil {
+				saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+			}
 		}
 	}
 
@@ -2260,15 +2400,24 @@ func (m *ExpirationManager) createIndexByToken(ctx context.Context, le *leaseEnt
 func (m *ExpirationManager) indexByToken(ctx context.Context, le *leaseEntry) (*logical.StorageEntry, error) {
 	tokenNS := namespace.RootNamespace
 	saltCtx := namespace.ContextWithNamespace(ctx, tokenNS)
-	_, nsID := namespace.SplitIDFromString(le.ClientToken)
-	if nsID != "" {
-		var err error
-		tokenNS, err = NamespaceByID(ctx, nsID, m.core)
+	if IsEnterpriseTokenId(le.ClientToken) {
+		ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
 		if err != nil {
 			return nil, err
 		}
-		if tokenNS != nil {
-			saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+		tokenNS = ns
+		saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+	} else {
+		_, nsID := namespace.SplitIDFromString(le.ClientToken)
+		if nsID != "" {
+			var err error
+			tokenNS, err = NamespaceByID(ctx, nsID, m.core)
+			if err != nil {
+				return nil, err
+			}
+			if tokenNS != nil {
+				saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+			}
 		}
 	}
 
@@ -2295,24 +2444,33 @@ func (m *ExpirationManager) indexByToken(ctx context.Context, le *leaseEntry) (*
 func (m *ExpirationManager) removeIndexByToken(ctx context.Context, le *leaseEntry, token string) error {
 	tokenNS := namespace.RootNamespace
 	saltCtx := namespace.ContextWithNamespace(ctx, namespace.RootNamespace)
-	_, nsID := namespace.SplitIDFromString(token)
-	if nsID != "" {
-		var err error
-		tokenNS, err = NamespaceByID(ctx, nsID, m.core)
+	if IsEnterpriseTokenId(token) {
+		ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
 		if err != nil {
 			return err
 		}
-		if tokenNS != nil {
-			saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
-		}
+		tokenNS = ns
+		saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+	} else {
+		_, nsID := namespace.SplitIDFromString(token)
+		if nsID != "" {
+			var err error
+			tokenNS, err = NamespaceByID(ctx, nsID, m.core)
+			if err != nil {
+				return err
+			}
+			if tokenNS != nil {
+				saltCtx = namespace.ContextWithNamespace(ctx, tokenNS)
+			}
 
-		// Downgrade logic for old-style (V0) namespace leases that had its
-		// secondary index live in the root namespace. This reverts to the old
-		// behavior of looking for the secondary index on these leases in the
-		// root namespace to be cleaned up properly. We set it here because the
-		// old behavior used the namespace's token store salt for its saltCtx.
-		if le.Version < 1 {
-			tokenNS = namespace.RootNamespace
+			// Downgrade logic for old-style (V0) namespace leases that had its
+			// secondary index live in the root namespace. This reverts to the old
+			// behavior of looking for the secondary index on these leases in the
+			// root namespace to be cleaned up properly. We set it here because the
+			// old behavior used the namespace's token store salt for its saltCtx.
+			if le.Version < 1 {
+				tokenNS = namespace.RootNamespace
+			}
 		}
 	}
 
@@ -2688,6 +2846,11 @@ func (m *ExpirationManager) markLeaseIrrevocable(ctx context.Context, le *leaseE
 	m.nonexpiring.Delete(le.LeaseID)
 }
 
+// getNamespaceFromLeaseID resolves the namespace encoded in a lease ID suffix.
+// Lease IDs are generated by the expiration manager and include ".<nsID>" for
+// non-root namespaces; root-namespace lease IDs have no namespace suffix.
+// For persisted leaseEntry records, LeaseID is always set at creation, so
+// namespace derivation from LeaseID is expected to be stable.
 func (m *ExpirationManager) getNamespaceFromLeaseID(ctx context.Context, leaseID string) (*namespace.Namespace, error) {
 	_, nsID := namespace.SplitIDFromString(leaseID)
 
@@ -2898,6 +3061,9 @@ func (le *leaseEntry) renewable() (bool, error) {
 	case le.ClientTokenType == logical.TokenTypeBatch:
 		return false, nil
 
+	case le.ClientTokenType == logical.TokenTypeEnt:
+		return false, fmt.Errorf("enterprise tokens cannot be renewed")
+
 	// Determine if the lease is expired
 	case le.ExpireTime.Before(time.Now()):
 		return false, fmt.Errorf("lease expired")
diff --git a/vault/expiration_test.go b/vault/expiration_test.go
index 1800596809..7977dd1626 100644
--- a/vault/expiration_test.go
+++ b/vault/expiration_test.go
@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"github.com/armon/go-metrics"
+	"github.com/hashicorp/eventlogger"
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/metricsutil"
@@ -1832,6 +1833,13 @@ func TestExpiration_RenewToken_NotRenewable(t *testing.T) {
 
 func TestExpiration_Renew(t *testing.T) {
 	exp := mockExpiration(t)
+	ctx := namespace.RootContext(nil)
+	ch, cancel, err := exp.core.events.Subscribe(ctx, namespace.RootNamespace, leaseEventTypeRenewed, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel()
+
 	noop := &NoopBackend{}
 	_, barrier, _ := mockBarrier(t)
 	view := NewBarrierView(barrier, "logical/")
@@ -1885,6 +1893,8 @@ func TestExpiration_Renew(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}
 
+	expectedPath := req.Path
+
 	noop.Lock()
 	defer noop.Unlock()
 
@@ -1899,10 +1909,24 @@ func TestExpiration_Renew(t *testing.T) {
 	if req.Operation != logical.RenewOperation {
 		t.Fatalf("Bad: %v", req)
 	}
+
+	select {
+	case receivedEvent := <-ch:
+		assertLeaseRenewEvent(t, receivedEvent, leaseEventTypeRenewed, expectedPath, id)
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout waiting for %s event", leaseEventTypeRenewed)
+	}
 }
 
 func TestExpiration_Renew_NotRenewable(t *testing.T) {
 	exp := mockExpiration(t)
+	ctx := namespace.RootContext(nil)
+	ch, cancel, err := exp.core.events.Subscribe(ctx, namespace.RootNamespace, leaseEventTypeRenewFailed, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cancel()
+
 	noop := &NoopBackend{}
 	_, barrier, _ := mockBarrier(t)
 	view := NewBarrierView(barrier, "logical/")
@@ -1950,6 +1974,13 @@ func TestExpiration_Renew_NotRenewable(t *testing.T) {
 	if len(noop.Requests) != 0 {
 		t.Fatalf("Bad: %#v", noop.Requests)
 	}
+
+	select {
+	case receivedEvent := <-ch:
+		assertLeaseRenewEvent(t, receivedEvent, leaseEventTypeRenewFailed, req.Path, "")
+	case <-time.After(5 * time.Second):
+		t.Fatalf("timeout waiting for %s event", leaseEventTypeRenewFailed)
+	}
 }
 
 func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
@@ -3507,3 +3538,33 @@ func TestExpiration_listIrrevocableLeases_includeAll(t *testing.T) {
 		t.Errorf("bad lease count. expected %d, got %d", expectedNumLeases, numLeases)
 	}
 }
+
+func assertLeaseRenewEvent(t *testing.T, receivedEvent *eventlogger.Event, expectedEventType, expectedPath, expectedLeaseID string) {
+	t.Helper()
+
+	if receivedEvent == nil || receivedEvent.Payload == nil {
+		t.Fatal("missing event payload")
+	}
+
+	received, ok := receivedEvent.Payload.(*logical.EventReceived)
+	if !ok || received == nil {
+		t.Fatalf("unexpected payload type: %T", receivedEvent.Payload)
+	}
+	if received.EventType != expectedEventType {
+		t.Fatalf("unexpected event type: %s", received.EventType)
+	}
+	if received.Event == nil || received.Event.Metadata == nil {
+		t.Fatal("missing event metadata")
+	}
+
+	metadata := received.Event.Metadata.Fields
+	if metadata[logical.EventMetadataOperation].GetStringValue() != leaseOperationRenew {
+		t.Fatalf("unexpected operation: %s", metadata[logical.EventMetadataOperation].GetStringValue())
+	}
+	if metadata[logical.EventMetadataPath].GetStringValue() != expectedPath {
+		t.Fatalf("unexpected path: %s", metadata[logical.EventMetadataPath].GetStringValue())
+	}
+	if expectedLeaseID != "" && metadata[leaseMetadataLeaseID].GetStringValue() != expectedLeaseID {
+		t.Fatalf("unexpected lease id: %s", metadata[leaseMetadataLeaseID].GetStringValue())
+	}
+}
diff --git a/vault/expiration_util_ce.go b/vault/expiration_util_ce.go
index 18d5b4f66c..38221ba1a2 100644
--- a/vault/expiration_util_ce.go
+++ b/vault/expiration_util_ce.go
@@ -7,6 +7,7 @@ package vault
 
 import (
 	"fmt"
+	"time"
 
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -35,3 +36,7 @@ func (m *ExpirationManager) collectLeases() (map[*namespace.Namespace][]string,
 func (m *ExpirationManager) removeIrrevocableLeasesEnabled(c *Core) bool {
 	return false
 }
+
+func deriveExpireTimeFromEntToken(_ *logical.TokenEntry) time.Time {
+	return time.Time{}
+}
diff --git a/vault/extended_system_view.go b/vault/extended_system_view.go
index 12c20bb7e0..e9b1b2fda1 100644
--- a/vault/extended_system_view.go
+++ b/vault/extended_system_view.go
@@ -13,7 +13,10 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
-var _ logical.ExtendedSystemView = (*extendedSystemViewImpl)(nil)
+var (
+	_ logical.ExtendedSystemView         = (*extendedSystemViewImpl)(nil)
+	_ logical.CertificateCountSystemView = (*extendedSystemViewImpl)(nil)
+)
 
 type extendedSystemViewImpl struct {
 	dynamicSystemView
@@ -152,3 +155,7 @@ func (e extendedSystemViewImpl) DeregisterWellKnownRedirect(ctx context.Context,
 func (e extendedSystemViewImpl) GetPinnedPluginVersion(ctx context.Context, pluginType consts.PluginType, pluginName string) (*pluginutil.PinnedVersion, error) {
 	return e.core.pluginCatalog.GetPinnedVersion(ctx, pluginType, pluginName)
 }
+
+func (e extendedSystemViewImpl) GetCertificateCounter() logical.CertificateCounter {
+	return e.core.GetCertificateCounter()
+}
diff --git a/vault/external_plugin_container_test.go b/vault/external_plugin_container_test.go
index 3aa429c8ad..230dccb9a8 100644
--- a/vault/external_plugin_container_test.go
+++ b/vault/external_plugin_container_test.go
@@ -43,9 +43,6 @@ func testClusterWithContainerPlugins(t *testing.T, types []consts.PluginType) (*
 		Plugins: plugins,
 	})
 
-	cluster.Start()
-	t.Cleanup(cluster.Cleanup)
-
 	core := cluster.Cores[0]
 	TestWaitActive(t, core.Core)
 
diff --git a/vault/external_plugin_test.go b/vault/external_plugin_test.go
index ca13d7464a..25f51be4d8 100644
--- a/vault/external_plugin_test.go
+++ b/vault/external_plugin_test.go
@@ -75,9 +75,6 @@ func TestCore_EnableExternalPlugin(t *testing.T) {
 				},
 			})
 
-			cluster.Start()
-			defer cluster.Cleanup()
-
 			c := cluster.Cores[0].Core
 			TestWaitActive(t, c)
 
diff --git a/vault/external_tests/activity_testonly/activity_testonly_oss_test.go b/vault/external_tests/activity_testonly/activity_testonly_oss_test.go
index 70018c3122..3e51c03317 100644
--- a/vault/external_tests/activity_testonly/activity_testonly_oss_test.go
+++ b/vault/external_tests/activity_testonly/activity_testonly_oss_test.go
@@ -79,8 +79,6 @@ func Test_ActivityLog_LoseLeadership(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		NumCores:    2,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	active := testhelpers.DeriveStableActiveCore(t, cluster)
 	client := active.Client
diff --git a/vault/external_tests/api/api_integration_test.go b/vault/external_tests/api/api_integration_test.go
index c1f6c54681..94f604cc86 100644
--- a/vault/external_tests/api/api_integration_test.go
+++ b/vault/external_tests/api/api_integration_test.go
@@ -59,7 +59,6 @@ func testVaultServerCoreConfig(t testing.TB, coreConfig *vault.CoreConfig) (*api
 		HandlerFunc: http.Handler,
 		NumCores:    1,
 	})
-	cluster.Start()
 
 	// Make it easy to get access to the active
 	core := cluster.Cores[0].Core
@@ -76,5 +75,5 @@ func testVaultServerCoreConfig(t testing.TB, coreConfig *vault.CoreConfig) (*api
 		unsealKeys[i] = base64.StdEncoding.EncodeToString(cluster.BarrierKeys[i])
 	}
 
-	return client, unsealKeys, func() { defer cluster.Cleanup() }
+	return client, unsealKeys, func() {}
 }
diff --git a/vault/external_tests/api/feature_flag_ext_test.go b/vault/external_tests/api/feature_flag_ext_test.go
index 3c7f0216ba..765ac17c70 100644
--- a/vault/external_tests/api/feature_flag_ext_test.go
+++ b/vault/external_tests/api/feature_flag_ext_test.go
@@ -22,12 +22,6 @@ func TestFeatureFlags(t *testing.T) {
 		HandlerFunc:             vaulthttp.Handler,
 		RequestResponseCallback: schema.ResponseValidatingCallback(t),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	// Wait for core to start
-	core := cluster.Cores[0].Core
-	vault.TestWaitActive(t, core)
 	client := cluster.Cores[0].Client
 
 	// Create a raw http connection copying the configuration
diff --git a/vault/external_tests/api/kv_helpers_test.go b/vault/external_tests/api/kv_helpers_test.go
index f0f1714291..7388450865 100644
--- a/vault/external_tests/api/kv_helpers_test.go
+++ b/vault/external_tests/api/kv_helpers_test.go
@@ -63,9 +63,6 @@ func TestKVHelpers(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 	core := cores[0].Core
 	client := cluster.Cores[0].Client
diff --git a/vault/external_tests/api/passthrough_headers_test.go b/vault/external_tests/api/passthrough_headers_test.go
new file mode 100644
index 0000000000..ebe32f44b3
--- /dev/null
+++ b/vault/external_tests/api/passthrough_headers_test.go
@@ -0,0 +1,113 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package api
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/require"
+)
+
+// TestPassthroughHeaders_Authorization tests that vault tokens are removed from the Authorization
+// header before it is passed through to the backend
+func TestPassthroughHeaders_Authorization(t *testing.T) {
+	secretNoop := &vault.NoopBackend{
+		Response: &logical.Response{Data: map[string]interface{}{}},
+	}
+	authNoop := &vault.NoopBackend{
+		Login:       []string{"login"},
+		Response:    &logical.Response{},
+		BackendType: logical.TypeCredential,
+	}
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"noop": func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+				return secretNoop, nil
+			},
+		},
+		CredentialBackends: map[string]logical.Factory{
+			"noop": func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+				return authNoop, nil
+			},
+		},
+	}
+	cluster := minimal.NewTestSoloCluster(t, coreConfig)
+	client := cluster.Cores[0].Client
+
+	// Enable logical backend with Authorization passthrough.
+	err := client.Sys().Mount("foo", &api.MountInput{
+		Type: "noop",
+		Config: api.MountConfigInput{
+			PassthroughRequestHeaders: []string{"Authorization"},
+		},
+	})
+	require.NoError(t, err)
+
+	// Enable credential backend with Authorization passthrough.
+	err = client.Sys().EnableAuthWithOptions("bar", &api.EnableAuthOptions{
+		Type: "noop",
+		Config: api.AuthConfigInput{
+			PassthroughRequestHeaders: []string{"Authorization"},
+		},
+	})
+	require.NoError(t, err)
+
+	token := cluster.RootToken
+	httpClient := client.CloneConfig().HttpClient
+	address := client.Address()
+	u, err := url.Parse(address)
+	require.NoError(t, err)
+	doRequest := func(path string, operation logical.Operation, authHeaderValue []string) error {
+		httpOp := "PUT"
+		if operation == logical.ReadOperation {
+			httpOp = "GET"
+		}
+		u.Path = "/v1/" + path
+		req := &http.Request{
+			Method: httpOp,
+			URL:    u,
+			Header: map[string][]string{
+				"Authorization": authHeaderValue,
+			},
+		}
+
+		resp, err := httpClient.Do(req)
+		if resp != nil && resp.Body != nil {
+			resp.Body.Close()
+		}
+		return err
+	}
+	t.Run("authenticated request strips bearer from authz header", func(t *testing.T) {
+		err := doRequest("foo/test", logical.ReadOperation, []string{"Bearer " + token, "Basic dXNlcjpwYXNz"})
+		require.NoError(t, err)
+		require.NotEmpty(t, secretNoop.Requests)
+		headers := secretNoop.Requests[len(secretNoop.Requests)-1].Headers
+		require.Equal(t, []string{"Basic dXNlcjpwYXNz"}, headers["Authorization"])
+	})
+
+	t.Run("login request with valid token strips bearer", func(t *testing.T) {
+		err = doRequest("auth/bar/login", logical.UpdateOperation, []string{"Bearer " + token, "Basic dXNlcjpwYXNz"})
+		require.NoError(t, err)
+		require.NotEmpty(t, authNoop.Requests)
+
+		headers := authNoop.Requests[len(authNoop.Requests)-1].Headers
+		require.Equal(t, []string{"Basic dXNlcjpwYXNz"}, headers["Authorization"])
+	})
+
+	t.Run("login request with non-vault bearer keeps header", func(t *testing.T) {
+		err = doRequest("auth/bar/login", logical.UpdateOperation, []string{"Bearer not-a-valid-vault-token", "Basic dXNlcjpwYXNz"})
+		require.NoError(t, err)
+		require.NotEmpty(t, authNoop.Requests)
+
+		headers := authNoop.Requests[len(authNoop.Requests)-1].Headers
+		require.Equal(t, []string{"Bearer not-a-valid-vault-token", "Basic dXNlcjpwYXNz"}, headers["Authorization"])
+	})
+}
diff --git a/vault/external_tests/api/sys_billing_test.go b/vault/external_tests/api/sys_billing_test.go
index 11078b8db8..bf9d8ed6c5 100644
--- a/vault/external_tests/api/sys_billing_test.go
+++ b/vault/external_tests/api/sys_billing_test.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"encoding/json"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/vault/api"
 	logicalAws "github.com/hashicorp/vault/builtin/logical/aws"
@@ -16,6 +17,7 @@ import (
 	"github.com/hashicorp/vault/helper/testhelpers/minimal"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/billing"
 	"github.com/stretchr/testify/require"
 )
 
@@ -81,7 +83,7 @@ func Test_BillingOverview(t *testing.T) {
 
 	// Validate response structure
 	require.NotNil(t, resp.Months)
-	require.Len(t, resp.Months, 2, "should have current and previous month")
+	require.Len(t, resp.Months, billing.DefaultBillingRetentionMonths, "should have billing.DefaultBillingRetentionMonths months")
 
 	// Check current month data
 	currentMonth := resp.Months[0]
@@ -130,7 +132,7 @@ func Test_BillingOverview_WithoutUpdateCounts(t *testing.T) {
 
 	// Validate basic response structure
 	require.NotNil(t, resp.Months)
-	require.Len(t, resp.Months, 2, "should have current and previous month")
+	require.Len(t, resp.Months, billing.DefaultBillingRetentionMonths, "should have billing.DefaultBillingRetentionMonths months")
 
 	// Check that months are properly formatted
 	for _, month := range resp.Months {
@@ -153,7 +155,7 @@ func Test_BillingOverview_EmptyCluster(t *testing.T) {
 	require.NotNil(t, resp)
 
 	require.NotNil(t, resp.Months)
-	require.Len(t, resp.Months, 2)
+	require.Len(t, resp.Months, billing.DefaultBillingRetentionMonths)
 
 	currentMonth := resp.Months[0]
 	require.NotEmpty(t, currentMonth.Month)
@@ -172,6 +174,9 @@ func Test_BillingOverview_EmptyCluster(t *testing.T) {
 		"data_protection_calls": false,
 		"pki_units":             false,
 		"managed_keys":          false,
+		"ssh_units":             false,
+		"id_token_units":        false,
+		"external_ca_pki_units": false,
 	}
 
 	for _, metric := range currentMonth.UsageMetrics {
@@ -204,6 +209,123 @@ func Test_BillingOverview_MonthFormat(t *testing.T) {
 		require.Regexp(t, `^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}`, month.UpdatedAt, "updated_at should be in ISO 8601 format")
 	}
 
-	// Verify months are in descending order (current, then previous)
+	// Verify months are in descending order (current, then previous months)
 	require.Greater(t, resp.Months[0].Month, resp.Months[1].Month, "first month should be more recent than second")
+	// Verify we have billing.DefaultBillingRetentionMonths months
+	require.Len(t, resp.Months, billing.DefaultBillingRetentionMonths)
+
+	// Verify the oldest month is exactly (billing.DefaultBillingRetentionMonths - 1) months before the current month
+	currentMonthTime, err := time.Parse("2006-01", resp.Months[0].Month)
+	require.NoError(t, err, "should parse current month")
+	oldestMonthTime, err := time.Parse("2006-01", resp.Months[billing.DefaultBillingRetentionMonths-1].Month)
+	require.NoError(t, err, "should parse oldest month")
+
+	expectedOldestMonth := currentMonthTime.AddDate(0, -(billing.DefaultBillingRetentionMonths - 1), 0)
+	require.Equal(t, expectedOldestMonth.Format("2006-01"), oldestMonthTime.Format("2006-01"),
+		"oldest month should be exactly %d months before current month", billing.DefaultBillingRetentionMonths-1)
+}
+
+// Test_BillingConfig tests the GetBillingConfig and SetBillingConfig API methods
+func Test_BillingConfig(t *testing.T) {
+	t.Parallel()
+
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	// Test GetBillingConfig - should return default value
+	config, err := client.Sys().GetBillingConfig()
+	require.NoError(t, err)
+	require.NotNil(t, config)
+	require.Equal(t, billing.DefaultBillingRetentionMonths, config.RetentionMonths)
+
+	// Test SetBillingConfig with valid value
+	err = client.Sys().SetBillingConfig(24)
+	require.NoError(t, err)
+
+	// Verify the value was updated
+	config, err = client.Sys().GetBillingConfig()
+	require.NoError(t, err)
+	require.Equal(t, 24, config.RetentionMonths)
+
+	// Test SetBillingConfig with minimum value
+	err = client.Sys().SetBillingConfig(billing.MinBillingRetentionMonths)
+	require.NoError(t, err)
+
+	config, err = client.Sys().GetBillingConfig()
+	require.NoError(t, err)
+	require.Equal(t, billing.MinBillingRetentionMonths, config.RetentionMonths)
+
+	// Test SetBillingConfig with maximum value
+	err = client.Sys().SetBillingConfig(billing.MaxBillingRetentionMonths)
+	require.NoError(t, err)
+
+	config, err = client.Sys().GetBillingConfig()
+	require.NoError(t, err)
+	require.Equal(t, billing.MaxBillingRetentionMonths, config.RetentionMonths)
+}
+
+// Test_BillingConfig_InvalidValues tests that invalid retention values are rejected
+func Test_BillingConfig_InvalidValues(t *testing.T) {
+	t.Parallel()
+
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	// Test below minimum
+	err := client.Sys().SetBillingConfig(billing.MinBillingRetentionMonths - 1)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must be between")
+
+	// Test above maximum
+	err = client.Sys().SetBillingConfig(billing.MaxBillingRetentionMonths + 1)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must be between")
+
+	// Test zero
+	err = client.Sys().SetBillingConfig(0)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must be between")
+
+	// Test negative
+	err = client.Sys().SetBillingConfig(-1)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must be between")
+}
+
+// Test_BillingConfig_AffectsOverview tests that config changes affect billing overview
+func Test_BillingConfig_AffectsOverview(t *testing.T) {
+	t.Parallel()
+
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	// Set retention to minimum
+	err := client.Sys().SetBillingConfig(billing.MinBillingRetentionMonths)
+	require.NoError(t, err)
+
+	// Get billing overview
+	resp, err := client.Sys().BillingOverview(false)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Len(t, resp.Months, billing.MinBillingRetentionMonths)
+
+	// Set retention to maximum
+	err = client.Sys().SetBillingConfig(billing.MaxBillingRetentionMonths)
+	require.NoError(t, err)
+
+	// Get billing overview again
+	resp, err = client.Sys().BillingOverview(false)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Len(t, resp.Months, billing.MaxBillingRetentionMonths)
+
+	// Set back to default
+	err = client.Sys().SetBillingConfig(billing.DefaultBillingRetentionMonths)
+	require.NoError(t, err)
+
+	// Verify default is restored
+	resp, err = client.Sys().BillingOverview(false)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Len(t, resp.Months, billing.DefaultBillingRetentionMonths)
 }
diff --git a/vault/external_tests/api/sys_rekey_ext_test.go b/vault/external_tests/api/sys_rekey_ext_test.go
index 0a584ed247..de323151c8 100644
--- a/vault/external_tests/api/sys_rekey_ext_test.go
+++ b/vault/external_tests/api/sys_rekey_ext_test.go
@@ -40,6 +40,7 @@ func TestSysRekey_Verification(t *testing.T) {
 func testSysRekey_Verification(t *testing.T, recovery bool, legacyShamir bool) {
 	opts := &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
+		NumCores:    1,
 	}
 	switch {
 	case recovery:
@@ -66,10 +67,7 @@ func testSysRekey_Verification(t *testing.T, recovery bool, legacyShamir bool) {
 		Physical: inm,
 	}
 	cluster := vault.NewTestCluster(t, &conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
 
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	client := cluster.Cores[0].Client
 	client.SetMaxRetries(0)
 
@@ -220,7 +218,6 @@ func testSysRekey_Verification(t *testing.T, recovery bool, legacyShamir bool) {
 		// still be the old keys (which are still currently set)
 		cluster.EnsureCoresSealed(t)
 		cluster.UnsealCores(t)
-		vault.TestWaitActive(t, cluster.Cores[0].Core)
 
 		// Should be able to init again and get back to where we were
 		doRekeyInitialSteps()
@@ -256,8 +253,6 @@ func testSysRekey_Verification(t *testing.T, recovery bool, legacyShamir bool) {
 		opts.SealFunc = nil // post rekey we should use the barrier config on disk
 		cluster = vault.NewTestCluster(t, &conf, opts)
 		cluster.BarrierKeys = oldKeys
-		cluster.Start()
-		defer cluster.Cleanup()
 
 		if err := cluster.UnsealCoresWithError(t, false); err == nil {
 			t.Fatal("expected error")
diff --git a/vault/external_tests/audit/audit_test.go b/vault/external_tests/audit/audit_test.go
index f06aa6a4b4..4f825f6a16 100644
--- a/vault/external_tests/audit/audit_test.go
+++ b/vault/external_tests/audit/audit_test.go
@@ -17,6 +17,7 @@ import (
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/api/auth/userpass"
 	"github.com/hashicorp/vault/helper/testhelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
 	"github.com/hashicorp/vault/helper/testhelpers/minimal"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -356,7 +357,6 @@ func TestAudit_BeforePostUnseal(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 		NumCores:    1,
 	})
-	defer cluster.Cleanup()
 
 	testhelpers.WaitForActiveNode(t, cluster)
 	err := cluster.Cores[0].Client.Sys().Mount("test", &api.MountInput{
@@ -369,3 +369,45 @@ func TestAudit_BeforePostUnseal(t *testing.T) {
 	testhelpers.WaitForActiveNode(t, cluster)
 	require.False(t, didPanic.Load())
 }
+
+// TestAudit_PluginDirectorySecurityCheck_WithPathOrFilePath validates that
+// the audit security check runs when either 'path' or 'file_path' is used.
+func TestAudit_PluginDirectorySecurityCheck_WithPathOrFilePath(t *testing.T) {
+	pluginDir := corehelpers.MakeTestPluginDir(t)
+	cluster := minimal.NewTestSoloCluster(t, &vault.CoreConfig{
+		PluginDirectory: pluginDir,
+	})
+	client := cluster.Cores[0].Client
+
+	auditPluginFilePath := pluginDir + "/audit.log"
+
+	// Try to enable audit device using 'path'
+	devicePath := "file"
+	deviceData := map[string]any{
+		"type":        "file",
+		"description": "Test audit device with path in plugin directory",
+		"local":       false,
+		"options": map[string]any{
+			"path": auditPluginFilePath,
+		},
+	}
+
+	// This should fail because path points to plugin directory
+	_, err := client.Logical().Write("sys/audit/"+devicePath, deviceData)
+	require.ErrorContains(t, err, "audit file target may not be in the plugin directory")
+
+	// Try to enable audit device using 'file_path'
+	devicePathFilePath := "file_path"
+	deviceDataFilePath := map[string]any{
+		"type":        "file",
+		"description": "Test audit device with file_path in plugin directory",
+		"local":       false,
+		"options": map[string]any{
+			"file_path": auditPluginFilePath,
+		},
+	}
+
+	// This should fail because file_path points to plugin directory
+	_, err = client.Logical().Write("sys/audit/"+devicePathFilePath, deviceDataFilePath)
+	require.ErrorContains(t, err, "audit file target may not be in the plugin directory")
+}
diff --git a/vault/external_tests/billing/billing_test.go b/vault/external_tests/billing/billing_test.go
new file mode 100644
index 0000000000..2937d7658a
--- /dev/null
+++ b/vault/external_tests/billing/billing_test.go
@@ -0,0 +1,304 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+package billing
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/helper/namespace"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/billing"
+	"github.com/stretchr/testify/require"
+)
+
+// TestGcpKmsDataProtectionCallCounts tests that we correctly store and track
+// the GCP KMS data protection call counts by simulating billing operations.
+func TestGcpKmsDataProtectionCallCounts(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		BillingConfig: billing.BillingConfig{
+			MetricsUpdateCadence: 3 * time.Second,
+		},
+	}
+	core, _, _, _ := vault.TestCoreUnsealedWithMetricsAndConfig(t, coreConfig)
+
+	currentMonth := time.Now()
+	ctx := namespace.RootContext(context.Background())
+
+	// Get the consumption billing manager
+	cbm := core.GetConsumptionBillingManager()
+	require.NotNil(t, cbm)
+
+	// Simulate GCP KMS operations by directly calling the billing manager
+	// This tests the Vault-side tracking without needing the actual plugin
+
+	// Simulate encrypt operation
+	err := cbm.WriteBillingData(ctx, "gcpkms", map[string]interface{}{"count": uint64(1)})
+	require.NoError(t, err)
+	require.Equal(t, uint64(1), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Wait for storage update
+	require.Eventually(t, func() bool {
+		counts, err := core.GetStoredGcpKmsCallCounts(context.Background(), currentMonth)
+		return err == nil && counts == 1
+	}, 5*time.Second, 100*time.Millisecond)
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Simulate decrypt operation
+	err = cbm.WriteBillingData(ctx, "gcpkms", map[string]interface{}{"count": uint64(1)})
+	require.NoError(t, err)
+	require.Equal(t, uint64(1), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Wait for storage update
+	require.Eventually(t, func() bool {
+		counts, err := core.GetStoredGcpKmsCallCounts(context.Background(), currentMonth)
+		return err == nil && counts == 2
+	}, 5*time.Second, 100*time.Millisecond)
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Simulate reencrypt operation
+	err = cbm.WriteBillingData(ctx, "gcpkms", map[string]interface{}{"count": uint64(1)})
+	require.NoError(t, err)
+	require.Equal(t, uint64(1), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Wait for storage update
+	require.Eventually(t, func() bool {
+		counts, err := core.GetStoredGcpKmsCallCounts(context.Background(), currentMonth)
+		return err == nil && counts == 3
+	}, 5*time.Second, 100*time.Millisecond)
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Simulate sign operation
+	err = cbm.WriteBillingData(ctx, "gcpkms", map[string]interface{}{"count": uint64(1)})
+	require.NoError(t, err)
+	require.Equal(t, uint64(1), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Wait for storage update
+	require.Eventually(t, func() bool {
+		counts, err := core.GetStoredGcpKmsCallCounts(context.Background(), currentMonth)
+		return err == nil && counts == 4
+	}, 5*time.Second, 100*time.Millisecond)
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Simulate verify operation
+	err = cbm.WriteBillingData(ctx, "gcpkms", map[string]interface{}{"count": uint64(1)})
+	require.NoError(t, err)
+	require.Equal(t, uint64(1), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Wait for storage update
+	require.Eventually(t, func() bool {
+		counts, err := core.GetStoredGcpKmsCallCounts(context.Background(), currentMonth)
+		return err == nil && counts == 5
+	}, 5*time.Second, 100*time.Millisecond)
+	require.Equal(t, uint64(0), core.GetInMemoryGcpKmsDataProtectionCallCounts())
+
+	// Run update again and make sure the value in storage is still 5
+	counts, err := core.UpdateGcpKmsCallCounts(context.Background(), currentMonth)
+	require.NoError(t, err)
+	require.Equal(t, uint64(5), counts)
+
+	// Verify the value in storage is still 5
+	counts, err = core.GetStoredGcpKmsCallCounts(context.Background(), currentMonth)
+	require.NoError(t, err)
+	require.Equal(t, uint64(5), counts)
+}
+
+// TestOidcTokenBillingBothMethods tests OIDC token billing for both token creation methods:
+// 1. Simple role-based tokens via identity/oidc/token/{role}
+// 2. Provider-based tokens via the full authorization code flow (pathOIDCToken)
+// This test runs on a single primary cluster and verifies that both methods correctly
+// track duration-adjusted billing counts.
+func TestOidcTokenBillingBothMethods(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": userpass.Factory,
+		},
+		BillingConfig: billing.BillingConfig{
+			MetricsUpdateCadence: 5 * time.Second,
+		},
+	}
+	clusterOpts := &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+		DefaultHandlerProperties: vault.HandlerProperties{
+			ListenerConfig: &configutil.Listener{},
+		},
+		NumCores: 1,
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, clusterOpts)
+	defer cluster.Cleanup()
+
+	core := cluster.Cores[0].Core
+	vault.TestWaitActive(t, core)
+	client := cluster.Cores[0].Client
+	ctx := context.Background()
+
+	// Create a policy that allows reading OIDC tokens
+	oidcPolicy := `path "identity/oidc/token/*" { capabilities = ["read"] }`
+	_, err := client.Logical().Write("sys/policy/oidc-reader", map[string]interface{}{
+		"policy": oidcPolicy,
+	})
+	require.NoError(t, err)
+
+	// Enable userpass for entity creation
+	err = client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
+		Type: "userpass",
+	})
+	require.NoError(t, err)
+
+	// Create a userpass user with the OIDC reader policy
+	_, err = client.Logical().Write("auth/userpass/users/testuser", map[string]interface{}{
+		"password": "testpass",
+		"policies": "oidc-reader",
+	})
+	require.NoError(t, err)
+
+	// Login to create entity
+	loginResp, err := client.Logical().Write("auth/userpass/login/testuser", map[string]interface{}{
+		"password": "testpass",
+	})
+	require.NoError(t, err)
+	userToken := loginResp.Auth.ClientToken
+
+	// METHOD 1: Configure simple role-based OIDC tokens (identity/oidc/token/{role})
+	// Create OIDC key
+	_, err = client.Logical().Write("identity/oidc/key/role-key", map[string]interface{}{})
+	require.NoError(t, err)
+
+	// Create OIDC role with 1-hour TTL
+	_, err = client.Logical().Write("identity/oidc/role/test-role", map[string]interface{}{
+		"key": "role-key",
+		"ttl": "1h",
+	})
+	require.NoError(t, err)
+
+	// Get the auto-generated client_id for the role
+	secret, err := client.Logical().Read("identity/oidc/role/test-role")
+	require.NoError(t, err)
+	roleClientID := secret.Data["client_id"].(string)
+
+	// Configure the key to allow this role's client_id
+	_, err = client.Logical().Write("identity/oidc/key/role-key", map[string]interface{}{
+		"allowed_client_ids": roleClientID,
+	})
+	require.NoError(t, err)
+
+	// METHOD 2: Configure OIDC provider for authorization code flow (pathOIDCToken)
+	// Create OIDC client with 2-hour ID token TTL and 1-hour access token TTL
+	_, err = client.Logical().Write("identity/oidc/client/provider-client", map[string]interface{}{
+		"redirect_uris":    []string{"https://localhost:8251/callback"},
+		"assignments":      []string{"allow_all"},
+		"id_token_ttl":     "2h",
+		"access_token_ttl": "1h",
+	})
+	require.NoError(t, err)
+
+	// Read the client to get client_id and client_secret
+	clientResp, err := client.Logical().Read("identity/oidc/client/provider-client")
+	require.NoError(t, err)
+	providerClientID := clientResp.Data["client_id"].(string)
+	providerClientSecret := clientResp.Data["client_secret"].(string)
+
+	// Create OIDC provider
+	_, err = client.Logical().Write("identity/oidc/provider/test-provider", map[string]interface{}{
+		"allowed_client_ids": []string{providerClientID},
+	})
+	require.NoError(t, err)
+
+	// Generate tokens using METHOD 1: role-based (identity/oidc/token/{role})
+	// 2 tokens × 1 hour = 2 hours
+	client.SetToken(userToken)
+	for i := 0; i < 2; i++ {
+		_, err := client.Logical().Read("identity/oidc/token/test-role")
+		require.NoError(t, err)
+	}
+
+	// Generate tokens using METHOD 2: provider-based (authorization code flow)
+	// 3 tokens × 2 hours (max of 2h ID token and 1h access token) = 6 hours
+	client.SetToken(client.Token()) // Reset to root token
+	for i := 0; i < 3; i++ {
+		code := getAuthorizationCode(t, ctx, client, "test-provider", providerClientID, userToken)
+		exchangeCodeForToken(t, ctx, client, "test-provider", code, providerClientID, providerClientSecret)
+	}
+
+	currentMonth := time.Now().UTC()
+
+	// Total expected: 2 hours (role-based) + 6 hours (provider-based) = 8 hours
+	expectedDurationAdjustedCount := vault.DurationAdjustedTokenCount(8 * time.Hour.Seconds())
+	delta := 0.0001
+
+	require.Eventually(t, func() bool {
+		count, err := core.GetStoredOidcDurationAdjustedCount(ctx, currentMonth)
+		if err != nil {
+			return false
+		}
+		return count >= (expectedDurationAdjustedCount-delta) && count <= (expectedDurationAdjustedCount+delta)
+	}, 10*time.Second, 500*time.Millisecond, "OIDC count not flushed to storage within timeout")
+
+	// Verify exact value
+	count, err := core.GetStoredOidcDurationAdjustedCount(ctx, currentMonth)
+	require.NoError(t, err)
+	require.InDelta(t, expectedDurationAdjustedCount, count, delta,
+		"Expected 8 hours total: 2 hours from role-based tokens (2×1h) + 6 hours from provider tokens (3×2h)")
+}
+
+// exchangeCodeForToken is a test helper function to exchange authorization code for tokens via the OIDC provider token endpoint
+func exchangeCodeForToken(t *testing.T, ctx context.Context, client *api.Client, providerName, code, clientID, clientSecret string) {
+	// Prepare the token request with basic auth
+	req := client.NewRequest("POST", "/v1/identity/oidc/provider/"+providerName+"/token")
+	req.Headers.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(clientID+":"+clientSecret)))
+	req.BodyBytes = []byte(fmt.Sprintf(`{"code":"%s","grant_type":"authorization_code","redirect_uri":"https://localhost:8251/callback"}`, code))
+	req.Headers.Set("Content-Type", "application/json")
+
+	resp, err := client.RawRequestWithContext(ctx, req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	require.Equal(t, 200, resp.StatusCode)
+}
+
+// getAuthorizationCode is a test helper function to get authorization code from the OIDC provider authorize endpoint
+func getAuthorizationCode(t *testing.T, ctx context.Context, client *api.Client, providerName, clientID, userToken string) string {
+	// Save the original token
+	originalToken := client.Token()
+
+	// Use the user token (from userpass login) to authorize
+	client.SetToken(userToken)
+
+	// Use RawRequestWithContext to make the authorize request
+	req := client.NewRequest("POST", "/v1/identity/oidc/provider/"+providerName+"/authorize")
+	req.BodyBytes, _ = json.Marshal(map[string]interface{}{
+		"client_id":     clientID,
+		"scope":         "openid",
+		"redirect_uri":  "https://localhost:8251/callback",
+		"response_type": "code",
+		"state":         "test-state",
+		"nonce":         "test-nonce",
+	})
+
+	resp, err := client.RawRequestWithContext(ctx, req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	// Restore the original token
+	client.SetToken(originalToken)
+
+	// Parse the JSON response
+	var authResult struct {
+		Code  string `json:"code"`
+		State string `json:"state"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&authResult)
+	require.NoError(t, err)
+	require.NotEmpty(t, authResult.Code)
+
+	return authResult.Code
+}
diff --git a/vault/external_tests/blackbox/auth/auth_engines_test.go b/vault/external_tests/blackbox/auth/auth_engines_test.go
new file mode 100644
index 0000000000..4b506b7e4e
--- /dev/null
+++ b/vault/external_tests/blackbox/auth/auth_engines_test.go
@@ -0,0 +1,118 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package auth
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestAuthEngineCreate tests creation/setup of various auth engines
+func TestAuthEngineCreate(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	t.Run("UserpassAuth", func(t *testing.T) {
+		testUserpassAuthCreate(t, v)
+	})
+
+	t.Run("LDAPAuth", func(t *testing.T) {
+		t.Skip("LDAP auth engine create test - implementation pending")
+	})
+
+	t.Run("OIDCAuth", func(t *testing.T) {
+		t.Skip("OIDC auth engine create test - implementation pending")
+	})
+
+	t.Run("AWSAuth", func(t *testing.T) {
+		t.Skip("AWS auth engine create test - implementation pending")
+	})
+
+	t.Run("KubernetesAuth", func(t *testing.T) {
+		t.Skip("Kubernetes auth engine create test - implementation pending")
+	})
+
+	t.Run("AppRoleAuth", func(t *testing.T) {
+		t.Skip("AppRole auth engine create test - implementation pending")
+	})
+
+	t.Run("CertAuth", func(t *testing.T) {
+		t.Skip("Cert auth engine create test - implementation pending")
+	})
+}
+
+// TestAuthEngineRead tests read operations for various auth engines
+func TestAuthEngineRead(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	t.Run("UserpassAuth", func(t *testing.T) {
+		testUserpassAuthRead(t, v)
+	})
+
+	t.Run("LDAPAuth", func(t *testing.T) {
+		t.Skip("LDAP auth engine read test - implementation pending")
+	})
+
+	t.Run("OIDCAuth", func(t *testing.T) {
+		t.Skip("OIDC auth engine read test - implementation pending")
+	})
+
+	t.Run("AWSAuth", func(t *testing.T) {
+		t.Skip("AWS auth engine read test - implementation pending")
+	})
+
+	t.Run("KubernetesAuth", func(t *testing.T) {
+		t.Skip("Kubernetes auth engine read test - implementation pending")
+	})
+
+	t.Run("AppRoleAuth", func(t *testing.T) {
+		t.Skip("AppRole auth engine read test - implementation pending")
+	})
+
+	t.Run("CertAuth", func(t *testing.T) {
+		t.Skip("Cert auth engine read test - implementation pending")
+	})
+}
+
+// TestAuthEngineDelete tests delete operations for various auth engines
+func TestAuthEngineDelete(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	t.Run("UserpassAuth", func(t *testing.T) {
+		testUserpassAuthDelete(t, v)
+	})
+
+	t.Run("LDAPAuth", func(t *testing.T) {
+		t.Skip("LDAP auth engine delete test - implementation pending")
+	})
+
+	t.Run("OIDCAuth", func(t *testing.T) {
+		t.Skip("OIDC auth engine delete test - implementation pending")
+	})
+
+	t.Run("AWSAuth", func(t *testing.T) {
+		t.Skip("AWS auth engine delete test - implementation pending")
+	})
+
+	t.Run("KubernetesAuth", func(t *testing.T) {
+		t.Skip("Kubernetes auth engine delete test - implementation pending")
+	})
+
+	t.Run("AppRoleAuth", func(t *testing.T) {
+		t.Skip("AppRole auth engine delete test - implementation pending")
+	})
+
+	t.Run("CertAuth", func(t *testing.T) {
+		t.Skip("Cert auth engine delete test - implementation pending")
+	})
+}
diff --git a/vault/external_tests/blackbox/auth/auth_userpass_test.go b/vault/external_tests/blackbox/auth/auth_userpass_test.go
new file mode 100644
index 0000000000..9985f85a92
--- /dev/null
+++ b/vault/external_tests/blackbox/auth/auth_userpass_test.go
@@ -0,0 +1,106 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package auth
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	helpers "github.com/hashicorp/vault/vault/external_tests/blackbox"
+)
+
+// testUserpassAuthCreate tests userpass auth engine creation
+func testUserpassAuthCreate(t *testing.T, v *blackbox.Session) {
+	// Create a policy for our test user
+	userPolicy := `
+		path "*" {
+			capabilities = ["read", "list"]
+		}
+	`
+
+	// Use common utility to setup userpass auth
+	userClient := helpers.SetupUserpassAuth(v, "testuser", "passtestuser1", "reguser", userPolicy)
+
+	// Verify the auth method was enabled by reading auth mounts
+	authMounts := v.MustRead("sys/auth")
+	if authMounts.Data == nil {
+		t.Fatal("Could not read auth mounts")
+	}
+
+	// Verify userpass auth method is enabled
+	if userpassAuth, ok := authMounts.Data["userpass/"]; !ok {
+		t.Fatal("userpass auth method not found in sys/auth")
+	} else {
+		userpassMap := userpassAuth.(map[string]any)
+		if userpassMap["type"] != "userpass" {
+			t.Fatalf("Expected userpass auth method type to be 'userpass', got: %v", userpassMap["type"])
+		}
+	}
+
+	// Test that the user session was created successfully
+	if userClient != nil {
+		// Login successful, verify we can read basic info
+		tokenInfo := userClient.MustRead("auth/token/lookup-self")
+		if tokenInfo.Data == nil {
+			t.Fatal("Expected user to be able to read own token info after login")
+		}
+		t.Log("Userpass login test successful")
+	} else {
+		t.Log("Userpass login not available (likely managed environment)")
+	}
+
+	t.Log("Successfully created userpass auth with user: testuser")
+}
+
+// testUserpassAuthRead tests userpass auth engine read operations
+func testUserpassAuthRead(t *testing.T, v *blackbox.Session) {
+	// Use common utility to setup userpass auth with default policy
+	userClient := helpers.SetupUserpassAuth(v, "readuser", "readpass123", "default", "")
+
+	// Read the user configuration
+	userConfig := v.MustRead("auth/userpass/users/readuser")
+	if userConfig.Data == nil {
+		t.Fatal("Expected to read user configuration")
+	}
+
+	// Test that the user session was created successfully
+	if userClient != nil {
+		// Login successful, verify we can read basic info
+		tokenInfo := userClient.MustRead("auth/token/lookup-self")
+		if tokenInfo.Data == nil {
+			t.Fatal("Expected user to be able to read own token info after login")
+		}
+		t.Log("Userpass login test successful")
+	} else {
+		t.Log("Userpass login not available (likely managed environment)")
+	}
+
+	t.Log("Successfully read userpass auth config for user: readuser")
+}
+
+// testUserpassAuthDelete tests userpass auth engine delete operations
+func testUserpassAuthDelete(t *testing.T, v *blackbox.Session) {
+	// Enable userpass auth method with unique mount for delete test
+	v.MustEnableAuth("userpass-delete", &api.EnableAuthOptions{Type: "userpass"})
+
+	// Create a user to delete
+	userName := "deleteuser"
+	userPassword := "deletepass123"
+	v.MustWrite("auth/userpass-delete/users/"+userName, map[string]any{
+		"password": userPassword,
+		"policies": "default",
+	})
+
+	// Verify the user exists
+	userConfig := v.MustRead("auth/userpass-delete/users/" + userName)
+	if userConfig.Data == nil {
+		t.Fatal("Expected user to exist before deletion")
+	}
+
+	// Delete the user
+	v.MustWrite("auth/userpass-delete/users/"+userName, nil)
+
+	t.Logf("Successfully deleted userpass auth user: %s", userName)
+}
diff --git a/vault/external_tests/blackbox/auth_engines_test.go b/vault/external_tests/blackbox/auth_engines_test.go
deleted file mode 100644
index 7cc91b5b8a..0000000000
--- a/vault/external_tests/blackbox/auth_engines_test.go
+++ /dev/null
@@ -1,218 +0,0 @@
-// Copyright IBM Corp. 2025, 2026
-// SPDX-License-Identifier: BUSL-1.1
-
-package blackbox
-
-import (
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
-)
-
-// TestAuthEngineCreate tests creation/setup of various auth engines
-func TestAuthEngineCreate(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy cluster first
-	v.AssertClusterHealthy()
-
-	// Test userpass auth engine
-	t.Run("UserpassAuth", func(t *testing.T) {
-		testUserpassAuthCreate(t, v)
-	})
-
-	// Stub out remaining auth engine creation tests
-	t.Run("LDAPAuth", func(t *testing.T) {
-		t.Skip("LDAP auth engine create test - implementation pending")
-	})
-
-	t.Run("OIDCAuth", func(t *testing.T) {
-		t.Skip("OIDC auth engine create test - implementation pending")
-	})
-
-	t.Run("AWSAuth", func(t *testing.T) {
-		t.Skip("AWS auth engine create test - implementation pending")
-	})
-
-	t.Run("KubernetesAuth", func(t *testing.T) {
-		t.Skip("Kubernetes auth engine create test - implementation pending")
-	})
-
-	t.Run("AppRoleAuth", func(t *testing.T) {
-		t.Skip("AppRole auth engine create test - implementation pending")
-	})
-
-	t.Run("CertAuth", func(t *testing.T) {
-		t.Skip("Cert auth engine create test - implementation pending")
-	})
-}
-
-// TestAuthEngineRead tests read operations for various auth engines
-func TestAuthEngineRead(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy cluster first
-	v.AssertClusterHealthy()
-
-	// Test userpass auth engine read operations
-	t.Run("UserpassAuth", func(t *testing.T) {
-		testUserpassAuthRead(t, v)
-	})
-
-	// Stub out remaining auth engine read tests
-	t.Run("LDAPAuth", func(t *testing.T) {
-		t.Skip("LDAP auth engine read test - implementation pending")
-	})
-
-	t.Run("OIDCAuth", func(t *testing.T) {
-		t.Skip("OIDC auth engine read test - implementation pending")
-	})
-
-	t.Run("AWSAuth", func(t *testing.T) {
-		t.Skip("AWS auth engine read test - implementation pending")
-	})
-
-	t.Run("KubernetesAuth", func(t *testing.T) {
-		t.Skip("Kubernetes auth engine read test - implementation pending")
-	})
-
-	t.Run("AppRoleAuth", func(t *testing.T) {
-		t.Skip("AppRole auth engine read test - implementation pending")
-	})
-
-	t.Run("CertAuth", func(t *testing.T) {
-		t.Skip("Cert auth engine read test - implementation pending")
-	})
-}
-
-// TestAuthEngineDelete tests delete operations for various auth engines
-func TestAuthEngineDelete(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy cluster first
-	v.AssertClusterHealthy()
-
-	// Test userpass auth engine delete operations
-	t.Run("UserpassAuth", func(t *testing.T) {
-		testUserpassAuthDelete(t, v)
-	})
-
-	// Stub out remaining auth engine delete tests
-	t.Run("LDAPAuth", func(t *testing.T) {
-		t.Skip("LDAP auth engine delete test - implementation pending")
-	})
-
-	t.Run("OIDCAuth", func(t *testing.T) {
-		t.Skip("OIDC auth engine delete test - implementation pending")
-	})
-
-	t.Run("AWSAuth", func(t *testing.T) {
-		t.Skip("AWS auth engine delete test - implementation pending")
-	})
-
-	t.Run("KubernetesAuth", func(t *testing.T) {
-		t.Skip("Kubernetes auth engine delete test - implementation pending")
-	})
-
-	t.Run("AppRoleAuth", func(t *testing.T) {
-		t.Skip("AppRole auth engine delete test - implementation pending")
-	})
-
-	t.Run("CertAuth", func(t *testing.T) {
-		t.Skip("Cert auth engine delete test - implementation pending")
-	})
-}
-
-// Userpass Auth Engine Test Implementation Functions
-
-func testUserpassAuthCreate(t *testing.T, v *blackbox.Session) {
-	// Create a policy for our test user
-	userPolicy := `
-		path "*" {
-			capabilities = ["read", "list"]
-		}
-	`
-
-	// Use common utility to setup userpass auth
-	userClient := SetupUserpassAuth(v, "testuser", "passtestuser1", "reguser", userPolicy)
-
-	// Verify the auth method was enabled by reading auth mounts
-	authMounts := v.MustRead("sys/auth")
-	if authMounts.Data == nil {
-		t.Fatal("Could not read auth mounts")
-	}
-
-	// Verify userpass auth method is enabled
-	if userpassAuth, ok := authMounts.Data["userpass/"]; !ok {
-		t.Fatal("userpass auth method not found in sys/auth")
-	} else {
-		userpassMap := userpassAuth.(map[string]any)
-		if userpassMap["type"] != "userpass" {
-			t.Fatalf("Expected userpass auth method type to be 'userpass', got: %v", userpassMap["type"])
-		}
-	}
-
-	// Test that the user session was created successfully
-	if userClient != nil {
-		// Login successful, verify we can read basic info
-		tokenInfo := userClient.MustRead("auth/token/lookup-self")
-		if tokenInfo.Data == nil {
-			t.Fatal("Expected user to be able to read own token info after login")
-		}
-		t.Log("Userpass login test successful")
-	} else {
-		t.Log("Userpass login not available (likely managed environment)")
-	}
-
-	t.Log("Successfully created userpass auth with user: testuser")
-}
-
-func testUserpassAuthRead(t *testing.T, v *blackbox.Session) {
-	// Use common utility to setup userpass auth with default policy
-	userClient := SetupUserpassAuth(v, "readuser", "readpass123", "default", "")
-
-	// Read the user configuration
-	userConfig := v.MustRead("auth/userpass/users/readuser")
-	if userConfig.Data == nil {
-		t.Fatal("Expected to read user configuration")
-	}
-
-	// Test that the user session was created successfully
-	if userClient != nil {
-		// Login successful, verify we can read basic info
-		tokenInfo := userClient.MustRead("auth/token/lookup-self")
-		if tokenInfo.Data == nil {
-			t.Fatal("Expected user to be able to read own token info after login")
-		}
-		t.Log("Userpass login test successful")
-	} else {
-		t.Log("Userpass login not available (likely managed environment)")
-	}
-
-	t.Log("Successfully read userpass auth config for user: readuser")
-}
-
-func testUserpassAuthDelete(t *testing.T, v *blackbox.Session) {
-	// Enable userpass auth method with unique mount for delete test
-	v.MustEnableAuth("userpass-delete", &api.EnableAuthOptions{Type: "userpass"})
-
-	// Create a user to delete
-	userName := "deleteuser"
-	userPassword := "deletepass123"
-	v.MustWrite("auth/userpass-delete/users/"+userName, map[string]any{
-		"password": userPassword,
-		"policies": "default",
-	})
-
-	// Verify the user exists
-	userConfig := v.MustRead("auth/userpass-delete/users/" + userName)
-	if userConfig.Data == nil {
-		t.Fatal("Expected user to exist before deletion")
-	}
-
-	// Delete the user
-	v.MustWrite("auth/userpass-delete/users/"+userName, nil)
-
-	t.Logf("Successfully deleted userpass auth user: %s", userName)
-}
diff --git a/vault/external_tests/blackbox/core/license_test.go b/vault/external_tests/blackbox/core/license_test.go
new file mode 100644
index 0000000000..e1472caabd
--- /dev/null
+++ b/vault/external_tests/blackbox/core/license_test.go
@@ -0,0 +1,25 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package core
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestVaultLicenseStatus verifies Vault license status response
+func TestVaultLicenseStatus(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Read the sys/license/status endpoint which should contain license info
+	licenseStatus := v.MustRead("sys/license/status")
+	if licenseStatus.Data["autoloaded"] == nil {
+		t.Fatal("Could not get license details from sys/license/status")
+	}
+	autoloaded := licenseStatus.Data["autoloaded"].(map[string]interface{})
+	if autoloaded["license_id"].(string) == "" {
+		t.Fatal("Could not retrieve license_id from sys/license/status")
+	}
+}
diff --git a/vault/external_tests/blackbox/core/ui_test.go b/vault/external_tests/blackbox/core/ui_test.go
new file mode 100644
index 0000000000..2c4d73ce49
--- /dev/null
+++ b/vault/external_tests/blackbox/core/ui_test.go
@@ -0,0 +1,24 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package core
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestUIAssets verifies that the Vault UI is accessible
+func TestUIAssets(t *testing.T) {
+	v := blackbox.New(t)
+
+	// This is a stub - in a real implementation, you would verify UI assets are accessible
+	// For now, just verify the UI endpoint is available by checking sys/internal/ui/mounts
+	uiMounts := v.MustRead("sys/internal/ui/mounts")
+	if uiMounts == nil || uiMounts.Data == nil {
+		t.Fatal("Could not access UI mounts endpoint")
+	}
+
+	t.Log("Successfully verified UI assets are accessible")
+}
diff --git a/vault/external_tests/blackbox/core/unsealed_test.go b/vault/external_tests/blackbox/core/unsealed_test.go
new file mode 100644
index 0000000000..accea7ecff
--- /dev/null
+++ b/vault/external_tests/blackbox/core/unsealed_test.go
@@ -0,0 +1,21 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package core
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestUnsealedStatus verifies that the Vault cluster is unsealed (not sealed).
+// This test only checks seal status, not general cluster health.
+func TestUnsealedStatus(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify the cluster is unsealed
+	v.AssertUnsealedAny()
+
+	t.Log("Successfully verified Vault cluster is unsealed")
+}
diff --git a/vault/external_tests/blackbox/core/version_test.go b/vault/external_tests/blackbox/core/version_test.go
new file mode 100644
index 0000000000..0d82faa68c
--- /dev/null
+++ b/vault/external_tests/blackbox/core/version_test.go
@@ -0,0 +1,23 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package core
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestVaultVersion verifies Vault version endpoint accessibility and response
+func TestVaultVersion(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Read the sys/seal-status endpoint which should contain version info
+	sealStatus := v.MustRead("sys/seal-status")
+	if sealStatus.Data["version"] == nil {
+		t.Fatal("Could not retrieve version from sys/seal-status")
+	}
+
+	t.Logf("Vault version: %v", sealStatus.Data["version"])
+}
diff --git a/vault/external_tests/blackbox/doc.go b/vault/external_tests/blackbox/doc.go
new file mode 100644
index 0000000000..c348460fcb
--- /dev/null
+++ b/vault/external_tests/blackbox/doc.go
@@ -0,0 +1,6 @@
+// Copyright IBM Corp. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+// Package blackbox includes external integration tests for testing Vault at the
+// API level.
+package blackbox
diff --git a/vault/external_tests/blackbox/integration/smoke_test.go b/vault/external_tests/blackbox/integration/smoke_test.go
new file mode 100644
index 0000000000..27bd8ae51f
--- /dev/null
+++ b/vault/external_tests/blackbox/integration/smoke_test.go
@@ -0,0 +1,53 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package integration
+
+import (
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	"github.com/stretchr/testify/require"
+)
+
+// TestStepdownAndLeaderElection tests raft leadership changes by forcing the
+// current leader to step down and verifying that a new leader is elected
+// successfully, while ensuring the cluster remains healthy throughout the
+// process.
+//
+// NOTE: We do not run this test in parallel to avoid making other tests flaky
+// during leader elections.
+func TestStepdownAndLeaderElection(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Wait for a healthy cluster
+	v.EventuallyClusterHealthyUnsealed(15 * time.Second)
+
+	// Check cluster size to determine expected behavior
+	nodeCount := v.MustGetClusterNodeCount()
+	t.Logf("Cluster has %d nodes", nodeCount)
+
+	// Get current leader before step down
+	initialLeader := v.MustGetCurrentLeader()
+	t.Logf("Initial leader: %s", initialLeader)
+
+	// Force leader to step down
+	v.MustStepDownLeader()
+
+	// Wait for a new leader to be active and the cluster to be healthy
+	v.EventuallyClusterHealthyUnsealed(1 * time.Minute)
+
+	// Get current leader before step down
+	newLeader := v.MustGetCurrentLeader()
+	t.Logf("New leader: %s", initialLeader)
+
+	// For multi-node clusters, verify new leader is different from initial leader
+	// For single-node clusters, just verify it's healthy again
+	if nodeCount > 1 {
+		require.NotEqual(t, initialLeader, newLeader, "Expected new leader to be different from initial leader")
+		t.Logf("Successfully elected new leader: %s (was: %s)", newLeader, initialLeader)
+	} else {
+		t.Logf("Single-node cluster successfully recovered with leader: %s", newLeader)
+	}
+}
diff --git a/vault/external_tests/blackbox/token_test.go b/vault/external_tests/blackbox/integration/token_test.go
similarity index 53%
rename from vault/external_tests/blackbox/token_test.go
rename to vault/external_tests/blackbox/integration/token_test.go
index 199fb73477..0112c30070 100644
--- a/vault/external_tests/blackbox/token_test.go
+++ b/vault/external_tests/blackbox/integration/token_test.go
@@ -1,31 +1,44 @@
 // Copyright IBM Corp. 2025, 2026
 // SPDX-License-Identifier: BUSL-1.1
 
-package blackbox
+package integration
 
 import (
 	"testing"
 
 	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	helpers "github.com/hashicorp/vault/vault/external_tests/blackbox"
 )
 
-// TestToken_OrphanedWithPolicy verifies token creation with policy assignment,
-// validates token authentication, and tests policy enforcement by attempting
-// both allowed and denied operations on KV secrets.
-func TestToken_OrphanedWithPolicy(t *testing.T) {
+// TestAuthTokenIntegration tests token operations requiring elevated permissions
+// These tests are excluded from cloud environments (HCP/Docker) which don't have
+// the necessary permissions to create orphaned tokens.
+func TestAuthTokenIntegration(t *testing.T) {
 	v := blackbox.New(t)
 
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	t.Run("OrphanedWithPolicy", func(t *testing.T) {
+		testTokenOrphanedWithPolicy(t, v)
+	})
+}
+
+// testTokenOrphanedWithPolicy verifies token creation with policy assignment,
+// validates token authentication, and tests policy enforcement by attempting
+// both allowed and denied operations on KV secrets.
+func testTokenOrphanedWithPolicy(t *testing.T, v *blackbox.Session) {
 	// Use common utility to create token with read-only policy
 	policyName := "read-secret-only"
-	v.MustWritePolicy(policyName, ReadOnlyPolicy)
+	v.MustWritePolicy(policyName, helpers.ReadOnlyPolicy)
 
-	token := CreateTestToken(v, []string{policyName}, "15m")
+	token := helpers.CreateTestToken(v, []string{policyName}, "15m")
 	t.Logf("Generated Token: %s...", token[:5])
 
 	v.AssertTokenIsValid(token, policyName)
 
 	// Setup KV engine and seed test data
-	SetupKVEngine(v, "secret")
+	helpers.SetupKVEngine(v, "secret")
 	v.MustWriteKV2("secret", "allowed/test", map[string]any{"val": "allowed"})
 	v.MustWriteKV2("secret", "denied/test", map[string]any{"val": "denied"})
 
diff --git a/vault/external_tests/blackbox/plugins/aws/helpers.go b/vault/external_tests/blackbox/plugins/aws/helpers.go
new file mode 100644
index 0000000000..e9852ed715
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/aws/helpers.go
@@ -0,0 +1,290 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package aws
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+)
+
+var ErrPolicyNotFound = errors.New("policy not found")
+
+// getPolicyArnByName returns the ARN for a policy with the given name.
+func getPolicyArnByName(ctx context.Context, iamClient *iam.Client, policyName string) (string, error) {
+	paginator := iam.NewListPoliciesPaginator(iamClient, &iam.ListPoliciesInput{Scope: "All"})
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return "", err
+		}
+		for _, p := range page.Policies {
+			if aws.ToString(p.PolicyName) == policyName {
+				return aws.ToString(p.Arn), nil
+			}
+		}
+	}
+	return "", ErrPolicyNotFound
+}
+
+// getRoleArnByName returns the ARN for a role with the given name.
+func getRoleArnByName(ctx context.Context, iamClient *iam.Client, roleName string) (string, error) {
+	paginator := iam.NewListRolesPaginator(iamClient, &iam.ListRolesInput{})
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return "", err
+		}
+		for _, r := range page.Roles {
+			if aws.ToString(r.RoleName) == roleName {
+				return aws.ToString(r.Arn), nil
+			}
+		}
+	}
+	return "", fmt.Errorf("role %s not found", roleName)
+}
+
+// hasDemoUserPolicy determines whether or not the DemoUser policy has been
+// assigned to the AWS credential idendity being used.
+func hasDemoUserPolicy(ctx context.Context) (bool, error) {
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		return false, err
+	}
+	iamClient := iam.NewFromConfig(cfg)
+
+	// Lookup DemoUser policy ARN
+	_, err = getPolicyArnByName(ctx, iamClient, "DemoUser")
+	if err == nil {
+		return true, nil
+	}
+
+	if errors.Is(err, ErrPolicyNotFound) {
+		return false, nil
+	}
+
+	return false, err
+}
+
+// createTestIAMUser creates a new IAM user with a unique name, attaches the DemoUser policy, and returns the user/access key info and AWS region.
+func createTestIAMUser(t *testing.T) (
+	userName string,
+	accessKeyID string,
+	secretAccessKey string,
+	demoUserPolicyArn string,
+	assumedRoleArn string,
+	awsRegion string,
+) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		t.Fatalf("failed to load AWS config: %v", err)
+	}
+	awsRegion = cfg.Region
+	if awsRegion == "" {
+		t.Fatalf("AWS region is empty in config")
+	}
+	iamClient := iam.NewFromConfig(cfg)
+	stsClient := sts.NewFromConfig(cfg)
+
+	// Get current AWS account identity (for unique name)
+	caller, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+	if err != nil {
+		t.Fatalf("failed to get caller identity: %v", err)
+	}
+	accountID := aws.ToString(caller.Account)
+
+	// Generate a random hex suffix for uniqueness
+	const randomSuffixByteLength = 4
+	suffix := make([]byte, randomSuffixByteLength)
+	if _, err := rand.Read(suffix); err != nil {
+		t.Fatalf("failed to generate random suffix: %v", err)
+	}
+	hexSuffix := hex.EncodeToString(suffix)
+	userName = fmt.Sprintf("demo-GitHubActions-%s-%s", accountID, hexSuffix)
+
+	// Lookup DemoUser policy ARN
+	demoUserPolicyArn, err = getPolicyArnByName(ctx, iamClient, "DemoUser")
+	if err != nil {
+		t.Fatalf("DemoUser policy not found: %v", err)
+	}
+
+	// Lookup vault-assumed-role-credentials-demo role ARN
+	assumedRoleArn, err = getRoleArnByName(ctx, iamClient, "vault-assumed-role-credentials-demo")
+	if err != nil {
+		t.Fatalf("vault-assumed-role-credentials-demo role not found: %v", err)
+	}
+
+	// Create IAM user
+	_, err = iamClient.CreateUser(ctx, &iam.CreateUserInput{
+		UserName:            aws.String(userName),
+		PermissionsBoundary: aws.String(demoUserPolicyArn),
+	})
+	if err != nil {
+		t.Fatalf("failed to create IAM user: %v", err)
+	}
+
+	// Attach policy to user
+	_, err = iamClient.AttachUserPolicy(ctx, &iam.AttachUserPolicyInput{
+		UserName:  aws.String(userName),
+		PolicyArn: aws.String(demoUserPolicyArn),
+	})
+	if err != nil {
+		t.Fatalf("failed to attach policy: %v", err)
+	}
+
+	// Create access key
+	keyOut, err := iamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
+		UserName: aws.String(userName),
+	})
+	if err != nil {
+		t.Fatalf("failed to create access key: %v", err)
+	}
+	accessKeyID = aws.ToString(keyOut.AccessKey.AccessKeyId)
+	secretAccessKey = aws.ToString(keyOut.AccessKey.SecretAccessKey)
+
+	// IAM is eventually consistent; wait briefly before verifying the user is readable.
+	t.Logf("Verifying IAM user %s exists...", userName)
+	waitTime := 10 * time.Second
+	verifyDeadline := time.Now().Add(waitTime * 2)
+	var lastErr error
+	for time.Now().Before(verifyDeadline) {
+		time.Sleep(waitTime)
+		_, lastErr = iamClient.GetUser(ctx, &iam.GetUserInput{UserName: aws.String(userName)})
+		if lastErr == nil {
+			break
+		}
+		t.Logf("IAM user %q not readable yet; retrying: %v", userName, lastErr)
+	}
+	if lastErr != nil {
+		t.Fatalf("failed to verify IAM user %q: %v", userName, lastErr)
+	}
+
+	return userName, accessKeyID, secretAccessKey, demoUserPolicyArn, assumedRoleArn, awsRegion
+}
+
+// getAwsUsernameTemplate returns the username template string for Vault AWS config.
+func getAwsUsernameTemplate(awsUserName string) string {
+	const prefix = `{{ if (eq .Type "STS") }}{{ printf "`
+	const stsSuffix = `-%s-%s" (random 20) (unix_time) | truncate 32 }}{{ else }}{{ printf "`
+	const iamUserSuffix = `-%s-%s" (unix_time) (random 20) | truncate 60 }}{{ end }}`
+	return prefix + awsUserName + stsSuffix + awsUserName + iamUserSuffix
+}
+
+// getAllowDescribeRegionsPolicy returns a policy document allowing ec2:DescribeRegions.
+func getAllowDescribeRegionsPolicy() string {
+	return `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["ec2:DescribeRegions"],
+      "Resource": ["*"]
+    }
+  ]
+}`
+}
+
+// deleteIAMUserByAccessKey deletes the IAM user that owns the given access key.
+func deleteIAMUserByAccessKey(t *testing.T, targetAccessKeyID string) {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		t.Fatalf("failed to load AWS config: %v", err)
+	}
+	iamClient := iam.NewFromConfig(cfg)
+
+	paginator := iam.NewListUsersPaginator(iamClient, &iam.ListUsersInput{})
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			t.Fatalf("failed to list IAM users: %v", err)
+		}
+		for _, user := range page.Users {
+			userName := aws.ToString(user.UserName)
+			if !strings.Contains(userName, "demo-GitHubActions") {
+				continue
+			}
+			// List all access keys for this user
+			keyPaginator := iam.NewListAccessKeysPaginator(iamClient, &iam.ListAccessKeysInput{
+				UserName: &userName,
+			})
+			for keyPaginator.HasMorePages() {
+				keyPage, err := keyPaginator.NextPage(ctx)
+				if err != nil {
+					t.Logf("warning: failed to list access keys for user %q: %v", userName, err)
+					continue
+				}
+				for _, key := range keyPage.AccessKeyMetadata {
+					accessKeyId := aws.ToString(key.AccessKeyId)
+					if accessKeyId == targetAccessKeyID {
+						// Found the user with the target access key. Detach managed policies first,
+						// then delete all access keys, then delete the user.
+						policyPaginator := iam.NewListAttachedUserPoliciesPaginator(iamClient, &iam.ListAttachedUserPoliciesInput{
+							UserName: &userName,
+						})
+						for policyPaginator.HasMorePages() {
+							policyPage, err := policyPaginator.NextPage(ctx)
+							if err != nil {
+								t.Logf("warning: failed to list attached policies for user %q: %v", userName, err)
+								continue
+							}
+							for _, policy := range policyPage.AttachedPolicies {
+								policyArn := aws.ToString(policy.PolicyArn)
+								if _, err := iamClient.DetachUserPolicy(ctx, &iam.DetachUserPolicyInput{
+									UserName:  &userName,
+									PolicyArn: &policyArn,
+								}); err != nil {
+									t.Logf("warning: failed to detach policy %q from user %q: %v", policyArn, userName, err)
+								}
+							}
+						}
+						keyPaginator2 := iam.NewListAccessKeysPaginator(iamClient, &iam.ListAccessKeysInput{
+							UserName: &userName,
+						})
+						for keyPaginator2.HasMorePages() {
+							keyPage2, err := keyPaginator2.NextPage(ctx)
+							if err != nil {
+								t.Logf("warning: failed to list access keys for cleanup on user %q: %v", userName, err)
+								continue
+							}
+							for _, key2 := range keyPage2.AccessKeyMetadata {
+								accessKeyId2 := aws.ToString(key2.AccessKeyId)
+								if _, err := iamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
+									UserName:    &userName,
+									AccessKeyId: &accessKeyId2,
+								}); err != nil {
+									t.Logf("warning: failed to delete access key %q for user %q: %v", accessKeyId2, userName, err)
+								}
+							}
+						}
+						// Delete the user
+						if _, err := iamClient.DeleteUser(ctx, &iam.DeleteUserInput{
+							UserName: &userName,
+						}); err != nil {
+							t.Logf("warning: failed to delete user %q: %v", userName, err)
+						}
+						return
+					}
+				}
+			}
+		}
+	}
+}
diff --git a/vault/external_tests/blackbox/plugins/aws/secrets_aws_test.go b/vault/external_tests/blackbox/plugins/aws/secrets_aws_test.go
new file mode 100644
index 0000000000..1ad9dd3845
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/aws/secrets_aws_test.go
@@ -0,0 +1,113 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package aws
+
+import (
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestAWS_GenerateNewUser verifies AWS secrets engine can generate IAM user credentials.
+func TestAWS_GenerateNewUser(t *testing.T) {
+	t.Parallel()
+	v := blackbox.New(t)
+
+	accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
+	secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
+	if accessKey == "" || secretKey == "" {
+		t.Log("AWS credentials not available - skipping AWS secrets engine test")
+		t.Skip("AWS credentials not available - skipping AWS secrets engine test")
+	}
+
+	hasDUP, err := hasDemoUserPolicy(t.Context())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !hasDUP {
+		// TODO: We can probably check for IAM permission instead of a policy. That
+		// would require rewriting the whole test though.
+		t.Skip("Skipping test as it requires a special DemoUser policy that is not assigned to the current AWS credentials")
+	}
+
+	t.Logf("Creating test IAM user via helpers.go...")
+	userName, tempAccessKeyId, tempSecretAccessKey, demoUserPolicyArn, _, _ := createTestIAMUser(t)
+	t.Logf("Created test IAM user: %s", userName)
+	var newAccessKey string
+	t.Cleanup(func() {
+		if newAccessKey != "" {
+			t.Logf("Cleanup: deleting IAM user created by Vault with access key: %s", newAccessKey)
+			deleteIAMUserByAccessKey(t, newAccessKey)
+		}
+
+		t.Logf("Cleanup: deleting IAM user by initial access key: %s", tempAccessKeyId)
+		deleteIAMUserByAccessKey(t, tempAccessKeyId)
+	})
+
+	path := fmt.Sprintf("aws-test-%d", time.Now().UnixNano())
+	t.Logf("Enabling AWS secrets engine at path: %s", path)
+	v.MustEnableSecretsEngine(path, &api.MountInput{Type: "aws"})
+
+	t.Logf("Configuring AWS secrets engine with root credentials and username template for user: %s", userName)
+	v.MustWrite(fmt.Sprintf("%s/config/root", path), map[string]any{
+		"access_key":        tempAccessKeyId,
+		"secret_key":        tempSecretAccessKey,
+		"region":            "us-east-1",
+		"username_template": getAwsUsernameTemplate(userName),
+	})
+
+	roleName := "aws-enos-role"
+	t.Logf("Creating Vault AWS role: %s", roleName)
+	v.MustWrite(fmt.Sprintf("%s/roles/%s", path, roleName), map[string]any{
+		"credential_type":          "iam_user",
+		"permissions_boundary_arn": demoUserPolicyArn,
+		"policy_document":          getAllowDescribeRegionsPolicy(),
+	})
+
+	t.Logf("Reading and verifying AWS role configuration for role: %s", roleName)
+	roleResp := v.MustRead(fmt.Sprintf("%s/roles/%s", path, roleName))
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read AWS role configuration")
+	}
+
+	t.Logf("Listing AWS roles at path: %s/roles", path)
+	rolesList := v.MustList(fmt.Sprintf("%s/roles", path))
+	if rolesList == nil || rolesList.Data == nil {
+		t.Fatal("No AWS roles created! (rolesList is nil or Data is nil)")
+	}
+	roleKeys, ok := rolesList.Data["keys"].([]interface{})
+	if !ok || len(roleKeys) == 0 {
+		t.Fatal("No AWS roles created! (rolesList.Data['keys'] is empty or not a slice)")
+	}
+	t.Logf("Found AWS roles: %v", roleKeys)
+
+	t.Logf("Reading root config to verify username template is set correctly")
+	rootUser := v.MustRead(fmt.Sprintf("%s/config/root", path))
+	if rootUser == nil || rootUser.Data == nil {
+		t.Fatalf("Expected to read root config, got nil: %#v", rootUser)
+	}
+	if val, ok := rootUser.Data["username_template"]; !ok || val == nil {
+		t.Fatalf("username_template missing in root config: %#v", rootUser)
+	}
+
+	t.Logf("Generating new credentials for IAM user using role: %s", roleName)
+	newUser := v.MustRead(fmt.Sprintf("%s/creds/%s", path, roleName))
+	if newUser == nil || newUser.Data == nil {
+		t.Fatalf("Failed to generate new credentials for IAM user: %s", roleName)
+	}
+	if val, ok := newUser.Data["access_key"]; !ok || val == nil || val == tempAccessKeyId {
+		t.Fatalf("The new access key is empty or is matching the old one: %v", val)
+	}
+
+	newAccessKey, ok = newUser.Data["access_key"].(string)
+	if !ok || newAccessKey == "" {
+		t.Fatalf("Could not extract access_key from new credentials: %v", newUser.Data["access_key"])
+	}
+	t.Logf("Captured Vault-created access key for cleanup: %s", newAccessKey)
+}
diff --git a/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_connection_config_test.go b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_connection_config_test.go
new file mode 100644
index 0000000000..219b3789d4
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_connection_config_test.go
@@ -0,0 +1,52 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package mongodb
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestMongoDBConnectionConfigCRUDWorkflows runs all MongoDB connection
+// config CRUD workflow tests.
+func TestMongoDBConnectionConfigCRUDWorkflows(t *testing.T) {
+	t.Run("CreateBasic", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBConnectionConfigCreateBasic(t, v)
+	})
+
+	// TODO: Additional tests for future implementation:
+	// - ListReturnsNamesOnly: Verify listing returns only connection names
+	// - ReadRedactsSensitiveFields: Verify passwords are redacted in read operations
+	// - ResetConnection: Verify connection reset preserves configuration
+	// - DeleteConnection: Verify connection deletion and idempotency
+}
+
+// TODO: TestMongoDBConnectionConfigValidationWorkflows
+// Future implementation should test:
+// - VerifyConnectionValid: Test with verify_connection=true and valid credentials
+// - VerifyConnectionInvalid: Test with verify_connection=true and invalid credentials
+
+// testMongoDBConnectionConfigCreateBasic verifies that configuring a
+// MongoDB database connection succeeds at database/config/{name}.
+func testMongoDBConnectionConfigCreateBasic(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+	cleanup, connURL, _, _ := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	v.MustWrite(
+		mount+"/config/my-mongodb-db",
+		mongoConnectionConfigPayload(connURL, "*", false),
+	)
+
+	config := v.MustReadRequired(mount + "/config/my-mongodb-db")
+	v.AssertSecret(config).Data().HasKey("plugin_name", "mongodb-database-plugin")
+}
diff --git a/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_delete_test.go b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_delete_test.go
new file mode 100644
index 0000000000..e26bd8876b
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_delete_test.go
@@ -0,0 +1,164 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package mongodb
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+const (
+	deleteTestUsername = "deletetestuser"
+	deleteTestRoleName = "delete-test-role"
+)
+
+// TestMongoDBStaticRoleDeleteWorkflows runs all MongoDB static role delete workflow tests.
+func TestMongoDBStaticRoleDeleteWorkflows(t *testing.T) {
+	t.Run("DeleteExistingRole", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleDeleteExistingRole(t, v)
+	})
+
+	t.Run("DeletePreventsCredentialAccess", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleDeletePreventsCredentialAccess(t, v)
+	})
+
+	t.Run("DeleteIsIdempotent", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleDeleteIsIdempotent(t, v)
+	})
+
+	t.Run("DeleteNonExistentRole", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleDeleteNonExistentRole(t, v)
+	})
+}
+
+// testMongoDBStaticRoleDeleteExistingRole verifies deleting an existing
+// static role succeeds and removes it from the list.
+func testMongoDBStaticRoleDeleteExistingRole(t *testing.T, v *blackbox.Session) {
+	mount, _, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, deleteTestUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+deleteTestRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        deleteTestUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	// Verify role exists
+	role := v.MustReadRequired(mount + "/static-roles/" + deleteTestRoleName)
+	v.AssertSecret(role).Data().HasKey("username", deleteTestUsername)
+
+	// Delete the role
+	v.MustDelete(mount + "/static-roles/" + deleteTestRoleName)
+
+	// Verify role is gone - Read returns nil secret for non-existent paths
+	secret, err := v.Read(mount + "/static-roles/" + deleteTestRoleName)
+	if err != nil {
+		// Error is acceptable
+	} else if secret != nil {
+		t.Fatal("expected nil secret when reading deleted role")
+	}
+
+	// Verify role is not in list
+	list := v.MustList(mount + "/static-roles")
+	if list == nil || list.Data == nil || list.Data["keys"] == nil {
+		return
+	}
+
+	keys := list.Data["keys"].([]interface{})
+	for _, k := range keys {
+		if k.(string) == deleteTestRoleName {
+			t.Fatalf("deleted role %s should not appear in list", deleteTestRoleName)
+		}
+	}
+}
+
+// testMongoDBStaticRoleDeletePreventsCredentialAccess verifies that after
+// deleting a static role, credentials can no longer be read.
+func testMongoDBStaticRoleDeletePreventsCredentialAccess(t *testing.T, v *blackbox.Session) {
+	mount, _, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, deleteTestUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+deleteTestRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        deleteTestUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	// Verify credentials can be read before deletion
+	creds := v.MustReadRequired(mount + "/static-creds/" + deleteTestRoleName)
+	v.AssertSecret(creds).Data().HasKeyExists("username")
+	v.AssertSecret(creds).Data().HasKeyExists("password")
+
+	// Delete the role
+	v.MustDelete(mount + "/static-roles/" + deleteTestRoleName)
+
+	// Verify credentials can no longer be read - Read returns nil secret for deleted roles
+	secret, err := v.Read(mount + "/static-creds/" + deleteTestRoleName)
+	if err != nil {
+		// Error is acceptable
+	} else if secret != nil {
+		t.Fatal("expected nil secret when reading credentials for deleted role")
+	}
+}
+
+// testMongoDBStaticRoleDeleteIsIdempotent verifies that deleting a role
+// multiple times succeeds without error.
+func testMongoDBStaticRoleDeleteIsIdempotent(t *testing.T, v *blackbox.Session) {
+	mount, _, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, deleteTestUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+deleteTestRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        deleteTestUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	// Delete the role first time
+	v.MustDelete(mount + "/static-roles/" + deleteTestRoleName)
+
+	// Verify role is gone - Read returns nil secret for non-existent paths
+	secret, err := v.Read(mount + "/static-roles/" + deleteTestRoleName)
+	if err != nil {
+		// Error is acceptable
+	} else if secret != nil {
+		t.Fatal("expected nil secret when reading deleted role")
+	}
+
+	// Delete the role again - should succeed (idempotent)
+	v.MustDelete(mount + "/static-roles/" + deleteTestRoleName)
+
+	// Delete a third time to ensure consistent behavior
+	v.MustDelete(mount + "/static-roles/" + deleteTestRoleName)
+}
+
+// testMongoDBStaticRoleDeleteNonExistentRole verifies that attempting to
+// delete a non-existent role succeeds (idempotent behavior).
+func testMongoDBStaticRoleDeleteNonExistentRole(t *testing.T, v *blackbox.Session) {
+	mount, _, _, _ := setupMongoDBTest(t, v)
+
+	// Attempt to delete a role that was never created
+	v.MustDelete(mount + "/static-roles/never-existed-role")
+
+	// Verify it's still not there - Read returns nil secret for non-existent paths
+	secret, err := v.Read(mount + "/static-roles/never-existed-role")
+	if err != nil {
+		// Error is acceptable
+		return
+	}
+	if secret != nil {
+		t.Fatal("expected nil secret when reading non-existent role")
+	}
+}
diff --git a/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_read_test.go b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_read_test.go
new file mode 100644
index 0000000000..2e59f9e244
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_read_test.go
@@ -0,0 +1,165 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package mongodb
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+const (
+	readTestUsername = "readtestuser"
+	readTestRoleName = "read-test-role"
+)
+
+// TestMongoDBStaticRoleReadWorkflows runs all MongoDB static role read workflow tests.
+func TestMongoDBStaticRoleReadWorkflows(t *testing.T) {
+	t.Run("ReadReturnsConfiguration", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleReadReturnsConfiguration(t, v)
+	})
+
+	t.Run("ReadNonExistentRole", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleReadNonExistentRole(t, v)
+	})
+
+	t.Run("ReadAfterUpdate", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleReadAfterUpdate(t, v)
+	})
+
+	t.Run("ListMultipleRoles", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleListMultipleRoles(t, v)
+	})
+}
+
+// testMongoDBStaticRoleReadReturnsConfiguration verifies reading a static role
+// returns its configuration without sensitive data.
+func testMongoDBStaticRoleReadReturnsConfiguration(t *testing.T, v *blackbox.Session) {
+	mount, _, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, readTestUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+readTestRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        readTestUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	role := v.MustReadRequired(mount + "/static-roles/" + readTestRoleName)
+	v.AssertSecret(role).
+		Data().
+		HasKey("username", readTestUsername).
+		HasKey("rotation_period", float64(testRotationPeriod)).
+		HasKey("db_name", testConnectionName)
+
+	// Verify password is not returned in role configuration
+	if _, ok := role.Data["password"]; ok {
+		t.Fatal("password should not be returned in role read")
+	}
+
+	// Verify last_vault_rotation is present
+	v.AssertSecret(role).Data().HasKeyExists("last_vault_rotation")
+}
+
+// testMongoDBStaticRoleReadNonExistentRole verifies reading a non-existent
+// static role returns nil secret.
+func testMongoDBStaticRoleReadNonExistentRole(t *testing.T, v *blackbox.Session) {
+	mount, _, _, _ := setupMongoDBTest(t, v)
+
+	secret, err := v.Read(mount + "/static-roles/nonexistent-role")
+	if err != nil {
+		// Error is acceptable
+		return
+	}
+	if secret != nil {
+		t.Fatal("expected nil secret when reading non-existent role")
+	}
+}
+
+// testMongoDBStaticRoleReadAfterUpdate verifies reading a static role after
+// updating it returns the updated configuration.
+func testMongoDBStaticRoleReadAfterUpdate(t *testing.T, v *blackbox.Session) {
+	mount, _, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, readTestUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+readTestRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        readTestUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	role1 := v.MustReadRequired(mount + "/static-roles/" + readTestRoleName)
+	v.AssertSecret(role1).Data().HasKey("rotation_period", float64(testRotationPeriod))
+
+	// Update rotation period. Static role updates must continue to include the
+	// existing username to avoid being treated as a username mutation.
+	newRotationPeriod := 7200
+	v.MustWrite(mount+"/static-roles/"+readTestRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        readTestUsername,
+		"rotation_period": newRotationPeriod,
+	})
+
+	role2 := v.MustReadRequired(mount + "/static-roles/" + readTestRoleName)
+	v.AssertSecret(role2).Data().HasKey("rotation_period", float64(newRotationPeriod))
+
+	// Verify username is still the same
+	v.AssertSecret(role2).Data().HasKey("username", readTestUsername)
+}
+
+// testMongoDBStaticRoleListMultipleRoles verifies LIST /static-roles
+// returns all configured role names.
+func testMongoDBStaticRoleListMultipleRoles(t *testing.T, v *blackbox.Session) {
+	mount, _, dbName, client := setupMongoDBTest(t, v)
+
+	// Create multiple static roles
+	roles := []string{"read-role-1", "read-role-2", "read-role-3"}
+	for i, roleName := range roles {
+		username := fmt.Sprintf("listuser%d", i+1)
+		createMongoDBUser(t, client, dbName, username, testInitialPassword)
+
+		v.MustWrite(mount+"/static-roles/"+roleName, map[string]any{
+			"db_name":         testConnectionName,
+			"username":        username,
+			"rotation_period": testRotationPeriod,
+		})
+	}
+
+	list := v.MustList(mount + "/static-roles")
+	v.AssertSecret(list).Data().HasKeyExists("keys")
+
+	keys := list.Data["keys"].([]interface{})
+	if len(keys) != 3 {
+		t.Fatalf("expected 3 roles, got %d", len(keys))
+	}
+
+	// Verify all role names are present
+	keyMap := make(map[string]bool)
+	for _, k := range keys {
+		keyMap[k.(string)] = true
+	}
+	for _, roleName := range roles {
+		if !keyMap[roleName] {
+			t.Fatalf("expected role %s in list", roleName)
+		}
+	}
+
+	// Verify list doesn't contain sensitive data
+	for _, k := range keys {
+		roleName := k.(string)
+		if roleName == "password" || roleName == "connection_url" {
+			t.Fatalf("list should not contain sensitive field: %s", roleName)
+		}
+	}
+}
diff --git a/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_test.go b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_test.go
new file mode 100644
index 0000000000..0ccfa20b67
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_static_roles_test.go
@@ -0,0 +1,158 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package mongodb
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+const (
+	testStaticRoleName  = "my-static-role"
+	testUsername        = "staticuser1"
+	mongoConnectTimeout = 10 * time.Second
+)
+
+// TestMongoDBStaticRoleWorkflows runs all MongoDB static role workflow tests.
+func TestMongoDBStaticRoleWorkflows(t *testing.T) {
+	t.Parallel()
+
+	t.Run("CreateBasic", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleCreateBasic(t, v)
+	})
+
+	t.Run("ReadCredentials", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleReadCredentials(t, v)
+	})
+
+	t.Run("ManualRotation", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testMongoDBStaticRoleManualRotation(t, v)
+	})
+}
+
+// TODO: TestMongoDBStaticRoleValidationWorkflows
+// Future implementation should test:
+// - RequiresUsername: Verify error when username is missing
+// - RequiresRotationPeriodOrSchedule: Verify error without rotation config
+// - RejectsInvalidRotationPeriod: Verify error with period < 5 seconds
+// - RejectsMutuallyExclusiveFields: Verify error with both period and schedule
+
+// testMongoDBStaticRoleCreateBasic verifies that creating a basic static role
+// succeeds with required fields.
+func testMongoDBStaticRoleCreateBasic(t *testing.T, v *blackbox.Session) {
+	mount, _, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, testUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+testStaticRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        testUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	role := v.MustReadRequired(mount + "/static-roles/" + testStaticRoleName)
+	v.AssertSecret(role).
+		Data().
+		HasKey("username", testUsername).
+		HasKey("rotation_period", float64(testRotationPeriod)).
+		HasKey("db_name", testConnectionName)
+}
+
+// TODO: Additional test implementations for future teams
+// - testMongoDBStaticRoleCreateWithRotationSchedule: Test rotation_schedule instead of rotation_period
+// - testMongoDBStaticRoleListReturnsNamesOnly: Test listing multiple static roles
+// - testMongoDBStaticRoleReadReturnsConfiguration: Test reading role config without sensitive data
+// - testMongoDBStaticRoleUpdateRotationPeriod: Test updating rotation period
+// - testMongoDBStaticRoleDeleteRole: Test deleting a static role
+
+// testMongoDBStaticRoleManualRotation verifies manually rotating a static
+// role's credentials succeeds.
+func testMongoDBStaticRoleManualRotation(t *testing.T, v *blackbox.Session) {
+	mount, credVerifyURL, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, testUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+testStaticRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        testUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	creds1 := v.MustReadRequired(mount + "/static-creds/" + testStaticRoleName)
+	password1 := creds1.Data["password"].(string)
+
+	if password1 == testInitialPassword {
+		t.Fatal("expected password to be rotated on role creation")
+	}
+
+	v.MustWrite(mount+"/rotate-role/"+testStaticRoleName, nil)
+
+	creds2 := v.MustReadRequired(mount + "/static-creds/" + testStaticRoleName)
+	password2 := creds2.Data["password"].(string)
+
+	if password1 == password2 {
+		t.Fatal("expected password to change after rotation")
+	}
+
+	verifyMongoDBCredentials(t, credVerifyURL, testUsername, password2)
+}
+
+// TODO: testMongoDBStaticRoleAutomaticRotation - Test automatic rotation with short period
+// This test requires waiting for rotation to occur, which may be time-consuming
+// Pattern: Create role with short rotation_period, wait, verify password changed
+
+// testMongoDBStaticRoleReadCredentials verifies reading static credentials
+// returns the current password.
+func testMongoDBStaticRoleReadCredentials(t *testing.T, v *blackbox.Session) {
+	mount, credVerifyURL, dbName, client := setupMongoDBTest(t, v)
+
+	createMongoDBUser(t, client, dbName, testUsername, testInitialPassword)
+
+	v.MustWrite(mount+"/static-roles/"+testStaticRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"username":        testUsername,
+		"rotation_period": testRotationPeriod,
+	})
+
+	creds := v.MustReadRequired(mount + "/static-creds/" + testStaticRoleName)
+	v.AssertSecret(creds).
+		Data().
+		HasKey("username", testUsername).
+		HasKey("password", creds.Data["password"])
+
+	password := creds.Data["password"].(string)
+	if password == "" {
+		t.Fatal("expected non-empty password")
+	}
+
+	verifyMongoDBCredentials(t, credVerifyURL, testUsername, password)
+}
+
+// testMongoDBStaticRoleRequiresUsername verifies creating a static role
+// without username fails.
+func testMongoDBStaticRoleRequiresUsername(t *testing.T, v *blackbox.Session) {
+	mount, _, _, _ := setupMongoDBTest(t, v)
+
+	_, err := v.Client.Logical().Write(mount+"/static-roles/"+testStaticRoleName, map[string]any{
+		"db_name":         testConnectionName,
+		"rotation_period": testRotationPeriod,
+	})
+
+	if err == nil {
+		t.Fatal("expected error when creating static role without username")
+	}
+
+	if !strings.Contains(err.Error(), "username") {
+		t.Fatalf("expected error message to mention 'username', got: %v", err)
+	}
+}
diff --git a/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_test_helper.go b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_test_helper.go
new file mode 100644
index 0000000000..1aa1272879
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/mongodb/secret_mongodb_test_helper.go
@@ -0,0 +1,520 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package mongodb
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"net/url"
+	"os"
+	"regexp"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+const (
+	defaultMongoImage   = "docker.mirror.hashicorp.services/mongo"
+	defaultMongoVersion = "7.0"
+	defaultMongoUser    = "admin"
+	defaultMongoPass    = "secret"
+
+	testConnectionName  = "my-mongodb-db"
+	testInitialPassword = "initialpass"
+	testRotationPeriod  = 86400 // 24 hours in seconds
+)
+
+// defaultRunOpts returns default Docker run options for MongoDB container
+// Uses test name to ensure unique container names for parallel execution
+func defaultRunOpts(t *testing.T) docker.RunOptions {
+	return docker.RunOptions{
+		ContainerName: fmt.Sprintf("mongo-%s", sanitize(t.Name())),
+		ImageRepo:     defaultMongoImage,
+		ImageTag:      defaultMongoVersion,
+		Env: []string{
+			"MONGO_INITDB_ROOT_USERNAME=" + defaultMongoUser,
+			"MONGO_INITDB_ROOT_PASSWORD=" + defaultMongoPass,
+			"MONGO_INITDB_DATABASE=admin",
+		},
+		Ports:             []string{"27017/tcp"},
+		DoNotAutoRemove:   false,
+		PreDelete:         true,
+		OmitLogTimestamps: true,
+		LogConsumer: func(s string) {
+			if t.Failed() {
+				t.Logf("container logs: %s", s)
+			}
+		},
+	}
+}
+
+// requireVaultEnv skips the test if required Vault environment variables are not set
+func requireVaultEnv(t *testing.T) {
+	t.Helper()
+
+	if os.Getenv("VAULT_ADDR") == "" || os.Getenv("VAULT_TOKEN") == "" {
+		t.Skip("skipping blackbox test: VAULT_ADDR and VAULT_TOKEN are required")
+	}
+}
+
+var sanitizeRegex = regexp.MustCompile(`[^a-z0-9]+`)
+
+// sanitize converts test name to a valid identifier with smart truncation
+// Replaces non-alphanumeric characters with dashes and truncates long names
+// with a hash suffix for uniqueness
+func sanitize(name string) string {
+	lower := strings.ToLower(name)
+	out := sanitizeRegex.ReplaceAllString(lower, "-")
+	out = strings.Trim(out, "-")
+
+	if out == "" {
+		return "test"
+	}
+
+	// Truncate long names with hash suffix for uniqueness
+	if len(out) > 54 {
+		const hashLen = 8
+		sum := sha256.Sum256([]byte(out))
+		hash := hex.EncodeToString(sum[:])[:hashLen]
+		prefixLen := 54 - 1 - hashLen
+		out = out[:prefixLen] + "-" + hash
+	}
+
+	return out
+}
+
+// PrepareTestContainer starts a MongoDB container for testing.
+// Returns cleanup function, Vault connection URL, test runner connection URL,
+// and the generated per-test database name.
+// If MONGO_URL environment variable is set, uses that instead of starting a container.
+// In CI: vaultURL is private (same VPC), testRunnerURL is public (different VPC)
+func PrepareTestContainer(t *testing.T) (func(), string, string, string) {
+	_, cleanup, vaultURL, testRunnerURL, dbName := prepareTestContainer(t, defaultRunOpts(t), defaultMongoPass, false, true)
+	return cleanup, vaultURL, testRunnerURL, dbName
+}
+
+// prepareTestContainer is the internal function that handles container setup
+// Supports both Docker container creation and external MongoDB via environment variable
+func prepareTestContainer(
+	t *testing.T,
+	runOpts docker.RunOptions,
+	password string,
+	addSuffix bool,
+	forceLocalAddr bool,
+) (*docker.Runner, func(), string, string, string) {
+	requireVaultEnv(t)
+
+	// Check for external MongoDB URL
+	if os.Getenv("MONGO_URL") != "" {
+		envMongoURL := os.Getenv("MONGO_URL")
+
+		// Use private URL for Vault, fall back to public
+		vaultMongoURL := os.Getenv("MONGO_URL_PRIVATE")
+		if vaultMongoURL == "" {
+			vaultMongoURL = envMongoURL
+		}
+
+		// Create unique database for this test (max 63 chars for MongoDB)
+		sanitized := sanitize(t.Name())
+		timestamp := time.Now().Unix()
+		// Format: test_{name}_{ts} - ensure total length <= 63
+		// Reserve 5 for "test_", 10 for timestamp, 1 for underscore = 16 chars overhead
+		maxNameLen := 63 - 16
+		if len(sanitized) > maxNameLen {
+			sanitized = sanitized[:maxNameLen]
+		}
+		dbName := fmt.Sprintf("test_%s_%d", sanitized, timestamp)
+
+		// Vault uses private URL (same VPC), test runner uses public URL (different VPC)
+		vaultURL := replaceDatabase(vaultMongoURL, dbName)
+		testRunnerURL := replaceDatabase(envMongoURL, dbName)
+
+		// Create the database (test runner uses public URL)
+		if err := createDatabase(t, envMongoURL, dbName); err != nil {
+			t.Fatalf("Failed to create test database: %v", err)
+		}
+
+		cleanup := func() {
+			dropDatabase(t, envMongoURL, dbName)
+		}
+
+		return nil, cleanup, vaultURL, testRunnerURL, dbName
+	}
+
+	// Start Docker container
+	runner, err := docker.NewServiceRunner(runOpts)
+	if err != nil {
+		if strings.Contains(err.Error(), "Cannot connect to the Docker daemon") {
+			t.Fatalf("skipping blackbox test: docker daemon not available: %v", err)
+		}
+		t.Fatalf("Could not start docker MongoDB: %s", err)
+	}
+
+	// Retry StartNewService with small delays to handle port mapping timing
+	var svc *docker.Service
+	for attempt := 0; attempt < 5; attempt++ {
+		if attempt > 0 {
+			time.Sleep(time.Duration(attempt) * 500 * time.Millisecond)
+		}
+
+		svc, _, err = runner.StartNewService(context.Background(), addSuffix, forceLocalAddr, connectMongoDB(password))
+		if err == nil {
+			break
+		}
+
+		if !strings.Contains(err.Error(), "no port mapping found") {
+			break
+		}
+	}
+
+	if err != nil {
+		if strings.Contains(err.Error(), "Cannot connect to the Docker daemon") {
+			t.Fatalf("skipping blackbox test: docker daemon not available: %v", err)
+		}
+		t.Fatalf("Could not start docker MongoDB: %s", err)
+	}
+
+	connURL := svc.Config.URL().String()
+
+	// Create unique database for this test (max 63 chars for MongoDB)
+	sanitized := sanitize(t.Name())
+	timestamp := time.Now().Unix()
+	// Format: test_{name}_{ts} - ensure total length <= 63
+	// Reserve 5 for "test_", 10 for timestamp, 1 for underscore = 16 chars overhead
+	maxNameLen := 63 - 16
+	if len(sanitized) > maxNameLen {
+		sanitized = sanitized[:maxNameLen]
+	}
+	dbName := fmt.Sprintf("test_%s_%d", sanitized, timestamp)
+	testURL := replaceDatabase(connURL, dbName)
+
+	// Create the database
+	if err := createDatabase(t, connURL, dbName); err != nil {
+		svc.Cleanup()
+		t.Fatalf("Failed to create test database: %v", err)
+	}
+
+	cleanup := func() {
+		dropDatabase(t, connURL, dbName)
+		svc.Cleanup()
+	}
+
+	// For Docker, both Vault and test runner use the same URL (localhost)
+	return runner, cleanup, testURL, testURL, dbName
+}
+
+// connectMongoDB returns a ServiceAdapter that connects to MongoDB
+// Includes retry logic with 30-second timeout for container startup
+func connectMongoDB(password string) docker.ServiceAdapter {
+	return func(ctx context.Context, host string, port int) (docker.ServiceConfig, error) {
+		u := url.URL{
+			Scheme: "mongodb",
+			User:   url.UserPassword(defaultMongoUser, password),
+			Host:   fmt.Sprintf("%s:%d", host, port),
+			Path:   "/admin",
+		}
+
+		// Retry connection with timeout
+		deadline := time.Now().Add(30 * time.Second)
+		var lastErr error
+
+		for time.Now().Before(deadline) {
+			client, err := mongo.Connect(ctx, options.Client().ApplyURI(u.String()))
+			if err != nil {
+				lastErr = err
+				time.Sleep(1 * time.Second)
+				continue
+			}
+
+			// Ping to verify connection
+			if err = client.Ping(ctx, nil); err != nil {
+				client.Disconnect(ctx)
+				lastErr = err
+				time.Sleep(1 * time.Second)
+				continue
+			}
+
+			// Connection successful
+			client.Disconnect(ctx)
+			return docker.NewServiceURL(u), nil
+		}
+
+		return nil, fmt.Errorf("mongodb not ready after 30s: %w", lastErr)
+	}
+}
+
+// replaceDatabase replaces the database name in a MongoDB connection URL
+func replaceDatabase(connURL, dbName string) string {
+	u, err := url.Parse(connURL)
+	if err != nil {
+		return connURL
+	}
+
+	u.Path = dbName
+
+	// Ensure authSource=admin so authentication works against admin database
+	// even when connecting to a different database
+	q := u.Query()
+	if q.Get("authSource") == "" {
+		q.Set("authSource", "admin")
+		u.RawQuery = q.Encode()
+	}
+
+	return u.String()
+}
+
+// createDatabase creates a new database in MongoDB
+// MongoDB creates databases lazily, so we create a collection to ensure it exists
+// Uses 60-second timeout with retry logic for CI environments with network latency.
+func createDatabase(t *testing.T, connURL, dbName string) error {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	// Retry connection with backoff for CI network latency
+	var client *mongo.Client
+	var err error
+	deadline := time.Now().Add(60 * time.Second)
+
+	for time.Now().Before(deadline) {
+		// Set shorter server selection timeout (10s) to allow multiple retries within 60s window
+		clientOpts := options.Client().
+			ApplyURI(connURL).
+			SetServerSelectionTimeout(10 * time.Second).
+			SetConnectTimeout(10 * time.Second)
+
+		client, err = mongo.Connect(ctx, clientOpts)
+		if err != nil {
+			time.Sleep(2 * time.Second)
+			continue
+		}
+
+		// Verify connection with ping
+		if err = client.Ping(ctx, nil); err != nil {
+			client.Disconnect(ctx)
+			time.Sleep(2 * time.Second)
+			continue
+		}
+
+		break
+	}
+
+	if err != nil {
+		return fmt.Errorf("failed to connect to MongoDB after retries: %w", err)
+	}
+	defer client.Disconnect(ctx)
+
+	// Create a collection to ensure database exists
+	db := client.Database(dbName)
+	if err := db.CreateCollection(ctx, "_init"); err != nil {
+		return fmt.Errorf("failed to create database: %w", err)
+	}
+
+	t.Logf("Created test database: %s", dbName)
+	return nil
+}
+
+// dropDatabase drops a database from MongoDB
+// Uses 60-second timeout with retry logic for CI environments with network latency.
+func dropDatabase(t *testing.T, connURL, dbName string) {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	// Retry connection with backoff for CI network latency
+	var client *mongo.Client
+	var err error
+	deadline := time.Now().Add(60 * time.Second)
+
+	for time.Now().Before(deadline) {
+		// Set shorter server selection timeout (10s) to allow multiple retries within 60s window
+		clientOpts := options.Client().
+			ApplyURI(connURL).
+			SetServerSelectionTimeout(10 * time.Second).
+			SetConnectTimeout(10 * time.Second)
+
+		client, err = mongo.Connect(ctx, clientOpts)
+		if err != nil {
+			time.Sleep(2 * time.Second)
+			continue
+		}
+
+		// Verify connection with ping
+		if err = client.Ping(ctx, nil); err != nil {
+			client.Disconnect(ctx)
+			time.Sleep(2 * time.Second)
+			continue
+		}
+
+		break
+	}
+
+	if err != nil {
+		t.Logf("Warning: failed to connect for cleanup after retries: %v", err)
+		return
+	}
+	defer client.Disconnect(ctx)
+
+	if err := client.Database(dbName).Drop(ctx); err != nil {
+		t.Logf("Warning: failed to drop database %s: %v", dbName, err)
+		return
+	}
+
+	t.Logf("Dropped test database: %s", dbName)
+}
+
+// mongoConnectionConfigPayload returns a standard MongoDB connection configuration payload
+func mongoConnectionConfigPayload(connURL, allowedRoles string, verifyConnection bool) map[string]any {
+	return map[string]any{
+		"plugin_name":       "mongodb-database-plugin",
+		"connection_url":    connURL,
+		"allowed_roles":     allowedRoles,
+		"verify_connection": verifyConnection,
+	}
+}
+
+// setupMongoDBTest performs common test setup: creates container, enables mount, configures connection.
+// Returns mount path, connection URL for verifying credentials, the generated
+// per-test database name, and a reusable MongoDB client for test operations.
+// In CI: Vault uses private URL (same VPC), test runner uses public URL (different VPC)
+func setupMongoDBTest(t *testing.T, v *blackbox.Session) (string, string, string, *mongo.Client) {
+	t.Helper()
+
+	requireVaultEnv(t)
+	cleanup, vaultURL, testRunnerURL, dbName := PrepareTestContainer(t)
+	t.Cleanup(cleanup)
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	// Vault uses private URL (same VPC as MongoDB in CI)
+	v.MustWrite(
+		mount+"/config/"+testConnectionName,
+		mongoConnectionConfigPayload(vaultURL, "*", false),
+	)
+
+	// Test runner uses public URL (different VPC in CI, needs public access)
+	client := getMongoClient(t, testRunnerURL)
+	t.Cleanup(func() {
+		if err := client.Disconnect(context.Background()); err != nil {
+			t.Logf("Warning: failed to disconnect MongoDB client: %v", err)
+		}
+	})
+
+	// Return testRunnerURL for credential verification (test runner needs public access)
+	return mount, testRunnerURL, dbName, client
+}
+
+// getMongoClient creates a MongoDB client with optimized settings for CI environments.
+// Uses connection pooling and shorter timeouts for faster failure detection.
+func getMongoClient(t *testing.T, connURL string) *mongo.Client {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	clientOpts := options.Client().
+		ApplyURI(connURL).
+		SetServerSelectionTimeout(10 * time.Second).
+		SetConnectTimeout(10 * time.Second).
+		SetMaxPoolSize(10).
+		SetMinPoolSize(2)
+
+	client, err := mongo.Connect(ctx, clientOpts)
+	if err != nil {
+		t.Fatalf("failed to create MongoDB client: %v", err)
+	}
+
+	// Verify connection
+	if err := client.Ping(ctx, nil); err != nil {
+		client.Disconnect(ctx)
+		t.Fatalf("failed to ping MongoDB: %v", err)
+	}
+
+	return client
+}
+
+// createMongoDBUser creates a MongoDB user for testing static roles.
+// Uses the provided client connection to avoid connection overhead.
+// The user is created in the database identified by dbName, while auth
+// continues to use authSource=admin.
+func createMongoDBUser(t *testing.T, client *mongo.Client, dbName, username, password string) {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	db := client.Database(dbName)
+
+	// First, try to drop the user if it exists (for test cleanup/retry scenarios).
+	_ = db.RunCommand(ctx, bson.D{{Key: "dropUser", Value: username}}).Err()
+
+	err := db.RunCommand(ctx, bson.D{
+		{Key: "createUser", Value: username},
+		{Key: "pwd", Value: password},
+		{Key: "roles", Value: bson.A{
+			bson.D{
+				{Key: "role", Value: "readWrite"},
+				{Key: "db", Value: dbName},
+			},
+		}},
+	}).Err()
+	if err != nil {
+		t.Fatalf("failed to create MongoDB user: %v", err)
+	}
+
+	t.Logf("Created MongoDB user: %s in database %s", username, dbName)
+}
+
+// verifyMongoDBCredentials verifies that the given credentials work for MongoDB.
+// Creates a new client with the provided credentials to test authentication.
+func verifyMongoDBCredentials(t *testing.T, connURL, username, password string) {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	// Replace credentials in connection URL
+	u, err := url.Parse(connURL)
+	if err != nil {
+		t.Fatalf("failed to parse connection URL: %v", err)
+	}
+	u.User = url.UserPassword(username, password)
+
+	// Remove the auth source so we verify with the default database
+	values := u.Query()
+	if values.Get("authSource") != "" {
+		values.Del("authSource")
+		u.RawQuery = values.Encode()
+	}
+
+	// Create client with new credentials
+	clientOpts := options.Client().
+		ApplyURI(u.String()).
+		SetServerSelectionTimeout(10 * time.Second).
+		SetConnectTimeout(10 * time.Second)
+
+	client, err := mongo.Connect(ctx, clientOpts)
+	if err != nil {
+		t.Fatalf("failed to connect to mongodb: %v: url %s", err, u.String())
+	}
+	defer client.Disconnect(ctx)
+
+	if err := client.Ping(ctx, nil); err != nil {
+		t.Fatalf("failed to ping mongodb: %v: url %s", err, u.String())
+	}
+
+	t.Logf("Verified MongoDB credentials for user: %s", username)
+}
diff --git a/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_dsn_test.go b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_dsn_test.go
new file mode 100644
index 0000000000..f68d0f0d77
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_dsn_test.go
@@ -0,0 +1,74 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package postgres
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	"github.com/stretchr/testify/require"
+)
+
+// testPostgreSQLConnectionConfigCreateWithDSN verifies that configuring a
+// PostgreSQL database connection succeeds using DSN key-value format at
+// database/config/{name}.
+func testPostgreSQLConnectionConfigCreateWithDSN(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	dsnConnectionURL := dsnConnectionURLFromConnURL(t, connURL)
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+	path := mount + "/config/postgres-dsn-basic"
+
+	v.MustWrite(path, postgresConnectionConfigPayload(dsnConnectionURL, "*", "secret", true))
+
+	config := v.MustReadRequired(path)
+	v.AssertSecret(config).Data().
+		HasKey("plugin_name", "postgresql-database-plugin").
+		HasKeyExists("allowed_roles")
+}
+
+func dsnConnectionURLFromConnURL(t *testing.T, connURL string) string {
+	t.Helper()
+
+	parsedConnURL, err := url.Parse(connURL)
+	require.NoError(t, err)
+	require.NotEmpty(t, parsedConnURL.Host)
+
+	host := parsedConnURL.Hostname()
+	require.NotEmpty(t, host)
+
+	port := parsedConnURL.Port()
+	if port == "" {
+		_, parsedPort, splitErr := net.SplitHostPort(parsedConnURL.Host)
+		require.NoError(t, splitErr)
+		port = parsedPort
+	}
+
+	dbName := strings.TrimPrefix(parsedConnURL.Path, "/")
+	if dbName == "" {
+		dbName = "postgres"
+	}
+
+	sslMode := parsedConnURL.Query().Get("sslmode")
+	if sslMode == "" {
+		sslMode = "disable"
+	}
+
+	return fmt.Sprintf(
+		"host=%s port=%s dbname=%s user={{username}} password={{password}} sslmode=%s",
+		host,
+		port,
+		dbName,
+		sslMode,
+	)
+}
diff --git a/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_failover_test.go b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_failover_test.go
new file mode 100644
index 0000000000..cdd2e84df6
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_failover_test.go
@@ -0,0 +1,86 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package postgres
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestPostgreSQLConnectionConfigFailoverWorkflows runs all PostgreSQL
+// connection failover workflow tests.
+func TestPostgreSQLConnectionConfigFailoverWorkflows(t *testing.T) {
+	t.Run("MultiHostPrimaryAvailable", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigCreateMultiHostPrimaryAvailable(t, v)
+	})
+
+	t.Run("MultiHostPrimaryUnavailable", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigCreateMultiHostPrimaryUnavailable(t, v)
+	})
+}
+
+// testPostgreSQLConnectionConfigCreateMultiHostPrimaryAvailable verifies
+// that a multi-host PostgreSQL connection succeeds when the primary host is
+// available.
+func testPostgreSQLConnectionConfigCreateMultiHostPrimaryAvailable(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanupPrimary, primaryConnURL := PrepareTestContainer(t)
+	defer cleanupPrimary()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	primaryPreferredURL := strings.Replace(
+		primaryConnURL,
+		"/postgres?sslmode=disable",
+		",localhost:55/postgres?sslmode=disable",
+		1,
+	)
+	if primaryPreferredURL == primaryConnURL {
+		t.Fatalf("failed to construct primary-preferred multi-host URL from %q", primaryConnURL)
+	}
+
+	path := mount + "/config/postgres-multihost-primary"
+	writeAndAssertPostgresConfig(t, v, path, templatedConnectionURL(primaryPreferredURL))
+}
+
+// testPostgreSQLConnectionConfigCreateMultiHostPrimaryUnavailable verifies
+// that a multi-host PostgreSQL connection succeeds when the primary host is
+// down and the driver falls back to a secondary host.
+func testPostgreSQLConnectionConfigCreateMultiHostPrimaryUnavailable(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanupFailover, failoverConnURL := PrepareTestContainerMultiHost(t)
+	defer cleanupFailover()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	if !strings.Contains(failoverConnURL, "localhost:55,") {
+		t.Fatalf("expected failover URL with unreachable first host, got %q", failoverConnURL)
+	}
+
+	path := mount + "/config/postgres-multihost-ports"
+	writeAndAssertPostgresConfig(t, v, path, templatedConnectionURL(failoverConnURL))
+}
+
+func writeAndAssertPostgresConfig(t *testing.T, v *blackbox.Session, path, connURL string) {
+	t.Helper()
+
+	v.MustWrite(path, postgresConnectionConfigPayload(connURL, "*", "secret", true))
+
+	config := v.MustReadRequired(path)
+	v.AssertSecret(config).Data().
+		HasKey("plugin_name", "postgresql-database-plugin").
+		HasKeyExists("allowed_roles")
+}
diff --git a/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_test.go b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_test.go
new file mode 100644
index 0000000000..cc48f3fdeb
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_config_test.go
@@ -0,0 +1,323 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package postgres
+
+import (
+	"fmt"
+	"slices"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	"github.com/stretchr/testify/require"
+)
+
+// TestPostgreSQLConnectionConfigCRUDWorkflows runs all PostgreSQL connection
+// config CRUD workflow tests.
+func TestPostgreSQLConnectionConfigCRUDWorkflows(t *testing.T) {
+	t.Run("CreateBasic", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigCreateBasic(t, v)
+	})
+
+	t.Run("ListReturnsNamesOnly", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigListReturnsNamesOnly(t, v)
+	})
+
+	t.Run("ReadRedactsSensitiveFields", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigReadRedactsSensitiveFields(t, v)
+	})
+
+	t.Run("ResetConnectionSuccess", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigResetConnectionSuccess(t, v)
+	})
+
+	t.Run("DeleteConnectionSuccess", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigDeleteConnectionSuccess(t, v)
+	})
+}
+
+// TestPostgreSQLConnectionConfigValidationWorkflows runs all PostgreSQL
+// connection config validation workflow tests.
+func TestPostgreSQLConnectionConfigValidationWorkflows(t *testing.T) {
+	t.Run("CreateWithDSN", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigCreateWithDSN(t, v)
+	})
+
+	t.Run("ConnectionVerificationValid", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigUpdateVerifyConnectionValidConnection(t, v)
+	})
+
+	t.Run("ConnectionVerificationInvalid", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testPostgreSQLConnectionConfigUpdateVerifyConnectionInvalidCredentials(t, v)
+	})
+}
+
+// testPostgreSQLConnectionConfigCreateBasic verifies that configuring a
+// PostgreSQL database connection succeeds at database/config/{name}.
+func testPostgreSQLConnectionConfigCreateBasic(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	path := mount + "/config/my-postgres-db"
+
+	v.MustWrite(path, postgresConnectionConfigPayload(
+		templatedConnectionURL(connURL),
+		"my-role",
+		"secret",
+		false,
+	))
+
+	config := v.MustReadRequired(path)
+	v.AssertSecret(config).Data().
+		HasKey("plugin_name", "postgresql-database-plugin").
+		HasKeyExists("allowed_roles")
+}
+
+// testPostgreSQLConnectionConfigListReturnsNamesOnly verifies LIST
+// /database/config returns configured connection names only, without
+// sensitive config details.
+func testPostgreSQLConnectionConfigListReturnsNamesOnly(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	configPath := mount + "/config"
+
+	firstName := "postgres-list-config-one"
+	secondName := "postgres-list-config-two"
+
+	writeConfig := func(name string) {
+		t.Helper()
+
+		v.MustWrite(configPath+"/"+name, postgresConnectionConfigPayload(connURL, "*", "secret", false))
+	}
+
+	writeConfig(firstName)
+	writeConfig(secondName)
+
+	listResp, err := v.Client.Logical().List(configPath)
+	require.NoError(t, err)
+	require.NotNil(t, listResp)
+	require.NotNil(t, listResp.Data)
+
+	keysAny, ok := listResp.Data["keys"].([]any)
+	require.True(t, ok, "expected keys list in LIST response")
+
+	keys := make([]string, 0, len(keysAny))
+	for _, raw := range keysAny {
+		k, ok := raw.(string)
+		require.True(t, ok, "expected string key in LIST response")
+		keys = append(keys, k)
+	}
+
+	require.True(t, slices.Contains(keys, firstName), "expected first connection name in list")
+	require.True(t, slices.Contains(keys, secondName), "expected second connection name in list")
+
+	require.NotContains(t, listResp.Data, "connection_details")
+	require.NotContains(t, listResp.Data, "connection_url")
+	require.NotContains(t, listResp.Data, "username")
+	require.NotContains(t, listResp.Data, "password")
+	require.NotContains(t, listResp.Data, "private_key")
+	require.NotContains(t, listResp.Data, "service_account_json")
+}
+
+// testPostgreSQLConnectionConfigReadRedactsSensitiveFields verifies that reading
+// a PostgreSQL connection config returns sanitized connection details.
+func testPostgreSQLConnectionConfigReadRedactsSensitiveFields(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	path := mount + "/config/postgres-read-config-redaction"
+	v.MustWrite(path, postgresConnectionConfigPayload(connURL, "*", "secret", false))
+
+	config := v.MustReadRequired(path)
+	v.AssertSecret(config).Data().
+		HasKey("plugin_name", "postgresql-database-plugin").
+		HasKeyExists("connection_details")
+
+	connectionDetails, ok := config.Data["connection_details"].(map[string]any)
+	require.True(t, ok, "expected connection_details in response")
+
+	if _, exists := connectionDetails["password"]; exists {
+		t.Fatal("password should NOT be found in the returned config")
+	}
+	if _, exists := connectionDetails["private_key"]; exists {
+		t.Fatal("private_key should NOT be found in the returned config")
+	}
+	if _, exists := connectionDetails["service_account_json"]; exists {
+		t.Fatal("service_account_json should NOT be found in the returned config")
+	}
+
+	returnedConnURL, ok := connectionDetails["connection_url"].(string)
+	require.True(t, ok, "expected connection_url in connection_details")
+	require.NotContains(t, returnedConnURL, "secret", "connection_url should be redacted")
+}
+
+// testPostgreSQLConnectionConfigUpdateVerifyConnectionValidConnection verifies
+// that configuration succeeds with verify_connection=true when credentials are
+// valid.
+func testPostgreSQLConnectionConfigUpdateVerifyConnectionValidConnection(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	templatedConnURL := strings.Replace(connURL, "postgres:secret@", "{{username}}:{{password}}@", 1)
+	if templatedConnURL == connURL {
+		t.Fatalf("failed to templatize postgres connection URL: %q", connURL)
+	}
+
+	path := mount + "/config/postgres-verify-enabled"
+	v.MustWrite(path, postgresConnectionConfigPayload(templatedConnURL, "*", "secret", true))
+
+	config := v.MustReadRequired(path)
+	v.AssertSecret(config).Data().
+		HasKey("plugin_name", "postgresql-database-plugin").
+		HasKeyExists("allowed_roles")
+}
+
+// testPostgreSQLConnectionConfigUpdateVerifyConnectionInvalidCredentials
+// verifies that configuration fails with verify_connection=true when
+// credentials are intentionally invalid.
+func testPostgreSQLConnectionConfigUpdateVerifyConnectionInvalidCredentials(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	templatedConnURL := strings.Replace(connURL, "postgres:secret@", "{{username}}:{{password}}@", 1)
+	if templatedConnURL == connURL {
+		t.Fatalf("failed to templatize postgres connection URL: %q", connURL)
+	}
+
+	path := mount + "/config/postgres-verify-enabled-invalid"
+	secret, err := v.Client.Logical().Write(path, postgresConnectionConfigPayload(templatedConnURL, "*", "intentionally-invalid-password", true))
+
+	require.Error(t, err)
+	require.Nil(t, secret)
+}
+
+// testPostgreSQLConnectionConfigResetConnectionSuccess verifies that resetting a
+// PostgreSQL database connection succeeds and preserves the stored connection
+// configuration.
+func testPostgreSQLConnectionConfigResetConnectionSuccess(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	connectionName := "my-postgres-db"
+	configPath := fmt.Sprintf("%s/config/%s", mount, connectionName)
+	resetPath := fmt.Sprintf("%s/reset/%s", mount, connectionName)
+
+	templatedConnURL := strings.Replace(connURL, "postgres:secret@", "{{username}}:{{password}}@", 1)
+	if templatedConnURL == connURL {
+		t.Fatalf("failed to templatize postgres connection URL: %q", connURL)
+	}
+
+	v.MustWrite(configPath, postgresConnectionConfigPayload(templatedConnURL, "*", "secret", true))
+
+	configBeforeReset := v.MustReadRequired(configPath)
+
+	_, err := v.Client.Logical().Write(resetPath, nil)
+	require.NoError(t, err)
+
+	configAfterReset := v.MustReadRequired(configPath)
+	require.Equal(t, configBeforeReset.Data, configAfterReset.Data)
+}
+
+// testPostgreSQLConnectionConfigDeleteConnectionSuccess verifies that deleting
+// a PostgreSQL database connection removes it, prevents new credential
+// generation,
+// and remains idempotent when deleted again.
+func testPostgreSQLConnectionConfigDeleteConnectionSuccess(t *testing.T, v *blackbox.Session) {
+	requireVaultEnv(t)
+
+	cleanup, connURL := PrepareTestContainer(t)
+	defer cleanup()
+
+	mount := fmt.Sprintf("database-%s", sanitize(t.Name()))
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "database"})
+
+	connectionName := "postgres-secondary"
+	configPath := fmt.Sprintf("%s/config/%s", mount, connectionName)
+	roleName := "postgres-delete-connection-role"
+
+	v.MustWrite(configPath, postgresConnectionConfigPayload(connURL, "*", "secret", true))
+
+	creationSQL := `CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';`
+	v.MustCreateDBRole(mount, roleName, connectionName, creationSQL)
+
+	baselineCredsPath := fmt.Sprintf("%s/creds/%s", mount, roleName)
+	baselineCreds, err := v.Client.Logical().Read(baselineCredsPath)
+	require.NoError(t, err)
+	require.NotNil(t, baselineCreds)
+
+	_, err = v.Client.Logical().Delete(configPath)
+	require.NoError(t, err)
+
+	configAfterDelete, err := v.Client.Logical().Read(configPath)
+	require.NoError(t, err)
+	require.Nil(t, configAfterDelete, "config should be deleted")
+
+	credsAfterDelete, err := v.Client.Logical().Read(baselineCredsPath)
+	require.Error(t, err)
+	if credsAfterDelete != nil {
+		require.Empty(t, credsAfterDelete.Data)
+	}
+
+	_, err = v.Client.Logical().Delete(configPath)
+	require.NoError(t, err)
+}
+
+func postgresConnectionConfigPayload(connURL, allowedRoles, password string, verifyConnection bool) map[string]any {
+	return map[string]any{
+		"plugin_name":       "postgresql-database-plugin",
+		"connection_url":    connURL,
+		"username":          "postgres",
+		"password":          password,
+		"allowed_roles":     allowedRoles,
+		"verify_connection": verifyConnection,
+	}
+}
diff --git a/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_test_helper.go b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_test_helper.go
new file mode 100644
index 0000000000..c8f7fc4e8a
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/database/postgres/secret_postgresql_connection_test_helper.go
@@ -0,0 +1,180 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package postgres
+
+import (
+	"context"
+	"crypto/sha256"
+	"database/sql"
+	"encoding/hex"
+	"fmt"
+	"net/url"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/docker"
+	_ "github.com/jackc/pgx/v5/stdlib"
+)
+
+const (
+	defaultPGImage   = "docker.mirror.hashicorp.services/postgres"
+	defaultPGVersion = "16-alpine"
+	defaultPGPass    = "secret"
+)
+
+func defaultRunOpts(t *testing.T) docker.RunOptions {
+	return docker.RunOptions{
+		ContainerName: fmt.Sprintf("postgres-%s", sanitize(t.Name())),
+		ImageRepo:     defaultPGImage,
+		ImageTag:      defaultPGVersion,
+		Env: []string{
+			"POSTGRES_PASSWORD=" + defaultPGPass,
+			"POSTGRES_DB=database",
+		},
+		Ports:             []string{"5432/tcp"},
+		DoNotAutoRemove:   false,
+		OmitLogTimestamps: true,
+		LogConsumer: func(s string) {
+			if t.Failed() {
+				t.Logf("container logs: %s", s)
+			}
+		},
+	}
+}
+
+func requireVaultEnv(t *testing.T) {
+	t.Helper()
+
+	if os.Getenv("VAULT_ADDR") == "" || os.Getenv("VAULT_TOKEN") == "" {
+		t.Skip("skipping blackbox test: VAULT_ADDR and VAULT_TOKEN are required")
+	}
+}
+
+func PrepareTestContainer(t *testing.T) (func(), string) {
+	_, cleanup, connURL, _ := prepareTestContainer(t, defaultRunOpts(t), defaultPGPass, false, false, false)
+
+	return cleanup, connURL
+}
+
+func PrepareTestContainerMultiHost(t *testing.T) (func(), string) {
+	_, cleanup, connURL, _ := prepareTestContainer(t, defaultRunOpts(t), defaultPGPass, false, false, true)
+
+	return cleanup, connURL
+}
+
+func prepareTestContainer(t *testing.T, runOpts docker.RunOptions, password string, addSuffix, forceLocalAddr, useFallback bool,
+) (*docker.Runner, func(), string, string) {
+	requireVaultEnv(t)
+
+	if os.Getenv("PG_URL") != "" {
+		envPGURL := os.Getenv("PG_URL")
+		if useFallback {
+			envPGURL = withFallbackHost(envPGURL)
+		}
+		return nil, func() {}, envPGURL, ""
+	}
+
+	runner, err := docker.NewServiceRunner(runOpts)
+	if err != nil {
+		if strings.Contains(err.Error(), "Cannot connect to the Docker daemon") {
+			t.Fatalf("skipping blackbox test: docker daemon not available: %v", err)
+		}
+		t.Fatalf("Could not start docker Postgres: %s", err)
+	}
+
+	svc, containerID, err := runner.StartNewService(context.Background(), addSuffix, forceLocalAddr, connectPostgres(password, useFallback))
+	if err != nil {
+		if strings.Contains(err.Error(), "Cannot connect to the Docker daemon") {
+			t.Fatalf("skipping blackbox test: docker daemon not available: %v", err)
+		}
+		t.Fatalf("Could not start docker Postgres: %s", err)
+	}
+
+	return runner, svc.Cleanup, svc.Config.URL().String(), containerID
+}
+
+func withFallbackHost(connURL string) string {
+	u, err := url.Parse(connURL)
+	if err != nil || u.Host == "" {
+		return connURL
+	}
+
+	if strings.Contains(u.Host, "localhost:55,") {
+		return connURL
+	}
+
+	u.Host = "localhost:55," + u.Host
+	return u.String()
+}
+
+func sanitize(name string) string {
+	lower := strings.ToLower(name)
+	var b strings.Builder
+	b.Grow(len(lower))
+
+	lastDash := false
+	for _, r := range lower {
+		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
+			b.WriteRune(r)
+			lastDash = false
+			continue
+		}
+
+		if !lastDash {
+			b.WriteByte('-')
+			lastDash = true
+		}
+	}
+
+	out := strings.Trim(b.String(), "-")
+	if out == "" {
+		return "test"
+	}
+
+	if len(out) > 54 {
+		const hashLen = 8
+		sum := sha256.Sum256([]byte(out))
+		hash := hex.EncodeToString(sum[:])[:hashLen]
+		prefixLen := 54 - 1 - hashLen
+		out = out[:prefixLen] + "-" + hash
+	}
+
+	return out
+}
+
+func connectPostgres(password string, useFallback bool) docker.ServiceAdapter {
+	return func(ctx context.Context, host string, port int) (docker.ServiceConfig, error) {
+		hostAddr := fmt.Sprintf("%s:%d", host, port)
+		if useFallback {
+			// Use an unreachable first host to exercise driver fallback behavior.
+			hostAddr = "localhost:55," + hostAddr
+		}
+
+		u := url.URL{
+			Scheme:   "postgres",
+			User:     url.UserPassword("postgres", password),
+			Host:     hostAddr,
+			Path:     "postgres",
+			RawQuery: "sslmode=disable",
+		}
+
+		db, err := sql.Open("pgx", u.String())
+		if err != nil {
+			return nil, err
+		}
+		defer db.Close()
+
+		if err = db.Ping(); err != nil {
+			db.Close() // Explicit close on error
+			return nil, err
+		}
+
+		return docker.NewServiceURL(u), nil
+	}
+}
+
+func templatedConnectionURL(connURL string) string {
+	return strings.Replace(connURL, "postgres:secret@", "{{username}}:{{password}}@", 1)
+}
diff --git a/vault/external_tests/blackbox/plugins/ldap/helpers.go b/vault/external_tests/blackbox/plugins/ldap/helpers.go
new file mode 100644
index 0000000000..a2ce8f313a
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/helpers.go
@@ -0,0 +1,560 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// LDAPDomainConfig holds configuration for an isolated LDAP domain
+type LDAPDomainConfig struct {
+	URL      string // LDAP server URL (private IP for Vault operations)
+	SetupURL string // LDAP server URL (public IP for setup operations from GitHub runner)
+	BindDN   string // Admin bind DN
+	BindPass string // Admin bind password
+	BaseDN   string // Base DN for this domain (e.g., dc=bbsdk-xxx,dc=test,dc=enos,dc=com)
+	UserDN   string // User DN (e.g., ou=users,dc=bbsdk-xxx,dc=test,dc=enos,dc=com)
+	GroupDN  string // Group DN (e.g., ou=groups,dc=bbsdk-xxx,dc=test,dc=enos,dc=com)
+}
+
+// setupLDAPSecretsEngine configures the LDAP secrets engine with environment variables
+// Deprecated: Use SetupLDAPSecretsEngineWithConfig for isolated domain support
+func setupLDAPSecretsEngine(t *testing.T, v *blackbox.Session, mount string) {
+	// Enable LDAP secrets engine
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "ldap"})
+
+	// Configure using environment variables set by ldap.tf
+	ldapURLPrivate := os.Getenv("LDAP_URL_PRIVATE")
+	ldapBindDN := os.Getenv("LDAP_BIND_DN")
+	ldapBindPass := os.Getenv("LDAP_BIND_PASS")
+	ldapUsername := os.Getenv("LDAP_USERNAME") // "enos"
+
+	if ldapURLPrivate == "" || ldapBindDN == "" || ldapBindPass == "" || ldapUsername == "" {
+		t.Fatal("Required LDAP environment variables not set")
+	}
+
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   ldapBindDN,
+		"bindpass": ldapBindPass,
+		"url":      ldapURLPrivate,
+		"userdn":   "ou=users,dc=" + ldapUsername + ",dc=com",
+	})
+}
+
+// SetupLDAPSecretsEngineWithConfig configures the LDAP secrets engine with an isolated domain config
+func SetupLDAPSecretsEngineWithConfig(t *testing.T, v *blackbox.Session, mount string, config *LDAPDomainConfig) {
+	t.Helper()
+
+	// Enable LDAP secrets engine
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "ldap"})
+
+	// Configure using isolated domain config
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   config.BindDN,
+		"bindpass": config.BindPass,
+		"url":      config.URL,
+		"userdn":   config.UserDN,
+		"groupdn":  config.GroupDN,
+	})
+
+	t.Logf("Configured LDAP secrets engine at %s with isolated domain %s", mount, config.BaseDN)
+	t.Logf("DEBUG: LDAP Configuration:")
+	t.Logf("  URL: %s", config.URL)
+	t.Logf("  BindDN: %s", config.BindDN)
+	t.Logf("  UserDN: %s", config.UserDN)
+	t.Logf("  GroupDN: %s", config.GroupDN)
+	t.Logf("DEBUG: To test LDAP connection manually, run:")
+	t.Logf("  ldapsearch -x -H %s -b \"%s\" -D %s -w %s",
+		config.URL, config.BaseDN, config.BindDN, config.BindPass)
+}
+
+// WriteLibrarySetWithRetry writes an LDAP library set configuration with retry logic
+// LDAP library operations can take time as Vault verifies service accounts exist in LDAP
+// Uses a 60-second timeout to accommodate LDAP verification delays
+func WriteLibrarySetWithRetry(t *testing.T, v *blackbox.Session, path string, data map[string]any) {
+	t.Helper()
+
+	// Log debug information about what we're trying to create
+	t.Logf("DEBUG: Creating LDAP library set at path: %s", path)
+	t.Logf("DEBUG: Library set configuration: %+v", data)
+
+	// Extract service account names for debugging
+	if serviceAccounts, ok := data["service_account_names"].([]string); ok {
+		t.Logf("DEBUG: Vault will verify these service accounts exist in LDAP: %v", serviceAccounts)
+		t.Logf("DEBUG: If this times out, manually verify accounts exist with the ldapsearch commands logged above")
+	}
+
+	v.EventuallyWithTimeout(func() error {
+		_, err := v.Client.Logical().Write(path, data)
+		if err != nil {
+			t.Logf("DEBUG: Library set creation attempt failed: %v", err)
+		}
+		return err
+	}, 60*time.Second)
+
+	t.Logf("DEBUG: Successfully created LDAP library set at %s", path)
+}
+
+// checkLDAPUserExists verifies if a user exists in the LDAP directory
+func checkLDAPUserExists(t *testing.T, username string) bool {
+	ldapURLPrivate := os.Getenv("LDAP_URL_PRIVATE")
+	ldapUsername := os.Getenv("LDAP_USERNAME")
+	ldapAdminPw := os.Getenv("LDAP_ADMIN_PW")
+
+	cmd := exec.Command(
+		"ldapsearch",
+		"-x",
+		"-H", ldapURLPrivate,
+		"-b", "ou=users,dc="+ldapUsername+",dc=com",
+		"-D", "cn=admin,dc="+ldapUsername+",dc=com",
+		"-w", ldapAdminPw,
+		"(uid="+username+")",
+	)
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Logf("LDAP search command failed: %v", err)
+		return false
+	}
+
+	return strings.Contains(string(output), "dn:")
+}
+
+// getLDIFPath returns the full path to an LDIF file in testdata
+func getLDIFPath(filename string) string {
+	_, currentFile, _, _ := runtime.Caller(0)
+	dir := filepath.Dir(currentFile)
+	return filepath.Join(dir, "testdata", filename)
+}
+
+// skipIfLDAPNotAvailable skips the test if LDAP configuration is not available
+func skipIfLDAPNotAvailable(t *testing.T) {
+	if os.Getenv("LDAP_URL_PRIVATE") == "" {
+		t.Skip("LDAP configuration not available - skipping LDAP test")
+	}
+}
+
+// isCI returns true if running in a CI environment
+func isCI() bool {
+	return os.Getenv("CI") != "" ||
+		os.Getenv("GITHUB_ACTIONS") != "" ||
+		os.Getenv("ENOS_VAR_ci") != ""
+}
+
+// maskPassword masks a password for logging, showing only first 2 and last 2 characters
+func maskPassword(password string) string {
+	if len(password) <= 4 {
+		return "****"
+	}
+	return password[:2] + "****" + password[len(password)-2:]
+}
+
+// waitForLDAP waits for the LDAP server to be ready by repeatedly attempting to connect
+func waitForLDAP(t *testing.T, config *LDAPDomainConfig, timeout time.Duration) {
+	t.Helper()
+
+	deadline := time.Now().Add(timeout)
+	attempt := 0
+
+	for time.Now().Before(deadline) {
+		attempt++
+		cmd := exec.Command(
+			"ldapsearch",
+			"-x",
+			"-H", config.SetupURL, // Use public IP for connectivity checks from GitHub runner
+			"-D", config.BindDN,
+			"-w", config.BindPass,
+			"-b", "",
+			"-s", "base",
+			"objectClass=*",
+		)
+
+		if output, err := cmd.CombinedOutput(); err == nil {
+			t.Logf("LDAP server ready after %d attempts", attempt)
+			return
+		} else {
+			if attempt == 1 || attempt%5 == 0 {
+				t.Logf("LDAP connectivity check attempt %d failed, retrying... (output: %s)", attempt, string(output))
+			}
+		}
+
+		time.Sleep(1 * time.Second)
+	}
+
+	t.Fatalf("LDAP server at %s did not become ready within %v", config.SetupURL, timeout)
+}
+
+// PrepareTestLDAPDomain creates an isolated LDAP domain for the test session.
+// Uses the session's namespace to create a unique domain within the existing LDAP server.
+//
+// Parameters:
+//   - t: The test instance
+//   - session: The blackbox test session (provides unique namespace)
+//   - requireIsolation: If true (CI mode), fails test if domain creation fails.
+//     If false (dev mode), skips test if domain creation fails.
+//
+// Returns:
+//   - cleanup: Function to delete the domain and all its contents
+//   - config: LDAP config with domain-specific settings
+//   - error: Non-nil if domain creation failed
+func PrepareTestLDAPDomain(
+	t *testing.T,
+	session *blackbox.Session,
+	requireIsolation bool,
+) (cleanup func(), config *LDAPDomainConfig, err error) {
+	t.Helper()
+
+	// Get LDAP connection info from environment (set by Enos)
+	// LDAP_URL_PRIVATE: ldap url to ldap internal listerning Vault operations (runs on Vault leader)
+	// LDAP_SERVER_PUBLIC: public URL ldap external listener for setup operations (runs from GitHub runner)
+	ldapURLPrivate := os.Getenv("LDAP_URL_PRIVATE")
+	ldapURLPublic := os.Getenv("LDAP_URL_PUBLIC")
+	ldapBindDN := os.Getenv("LDAP_BIND_DN")
+	ldapBindPass := os.Getenv("LDAP_BIND_PASS")
+
+	t.Logf("LDAP Environment: LDAP_URL_PRIVATE=%s LDAP_URL_PUBLIC=%s LDAP_BIND_DN=%s LDAP_BIND_PASS=%s",
+		ldapURLPrivate, ldapURLPublic, ldapBindDN, maskPassword(ldapBindPass))
+
+	if ldapURLPrivate == "" || ldapURLPublic == "" || ldapBindDN == "" || ldapBindPass == "" {
+		err := fmt.Errorf("LDAP environment variables not set")
+		if requireIsolation {
+			return nil, nil, fmt.Errorf("%w - required in CI", err)
+		}
+		return nil, nil, fmt.Errorf("%w - skipping in dev", err)
+	}
+
+	// Create unique organizational units under the existing dc=enos,dc=com domain
+	// This avoids needing to create intermediate domain components
+	domainName := session.Namespace // e.g., "bbsdk-a1b2c3d4"
+	baseDN := "dc=enos,dc=com"      // Use existing base domain
+
+	config = &LDAPDomainConfig{
+		URL:      ldapURLPrivate,
+		BindDN:   ldapBindDN,
+		BindPass: ldapBindPass,
+		BaseDN:   baseDN,
+		UserDN:   fmt.Sprintf("ou=%s-users,%s", domainName, baseDN),
+		GroupDN:  fmt.Sprintf("ou=%s-groups,%s", domainName, baseDN),
+	}
+
+	// Store public IP for setup operations (ldapadd commands from GitHub runner)
+	config.SetupURL = ldapURLPublic
+
+	// Create domain structure
+	if err := createDomain(t, session, config); err != nil {
+		if requireIsolation {
+			return nil, nil, fmt.Errorf("failed to create LDAP domain in CI: %w", err)
+		}
+		return nil, nil, fmt.Errorf("failed to create LDAP domain: %w", err)
+	}
+
+	cleanup = func() {
+		deleteDomain(t, config)
+	}
+
+	return cleanup, config, nil
+}
+
+// createDomain creates isolated organizational units for the test session
+// Uses Eventually to retry the operation until LDAP server is ready
+func createDomain(t *testing.T, session *blackbox.Session, config *LDAPDomainConfig) error {
+	t.Helper()
+
+	// Extract OU names from UserDN and GroupDN
+	// e.g., "ou=bbsdk-xxx-users,dc=enos,dc=com" -> "bbsdk-xxx-users"
+	userOU := strings.TrimPrefix(strings.Split(config.UserDN, ",")[0], "ou=")
+	groupOU := strings.TrimPrefix(strings.Split(config.GroupDN, ",")[0], "ou=")
+
+	// Create LDIF for isolated organizational units only
+	// The base domain dc=enos,dc=com already exists
+	ldif := fmt.Sprintf(`dn: %s
+objectClass: top
+objectClass: organizationalUnit
+ou: %s
+
+dn: %s
+objectClass: top
+objectClass: organizationalUnit
+ou: %s
+`, config.UserDN, userOU, config.GroupDN, groupOU)
+
+	// Log the exact command for debugging (using SetupURL for public IP)
+	t.Logf("DEBUG: Creating LDAP domain OUs with command:")
+	t.Logf("  echo '%s' | ldapadd -x -H %s -D %s -w %s",
+		strings.ReplaceAll(ldif, "\n", "\\n"), config.SetupURL, config.BindDN, config.BindPass)
+	t.Logf("DEBUG: To verify OUs exist, run:")
+	t.Logf("  ldapsearch -x -H %s -b \"dc=enos,dc=com\" -D %s -w %s \"(objectClass=organizationalUnit)\"",
+		config.SetupURL, config.BindDN, config.BindPass)
+
+	// Wait for LDAP server to be ready with extended timeout (30 seconds)
+	// LDAP containers can take time to fully initialize, especially in CI environments
+	t.Logf("Waiting for LDAP server to be ready at %s", config.SetupURL)
+
+	waitForLDAP(t, config, 30*time.Second)
+
+	// Use Eventually to retry ldapadd until LDAP server is ready
+	session.Eventually(func() error {
+		cmd := exec.Command(
+			"ldapadd",
+			"-x",
+			"-H", config.SetupURL, // Use public IP for setup operations from GitHub runner
+			"-D", config.BindDN,
+			"-w", config.BindPass,
+		)
+		cmd.Stdin = strings.NewReader(ldif)
+
+		var stderr bytes.Buffer
+		cmd.Stderr = &stderr
+
+		if err := cmd.Run(); err != nil {
+			t.Logf("ldapadd attempt failed: %v, stderr: %s", err, stderr.String())
+			return fmt.Errorf("ldapadd failed: %w, stderr: %s", err, stderr.String())
+		}
+		return nil
+	})
+
+	t.Logf("Created isolated LDAP domain: %s", config.BaseDN)
+	return nil
+}
+
+// deleteDomain recursively deletes the isolated organizational units
+func deleteDomain(t *testing.T, config *LDAPDomainConfig) {
+	t.Helper()
+
+	// Delete both user and group OUs
+	for _, dn := range []string{config.UserDN, config.GroupDN} {
+		cmd := exec.Command(
+			"ldapdelete",
+			"-x",
+			"-r",                  // recursive
+			"-H", config.SetupURL, // Use public IP for cleanup operations from GitHub runner
+			"-D", config.BindDN,
+			"-w", config.BindPass,
+			dn,
+		)
+
+		var stderr bytes.Buffer
+		cmd.Stderr = &stderr
+
+		if err := cmd.Run(); err != nil {
+			t.Logf("Warning: Failed to delete LDAP OU %s: %v, stderr: %s", dn, err, stderr.String())
+		} else {
+			t.Logf("Deleted isolated LDAP OU: %s", dn)
+		}
+	}
+}
+
+// CreateLDAPUser creates a user in the isolated domain
+func CreateLDAPUser(t *testing.T, config *LDAPDomainConfig, username, password string) error {
+	t.Helper()
+
+	// Create LDIF for user
+	userDN := fmt.Sprintf("uid=%s,%s", username, config.UserDN)
+	ldif := fmt.Sprintf(`dn: %s
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: %s
+cn: %s
+sn: %s
+userPassword: %s
+`, userDN, username, username, username, password)
+
+	// Log the exact command for debugging (using SetupURL for public IP)
+	t.Logf("DEBUG: Creating LDAP user with command:")
+	t.Logf("  echo '%s' | ldapadd -x -H %s -D %s -w %s",
+		strings.ReplaceAll(ldif, "\n", "\\n"), config.SetupURL, config.BindDN, config.BindPass)
+	t.Logf("DEBUG: To verify user exists, run:")
+	t.Logf("  ldapsearch -x -H %s -b \"%s\" -D %s -w %s \"(uid=%s)\"",
+		config.SetupURL, config.UserDN, config.BindDN, config.BindPass, username)
+	t.Logf("DEBUG: To test bind as user, run:")
+	t.Logf("  ldapsearch -x -H %s -b \"dc=enos,dc=com\" -D \"%s\" -w \"%s\" -s base",
+		config.SetupURL, userDN, password)
+
+	cmd := exec.Command(
+		"ldapadd",
+		"-x",
+		"-H", config.SetupURL, // Use public IP for setup operations from GitHub runner
+		"-D", config.BindDN,
+		"-w", config.BindPass,
+	)
+	cmd.Stdin = strings.NewReader(ldif)
+
+	var stderr bytes.Buffer
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to create user %s: %w, stderr: %s", username, err, stderr.String())
+	}
+
+	t.Logf("Created LDAP user: %s", userDN)
+	return nil
+}
+
+// CreateLDAPGroup creates a group in the isolated domain
+func CreateLDAPGroup(t *testing.T, config *LDAPDomainConfig, groupName string, members []string) error {
+	t.Helper()
+
+	groupDN := fmt.Sprintf("cn=%s,%s", groupName, config.GroupDN)
+
+	// Build member DNs
+	var memberDNs []string
+	for _, member := range members {
+		memberDN := fmt.Sprintf("uid=%s,%s", member, config.UserDN)
+		memberDNs = append(memberDNs, fmt.Sprintf("member: %s", memberDN))
+	}
+
+	// Create LDIF for group
+	ldif := fmt.Sprintf(`dn: %s
+objectClass: top
+objectClass: groupOfNames
+cn: %s
+%s
+`, groupDN, groupName, strings.Join(memberDNs, "\n"))
+
+	cmd := exec.Command(
+		"ldapadd",
+		"-x",
+		"-H", config.URL,
+		"-D", config.BindDN,
+		"-w", config.BindPass,
+	)
+	cmd.Stdin = strings.NewReader(ldif)
+
+	var stderr bytes.Buffer
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to create group %s: %w, stderr: %s", groupName, err, stderr.String())
+	}
+
+	t.Logf("Created LDAP group: %s with %d members", groupDN, len(members))
+	return nil
+}
+
+// AddUserToGroup adds a user to a group in the isolated domain
+func AddUserToGroup(t *testing.T, config *LDAPDomainConfig, username, groupName string) error {
+	t.Helper()
+
+	groupDN := fmt.Sprintf("cn=%s,%s", groupName, config.GroupDN)
+	userDN := fmt.Sprintf("uid=%s,%s", username, config.UserDN)
+
+	// Create LDIF for adding member
+	ldif := fmt.Sprintf(`dn: %s
+changetype: modify
+add: member
+member: %s
+`, groupDN, userDN)
+
+	cmd := exec.Command(
+		"ldapmodify",
+		"-x",
+		"-H", config.URL,
+		"-D", config.BindDN,
+		"-w", config.BindPass,
+	)
+	cmd.Stdin = strings.NewReader(ldif)
+
+	var stderr bytes.Buffer
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to add user %s to group %s: %w, stderr: %s", username, groupName, err, stderr.String())
+	}
+
+	t.Logf("Added user %s to group %s", username, groupName)
+	return nil
+}
+
+// RemoveUserFromGroup removes a user from a group in the isolated domain
+func RemoveUserFromGroup(t *testing.T, config *LDAPDomainConfig, username, groupName string) error {
+	t.Helper()
+
+	groupDN := fmt.Sprintf("cn=%s,%s", groupName, config.GroupDN)
+	userDN := fmt.Sprintf("uid=%s,%s", username, config.UserDN)
+
+	// Create LDIF for removing member
+	ldif := fmt.Sprintf(`dn: %s
+changetype: modify
+delete: member
+member: %s
+`, groupDN, userDN)
+
+	cmd := exec.Command(
+		"ldapmodify",
+		"-x",
+		"-H", config.URL,
+		"-D", config.BindDN,
+		"-w", config.BindPass,
+	)
+	cmd.Stdin = strings.NewReader(ldif)
+
+	var stderr bytes.Buffer
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to remove user %s from group %s: %w, stderr: %s", username, groupName, err, stderr.String())
+	}
+
+	t.Logf("Removed user %s from group %s", username, groupName)
+	return nil
+}
+
+// CheckLDAPUserExistsInDomain verifies if a user exists in the isolated domain
+func CheckLDAPUserExistsInDomain(t *testing.T, config *LDAPDomainConfig, username string) bool {
+	t.Helper()
+
+	cmd := exec.Command(
+		"ldapsearch",
+		"-x",
+		"-H", config.URL,
+		"-b", config.UserDN,
+		"-D", config.BindDN,
+		"-w", config.BindPass,
+		fmt.Sprintf("(uid=%s)", username),
+	)
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Logf("LDAP search command failed: %v", err)
+		return false
+	}
+
+	return strings.Contains(string(output), "dn:")
+}
+
+// createDynamicRole creates a dynamic role with standard configuration
+func createDynamicRole(v *blackbox.Session, mount, roleName string, config map[string]any) {
+	defaultConfig := map[string]any{
+		"username_template": "v-test-{{random 8}}",
+		"default_ttl":       "1h",
+		"max_ttl":           "24h",
+	}
+
+	// Merge provided config with defaults
+	for k, v := range config {
+		defaultConfig[k] = v
+	}
+
+	v.MustWrite(mount+"/role/"+roleName, defaultConfig)
+}
+
+// TODO: Add more helper functions as needed for common LDAP operations
+// - verifyRoleExists(v, mount, roleName)
+// - deleteRole(v, mount, roleName)
+// - generateCredentials(v, mount, roleName)
+// - parseAuditLog(logPath)
+// - waitForLDAPOperation(timeout)
diff --git a/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_audit_test.go b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_audit_test.go
new file mode 100644
index 0000000000..5833bcbc10
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_audit_test.go
@@ -0,0 +1,49 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"testing"
+)
+
+// TestLDAPDynamicRoleAuditTrail tests audit logging for dynamic roles
+// Converts: dynamic-roles-audit.sh
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleAuditTrail(t *testing.T) {
+	t.Skip("Test implementation pending - skipping dynamic role audit test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
+
+// TestLDAPDynamicRoleAuditSensitiveData tests handling of sensitive data in audit logs
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleAuditSensitiveData(t *testing.T) {
+	t.Skip("Test implementation pending - skipping audit sensitive data test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
diff --git a/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_deletion_test.go b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_deletion_test.go
new file mode 100644
index 0000000000..41d6afa4bd
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_deletion_test.go
@@ -0,0 +1,69 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"testing"
+)
+
+// TestLDAPDynamicRoleDeletion tests dynamic role deletion scenarios
+// Converts: dynamic-roles-deletion.sh
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleDeletion(t *testing.T) {
+	t.Skip("Test implementation pending - skipping dynamic role deletion test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
+
+// TestLDAPDynamicRoleDeletionWithActiveCredentials tests deletion when credentials exist
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleDeletionWithActiveCredentials(t *testing.T) {
+	t.Skip("Test implementation pending - skipping deletion with active credentials test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
+
+// TestLDAPDynamicRoleBulkDeletion tests deletion of multiple roles
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleBulkDeletion(t *testing.T) {
+	t.Skip("Test implementation pending - skipping bulk deletion test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
diff --git a/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_roles_test.go b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_roles_test.go
new file mode 100644
index 0000000000..60385f60e7
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_roles_test.go
@@ -0,0 +1,71 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"testing"
+)
+
+// TestLDAPDynamicRoleBasicOperations tests basic dynamic role CRUD operations
+// Converts: dynamic-roles.sh
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleBasicOperations(t *testing.T) {
+	t.Skip("Test implementation pending - skipping dynamic role test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
+
+// TestLDAPDynamicRoleListing tests role listing operations
+// Converts: dynamic-roles-listing.sh
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleListing(t *testing.T) {
+	t.Skip("Test implementation pending - skipping dynamic role listing test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
+
+// TestLDAPDynamicRoleValidation tests role validation scenarios
+// Converts: dynamic-roles-validation.sh
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleValidation(t *testing.T) {
+	t.Skip("Test implementation pending - skipping dynamic role validation test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
diff --git a/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_rollback_test.go b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_rollback_test.go
new file mode 100644
index 0000000000..3562f0ebbd
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_dynamic_rollback_test.go
@@ -0,0 +1,49 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"testing"
+)
+
+// TestLDAPDynamicRoleRollbackOnCreationFailure tests rollback scenarios
+// Converts: dynamic-roles-rollback.sh
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleRollbackOnCreationFailure(t *testing.T) {
+	t.Skip("Test implementation pending - skipping dynamic role rollback test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
+
+// TestLDAPDynamicRoleRollbackOnDeletionFailure tests deletion rollback
+// TODO: Implement with isolated domain support when ready
+func TestLDAPDynamicRoleRollbackOnDeletionFailure(t *testing.T) {
+	t.Skip("Test implementation pending - skipping dynamic role deletion rollback test")
+
+	// When implementing, use this pattern:
+	// v := blackbox.New(t)
+	// cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	// if err != nil {
+	//     if isCI() {
+	//         t.Fatalf("Failed to create LDAP domain in CI: %v", err)
+	//     }
+	//     t.Skipf("LDAP domain creation not available: %v", err)
+	// }
+	// defer cleanup()
+	//
+	// SetupLDAPSecretsEngineWithConfig(t, v, "ldap", ldapConfig)
+	// ... rest of test implementation
+}
diff --git a/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_root_credential_rollback_test.go b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_root_credential_rollback_test.go
new file mode 100644
index 0000000000..0d7acc82e0
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_root_credential_rollback_test.go
@@ -0,0 +1,316 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestLDAPRootCredentialRollbackWorkflows runs all rollback workflow tests
+// This is the main test function that gets triggered by enos-scenario-plugin.hcl
+func TestLDAPRootCredentialRollbackWorkflows(t *testing.T) {
+	t.Run("RollbackSuccess", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testLDAPRootCredentialRollbackSuccess(t, v)
+	})
+
+	t.Run("RollbackFailure", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testLDAPRootCredentialRollbackFailure(t, v)
+	})
+
+	t.Run("AutomaticRollback", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testLDAPRootCredentialAutomaticRollbackOnFailure(t, v)
+	})
+}
+
+// testLDAPRootCredentialRollbackSuccess tests successful rollback when rotation fails
+// Converts: secrets-rollback-invalid-config.sh
+// Scenario: Rotation fails with invalid LDAP endpoint, old password is preserved
+func testLDAPRootCredentialRollbackSuccess(t *testing.T, v *blackbox.Session) {
+	// Create isolated LDAP domain for this test
+	cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	if err != nil {
+		if isCI() {
+			t.Fatalf("LDAP domain creation failed in CI: %v", err)
+		}
+		t.Skipf("LDAP domain creation not available: %v", err)
+	}
+	defer cleanup()
+
+	// Create admin user in isolated domain
+	adminUser := "admin-rollback-success"
+	adminPassword := "initial-password-123"
+	if err := CreateLDAPUser(t, ldapConfig, adminUser, adminPassword); err != nil {
+		t.Fatalf("Failed to create admin user: %v", err)
+	}
+
+	// Configure LDAP secrets engine with valid config
+	mount := "ldap-rollback-success"
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "ldap"})
+
+	adminDN := fmt.Sprintf("uid=%s,%s", adminUser, ldapConfig.UserDN)
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   adminDN,
+		"bindpass": adminPassword,
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+
+	// Verify baseline LDAP authentication works
+	if !verifyLDAPAuth(t, ldapConfig, adminDN, adminPassword) {
+		t.Fatal("Baseline LDAP authentication failed")
+	}
+	t.Log("✓ Baseline LDAP authentication successful")
+
+	// Poison Vault config with unreachable LDAP endpoint (port 9999)
+	badURL := strings.Replace(ldapConfig.URL, ldapConfig.URL[strings.LastIndex(ldapConfig.URL, ":")+1:], "9999", 1)
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   adminDN,
+		"bindpass": adminPassword,
+		"url":      badURL,
+		"userdn":   ldapConfig.UserDN,
+	})
+	t.Logf("Poisoned config with unreachable endpoint: %s", badURL)
+
+	// Attempt rotation (should fail)
+	_, err = v.Client.Logical().Write(mount+"/rotate-root", nil)
+	if err == nil {
+		t.Fatal("Expected rotation to fail with invalid endpoint, but it succeeded")
+	}
+	t.Logf("✓ Rotation failed as expected: %v", err)
+
+	// Restore valid config
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   adminDN,
+		"bindpass": adminPassword,
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+
+	// Verify old password still works (rollback success) with retry
+	v.Eventually(func() error {
+		if !verifyLDAPAuth(t, ldapConfig, adminDN, adminPassword) {
+			return fmt.Errorf("LDAP authentication failed")
+		}
+		return nil
+	})
+	t.Log("✓ ROLLBACK SUCCESS: Old password preserved after failed rotation")
+
+	// Verify Vault can read LDAP config
+	configResp := v.MustRead(mount + "/config")
+	if configResp.Data == nil {
+		t.Fatal("Failed to read LDAP config after recovery")
+	}
+	t.Log("✓ Vault reconnected successfully")
+}
+
+// testLDAPRootCredentialRollbackFailure tests critical failure scenarios
+// Converts: secrets-rollback-creds-mismatch.sh
+// Scenario: Rotation with wrong binddn AND wrong password (credential mismatch)
+func testLDAPRootCredentialRollbackFailure(t *testing.T, v *blackbox.Session) {
+	// Create isolated LDAP domain for this test
+	cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	if err != nil {
+		if isCI() {
+			t.Fatalf("LDAP domain creation failed in CI: %v", err)
+		}
+		t.Skipf("LDAP domain creation not available: %v", err)
+	}
+	defer cleanup()
+
+	// Create admin user in isolated domain
+	adminUser := "admin-rollback-failure"
+	adminPassword := "initial-password-456"
+	if err := CreateLDAPUser(t, ldapConfig, adminUser, adminPassword); err != nil {
+		t.Fatalf("Failed to create admin user: %v", err)
+	}
+
+	// Configure LDAP secrets engine with valid config
+	mount := "ldap-rollback-failure"
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "ldap"})
+
+	adminDN := fmt.Sprintf("uid=%s,%s", adminUser, ldapConfig.UserDN)
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   adminDN,
+		"bindpass": adminPassword,
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+
+	// Verify baseline LDAP authentication works
+	if !verifyLDAPAuth(t, ldapConfig, adminDN, adminPassword) {
+		t.Fatal("Baseline LDAP authentication failed")
+	}
+	t.Log("✓ Baseline LDAP authentication successful")
+
+	// Poison Vault config with wrong binddn AND wrong password (credential mismatch)
+	badBindDN := fmt.Sprintf("cn=nonexistent-admin,%s", ldapConfig.BaseDN)
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   badBindDN,
+		"bindpass": "intentionally-wrong-password",
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+	t.Logf("Poisoned config with bad credentials: binddn=%s", badBindDN)
+
+	// Attempt rotation (should fail with credential mismatch)
+	_, rotationErr := v.Client.Logical().Write(mount+"/rotate-root", nil)
+	if rotationErr == nil {
+		t.Fatal("Expected rotation to fail with credential mismatch, but it succeeded")
+	}
+	t.Logf("✓ Rotation failed as expected with credential mismatch: %v", rotationErr)
+
+	// Restore correct config for recovery
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   adminDN,
+		"bindpass": adminPassword,
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+
+	// Post-recovery validation
+	configResp := v.MustRead(mount + "/config")
+	if configResp.Data == nil {
+		t.Fatal("CRITICAL: Vault failed to reconnect after recovery")
+	}
+	t.Log("✓ Vault reconnected after recovery")
+
+	// Verify LDAP authentication after recovery
+	if !verifyLDAPAuth(t, ldapConfig, adminDN, adminPassword) {
+		t.Fatal("CRITICAL: LDAP authentication failed after recovery")
+	}
+	t.Log("✓ LDAP authentication successful after recovery")
+}
+
+// testLDAPRootCredentialAutomaticRollbackOnFailure tests automatic rollback mechanism
+// Converts: secrets-rollback-transactional.sh
+// Scenario: System consistency after mid-rotation failure with automatic rollback
+func testLDAPRootCredentialAutomaticRollbackOnFailure(t *testing.T, v *blackbox.Session) {
+	// Create isolated LDAP domain for this test
+	cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	if err != nil {
+		if isCI() {
+			t.Fatalf("LDAP domain creation failed in CI: %v", err)
+		}
+		t.Skipf("LDAP domain creation not available: %v", err)
+	}
+	defer cleanup()
+
+	// Create admin user in isolated domain
+	adminUser := "admin-auto-rollback"
+	adminPassword := "initial-password-789"
+	if err := CreateLDAPUser(t, ldapConfig, adminUser, adminPassword); err != nil {
+		t.Fatalf("Failed to create admin user: %v", err)
+	}
+
+	// Configure LDAP secrets engine with valid config
+	mount := "ldap-auto-rollback"
+	v.MustEnableSecretsEngine(mount, &api.MountInput{Type: "ldap"})
+
+	adminDN := fmt.Sprintf("uid=%s,%s", adminUser, ldapConfig.UserDN)
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   adminDN,
+		"bindpass": adminPassword,
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+
+	// Verify baseline LDAP health
+	if !verifyLDAPAuth(t, ldapConfig, adminDN, adminPassword) {
+		t.Fatal("Baseline LDAP authentication failed")
+	}
+	t.Log("✓ Baseline LDAP authentication successful")
+
+	// Verify LDAP config is readable before rotation
+	configResp := v.MustRead(mount + "/config")
+	if configResp.Data == nil {
+		t.Fatal("LDAP config not readable before rotation")
+	}
+	t.Log("✓ LDAP config readable before rotation")
+
+	// Pre-poison config BEFORE rotation attempt (deterministic test)
+	badBindDN := fmt.Sprintf("cn=nonexistent,%s", ldapConfig.BaseDN)
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   badBindDN,
+		"bindpass": "wrong-password",
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+	t.Log("Pre-poisoned config with invalid credentials before rotation")
+
+	// Attempt rotation with poisoned config (should fail immediately)
+	_, rotationErr := v.Client.Logical().Write(mount+"/rotate-root", nil)
+	if rotationErr == nil {
+		t.Fatal("Expected rotation to fail with poisoned config, but it succeeded")
+	}
+	t.Logf("✓ Rotation failed as expected with poisoned config: %v", rotationErr)
+
+	// Restore valid config for recovery
+	v.MustWrite(mount+"/config", map[string]any{
+		"binddn":   adminDN,
+		"bindpass": adminPassword,
+		"url":      ldapConfig.URL,
+		"userdn":   ldapConfig.UserDN,
+	})
+	t.Log("Restored valid config after failed rotation")
+
+	// Verify old password still works (rollback success) with retry
+	v.Eventually(func() error {
+		if !verifyLDAPAuth(t, ldapConfig, adminDN, adminPassword) {
+			return fmt.Errorf("LDAP authentication failed")
+		}
+		return nil
+	})
+	t.Log("✓ AUTOMATIC ROLLBACK SUCCESS: Old password still works after failed rotation")
+
+	// Verify Vault is operational after recovery
+	v.Eventually(func() error {
+		resp, err := v.Client.Logical().Read(mount + "/config")
+		if err != nil {
+			return fmt.Errorf("cannot read LDAP config: %w", err)
+		}
+		if resp == nil || resp.Data == nil {
+			return fmt.Errorf("LDAP config data is nil")
+		}
+		return nil
+	})
+	t.Log("✓ Vault operational: Can read LDAP config after recovery")
+}
+
+// verifyLDAPAuth verifies LDAP authentication using ldapwhoami
+// Returns true if authentication succeeds, false otherwise
+// Note: Callers should use v.Eventually() for retry logic
+func verifyLDAPAuth(t *testing.T, config *LDAPDomainConfig, bindDN, password string) bool {
+	t.Helper()
+
+	// Use SetupURL (public IP) for authentication checks from GitHub runner
+	// config.URL contains private IP which is only accessible from Vault cluster
+
+	cmd := exec.Command(
+		"ldapwhoami",
+		"-x",
+		"-H", config.SetupURL,
+		"-D", bindDN,
+		"-w", password,
+	)
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Logf("LDAP authentication failed for %s: %v, output: %s", bindDN, err, string(output))
+		return false
+	}
+
+	return true
+}
diff --git a/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_test.go b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_test.go
new file mode 100644
index 0000000000..f571d2b6f7
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/secrets_ldap_test.go
@@ -0,0 +1,168 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package ldap
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// testLDAPSecretsCreate tests LDAP secrets engine creation with isolated domain
+func testLDAPSecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Create isolated LDAP domain for this test
+	cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	if err != nil {
+		if isCI() {
+			t.Fatalf("LDAP domain creation failed in CI: %v", err)
+		}
+		t.Skipf("LDAP domain creation not available: %v", err)
+	}
+	defer cleanup()
+
+	// Create test user in isolated domain
+	if err := CreateLDAPUser(t, ldapConfig, "enos", "password123"); err != nil {
+		t.Fatalf("Failed to create test user: %v", err)
+	}
+
+	// Configure LDAP secrets engine with isolated domain
+	SetupLDAPSecretsEngineWithConfig(t, v, "ldap-create", ldapConfig)
+
+	// Create a static role for password rotation using the user in our isolated domain
+	v.MustWrite("ldap-create/static-role/test-role", map[string]any{
+		"username":        "enos",
+		"dn":              "uid=enos," + ldapConfig.UserDN,
+		"rotation_period": "24h",
+	})
+
+	// Verify role was created by reading it
+	roleResp := v.MustRead("ldap-create/static-role/test-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read LDAP static role configuration")
+	}
+
+	t.Log("Successfully created LDAP secrets engine with static role in isolated domain")
+}
+
+// testLDAPSecretsRead tests LDAP secrets engine read operations with isolated domain
+func testLDAPSecretsRead(t *testing.T, v *blackbox.Session) {
+	// Create isolated LDAP domain for this test
+	cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	if err != nil {
+		if isCI() {
+			t.Fatalf("LDAP domain creation failed in CI: %v", err)
+		}
+		t.Skipf("LDAP domain creation not available: %v", err)
+	}
+	defer cleanup()
+
+	// Create service account users in isolated domain
+	if err := CreateLDAPUser(t, ldapConfig, "svc-account-1", "password1"); err != nil {
+		t.Fatalf("Failed to create service account 1: %v", err)
+	}
+	if err := CreateLDAPUser(t, ldapConfig, "svc-account-2", "password2"); err != nil {
+		t.Fatalf("Failed to create service account 2: %v", err)
+	}
+
+	// Configure LDAP secrets engine with isolated domain
+	SetupLDAPSecretsEngineWithConfig(t, v, "ldap-read", ldapConfig)
+
+	// Create a library set for service account management
+	// Use Eventually wrapper since Vault needs to verify service accounts exist in LDAP
+	WriteLibrarySetWithRetry(t, v, "ldap-read/library/test-set", map[string]any{
+		"service_account_names":        []string{"svc-account-1", "svc-account-2"},
+		"ttl":                          "10h",
+		"max_ttl":                      "20h",
+		"disable_check_in_enforcement": false,
+	})
+
+	// Read the library set configuration
+	libraryResp := v.MustRead("ldap-read/library/test-set")
+	if libraryResp.Data == nil {
+		t.Fatal("Expected to read LDAP library set configuration")
+	}
+
+	// Verify library set properties
+	assertions := v.AssertSecret(libraryResp)
+	assertions.Data().
+		HasKeyExists("service_account_names").
+		HasKeyExists("ttl").
+		HasKeyExists("max_ttl")
+
+	// Read configuration (should not expose bind password)
+	configResp := v.MustRead("ldap-read/config")
+	if configResp.Data == nil {
+		t.Fatal("Expected to read LDAP configuration")
+	}
+
+	t.Log("Successfully read LDAP secrets engine configuration in isolated domain")
+}
+
+// testLDAPSecretsDelete tests LDAP secrets engine delete operations with isolated domain
+func testLDAPSecretsDelete(t *testing.T, v *blackbox.Session) {
+	// Create isolated LDAP domain for this test
+	cleanup, ldapConfig, err := PrepareTestLDAPDomain(t, v, isCI())
+	if err != nil {
+		if isCI() {
+			t.Fatalf("LDAP domain creation failed in CI: %v", err)
+		}
+		t.Skipf("LDAP domain creation not available: %v", err)
+	}
+	defer cleanup()
+
+	// Create service account user in isolated domain
+	if err := CreateLDAPUser(t, ldapConfig, "svc-delete", "password"); err != nil {
+		t.Fatalf("Failed to create service account: %v", err)
+	}
+
+	// Configure LDAP secrets engine with isolated domain
+	SetupLDAPSecretsEngineWithConfig(t, v, "ldap-delete", ldapConfig)
+
+	// Create a library set
+	// Use Eventually wrapper since Vault needs to verify service accounts exist in LDAP
+	WriteLibrarySetWithRetry(t, v, "ldap-delete/library/delete-set", map[string]any{
+		"service_account_names": []string{"svc-delete"},
+		"ttl":                   "1h",
+	})
+
+	// Verify library set exists
+	libraryResp := v.MustRead("ldap-delete/library/delete-set")
+	if libraryResp.Data == nil {
+		t.Fatal("Expected library set to exist before deletion")
+	}
+
+	// Delete the library set
+	_, err = v.Client.Logical().Delete("ldap-delete/library/delete-set")
+	if err != nil {
+		t.Fatalf("Failed to delete LDAP library set: %v", err)
+	}
+
+	// Verify library set is deleted
+	deletedResp, err := v.Client.Logical().Read("ldap-delete/library/delete-set")
+	if err == nil && deletedResp != nil {
+		t.Fatal("Expected library set to be deleted, but it still exists")
+	}
+
+	t.Log("Successfully deleted LDAP library set in isolated domain")
+}
+
+// TestLDAPSecretsEngineComprehensive runs comprehensive LDAP secrets engine tests
+// Each subtest now uses isolated domains and can run in parallel
+func TestLDAPSecretsEngineComprehensive(t *testing.T) {
+	t.Run("Create", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testLDAPSecretsCreate(t, v)
+	})
+	t.Run("Read", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testLDAPSecretsRead(t, v)
+	})
+	t.Run("Delete", func(t *testing.T) {
+		t.Parallel()
+		v := blackbox.New(t)
+		testLDAPSecretsDelete(t, v)
+	})
+}
diff --git a/vault/external_tests/blackbox/plugins/ldap/testdata/dynamic_deletion.ldif b/vault/external_tests/blackbox/plugins/ldap/testdata/dynamic_deletion.ldif
new file mode 100644
index 0000000000..d548d50018
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/testdata/dynamic_deletion.ldif
@@ -0,0 +1,2 @@
+dn: cn={{.Username}},ou=users,dc=enos,dc=com
+changetype: delete
diff --git a/vault/external_tests/blackbox/plugins/ldap/testdata/dynamic_rollback.ldif b/vault/external_tests/blackbox/plugins/ldap/testdata/dynamic_rollback.ldif
new file mode 100644
index 0000000000..fb4f67117d
--- /dev/null
+++ b/vault/external_tests/blackbox/plugins/ldap/testdata/dynamic_rollback.ldif
@@ -0,0 +1,5 @@
+dn: uid={{.Username}},ou=users,dc=enos,dc=com
+changetype: delete
+
+dn: cn={{.Username}},ou=users,dc=enos,dc=com
+changetype: delete
diff --git a/vault/external_tests/blackbox/raft/node_operations_test.go b/vault/external_tests/blackbox/raft/node_operations_test.go
new file mode 100644
index 0000000000..dad9346146
--- /dev/null
+++ b/vault/external_tests/blackbox/raft/node_operations_test.go
@@ -0,0 +1,21 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package raft
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestNodeRemovalAndRejoin tests raft node removal and rejoin capabilities
+func TestNodeRemovalAndRejoin(t *testing.T) {
+	v := blackbox.New(t)
+
+	// This is a stub for node removal and rejoin testing
+	// In a real implementation, you would test raft node removal and rejoin
+	v.AssertClusterHealthy()
+
+	t.Log("Successfully verified raft cluster stability for node operations")
+}
diff --git a/vault/external_tests/blackbox/raft/raft_node_removal_test.go b/vault/external_tests/blackbox/raft/raft_node_removal_test.go
new file mode 100644
index 0000000000..172887ae79
--- /dev/null
+++ b/vault/external_tests/blackbox/raft/raft_node_removal_test.go
@@ -0,0 +1,223 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package raft
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestRaft_ClusterHealthVerification verifies raft cluster health
+// Note: This test does NOT perform node removal. Node removal is handled by the
+// enos scenario infrastructure. This test simply verifies the cluster is healthy
+// and using raft storage, similar to other raft tests in this package.
+func TestRaft_ClusterHealthVerification(t *testing.T) {
+	t.Parallel()
+	v := blackbox.New(t)
+
+	// Wait for a healthy cluster
+	v.EventuallyClusterHealthyUnsealed(15 * time.Second)
+
+	// Check if using raft storage
+	storage := v.MustGetConfigStorageType()
+	if storage != "raft" {
+		t.Log("skipping as cluster is not using integrated storage")
+		return
+	}
+
+	// Verify raft cluster is healthy
+	v.EventuallyRaftClusterHealthy(5 * time.Second)
+
+	t.Log("Successfully verified raft cluster is healthy")
+}
+
+// TestRaft_RemovedNodeStatus tests the status of a removed node
+// This test should ONLY be run ON a removed node itself (via enos scenario)
+// It verifies that the removed node correctly reports its status
+// If the node is not removed, the test is skipped
+func TestRaft_RemovedNodeStatus(t *testing.T) {
+	v := setupRemovedNodeTest(t)
+
+	testRemovedNodeStatus(t, v)
+}
+
+// testRemovedNodeStatus runs all removed node status checks
+func testRemovedNodeStatus(t *testing.T, v *blackbox.Session) {
+	t.Helper()
+	verifyRemovedStatus(t, v)
+	verifyRemovedHealth(t, v)
+	verifyManualRejoinFails(t, v)
+}
+
+// TestRaft_RemovedNodeAfterRestart verifies removed status persists after restart
+// This test should ONLY be run ON a removed node after it has been restarted
+// If the node is not removed, the test is skipped
+func TestRaft_RemovedNodeAfterRestart(t *testing.T) {
+	v := setupRemovedNodeTest(t)
+
+	testRemovedNodeAfterRestart(t, v)
+}
+
+// testRemovedNodeAfterRestart verifies removed status persists after restart
+func testRemovedNodeAfterRestart(t *testing.T, v *blackbox.Session) {
+	t.Helper()
+	verifyRemovedStatus(t, v)
+	verifyRemovedHealth(t, v)
+}
+
+// setupRemovedNodeTest sets up a test for a removed node
+// It checks if the node is removed and skips if not
+func setupRemovedNodeTest(t *testing.T) *blackbox.Session {
+	t.Helper()
+	t.Parallel()
+	v := blackbox.New(t)
+	if !isNodeRemoved(t, v) {
+		t.Skip("Skipping - node not removed")
+	}
+	return v
+}
+
+// isNodeRemoved checks if the current node has been removed from the cluster
+// Returns true if the node is removed, fails the test on error
+func isNodeRemoved(t *testing.T, v *blackbox.Session) bool {
+	t.Helper()
+
+	// Get vault status
+	resp, err := v.Client.Sys().SealStatus()
+	if err != nil {
+		t.Fatalf("Failed to get seal status: %v", err)
+	}
+
+	// Check if removed_from_cluster is set and true
+	return resp.RemovedFromCluster != nil && *resp.RemovedFromCluster
+}
+
+// verifyRemovedStatus verifies that vault status shows removed_from_cluster=true
+func verifyRemovedStatus(t *testing.T, v *blackbox.Session) {
+	t.Helper()
+
+	v.EventuallyWithTimeout(func() error {
+		// Get vault status
+		resp, err := v.Client.Sys().SealStatus()
+		if err != nil {
+			return fmt.Errorf("failed to get vault status: %w", err)
+		}
+
+		// Check if removed_from_cluster is true
+		if resp.RemovedFromCluster == nil || !*resp.RemovedFromCluster {
+			return fmt.Errorf("status shows removed_from_cluster=%v, expected true", resp.RemovedFromCluster)
+		}
+
+		t.Log("✓ Vault status shows removed_from_cluster=true")
+		return nil
+	}, 15*time.Second)
+}
+
+// verifyRemovedHealth verifies that sys/health shows removed_from_cluster=true
+func verifyRemovedHealth(t *testing.T, v *blackbox.Session) {
+	t.Helper()
+
+	v.EventuallyWithTimeout(func() error {
+		// Query sys/health with custom status codes to avoid errors
+		req := v.Client.NewRequest("GET", "/v1/sys/health")
+		req.Params.Set("sealedcode", "299")
+		req.Params.Set("uninitcode", "299")
+		req.Params.Set("removedcode", "299")
+
+		resp, err := v.Client.RawRequest(req)
+		if err != nil {
+			return fmt.Errorf("failed to get health status: %w", err)
+		}
+		defer resp.Body.Close()
+
+		var healthResp api.HealthResponse
+		if err := resp.DecodeJSON(&healthResp); err != nil {
+			return fmt.Errorf("failed to decode health response: %w", err)
+		}
+
+		// Check if removed_from_cluster is true
+		if healthResp.RemovedFromCluster == nil || !*healthResp.RemovedFromCluster {
+			return fmt.Errorf("health shows removed_from_cluster=%v, expected true", healthResp.RemovedFromCluster)
+		}
+
+		t.Log("✓ Health endpoint shows removed_from_cluster=true")
+		return nil
+	}, 15*time.Second)
+}
+
+// verifyManualRejoinFails verifies that manual raft join attempts fail on removed nodes
+func verifyManualRejoinFails(t *testing.T, v *blackbox.Session) {
+	t.Helper()
+
+	// Get the leader address - in enos this would be passed via environment
+	leaderAddr := v.Client.Address()
+	if leaderAddr == "" {
+		t.Skip("Leader address not available, skipping manual rejoin test")
+	}
+
+	// Attempt to join the raft cluster - this should fail
+	req := v.Client.NewRequest("POST", "/v1/sys/storage/raft/join")
+	req.BodyBytes = []byte(fmt.Sprintf(`{"leader_api_addr": "%s"}`, leaderAddr))
+
+	resp, err := v.Client.RawRequest(req)
+	if err == nil {
+		defer resp.Body.Close()
+		// If no error, check the status code - should not be 2xx
+		if resp.StatusCode >= 200 && resp.StatusCode < 300 {
+			t.Fatal("Expected raft join to fail, but it succeeded")
+		}
+		t.Logf("✓ Raft join failed as expected with status code: %d", resp.StatusCode)
+		return
+	}
+
+	// Error is expected - verify it mentions removed node
+	if !strings.Contains(err.Error(), "removed") {
+		t.Fatalf("Expected error about removed node, got: %v", err)
+	}
+	t.Logf("✓ Raft join failed as expected with error: %v", err)
+}
+
+// TestRaft_UnsealFailsOnRemovedNode verifies that unseal fails on removed nodes (Shamir seal only)
+// This test should ONLY be run ON a removed node (via enos scenario)
+// If the node is not removed, the test is skipped
+func TestRaft_UnsealFailsOnRemovedNode(t *testing.T) {
+	v := setupRemovedNodeTest(t)
+
+	// Check if this is a Shamir seal
+	status, err := v.Client.Sys().SealStatus()
+	if err != nil {
+		t.Fatalf("Failed to get seal status: %v", err)
+	}
+
+	if status.Type != "shamir" {
+		t.Skip("Skipping unseal test - only applicable for Shamir seal")
+	}
+
+	// Attempt to unseal - this should fail on a removed node
+	// Note: We use a dummy key since we don't have the actual unseal keys
+	req := v.Client.NewRequest("POST", "/v1/sys/unseal")
+	req.BodyBytes = []byte(`{"key": "dummy-key-for-testing"}`)
+
+	resp, err := v.Client.RawRequest(req)
+	if err == nil {
+		defer resp.Body.Close()
+		// Check if the response indicates failure
+		if resp.StatusCode >= 200 && resp.StatusCode < 300 {
+			t.Fatal("Expected unseal to fail on removed node, but it succeeded")
+		}
+		t.Logf("✓ Unseal failed as expected with status code: %d", resp.StatusCode)
+		return
+	}
+
+	// Error is expected - verify it mentions removed node
+	if !strings.Contains(err.Error(), "removed") {
+		t.Fatalf("Expected error about removed node, got: %v", err)
+	}
+	t.Logf("✓ Unseal failed as expected with error: %v", err)
+}
diff --git a/vault/external_tests/blackbox/raft/voters_test.go b/vault/external_tests/blackbox/raft/voters_test.go
new file mode 100644
index 0000000000..91e07a97e8
--- /dev/null
+++ b/vault/external_tests/blackbox/raft/voters_test.go
@@ -0,0 +1,29 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package raft
+
+import (
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestRaftVoters verifies that all nodes in the raft cluster are voters
+func TestRaftVoters(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Wait for a healthy cluster
+	v.EventuallyClusterHealthyUnsealed(15 * time.Second)
+
+	storage := v.MustGetConfigStorageType()
+	if storage != "raft" {
+		t.Log("skipping as cluster is not using integrated storage")
+		return
+	}
+
+	v.EventuallyRaftClusterHealthy(5 * time.Second)
+
+	t.Log("Successfully verified raft cluster is healthy with at least one voter")
+}
diff --git a/vault/external_tests/blackbox/replication/status_test.go b/vault/external_tests/blackbox/replication/status_test.go
new file mode 100644
index 0000000000..40a5bd5885
--- /dev/null
+++ b/vault/external_tests/blackbox/replication/status_test.go
@@ -0,0 +1,40 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package replication
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestReplicationStatus verifies replication status for both DR and performance replication
+func TestReplicationStatus(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Read replication status with proper nil checks
+	drStatus := v.MustRead("sys/replication/dr/status")
+	if drStatus == nil || drStatus.Data == nil {
+		t.Log("DR replication not available or not configured - skipping DR replication check")
+	} else {
+		if drMode, ok := drStatus.Data["mode"]; ok {
+			t.Logf("DR replication mode: %v", drMode)
+		} else {
+			t.Log("DR replication mode not available")
+		}
+	}
+
+	prStatus := v.MustRead("sys/replication/performance/status")
+	if prStatus == nil || prStatus.Data == nil {
+		t.Log("Performance replication not available or not configured - skipping performance replication check")
+	} else {
+		if prMode, ok := prStatus.Data["mode"]; ok {
+			t.Logf("Performance replication mode: %v", prMode)
+		} else {
+			t.Log("Performance replication mode not available")
+		}
+	}
+
+	t.Log("Successfully verified replication status endpoints are accessible")
+}
diff --git a/vault/external_tests/blackbox/secrets/engines_test.go b/vault/external_tests/blackbox/secrets/engines_test.go
new file mode 100644
index 0000000000..af88e6b312
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/engines_test.go
@@ -0,0 +1,97 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestSecretsEngineCreate tests creation/setup of various secrets engines
+// This test covers secrets engines that work in cloud environments (HCP/Docker)
+func TestSecretsEngineCreate(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	t.Run("KVSecrets", func(t *testing.T) {
+		testKVSecretsCreate(t, v)
+	})
+
+	t.Run("PKISecrets", func(t *testing.T) {
+		testPKISecretsCreate(t, v)
+	})
+
+	t.Run("SSHSecrets", func(t *testing.T) {
+		testSSHSecretsCreate(t, v)
+	})
+
+	t.Run("IdentitySecrets", func(t *testing.T) {
+		testIdentitySecretsCreate(t, v)
+	})
+
+	t.Run("TransitSecrets", func(t *testing.T) {
+		testTransitSecretsCreate(t, v)
+	})
+}
+
+// TestSecretsEngineRead tests read operations for various secrets engines
+// This test covers secrets engines that work in cloud environments (HCP/Docker)
+func TestSecretsEngineRead(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	t.Run("KVSecrets", func(t *testing.T) {
+		testKVSecretsRead(t, v)
+	})
+
+	t.Run("PKISecrets", func(t *testing.T) {
+		testPKISecretsRead(t, v)
+	})
+
+	t.Run("SSHSecrets", func(t *testing.T) {
+		testSSHSecretsRead(t, v)
+	})
+
+	t.Run("IdentitySecrets", func(t *testing.T) {
+		testIdentitySecretsRead(t, v)
+	})
+
+	t.Run("TransitSecrets", func(t *testing.T) {
+		testTransitSecretsRead(t, v)
+	})
+}
+
+// TestSecretsEngineDelete tests delete operations for various secrets engines
+// This test covers secrets engines that work in cloud environments (HCP/Docker)
+func TestSecretsEngineDelete(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	t.Run("KVSecrets", func(t *testing.T) {
+		testKVSecretsDelete(t, v)
+	})
+
+	t.Run("PKISecrets", func(t *testing.T) {
+		testPKISecretsDelete(t, v)
+	})
+
+	t.Run("SSHSecrets", func(t *testing.T) {
+		testSSHSecretsDelete(t, v)
+	})
+
+	t.Run("IdentitySecrets", func(t *testing.T) {
+		testIdentitySecretsDelete(t, v)
+	})
+
+	t.Run("TransitSecrets", func(t *testing.T) {
+		testTransitSecretsDelete(t, v)
+	})
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_aws_test.go b/vault/external_tests/blackbox/secrets/secrets_aws_test.go
new file mode 100644
index 0000000000..829cfd2066
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_aws_test.go
@@ -0,0 +1,116 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"os"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// testAWSSecretsCreate tests AWS secrets engine creation
+func testAWSSecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Check if AWS credentials are available
+	accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
+	secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
+
+	if accessKey == "" || secretKey == "" {
+		t.Skip("AWS credentials not available - skipping AWS secrets engine test")
+	}
+
+	// Enable AWS secrets engine
+	v.MustEnableSecretsEngine("aws-create", &api.MountInput{Type: "aws"})
+
+	// Configure AWS secrets engine with root credentials
+	v.MustWrite("aws-create/config/root", map[string]any{
+		"access_key": accessKey,
+		"secret_key": secretKey,
+		"region":     "us-east-1",
+	})
+
+	// Create a role for generating credentials
+	v.MustWrite("aws-create/roles/test-role", map[string]any{
+		"credential_type": "iam_user",
+		"policy_document": `{
+			"Version": "2012-10-17",
+			"Statement": [
+				{
+					"Effect": "Allow",
+					"Action": "ec2:Describe*",
+					"Resource": "*"
+				}
+			]
+		}`,
+	})
+
+	// Verify role was created by reading it
+	roleResp := v.MustRead("aws-create/roles/test-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read AWS role configuration")
+	}
+
+	t.Log("Successfully created AWS secrets engine with role")
+}
+
+// testAWSSecretsRead tests AWS secrets engine read operations
+func testAWSSecretsRead(t *testing.T, v *blackbox.Session) {
+	// Check if AWS credentials are available
+	accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
+	secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
+
+	if accessKey == "" || secretKey == "" {
+		t.Skip("AWS credentials not available - skipping AWS secrets engine test")
+	}
+
+	// Enable AWS secrets engine
+	v.MustEnableSecretsEngine("aws-read", &api.MountInput{Type: "aws"})
+
+	// Configure AWS secrets engine
+	v.MustWrite("aws-read/config/root", map[string]any{
+		"access_key": accessKey,
+		"secret_key": secretKey,
+		"region":     "us-west-2",
+	})
+
+	// Create a role
+	v.MustWrite("aws-read/roles/read-role", map[string]any{
+		"credential_type": "iam_user",
+		"policy_document": `{
+			"Version": "2012-10-17",
+			"Statement": [
+				{
+					"Effect": "Allow",
+					"Action": "s3:ListBucket",
+					"Resource": "*"
+				}
+			]
+		}`,
+	})
+
+	// Read the role configuration
+	roleResp := v.MustRead("aws-read/roles/read-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read AWS role configuration")
+	}
+
+	// Verify role properties
+	assertions := v.AssertSecret(roleResp)
+	assertions.Data().
+		HasKey("credential_type", "iam_user").
+		HasKeyExists("policy_document")
+
+	// Read root configuration (should not expose credentials)
+	configResp := v.MustRead("aws-read/config/root")
+	if configResp.Data == nil {
+		t.Fatal("Expected to read AWS root configuration")
+	}
+
+	// Verify config properties (credentials should not be returned)
+	configAssertions := v.AssertSecret(configResp)
+	configAssertions.Data().HasKey("region", "us-west-2")
+
+	t.Log("Successfully read AWS secrets engine configuration")
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_identity_test.go b/vault/external_tests/blackbox/secrets/secrets_identity_test.go
new file mode 100644
index 0000000000..6c91c42e78
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_identity_test.go
@@ -0,0 +1,132 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// testIdentitySecretsCreate tests Identity secrets engine creation
+func testIdentitySecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Identity is a built-in secrets engine, no need to enable it
+	// Create an entity
+	entityResp := v.MustWrite("identity/entity", map[string]any{
+		"name":     "test-entity",
+		"policies": []string{"default"},
+		"metadata": map[string]string{
+			"team": "engineering",
+			"env":  "test",
+		},
+	})
+
+	if entityResp.Data == nil {
+		t.Fatal("Expected entity creation response")
+	}
+
+	// Verify entity was created
+	assertions := v.AssertSecret(entityResp)
+	assertions.Data().HasKeyExists("id")
+
+	entityID := entityResp.Data["id"].(string)
+
+	// Create an entity alias (requires an auth mount)
+	v.MustEnableAuth("userpass-identity", &api.EnableAuthOptions{Type: "userpass"})
+
+	// Get the accessor for the auth mount
+	authsResp := v.MustRead("sys/auth")
+	if authsResp.Data == nil {
+		t.Fatal("Expected to read auth mounts")
+	}
+
+	var accessor string
+	if authData, ok := authsResp.Data["userpass-identity/"]; ok {
+		if authMap, ok := authData.(map[string]any); ok {
+			accessor = authMap["accessor"].(string)
+		}
+	}
+
+	if accessor == "" {
+		t.Fatal("Failed to get auth mount accessor")
+	}
+
+	// Create entity alias
+	aliasResp := v.MustWrite("identity/entity-alias", map[string]any{
+		"name":           "test-user",
+		"canonical_id":   entityID,
+		"mount_accessor": accessor,
+	})
+
+	if aliasResp.Data == nil {
+		t.Fatal("Expected entity alias creation response")
+	}
+
+	aliasAssertions := v.AssertSecret(aliasResp)
+	aliasAssertions.Data().HasKeyExists("id")
+
+	t.Log("Successfully created identity entity and alias")
+}
+
+// testIdentitySecretsRead tests Identity secrets engine read operations
+func testIdentitySecretsRead(t *testing.T, v *blackbox.Session) {
+	// Create an entity
+	entityResp := v.MustWrite("identity/entity", map[string]any{
+		"name":     "read-entity",
+		"policies": []string{"default"},
+		"metadata": map[string]string{
+			"purpose": "testing",
+		},
+	})
+
+	entityID := entityResp.Data["id"].(string)
+
+	// Read the entity by ID
+	readResp := v.MustRead("identity/entity/id/" + entityID)
+	if readResp.Data == nil {
+		t.Fatal("Expected to read entity")
+	}
+
+	// Verify entity properties
+	assertions := v.AssertSecret(readResp)
+	assertions.Data().
+		HasKey("name", "read-entity").
+		HasKeyExists("id").
+		HasKeyExists("policies")
+
+	// Read entity by name
+	nameResp := v.MustRead("identity/entity/name/read-entity")
+	if nameResp.Data == nil {
+		t.Fatal("Expected to read entity by name")
+	}
+
+	nameAssertions := v.AssertSecret(nameResp)
+	nameAssertions.Data().
+		HasKey("name", "read-entity").
+		HasKey("id", entityID)
+
+	t.Log("Successfully read identity entity by ID and name")
+}
+
+// testIdentitySecretsDelete tests Identity secrets engine delete operations
+func testIdentitySecretsDelete(t *testing.T, v *blackbox.Session) {
+	entityResp := v.MustWrite("identity/entity", map[string]any{
+		"name": "delete-entity",
+	})
+	entityID := entityResp.Data["id"].(string)
+	readResp := v.MustRead("identity/entity/id/" + entityID)
+	if readResp.Data == nil {
+		t.Fatal("Expected entity to exist before deletion")
+	}
+	_, err := v.Client.Logical().Delete("identity/entity/id/" + entityID)
+	if err != nil {
+		t.Fatalf("Failed to delete entity: %v", err)
+	}
+	deletedResp, err := v.Client.Logical().Read("identity/entity/id/" + entityID)
+	if err == nil && deletedResp != nil {
+		t.Fatal("Expected entity to be deleted, but it still exists")
+	}
+	t.Logf("Successfully deleted identity entity: %s", entityID)
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_kmip_test.go b/vault/external_tests/blackbox/secrets/secrets_kmip_test.go
new file mode 100644
index 0000000000..3ee092683c
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_kmip_test.go
@@ -0,0 +1,99 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"os"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// testKMIPSecretsCreate tests KMIP secrets engine creation
+func testKMIPSecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Check if this is Vault Enterprise (KMIP is enterprise-only)
+	edition := os.Getenv("VAULT_EDITION")
+	if edition == "ce" || edition == "" {
+		t.Skip("KMIP secrets engine is only available in Vault Enterprise")
+	}
+
+	// Enable KMIP secrets engine
+	v.MustEnableSecretsEngine("kmip-create", &api.MountInput{Type: "kmip"})
+
+	// Configure KMIP secrets engine
+	v.MustWrite("kmip-create/config", map[string]any{
+		"listen_addrs":           []string{"0.0.0.0:5696"},
+		"server_hostnames":       []string{"localhost"},
+		"default_tls_client_ttl": "24h",
+	})
+
+	// Create a KMIP scope
+	v.MustWrite("kmip-create/scope/test-scope", map[string]any{})
+
+	// Create a KMIP role within the scope
+	v.MustWrite("kmip-create/scope/test-scope/role/test-role", map[string]any{
+		"operation_all": true,
+	})
+
+	// Verify role was created by reading it
+	roleResp := v.MustRead("kmip-create/scope/test-scope/role/test-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read KMIP role configuration")
+	}
+
+	t.Log("Successfully created KMIP secrets engine with scope and role")
+}
+
+// testKMIPSecretsRead tests KMIP secrets engine read operations
+func testKMIPSecretsRead(t *testing.T, v *blackbox.Session) {
+	// Check if this is Vault Enterprise (KMIP is enterprise-only)
+	edition := os.Getenv("VAULT_EDITION")
+	if edition == "ce" || edition == "" {
+		t.Skip("KMIP secrets engine is only available in Vault Enterprise")
+	}
+
+	// Enable KMIP secrets engine
+	v.MustEnableSecretsEngine("kmip-read", &api.MountInput{Type: "kmip"})
+
+	// Configure KMIP secrets engine
+	v.MustWrite("kmip-read/config", map[string]any{
+		"listen_addrs":     []string{"0.0.0.0:5697"},
+		"server_hostnames": []string{"localhost"},
+	})
+
+	// Create a scope
+	v.MustWrite("kmip-read/scope/read-scope", map[string]any{})
+
+	// Create a role
+	v.MustWrite("kmip-read/scope/read-scope/role/read-role", map[string]any{
+		"operation_activate": true,
+		"operation_create":   true,
+		"operation_get":      true,
+	})
+
+	// Read the role configuration
+	roleResp := v.MustRead("kmip-read/scope/read-scope/role/read-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read KMIP role configuration")
+	}
+
+	// Verify role properties
+	assertions := v.AssertSecret(roleResp)
+	assertions.Data().
+		HasKey("operation_activate", true).
+		HasKey("operation_create", true).
+		HasKey("operation_get", true)
+
+	// Note: Reading individual scopes is not supported (returns 405)
+	// The KMIP API only supports listing scopes, not reading them individually
+
+	// Read KMIP configuration
+	configResp := v.MustRead("kmip-read/config")
+	if configResp.Data == nil {
+		t.Fatal("Expected to read KMIP configuration")
+	}
+
+	t.Log("Successfully read KMIP secrets engine configuration")
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_kv_test.go b/vault/external_tests/blackbox/secrets/secrets_kv_test.go
new file mode 100644
index 0000000000..af99c8c979
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_kv_test.go
@@ -0,0 +1,47 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	helpers "github.com/hashicorp/vault/vault/external_tests/blackbox"
+)
+
+// testKVSecretsCreate tests KV secrets engine creation
+func testKVSecretsCreate(t *testing.T, v *blackbox.Session) {
+	// KV secrets engine tests are now in kvv2_test.go - just test basic enablement here
+	helpers.SetupKVEngine(v, "kv-create")
+
+	// Write and read test data to verify engine works
+	v.MustWriteKV2("kv-create", "test/path", helpers.StandardKVData)
+	secret := v.MustReadKV2("kv-create", "test/path")
+	helpers.AssertKVData(t, v, secret, helpers.StandardKVData)
+
+	t.Log("Successfully created and tested KV secrets engine")
+}
+
+// testKVSecretsRead tests KV secrets engine read operations
+func testKVSecretsRead(t *testing.T, v *blackbox.Session) {
+	// KV read tests are in kvv2_test.go - test basic read functionality here
+	helpers.SetupKVEngine(v, "kv-read")
+	v.MustWriteKV2("kv-read", "read/test", helpers.AltKVData)
+	secret := v.MustReadKV2("kv-read", "read/test")
+	helpers.AssertKVData(t, v, secret, helpers.AltKVData)
+
+	t.Log("Successfully read KV secrets engine data")
+}
+
+// testKVSecretsDelete tests KV secrets engine delete operations
+func testKVSecretsDelete(t *testing.T, v *blackbox.Session) {
+	helpers.SetupKVEngine(v, "kv-delete")
+	v.MustWriteKV2("kv-delete", "delete/test", helpers.StandardKVData)
+	secret := v.MustReadKV2("kv-delete", "delete/test")
+	helpers.AssertKVData(t, v, secret, helpers.StandardKVData)
+	v.MustWrite("kv-delete/delete/delete/test", map[string]any{
+		"versions": []int{1},
+	})
+	t.Log("Successfully deleted KV secrets engine data")
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_ldap_test.go b/vault/external_tests/blackbox/secrets/secrets_ldap_test.go
new file mode 100644
index 0000000000..c8897a9cf3
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_ldap_test.go
@@ -0,0 +1,191 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"net"
+	"net/url"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// requireLDAPAvailable verifies LDAP server connectivity using testify Eventually
+func requireLDAPAvailable(t *testing.T, timeout, interval time.Duration) {
+	t.Helper()
+
+	// Use public IP for external connectivity testing
+	ldapServerPublic := os.Getenv("LDAP_URL_PUBLIC")
+	require.NotEmpty(t, ldapServerPublic, "LDAP_URL_PUBLIC environment variable not set")
+
+	u, err := url.Parse(ldapServerPublic)
+	require.NoError(t, err, "Failed to parse LDAP URL: %s", ldapServerPublic)
+
+	require.EventuallyWithT(t, func(ct *assert.CollectT) {
+		d := &net.Dialer{}
+		conn, err := d.DialContext(t.Context(), "tcp", u.Host)
+		require.NoError(ct, err)
+		require.NoError(ct, conn.Close())
+	}, timeout, interval, "LDAP server not available at %s", u.Host)
+
+	t.Logf("LDAP server connectivity verified at %s", u.Host)
+}
+
+// testLDAPSecretsCreate tests LDAP secrets engine creation
+func testLDAPSecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Check if LDAP server configuration is available from integration host
+	ldapServer := os.Getenv("LDAP_URL_PRIVATE")
+	ldapBindDN := os.Getenv("LDAP_BIND_DN")
+	ldapBindPass := os.Getenv("LDAP_BIND_PASS")
+
+	if ldapServer == "" || ldapBindDN == "" || ldapBindPass == "" {
+		t.Skip("LDAP server configuration not available - skipping LDAP secrets engine test")
+	}
+
+	// Verify LDAP server is ready before proceeding
+	requireLDAPAvailable(t, 1*time.Minute, 2*time.Second)
+
+	// Enable LDAP secrets engine
+	v.MustEnableSecretsEngine("ldap-create", &api.MountInput{Type: "ldap"})
+
+	// Configure LDAP secrets engine with integration server details
+	v.MustWrite("ldap-create/config", map[string]any{
+		"binddn":   ldapBindDN,
+		"bindpass": ldapBindPass,
+		"url":      ldapServer,
+		"userdn":   "ou=users,dc=enos,dc=com",
+		"userattr": "uid",
+	})
+
+	// Create a static role for password rotation using the user created by the integration setup
+	v.MustWrite("ldap-create/static-role/test-role", map[string]any{
+		"username":        "enos",
+		"dn":              "uid=enos,ou=users,dc=enos,dc=com",
+		"rotation_period": "24h",
+	})
+
+	// Verify role was created by reading it
+	roleResp := v.MustRead("ldap-create/static-role/test-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read LDAP static role configuration")
+	}
+
+	t.Log("Successfully created LDAP secrets engine with static role")
+}
+
+// testLDAPSecretsRead tests LDAP secrets engine read operations
+func testLDAPSecretsRead(t *testing.T, v *blackbox.Session) {
+	// Check if LDAP server configuration is available from integration host
+	ldapServer := os.Getenv("LDAP_URL_PRIVATE")
+	ldapBindDN := os.Getenv("LDAP_BIND_DN")
+	ldapBindPass := os.Getenv("LDAP_BIND_PASS")
+
+	if ldapServer == "" || ldapBindDN == "" || ldapBindPass == "" {
+		t.Skip("LDAP server configuration not available - skipping LDAP secrets engine test")
+	}
+
+	// Verify LDAP server is ready before proceeding
+	requireLDAPAvailable(t, 1*time.Minute, 2*time.Second)
+	serviceAccounts := []string{"svc-account-1", "svc-account-2"}
+
+	// Enable LDAP secrets engine
+	v.MustEnableSecretsEngine("ldap-read", &api.MountInput{Type: "ldap"})
+
+	// Configure LDAP secrets engine with integration server details
+	v.MustWrite("ldap-read/config", map[string]any{
+		"binddn":   ldapBindDN,
+		"bindpass": ldapBindPass,
+		"url":      ldapServer,
+		"userdn":   "ou=users,dc=enos,dc=com",
+		"userattr": "uid",
+	})
+
+	// Create a library set for service account management
+	v.MustWrite("ldap-read/library/test-set", map[string]any{
+		"service_account_names":        serviceAccounts,
+		"ttl":                          "10h",
+		"max_ttl":                      "20h",
+		"disable_check_in_enforcement": false,
+	})
+
+	// Read the library set configuration
+	libraryResp := v.MustRead("ldap-read/library/test-set")
+	if libraryResp.Data == nil {
+		t.Fatal("Expected to read LDAP library set configuration")
+	}
+
+	// Verify library set properties
+	assertions := v.AssertSecret(libraryResp)
+	assertions.Data().
+		HasKeyExists("service_account_names").
+		HasKeyExists("ttl").
+		HasKeyExists("max_ttl")
+
+	// Read configuration (should not expose bind password)
+	configResp := v.MustRead("ldap-read/config")
+	if configResp.Data == nil {
+		t.Fatal("Expected to read LDAP configuration")
+	}
+
+	t.Log("Successfully read LDAP secrets engine configuration")
+}
+
+// testLDAPSecretsDelete tests LDAP secrets engine delete operations
+func testLDAPSecretsDelete(t *testing.T, v *blackbox.Session) {
+	// Check if LDAP server configuration is available from integration host
+	ldapServer := os.Getenv("LDAP_URL_PRIVATE")
+	ldapBindDN := os.Getenv("LDAP_BIND_DN")
+	ldapBindPass := os.Getenv("LDAP_BIND_PASS")
+
+	if ldapServer == "" || ldapBindDN == "" || ldapBindPass == "" {
+		t.Skip("LDAP server configuration not available - skipping LDAP secrets engine test")
+	}
+
+	// Verify LDAP server is ready before proceeding
+	requireLDAPAvailable(t, 1*time.Minute, 2*time.Second)
+	serviceAccounts := []string{"svc-delete"}
+
+	// Enable LDAP secrets engine
+	v.MustEnableSecretsEngine("ldap-delete", &api.MountInput{Type: "ldap"})
+
+	// Configure LDAP secrets engine with integration server details
+	v.MustWrite("ldap-delete/config", map[string]any{
+		"binddn":   ldapBindDN,
+		"bindpass": ldapBindPass,
+		"url":      ldapServer,
+		"userdn":   "ou=users,dc=enos,dc=com",
+		"userattr": "uid",
+	})
+
+	// Create a library set
+	v.MustWrite("ldap-delete/library/delete-set", map[string]any{
+		"service_account_names": serviceAccounts,
+		"ttl":                   "1h",
+	})
+
+	// Verify library set exists
+	libraryResp := v.MustRead("ldap-delete/library/delete-set")
+	if libraryResp.Data == nil {
+		t.Fatal("Expected library set to exist before deletion")
+	}
+
+	// Delete the library set
+	_, err := v.Client.Logical().Delete("ldap-delete/library/delete-set")
+	if err != nil {
+		t.Fatalf("Failed to delete LDAP library set: %v", err)
+	}
+
+	// Verify library set is deleted
+	deletedResp, err := v.Client.Logical().Read("ldap-delete/library/delete-set")
+	if err == nil && deletedResp != nil {
+		t.Fatal("Expected library set to be deleted, but it still exists")
+	}
+
+	t.Log("Successfully deleted LDAP library set")
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_pki_test.go b/vault/external_tests/blackbox/secrets/secrets_pki_test.go
new file mode 100644
index 0000000000..0e0ff4d21e
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_pki_test.go
@@ -0,0 +1,109 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// testPKISecretsCreate tests PKI secrets engine creation
+func testPKISecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Enable PKI secrets engine
+	v.MustEnableSecretsEngine("pki-create", &api.MountInput{Type: "pki"})
+
+	// Configure max TTL for the mount
+	err := v.Client.Sys().TuneMountAllowNilWithContext(t.Context(), "pki-create", api.TuneMountConfigInput{
+		MaxLeaseTTL: new(string("87600h")),
+	})
+	if err != nil {
+		t.Fatalf("Failed to tune PKI mount: %v: %v", err, v.Client.Address())
+	}
+
+	// Generate root CA
+	rootResp := v.MustWrite("pki-create/root/generate/internal", map[string]any{
+		"common_name": "test-root-ca.example.com",
+		"ttl":         "8760h",
+		"key_type":    "rsa",
+		"key_bits":    2048,
+	})
+
+	if rootResp.Data == nil {
+		t.Fatal("Expected root CA generation response")
+	}
+
+	// Verify root CA was created
+	assertions := v.AssertSecret(rootResp)
+	assertions.Data().
+		HasKeyExists("certificate").
+		HasKeyExists("issuing_ca").
+		HasKeyExists("serial_number")
+
+	// Create a role for issuing certificates
+	v.MustWrite("pki-create/roles/test-role", map[string]any{
+		"allowed_domains":  []string{"example.com"},
+		"allow_subdomains": true,
+		"max_ttl":          "72h",
+		"key_type":         "rsa",
+		"key_bits":         2048,
+	})
+
+	// Verify role was created by reading it
+	roleResp := v.MustRead("pki-create/roles/test-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read role configuration")
+	}
+
+	t.Log("Successfully created PKI secrets engine with root CA and role")
+}
+
+// testPKISecretsRead tests PKI secrets engine read operations
+func testPKISecretsRead(t *testing.T, v *blackbox.Session) {
+	// Setup PKI engine with root CA
+	roleName := v.MustSetupPKIRoot("pki-read")
+
+	// Read the role configuration
+	roleResp := v.MustRead("pki-read/roles/" + roleName)
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read role configuration")
+	}
+
+	// Verify role properties
+	assertions := v.AssertSecret(roleResp)
+	assertions.Data().
+		HasKey("allow_subdomains", true).
+		HasKeyExists("max_ttl").
+		HasKeyExists("allowed_domains")
+
+	// Read CA certificate
+	caResp := v.MustRead("pki-read/cert/ca")
+	if caResp.Data == nil {
+		t.Fatal("Expected to read CA certificate")
+	}
+
+	assertions = v.AssertSecret(caResp)
+	assertions.Data().HasKeyExists("certificate")
+
+	t.Log("Successfully read PKI secrets engine configuration and certificates")
+}
+
+// testPKISecretsDelete tests PKI secrets engine delete operations
+func testPKISecretsDelete(t *testing.T, v *blackbox.Session) {
+	roleName := v.MustSetupPKIRoot("pki-delete")
+	roleResp := v.MustRead("pki-delete/roles/" + roleName)
+	if roleResp.Data == nil {
+		t.Fatal("Expected role to exist before deletion")
+	}
+	_, err := v.Client.Logical().Delete("pki-delete/roles/" + roleName)
+	if err != nil {
+		t.Fatalf("Failed to delete PKI role: %v", err)
+	}
+	deletedResp, err := v.Client.Logical().Read("pki-delete/roles/" + roleName)
+	if err == nil && deletedResp != nil {
+		t.Fatal("Expected role to be deleted, but it still exists")
+	}
+	t.Logf("Successfully deleted PKI role: %s", roleName)
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_ssh_test.go b/vault/external_tests/blackbox/secrets/secrets_ssh_test.go
new file mode 100644
index 0000000000..716c87cc25
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_ssh_test.go
@@ -0,0 +1,139 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// testSSHSecretsCreate tests SSH secrets engine creation
+func testSSHSecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Enable SSH secrets engine
+	v.MustEnableSecretsEngine("ssh-create", &api.MountInput{Type: "ssh"})
+
+	// Generate CA key pair
+	caResp := v.MustWrite("ssh-create/config/ca", map[string]any{
+		"generate_signing_key": true,
+	})
+
+	if caResp.Data == nil {
+		t.Fatal("Expected CA generation response")
+	}
+
+	// Verify CA was created
+	assertions := v.AssertSecret(caResp)
+	assertions.Data().HasKeyExists("public_key")
+
+	// Create an SSH role for signing certificates
+	v.MustWrite("ssh-create/roles/test-role", map[string]any{
+		"key_type":                "ca",
+		"allow_user_certificates": true,
+		"allowed_users":           "*",
+		"default_user":            "ubuntu",
+		"ttl":                     "30m",
+		"max_ttl":                 "24h",
+	})
+
+	// Verify role was created by reading it
+	roleResp := v.MustRead("ssh-create/roles/test-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read SSH role configuration")
+	}
+
+	// Verify role properties
+	roleAssertions := v.AssertSecret(roleResp)
+	roleAssertions.Data().
+		HasKey("key_type", "ca").
+		HasKey("allow_user_certificates", true).
+		HasKey("default_user", "ubuntu")
+
+	t.Log("Successfully created SSH secrets engine with CA and role")
+}
+
+// testSSHSecretsRead tests SSH secrets engine read operations
+func testSSHSecretsRead(t *testing.T, v *blackbox.Session) {
+	// Enable SSH secrets engine
+	v.MustEnableSecretsEngine("ssh-read", &api.MountInput{Type: "ssh"})
+
+	// Generate CA
+	v.MustWrite("ssh-read/config/ca", map[string]any{
+		"generate_signing_key": true,
+	})
+
+	// Create a role
+	v.MustWrite("ssh-read/roles/read-role", map[string]any{
+		"key_type":                "ca",
+		"allow_user_certificates": true,
+		"allowed_users":           "testuser",
+		"default_user":            "testuser",
+		"ttl":                     "1h",
+	})
+
+	// Read the role configuration
+	roleResp := v.MustRead("ssh-read/roles/read-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected to read SSH role configuration")
+	}
+
+	// Verify role properties
+	assertions := v.AssertSecret(roleResp)
+	assertions.Data().
+		HasKey("key_type", "ca").
+		HasKey("allow_user_certificates", true).
+		HasKey("allowed_users", "testuser").
+		HasKey("default_user", "testuser")
+
+	// Read CA public key
+	publicKeyResp := v.MustRead("ssh-read/config/ca")
+	if publicKeyResp.Data == nil {
+		t.Fatal("Expected to read CA public key")
+	}
+
+	assertions = v.AssertSecret(publicKeyResp)
+	assertions.Data().HasKeyExists("public_key")
+
+	t.Log("Successfully read SSH secrets engine configuration")
+}
+
+// testSSHSecretsDelete tests SSH secrets engine delete operations
+func testSSHSecretsDelete(t *testing.T, v *blackbox.Session) {
+	// Enable SSH secrets engine
+	v.MustEnableSecretsEngine("ssh-delete", &api.MountInput{Type: "ssh"})
+
+	// Generate CA
+	v.MustWrite("ssh-delete/config/ca", map[string]any{
+		"generate_signing_key": true,
+	})
+
+	// Create a role
+	v.MustWrite("ssh-delete/roles/delete-role", map[string]any{
+		"key_type":                "ca",
+		"allow_user_certificates": true,
+		"allowed_users":           "*",
+		"default_user":            "ubuntu",
+	})
+
+	// Verify role exists
+	roleResp := v.MustRead("ssh-delete/roles/delete-role")
+	if roleResp.Data == nil {
+		t.Fatal("Expected role to exist before deletion")
+	}
+
+	// Delete the role
+	_, err := v.Client.Logical().Delete("ssh-delete/roles/delete-role")
+	if err != nil {
+		t.Fatalf("Failed to delete SSH role: %v", err)
+	}
+
+	// Verify role is deleted
+	deletedResp, err := v.Client.Logical().Read("ssh-delete/roles/delete-role")
+	if err == nil && deletedResp != nil {
+		t.Fatal("Expected role to be deleted, but it still exists")
+	}
+
+	t.Log("Successfully deleted SSH role")
+}
diff --git a/vault/external_tests/blackbox/secrets/secrets_transit_test.go b/vault/external_tests/blackbox/secrets/secrets_transit_test.go
new file mode 100644
index 0000000000..8130366128
--- /dev/null
+++ b/vault/external_tests/blackbox/secrets/secrets_transit_test.go
@@ -0,0 +1,158 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package secrets
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestTransitSecretsEngineCreate tests Transit secrets engine creation and basic operations
+func TestTransitSecretsEngineCreate(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	testTransitSecretsCreate(t, v)
+}
+
+// TestTransitSecretsEngineRead tests Transit secrets engine read operations
+func TestTransitSecretsEngineRead(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	testTransitSecretsRead(t, v)
+}
+
+// TestTransitSecretsEngineDelete tests Transit secrets engine delete operations
+func TestTransitSecretsEngineDelete(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Verify we have a healthy cluster first
+	v.AssertClusterHealthy()
+
+	testTransitSecretsDelete(t, v)
+}
+
+// Transit Secrets Engine Test Implementation Functions
+
+func testTransitSecretsCreate(t *testing.T, v *blackbox.Session) {
+	// Enable transit secrets engine
+	v.MustEnableSecretsEngine("transit", &api.MountInput{Type: "transit"})
+
+	// Create an encryption key
+	keyName := "test-key"
+	v.MustWrite("transit/keys/"+keyName, map[string]any{
+		"type": "aes256-gcm96",
+	})
+
+	// Verify the key was created by reading it
+	keyInfo := v.MustRead("transit/keys/" + keyName)
+	if keyInfo.Data == nil {
+		t.Fatal("Expected to read key configuration")
+	}
+
+	// Verify key type
+	if keyType, ok := keyInfo.Data["type"]; !ok || keyType != "aes256-gcm96" {
+		t.Fatalf("Expected key type 'aes256-gcm96', got: %v", keyInfo.Data["type"])
+	}
+
+	// Test encryption
+	plaintext := "dGhlIHF1aWNrIGJyb3duIGZveA==" // base64 encoded "the quick brown fox"
+	encryptResp := v.MustWrite("transit/encrypt/"+keyName, map[string]any{
+		"plaintext": plaintext,
+	})
+
+	if encryptResp.Data == nil || encryptResp.Data["ciphertext"] == nil {
+		t.Fatal("Expected ciphertext in encryption response")
+	}
+
+	ciphertext := encryptResp.Data["ciphertext"].(string)
+	t.Logf("Encrypted ciphertext: %s", ciphertext[:20]+"...")
+
+	// Test decryption
+	decryptResp := v.MustWrite("transit/decrypt/"+keyName, map[string]any{
+		"ciphertext": ciphertext,
+	})
+
+	if decryptResp.Data == nil || decryptResp.Data["plaintext"] == nil {
+		t.Fatal("Expected plaintext in decryption response")
+	}
+
+	decryptedText := decryptResp.Data["plaintext"].(string)
+	if decryptedText != plaintext {
+		t.Fatalf("Decrypted text doesn't match original. Expected: %s, Got: %s", plaintext, decryptedText)
+	}
+
+	t.Log("Successfully created transit secrets engine and tested encryption/decryption")
+}
+
+func testTransitSecretsRead(t *testing.T, v *blackbox.Session) {
+	// Enable transit secrets engine with unique mount
+	v.MustEnableSecretsEngine("transit-read", &api.MountInput{Type: "transit"})
+
+	// Create an encryption key
+	keyName := "read-test-key"
+	v.MustWrite("transit-read/keys/"+keyName, map[string]any{
+		"type":       "aes256-gcm96",
+		"exportable": false,
+	})
+
+	// Read the key configuration
+	keyInfo := v.MustRead("transit-read/keys/" + keyName)
+	if keyInfo.Data == nil {
+		t.Fatal("Expected to read key configuration")
+	}
+
+	// Verify key properties
+	assertions := v.AssertSecret(keyInfo)
+	assertions.Data().
+		HasKey("type", "aes256-gcm96").
+		HasKey("exportable", false).
+		HasKeyExists("keys").
+		HasKeyExists("latest_version")
+
+	t.Log("Successfully read transit secrets engine key configuration")
+}
+
+func testTransitSecretsDelete(t *testing.T, v *blackbox.Session) {
+	// Enable transit secrets engine with unique mount
+	v.MustEnableSecretsEngine("transit-delete", &api.MountInput{Type: "transit"})
+
+	// Create an encryption key
+	keyName := "delete-test-key"
+	v.MustWrite("transit-delete/keys/"+keyName, map[string]any{
+		"type": "aes256-gcm96",
+	})
+
+	// Verify the key exists
+	keyInfo := v.MustRead("transit-delete/keys/" + keyName)
+	if keyInfo.Data == nil {
+		t.Fatal("Expected key to exist before deletion")
+	}
+
+	// Configure the key to allow deletion (transit keys require this)
+	v.MustWrite("transit-delete/keys/"+keyName+"/config", map[string]any{
+		"deletion_allowed": true,
+	})
+
+	// Delete the key
+	_, err := v.Client.Logical().Delete("transit-delete/keys/" + keyName)
+	if err != nil {
+		t.Fatalf("Failed to delete transit key: %v", err)
+	}
+
+	// Verify the key is deleted by attempting to read it
+	readSecret, err := v.Client.Logical().Read("transit-delete/keys/" + keyName)
+	if err == nil && readSecret != nil {
+		t.Fatal("Expected key to be deleted, but it still exists")
+	}
+
+	t.Logf("Successfully deleted transit key: %s", keyName)
+}
diff --git a/vault/external_tests/blackbox/secrets_engines_test.go b/vault/external_tests/blackbox/secrets_engines_test.go
deleted file mode 100644
index 72f1d7edd3..0000000000
--- a/vault/external_tests/blackbox/secrets_engines_test.go
+++ /dev/null
@@ -1,289 +0,0 @@
-// Copyright IBM Corp. 2025, 2026
-// SPDX-License-Identifier: BUSL-1.1
-
-package blackbox
-
-import (
-	"testing"
-
-	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
-)
-
-// TestSecretsEngineCreate tests creation/setup of various secrets engines
-func TestSecretsEngineCreate(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy cluster first
-	v.AssertClusterHealthy()
-
-	// KV secrets engine tests are now in kvv2_test.go - just test basic enablement here
-	t.Run("KVSecrets", func(t *testing.T) {
-		SetupKVEngine(v, "kv-create")
-		// Write and read test data to verify engine works
-		v.MustWriteKV2("kv-create", "test/path", StandardKVData)
-		secret := v.MustReadKV2("kv-create", "test/path")
-		AssertKVData(t, v, secret, StandardKVData)
-		t.Log("Successfully created and tested KV secrets engine")
-	})
-
-	// Stub out remaining secret engine creation tests
-	t.Run("PKISecrets", func(t *testing.T) {
-		t.Skip("PKI secrets engine create test - implementation pending")
-	})
-
-	t.Run("SSHSecrets", func(t *testing.T) {
-		t.Skip("SSH secrets engine create test - implementation pending")
-	})
-
-	t.Run("IdentitySecrets", func(t *testing.T) {
-		t.Skip("Identity secrets engine create test - implementation pending")
-	})
-
-	t.Run("AWSSecrets", func(t *testing.T) {
-		t.Skip("AWS secrets engine create test - implementation pending")
-	})
-
-	t.Run("LDAPSecrets", func(t *testing.T) {
-		t.Skip("LDAP secrets engine create test - implementation pending")
-	})
-
-	t.Run("KMIPSecrets", func(t *testing.T) {
-		t.Skip("KMIP secrets engine create test - implementation pending")
-	})
-
-	t.Run("DatabaseSecrets", func(t *testing.T) {
-		t.Skip("Database secrets engine create test - implementation pending")
-	})
-
-	t.Run("TransitSecrets", func(t *testing.T) {
-		testTransitSecretsCreate(t, v)
-	})
-}
-
-// TestSecretsEngineRead tests read operations for various secrets engines
-func TestSecretsEngineRead(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy cluster first
-	v.AssertClusterHealthy()
-
-	// KV read tests are in kvv2_test.go - test basic read functionality here
-	t.Run("KVSecrets", func(t *testing.T) {
-		SetupKVEngine(v, "kv-read")
-		v.MustWriteKV2("kv-read", "read/test", AltKVData)
-		secret := v.MustReadKV2("kv-read", "read/test")
-		AssertKVData(t, v, secret, AltKVData)
-		t.Log("Successfully read KV secrets engine data")
-	})
-
-	// Stub out remaining secret engine read tests
-	t.Run("PKISecrets", func(t *testing.T) {
-		t.Skip("PKI secrets engine read test - implementation pending")
-	})
-
-	t.Run("SSHSecrets", func(t *testing.T) {
-		t.Skip("SSH secrets engine read test - implementation pending")
-	})
-
-	t.Run("IdentitySecrets", func(t *testing.T) {
-		t.Skip("Identity secrets engine read test - implementation pending")
-	})
-
-	t.Run("AWSSecrets", func(t *testing.T) {
-		t.Skip("AWS secrets engine read test - implementation pending")
-	})
-
-	t.Run("LDAPSecrets", func(t *testing.T) {
-		t.Skip("LDAP secrets engine read test - implementation pending")
-	})
-
-	t.Run("KMIPSecrets", func(t *testing.T) {
-		t.Skip("KMIP secrets engine read test - implementation pending")
-	})
-
-	t.Run("DatabaseSecrets", func(t *testing.T) {
-		t.Skip("Database secrets engine read test - implementation pending")
-	})
-
-	t.Run("TransitSecrets", func(t *testing.T) {
-		t.Skip("Transit secrets engine read test - implementation pending")
-	})
-}
-
-// TestSecretsEngineDelete tests delete operations for various secrets engines
-func TestSecretsEngineDelete(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy cluster first
-	v.AssertClusterHealthy()
-
-	// KV delete tests are in kvv2_test.go - test basic delete functionality here
-	t.Run("KVSecrets", func(t *testing.T) {
-		SetupKVEngine(v, "kv-delete")
-
-		// Write test data
-		v.MustWriteKV2("kv-delete", "delete/test", StandardKVData)
-
-		// Verify it exists
-		secret := v.MustReadKV2("kv-delete", "delete/test")
-		AssertKVData(t, v, secret, StandardKVData)
-
-		// Delete using KV v2 delete endpoint
-		v.MustWrite("kv-delete/delete/delete/test", map[string]any{
-			"versions": []int{1},
-		})
-
-		t.Log("Successfully deleted KV secrets engine data")
-	})
-
-	// Stub out remaining secret engine delete tests
-	t.Run("PKISecrets", func(t *testing.T) {
-		t.Skip("PKI secrets engine delete test - implementation pending")
-	})
-
-	t.Run("SSHSecrets", func(t *testing.T) {
-		t.Skip("SSH secrets engine delete test - implementation pending")
-	})
-
-	t.Run("IdentitySecrets", func(t *testing.T) {
-		t.Skip("Identity secrets engine delete test - implementation pending")
-	})
-
-	t.Run("AWSSecrets", func(t *testing.T) {
-		t.Skip("AWS secrets engine delete test - implementation pending")
-	})
-
-	t.Run("LDAPSecrets", func(t *testing.T) {
-		t.Skip("LDAP secrets engine delete test - implementation pending")
-	})
-
-	t.Run("KMIPSecrets", func(t *testing.T) {
-		t.Skip("KMIP secrets engine delete test - implementation pending")
-	})
-
-	t.Run("DatabaseSecrets", func(t *testing.T) {
-		t.Skip("Database secrets engine delete test - implementation pending")
-	})
-
-	t.Run("TransitSecrets", func(t *testing.T) {
-		testTransitSecretsDelete(t, v)
-	})
-}
-
-// Transit Secrets Engine Test Implementation Functions
-
-func testTransitSecretsCreate(t *testing.T, v *blackbox.Session) {
-	// Enable transit secrets engine
-	v.MustEnableSecretsEngine("transit", &api.MountInput{Type: "transit"})
-
-	// Create an encryption key
-	keyName := "test-key"
-	v.MustWrite("transit/keys/"+keyName, map[string]any{
-		"type": "aes256-gcm96",
-	})
-
-	// Verify the key was created by reading it
-	keyInfo := v.MustRead("transit/keys/" + keyName)
-	if keyInfo.Data == nil {
-		t.Fatal("Expected to read key configuration")
-	}
-
-	// Verify key type
-	if keyType, ok := keyInfo.Data["type"]; !ok || keyType != "aes256-gcm96" {
-		t.Fatalf("Expected key type 'aes256-gcm96', got: %v", keyInfo.Data["type"])
-	}
-
-	// Test encryption
-	plaintext := "dGhlIHF1aWNrIGJyb3duIGZveA==" // base64 encoded "the quick brown fox"
-	encryptResp := v.MustWrite("transit/encrypt/"+keyName, map[string]any{
-		"plaintext": plaintext,
-	})
-
-	if encryptResp.Data == nil || encryptResp.Data["ciphertext"] == nil {
-		t.Fatal("Expected ciphertext in encryption response")
-	}
-
-	ciphertext := encryptResp.Data["ciphertext"].(string)
-	t.Logf("Encrypted ciphertext: %s", ciphertext[:20]+"...")
-
-	// Test decryption
-	decryptResp := v.MustWrite("transit/decrypt/"+keyName, map[string]any{
-		"ciphertext": ciphertext,
-	})
-
-	if decryptResp.Data == nil || decryptResp.Data["plaintext"] == nil {
-		t.Fatal("Expected plaintext in decryption response")
-	}
-
-	decryptedText := decryptResp.Data["plaintext"].(string)
-	if decryptedText != plaintext {
-		t.Fatalf("Decrypted text doesn't match original. Expected: %s, Got: %s", plaintext, decryptedText)
-	}
-
-	t.Log("Successfully created transit secrets engine and tested encryption/decryption")
-}
-
-func testTransitSecretsRead(t *testing.T, v *blackbox.Session) {
-	// Enable transit secrets engine with unique mount
-	v.MustEnableSecretsEngine("transit-read", &api.MountInput{Type: "transit"})
-
-	// Create an encryption key
-	keyName := "read-test-key"
-	v.MustWrite("transit-read/keys/"+keyName, map[string]any{
-		"type":       "aes256-gcm96",
-		"exportable": false,
-	})
-
-	// Read the key configuration
-	keyInfo := v.MustRead("transit-read/keys/" + keyName)
-	if keyInfo.Data == nil {
-		t.Fatal("Expected to read key configuration")
-	}
-
-	// Verify key properties
-	assertions := v.AssertSecret(keyInfo)
-	assertions.Data().
-		HasKey("type", "aes256-gcm96").
-		HasKey("exportable", false).
-		HasKeyExists("keys").
-		HasKeyExists("latest_version")
-
-	t.Log("Successfully read transit secrets engine key configuration")
-}
-
-func testTransitSecretsDelete(t *testing.T, v *blackbox.Session) {
-	// Enable transit secrets engine with unique mount
-	v.MustEnableSecretsEngine("transit-delete", &api.MountInput{Type: "transit"})
-
-	// Create an encryption key
-	keyName := "delete-test-key"
-	v.MustWrite("transit-delete/keys/"+keyName, map[string]any{
-		"type": "aes256-gcm96",
-	})
-
-	// Verify the key exists
-	keyInfo := v.MustRead("transit-delete/keys/" + keyName)
-	if keyInfo.Data == nil {
-		t.Fatal("Expected key to exist before deletion")
-	}
-
-	// Configure the key to allow deletion (transit keys require this)
-	v.MustWrite("transit-delete/keys/"+keyName+"/config", map[string]any{
-		"deletion_allowed": true,
-	})
-
-	// Delete the key
-	_, err := v.Client.Logical().Delete("transit-delete/keys/" + keyName)
-	if err != nil {
-		t.Fatalf("Failed to delete transit key: %v", err)
-	}
-
-	// Verify the key is deleted by attempting to read it
-	readSecret, err := v.Client.Logical().Read("transit-delete/keys/" + keyName)
-	if err == nil && readSecret != nil {
-		t.Fatal("Expected key to be deleted, but it still exists")
-	}
-
-	t.Logf("Successfully deleted transit key: %s", keyName)
-}
diff --git a/vault/external_tests/blackbox/smoke_test.go b/vault/external_tests/blackbox/smoke_test.go
deleted file mode 100644
index 461cab6d32..0000000000
--- a/vault/external_tests/blackbox/smoke_test.go
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright IBM Corp. 2025, 2026
-// SPDX-License-Identifier: BUSL-1.1
-
-package blackbox
-
-import (
-	"testing"
-
-	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
-)
-
-// TestEnosSmoke performs comprehensive smoke testing for Enos scenarios,
-// verifying cluster health, replication status, raft stability, and basic
-// KV operations with authentication. This test validates core functionality.
-func TestEnosSmoke(t *testing.T) {
-	v := blackbox.New(t)
-
-	v.AssertUnsealedAny()
-	v.AssertDRReplicationStatus("primary")
-	v.AssertPerformanceReplicationStatus("disabled")
-	v.AssertRaftStable(3, false)
-	v.AssertRaftHealthy()
-
-	// Setup using common utilities
-	bob := SetupStandardKVUserpass(v, "secret", "bob", "lol")
-
-	// Write and verify standard test data
-	v.MustWriteKV2("secret", "app-config", StandardKVData)
-
-	secret := bob.MustReadKV2("secret", "app-config")
-	AssertKVData(t, bob, secret, StandardKVData)
-}
-
-// TestStepdownAndLeaderElection tests raft leadership changes by forcing the current
-// leader to step down and verifying that a new leader is elected successfully,
-// while ensuring the cluster remains healthy throughout the process.
-func TestStepdownAndLeaderElection(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy raft cluster first
-	v.AssertRaftClusterHealthy()
-
-	// Check cluster size to determine expected behavior
-	nodeCount := v.GetClusterNodeCount()
-	t.Logf("Cluster has %d nodes", nodeCount)
-
-	// Get current leader before step down
-	initialLeader := v.MustGetCurrentLeader()
-	t.Logf("Initial leader: %s", initialLeader)
-
-	// Force leader to step down
-	v.MustStepDownLeader()
-
-	// Wait for new leader election (with timeout)
-	v.WaitForNewLeader(initialLeader, 120)
-
-	// Verify cluster is still healthy after leader change/recovery
-	v.AssertRaftClusterHealthy()
-
-	// For multi-node clusters, verify new leader is different from initial leader
-	// For single-node clusters, just verify it's healthy again
-	newLeader := v.MustGetCurrentLeader()
-	if nodeCount > 1 {
-		if newLeader == initialLeader {
-			t.Fatalf("Expected new leader to be different from initial leader %s, got %s", initialLeader, newLeader)
-		}
-		t.Logf("Successfully elected new leader: %s (was: %s)", newLeader, initialLeader)
-	} else {
-		t.Logf("Single-node cluster successfully recovered with leader: %s", newLeader)
-	}
-}
diff --git a/vault/external_tests/blackbox/system/billing_test.go b/vault/external_tests/blackbox/system/billing_test.go
new file mode 100644
index 0000000000..47cfb701e3
--- /dev/null
+++ b/vault/external_tests/blackbox/system/billing_test.go
@@ -0,0 +1,65 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package system
+
+import (
+	"context"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	"github.com/stretchr/testify/require"
+)
+
+// TestBillingOverviewNamespaceRestrictions verifies that sys/billing/overview
+// returns appropriate errors when called from different namespace levels in HVD.
+// In HVD, tests run in admin/bbsdk-xxxxx, and this test verifies:
+// - Calling from base namespace (admin) works
+// - Calling from root namespace (empty) returns "permission denied"
+func TestBillingOverviewNamespaceRestrictions(t *testing.T) {
+	v := blackbox.New(t)
+
+	// Check if we're in HVD (has base namespace from VAULT_NAMESPACE)
+	baseNS := v.GetParentNamespace()
+	if baseNS == "" {
+		t.Skip("Skipping namespace restriction tests - no base namespace configured (not in HVD)")
+	}
+
+	// Verify cluster stability first
+	v.AssertClusterHealthy()
+
+	testCases := map[string]struct {
+		namespaceSwitcher func(func() (*api.Secret, error)) (*api.Secret, error)
+		expectedError     string
+	}{
+		"base_namespace_supported": {
+			namespaceSwitcher: v.WithParentNamespace,
+		},
+		"root_namespace_supported": {
+			namespaceSwitcher: v.WithRootNamespace,
+			expectedError:     "permission denied",
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			var rawResp *api.Response
+			var err error
+			_, err = tc.namespaceSwitcher(func() (*api.Secret, error) {
+				var readErr error
+				rawResp, readErr = v.Client.Logical().ReadRawWithContext(context.Background(), "sys/billing/overview")
+				if readErr != nil {
+					return nil, readErr
+				}
+				// Parse the raw response to get the error
+				return v.Client.Logical().ParseRawResponseAndCloseBody(rawResp, nil)
+			})
+			if tc.expectedError != "" {
+				require.ErrorContains(t, err, tc.expectedError)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/vault/external_tests/blackbox/system_test.go b/vault/external_tests/blackbox/system_test.go
deleted file mode 100644
index 70433696c7..0000000000
--- a/vault/external_tests/blackbox/system_test.go
+++ /dev/null
@@ -1,105 +0,0 @@
-// Copyright IBM Corp. 2025, 2026
-// SPDX-License-Identifier: BUSL-1.1
-
-package blackbox
-
-import (
-	"testing"
-
-	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
-)
-
-// TestUnsealedStatus verifies that the Vault cluster is unsealed and healthy
-func TestUnsealedStatus(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify the cluster is unsealed
-	v.AssertUnsealedAny()
-
-	t.Log("Successfully verified Vault cluster is unsealed")
-}
-
-// TestVaultVersion verifies Vault version endpoint accessibility and response
-func TestVaultVersion(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Read the sys/seal-status endpoint which should contain version info
-	sealStatus := v.MustRead("sys/seal-status")
-	if sealStatus.Data["version"] == nil {
-		t.Fatal("Could not retrieve version from sys/seal-status")
-	}
-
-	t.Logf("Vault version: %v", sealStatus.Data["version"])
-}
-
-// TestRaftVoters verifies that all nodes in the raft cluster are voters
-func TestRaftVoters(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Verify we have a healthy cluster regardless of node count
-	v.AssertClusterHealthy()
-
-	t.Log("Successfully verified raft cluster is healthy with at least one voter")
-}
-
-// TestReplicationStatus verifies replication status for both DR and performance replication
-func TestReplicationStatus(t *testing.T) {
-	v := blackbox.New(t)
-
-	// Read replication status with proper nil checks
-	drStatus := v.MustRead("sys/replication/dr/status")
-	if drStatus == nil || drStatus.Data == nil {
-		t.Log("DR replication not available or not configured - skipping DR replication check")
-	} else {
-		if drMode, ok := drStatus.Data["mode"]; ok {
-			t.Logf("DR replication mode: %v", drMode)
-		} else {
-			t.Log("DR replication mode not available")
-		}
-	}
-
-	prStatus := v.MustRead("sys/replication/performance/status")
-	if prStatus == nil || prStatus.Data == nil {
-		t.Log("Performance replication not available or not configured - skipping performance replication check")
-	} else {
-		if prMode, ok := prStatus.Data["mode"]; ok {
-			t.Logf("Performance replication mode: %v", prMode)
-		} else {
-			t.Log("Performance replication mode not available")
-		}
-	}
-
-	t.Log("Successfully verified replication status endpoints are accessible")
-}
-
-// TestUIAssets verifies that the Vault UI is accessible
-func TestUIAssets(t *testing.T) {
-	v := blackbox.New(t)
-
-	// This is a stub - in a real implementation, you would verify UI assets are accessible
-	// For now, just verify the UI endpoint is available by checking sys/internal/ui/mounts
-	uiMounts := v.MustRead("sys/internal/ui/mounts")
-	if uiMounts == nil || uiMounts.Data == nil {
-		t.Fatal("Could not access UI mounts endpoint")
-	}
-
-	t.Log("Successfully verified UI assets are accessible")
-}
-
-// TestLogSecrets is a stub for log secrets verification
-func TestLogSecrets(t *testing.T) {
-	// This is a stub for log secrets verification
-	// In a real implementation, you would check audit logs for proper secret handling
-	t.Skip("Log secrets verification - implementation pending")
-}
-
-// TestNodeRemovalAndRejoin tests raft node removal and rejoin capabilities
-func TestNodeRemovalAndRejoin(t *testing.T) {
-	v := blackbox.New(t)
-
-	// This is a stub for node removal and rejoin testing
-	// In a real implementation, you would test raft node removal and rejoin
-	v.AssertClusterHealthy()
-
-	t.Log("Successfully verified raft cluster stability for node operations")
-}
diff --git a/vault/external_tests/blackbox/verify/replication_test.go b/vault/external_tests/blackbox/verify/replication_test.go
new file mode 100644
index 0000000000..d451670fd8
--- /dev/null
+++ b/vault/external_tests/blackbox/verify/replication_test.go
@@ -0,0 +1,71 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build testonly
+
+package verify
+
+import (
+	"os"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestReplicationAvailability verifies replication status based on Vault edition.
+// For CE: replication mode should be "disabled"
+// For ENT: DR and performance replication should be available
+func TestReplicationAvailability(t *testing.T) {
+	v := blackbox.New(t)
+
+	edition := os.Getenv("VAULT_EDITION")
+	if edition == "" {
+		t.Skip("VAULT_EDITION not set, skipping edition-specific replication checks")
+	}
+
+	// Read overall replication status (must use root namespace)
+	status, err := v.WithRootNamespace(func() (*api.Secret, error) {
+		return v.Client.Logical().Read("sys/replication/status")
+	})
+	if err != nil {
+		t.Fatalf("Failed to read replication status: %v", err)
+	}
+	if status == nil || status.Data == nil {
+		t.Fatal("Failed to read replication status: response was nil")
+	}
+
+	// Log the full status for debugging
+	t.Logf("Replication status for edition %s: %+v", edition, status.Data)
+
+	if edition == "ce" {
+		// For CE, replication mode should be disabled
+		mode, ok := status.Data["mode"].(string)
+		if !ok {
+			t.Fatal("replication mode field not found or not a string")
+		}
+		if mode != "disabled" {
+			t.Fatalf("replication data mode is not disabled for CE release! Got: %s", mode)
+		}
+		t.Log("Successfully verified replication is disabled for CE edition")
+	} else {
+		// For ENT, DR and performance replication should be available
+		drData, drOk := status.Data["dr"]
+		if !drOk {
+			t.Fatalf("DR replication field not found for ENT release %s! Full status: %+v", edition, status.Data)
+		}
+		if drData == nil {
+			t.Fatalf("DR replication data is nil for ENT release %s! Full status: %+v", edition, status.Data)
+		}
+
+		perfData, perfOk := status.Data["performance"]
+		if !perfOk {
+			t.Fatalf("Performance replication field not found for ENT release %s! Full status: %+v", edition, status.Data)
+		}
+		if perfData == nil {
+			t.Fatalf("Performance replication data is nil for ENT release %s! Full status: %+v", edition, status.Data)
+		}
+
+		t.Logf("Successfully verified DR and performance replication are available for %s edition", edition)
+	}
+}
diff --git a/vault/external_tests/blackbox/verify/undo_logs_test.go b/vault/external_tests/blackbox/verify/undo_logs_test.go
new file mode 100644
index 0000000000..a4b29ceeae
--- /dev/null
+++ b/vault/external_tests/blackbox/verify/undo_logs_test.go
@@ -0,0 +1,63 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package verify
+
+import (
+	"os"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+)
+
+// TestVaultUndoLogsMetric verifies the vault.core.replication.write_undo_logs gauge metric
+// This test runs from CI/GitHub runners and connects to the Vault cluster via API
+func TestVaultUndoLogsMetric(t *testing.T) {
+	t.Parallel()
+
+	// Read required environment variables
+	expectedStateStr := os.Getenv("EXPECTED_STATE")
+	if expectedStateStr == "" {
+		t.Fatal("EXPECTED_STATE environment variable is required")
+	}
+
+	expectedState, err := strconv.ParseFloat(expectedStateStr, 64)
+	if err != nil {
+		t.Fatalf("Failed to parse EXPECTED_STATE: %v", err)
+	}
+
+	// Validate expected state is 0 or 1
+	if expectedState != 0 && expectedState != 1 {
+		t.Fatalf("EXPECTED_STATE must be 0 or 1, got: %.0f", expectedState)
+	}
+
+	timeoutStr := os.Getenv("TIMEOUT_SECONDS")
+	if timeoutStr == "" {
+		t.Fatal("TIMEOUT_SECONDS environment variable is required")
+	}
+
+	timeoutSeconds, err := strconv.Atoi(timeoutStr)
+	if err != nil {
+		t.Fatalf("Failed to parse TIMEOUT_SECONDS: %v", err)
+	}
+
+	retryIntervalStr := os.Getenv("RETRY_INTERVAL")
+	if retryIntervalStr == "" {
+		t.Fatal("RETRY_INTERVAL environment variable is required")
+	}
+
+	retryIntervalSeconds, err := strconv.Atoi(retryIntervalStr)
+	if err != nil {
+		t.Fatalf("Failed to parse RETRY_INTERVAL: %v", err)
+	}
+
+	timeout := time.Duration(timeoutSeconds) * time.Second
+	retryInterval := time.Duration(retryIntervalSeconds) * time.Second
+
+	v := blackbox.New(t)
+
+	// Verify the undo logs metric has the expected value
+	v.AssertMetricGaugeValue("vault.core.replication.write_undo_logs", expectedState, timeout, retryInterval)
+}
diff --git a/vault/external_tests/blackbox/verify/version_verification_test.go b/vault/external_tests/blackbox/verify/version_verification_test.go
new file mode 100644
index 0000000000..e5557b66fe
--- /dev/null
+++ b/vault/external_tests/blackbox/verify/version_verification_test.go
@@ -0,0 +1,40 @@
+// Copyright IBM Corp. 2025, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package verify
+
+import (
+	"os"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/testcluster/blackbox"
+	"github.com/stretchr/testify/require"
+)
+
+// TestVaultServerVersion verifies the Vault server version via sys/version-history API
+// This test runs from CI/GitHub runners and connects to the Vault cluster via API
+func TestVaultServerVersion(t *testing.T) {
+	t.Parallel()
+
+	version := os.Getenv("VAULT_VERSION")
+	if version == "" {
+		t.Fatal("VAULT_VERSION environment variable is required")
+	}
+
+	buildDate := os.Getenv("VAULT_BUILD_DATE")
+	if buildDate == "" {
+		t.Fatal("VAULT_BUILD_DATE environment variable is required")
+	}
+
+	v := blackbox.New(t)
+	replicationMode, err := v.GetDRReplicationMode()
+	require.NoError(t, err)
+	t.Logf("Found DR Replication mode: %s", replicationMode)
+	switch replicationMode {
+	case "primary", "secondary":
+		t.Skip("Skipping server version check on DR cluster as path is not available in that mode")
+	default:
+		v.AssertVersion(version)
+		v.AssertBuildDate(version, buildDate)
+	}
+}
diff --git a/vault/external_tests/consul_fencing_binary/consul_fencing_test.go b/vault/external_tests/consul_fencing_binary/consul_fencing_test.go
index 3faf0039b5..793f9434df 100644
--- a/vault/external_tests/consul_fencing_binary/consul_fencing_test.go
+++ b/vault/external_tests/consul_fencing_binary/consul_fencing_test.go
@@ -15,7 +15,7 @@ import (
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/helper/testhelpers/consul"
-	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/testimages"
 	"github.com/hashicorp/vault/sdk/helper/testcluster"
 	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
 	"github.com/stretchr/testify/require"
@@ -34,27 +34,19 @@ func TestConsulFencing_PartitionedLeaderCantWrite(t *testing.T) {
 
 	consulStorage := consul.NewClusterStorage()
 
-	// Create  cluster logger that will write cluster logs to a file in CI.
-	logger := corehelpers.NewTestLogger(t)
-	logger.SetLevel(hclog.Trace)
-
 	clusterOpts := docker.DefaultOptions(t)
-	// We can use an enterprise image here because we are swapping out the binary anyway.
-	clusterOpts.ImageRepo = "hashicorp/vault-enterprise"
-	clusterOpts.ClusterOptions.Logger = logger
+	clusterOpts.VaultBinary = ""
+	clusterOpts.ImageRepo, clusterOpts.ImageTag = testimages.GetImageRepoAndTag(t, false)
 
 	clusterOpts.Storage = consulStorage
 
-	logger.Info("==> starting cluster")
 	c, err := docker.NewDockerCluster(ctx, clusterOpts)
 	require.NoError(t, err)
-	logger.Info("  ✅ done.", "root_token", c.GetRootToken(),
-		"consul_token", consulStorage.Config().Token)
-
-	logger.Info("==> waiting for leader")
 	leaderIdx, err := testcluster.WaitForActiveNode(ctx, c)
 	require.NoError(t, err)
 
+	logger := c.Logger.Named("test")
+
 	leader := c.Nodes()[leaderIdx]
 	leaderClient := leader.APIClient()
 
@@ -64,7 +56,6 @@ func TestConsulFencing_PartitionedLeaderCantWrite(t *testing.T) {
 	}
 
 	// Mount a KV v2 backend
-	logger.Info("==> mounting KV")
 	err = leaderClient.Sys().Mount("/test", &api.MountInput{
 		Type: "kv-v2",
 	})
@@ -300,7 +291,6 @@ func waitForKVv2Upgrade(t *testing.T, ctx context.Context, client *api.Client, p
 		if err == nil {
 			return
 		}
-		t.Logf("waitForKVv2Upgrade: write failed: %s", err)
 		select {
 		case <-ctx.Done():
 			t.Fatalf("context cancelled waiting for KVv2 (%s) upgrade to complete: %s",
diff --git a/vault/external_tests/delegated_auth/delegated_auth_test.go b/vault/external_tests/delegated_auth/delegated_auth_test.go
index c33914997f..407ee1f811 100644
--- a/vault/external_tests/delegated_auth/delegated_auth_test.go
+++ b/vault/external_tests/delegated_auth/delegated_auth_test.go
@@ -139,8 +139,6 @@ func TestDelegatedAuth(t *testing.T) {
 	}
 
 	cluster := minimal.NewTestSoloCluster(t, coreConfig)
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	client := testhelpers.WaitForActiveNode(t, cluster).Client
 
diff --git a/vault/external_tests/hcp_link/hcp_link_test.go b/vault/external_tests/hcp_link/hcp_link_test.go
index 66632eb61b..43e188a2d2 100644
--- a/vault/external_tests/hcp_link/hcp_link_test.go
+++ b/vault/external_tests/hcp_link/hcp_link_test.go
@@ -12,7 +12,6 @@ import (
 
 func TestHCPLinkConnected(t *testing.T) {
 	cluster := getTestCluster(t, 2)
-	defer cluster.Cleanup()
 
 	vaultHCPLink, _ := TestClusterWithHCPLinkEnabled(t, cluster, false, false)
 	defer vaultHCPLink.Cleanup()
@@ -25,9 +24,7 @@ func TestHCPLinkConnected(t *testing.T) {
 func TestHCPLinkNotConfigured(t *testing.T) {
 	t.Parallel()
 	cluster := getTestCluster(t, 2)
-	defer cluster.Cleanup()
 
-	cluster.Start()
 	core := cluster.Cores[0].Core
 	vault.TestWaitActive(t, core)
 
diff --git a/vault/external_tests/hcp_link/test_helpers.go b/vault/external_tests/hcp_link/test_helpers.go
index 3befd86d4e..14111e7bb8 100644
--- a/vault/external_tests/hcp_link/test_helpers.go
+++ b/vault/external_tests/hcp_link/test_helpers.go
@@ -103,8 +103,6 @@ func TestClusterWithHCPLinkEnabled(t *testing.T, cluster *vault.TestCluster, ena
 	}
 	hcpLinkIns := NewVaultHCPLinkInstances()
 
-	cluster.Start()
-
 	core := cluster.Cores[0].Core
 	vault.TestWaitActive(t, core)
 
diff --git a/vault/external_tests/identity/entities_test.go b/vault/external_tests/identity/entities_test.go
index 5d905d6d93..760b7cbd9b 100644
--- a/vault/external_tests/identity/entities_test.go
+++ b/vault/external_tests/identity/entities_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/helper/testhelpers/minimal"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
 )
 
 func TestIdentityStore_EntityDisabled(t *testing.T) {
@@ -353,3 +354,79 @@ func TestIdentityStore_EntityPoliciesInInitialAuth(t *testing.T) {
 		t.Fatalf("policy mismatch, got policies: %v", policies)
 	}
 }
+
+// TestIdentity_EntityMerge_RequiresSudo verifies the identity entity merge API endpoint requires the sudo capability (in addition to update) when called via the HTTP API.
+func TestIdentity_EntityMerge_RequiresSudo(t *testing.T) {
+	t.Parallel()
+
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+	rootToken := client.Token()
+
+	// Create two entities as root to merge.
+	toEnt, err := client.Logical().Write("identity/entity", nil)
+	require.NoError(t, err)
+	require.NotNil(t, toEnt)
+	toID, ok := toEnt.Data["id"].(string)
+	require.True(t, ok)
+	require.NotEmpty(t, toID)
+
+	fromEnt, err := client.Logical().Write("identity/entity", nil)
+	require.NoError(t, err)
+	require.NotNil(t, fromEnt)
+	fromID, ok := fromEnt.Data["id"].(string)
+	require.True(t, ok)
+	require.NotEmpty(t, fromID)
+
+	// Token with update but without sudo should be denied.
+	require.NoError(t, client.Sys().PutPolicy("identity-merge-no-sudo", `
+path "identity/entity/merge" {
+  capabilities = ["update"]
+}
+`))
+
+	noSudoTok, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"identity-merge-no-sudo"},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, noSudoTok)
+	require.NotNil(t, noSudoTok.Auth)
+	require.NotEmpty(t, noSudoTok.Auth.ClientToken)
+
+	client.SetToken(noSudoTok.Auth.ClientToken)
+	_, err = client.Logical().Write("identity/entity/merge", map[string]interface{}{
+		"to_entity_id":    toID,
+		"from_entity_ids": []string{fromID},
+	})
+	require.Error(t, err)
+	require.ErrorContains(t, err, logical.ErrPermissionDenied.Error())
+
+	// Token with update+sudo should succeed.
+	client.SetToken(rootToken)
+	require.NoError(t, client.Sys().PutPolicy("identity-merge-with-sudo", `
+path "identity/entity/merge" {
+  capabilities = ["update", "sudo"]
+}
+`))
+
+	sudoTok, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"identity-merge-with-sudo"},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, sudoTok)
+	require.NotNil(t, sudoTok.Auth)
+	require.NotEmpty(t, sudoTok.Auth.ClientToken)
+
+	client.SetToken(sudoTok.Auth.ClientToken)
+	_, err = client.Logical().Write("identity/entity/merge", map[string]interface{}{
+		"to_entity_id":    toID,
+		"from_entity_ids": []string{fromID},
+	})
+	require.NoError(t, err)
+
+	// Verify the merge happened by checking the from entity was deleted.
+	client.SetToken(rootToken)
+	deleted, err := client.Logical().Read("identity/entity/id/" + fromID)
+	require.NoError(t, err)
+	require.Nil(t, deleted)
+}
diff --git a/vault/external_tests/identity/groups_test.go b/vault/external_tests/identity/groups_test.go
index e86709435e..aa0803d68a 100644
--- a/vault/external_tests/identity/groups_test.go
+++ b/vault/external_tests/identity/groups_test.go
@@ -7,8 +7,8 @@ import (
 	"testing"
 
 	"github.com/hashicorp/vault/api"
-	ldaphelper "github.com/hashicorp/vault/helper/testhelpers/ldap"
 	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/sdk/helper/docker"
 )
 
 func TestIdentityStore_ListGroupAlias(t *testing.T) {
@@ -153,7 +153,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
 	}
 	ldapMountAccessor1 := auths["ldap/"].Accessor
 
-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	// Configure LDAP auth
@@ -255,7 +255,7 @@ func TestIdentityStore_ExternalGroupMembershipsAcrossMounts(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	cleanup2, cfg2 := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup2, cfg2 := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup2()
 
 	// Configure LDAP auth
diff --git a/vault/external_tests/identity/identity_test.go b/vault/external_tests/identity/identity_test.go
index 7f45a8325a..1cf90eff14 100644
--- a/vault/external_tests/identity/identity_test.go
+++ b/vault/external_tests/identity/identity_test.go
@@ -4,7 +4,10 @@
 package identity
 
 import (
+	"context"
 	"fmt"
+	"maps"
+	"sync"
 	"testing"
 
 	"github.com/go-ldap/ldap/v3"
@@ -13,13 +16,38 @@ import (
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/helper/identity"
 	"github.com/hashicorp/vault/helper/namespace"
-	ldaphelper "github.com/hashicorp/vault/helper/testhelpers/ldap"
 	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/helper/ldaputil"
+	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
 	"github.com/stretchr/testify/require"
 )
 
+func testIdentityStoreWithGithubUserpassAuth(ctx context.Context, t *testing.T) (*vault.IdentityStore, string, string, *vault.TestClusterCore) {
+	t.Helper()
+
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	err := client.Sys().EnableAuthWithOptions("github", &api.EnableAuthOptions{Type: "github"})
+	require.NoError(t, err)
+
+	err = client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{Type: "userpass"})
+	require.NoError(t, err)
+
+	auth, err := client.Sys().ListAuth()
+	require.NoError(t, err)
+
+	githubAccessor := auth["github/"].Accessor
+	require.NotEmpty(t, githubAccessor)
+
+	userpassAccessor := auth["userpass/"].Accessor
+	require.NotEmpty(t, userpassAccessor)
+
+	return cluster.Cores[0].IdentityStore(), githubAccessor, userpassAccessor, cluster.Cores[0]
+}
+
 func TestIdentityStore_ExternalGroupMemberships_DifferentMounts(t *testing.T) {
 	t.Parallel()
 	cluster := minimal.NewTestSoloCluster(t, nil)
@@ -32,10 +60,10 @@ func TestIdentityStore_ExternalGroupMemberships_DifferentMounts(t *testing.T) {
 	require.NoError(t, err)
 	entityID := secret.Data["id"].(string)
 
-	cleanup, config1 := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup, config1 := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
-	cleanup2, config2 := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup2, config2 := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup2()
 
 	setupFunc := func(path string, cfg *ldaputil.ConfigEntry) string {
@@ -224,7 +252,7 @@ func TestIdentityStore_Integ_GroupAliases(t *testing.T) {
 		t.Fatalf("bad: group alias: %#v\n", aliasMap)
 	}
 
-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	// Configure LDAP auth
@@ -459,7 +487,7 @@ func TestIdentityStore_Integ_RemoveFromExternalGroup(t *testing.T) {
 		t.Fatalf("bad: group alias: %#v\n", aliasMap)
 	}
 
-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	// Configure LDAP auth
@@ -665,3 +693,195 @@ func findEntityFromDuplicateSet(t *testing.T, c *vault.TestClusterCore, entityID
 		"node %s does not have exactly one duplicate from the set", c.NodeID)
 	return entity
 }
+
+// TestIdentityStore_CreateOrFetchEntity_ConcurrentFastPath verifies concurrent
+// callers on the fast path all read the existing entity without creating new
+// entities or mutating alias metadata.
+func TestIdentityStore_CreateOrFetchEntity_ConcurrentFastPath(t *testing.T) {
+	ctx := namespace.RootContext(nil)
+	is, ghAccessor, _, _ := testIdentityStoreWithGithubUserpassAuth(ctx, t)
+
+	alias := &logical.Alias{
+		MountType:     "github",
+		MountAccessor: ghAccessor,
+		Name:          "githubuser",
+		Metadata: map[string]string{
+			"foo": "a",
+		},
+	}
+
+	entity, _, err := is.CreateOrFetchEntity(ctx, alias)
+	require.NoError(t, err)
+	require.NotNil(t, entity)
+
+	const workers = 16
+	var wg sync.WaitGroup
+	errCh := make(chan error, workers)
+
+	for range workers {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+
+			got, created, err := is.CreateOrFetchEntity(ctx, alias)
+			if err != nil {
+				errCh <- err
+				return
+			}
+			if created {
+				errCh <- fmt.Errorf("unexpected entity creation on fast path")
+				return
+			}
+			if got == nil {
+				errCh <- fmt.Errorf("expected entity on fast path")
+				return
+			}
+			if len(got.Aliases) != 1 {
+				errCh <- fmt.Errorf("expected 1 alias, got %d", len(got.Aliases))
+				return
+			}
+			if !maps.Equal(got.Aliases[0].Metadata, alias.Metadata) {
+				errCh <- fmt.Errorf("unexpected alias metadata: %#v", got.Aliases[0].Metadata)
+			}
+		}()
+	}
+
+	wg.Wait()
+	close(errCh)
+
+	for err := range errCh {
+		require.NoError(t, err)
+	}
+}
+
+// TestIdentityStore_CreateOrFetchEntity_ConcurrentMetadataUpdates verifies
+// concurrent readers and metadata updates for the same alias remain stable and
+// return a single-entity view.
+func TestIdentityStore_CreateOrFetchEntity_ConcurrentMetadataUpdates(t *testing.T) {
+	ctx := namespace.RootContext(nil)
+	is, ghAccessor, _, _ := testIdentityStoreWithGithubUserpassAuth(ctx, t)
+
+	newAlias := func(metadataValue string) *logical.Alias {
+		return &logical.Alias{
+			MountType:     "github",
+			MountAccessor: ghAccessor,
+			Name:          "githubuser",
+			Metadata: map[string]string{
+				"foo": metadataValue,
+			},
+		}
+	}
+
+	entity, _, err := is.CreateOrFetchEntity(ctx, newAlias("a"))
+	require.NoError(t, err)
+	require.NotNil(t, entity)
+
+	const workers = 8
+	const iterations = 100
+
+	start := make(chan struct{})
+	var wg sync.WaitGroup
+	errCh := make(chan error, workers*2)
+
+	for range workers {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			<-start
+
+			for range iterations {
+				got, _, err := is.CreateOrFetchEntity(ctx, newAlias("a"))
+				if err != nil {
+					errCh <- err
+					return
+				}
+				if got == nil {
+					errCh <- fmt.Errorf("expected entity from read path")
+					return
+				}
+				if len(got.Aliases) != 1 {
+					errCh <- fmt.Errorf("expected 1 alias, got %d", len(got.Aliases))
+					return
+				}
+			}
+		}()
+
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			<-start
+
+			for i := range iterations {
+				metadataValue := "b"
+				if i%2 == 0 {
+					metadataValue = "a"
+				}
+
+				got, _, err := is.CreateOrFetchEntity(ctx, newAlias(metadataValue))
+				if err != nil {
+					errCh <- err
+					return
+				}
+				if got == nil {
+					errCh <- fmt.Errorf("expected entity from update path")
+					return
+				}
+				if len(got.Aliases) != 1 {
+					errCh <- fmt.Errorf("expected 1 alias, got %d", len(got.Aliases))
+					return
+				}
+			}
+		}()
+	}
+
+	close(start)
+	wg.Wait()
+	close(errCh)
+
+	for err := range errCh {
+		require.NoError(t, err)
+	}
+}
+
+// TestIdentityStore_EntityByAliasFactors_BlackBoxCloneBehavior verifies
+// alias-based lookup and clone behavior using only exported identity store APIs.
+func TestIdentityStore_EntityByAliasFactors_BlackBoxCloneBehavior(t *testing.T) {
+	ctx := namespace.RootContext(nil)
+	is, ghAccessor, _, _ := testIdentityStoreWithGithubUserpassAuth(ctx, t)
+
+	loginAlias := &logical.Alias{
+		MountType:     "github",
+		MountAccessor: ghAccessor,
+		Name:          "githubuser",
+		Metadata: map[string]string{
+			"foo": "a",
+		},
+	}
+
+	createdEntity, _, err := is.CreateOrFetchEntity(ctx, loginAlias)
+	require.NoError(t, err)
+	require.NotNil(t, createdEntity)
+
+	matchedAlias, err := is.MemDBAliasByFactors(ghAccessor, loginAlias.Name, true, false)
+	require.NoError(t, err)
+	require.NotNil(t, matchedAlias)
+	require.True(t, maps.Equal(matchedAlias.Metadata, loginAlias.Metadata))
+
+	matchedEntity, err := is.MemDBEntityByID(matchedAlias.CanonicalID, true)
+	require.NoError(t, err)
+	require.NotNil(t, matchedEntity)
+	require.Equal(t, createdEntity.ID, matchedEntity.ID)
+
+	// Clone reads should not mutate MemDB state.
+	matchedEntity.Name = "mutated-name"
+	freshAlias, err := is.MemDBAliasByFactors(ghAccessor, loginAlias.Name, true, false)
+	require.NoError(t, err)
+	require.NotNil(t, freshAlias)
+
+	freshEntity, err := is.MemDBEntityByID(freshAlias.CanonicalID, true)
+	require.NoError(t, err)
+	require.NotNil(t, freshEntity)
+	require.NotEqual(t, "mutated-name", freshEntity.Name)
+
+	require.False(t, maps.Equal(freshAlias.Metadata, map[string]string{"foo": "does-not-match"}))
+}
diff --git a/vault/external_tests/identity/login_mfa_totp_test.go b/vault/external_tests/identity/login_mfa_totp_test.go
index 2fe798fbc1..4616609444 100644
--- a/vault/external_tests/identity/login_mfa_totp_test.go
+++ b/vault/external_tests/identity/login_mfa_totp_test.go
@@ -70,9 +70,6 @@ func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) {
 			HandlerFunc: vaulthttp.Handler,
 		})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	client := cluster.Cores[0].Client
 
 	// Enable the audit backend
diff --git a/vault/external_tests/identity/oidc_provider_test.go b/vault/external_tests/identity/oidc_provider_test.go
index 7880ea6ba8..78d2814a3c 100644
--- a/vault/external_tests/identity/oidc_provider_test.go
+++ b/vault/external_tests/identity/oidc_provider_test.go
@@ -48,7 +48,6 @@ const (
 // an initial setup of Vault.
 func TestOIDC_Auth_Code_Flow_Default_Resources(t *testing.T) {
 	cluster := setupOIDCTestCluster(t, 2)
-	defer cluster.Cleanup()
 	active := cluster.Cores[0].Client
 	standby := cluster.Cores[1].Client
 
@@ -271,7 +270,6 @@ func TestOIDC_Auth_Code_Flow_Default_Resources(t *testing.T) {
 // a client secret and authenticates to the token endpoint.
 func TestOIDC_Auth_Code_Flow_Confidential_CAP_Client(t *testing.T) {
 	cluster := setupOIDCTestCluster(t, 2)
-	defer cluster.Cleanup()
 	active := cluster.Cores[0].Client
 	standby := cluster.Cores[1].Client
 
@@ -621,7 +619,6 @@ func TestOIDC_Auth_Code_Flow_Confidential_CAP_Client(t *testing.T) {
 // and always uses proof key for code exchange (PKCE).
 func TestOIDC_Auth_Code_Flow_Public_CAP_Client(t *testing.T) {
 	cluster := setupOIDCTestCluster(t, 2)
-	defer cluster.Cleanup()
 	active := cluster.Cores[0].Client
 	standby := cluster.Cores[1].Client
 
@@ -963,8 +960,6 @@ func setupOIDCTestCluster(t *testing.T, numCores int) *vault.TestCluster {
 		HandlerFunc: vaulthttp.Handler,
 	}
 	cluster := vault.NewTestCluster(t, coreConfig, clusterOptions)
-	cluster.Start()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 
 	return cluster
 }
diff --git a/vault/external_tests/identity/userlockouts_test.go b/vault/external_tests/identity/userlockouts_test.go
index 091e03068d..4d9df9af7c 100644
--- a/vault/external_tests/identity/userlockouts_test.go
+++ b/vault/external_tests/identity/userlockouts_test.go
@@ -38,8 +38,6 @@ func TestIdentityStore_DisableUserLockoutTest(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	// standby client
 	client := cluster.Cores[1].Client
diff --git a/vault/external_tests/kv/kv_path_traversal_test.go b/vault/external_tests/kv/kv_path_traversal_test.go
new file mode 100644
index 0000000000..0e43de9d65
--- /dev/null
+++ b/vault/external_tests/kv/kv_path_traversal_test.go
@@ -0,0 +1,210 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package kv
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/stretchr/testify/require"
+)
+
+// rawVaultRequest sends an HTTP request to Vault using the exact rawPath
+// provided, bypassing the Go API client's path normalization. This is necessary
+// for testing URL-encoded path traversal sequences like %2e%2e that would
+// otherwise be resolved by path.Join in the standard client.
+func rawVaultRequest(t *testing.T, c *api.Client, token, method, rawPath, body, redirectsTo string) *http.Response {
+	t.Helper()
+
+	baseAddr := c.Address()
+	fullURL := baseAddr + rawPath
+
+	// Parse the URL and set Opaque to prevent Go from decoding %2e%2e
+	parsed, err := url.Parse(fullURL)
+	require.NoError(t, err, "failed to parse URL %q", fullURL)
+	parsed.Opaque = fmt.Sprintf("//%s%s", parsed.Host, rawPath)
+
+	var reqBody *strings.Reader
+	if body != "" {
+		reqBody = strings.NewReader(body)
+	}
+
+	var req *http.Request
+	if reqBody != nil {
+		req, err = http.NewRequest(method, parsed.String(), reqBody)
+	} else {
+		req, err = http.NewRequest(method, parsed.String(), nil)
+	}
+	require.NoError(t, err, "failed to create request")
+
+	req.Header.Set("X-Vault-Token", token)
+	if body != "" {
+		req.Header.Set("Content-Type", "application/json")
+	}
+
+	// Use the same HTTP client as the Vault API client to inherit TLS config
+	httpClient := c.CloneConfig().HttpClient
+	httpClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+		pathWithoutPrefix := strings.TrimPrefix(req.URL.Path, "/v1/")
+		if redirectsTo != "" && pathWithoutPrefix != redirectsTo {
+			return fmt.Errorf("redirect expected to %s but got %s", redirectsTo, pathWithoutPrefix)
+		}
+		if len(via) == 10 {
+			return errors.New("too many redirects")
+		}
+		return nil
+	}
+	resp, err := httpClient.Do(req)
+	require.NoError(t, err, "failed to execute request %s %s", method, rawPath)
+
+	return resp
+}
+
+// TestKV_PathTraversal tests a variety of paths to ensure that path traversals
+// are not allowed and return the proper error code.
+func TestKV_PathTraversal(t *testing.T) {
+	t.Parallel()
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	c := cluster.Cores[0].Client
+
+	// Mount a KVv2 backend
+	err := c.Sys().Mount("kv-v2", &api.MountInput{
+		Type: "kv-v2",
+	})
+	require.NoError(t, err)
+
+	// Write a protected secret
+	kvData := map[string]interface{}{
+		"data": map[string]interface{}{
+			"password": "THIS IS A SECRET",
+		},
+	}
+
+	_, err = kvRequestWithRetry(t, func() (interface{}, error) {
+		return c.Logical().Write("kv-v2/data/team/protected/dbcreds", kvData)
+	})
+	require.NoError(t, err)
+	// Create a restrictive policy that only allows access to team/public/* paths
+	err = c.Sys().PutPolicy("public-policy", `
+		path "kv-v2/metadata/team/public/*" { capabilities = ["read", "list"] }
+		path "kv-v2/data/team/public/*" { capabilities = ["read", "list"] }
+		path "kv-v2/destroy/team/public/*" { capabilities = ["update"] }
+		path "kv-v2/team/public/*" { capabilities = ["read"] }
+	`)
+	require.NoError(t, err)
+
+	// Create an attacker token with only the public-policy and no default policy
+	attackerSecret, err := c.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies:        []string{"public-policy"},
+		NoDefaultPolicy: true,
+	})
+	require.NoError(t, err)
+	attackerToken := attackerSecret.Auth.ClientToken
+
+	// Verify the attacker cannot read protected metadata via canonical path
+	attackerClient, err := api.NewClient(c.CloneConfig())
+	require.NoError(t, err)
+	attackerClient.SetToken(attackerToken)
+
+	testCases := []struct {
+		name              string
+		path              string
+		operation         string
+		body              []byte
+		expectCode        int
+		expectRedirectsTo string
+	}{
+		{
+			name:              "read secret",
+			path:              "kv-v2/data/team/public/../protected/dbcreds",
+			operation:         "GET",
+			expectCode:        403,
+			expectRedirectsTo: "kv-v2/data/team/protected/dbcreds",
+		},
+		{
+			name:              "read encoded",
+			path:              "kv-v2/data/team/public/%2e%2e/protected/dbcreds",
+			operation:         "GET",
+			expectCode:        403,
+			expectRedirectsTo: "kv-v2/data/team/protected/dbcreds",
+		},
+		{
+			name:              "destroy",
+			path:              "kv-v2/destroy/team/public/../protected/dbcreds",
+			body:              []byte(`{"versions":[1]}`),
+			operation:         "PUT",
+			expectCode:        403,
+			expectRedirectsTo: "kv-v2/destroy/team/protected/dbcreds",
+		},
+		{
+			name:              "destroy encoded",
+			path:              "kv-v2/destroy/team/public/%2e%2e/protected/dbcreds",
+			body:              []byte(`{"versions":[1]}`),
+			operation:         "PUT",
+			expectCode:        403,
+			expectRedirectsTo: "kv-v2/destroy/team/protected/dbcreds",
+		},
+		{
+			name:              "metadata read",
+			path:              "kv-v2/metadata/team/public/../protected/dbcreds",
+			operation:         "GET",
+			expectCode:        403,
+			expectRedirectsTo: "kv-v2/metadata/team/protected/dbcreds",
+		},
+		{
+			name:              "metadata read encoded",
+			path:              "kv-v2/metadata/team/public/%2e%2e/protected/dbcreds",
+			operation:         "GET",
+			expectCode:        403,
+			expectRedirectsTo: "kv-v2/metadata/team/protected/dbcreds",
+		},
+		{
+			name:       "metadata read double encoded",
+			path:       "kv-v2/metadata/team/public/%252e%252e/protected/dbcreds",
+			operation:  "GET",
+			expectCode: 404,
+		},
+		{
+			name:              "metadata read double slash",
+			path:              "kv-v2/metadata/team/public////protected/dbcreds",
+			operation:         "GET",
+			expectCode:        404,
+			expectRedirectsTo: "kv-v2/metadata/team/public/protected/dbcreds",
+		},
+		{
+			name:              "metadata read double slash encoded",
+			path:              "kv-v2/metadata/team/public/%2F%2F/protected/dbcreds",
+			operation:         "GET",
+			expectCode:        404,
+			expectRedirectsTo: "kv-v2/metadata/team/public/protected/dbcreds",
+		},
+		{
+			name:              "metadata read empty path piece",
+			path:              "kv-v2/metadata/team/public//protected/dbcreds",
+			operation:         "GET",
+			expectCode:        404,
+			expectRedirectsTo: "kv-v2/metadata/team/public/protected/dbcreds",
+		},
+		{
+			name:       "ending slash",
+			path:       "kv-v2/metadata/team/public/dbcreds/",
+			operation:  "GET",
+			expectCode: 404,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			rawResp := rawVaultRequest(t, c, attackerToken, tc.operation,
+				"/v1/"+tc.path, string(tc.body), tc.expectRedirectsTo)
+			defer rawResp.Body.Close()
+			require.Equal(t, tc.expectCode, rawResp.StatusCode)
+		})
+	}
+}
diff --git a/vault/external_tests/kv/kvv2_upgrade_test.go b/vault/external_tests/kv/kvv2_upgrade_test.go
index 04a4e7f7e5..d96d381077 100644
--- a/vault/external_tests/kv/kvv2_upgrade_test.go
+++ b/vault/external_tests/kv/kvv2_upgrade_test.go
@@ -42,11 +42,8 @@ func TestKVv2_UpgradePaths(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	core := cluster.Cores[0]
-	vault.TestWaitActive(t, core.Core)
 	client := core.Client
 
 	// Enable KVv2
diff --git a/vault/external_tests/metrics/core_metrics_int_test.go b/vault/external_tests/metrics/core_metrics_int_test.go
index 5153405b98..efcf1cc5cb 100644
--- a/vault/external_tests/metrics/core_metrics_int_test.go
+++ b/vault/external_tests/metrics/core_metrics_int_test.go
@@ -30,13 +30,7 @@ func TestMountTableMetrics(t *testing.T) {
 		NumCores:               2,
 		CoreMetricSinkProvider: testhelpers.TestMetricSinkProvider(time.Minute),
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	// Wait for core to become active
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 
 	client := cores[0].Client
 
@@ -120,13 +114,7 @@ func TestLeaderReElectionMetrics(t *testing.T) {
 		NumCores:               2,
 		CoreMetricSinkProvider: testhelpers.TestMetricSinkProvider(time.Minute),
 	})
-
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	// Wait for core to become active
 	cores := cluster.Cores
-	vault.TestWaitActive(t, cores[0].Core)
 
 	client := cores[0].Client
 	standbyClient := cores[1].Client
diff --git a/vault/external_tests/mfa/login_mfa_test.go b/vault/external_tests/mfa/login_mfa_test.go
index 97e9c9c631..3dc26b205b 100644
--- a/vault/external_tests/mfa/login_mfa_test.go
+++ b/vault/external_tests/mfa/login_mfa_test.go
@@ -327,11 +327,6 @@ func TestLoginMFA_ListAllMFAConfigsGlobally(t *testing.T) {
 	}, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
-	vault.TestWaitActive(t, core)
 	client := cluster.Cores[0].Client
 
 	// Enable userpass authentication
diff --git a/vault/external_tests/misc/misc_binary/recovery_test.go b/vault/external_tests/misc/misc_binary/recovery_test.go
index bcef667ea4..ee0f73a6e9 100644
--- a/vault/external_tests/misc/misc_binary/recovery_test.go
+++ b/vault/external_tests/misc/misc_binary/recovery_test.go
@@ -5,12 +5,12 @@ package misc
 
 import (
 	"context"
-	"os"
 	"path"
 	"testing"
 
 	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/testimages"
 	"github.com/hashicorp/vault/sdk/helper/testcluster"
 	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
 	"github.com/mitchellh/mapstructure"
@@ -26,26 +26,20 @@ func TestRecovery_Docker(t *testing.T) {
 	ctx := context.TODO()
 
 	t.Parallel()
-	binary := os.Getenv("VAULT_BINARY")
-	if binary == "" {
-		t.Skip("only running docker test when $VAULT_BINARY present")
-	}
+	repo, tag := testimages.GetImageRepoAndTag(t, false)
 	opts := &docker.DockerClusterOptions{
-		ImageRepo:    "hashicorp/vault",
+		ImageRepo:    repo,
 		DisableMlock: true,
 		// We're replacing the binary anyway, so we're not too particular about
 		// the docker image version tag.
-		ImageTag:    "latest",
-		VaultBinary: binary,
+		ImageTag: tag,
 		ClusterOptions: testcluster.ClusterOptions{
 			NumCores: 1,
 			VaultNodeConfig: &testcluster.VaultNodeConfig{
 				LogLevel: "TRACE",
-				// If you want the test to run faster locally, you could
-				// uncomment this performance_multiplier change.
-				//StorageOptions: map[string]string{
-				//	"performance_multiplier": "1",
-				//},
+				StorageOptions: map[string]string{
+					"performance_multiplier": "1",
+				},
 			},
 		},
 	}
@@ -130,6 +124,7 @@ func TestRecovery_Docker(t *testing.T) {
 		newOpts := *opts
 		opts := &newOpts
 		opts.Args = []string{"-recovery"}
+		opts.SkipUnsealWaitActiveNode = true
 		opts.StartProbe = func(client *api.Client) error {
 			// In recovery mode almost no paths are supported, and pretty much
 			// the only ones that don't require a recovery token are the ones used
diff --git a/vault/external_tests/misc/recover_from_panic_test.go b/vault/external_tests/misc/recover_from_panic_test.go
index c0f0277016..64f6a91146 100644
--- a/vault/external_tests/misc/recover_from_panic_test.go
+++ b/vault/external_tests/misc/recover_from_panic_test.go
@@ -25,11 +25,8 @@ func TestRecoverFromPanic(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	core := cluster.Cores[0]
-	vault.TestWaitActive(t, core.Core)
 	client := core.Client
 
 	err := client.Sys().Mount("noop", &api.MountInput{
diff --git a/vault/external_tests/misc/recovery_test.go b/vault/external_tests/misc/recovery_test.go
index 8904c90a15..dfcf29033c 100644
--- a/vault/external_tests/misc/recovery_test.go
+++ b/vault/external_tests/misc/recovery_test.go
@@ -36,8 +36,6 @@ func TestRecovery(t *testing.T) {
 		}
 
 		cluster := vault.NewTestCluster(t, &conf, &opts)
-		cluster.Start()
-		defer cluster.Cleanup()
 
 		client := cluster.Cores[0].Client
 		rootToken = client.Token()
@@ -84,8 +82,6 @@ func TestRecovery(t *testing.T) {
 		}
 		cluster := vault.NewTestCluster(t, &conf, &opts)
 		cluster.BarrierKeys = keys
-		cluster.Start()
-		defer cluster.Cleanup()
 
 		client := cluster.Cores[0].Client
 		recoveryToken := testhelpers.GenerateRoot(t, cluster, testhelpers.GenerateRecovery)
@@ -122,8 +118,6 @@ func TestRecovery(t *testing.T) {
 		}
 		cluster := vault.NewTestCluster(t, &conf, &opts)
 		cluster.BarrierKeys = keys
-		cluster.Start()
-		defer cluster.Cleanup()
 
 		testhelpers.EnsureCoresUnsealed(t, cluster)
 		vault.TestWaitActive(t, cluster.Cores[0].Core)
diff --git a/vault/external_tests/mountsauthtune/mounts_auth_tune_sudo_test.go b/vault/external_tests/mountsauthtune/mounts_auth_tune_sudo_test.go
new file mode 100644
index 0000000000..4a556d6fc1
--- /dev/null
+++ b/vault/external_tests/mountsauthtune/mounts_auth_tune_sudo_test.go
@@ -0,0 +1,105 @@
+// Copyright IBM Corp. 2016, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package mountsauthtune
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/require"
+)
+
+// TestMountsAuthTuneRequiresSudo ensures sys/mounts/auth/<path>/tune requires
+// sudo-equivalent privilege while sys/mounts/auth/<path> remains readable
+// without sudo when ACL allows it.
+func TestMountsAuthTuneRequiresSudo(t *testing.T) {
+	t.Parallel()
+
+	cluster := vault.NewTestCluster(t, &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": credUserpass.Factory,
+		},
+	}, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+		NumCores:    1,
+	})
+
+	client := cluster.Cores[0].Client
+	rootToken := cluster.RootToken
+
+	require.NoError(t, client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
+		Type: "userpass",
+	}))
+
+	noSudoPolicy := `
+path "sys/mounts/auth/userpass/tune" {
+	capabilities = ["read", "update"]
+}
+path "sys/mounts/auth/userpass*" {
+	capabilities = ["read"]
+}
+`
+	require.NoError(t, client.Sys().PutPolicy("mounts-auth-tune-no-sudo", noSudoPolicy))
+
+	noSudoTokenResp, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"mounts-auth-tune-no-sudo"},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, noSudoTokenResp)
+	require.NotNil(t, noSudoTokenResp.Auth)
+	require.NotEmpty(t, noSudoTokenResp.Auth.ClientToken)
+
+	client.SetToken(noSudoTokenResp.Auth.ClientToken)
+
+	// Non-tune path should remain readable without sudo.
+	nonTuneResp, err := client.Logical().Read("sys/mounts/auth/userpass")
+	require.NoError(t, err)
+	require.NotNil(t, nonTuneResp)
+
+	// Tune endpoints should fail without sudo.
+	_, err = client.Logical().Write("sys/mounts/auth/userpass/tune", map[string]interface{}{
+		"max_lease_ttl": "2h",
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), logical.ErrPermissionDenied.Error())
+
+	_, err = client.Logical().Read("sys/mounts/auth/userpass/tune")
+	require.Error(t, err)
+	require.Contains(t, err.Error(), logical.ErrPermissionDenied.Error())
+
+	client.SetToken(rootToken)
+
+	sudoPolicy := `
+path "sys/mounts/auth/userpass/tune" {
+	capabilities = ["sudo", "read", "update"]
+}
+`
+	require.NoError(t, client.Sys().PutPolicy("mounts-auth-tune-with-sudo", sudoPolicy))
+
+	withSudoTokenResp, err := client.Auth().Token().Create(&api.TokenCreateRequest{
+		Policies: []string{"mounts-auth-tune-with-sudo"},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, withSudoTokenResp)
+	require.NotNil(t, withSudoTokenResp.Auth)
+	require.NotEmpty(t, withSudoTokenResp.Auth.ClientToken)
+
+	client.SetToken(withSudoTokenResp.Auth.ClientToken)
+
+	_, err = client.Logical().Write("sys/mounts/auth/userpass/tune", map[string]interface{}{
+		"max_lease_ttl": "3h",
+	})
+	require.NoError(t, err)
+
+	tuneResp, err := client.Logical().Read("sys/mounts/auth/userpass/tune")
+	require.NoError(t, err)
+	require.NotNil(t, tuneResp)
+	require.Contains(t, tuneResp.Data, "max_lease_ttl")
+	require.Equal(t, "10800", fmt.Sprint(tuneResp.Data["max_lease_ttl"]))
+}
diff --git a/vault/external_tests/plugin/external_plugin_test.go b/vault/external_tests/plugin/external_plugin_test.go
index f72a2c030b..9f9009aca9 100644
--- a/vault/external_tests/plugin/external_plugin_test.go
+++ b/vault/external_tests/plugin/external_plugin_test.go
@@ -27,7 +27,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
-	_ "github.com/jackc/pgx/v4/stdlib"
+	_ "github.com/jackc/pgx/v5/stdlib"
 	"github.com/stretchr/testify/require"
 )
 
@@ -59,9 +59,6 @@ func getCluster(t *testing.T, numCores int, types ...consts.PluginType) *vault.T
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-
 	return cluster
 }
 
@@ -88,9 +85,6 @@ func TestExternalPlugin_RollbackAndReload(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-
 	core := cluster.Cores[0]
 	plugin := cluster.Plugins[0]
 	client := core.Client
@@ -183,7 +177,6 @@ func TestExternalPlugin_ContinueOnError(t *testing.T) {
 
 func testExternalPlugin_ContinueOnError(t *testing.T, mismatch bool, pluginType consts.PluginType) {
 	cluster := getCluster(t, 1, pluginType)
-	t.Cleanup(cluster.Cleanup)
 
 	core := cluster.Cores[0]
 	plugin := cluster.Plugins[0]
@@ -293,7 +286,6 @@ func TestExternalPlugin_AuthMethod(t *testing.T) {
 	// getCluster calls pluginhelper.CompilePlugin which builds the approle
 	// auth method as a stand-in for the PluginTypeCredential
 	cluster := getCluster(t, 5, consts.PluginTypeCredential)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -412,7 +404,6 @@ func TestExternalPlugin_AuthMethod(t *testing.T) {
 // method after reload
 func TestExternalPlugin_AuthMethodReload(t *testing.T) {
 	cluster := getCluster(t, 1, consts.PluginTypeCredential)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -494,7 +485,6 @@ func TestExternalPlugin_SecretsEngine(t *testing.T) {
 	// getCluster calls pluginhelper.CompilePlugin which builds the consul
 	// secrets engine as a stand-in for the PluginTypeSecrets
 	cluster := getCluster(t, 1, consts.PluginTypeSecrets)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -598,7 +588,6 @@ func TestExternalPlugin_SecretsEngine(t *testing.T) {
 func TestExternalPlugin_SecretsEngineReload(t *testing.T) {
 	t.Parallel()
 	cluster := getCluster(t, 1, consts.PluginTypeSecrets)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -671,7 +660,6 @@ func TestExternalPlugin_Database(t *testing.T) {
 	// getCluster calls pluginhelper.CompilePlugin which builds the postgres
 	// database engine as a stand-in for the PluginTypeSecrets
 	cluster := getCluster(t, 1, consts.PluginTypeDatabase)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -805,7 +793,6 @@ func TestExternalPlugin_Database(t *testing.T) {
 func TestExternalPlugin_DatabaseReload(t *testing.T) {
 	t.Parallel()
 	cluster := getCluster(t, 1, consts.PluginTypeDatabase)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -940,7 +927,6 @@ func testExternalPluginMetadataAuditLog(t *testing.T, log map[string]interface{}
 // in audit log when it is enabled
 func TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
 	cluster := getCluster(t, 1, consts.PluginTypeCredential)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -1018,7 +1004,6 @@ func TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T)
 // in audit log when it is enabled
 func TestExternalPlugin_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
 	cluster := getCluster(t, 1, consts.PluginTypeSecrets)
-	t.Cleanup(cluster.Cleanup)
 
 	plugin := cluster.Plugins[0]
 	client := cluster.Cores[0].Client
@@ -1174,7 +1159,6 @@ func expectRunningVersion(t *testing.T, client *api.Client, plugin pluginhelpers
 // of upgrading an external plugin gated by pinned versions.
 func TestCore_UpgradePluginUsingPinnedVersion_AuthAndSecret(t *testing.T) {
 	cluster := getCluster(t, 1, consts.PluginTypeCredential, consts.PluginTypeSecrets)
-	t.Cleanup(cluster.Cleanup)
 
 	client := cluster.Cores[0].Client
 
@@ -1226,7 +1210,6 @@ func TestCore_UpgradePluginUsingPinnedVersion_AuthAndSecret(t *testing.T) {
 // of upgrading an external database plugin gated by pinned versions.
 func TestCore_UpgradePluginUsingPinnedVersion_Database(t *testing.T) {
 	cluster := getCluster(t, 3, consts.PluginTypeDatabase)
-	t.Cleanup(cluster.Cleanup)
 
 	client := cluster.Cores[0].Client
 	plugin := cluster.Plugins[0]
diff --git a/vault/external_tests/plugin/plugin_test.go b/vault/external_tests/plugin/plugin_test.go
index c343a5140a..1049ee6515 100644
--- a/vault/external_tests/plugin/plugin_test.go
+++ b/vault/external_tests/plugin/plugin_test.go
@@ -62,7 +62,6 @@ func TestSystemBackend_Plugin_secret(t *testing.T) {
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			t.Parallel()
 			cluster := testSystemBackendMock(t, 1, 1, logical.TypeLogical, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0]
 
@@ -132,7 +131,6 @@ func TestSystemBackend_Plugin_auth(t *testing.T) {
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			t.Parallel()
 			cluster := testSystemBackendMock(t, 1, 1, logical.TypeCredential, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0]
 
@@ -162,9 +160,6 @@ func TestSystemBackend_Plugin_auth(t *testing.T) {
 				if core.Sealed() {
 					t.Fatal("should not be sealed")
 				}
-				// Wait for active so post-unseal takes place
-				// If it fails, it means unseal process failed
-				vault.TestWaitActive(t, core.Core)
 			}
 		})
 	}
@@ -190,7 +185,6 @@ func TestSystemBackend_Plugin_MissingBinary(t *testing.T) {
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			t.Parallel()
 			cluster := testSystemBackendMock(t, 1, 1, logical.TypeLogical, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0]
 
@@ -250,7 +244,6 @@ func TestSystemBackend_Plugin_MismatchType(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			cluster := testSystemBackendMock(t, 1, 1, logical.TypeLogical, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0]
 
@@ -310,7 +303,6 @@ func testPlugin_CatalogRemoved(t *testing.T, btype logical.BackendType, testMoun
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			t.Parallel()
 			cluster := testSystemBackendMock(t, 1, 1, logical.TypeLogical, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0]
 
@@ -389,7 +381,6 @@ func TestSystemBackend_Plugin_autoReload(t *testing.T) {
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			t.Parallel()
 			cluster := testSystemBackendMock(t, 1, 1, logical.TypeLogical, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0]
 
@@ -449,7 +440,6 @@ func TestSystemBackend_Plugin_SealUnseal(t *testing.T) {
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			t.Parallel()
 			cluster := testSystemBackendMock(t, 1, 1, logical.TypeLogical, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			// Seal the cluster
 			cluster.EnsureCoresSealed(t)
@@ -563,7 +553,6 @@ func testSystemBackend_PluginReload(t *testing.T, path string, reqData map[strin
 	for _, tc := range testCases {
 		t.Run(tc.pluginVersion, func(t *testing.T) {
 			cluster := testSystemBackendMock(t, 1, 2, backendType, tc.pluginVersion)
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0]
 			client := core.Client
@@ -610,7 +599,6 @@ func testSystemBackend_PluginReload(t *testing.T, path string, reqData map[strin
 
 func TestSystemBackend_PluginReload_WarningIfNoneReloaded(t *testing.T) {
 	cluster := testSystemBackendMock(t, 1, 2, logical.TypeLogical, "v5")
-	defer cluster.Cleanup()
 
 	core := cluster.Cores[0]
 	client := core.Client
@@ -662,7 +650,6 @@ func testSystemBackendMock(t *testing.T, numCores, numMounts int, backendType lo
 	cluster := vault.NewTestCluster(t, conf, opts)
 
 	core := cluster.Cores[0]
-	vault.TestWaitActive(t, core.Core)
 	client := core.Client
 
 	env := []string{pluginutil.PluginCACertPEMEnv + "=" + cluster.CACertPEMFile}
@@ -720,11 +707,8 @@ func TestSystemBackend_Plugin_Env(t *testing.T) {
 		NumCores:    1,
 		TempDir:     pluginDir,
 	})
-	cluster.Start()
-	t.Cleanup(cluster.Cleanup)
 
 	core := cluster.Cores[0]
-	vault.TestWaitActive(t, core.Core)
 	client := core.Client
 
 	key := t.Name() + "_FOO"
diff --git a/vault/external_tests/policy/policy_test.go b/vault/external_tests/policy/policy_test.go
index e87b32f063..c095d5a439 100644
--- a/vault/external_tests/policy/policy_test.go
+++ b/vault/external_tests/policy/policy_test.go
@@ -12,9 +12,9 @@ import (
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/builtin/credential/ldap"
 	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-	ldaphelper "github.com/hashicorp/vault/helper/testhelpers/ldap"
 	"github.com/hashicorp/vault/helper/testhelpers/minimal"
 	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
 )
@@ -31,9 +31,6 @@ func TestPolicy_NoDefaultPolicy(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	})
 
-	cluster.Start()
-	defer cluster.Cleanup()
-
 	cores := cluster.Cores
 
 	vault.TestWaitActive(t, cores[0].Core)
@@ -48,7 +45,7 @@ func TestPolicy_NoDefaultPolicy(t *testing.T) {
 	}
 
 	// Configure LDAP auth backend
-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
@@ -106,7 +103,7 @@ func TestPolicy_NoConfiguredPolicy(t *testing.T) {
 	}
 
 	// Configure LDAP auth backend
-	cleanup, cfg := ldaphelper.PrepareTestContainer(t, ldaphelper.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	_, err = client.Logical().Write("auth/ldap/config", map[string]interface{}{
@@ -203,8 +200,6 @@ func TestPolicy_TokenRenewal(t *testing.T) {
 			cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 				HandlerFunc: vaulthttp.Handler,
 			})
-			cluster.Start()
-			defer cluster.Cleanup()
 
 			core := cluster.Cores[0].Core
 			vault.TestWaitActive(t, core)
diff --git a/vault/external_tests/pprof/pprof_binary/pprof_test.go b/vault/external_tests/pprof/pprof_binary/pprof_test.go
index 2dd48004e7..d89bda1a90 100644
--- a/vault/external_tests/pprof/pprof_binary/pprof_test.go
+++ b/vault/external_tests/pprof/pprof_binary/pprof_test.go
@@ -28,7 +28,6 @@ func TestSysPprof_Exec(t *testing.T) {
 		BinaryPath:        binary,
 		BaseListenAddress: "127.0.0.1:8208",
 	})
-	defer cluster.Cleanup()
 
 	pprof.SysPprof_Test(t, cluster)
 }
diff --git a/vault/external_tests/pprof/pprof_test.go b/vault/external_tests/pprof/pprof_test.go
index afcad849f2..95414ed369 100644
--- a/vault/external_tests/pprof/pprof_test.go
+++ b/vault/external_tests/pprof/pprof_test.go
@@ -37,8 +37,6 @@ func TestSysPprof(t *testing.T) {
 		HandlerFunc:             vaulthttp.Handler,
 		RequestResponseCallback: schema.ResponseValidatingCallback(t),
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	core := cluster.Cores[0].Core
 	vault.TestWaitActive(t, core)
@@ -58,8 +56,6 @@ func TestSysPprof_MaxRequestDuration(t *testing.T) {
 	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	transport := cleanhttp.DefaultPooledTransport()
diff --git a/vault/external_tests/quotas/quotas_test.go b/vault/external_tests/quotas/quotas_test.go
index 40fbbff45f..f4e7331556 100644
--- a/vault/external_tests/quotas/quotas_test.go
+++ b/vault/external_tests/quotas/quotas_test.go
@@ -161,11 +161,7 @@ func TestQuotas_RateLimit_DupName(t *testing.T) {
 	opts.NoDefaultQuotas = true
 	opts.RequestResponseCallback = schema.ResponseValidatingCallback(t)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	// create a rate limit quota w/ 'secret' path
 	_, err := client.Logical().Write("sys/quotas/rate-limit/secret-rlq", map[string]interface{}{
@@ -197,12 +193,8 @@ func TestQuotas_RateLimit_DupPath(t *testing.T) {
 	opts.NoDefaultQuotas = true
 	opts.RequestResponseCallback = schema.ResponseValidatingCallback(t)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
+
 	// create a global rate limit quota
 	_, err := client.Logical().Write("sys/quotas/rate-limit/global-rlq", map[string]interface{}{
 		"rate": 10,
@@ -237,12 +229,7 @@ func TestQuotas_RateLimitQuota_ExemptPaths(t *testing.T) {
 	opts.NoDefaultQuotas = true
 	opts.RequestResponseCallback = schema.ResponseValidatingCallback(t)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	_, err := client.Logical().Write("sys/quotas/rate-limit/rlq", map[string]interface{}{
 		"rate": 7.7,
@@ -289,12 +276,7 @@ func TestQuotas_RateLimitQuota_DefaultExemptPaths(t *testing.T) {
 	opts.NoDefaultQuotas = true
 	opts.RequestResponseCallback = schema.ResponseValidatingCallback(t)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	_, err := client.Logical().Write("sys/quotas/rate-limit/rlq", map[string]interface{}{
 		"rate": 1,
@@ -318,12 +300,7 @@ func TestQuotas_RateLimitQuota_DefaultExemptPaths(t *testing.T) {
 func TestQuotas_RateLimitQuota_Mount(t *testing.T) {
 	conf, opts := teststorage.ClusterSetup(coreConfig, nil, nil)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
-	vault.TestWaitActive(t, core)
 
 	err := client.Sys().Mount("pki", &api.MountInput{
 		Type: "pki",
@@ -407,14 +384,8 @@ func TestQuotas_RateLimitQuota_MountPrecedence(t *testing.T) {
 	conf, opts := teststorage.ClusterSetup(coreConfig, nil, nil)
 	opts.NoDefaultQuotas = true
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
 
-	vault.TestWaitActive(t, core)
-
 	// create PKI mount
 	err := client.Sys().Mount("pki", &api.MountInput{
 		Type: "pki",
@@ -494,14 +465,8 @@ func TestQuotas_RateLimitQuota(t *testing.T) {
 	conf, opts := teststorage.ClusterSetup(coreConfig, nil, nil)
 	opts.NoDefaultQuotas = true
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
 
-	vault.TestWaitActive(t, core)
-
 	err := client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
 		Type: "userpass",
 	})
@@ -573,14 +538,8 @@ func TestQuotas_RateLimitQuota_GroupByConfig(t *testing.T) {
 	conf, opts := teststorage.ClusterSetup(coreConfig, nil, nil)
 	opts.NoDefaultQuotas = true
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	t.Cleanup(cluster.Cleanup)
-
-	core := cluster.Cores[0].Core
 	client := cluster.Cores[0].Client
 
-	vault.TestWaitActive(t, core)
-
 	testCases := map[string]struct {
 		reqData              map[string]interface{}
 		expectedErr          string
@@ -757,8 +716,6 @@ func TestQuotas_RateLimitQuota_GroupByConfig(t *testing.T) {
 func TestQuotas_RateLimit_ZeroRetryRegression(t *testing.T) {
 	conf, opts := teststorage.ClusterSetup(coreConfig, nil, nil)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	testhelpers.WaitForActiveNode(t, cluster)
 	client := cluster.Cores[0].Client
@@ -799,7 +756,6 @@ func TestQuotas_RateLimit_NilStorage_ResolveRole(t *testing.T) {
 		NumCores:    1,
 	}, nil)
 	cluster := vault.NewTestCluster(t, conf, opts)
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	// Enable our custom panic auth method which will panic on nil storage
diff --git a/vault/external_tests/raft/raft_autopilot_test.go b/vault/external_tests/raft/raft_autopilot_test.go
index 01ae5111c2..27672b8384 100644
--- a/vault/external_tests/raft/raft_autopilot_test.go
+++ b/vault/external_tests/raft/raft_autopilot_test.go
@@ -33,7 +33,6 @@ func TestRaft_Autopilot_Disable(t *testing.T) {
 		InmemCluster:         true,
 		// Not setting EnableAutopilot here.
 	})
-	defer cluster.Cleanup()
 
 	cli := cluster.Cores[0].Client
 	state, err := cli.Sys().RaftAutopilotState()
@@ -62,7 +61,6 @@ func TestRaft_Autopilot_BinaryVersionPlumbing(t *testing.T) {
 	require.Empty(t, coreCfg.EffectiveSDKVersion)
 
 	c := vault.NewTestCluster(t, coreCfg, &clusterOpts)
-	defer c.Cleanup()
 
 	// Wait for follower to be perf standby (in Ent, in CE it will only wait for
 	// active). In either Enterprise or CE case, this should pass if we've plumbed
@@ -89,7 +87,6 @@ func TestRaft_Autopilot_Stabilization_And_State(t *testing.T) {
 			"performance_multiplier": "5",
 		},
 	})
-	defer cluster.Cleanup()
 
 	// Check that autopilot execution state is running
 	client := cluster.Cores[0].Client
@@ -160,7 +157,6 @@ func TestRaft_Autopilot_Configuration(t *testing.T) {
 		InmemCluster:         true,
 		EnableAutopilot:      true,
 	})
-	defer cluster.Cleanup()
 
 	client := cluster.Cores[0].Client
 	configCheckFunc := func(config *api.AutopilotConfig) {
@@ -267,7 +263,6 @@ func TestRaft_Autopilot_Stabilization_Delay(t *testing.T) {
 	})
 
 	cluster := vault.NewTestCluster(t, conf, &opts)
-	defer cluster.Cleanup()
 	testhelpers.WaitForActiveNode(t, cluster)
 
 	// Check that autopilot execution state is running
@@ -363,7 +358,6 @@ func TestRaft_AutoPilot_Peersets_Equivalent(t *testing.T) {
 		EnableAutopilot:      true,
 		DisableFollowerJoins: true,
 	})
-	defer cluster.Cleanup()
 	testhelpers.WaitForActiveNode(t, cluster)
 
 	// Create a very large stabilization time so we can test the state between
@@ -423,7 +417,6 @@ func TestRaft_VotersStayVoters(t *testing.T) {
 			2: version.Version,
 		},
 	})
-	defer cluster.Cleanup()
 	testhelpers.WaitForActiveNode(t, cluster)
 
 	client := cluster.Cores[0].Client
@@ -472,7 +465,6 @@ func TestRaft_Autopilot_DeadServerCleanup(t *testing.T) {
 		EnableAutopilot:      true,
 		NumCores:             4,
 	})
-	defer cluster.Cleanup()
 	testhelpers.WaitForActiveNode(t, cluster)
 
 	// Join 2 extra nodes manually, store the 3rd for later
diff --git a/vault/external_tests/raft/raft_binary/raft_test.go b/vault/external_tests/raft/raft_binary/raft_test.go
index f278df6a4c..d86f4f2712 100644
--- a/vault/external_tests/raft/raft_binary/raft_test.go
+++ b/vault/external_tests/raft/raft_binary/raft_test.go
@@ -17,6 +17,8 @@ import (
 	autopilot "github.com/hashicorp/raft-autopilot"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/helper/testhelpers"
+	sealhelper "github.com/hashicorp/vault/helper/testhelpers/seal"
+	"github.com/hashicorp/vault/helper/testhelpers/testimages"
 	"github.com/hashicorp/vault/sdk/helper/testcluster"
 	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
 	rafttest "github.com/hashicorp/vault/vault/external_tests/raft"
@@ -27,36 +29,42 @@ import (
 // uses docker containers for the vault nodes.
 func TestRaft_Configuration_Docker(t *testing.T) {
 	t.Parallel()
-	binary := os.Getenv("VAULT_BINARY")
-	if binary == "" {
-		t.Skip("only running docker test when $VAULT_BINARY present")
-	}
-	opts := &docker.DockerClusterOptions{
-		ImageRepo:    "hashicorp/vault",
-		DisableMlock: true,
-		// We're replacing the binary anyway, so we're not too particular about
-		// the docker image version tag.
-		ImageTag:    "latest",
-		VaultBinary: binary,
-		ClusterOptions: testcluster.ClusterOptions{
-			VaultNodeConfig: &testcluster.VaultNodeConfig{
-				LogLevel: "TRACE",
-				// If you want the test to run faster locally, you could
-				// uncomment this performance_multiplier change.
-				//StorageOptions: map[string]string{
-				//	"performance_multiplier": "1",
-				//},
-			},
-		},
-	}
-	cluster := docker.NewTestDockerCluster(t, opts)
-	defer cluster.Cleanup()
-	rafttest.Raft_Configuration_Test(t, cluster)
+	repo, tag := testimages.GetImageRepoAndTag(t, false)
 
-	if err := cluster.AddNode(context.TODO(), opts); err != nil {
-		t.Fatal(err)
+	transit := sealhelper.NewTransitDockerSealServer(t)
+
+	for _, tc := range []struct {
+		name  string
+		seals []testcluster.VaultNodeSealConfig
+	}{
+		{"shamir", nil},
+		{"autoseal", []testcluster.VaultNodeSealConfig{transit.Seal("test", 1)}},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			binary := os.Getenv("VAULT_BINARY")
+			if binary == "" {
+				t.Skip("only running docker test when $VAULT_BINARY present")
+			}
+			opts := &docker.DockerClusterOptions{
+				DisableMlock: true,
+				ImageRepo:    repo,
+				ImageTag:     tag,
+				ClusterOptions: testcluster.ClusterOptions{
+					VaultNodeConfig: &testcluster.VaultNodeConfig{
+						Seal:     tc.seals,
+						LogLevel: "TRACE",
+					},
+				},
+			}
+			cluster := docker.NewTestDockerCluster(t, opts)
+			rafttest.Raft_Configuration_Test(t, cluster)
+
+			if err := cluster.AddNode(context.Background(), opts); err != nil {
+				t.Fatal(err)
+			}
+			rafttest.Raft_Configuration_Test(t, cluster)
+		})
 	}
-	rafttest.Raft_Configuration_Test(t, cluster)
 }
 
 // removeRaftNode removes a node from the raft configuration using the leader client
@@ -134,17 +142,11 @@ func stabilize(t *testing.T, client *api.Client) {
 // nodes that use raft-wal (and vice-versa)
 // Having a cluster of mixed nodes, some using raft-boltdb and some using raft-wal, is not a problem.
 func TestDocker_LogStore_Boltdb_To_Raftwal_And_Back(t *testing.T) {
-	binary := os.Getenv("VAULT_BINARY")
-	if binary == "" {
-		t.Skip("only running docker test when $VAULT_BINARY present")
-	}
+	repo, tag := testimages.GetImageRepoAndTag(t, false)
 	opts := &docker.DockerClusterOptions{
-		ImageRepo:    "hashicorp/vault",
 		DisableMlock: true,
-		// We're replacing the binary anyway, so we're not too particular about
-		// the docker image version tag.
-		ImageTag:    "latest",
-		VaultBinary: binary,
+		ImageRepo:    repo,
+		ImageTag:     tag,
 		ClusterOptions: testcluster.ClusterOptions{
 			VaultNodeConfig: &testcluster.VaultNodeConfig{
 				LogLevel: "TRACE",
@@ -329,17 +331,11 @@ func TestDocker_LogStore_Boltdb_To_Raftwal_And_Back(t *testing.T) {
 // by performing a snapshot restore from one cluster to another, and checking no data loss
 func TestRaft_LogStore_Migration_Snapshot(t *testing.T) {
 	t.Parallel()
-	binary := os.Getenv("VAULT_BINARY")
-	if binary == "" {
-		t.Skip("only running docker test when $VAULT_BINARY present")
-	}
+	repo, tag := testimages.GetImageRepoAndTag(t, false)
 	opts := &docker.DockerClusterOptions{
-		ImageRepo:    "hashicorp/vault",
 		DisableMlock: true,
-		// We're replacing the binary anyway, so we're not too particular about
-		// the docker image version tag.
-		ImageTag:    "latest",
-		VaultBinary: binary,
+		ImageRepo:    repo,
+		ImageTag:     tag,
 		ClusterOptions: testcluster.ClusterOptions{
 			NumCores: 1,
 			VaultNodeConfig: &testcluster.VaultNodeConfig{
@@ -405,6 +401,7 @@ func TestRaft_LogStore_Migration_Snapshot(t *testing.T) {
 
 	// caching the old cluster's barrier keys
 	oldBarrierKeys := cluster.GetBarrierKeys()
+	oldRootToken := cluster.GetRootToken()
 	// clean up the old cluster as there is no further use to it
 	cluster.Cleanup()
 
@@ -432,6 +429,7 @@ func TestRaft_LogStore_Migration_Snapshot(t *testing.T) {
 	testcluster.WaitForActiveNode(ctx, newCluster)
 
 	// generate a root token as the unseal keys have changed
+	newCluster.SetRootToken(oldRootToken)
 	rootToken, err := testcluster.GenerateRoot(newCluster, testcluster.GenerateRootRegular)
 	if err != nil {
 		t.Fatal(err)
diff --git a/vault/external_tests/raft/raft_test.go b/vault/external_tests/raft/raft_test.go
index 2764f3f9f0..40b6533db2 100644
--- a/vault/external_tests/raft/raft_test.go
+++ b/vault/external_tests/raft/raft_test.go
@@ -27,6 +27,7 @@ import (
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/helper/testhelpers"
 	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/helper/testhelpers/minimal"
 	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/internalshared/configutil"
@@ -56,6 +57,36 @@ type RaftClusterOpts struct {
 	DisableMlock                   bool
 }
 
+// TestRaft_Retry_JoinLimiter verifies that only 20 concurrent retry joins are allowed.
+func TestRaft_Retry_JoinLimiter(t *testing.T) {
+	t.Parallel()
+	const maxConcurrentRetryJoins = 20
+
+	cluster, _ := raftCluster(t, &RaftClusterOpts{
+		InmemCluster:         true,
+		DisableFollowerJoins: true,
+		NumCores:             2, // 1 leader + 1 follower; limiter is per-core, so test repeated joins on one core
+	})
+
+	leaderInfos := []*raft.LeaderJoinInfo{
+		{
+			LeaderAPIAddr: "https://127.0.0.1:1",
+			Retry:         true,
+		},
+	}
+
+	ctx, cancel := context.WithCancel(namespace.RootContext(context.Background()))
+	defer cancel()
+	followerCore := cluster.Cores[1]
+	for i := 0; i < maxConcurrentRetryJoins; i++ {
+		_, err := followerCore.JoinRaftCluster(ctx, leaderInfos, false)
+		require.NoError(t, err)
+	}
+	_, err := followerCore.JoinRaftCluster(ctx, leaderInfos, false)
+	require.Error(t, err)
+	require.ErrorContains(t, err, "too many concurrent raft retry joins in progress")
+}
+
 func raftClusterBuilder(t testing.TB, ropts *RaftClusterOpts) (*vault.CoreConfig, vault.TestClusterOptions) {
 	if ropts == nil {
 		ropts = &RaftClusterOpts{
@@ -113,7 +144,6 @@ func raftClusterBuilder(t testing.TB, ropts *RaftClusterOpts) (*vault.CoreConfig
 func raftCluster(t testing.TB, ropts *RaftClusterOpts) (*vault.TestCluster, *vault.TestClusterOptions) {
 	conf, opts := raftClusterBuilder(t, ropts)
 	cluster := vault.NewTestCluster(t, conf, &opts)
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	return cluster, &opts
 }
 
@@ -132,9 +162,6 @@ func TestRaft_BoltDBMetrics(t *testing.T) {
 		},
 	}
 	cluster := vault.NewTestCluster(t, conf, &opts)
-	defer cluster.Cleanup()
-
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 	leaderClient := cluster.Cores[0].Client
 
 	// Write a few keys
@@ -176,7 +203,6 @@ func TestRaft_RetryAutoJoin(t *testing.T) {
 		InmemCluster:         true,
 		DisableFollowerJoins: true,
 	})
-	defer cluster.Cleanup()
 
 	leaderCore := cluster.Cores[0]
 
@@ -210,7 +236,6 @@ func TestRaft_Retry_Join(t *testing.T) {
 		InmemCluster:         true,
 		DisableFollowerJoins: true,
 	})
-	defer cluster.Cleanup()
 
 	leaderCore := cluster.Cores[0]
 	leaderAPI := leaderCore.Client.Address()
@@ -244,7 +269,6 @@ func TestRaft_Retry_Join(t *testing.T) {
 	// Unseal the leader and wait for the other cores to unseal
 	cluster.UnsealCore(t, leaderCore)
 	wg.Wait()
-
 	vault.TestWaitActive(t, leaderCore.Core)
 
 	corehelpers.RetryUntil(t, 10*time.Second, func() error {
@@ -266,7 +290,6 @@ func TestRaftChallenge_sameAnswerSameID_concurrent(t *testing.T) {
 		DisableFollowerJoins: true,
 		NumCores:             1,
 	})
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 
 	challenges := make(chan string, 15)
@@ -303,7 +326,6 @@ func TestRaftChallenge_sameAnswerSameID(t *testing.T) {
 		DisableFollowerJoins: true,
 		NumCores:             1,
 	})
-	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
 	res, err := client.Logical().Write("sys/storage/raft/bootstrap/challenge", map[string]interface{}{
 		"server_id": "node1",
@@ -335,7 +357,6 @@ func TestRaftChallenge_evicted(t *testing.T) {
 		DisableFollowerJoins: true,
 		NumCores:             1,
 	})
-	defer cluster.Cleanup()
 	firstResponse := map[string]interface{}{}
 	client := cluster.Cores[0].Client
 	for i := 0; i < vault.RaftInitialChallengeLimit+1; i++ {
@@ -391,7 +412,6 @@ func TestRaft_ChallengeSpam(t *testing.T) {
 	cluster, _ := raftCluster(t, &RaftClusterOpts{
 		DisableFollowerJoins: true,
 	})
-	defer cluster.Cleanup()
 
 	// Execute 2 * MaxInFlightRequests, over a period that should allow some to proceed as the token bucket
 	// refills.
@@ -424,7 +444,6 @@ func TestRaft_Join(t *testing.T) {
 	cluster, _ := raftCluster(t, &RaftClusterOpts{
 		DisableFollowerJoins: true,
 	})
-	defer cluster.Cleanup()
 
 	leaderCore := cluster.Cores[0]
 	leaderAPI := leaderCore.Client.Address()
@@ -471,7 +490,6 @@ func TestRaft_Join(t *testing.T) {
 func TestRaft_RemovePeer(t *testing.T) {
 	t.Parallel()
 	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
 
 	for i, c := range cluster.Cores {
 		if c.Core.Sealed() {
@@ -545,7 +563,6 @@ func TestRaft_NodeIDHeader(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
 			cluster, _ := raftCluster(t, tc.ropts)
-			defer cluster.Cleanup()
 
 			for i, c := range cluster.Cores {
 				if c.Core.Sealed() {
@@ -582,14 +599,12 @@ func TestRaft_NodeIDHeader(t *testing.T) {
 func TestRaft_Configuration(t *testing.T) {
 	t.Parallel()
 	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
 	Raft_Configuration_Test(t, cluster)
 }
 
 func TestRaft_ShamirUnseal(t *testing.T) {
 	t.Parallel()
 	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
 
 	for i, c := range cluster.Cores {
 		if c.Core.Sealed() {
@@ -601,7 +616,6 @@ func TestRaft_ShamirUnseal(t *testing.T) {
 func TestRaft_SnapshotAPI(t *testing.T) {
 	t.Parallel()
 	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
 
 	leaderClient := cluster.Cores[0].Client
 
@@ -665,7 +679,6 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
 		NumCores: 1,
 		Seal:     autoSeal,
 	})
-	defer cluster.Cleanup()
 
 	leaderClient := cluster.Cores[0].Client
 
@@ -770,7 +783,6 @@ func TestRaft_SnapshotAPI_RekeyRotate_Backward(t *testing.T) {
 			cluster, _ := raftCluster(t, &RaftClusterOpts{
 				DisablePerfStandby: tCaseLocal.DisablePerfStandby,
 			})
-			defer cluster.Cleanup()
 
 			leaderClient := cluster.Cores[0].Client
 
@@ -974,7 +986,6 @@ func TestRaft_SnapshotAPI_RekeyRotate_Forward(t *testing.T) {
 			cluster, _ := raftCluster(t, &RaftClusterOpts{
 				DisablePerfStandby: tCaseLocal.DisablePerfStandby,
 			})
-			defer cluster.Cleanup()
 
 			leaderClient := cluster.Cores[0].Client
 
@@ -1161,7 +1172,6 @@ func TestRaft_SnapshotAPI_RekeyRotate_Forward(t *testing.T) {
 func TestRaft_SnapshotAPI_DifferentCluster(t *testing.T) {
 	t.Parallel()
 	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
 
 	leaderClient := cluster.Cores[0].Client
 
@@ -1207,7 +1217,6 @@ func TestRaft_SnapshotAPI_DifferentCluster(t *testing.T) {
 	// Cluster 2
 	{
 		cluster2, _ := raftCluster(t, nil)
-		defer cluster2.Cleanup()
 
 		leaderClient := cluster2.Cores[0].Client
 
@@ -1254,7 +1263,6 @@ func TestRaft_SnapshotAPI_DifferentCluster(t *testing.T) {
 
 func BenchmarkRaft_SingleNode(b *testing.B) {
 	cluster, _ := raftCluster(b, nil)
-	defer cluster.Cleanup()
 
 	leaderClient := cluster.Cores[0].Client
 
@@ -1288,7 +1296,6 @@ func TestRaft_Join_InitStatus(t *testing.T) {
 		InmemCluster:         true,
 		DisableFollowerJoins: true,
 	})
-	defer cluster.Cleanup()
 
 	leaderCore := cluster.Cores[0]
 	leaderAPI := leaderCore.Client.Address()
@@ -1372,7 +1379,6 @@ func TestRaft_Join_InitStatus(t *testing.T) {
 func TestRaftCluster_Removed(t *testing.T) {
 	t.Parallel()
 	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
 
 	follower := cluster.Cores[2]
 	followerClient := follower.Client
@@ -1417,7 +1423,6 @@ func TestRaftCluster_Removed_RaftConfig(t *testing.T) {
 	conf, opts := raftClusterBuilder(t, nil)
 	conf.ClusterHeartbeatInterval = 5 * time.Minute
 	cluster := vault.NewTestCluster(t, conf, &opts)
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 
 	follower := cluster.Cores[2]
 	followerClient := follower.Client
@@ -1458,7 +1463,6 @@ func TestSysHealth_Raft(t *testing.T) {
 		ClusterHeartbeatInterval: heartbeat,
 	}
 	vaultCluster := vault.NewTestCluster(t, conf, opts)
-	defer vaultCluster.Cleanup()
 	testhelpers.WaitForActiveNodeAndStandbys(t, vaultCluster)
 	followerClient := vaultCluster.Cores[1].Client
 
@@ -1565,7 +1569,6 @@ func TestSysHealth_Raft(t *testing.T) {
 func TestRaftCluster_Removed_ReAdd(t *testing.T) {
 	t.Parallel()
 	cluster, _ := raftCluster(t, nil)
-	defer cluster.Cleanup()
 
 	leader := cluster.Cores[0]
 	follower := cluster.Cores[2]
@@ -1589,7 +1592,6 @@ func TestCore_RaftDataDirPath(t *testing.T) {
 	t.Run("raft", func(t *testing.T) {
 		t.Parallel()
 		cluster, _ := raftCluster(t, nil)
-		defer cluster.Cleanup()
 		path, ok := cluster.Cores[0].RaftDataDirPath()
 		require.True(t, ok)
 		require.NotEmpty(t, path)
@@ -1608,7 +1610,6 @@ func TestCore_RaftDataDirPath(t *testing.T) {
 		opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
 		teststorage.RaftHASetup(&conf, &opts, teststorage.MakeFileBackend)
 		cluster := vault.NewTestCluster(t, &conf, &opts)
-		defer cluster.Cleanup()
 		path, ok := cluster.Cores[0].RaftDataDirPath()
 		require.False(t, ok)
 		require.Empty(t, path)
@@ -1631,9 +1632,6 @@ func TestRaft_SnapshotLargerMaxRequestSize(t *testing.T) {
 	}
 
 	cluster := vault.NewTestCluster(t, conf, &opts)
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
-	defer cluster.Cleanup()
-
 	client := cluster.Cores[0].Client
 	for i := 0; i < 4096; i++ {
 		path, err := uuid.GenerateUUID()
@@ -1659,3 +1657,14 @@ func TestRaft_SnapshotLargerMaxRequestSize(t *testing.T) {
 	require.NoError(t, err)
 	testhelpers.WaitForActiveNode(t, cluster)
 }
+
+// TestRaft_BootstrapWhenSealed ensures raft does not attempt to bootstrap when sealed.
+func TestRaft_BootstrapWhenSealed(t *testing.T) {
+	t.Parallel()
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+	cluster.EnsureCoresSealed(t)
+
+	_, err := client.Logical().Write("sys/storage/raft/bootstrap", nil)
+	require.ErrorContains(t, err, "node must be unsealed to bootstrap")
+}
diff --git a/vault/external_tests/raftha/raft_ha_test.go b/vault/external_tests/raftha/raft_ha_test.go
index d52b01b87f..3f836586cf 100644
--- a/vault/external_tests/raftha/raft_ha_test.go
+++ b/vault/external_tests/raftha/raft_ha_test.go
@@ -78,7 +78,6 @@ func testRaftHANewCluster(t *testing.T, bundler teststorage.PhysicalBackendBundl
 
 	teststorage.RaftHASetup(&conf, &opts, bundler)
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	defer cluster.Cleanup()
 
 	joinFunc := func(client *api.Client, addClientCerts bool) {
 		req := &api.RaftJoinRequest{
@@ -223,7 +222,6 @@ func testRaftHARecoverCluster(t *testing.T, physBundle *vault.PhysicalBackendBun
 	// Ensure no writes are happening before we try to clean it up, to prevent
 	// issues deleting the files.
 	clusterRestored.EnsureCoresSealed(t)
-	clusterRestored.Cleanup()
 }
 
 func TestRaft_HA_ExistingCluster(t *testing.T) {
@@ -249,8 +247,6 @@ func TestRaft_HA_ExistingCluster(t *testing.T) {
 		clusterRootToken   string
 	)
 	createCluster := func(t *testing.T) {
-		t.Log("simulating cluster creation without raft as HABackend")
-
 		storage.Setup(&conf, &opts)
 
 		cluster := vault.NewTestCluster(t, &conf, &opts)
@@ -269,8 +265,6 @@ func TestRaft_HA_ExistingCluster(t *testing.T) {
 	defer haCleanup()
 
 	updateCluster := func(t *testing.T) {
-		t.Log("simulating cluster update with raft as HABackend")
-
 		opts.SkipInit = true
 		haStorage.Setup(&conf, &opts)
 
@@ -342,8 +336,6 @@ func TestRaftHACluster_Removed_ReAdd(t *testing.T) {
 	opts := vault.TestClusterOptions{HandlerFunc: vaulthttp.Handler}
 	teststorage.RaftHASetup(&conf, &opts, teststorage.MakeFileBackend)
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	defer cluster.Cleanup()
-	vault.TestWaitActive(t, cluster.Cores[0].Core)
 
 	leader := cluster.Cores[0]
 	follower := cluster.Cores[2]
diff --git a/vault/external_tests/response/allowed_response_headers_test.go b/vault/external_tests/response/allowed_response_headers_test.go
index 4225ad1b2a..624dacb673 100644
--- a/vault/external_tests/response/allowed_response_headers_test.go
+++ b/vault/external_tests/response/allowed_response_headers_test.go
@@ -67,11 +67,6 @@ func TestIdentityStore_EntityDisabled(t *testing.T) {
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
 		HandlerFunc: vaulthttp.Handler,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
-
-	core := cluster.Cores[0].Core
-	vault.TestWaitActive(t, core)
 	client := cluster.Cores[0].Client
 
 	// Mount the auth backend
diff --git a/vault/external_tests/seal_binary/seal_docker_util.go b/vault/external_tests/seal_binary/seal_docker_util.go
index 2b16cb7677..ec596b0b52 100644
--- a/vault/external_tests/seal_binary/seal_docker_util.go
+++ b/vault/external_tests/seal_binary/seal_docker_util.go
@@ -4,242 +4,47 @@
 package seal_binary
 
 import (
-	"context"
+	"bufio"
 	"fmt"
 	"io"
-	"net/url"
+	"maps"
 	"os"
-	"path"
+	"strconv"
+	"strings"
+	"sync"
+	"testing"
 
-	"github.com/docker/docker/api/types/container"
-	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/api"
-	dockhelper "github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
 )
 
-const (
-	containerConfig = `
-{
-	"storage": {
-		"file": {
-			"path": "/tmp"
-		}
-	},
-
-	"disable_mlock": true,
-
-	"listener": [{
-		"tcp": {
-			"address": "0.0.0.0:8200",
-			"tls_disable": "true"
-		}
-	}],
-
-	"api_addr": "http://0.0.0.0:8200",
-	"cluster_addr": "http://0.0.0.0:8201",
-	%s
-}`
-
-	sealConfig = `
-"seal": [
-	%s
-]
-`
-
-	transitParameters = `
-  "address": "%s",
-  "token": "%s",
-  "mount_path": "%s",
-  "key_name": "%s",
-  "name": "%s"
-`
-
-	transitStanza = `
-{
-	"transit": {
-	  %s,
-	  "priority": %d,
-	  "disabled": %s
-	}
-}
-`
-	// recoveryModeFileName serves as a signal for the softhsmSetupScript to add the `-recovery` flag
-	// when launching Vault.
-	recoveryModeFileName     = "start-in-recovery-mode"
-	recoveryModeFileDir      = "/root/"
-	recoveryModeFileContents = "Script setup-softhsm.sh looks for this file and starts vault in recovery mode if it sees it"
-)
-
-type transitContainerConfig struct {
-	Address    string
-	Token      string
-	MountPaths []string
-	KeyNames   []string
-}
-
-func createBuildContextWithBinary(vaultBinary string) (dockhelper.BuildContext, error) {
-	f, err := os.Open(vaultBinary)
-	if err != nil {
-		return nil, fmt.Errorf("error opening vault binary file: %w", err)
-	}
-	data, err := io.ReadAll(f)
-	if err != nil {
-		return nil, fmt.Errorf("error reading vault binary file: %w", err)
-	}
-
-	bCtx := dockhelper.NewBuildContext()
-	bCtx["vault"] = &dockhelper.FileContents{
-		Data: data,
-		Mode: 0o755,
-	}
-
-	return bCtx, nil
-}
-
-func createDockerImage(imageRepo, imageTag, containerFile string, bCtx dockhelper.BuildContext) error {
-	runner, err := dockhelper.NewServiceRunner(dockhelper.RunOptions{
-		ContainerName: "vault",
-		ImageRepo:     imageRepo,
-		ImageTag:      "latest",
-	})
-	if err != nil {
-		return fmt.Errorf("error creating runner: %w", err)
-	}
-
-	_, err = runner.BuildImage(context.Background(), containerFile, bCtx,
-		dockhelper.BuildRemove(true),
-		dockhelper.BuildForceRemove(true),
-		dockhelper.BuildPullParent(true),
-		dockhelper.BuildTags([]string{fmt.Sprintf("%s:%s", imageRepo, imageTag)}))
-	if err != nil {
-		return fmt.Errorf("error building docker image: %w", err)
-	}
-
-	return nil
-}
-
-// This passes the config in an environment variable, so any changes to local.json
-// on the container will be overwritten if the container restarts
-func createContainerWithConfig(config string, imageRepo, imageTag string, logConsumer func(s string)) (*dockhelper.Service, *dockhelper.Runner, error) {
-	runner, err := dockhelper.NewServiceRunner(dockhelper.RunOptions{
-		ContainerName: "vault",
-		ImageRepo:     imageRepo,
-		ImageTag:      imageTag,
-		Cmd: []string{
-			"server", "-log-level=trace",
-		},
-		Ports:           []string{"8200/tcp"},
-		Env:             []string{fmt.Sprintf("VAULT_LICENSE=%s", os.Getenv("VAULT_LICENSE")), fmt.Sprintf("VAULT_LOCAL_CONFIG=%s", config)},
-		LogConsumer:     logConsumer,
-		DoNotAutoRemove: true,
-	})
-	if err != nil {
-		return nil, nil, fmt.Errorf("error creating runner: %w", err)
-	}
-
-	svc, err := runner.StartService(context.Background(), func(ctx context.Context, host string, port int) (dockhelper.ServiceConfig, error) {
-		return *dockhelper.NewServiceURL(url.URL{Scheme: "http", Host: fmt.Sprintf("%s:%d", host, port)}), nil
-	})
-	if err != nil {
-		return nil, nil, fmt.Errorf("could not start docker vault: %w", err)
-	}
-
-	return svc, runner, nil
-}
-
-func createContainerFromImage(imageRepo, imageTag string, logConsumer func(s string)) (*dockhelper.Service, *dockhelper.Runner, error) {
-	return createContainerWithConfig("", imageRepo, imageTag, logConsumer)
-}
-
-func createTransitTestContainer(imageRepo, imageTag string, numKeys int) (*dockhelper.Service, *transitContainerConfig, error) {
-	rootToken, err := uuid.GenerateUUID()
-	if err != nil {
-		return nil, nil, fmt.Errorf("error generating UUID: %w", err)
-	}
-
-	mountPaths := make([]string, numKeys)
-	keyNames := make([]string, numKeys)
-
-	for i := range mountPaths {
-		mountPaths[i], err = uuid.GenerateUUID()
-		if err != nil {
-			return nil, nil, fmt.Errorf("error generating UUID: %w", err)
-		}
-
-		keyNames[i], err = uuid.GenerateUUID()
-		if err != nil {
-			return nil, nil, fmt.Errorf("error generating UUID: %w", err)
+func init() {
+	if signed := os.Getenv("VAULT_LICENSE_CI"); signed != "" {
+		if err := os.Setenv("VAULT_LICENSE", signed); err != nil {
+			panic(err.Error())
 		}
 	}
+}
 
-	runner, err := dockhelper.NewServiceRunner(dockhelper.RunOptions{
-		ContainerName: "vault",
-		ImageRepo:     imageRepo,
-		ImageTag:      imageTag,
-		Cmd: []string{
-			"server", "-log-level=trace", "-dev", fmt.Sprintf("-dev-root-token-id=%s", rootToken),
-			"-dev-listen-address=0.0.0.0:8200",
-		},
-		Env:   []string{fmt.Sprintf("VAULT_LICENSE=%s", os.Getenv("VAULT_LICENSE"))},
-		Ports: []string{"8200/tcp"},
-	})
-	if err != nil {
-		return nil, nil, fmt.Errorf("could not create runner: %w", err)
-	}
+func withPriorityAndDisabled(priority int, disabled bool, seal testcluster.VaultNodeSealConfig) testcluster.VaultNodeSealConfig {
+	modified := seal
+	modified.Config = maps.Clone(seal.Config)
+	modified.Config["disabled"] = strconv.FormatBool(disabled)
+	modified.Config["priority"] = strconv.Itoa(priority)
+	return modified
+}
 
-	svc, err := runner.StartService(context.Background(), func(ctx context.Context, host string, port int) (dockhelper.ServiceConfig, error) {
-		c := *dockhelper.NewServiceURL(url.URL{Scheme: "http", Host: fmt.Sprintf("%s:%d", host, port)})
+type seal struct {
+	base     func(name string, idx int) testcluster.VaultNodeSealConfig
+	index    int
+	disabled bool
+	priority int
+}
 
-		clientConfig := api.DefaultConfig()
-		clientConfig.Address = c.URL().String()
-		vault, err := api.NewClient(clientConfig)
-		if err != nil {
-			return nil, err
-		}
-		vault.SetToken(rootToken)
-
-		// Set up transit mounts and keys
-		for i := range mountPaths {
-			if err := vault.Sys().Mount(mountPaths[i], &api.MountInput{
-				Type: "transit",
-			}); err != nil {
-				return nil, err
-			}
-
-			if _, err := vault.Logical().Write(path.Join(mountPaths[i], "keys", keyNames[i]), map[string]interface{}{}); err != nil {
-				return nil, err
-			}
-		}
-
-		return c, nil
-	})
-	if err != nil {
-		return nil, nil, fmt.Errorf("could not start docker vault: %w", err)
-	}
-
-	mapping, err := runner.GetNetworkAndAddresses(svc.Container.Name)
-	if err != nil {
-		svc.Cleanup()
-		return nil, nil, fmt.Errorf("failed to get container network information: %w", err)
-	}
-
-	if len(mapping) != 1 {
-		svc.Cleanup()
-		return nil, nil, fmt.Errorf("expected 1 network mapping, got %d", len(mapping))
-	}
-
-	var ip string
-	for _, ip = range mapping {
-		// capture the container IP address from the map
-	}
-
-	return svc,
-		&transitContainerConfig{
-			Address:    fmt.Sprintf("http://%s:8200", ip),
-			Token:      rootToken,
-			MountPaths: mountPaths,
-			KeyNames:   keyNames,
-		}, nil
+type step struct {
+	expectedSealType string
+	seals            []seal
 }
 
 func validateVaultStatusAndSealType(client *api.Client, expectedSealType string) error {
@@ -259,80 +64,134 @@ func validateVaultStatusAndSealType(client *api.Client, expectedSealType string)
 	return nil
 }
 
-func testClient(address string) (*api.Client, error) {
-	clientConfig := api.DefaultConfig()
-	clientConfig.Address = address
-	testClient, err := api.NewClient(clientConfig)
-	if err != nil {
-		return nil, err
+func dockerOptions(t *testing.T, repo, tag string) *docker.DockerClusterOptions {
+	opts := docker.DefaultOptions(t)
+	opts.NumCores = 1
+	opts.ImageRepo, opts.ImageTag = repo, tag
+	opts.VaultBinary = ""
+	// Probably not reliable in CI with multi-node clusters, but we're assuming callers
+	// of this func won't change NumCores to be >1.
+	opts.VaultNodeConfig.StorageOptions = map[string]string{
+		"performance_multiplier": "1",
 	}
-	return testClient, nil
+	return opts
 }
 
-func initializeVault(client *api.Client, sealType string) ([]string, string, error) {
-	var keys []string
-	var token string
+type logScanner struct {
+	wg   sync.WaitGroup
+	l    sync.Mutex
+	ch   chan string
+	pw   *io.PipeWriter
+	stop chan struct{}
+}
 
-	if sealType == "shamir" {
-		initResp, err := client.Sys().Init(&api.InitRequest{
-			SecretThreshold: 1,
-			SecretShares:    1,
-		})
-		if err != nil {
-			return nil, "", err
+func newLogScanner(t *testing.T, underlying io.Writer, bufLines int) (*logScanner, io.Writer) {
+	pr, pw := io.Pipe()
+	ls := &logScanner{
+		ch:   make(chan string, bufLines),
+		pw:   pw,
+		stop: make(chan struct{}),
+	}
+
+	ls.wg.Add(1)
+	go func() {
+		defer ls.wg.Done()
+		// bufio.Scanner is perfect here because hclog writes each log entry
+		// ending with a newline character.
+		scanner := bufio.NewScanner(pr)
+
+		// scanner.Scan() will block until a new line is written to the pipe,
+		// and it will exit automatically when pw.Close() is called.
+		for scanner.Scan() {
+			logLine := scanner.Text()
+			underlying.Write([]byte(logLine + "\n"))
+			select {
+			case <-ls.stop:
+				return
+			case ls.ch <- logLine:
+			}
 		}
 
-		keys = initResp.Keys
-		token = initResp.RootToken
-
-		_, err = client.Sys().Unseal(initResp.Keys[0])
-		if err != nil {
-			return nil, "", err
+		if err := scanner.Err(); err != nil {
+			t.Fatalf("Scanner error: %v", err)
 		}
-	} else {
-		initResp, err := client.Sys().Init(&api.InitRequest{
-			RecoveryShares:    1,
-			RecoveryThreshold: 1,
-		})
-		if err != nil {
-			return nil, "", err
+	}()
+
+	t.Cleanup(func() {
+		if err := ls.Close(); err != nil {
+			t.Logf("Error closing scanner: %v", err)
 		}
+	})
 
-		keys = initResp.RecoveryKeys
-		token = initResp.RootToken
-	}
-
-	return keys, token, nil
+	return ls, pw
 }
 
-func copyConfigToContainer(containerID string, bCtx dockhelper.BuildContext, runner *dockhelper.Runner) error {
-	tar, err := bCtx.ToTarball()
-	if err != nil {
-		return fmt.Errorf("error creating config tarball: %w", err)
-	}
-
-	err = runner.DockerAPI.CopyToContainer(context.Background(), containerID, "/vault/config", tar, container.CopyToContainerOptions{})
-	if err != nil {
-		return fmt.Errorf("error copying config to container: %w", err)
-	}
-
-	return nil
+func (ls *logScanner) Lines() <-chan string {
+	return ls.ch
 }
 
-func copyRecoveryModeTriggerToContainer(containerID string, runner *dockhelper.Runner) error {
-	bCtx := dockhelper.NewBuildContext()
-	bCtx[recoveryModeFileName] = &dockhelper.FileContents{
-		Data: []byte(recoveryModeFileContents),
-		Mode: 0o644,
+func (ls *logScanner) Close() error {
+	ls.l.Lock()
+	defer ls.l.Unlock()
+
+	close(ls.stop)
+	err := ls.pw.Close()
+	ls.wg.Wait()
+
+	return err
+}
+
+type logMatcher struct {
+	targets map[string]bool
+	lines   <-chan string
+	done    chan struct{}
+	l       sync.RWMutex
+}
+
+func newLogMatcher(lines <-chan string, targets []string) *logMatcher {
+	tmap := make(map[string]bool)
+	for _, target := range targets {
+		tmap[target] = false
 	}
-	tar, err := bCtx.ToTarball()
-	if err != nil {
-		return fmt.Errorf("error creating config tarball: %w", err)
+	lm := &logMatcher{
+		targets: tmap,
+		lines:   lines,
+		done:    make(chan struct{}),
 	}
 
-	err = runner.DockerAPI.CopyToContainer(context.Background(), containerID, recoveryModeFileDir, tar, container.CopyToContainerOptions{})
-	if err != nil {
-		return fmt.Errorf("error copying revovery mode trigger file to container: %w", err)
-	}
-	return nil
+	go func() {
+		for {
+			select {
+			case <-lm.done:
+				return
+			case line := <-lines:
+				for target, ok := range tmap {
+					if !ok && strings.Contains(line, target) {
+						lm.l.Lock()
+						tmap[target] = true
+						lm.l.Unlock()
+					}
+				}
+			}
+		}
+	}()
+
+	return lm
+}
+
+func (lm *logMatcher) stop() {
+	close(lm.done)
+}
+
+func (lm *logMatcher) missing() []string {
+	lm.l.RLock()
+	defer lm.l.RUnlock()
+
+	var ret []string
+	for target, found := range lm.targets {
+		if !found {
+			ret = append(ret, target)
+		}
+	}
+	return ret
 }
diff --git a/vault/external_tests/seal_binary/seal_docker_util_oss.go b/vault/external_tests/seal_binary/seal_docker_util_oss.go
new file mode 100644
index 0000000000..6f62b99afb
--- /dev/null
+++ b/vault/external_tests/seal_binary/seal_docker_util_oss.go
@@ -0,0 +1,24 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package seal_binary
+
+import (
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	"github.com/stretchr/testify/assert"
+)
+
+func pkcsWrapper(string, int) testcluster.VaultNodeSealConfig {
+	return testcluster.VaultNodeSealConfig{}
+}
+
+func getRewrappedEntryCount(client *api.Client) (uint32, error) {
+	return 0, nil
+}
+
+func verifyRewrappedEntryCount(t *assert.CollectT, client *api.Client, initialProcessedEntries uint32) uint32 {
+	return 0
+}
diff --git a/vault/external_tests/seal_binary/seal_sighup_test.go b/vault/external_tests/seal_binary/seal_sighup_test.go
index 4a875940db..c6dcb85843 100644
--- a/vault/external_tests/seal_binary/seal_sighup_test.go
+++ b/vault/external_tests/seal_binary/seal_sighup_test.go
@@ -1,175 +1,269 @@
 // Copyright IBM Corp. 2016, 2025
 // SPDX-License-Identifier: BUSL-1.1
 
-//go:build !enterprise
-
 package seal_binary
 
 import (
-	"context"
-	"fmt"
-	"os"
+	"strconv"
 	"testing"
 	"time"
 
-	dockhelper "github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/constants"
+	sealhelper "github.com/hashicorp/vault/helper/testhelpers/seal"
+	"github.com/hashicorp/vault/helper/testhelpers/testimages"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestSealReloadSIGHUP(t *testing.T) {
-	binary := os.Getenv("VAULT_BINARY")
-	if binary == "" {
-		t.Skip("only running docker test with $VAULT_BINARY present")
+	transit := sealhelper.NewTransitDockerSealServer(t)
+
+	repo, tag := testimages.GetImageRepoAndTag(t, constants.IsEnterprise)
+
+	type testCase struct {
+		name             string
+		steps            []step
+		disableMultiseal bool
 	}
 
-	transitContainer, transitConfig, err := createTransitTestContainer("hashicorp/vault", "latest", 2)
-	if err != nil {
-		t.Fatalf("error creating vault container: %s", err)
-	}
-	defer transitContainer.Cleanup()
-
-	firstTransitKeyConfig := fmt.Sprintf(transitParameters,
-		transitConfig.Address,
-		transitConfig.Token,
-		transitConfig.MountPaths[0],
-		transitConfig.KeyNames[0],
-		"transit-seal-1",
-	)
-
-	secondTransitKeyConfig := fmt.Sprintf(transitParameters,
-		transitConfig.Address,
-		transitConfig.Token,
-		transitConfig.MountPaths[1],
-		transitConfig.KeyNames[1],
-		"transit-seal-2",
-	)
-
-	testCases := map[string]struct {
-		sealStanzas       []string
-		expectedSealTypes []string
-	}{
-		"migrate transit to transit": {
-			sealStanzas: []string{
-				fmt.Sprintf(transitStanza, firstTransitKeyConfig, 1, "false"),
-				fmt.Sprintf(transitStanza, firstTransitKeyConfig, 2, "true") + "," +
-					fmt.Sprintf(transitStanza, secondTransitKeyConfig, 1, "false"),
-				fmt.Sprintf(transitStanza, secondTransitKeyConfig, 1, "false"),
+	testCases := []testCase{
+		{
+			name: "transit to transit",
+			steps: []step{
+				{
+					"transit", []seal{
+						{base: transit.Seal, index: 0, priority: 1},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: transit.Seal, index: 0, priority: 2, disabled: true},
+						{base: transit.Seal, index: 1, priority: 1},
+					},
+				}, {
+					"transit", []seal{
+						{base: transit.Seal, index: 1, priority: 1},
+					},
+				},
 			},
-			expectedSealTypes: []string{
-				"transit",
-				"transit",
-				"transit",
+		}, {
+			name: "transit to transit no multiseal",
+			steps: []step{
+				{
+					"transit", []seal{
+						{base: transit.Seal, index: 0, priority: 1},
+					},
+				}, {
+					"transit", []seal{
+						{base: transit.Seal, index: 0, priority: 2, disabled: true},
+						{base: transit.Seal, index: 1, priority: 1},
+					},
+				}, {
+					"transit", []seal{
+						{base: transit.Seal, index: 1, priority: 1},
+					},
+				},
 			},
-		},
-		"migrate shamir to transit fails": {
-			sealStanzas: []string{
-				"",
-				fmt.Sprintf(transitStanza, firstTransitKeyConfig, 1, "false"),
+			disableMultiseal: true,
+		}, {
+			name: "transit to pkcs11",
+			steps: []step{
+				{
+					"transit", []seal{
+						{base: transit.Seal, priority: 1},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: transit.Seal, priority: 1, disabled: true},
+						{base: pkcsWrapper, priority: 2},
+					},
+				}, {
+					"pkcs11", []seal{
+						{base: pkcsWrapper, priority: 1},
+					},
+				},
 			},
-			expectedSealTypes: []string{
-				"shamir",
-				"shamir",
+		}, {
+			name: "pkcs11 to transit",
+			steps: []step{
+				{
+					"pkcs11", []seal{
+						{base: pkcsWrapper, priority: 1},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: pkcsWrapper, priority: 2, disabled: true},
+						{base: transit.Seal, priority: 1},
+					},
+				}, {
+					"transit", []seal{
+						{base: transit.Seal, priority: 1},
+					},
+				},
 			},
-		},
-		"migrate transit to shamir fails": {
-			sealStanzas: []string{
-				fmt.Sprintf(transitStanza, firstTransitKeyConfig, 1, "false"),
-				"",
+		}, {
+			name: "two transit seals",
+			steps: []step{
+				{
+					"transit", []seal{
+						{base: transit.Seal, priority: 1},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: transit.Seal, index: 0, priority: 1},
+						{base: transit.Seal, index: 1, priority: 2},
+					},
+				},
 			},
-			expectedSealTypes: []string{
-				"transit",
-				"transit",
+		}, {
+			name: "pkcs11 seal and transit seal",
+			steps: []step{
+				{
+					"transit", []seal{
+						{base: transit.Seal, priority: 1},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: transit.Seal, priority: 1},
+						{base: pkcsWrapper, priority: 2},
+					},
+				},
 			},
-		},
-		"replacing seal fails": {
-			sealStanzas: []string{
-				fmt.Sprintf(transitStanza, firstTransitKeyConfig, 1, "false"),
-				fmt.Sprintf(transitStanza, secondTransitKeyConfig, 1, "false"),
+		}, {
+			name: "three seals",
+			steps: []step{
+				{
+					"transit", []seal{
+						{base: transit.Seal, index: 0, priority: 1},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: transit.Seal, index: 0, priority: 1},
+						{base: pkcsWrapper, priority: 2},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: transit.Seal, index: 0, priority: 1},
+						{base: pkcsWrapper, priority: 2},
+						{base: transit.Seal, index: 1, priority: 3},
+					},
+				},
 			},
-			expectedSealTypes: []string{
-				"transit",
-				"transit",
+		}, {
+			name: "remove enabled seal",
+			steps: []step{
+				{
+					"transit", []seal{
+						{base: transit.Seal, priority: 1},
+					},
+				}, {
+					"multiseal", []seal{
+						{base: transit.Seal, priority: 1},
+						{base: pkcsWrapper, priority: 2},
+					},
+				}, {
+					"pkcs11", []seal{
+						{base: pkcsWrapper, priority: 2},
+					},
+				},
 			},
-		},
-		"more than one seal fails": {
-			sealStanzas: []string{
-				fmt.Sprintf(transitStanza, firstTransitKeyConfig, 1, "false"),
-				fmt.Sprintf(transitStanza, firstTransitKeyConfig, 1, "false") + "," +
-					fmt.Sprintf(transitStanza, secondTransitKeyConfig, 2, "false"),
+		}, {
+			name: "shamir to transit fails",
+			steps: []step{
+				{
+					"shamir", nil,
+				}, {
+					"shamir", []seal{
+						{base: transit.Seal, priority: 1},
+					},
+				},
 			},
-			expectedSealTypes: []string{
-				"transit",
-				"transit",
+		}, {
+			name: "transit to shamir fails",
+			steps: []step{
+				{
+					"transit", []seal{{base: transit.Seal, priority: 1}},
+				}, {
+					"transit", nil,
+				},
+			},
+		}, {
+			name: "replacing seal fails",
+			steps: []step{
+				{
+					"transit", []seal{{base: transit.Seal, index: 0, priority: 1}},
+				}, {
+					"transit", []seal{{base: transit.Seal, index: 1, priority: 1}},
+				},
 			},
 		},
 	}
 
-	containerFile := `
-FROM hashicorp/vault:latest
-COPY vault /bin/vault
-`
-	bCtx, err := createBuildContextWithBinary(os.Getenv("VAULT_BINARY"))
-	if err != nil {
-		t.Fatalf("error creating build context: %s", err)
-	}
-	err = createDockerImage("hashicorp/vault", "test-image", containerFile, bCtx)
-	if err != nil {
-		t.Fatalf("error creating docker image: %s", err)
+	isEnterpriseCase := func(tc testCase) bool {
+		for _, step := range tc.steps {
+			if step.expectedSealType == "multiseal" || step.expectedSealType == "pkcs11" {
+				return true
+			}
+		}
+		return false
 	}
 
-	for name, test := range testCases {
-		t.Run(name, func(t *testing.T) {
-			var sealList string
-			if test.sealStanzas[0] != "" {
-				sealList = fmt.Sprintf(sealConfig, test.sealStanzas[0])
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if isEnterpriseCase(tc) && !constants.IsEnterprise {
+				t.Skip("Skipping enterprise tests")
 			}
 
-			vaultConfig := fmt.Sprintf(containerConfig, sealList)
-
-			svc, runner, err := createContainerWithConfig(vaultConfig, "hashicorp/vault", "test-image", func(s string) { t.Log(s) })
-			if err != nil {
-				t.Fatalf("error creating container: %s", err)
+			opts := dockerOptions(t, repo, tag)
+			for _, seal := range tc.steps[0].seals {
+				vncseal := withPriorityAndDisabled(seal.priority, seal.disabled, seal.base(tc.name, seal.index))
+				opts.VaultNodeConfig.Seal = append(opts.VaultNodeConfig.Seal, vncseal)
 			}
-			defer svc.Cleanup()
-
-			time.Sleep(5 * time.Second)
-
-			client, err := testClient(svc.Config.URL().String())
-			if err != nil {
-				t.Fatalf("err: %s", err)
+			if tc.steps[0].expectedSealType != "shamir" && !tc.disableMultiseal {
+				opts.VaultNodeConfig.EnableMultiSeal = true
 			}
+			cluster := docker.NewTestDockerCluster(t, opts)
+			node := cluster.Nodes()[0].(*docker.DockerClusterNode)
+			client := node.APIClient()
+			lastRewrappedEntryCount, err := getRewrappedEntryCount(client)
+			require.NoError(t, err)
 
-			_, token, err := initializeVault(client, test.expectedSealTypes[0])
-			if err != nil {
-				t.Fatalf("error initializing vault: %s", err)
-			}
-			client.SetToken(token)
+			// kv mounts are sealwrapped.  In order to make sure that we don't get fooled
+			// by the rewrap status endpoint saying "not in progress" prior to a rewrap
+			// being started, we're going to arrange for there to be an extra key to wrap
+			// each iteration, by creating a new kv entry each iteration.
+			require.NoError(t, client.Sys().Mount("kv", &api.MountInput{
+				Type: "kv",
+			}))
+			client.Logical().Write("kv/0", map[string]any{"1": 1})
 
-			for i := range test.sealStanzas {
-				if test.sealStanzas[i] != "" {
-					sealList = fmt.Sprintf(sealList, test.sealStanzas[i])
+			expectFailure := len(tc.steps) < 3
+			for i := 1; i < len(tc.steps); i++ {
+				if tc.steps[i].expectedSealType != "shamir" && !tc.disableMultiseal {
+					opts.VaultNodeConfig.EnableMultiSeal = true
 				}
-
-				vaultConfig = fmt.Sprintf(containerConfig, sealList)
-				configCtx := dockhelper.NewBuildContext()
-				configCtx["local.json"] = &dockhelper.FileContents{
-					Data: []byte(vaultConfig),
-					Mode: 0o644,
+				opts.VaultNodeConfig.Seal = nil
+				for _, seal := range tc.steps[i].seals {
+					opts.VaultNodeConfig.Seal = append(opts.VaultNodeConfig.Seal,
+						withPriorityAndDisabled(seal.priority, seal.disabled, seal.base(tc.name, seal.index)))
 				}
+				require.NoError(t, node.UpdateConfig(t.Context(), opts))
+				require.NoError(t, node.Signal(t.Context(), "SIGHUP"))
 
-				err = copyConfigToContainer(svc.Container.ID, bCtx, runner)
-				if err != nil {
-					t.Fatalf("error copying over config file: %s", err)
-				}
+				require.EventuallyWithT(t, func(ct *assert.CollectT) {
+					if !tc.disableMultiseal && !expectFailure && tc.steps[i].expectedSealType != "shamir" {
+						lastRewrappedEntryCount = verifyRewrappedEntryCount(ct, client, lastRewrappedEntryCount+1)
+					}
 
-				err = runner.DockerAPI.ContainerKill(context.Background(), svc.Container.ID, "SIGHUP")
-				if err != nil {
-					t.Fatalf("error sending SIGHUP: %s", err)
-				}
+					resp, err := client.Sys().SealStatusWithContext(t.Context())
+					require.NoError(t, err)
+					assert.Equal(ct, resp.Type, tc.steps[i].expectedSealType)
+					assert.False(ct, resp.Sealed)
+				}, 20*time.Second, time.Second/2)
 
-				err = validateVaultStatusAndSealType(client, test.expectedSealTypes[i])
-				if err != nil {
-					t.Fatalf("seal type check failed: %s", err)
-				}
+				client.Logical().Write("kv/"+strconv.Itoa(i), map[string]any{"1": 1})
 			}
 		})
 	}
diff --git a/vault/external_tests/sealmigration/testshared.go b/vault/external_tests/sealmigration/testshared.go
index eb91379bec..eff73cf9b1 100644
--- a/vault/external_tests/sealmigration/testshared.go
+++ b/vault/external_tests/sealmigration/testshared.go
@@ -109,7 +109,6 @@ func ParamTestSealMigrationTransitToShamir_Post14(t *testing.T, logger hclog.Log
 	opts.SealFunc = func() vault.Seal { return nil }
 	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
 	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigShamir)
-
 	cluster.Cleanup()
 	storage.Cleanup(t, cluster)
 
@@ -218,7 +217,6 @@ func migrateFromTransitToShamir_Pre14(t *testing.T, logger hclog.Logger, storage
 	storage.Setup(&conf, &opts)
 	conf.DisableAutopilot = true
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
 	defer func() {
 		cluster.Cleanup()
 		storage.Cleanup(t, cluster)
@@ -299,7 +297,6 @@ func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage
 	}
 	storage.Setup(&conf, &opts)
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
 	defer func() {
 		cluster.Cleanup()
 		storage.Cleanup(t, cluster)
@@ -591,7 +588,6 @@ func initializeShamir(t *testing.T, logger hclog.Logger, storage teststorage.Reu
 	}
 	storage.Setup(&conf, &opts)
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
 
 	leader := cluster.Cores[0]
 	client := leader.Client
@@ -645,7 +641,6 @@ func runShamir(t *testing.T, logger hclog.Logger, storage teststorage.ReusableSt
 	}
 	storage.Setup(&conf, &opts)
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
 	defer func() {
 		cluster.Cleanup()
 		storage.Cleanup(t, cluster)
@@ -723,7 +718,6 @@ func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.Re
 	}
 	storage.Setup(&conf, &opts)
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
 
 	leader := cluster.Cores[0]
 	client := leader.Client
@@ -777,7 +771,6 @@ func runAutoseal(t *testing.T, logger hclog.Logger, storage teststorage.Reusable
 	}
 	storage.Setup(&conf, &opts)
 	cluster := vault.NewTestCluster(t, &conf, &opts)
-	cluster.Start()
 	defer func() {
 		cluster.Cleanup()
 		storage.Cleanup(t, cluster)
diff --git a/vault/external_tests/standby/standby_test.go b/vault/external_tests/standby/standby_test.go
index 6fb4f832ca..26f6695550 100644
--- a/vault/external_tests/standby/standby_test.go
+++ b/vault/external_tests/standby/standby_test.go
@@ -47,7 +47,6 @@ func Test_Echo_Duration_Skew(t *testing.T) {
 			opts.Logger = logger
 			conf.DisablePerformanceStandby = !perfstandby
 			cluster := vault.NewTestCluster(t, conf, opts)
-			defer cluster.Cleanup()
 
 			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 			defer cancel()
diff --git a/vault/external_tests/system/system_binary/sys_rekey_config_reload_test.go b/vault/external_tests/system/system_binary/sys_rekey_config_reload_test.go
new file mode 100644
index 0000000000..644abe12e4
--- /dev/null
+++ b/vault/external_tests/system/system_binary/sys_rekey_config_reload_test.go
@@ -0,0 +1,183 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package system_binary
+
+import (
+	"testing"
+	"time"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers/testimages"
+	"github.com/hashicorp/vault/sdk/helper/testcluster"
+	"github.com/hashicorp/vault/sdk/helper/testcluster/docker"
+	"github.com/stretchr/testify/require"
+)
+
+// waitForRekeyInConfig polls sys/config/state/sanitized until the rekey endpoint
+// appears or disappears from enable_unauthenticated_access based on shouldBePresent.
+func waitForRekeyInConfig(t *testing.T, client *api.Client, rootToken string, shouldBePresent bool) {
+	clientWithAuth, err := client.Clone()
+	require.NoError(t, err, "failed to clone client")
+	clientWithAuth.SetToken(rootToken)
+
+	require.Eventually(t, func() bool {
+		resp, err := clientWithAuth.Logical().Read("sys/config/state/sanitized")
+		if err != nil {
+			t.Logf("error reading config state: %v", err)
+			return false
+		}
+		if resp == nil || resp.Data == nil {
+			t.Logf("nil response or data from config state")
+			return false
+		}
+
+		override, ok := resp.Data["enable_unauthenticated_access"]
+		if !ok {
+			// If the field is not present, rekey is not in the override list
+			return !shouldBePresent
+		}
+
+		// Check if override contains "rekey"
+		rekeyFound := false
+		if overrideSlice, ok := override.([]interface{}); ok {
+			for _, v := range overrideSlice {
+				if str, ok := v.(string); ok && str == "rekey" {
+					rekeyFound = true
+					break
+				}
+			}
+		}
+
+		if shouldBePresent {
+			return rekeyFound
+		}
+		return !rekeyFound
+	}, 10*time.Second, 100*time.Millisecond, "rekey presence in enable_unauthenticated_access did not match expected state")
+}
+
+// TestSysRekey_ConfigReload tests that the rekey status endpoint can be toggled
+// between requiring authentication and not requiring authentication by using
+// the enable_unauthenticated_access config option and reloading the config.
+func TestSysRekey_ConfigReload(t *testing.T) {
+	repo, tag := testimages.GetImageRepoAndTag(t, false)
+
+	nodeConfig := &testcluster.VaultNodeConfig{
+		LogLevel: "TRACE",
+	}
+	opts := &docker.DockerClusterOptions{
+		DisableMlock: true,
+		ImageRepo:    repo,
+		ImageTag:     tag,
+		ClusterOptions: testcluster.ClusterOptions{
+			NumCores:        1,
+			VaultNodeConfig: nodeConfig,
+		},
+	}
+
+	cluster := docker.NewTestDockerCluster(t, opts)
+	defer cluster.Cleanup()
+
+	node := cluster.Nodes()[0].(*docker.DockerClusterNode)
+	client := node.APIClient()
+	rootToken := cluster.GetRootToken()
+
+	// Test 1: Without enable_unauthenticated_access, rekey status should require auth
+	t.Run("requires-auth-by-default", func(t *testing.T) {
+		// Try without token - should fail
+		clientNoAuth, err := client.Clone()
+		require.NoError(t, err, "failed to clone client")
+		clientNoAuth.SetToken("")
+
+		_, err = clientNoAuth.Logical().Read("sys/rekey/init")
+		require.Error(t, err, "expected error when accessing rekey status without token")
+		require.Contains(t, err.Error(), "permission denied", "error should indicate permission denied")
+
+		// Try with token - should succeed
+		clientWithAuth, err := client.Clone()
+		require.NoError(t, err, "failed to clone client")
+		clientWithAuth.SetToken(rootToken)
+
+		resp, err := clientWithAuth.Logical().Read("sys/rekey/init")
+		require.NoError(t, err, "should succeed with valid token")
+		require.NotNil(t, resp, "response should not be nil")
+		require.NotNil(t, resp.Data, "response data should not be nil")
+		require.False(t, resp.Data["started"].(bool), "rekey should not be started")
+	})
+
+	// Test 2: Update config to enable unauthenticated rekey and reload
+	t.Run("enable-unauthenticated-via-config-reload", func(t *testing.T) {
+		// Create updated config with enable_unauthenticated_access
+		nodeConfig.EnableUnauthenticatedAccess = []string{"rekey"}
+
+		// Update the config and copy it to the container
+		err := node.UpdateConfig(t.Context(), opts)
+		require.NoError(t, err, "failed to update config")
+
+		// Send SIGHUP to reload the configuration
+		err = node.Signal(t.Context(), "SIGHUP")
+		require.NoError(t, err, "failed to send SIGHUP")
+
+		// Wait for rekey to appear in enable_unauthenticated_access
+		waitForRekeyInConfig(t, client, rootToken, true)
+
+		// Now test that rekey status works without auth
+		clientNoAuth, err := client.Clone()
+		require.NoError(t, err, "failed to clone client")
+		clientNoAuth.SetToken("")
+
+		resp, err := clientNoAuth.Logical().Read("sys/rekey/init")
+		require.NoError(t, err, "should succeed without token after config reload")
+		require.NotNil(t, resp, "response should not be nil")
+		require.NotNil(t, resp.Data, "response data should not be nil")
+		require.False(t, resp.Data["started"].(bool), "rekey should not be started")
+
+		// Verify it still works with auth
+		clientWithAuth2, err := client.Clone()
+		require.NoError(t, err, "failed to clone client")
+		clientWithAuth2.SetToken(rootToken)
+
+		resp2, err := clientWithAuth2.Logical().Read("sys/rekey/init")
+		require.NoError(t, err, "should still succeed with valid token")
+		require.NotNil(t, resp2, "response should not be nil")
+		require.NotNil(t, resp2.Data, "response data should not be nil")
+		require.False(t, resp2.Data["started"].(bool), "rekey should not be started")
+	})
+
+	// Test 3: Remove the override and reload to restore auth requirement
+	t.Run("restore-auth-requirement-via-config-reload", func(t *testing.T) {
+		// Create config without enable_unauthenticated_access
+		nodeConfig.EnableUnauthenticatedAccess = nil
+
+		// Update the config and copy it to the container
+		err := node.UpdateConfig(t.Context(), opts)
+		require.NoError(t, err, "failed to update config")
+
+		// Send SIGHUP to reload the configuration
+		err = node.Signal(t.Context(), "SIGHUP")
+		require.NoError(t, err, "failed to send SIGHUP")
+
+		// Wait for rekey to be removed from enable_unauthenticated_access
+		waitForRekeyInConfig(t, client, rootToken, false)
+
+		// Now test that rekey status requires auth again
+		clientNoAuth, err := client.Clone()
+		require.NoError(t, err, "failed to clone client")
+		clientNoAuth.SetToken("")
+
+		_, err = clientNoAuth.Logical().Read("sys/rekey/init")
+		require.Error(t, err, "should fail without token after restoring auth requirement")
+		require.Contains(t, err.Error(), "permission denied", "error should indicate permission denied")
+
+		// Verify it still works with auth
+		clientWithAuth2, err := client.Clone()
+		require.NoError(t, err, "failed to clone client")
+		clientWithAuth2.SetToken(rootToken)
+
+		resp, err := clientWithAuth2.Logical().Read("sys/rekey/init")
+		require.NoError(t, err, "should succeed with valid token")
+		require.NotNil(t, resp, "response should not be nil")
+		require.NotNil(t, resp.Data, "response data should not be nil")
+		require.False(t, resp.Data["started"].(bool), "rekey should not be started")
+	})
+}
diff --git a/vault/external_tests/token/token_test.go b/vault/external_tests/token/token_test.go
index c609ce17da..bd11410e5a 100644
--- a/vault/external_tests/token/token_test.go
+++ b/vault/external_tests/token/token_test.go
@@ -13,8 +13,8 @@ import (
 
 	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/helper/testhelpers/ldap"
 	"github.com/hashicorp/vault/helper/testhelpers/minimal"
+	"github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
@@ -102,7 +102,7 @@ func TestTokenStore_IdentityPolicies(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	cleanup, cfg := ldap.PrepareTestContainer(t, ldap.DefaultVersion)
+	cleanup, cfg := docker.PrepareLDAPTestContainer(t, docker.DefaultLDAPVersion)
 	defer cleanup()
 
 	// Configure LDAP auth
diff --git a/vault/generate_root.go b/vault/generate_root.go
index fb4da4380d..282c790b4d 100644
--- a/vault/generate_root.go
+++ b/vault/generate_root.go
@@ -7,9 +7,12 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
+	"encoding/hex"
 	"errors"
 	"fmt"
+	"net/http"
 
+	"github.com/hashicorp/go-secure-stdlib/base62"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/pgpkeys"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -90,9 +93,11 @@ type GenerateRootResult struct {
 }
 
 // GenerateRootProgress is used to return the root generation progress (num shares)
-func (c *Core) GenerateRootProgress() (int, error) {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) GenerateRootProgress(grabLock bool) (int, error) {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() && !c.recoveryMode {
 		return 0, consts.ErrSealed
 	}
@@ -108,9 +113,11 @@ func (c *Core) GenerateRootProgress() (int, error) {
 
 // GenerateRootConfiguration is used to read the root generation configuration
 // It stubbornly refuses to return the OTP if one is there.
-func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error) {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) GenerateRootConfiguration(grabLock bool) (*GenerateRootConfig, error) {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() && !c.recoveryMode {
 		return nil, consts.ErrSealed
 	}
@@ -133,7 +140,7 @@ func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error) {
 }
 
 // GenerateRootInit is used to initialize the root generation settings
-func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrategy) error {
+func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrategy, grabLock bool) error {
 	var fingerprint string
 	switch {
 	case len(otp) > 0:
@@ -156,8 +163,10 @@ func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrateg
 		return fmt.Errorf("otp or pgp_key parameter must be provided")
 	}
 
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() && !c.recoveryMode {
 		return consts.ErrSealed
 	}
@@ -209,7 +218,7 @@ func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrateg
 }
 
 // GenerateRootUpdate is used to provide a new key part
-func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, strategy GenerateRootStrategy) (*GenerateRootResult, error) {
+func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, strategy GenerateRootStrategy, grabLock bool) (*GenerateRootResult, error) {
 	// Verify the key length
 	min, max := c.barrier.KeyLength()
 	max += shamir.ShareOverhead
@@ -241,8 +250,10 @@ func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string,
 	}
 
 	// Ensure we are already unsealed
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() && !c.recoveryMode {
 		return nil, consts.ErrSealed
 	}
@@ -310,6 +321,7 @@ func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string,
 			return nil, fmt.Errorf("failed to compute root key: %w", err)
 		}
 	}
+	defer memzero(combinedKey)
 
 	if err := strategy.authenticate(ctx, c, combinedKey); err != nil {
 		c.logger.Error("root generation aborted", "error", err.Error())
@@ -362,9 +374,11 @@ func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string,
 }
 
 // GenerateRootCancel is used to cancel an in-progress root generation
-func (c *Core) GenerateRootCancel() error {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) GenerateRootCancel(grabLock bool) error {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() && !c.recoveryMode {
 		return consts.ErrSealed
 	}
@@ -380,3 +394,176 @@ func (c *Core) GenerateRootCancel() error {
 	c.generateRootProgress = nil
 	return nil
 }
+
+// GenerateRootStatusResponse is the response structure for generate root status
+type GenerateRootStatusResponse struct {
+	Nonce            string `json:"nonce"`
+	Started          bool   `json:"started"`
+	Progress         int    `json:"progress"`
+	Required         int    `json:"required"`
+	Complete         bool   `json:"complete"`
+	EncodedToken     string `json:"encoded_token"`
+	EncodedRootToken string `json:"encoded_root_token"`
+	PGPFingerprint   string `json:"pgp_fingerprint"`
+	OTP              string `json:"otp"`
+	OTPLength        int    `json:"otp_length"`
+}
+
+// GenerateRootInitRequest is the request structure for initializing generate root
+type GenerateRootInitRequest struct {
+	OTP    string `json:"otp"`
+	PGPKey string `json:"pgp_key"`
+}
+
+// GenerateRootUpdateRequest is the request structure for updating generate root
+type GenerateRootUpdateRequest struct {
+	Nonce string `json:"nonce"`
+	Key   string `json:"key"`
+}
+
+// HandleSysGenerateRootAttemptGet returns the status of a generate root attempt.
+// In the event of an error, we return both the error and the HTTP status code to
+// return that error with.
+func HandleSysGenerateRootAttemptGet(ctx context.Context, core *Core, otp string, grabLock bool) (*GenerateRootStatusResponse, int, error) {
+	// Get the current seal configuration
+	barrierConfig, err := core.SealAccess().BarrierConfig(ctx)
+	if err != nil {
+		return nil, http.StatusInternalServerError, err
+	}
+	if barrierConfig == nil {
+		return nil, http.StatusBadRequest, fmt.Errorf("server is not yet initialized")
+	}
+
+	sealConfig := barrierConfig
+	if core.SealAccess().RecoveryKeySupported() {
+		sealConfig, err = core.SealAccess().RecoveryConfig(ctx)
+		if err != nil {
+			return nil, http.StatusInternalServerError, err
+		}
+	}
+
+	// Get the generation configuration
+	generationConfig, err := core.GenerateRootConfiguration(grabLock)
+	if err != nil {
+		return nil, http.StatusInternalServerError, err
+	}
+
+	// Get the progress
+	progress, err := core.GenerateRootProgress(grabLock)
+	if err != nil {
+		return nil, http.StatusInternalServerError, err
+	}
+
+	var otpLength int
+	if core.DisableSSCTokens() {
+		otpLength = TokenLength + OldTokenPrefixLength
+	} else {
+		otpLength = TokenLength + TokenPrefixLength
+	}
+
+	// Format the status
+	status := &GenerateRootStatusResponse{
+		Started:   false,
+		Progress:  progress,
+		Required:  sealConfig.SecretThreshold,
+		Complete:  false,
+		OTPLength: otpLength,
+		OTP:       otp,
+	}
+	if generationConfig != nil {
+		status.Nonce = generationConfig.Nonce
+		status.Started = true
+		status.PGPFingerprint = generationConfig.PGPFingerprint
+	}
+
+	return status, 0, nil
+}
+
+// HandleSysGenerateRootAttemptPut initializes a new generate root attempt.
+// In the event of an error, we return both the error and the HTTP status code to
+// return that error with.
+func HandleSysGenerateRootAttemptPut(core *Core, strategy GenerateRootStrategy, req *GenerateRootInitRequest, grabLock bool) (string, int, error) {
+	var err error
+	var genned bool
+	otp := req.OTP
+
+	switch {
+	case len(req.PGPKey) > 0, len(req.OTP) > 0:
+	default:
+		genned = true
+		if core.DisableSSCTokens() {
+			otp, err = base62.Random(TokenLength + OldTokenPrefixLength)
+		} else {
+			otp, err = base62.Random(TokenLength + TokenPrefixLength)
+		}
+		if err != nil {
+			return "", http.StatusInternalServerError, err
+		}
+	}
+
+	// Initialize the generation
+	if err := core.GenerateRootInit(otp, req.PGPKey, strategy, grabLock); err != nil {
+		return "", http.StatusBadRequest, err
+	}
+
+	if genned {
+		return otp, 0, nil
+	}
+
+	return "", 0, nil
+}
+
+// HandleSysGenerateRootAttemptDelete cancels any in-progress generate root attempt.
+// In the event of an error, we return both the error and the HTTP status code to
+// return that error with.
+func HandleSysGenerateRootAttemptDelete(core *Core, grabLock bool) (int, error) {
+	err := core.GenerateRootCancel(grabLock)
+	if err != nil {
+		return http.StatusInternalServerError, err
+	}
+	return 0, nil
+}
+
+// HandleSysGenerateRootUpdate processes a key share for generate root.
+// In the event of an error, we return both the error and the HTTP status code to
+// return that error with.
+func HandleSysGenerateRootUpdate(ctx context.Context, core *Core, strategy GenerateRootStrategy, req *GenerateRootUpdateRequest, grabLock bool) (*GenerateRootStatusResponse, int, error) {
+	if req.Key == "" {
+		return nil, http.StatusBadRequest, fmt.Errorf("'key' must be specified in request body as JSON")
+	}
+
+	// Decode the key, which is base64 or hex encoded
+	min, max := core.BarrierKeyLength()
+	key, err := hex.DecodeString(req.Key)
+	// We check min and max here to ensure that a string that is base64
+	// encoded but also valid hex will not be valid and we instead base64
+	// decode it
+	if err != nil || len(key) < min || len(key) > max {
+		key, err = base64.StdEncoding.DecodeString(req.Key)
+		if err != nil {
+			return nil, http.StatusBadRequest, fmt.Errorf("'key' must be a valid hex or base64 string")
+		}
+	}
+
+	// Use the key to make progress on root generation
+	result, err := core.GenerateRootUpdate(ctx, key, req.Nonce, strategy, grabLock)
+	if err != nil {
+		return nil, http.StatusBadRequest, err
+	}
+
+	resp := &GenerateRootStatusResponse{
+		Complete:       result.Progress == result.Required,
+		Nonce:          req.Nonce,
+		Progress:       result.Progress,
+		Required:       result.Required,
+		Started:        true,
+		EncodedToken:   result.EncodedToken,
+		PGPFingerprint: result.PGPFingerprint,
+	}
+
+	if strategy == GenerateStandardRootTokenStrategy {
+		resp.EncodedRootToken = result.EncodedToken
+	}
+
+	return resp, 0, nil
+}
diff --git a/vault/generate_root_test.go b/vault/generate_root_test.go
index da1c75a1ba..bc15bbd156 100644
--- a/vault/generate_root_test.go
+++ b/vault/generate_root_test.go
@@ -20,12 +20,12 @@ func TestCore_GenerateRoot_Lifecycle(t *testing.T) {
 
 func testCore_GenerateRoot_Lifecycle_Common(t *testing.T, c *Core, keys [][]byte) {
 	// Verify update not allowed
-	if _, err := c.GenerateRootUpdate(namespace.RootContext(nil), keys[0], "", GenerateStandardRootTokenStrategy); err == nil {
+	if _, err := c.GenerateRootUpdate(namespace.RootContext(nil), keys[0], "", GenerateStandardRootTokenStrategy, true); err == nil {
 		t.Fatalf("no root generation in progress")
 	}
 
 	// Should be no progress
-	num, err := c.GenerateRootProgress()
+	num, err := c.GenerateRootProgress(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -34,7 +34,7 @@ func testCore_GenerateRoot_Lifecycle_Common(t *testing.T, c *Core, keys [][]byte
 	}
 
 	// Should be no config
-	conf, err := c.GenerateRootConfiguration()
+	conf, err := c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -43,7 +43,7 @@ func testCore_GenerateRoot_Lifecycle_Common(t *testing.T, c *Core, keys [][]byte
 	}
 
 	// Cancel should be idempotent
-	err = c.GenerateRootCancel()
+	err = c.GenerateRootCancel(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -54,25 +54,25 @@ func testCore_GenerateRoot_Lifecycle_Common(t *testing.T, c *Core, keys [][]byte
 	}
 
 	// Start a root generation
-	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy)
+	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Should get config
-	conf, err = c.GenerateRootConfiguration()
+	conf, err = c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Cancel should be clear
-	err = c.GenerateRootCancel()
+	err = c.GenerateRootCancel(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Should be no config
-	conf, err = c.GenerateRootConfiguration()
+	conf, err = c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -97,13 +97,13 @@ func testCore_GenerateRoot_Init_Common(t *testing.T, c *Core) {
 		t.Fatal(err)
 	}
 
-	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy)
+	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Second should fail
-	err = c.GenerateRootInit("", pgpkeys.TestPubKey1, GenerateStandardRootTokenStrategy)
+	err = c.GenerateRootInit("", pgpkeys.TestPubKey1, GenerateStandardRootTokenStrategy, true)
 	if err == nil {
 		t.Fatalf("should fail")
 	}
@@ -122,13 +122,13 @@ func testCore_GenerateRoot_InvalidMasterNonce_Common(t *testing.T, c *Core, keys
 		t.Fatal(err)
 	}
 
-	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy)
+	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Fetch new config with generated nonce
-	rgconf, err := c.GenerateRootConfiguration()
+	rgconf, err := c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -137,14 +137,14 @@ func testCore_GenerateRoot_InvalidMasterNonce_Common(t *testing.T, c *Core, keys
 	}
 
 	// Provide the nonce (invalid)
-	_, err = c.GenerateRootUpdate(namespace.RootContext(nil), keys[0], "abcd", GenerateStandardRootTokenStrategy)
+	_, err = c.GenerateRootUpdate(namespace.RootContext(nil), keys[0], "abcd", GenerateStandardRootTokenStrategy, true)
 	if err == nil {
 		t.Fatalf("expected error")
 	}
 
 	// Provide the master (invalid)
 	for _, key := range keys {
-		_, err = c.GenerateRootUpdate(namespace.RootContext(nil), key, rgconf.Nonce, GenerateStandardRootTokenStrategy)
+		_, err = c.GenerateRootUpdate(namespace.RootContext(nil), key, rgconf.Nonce, GenerateStandardRootTokenStrategy, true)
 	}
 	if err == nil {
 		t.Fatalf("expected error")
@@ -163,13 +163,13 @@ func testCore_GenerateRoot_Update_OTP_Common(t *testing.T, c *Core, keys [][]byt
 	}
 
 	// Start a root generation
-	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy)
+	err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy, true)
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	// Fetch new config with generated nonce
-	rkconf, err := c.GenerateRootConfiguration()
+	rkconf, err := c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -180,7 +180,7 @@ func testCore_GenerateRoot_Update_OTP_Common(t *testing.T, c *Core, keys [][]byt
 	// Provide the keys
 	var result *GenerateRootResult
 	for _, key := range keys {
-		result, err = c.GenerateRootUpdate(namespace.RootContext(nil), key, rkconf.Nonce, GenerateStandardRootTokenStrategy)
+		result, err = c.GenerateRootUpdate(namespace.RootContext(nil), key, rkconf.Nonce, GenerateStandardRootTokenStrategy, true)
 		if err != nil {
 			t.Fatalf("err: %v", err)
 		}
@@ -195,7 +195,7 @@ func testCore_GenerateRoot_Update_OTP_Common(t *testing.T, c *Core, keys [][]byt
 	encodedToken := result.EncodedToken
 
 	// Should be no progress
-	num, err := c.GenerateRootProgress()
+	num, err := c.GenerateRootProgress(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -204,7 +204,7 @@ func testCore_GenerateRoot_Update_OTP_Common(t *testing.T, c *Core, keys [][]byt
 	}
 
 	// Should be no config
-	conf, err := c.GenerateRootConfiguration()
+	conf, err := c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -245,13 +245,13 @@ func TestCore_GenerateRoot_Update_PGP(t *testing.T) {
 
 func testCore_GenerateRoot_Update_PGP_Common(t *testing.T, c *Core, keys [][]byte) {
 	// Start a root generation
-	err := c.GenerateRootInit("", pgpkeys.TestPubKey1, GenerateStandardRootTokenStrategy)
+	err := c.GenerateRootInit("", pgpkeys.TestPubKey1, GenerateStandardRootTokenStrategy, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Fetch new config with generated nonce
-	rkconf, err := c.GenerateRootConfiguration()
+	rkconf, err := c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -262,7 +262,7 @@ func testCore_GenerateRoot_Update_PGP_Common(t *testing.T, c *Core, keys [][]byt
 	// Provide the keys
 	var result *GenerateRootResult
 	for _, key := range keys {
-		result, err = c.GenerateRootUpdate(namespace.RootContext(nil), key, rkconf.Nonce, GenerateStandardRootTokenStrategy)
+		result, err = c.GenerateRootUpdate(namespace.RootContext(nil), key, rkconf.Nonce, GenerateStandardRootTokenStrategy, true)
 		if err != nil {
 			t.Fatalf("err: %v", err)
 		}
@@ -277,7 +277,7 @@ func testCore_GenerateRoot_Update_PGP_Common(t *testing.T, c *Core, keys [][]byt
 	encodedToken := result.EncodedToken
 
 	// Should be no progress
-	num, err := c.GenerateRootProgress()
+	num, err := c.GenerateRootProgress(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -286,7 +286,7 @@ func testCore_GenerateRoot_Update_PGP_Common(t *testing.T, c *Core, keys [][]byt
 	}
 
 	// Should be no config
-	conf, err := c.GenerateRootConfiguration()
+	conf, err := c.GenerateRootConfiguration(true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
diff --git a/vault/hcp_link/proto/go.mod b/vault/hcp_link/proto/go.mod
index 252e72193c..45190d248f 100644
--- a/vault/hcp_link/proto/go.mod
+++ b/vault/hcp_link/proto/go.mod
@@ -1,17 +1,15 @@
 module github.com/hashicorp/vault/vault/hcp_link/proto
 
-go 1.23.0
-
-toolchain go1.23.7
+go 1.25.0
 
 require (
-	google.golang.org/grpc v1.63.2
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/grpc v1.79.3
+	google.golang.org/protobuf v1.36.10
 )
 
 require (
-	golang.org/x/net v0.37.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 )
diff --git a/vault/hcp_link/proto/go.sum b/vault/hcp_link/proto/go.sum
index 1695d4747d..c01e2a1fc5 100644
--- a/vault/hcp_link/proto/go.sum
+++ b/vault/hcp_link/proto/go.sum
@@ -1,14 +1,38 @@
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY=
-google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
diff --git a/vault/identity_store.go b/vault/identity_store.go
index f8e6b00bf0..a87c9b4e30 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -6,6 +6,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"reflect"
 	"strings"
 	"time"
@@ -51,6 +52,9 @@ func (i *IdentityStore) GetDisableLowerCasedNames() bool {
 	return i.disableLowerCasedNames
 }
 
+// resetDB callers must hold the write lock on i.lock before calling, to ensure
+// that no other goroutine is reading from or writing to the database while it
+// gets reset.
 func (i *IdentityStore) resetDB() error {
 	var err error
 
@@ -64,22 +68,24 @@ func (i *IdentityStore) resetDB() error {
 
 func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendConfig, logger log.Logger) (*IdentityStore, error) {
 	iStore := &IdentityStore{
-		view:                   config.StorageView,
-		logger:                 logger,
-		router:                 core.router,
-		redirectAddr:           core.redirectAddr,
-		localNode:              core,
-		namespacer:             core,
-		metrics:                core.MetricSink(),
-		totpPersister:          core,
-		groupUpdater:           core,
-		tokenStorer:            core,
-		entityCreator:          core,
-		mountLister:            core,
-		mfaBackend:             core.loginMFABackend,
-		aliasLocks:             locksutil.CreateLocks(),
-		renameDuplicates:       core.FeatureActivationFlags,
-		activationErrorHandler: core,
+		view:                            config.StorageView,
+		logger:                          logger,
+		router:                          core.router,
+		redirectAddr:                    core.redirectAddr,
+		localNode:                       core,
+		namespacer:                      core,
+		metrics:                         core.MetricSink(),
+		totpPersister:                   core,
+		groupUpdater:                    core,
+		tokenStorer:                     core,
+		entityCreator:                   core,
+		mountLister:                     core,
+		syntheticAliasAccessorValidator: core,
+		billingCounter:                  core,
+		mfaBackend:                      core.loginMFABackend,
+		aliasLocks:                      locksutil.CreateLocks(),
+		activationManager:               core.FeatureActivationFlags,
+		activationErrorHandler:          core,
 	}
 
 	// Create a memdb instance, which by default, operates on lower cased
@@ -128,6 +134,11 @@ func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendCo
 		InitializeFunc: iStore.initialize,
 		ActivationFunc: iStore.activate,
 		PathsSpecial: &logical.Paths{
+			// Root paths require the token have sudo capability.
+			Root: []string{
+				// Entity merge is destructive and can operate on every entity, so requires a higher privilege as a result
+				"entity/merge*",
+			},
 			Unauthenticated: unauthenticatedPaths,
 			LocalStorage: []string{
 				localAliasesBucketsPrefix,
@@ -207,6 +218,23 @@ func mfaCommonPaths(i *IdentityStore) []*framework.Path {
 				logical.ListOperation: &framework.PathOperation{
 					Callback: i.handleMFAMethodListGlobal,
 					Summary:  "List MFA method configurations for all MFA methods",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeStringSlice,
+									Description: `A list of mfa method configurations keys`,
+									Required:    true,
+								},
+								"key_info": {
+									Type:        framework.TypeMap,
+									Description: `MFA method configurations details keyed by the id`,
+									Required:    false,
+								},
+							},
+						}},
+					},
 				},
 			},
 		},
@@ -590,6 +618,23 @@ func mfaLoginEnforcementPaths(i *IdentityStore) []*framework.Path {
 				logical.ListOperation: &framework.PathOperation{
 					Callback: i.handleMFALoginEnforcementList,
 					Summary:  "List login enforcements",
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeStringSlice,
+									Description: `A list of login enforcement keys`,
+									Required:    true,
+								},
+								"key_info": {
+									Type:        framework.TypeMap,
+									Description: `Login enforcement details keyed by the id`,
+									Required:    false,
+								},
+							},
+						}},
+					},
 				},
 			},
 		},
@@ -1296,6 +1341,51 @@ func (i *IdentityStore) entityByAliasFactorsInTxn(txn *memdb.Txn, mountAccessor,
 	return i.MemDBEntityByAliasIDInTxn(txn, alias.ID, clone)
 }
 
+// entityByAliasFactorsIf fetches and clones an entity by alias factors only when
+// shouldReturn evaluates to true for the matching alias.
+func (i *IdentityStore) entityByAliasFactorsIf(mountAccessor, aliasName string, shouldReturn func(*identity.Alias) bool) (*identity.Entity, error) {
+	if mountAccessor == "" {
+		return nil, fmt.Errorf("missing mount accessor")
+	}
+
+	if aliasName == "" {
+		return nil, fmt.Errorf("missing alias name")
+	}
+
+	txn := i.db.Txn(false)
+
+	return i.entityByAliasFactorsInTxnIf(txn, mountAccessor, aliasName, shouldReturn)
+}
+
+// entityByAliasFactorsInTxnIf fetches and clones an entity by alias factors only
+// when shouldReturn evaluates to true for the matching alias.
+func (i *IdentityStore) entityByAliasFactorsInTxnIf(txn *memdb.Txn, mountAccessor, aliasName string, shouldReturn func(*identity.Alias) bool) (*identity.Entity, error) {
+	var entity *identity.Entity
+
+	if txn == nil {
+		return nil, fmt.Errorf("nil txn")
+	}
+
+	if mountAccessor == "" {
+		return nil, fmt.Errorf("missing mount accessor")
+	}
+
+	if aliasName == "" {
+		return nil, fmt.Errorf("missing alias name")
+	}
+
+	alias, err := i.MemDBAliasByFactorsInTxn(txn, mountAccessor, aliasName, false, false)
+	if err != nil {
+		return nil, err
+	}
+
+	if alias == nil {
+		return entity, nil
+	}
+
+	return i.MemDBEntityByAliasIDInTxnClonePredicate(txn, alias.ID, shouldReturn)
+}
+
 // CreateEntity creates a new entity.
 func (i *IdentityStore) CreateEntity(ctx context.Context) (*identity.Entity, error) {
 	defer metrics.MeasureSince([]string{"identity", "create_entity"}, time.Now())
@@ -1354,21 +1444,15 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 		return nil, false, fmt.Errorf("mount accessor %q is not a mount of type %q", alias.MountAccessor, alias.MountType)
 	}
 
-	// Check if an entity already exists for the given alias.
-	// We don't clone here to avoid unnecessary allocations - if we need to
-	// return early, we'll clone at that point.
-	entity, err = i.entityByAliasFactors(alias.MountAccessor, alias.Name, false)
+	// Fast path: only clone and return the entity when alias metadata is unchanged.
+	entity, err = i.entityByAliasFactorsIf(alias.MountAccessor, alias.Name, func(existingAlias *identity.Alias) bool {
+		return strutil.EqualStringMaps(existingAlias.Metadata, alias.Metadata)
+	})
 	if err != nil {
 		return nil, false, err
 	}
-	if entity != nil && changedAliasIndex(entity, alias) == -1 {
-		// Entity exists and no metadata changes - clone before returning
-		// to avoid exposing internal MemDB state to callers.
-		clonedEntity, err := entity.Clone()
-		if err != nil {
-			return nil, false, err
-		}
-		return clonedEntity, false, nil
+	if entity != nil {
+		return entity, false, nil
 	}
 
 	i.lock.Lock()
diff --git a/vault/identity_store_aliases.go b/vault/identity_store_aliases.go
index 4bce45ac50..f47c54151c 100644
--- a/vault/identity_store_aliases.go
+++ b/vault/identity_store_aliases.go
@@ -5,6 +5,7 @@ package vault
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -20,6 +21,10 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
+// ErrNoAliasFound is returned in some code paths to avoid returning nil, nil when an entity
+// is not found in memdb, and should be preferred in new code.
+var ErrNoAliasFound = errors.New("no alias found")
+
 // aliasPaths returns the API endpoints to operate on aliases.
 // Following are the paths supported:
 // entity-alias - To register/modify an alias
@@ -78,6 +83,14 @@ This field is deprecated, use canonical_id.`,
 					Type:        framework.TypeKVPairs,
 					Description: "User provided key-value pairs",
 				},
+				"external_id": {
+					Type:        framework.TypeString,
+					Description: "Unique external identifier from external IdP.",
+				},
+				"issuer": {
+					Type:        framework.TypeString,
+					Description: "Issuer name associated with this alias.",
+				},
 			},
 
 			Operations: map[logical.Operation]framework.OperationHandler{
@@ -123,6 +136,42 @@ This field is deprecated, use canonical_id.`,
 	}
 }
 
+// validateAliasMountAccessor validates mount_accessor values for entity aliases.
+//
+// It accepts either a real mounted backend accessor or a supported synthetic
+// accessor validated by the synthetic alias accessor validator extension point.
+//
+// For mounted backend accessors, this returns the matched mount entry. For
+// synthetic accessors, this returns a minimal entry carrying namespace/local
+// semantics used by alias create/update checks.
+func (i *IdentityStore) validateAliasMountAccessor(ctx context.Context, mountAccessor string) (*MountEntry, error) {
+	if mountAccessor == "" {
+		return nil, fmt.Errorf("invalid mount accessor %q", mountAccessor)
+	}
+	if mountEntry := i.router.MatchingMountByAccessor(mountAccessor); mountEntry != nil {
+		return mountEntry, nil
+	}
+
+	if i.syntheticAliasAccessorValidator == nil {
+		i.logger.Error("synthetic alias accessor validator is not configured", "mount_accessor", mountAccessor)
+		return nil, fmt.Errorf("failed to validate mount accessor %q due to internal configuration error", mountAccessor)
+	}
+
+	valid, err := i.syntheticAliasAccessorValidator.validateSyntheticAliasAccessor(ctx, mountAccessor)
+	if err != nil {
+		return nil, err
+	}
+	if !valid {
+		return nil, fmt.Errorf("invalid mount accessor %q", mountAccessor)
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &MountEntry{NamespaceID: ns.ID}, nil
+}
+
 func aliasFieldSchema() map[string]*framework.FieldSchema {
 	return map[string]*framework.FieldSchema{
 		"id": {
@@ -151,6 +200,14 @@ This field is deprecated, use canonical_id.`,
 			Type:        framework.TypeKVPairs,
 			Description: "User provided key-value pairs",
 		},
+		"external_id": {
+			Type:        framework.TypeString,
+			Description: "Unique external identifier from external IdP.",
+		},
+		"issuer": {
+			Type:        framework.TypeString,
+			Description: "Issuer name associated with this alias.",
+		},
 	}
 }
 
@@ -194,6 +251,12 @@ func (i *IdentityStore) handleAliasCreateUpdate() framework.OperationFunc {
 			}
 		}
 
+		// Get external_id if provided
+		externalID := d.Get("external_id").(string)
+
+		// Get issuer if provided
+		issuer := d.Get("issuer").(string)
+
 		i.lock.Lock()
 		defer i.lock.Unlock()
 
@@ -215,6 +278,16 @@ func (i *IdentityStore) handleAliasCreateUpdate() framework.OperationFunc {
 				if !customMetadataExists {
 					customMetadata = alias.CustomMetadata
 				}
+				if issuer != "" {
+					if alias.Issuer != issuer {
+						return logical.ErrorResponse("changes to issuer after alias creation are prohibited"), nil
+					}
+				}
+				if externalID != "" {
+					if alias.ExternalID != externalID {
+						return logical.ErrorResponse("changes to external_id after alias creation are prohibited"), nil
+					}
+				}
 				switch {
 				case mountAccessor == "" && name == "":
 					// Check if the canonicalID or the customMetadata are being
@@ -225,6 +298,10 @@ func (i *IdentityStore) handleAliasCreateUpdate() framework.OperationFunc {
 					}
 					name = alias.Name
 					mountAccessor = alias.MountAccessor
+					// Issuer can't be modified after initial creation
+					issuer = alias.Issuer
+					// ExternalID can't be modified after initial creation
+					externalID = alias.ExternalID
 				case mountAccessor == "":
 					// No change to mount accessor
 					mountAccessor = alias.MountAccessor
@@ -234,51 +311,74 @@ func (i *IdentityStore) handleAliasCreateUpdate() framework.OperationFunc {
 				default:
 					// mountAccessor, name and customMetadata  provided
 				}
-				return i.handleAliasUpdate(ctx, canonicalID, name, mountAccessor, alias, customMetadata)
+				return i.handleAliasUpdate(ctx, canonicalID, name, mountAccessor, externalID, issuer, alias, customMetadata)
 			}
 		}
 
+		// If they didn't provide an ID or Mount Accessor, but provided an issuer, validate that the issuer has been
+		// registered. Return error if issuer has not been registered.
+		if mountAccessor == "" && issuer != "" {
+			// Generate synthetic Mount Accessor
+			syntheticAccessor, err := i.syntheticAliasAccessorValidator.generateSyntheticAliasAccessor(ctx, issuer)
+			if err != nil {
+				return logical.ErrorResponse(err.Error()), nil
+			}
+			mountAccessor = syntheticAccessor
+		}
+
 		// If they didn't provide an ID, we must have both accessor and name provided
 		if mountAccessor == "" || name == "" {
 			return logical.ErrorResponse("'id' or 'mount_accessor' and 'name' must be provided"), nil
 		}
 
-		mountEntry := i.router.MatchingMountByAccessor(mountAccessor)
-		if mountEntry == nil {
-			return logical.ErrorResponse(fmt.Sprintf("invalid mount accessor %q", mountAccessor)), nil
+		mountEntry, err := i.validateAliasMountAccessor(ctx, mountAccessor)
+		if err != nil {
+			return logical.ErrorResponse(err.Error()), nil
 		}
-		if mountEntry.NamespaceID != ns.ID {
+		if mountEntry != nil && mountEntry.NamespaceID != ns.ID {
 			return logical.ErrorResponse("matching mount is in a different namespace than request"), logical.ErrPermissionDenied
 		}
 
-		localMount := mountEntry.Local
+		localMount := mountEntry != nil && mountEntry.Local
 
 		// Look up the alias by factors; if it's found it's an update
-		return i.handleAliasCreateUpdateCommon(ctx, ns, mountAccessor, name, canonicalID, customMetadata, localMount, "")
+		return i.handleAliasCreateUpdateCommon(ctx, ns, mountAccessor, name, canonicalID, externalID, issuer, customMetadata, localMount, "")
 	}
 }
 
-func (i *IdentityStore) handleAliasCreateUpdateCommon(ctx context.Context, ns *namespace.Namespace, mountAccessor string, name string, canonicalID string, customMetadata map[string]string, localMount bool, scimClientID string) (*logical.Response, error) {
+func (i *IdentityStore) handleAliasCreateUpdateCommon(ctx context.Context, ns *namespace.Namespace, mountAccessor string, name string, canonicalID string, externalID string, issuer string, customMetadata map[string]string, localMount bool, scimClientID string) (*logical.Response, error) {
 	alias, err := i.MemDBAliasByFactors(mountAccessor, name, true, false)
 	if err != nil {
 		return nil, err
 	}
+
 	if alias != nil {
 		if alias.NamespaceID != ns.ID {
 			return logical.ErrorResponse("cannot modify aliases across namespaces"), logical.ErrPermissionDenied
 		}
-		return i.handleAliasUpdate(ctx, canonicalID, name, mountAccessor, alias, customMetadata)
+		return i.handleAliasUpdate(ctx, canonicalID, name, mountAccessor, externalID, issuer, alias, customMetadata)
 	}
 	// At this point we know it's a new creation request
-	return i.handleAliasCreate(ctx, canonicalID, name, mountAccessor, localMount, customMetadata, scimClientID)
+	return i.handleAliasCreate(ctx, canonicalID, name, mountAccessor, externalID, issuer, localMount, customMetadata, scimClientID)
 }
 
-func (i *IdentityStore) handleAliasCreate(ctx context.Context, canonicalID, name, mountAccessor string, local bool, customMetadata map[string]string, scimClientID string) (*logical.Response, error) {
+// doesAliasHaveExternalIdIssuerMountAccessor returns true if the given alias has
+// the given externalId, issuer,and mount accessor, and they are not empty
+func (i *IdentityStore) doesAliasHaveExternalIdIssuerMountAccessor(alias *identity.Alias, externalId, issuer, mountAccessor string) bool {
+	aliasHasExternalIdAndIssuer := alias.ExternalID != "" && alias.Issuer != ""
+	mountAccessorExternalIdAndIssuerMatch := alias.MountAccessor == mountAccessor && alias.ExternalID == externalId && alias.Issuer == issuer
+	return aliasHasExternalIdAndIssuer && mountAccessorExternalIdAndIssuerMatch
+}
+
+func (i *IdentityStore) handleAliasCreate(ctx context.Context, canonicalID, name, mountAccessor, externalID, issuer string, local bool, customMetadata map[string]string, scimClientID string) (*logical.Response, error) {
 	ns, err := namespace.FromContext(ctx)
 	if err != nil {
 		return nil, err
 	}
 
+	if err := i.scimResourceCheck(ctx, &identity.Alias{ScimClientID: scimClientID}, "", true, nil); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrPermissionDenied
+	}
 	var entity *identity.Entity
 	if canonicalID != "" {
 		entity, err = i.MemDBEntityByID(canonicalID, true)
@@ -293,6 +393,17 @@ func (i *IdentityStore) handleAliasCreate(ctx context.Context, canonicalID, name
 		}
 	}
 
+	// Validate that an alias doesn't already exist with passed in issuer and external_id
+	if issuer != "" && externalID != "" {
+		existingAlias, err := i.MemDBAliasByIssuerAndExternalId(issuer, externalID, ns.ID, false)
+		if err != nil && !errors.Is(err, ErrNoAliasFound) {
+			return nil, err
+		}
+		if existingAlias != nil {
+			return logical.ErrorResponse("alias already exists for issuer and external_id in this namespace"), nil
+		}
+	}
+
 	if entity == nil && local {
 		// Check to see if the entity creation should be forwarded.
 		entity, err = i.entityCreator.CreateEntity(ctx)
@@ -314,12 +425,17 @@ func (i *IdentityStore) handleAliasCreate(ctx context.Context, canonicalID, name
 	}
 
 	for _, currentAlias := range entity.Aliases {
+		if i.doesAliasHaveExternalIdIssuerMountAccessor(currentAlias, externalID, issuer, mountAccessor) {
+			return logical.ErrorResponse("alias already exists for requested entity, external ID, and issuer"), nil
+		}
+
 		if currentAlias.MountAccessor == mountAccessor {
-			return logical.ErrorResponse("Alias already exists for requested entity and mount accessor"), nil
+			return logical.ErrorResponse("alias already exists for requested entity and mount accessor"), nil
 		}
 	}
 
 	var alias *identity.Alias
+
 	switch local {
 	case true:
 		alias, err = i.processLocalAlias(ctx, &logical.Alias{
@@ -327,6 +443,8 @@ func (i *IdentityStore) handleAliasCreate(ctx context.Context, canonicalID, name
 			Name:           name,
 			Local:          local,
 			CustomMetadata: customMetadata,
+			Issuer:         issuer,
+			ExternalID:     externalID,
 		}, entity, false)
 		if err != nil {
 			return nil, err
@@ -338,6 +456,8 @@ func (i *IdentityStore) handleAliasCreate(ctx context.Context, canonicalID, name
 			CustomMetadata: customMetadata,
 			CanonicalID:    entity.ID,
 			ScimClientID:   scimClientID,
+			Issuer:         issuer,
+			ExternalID:     externalID,
 		}
 		err = i.sanitizeAlias(ctx, alias)
 		if err != nil {
@@ -362,14 +482,37 @@ func (i *IdentityStore) handleAliasCreate(ctx context.Context, canonicalID, name
 	}, nil
 }
 
-func (i *IdentityStore) handleAliasUpdate(ctx context.Context, canonicalID, name, mountAccessor string, alias *identity.Alias, customMetadata map[string]string) (*logical.Response, error) {
+func (i *IdentityStore) handleAliasUpdate(ctx context.Context, canonicalID, name, mountAccessor, externalID, issuer string, alias *identity.Alias, customMetadata map[string]string) (*logical.Response, error) {
+	// Fast return if nothing to be updated
 	if name == alias.Name &&
 		mountAccessor == alias.MountAccessor &&
-		(canonicalID == alias.CanonicalID || canonicalID == "") && (strutil.EqualStringMaps(customMetadata, alias.CustomMetadata)) {
+		(canonicalID == alias.CanonicalID || canonicalID == "") &&
+		(strutil.EqualStringMaps(customMetadata, alias.CustomMetadata)) &&
+		(externalID == alias.ExternalID) &&
+		(issuer == alias.Issuer) {
 		// Nothing to do; return nil to be idempotent
 		return nil, nil
 	}
 
+	// Build the list of fields being modified by this request.
+	var modifiedFields []string
+	if name != alias.Name {
+		modifiedFields = append(modifiedFields, "name")
+	}
+	if mountAccessor != alias.MountAccessor {
+		modifiedFields = append(modifiedFields, "mount_accessor")
+	}
+	if canonicalID != "" && canonicalID != alias.CanonicalID {
+		modifiedFields = append(modifiedFields, "canonical_id")
+	}
+	if !strutil.EqualStringMaps(customMetadata, alias.CustomMetadata) {
+		modifiedFields = append(modifiedFields, "custom_metadata")
+	}
+
+	// Check that only non-SCIM-managed fields are being modified via the API.
+	if err := i.scimResourceCheck(ctx, alias, alias.ScimClientID, false, modifiedFields); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrPermissionDenied
+	}
 	alias.LastUpdateTime = timestamppb.Now()
 
 	// Get our current entity, which may be the same as the new one if the
@@ -391,20 +534,21 @@ func (i *IdentityStore) handleAliasUpdate(ctx context.Context, canonicalID, name
 	if mountAccessor != alias.MountAccessor && (canonicalID == "" || canonicalID == alias.CanonicalID) {
 		for _, currentAlias := range currentEntity.Aliases {
 			if currentAlias.MountAccessor == mountAccessor {
-				return logical.ErrorResponse("Alias cannot be updated as the entity already has an alias for the given 'mount_accessor' "), nil
+				return logical.ErrorResponse("alias cannot be updated as the entity already has an alias for the given 'mount_accessor' "), nil
 			}
 		}
 	}
-	// If we're changing one or the other or both of these, make sure that
-	// there isn't a matching alias already, and make sure it's in the same
-	// namespace.
-	if name != alias.Name || mountAccessor != alias.MountAccessor || !strutil.EqualStringMaps(customMetadata, alias.CustomMetadata) {
+	// If we're changing these, make sure that there isn't a matching alias already,
+	// and make sure it's in the same namespace.
+	if name != alias.Name || mountAccessor != alias.MountAccessor ||
+		!strutil.EqualStringMaps(customMetadata, alias.CustomMetadata) ||
+		issuer != alias.Issuer || externalID != alias.ExternalID {
 		// Check here to see if such an alias already exists, if so bail
-		mountEntry := i.router.MatchingMountByAccessor(mountAccessor)
-		if mountEntry == nil {
-			return logical.ErrorResponse(fmt.Sprintf("invalid mount accessor %q", mountAccessor)), nil
+		mountEntry, err := i.validateAliasMountAccessor(ctx, mountAccessor)
+		if err != nil {
+			return logical.ErrorResponse(err.Error()), nil
 		}
-		if mountEntry.NamespaceID != alias.NamespaceID {
+		if mountEntry != nil && mountEntry.NamespaceID != alias.NamespaceID {
 			return logical.ErrorResponse("given mount accessor is not in the same namespace as the existing alias"), logical.ErrPermissionDenied
 		}
 
@@ -418,21 +562,37 @@ func (i *IdentityStore) handleAliasUpdate(ctx context.Context, canonicalID, name
 			return logical.ErrorResponse("alias with combination of mount accessor and name already exists"), nil
 		}
 
+		if existingAlias != nil {
+			// Bail if issuer and/or external_id are provided and differ.
+			// These fields are not to be changed after alias creation.
+			if issuer != "" {
+				if existingAlias.Issuer != issuer {
+					return logical.ErrorResponse("changes to issuer after alias creation are prohibited"), nil
+				}
+			}
+			if externalID != "" {
+				if existingAlias.ExternalID != externalID {
+					return logical.ErrorResponse("changes to external_id after alias creation are prohibited"), nil
+				}
+			}
+		}
+
 		// Update the values in the alias
 		alias.Name = name
 		alias.MountAccessor = mountAccessor
 		alias.CustomMetadata = customMetadata
 	}
 
-	mountValidationResp := i.router.ValidateMountByAccessor(alias.MountAccessor)
-	if mountValidationResp == nil {
-		return nil, fmt.Errorf("invalid mount accessor %q", alias.MountAccessor)
+	mountEntry, err := i.validateAliasMountAccessor(ctx, alias.MountAccessor)
+	if err != nil {
+		return nil, err
 	}
+	mountIsLocal := mountEntry != nil && mountEntry.Local
 
 	newEntity := currentEntity
 	if canonicalID != "" && canonicalID != alias.CanonicalID {
 		// Don't allow moving local aliases between entities.
-		if mountValidationResp.MountLocal {
+		if mountIsLocal {
 			return logical.ErrorResponse("local aliases can't be moved between entities"), nil
 		}
 
@@ -450,7 +610,7 @@ func (i *IdentityStore) handleAliasUpdate(ctx context.Context, canonicalID, name
 		// Check if the entity the alias is being updated to, already has an alias for the mount
 		for _, alias := range newEntity.Aliases {
 			if alias.MountAccessor == mountAccessor {
-				return logical.ErrorResponse("Alias cannot be updated as the given entity already has an alias for this mount "), nil
+				return logical.ErrorResponse("alias cannot be updated as the given entity already has an alias for this mount "), nil
 			}
 		}
 
@@ -478,12 +638,14 @@ func (i *IdentityStore) handleAliasUpdate(ctx context.Context, canonicalID, name
 		currentEntity = nil
 	}
 
-	if mountValidationResp.MountLocal {
+	if mountIsLocal {
 		alias, err = i.processLocalAlias(ctx, &logical.Alias{
 			MountAccessor:  mountAccessor,
 			Name:           name,
-			Local:          mountValidationResp.MountLocal,
+			Local:          mountIsLocal,
 			CustomMetadata: customMetadata,
+			Issuer:         issuer,
+			ExternalID:     externalID,
 		}, newEntity, true)
 		if err != nil {
 			return nil, err
@@ -555,6 +717,12 @@ func (i *IdentityStore) handleAliasReadCommon(ctx context.Context, alias *identi
 	respData["merged_from_canonical_ids"] = alias.MergedFromCanonicalIDs
 	respData["namespace_id"] = alias.NamespaceID
 	respData["local"] = alias.Local
+	respData["issuer"] = alias.Issuer
+	respData["external_id"] = alias.ExternalID
+
+	if i.scimEnabled {
+		respData["scim_client_id"] = alias.ScimClientID
+	}
 
 	if mountValidationResp := i.router.ValidateMountByAccessor(alias.MountAccessor); mountValidationResp != nil {
 		respData["mount_path"] = mountValidationResp.MountPath
@@ -604,6 +772,11 @@ func (i *IdentityStore) pathAliasIDDelete() framework.OperationFunc {
 			return logical.ErrorResponse("request and alias are in different namespaces"), logical.ErrPermissionDenied
 		}
 
+		scimClientID := scimClientIDFromContext(ctx)
+		if alias.ScimClientID != scimClientID {
+			return logical.ErrorResponse("SCIM-managed resources must be modified through SCIM"), logical.ErrPermissionDenied
+		}
+
 		// Fetch the associated entity
 		entity, err := i.MemDBEntityByAliasIDInTxn(txn, alias.ID, true)
 		if err != nil {
diff --git a/vault/identity_store_aliases_stubs_oss.go b/vault/identity_store_aliases_stubs_oss.go
new file mode 100644
index 0000000000..122bef6485
--- /dev/null
+++ b/vault/identity_store_aliases_stubs_oss.go
@@ -0,0 +1,16 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import "context"
+
+func (c *Core) validateSyntheticAliasAccessor(context.Context, string) (bool, error) {
+	return false, nil
+}
+
+func (c *Core) generateSyntheticAliasAccessor(context.Context, string) (string, error) {
+	return "", nil
+}
diff --git a/vault/identity_store_conflicts.go b/vault/identity_store_conflicts.go
index 4541476aba..c0a593d59d 100644
--- a/vault/identity_store_conflicts.go
+++ b/vault/identity_store_conflicts.go
@@ -17,6 +17,8 @@ import (
 
 var errDuplicateIdentityName = errors.New("duplicate identity name")
 
+const duplicateCanonicalIDMetadataKey = "duplicate_of_canonical_id"
+
 // ConflictResolver defines the interface for resolving conflicts between
 // entities, groups, and aliases. All methods should implement a check for
 // existing=nil. This is an intentional design choice to allow the caller to
@@ -419,7 +421,7 @@ func (r *renameResolver) ResolveEntities(ctx context.Context, existing, duplicat
 	if duplicate.Metadata == nil {
 		duplicate.Metadata = make(map[string]string)
 	}
-	duplicate.Metadata["duplicate_of_canonical_id"] = existing.ID
+	duplicate.Metadata[duplicateCanonicalIDMetadataKey] = existing.ID
 
 	r.logger.Warn("renaming entity with duplicate name",
 		"namespace_id", duplicate.NamespaceID,
@@ -453,7 +455,7 @@ func (r *renameResolver) ResolveGroups(ctx context.Context, existing, duplicate
 	if duplicate.Metadata == nil {
 		duplicate.Metadata = make(map[string]string)
 	}
-	duplicate.Metadata["duplicate_of_canonical_id"] = existing.ID
+	duplicate.Metadata[duplicateCanonicalIDMetadataKey] = existing.ID
 	r.logger.Warn("renaming group with duplicate name",
 		"namespace_id", duplicate.NamespaceID,
 		"group_id", duplicate.ID,
diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go
index b95e909c7f..0df5c0ce75 100644
--- a/vault/identity_store_entities.go
+++ b/vault/identity_store_entities.go
@@ -4,12 +4,17 @@
 package vault
 
 import (
+	"cmp"
 	"context"
 	"errors"
 	"fmt"
+	"maps"
+	"net/http"
+	"slices"
 	"strings"
 
 	"github.com/golang/protobuf/ptypes"
+	hclog "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
@@ -19,6 +24,7 @@ import (
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func entityPathFields() map[string]*framework.FieldSchema {
@@ -203,6 +209,23 @@ func entityPaths(i *IdentityStore) []*framework.Path {
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.ListOperation: &framework.PathOperation{
 					Callback: i.pathEntityIDList(),
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeStringSlice,
+									Description: `A list of  entity ids`,
+									Required:    true,
+								},
+								"key_info": {
+									Type:        framework.TypeMap,
+									Description: `Entity details keyed by the entity id`,
+									Required:    false,
+								},
+							},
+						}},
+					},
 				},
 			},
 
@@ -393,6 +416,10 @@ func (i *IdentityStore) handleEntityReadCommon(ctx context.Context, entity *iden
 		aliasMap["local"] = alias.Local
 		aliasMap["custom_metadata"] = alias.CustomMetadata
 
+		if i.scimEnabled {
+			aliasMap["scim_client_id"] = alias.ScimClientID
+		}
+
 		if mountValidationResp := i.router.ValidateMountByAccessor(alias.MountAccessor); mountValidationResp != nil {
 			aliasMap["mount_type"] = mountValidationResp.MountType
 			aliasMap["mount_path"] = mountValidationResp.MountPath
@@ -405,6 +432,10 @@ func (i *IdentityStore) handleEntityReadCommon(ctx context.Context, entity *iden
 	// formats
 	respData["aliases"] = aliasesToReturn
 
+	if i.scimEnabled {
+		respData["scim_client_id"] = entity.ScimClientID
+	}
+
 	addExtraEntityDataToResponse(entity, respData)
 
 	// Fetch the groups this entity belongs to and return their identifiers
@@ -597,7 +628,10 @@ func (i *IdentityStore) handleEntityDeleteCommon(ctx context.Context, txn *memdb
 	if entity.NamespaceID != ns.ID {
 		return nil
 	}
-
+	scimClientID := scimClientIDFromContext(ctx)
+	if entity.ScimClientID != scimClientID {
+		return errors.New("SCIM-managed resources must be modified through SCIM")
+	}
 	// Remove entity ID as a member from all the groups it belongs, both
 	// internal and external
 	groups, err := i.MemDBGroupsByMemberEntityIDInTxn(txn, entity.ID, true, false)
@@ -1085,6 +1119,347 @@ func (i *IdentityStore) mergeEntity(ctx context.Context, txn *memdb.Txn, toEntit
 	return nil, nil, nil
 }
 
+// entityIntegrityCheck is the result of running checkEntityIntegrity() on an
+// entity.
+type entityIntegrityCheck struct {
+	// The entity that check refers to
+	entity *identity.Entity
+	// The entity has nil aliases
+	hasNilAliases bool
+	// The entity has dangling aliases
+	danglingAliases []*identity.Alias
+	// The entity has duplicate aliases by ID. This is _not_ the same as same-case
+	// duplicates.
+	duplicateAliases map[string][]*identity.Alias
+}
+
+// checkEntityIntegrity inspects the internal state of the entity and any
+// associated aliases. It returns an entityIntegrityCheck which includes details
+// about any issues that may have been discovered. An error is return if any
+// integrity errors are discovered.
+//
+// NOTE: We currently only check the integrity of the aliases associated with
+// the entity itself.
+func checkEntityIntegrity(entity *identity.Entity) (*entityIntegrityCheck, error) {
+	if entity == nil {
+		return nil, errors.New("no entity provided")
+	}
+
+	results := &entityIntegrityCheck{
+		entity:          entity,
+		hasNilAliases:   false,
+		danglingAliases: []*identity.Alias{},
+	}
+
+	hasDuplicateAliases := false
+	hasDanglingAliases := false
+	seenAliases := map[string][]*identity.Alias{}
+
+	for alias := range slices.Values(entity.Aliases) {
+		if alias == nil {
+			results.hasNilAliases = true
+			continue
+		}
+
+		if alias.CanonicalID != entity.ID {
+			hasDanglingAliases = true
+			results.danglingAliases = append(results.danglingAliases, alias)
+		}
+
+		if seenAliases[alias.ID] != nil {
+			hasDuplicateAliases = true
+			seenAliases[alias.ID] = append(seenAliases[alias.ID], alias)
+		} else {
+			seenAliases[alias.ID] = []*identity.Alias{alias}
+		}
+	}
+
+	if hasDuplicateAliases {
+		// Delete any seen aliases that don't have duplicates instances
+		maps.DeleteFunc(seenAliases, func(k string, v []*identity.Alias) bool {
+			return len(v) < 2
+		})
+		results.duplicateAliases = seenAliases
+	}
+
+	if results.hasNilAliases || hasDanglingAliases || hasDuplicateAliases {
+		return results, errors.New("failed entity integrity check")
+	}
+
+	return results, nil
+}
+
+// repairEntityIntegrity attempts to repair any errors encountered when the
+// entityIntegrityCheck was created. The entityIntegrityCheck must have a
+// reference to an entity.
+func (i *entityIntegrityCheck) repair(log hclog.Logger) error {
+	if i == nil {
+		return errors.New("entity integrity check is uninitialized")
+	}
+
+	if i.entity == nil {
+		return errors.New("no entity provided")
+	}
+
+	// Remove any nil aliases
+	if i.hasNilAliases {
+		i.entity.Aliases = slices.DeleteFunc(i.entity.Aliases, func(alias *identity.Alias) bool {
+			return alias == nil
+		})
+	}
+
+	// Delete duplicate instances of the same alias. We do this to ensure that
+	// only the most recently updated instances of the alias win.
+	for duplicateInstances := range maps.Values(i.duplicateAliases) {
+		if err := i.deleteDuplicateAliasInstances(log, duplicateInstances); err != nil {
+			return fmt.Errorf("deleting duplicate identity alias instances: %w", err)
+		}
+	}
+
+	// Now associate any dangling aliases that we might have. As associating and
+	// and resolving duplicate updates our modified time we always do this after
+	// deleting duplicates instances as that may use the unaltered modified time
+	// in determining which instance wins.
+	//
+	// Our list of danglingAliases is not guaranteed to reflect the current state
+	// of our entity, as we may have duplicate alias instances which are also
+	// dangling. We only need to resolve those which are still in our updated
+	// entity list.
+	for dangling := range slices.Values(i.danglingAliases) {
+		if !slices.Contains(i.entity.Aliases, dangling) {
+			continue
+		}
+		if err := i.resolveAndAssociateDanglingEntityAlias(log, dangling); err != nil {
+			return fmt.Errorf("resolving and associating dangling identity alias: %w", err)
+		}
+	}
+
+	slices.SortFunc(i.entity.Aliases, func(a, b *identity.Alias) int {
+		return cmp.Compare(a.GetID(), b.GetID())
+	})
+
+	return nil
+}
+
+// deleteDuplicateAliasInstances deletes duplicate alias instances where the
+// more than one instance of an alias (Same ID) has somehow been persisted into
+// storage. The most-recently updated alias will win. Given a tie the first
+// found wins.
+func (i *entityIntegrityCheck) deleteDuplicateAliasInstances(log hclog.Logger, aliases []*identity.Alias) error {
+	switch {
+	case i == nil:
+		return errors.New("entity integrity check unitialized")
+	case aliases == nil:
+		return errors.New("no reference to aliases was given")
+	case len(aliases) < 2:
+		return errors.New("no duplicates were detected")
+	case i.entity == nil:
+		return errors.New("entity integrity check is not associated with an entity")
+	}
+
+	// Do a sanity check that all aliases have the same ID before we go and delete
+	// things.
+	id := aliases[0].ID
+	for a := range slices.Values(aliases) {
+		if a == nil {
+			continue
+		}
+
+		if a.ID != id {
+			return errors.New("deleting duplicate alias instances: instance list contains different IDs")
+		}
+	}
+
+	// Determine the instance of the alias that we want to keep. Given how
+	// UpsertAlias() works, this ought to be the first instance we run into, which
+	// we default to here. The only exception is if somehow a newer instance was
+	// appended below. It ought not be possible but we'll enforce most-recent wins
+	// anyway.
+	var aliasToKeep *identity.Alias
+	for _, alias := range aliases {
+		if alias == nil {
+			continue
+		}
+
+		if aliasToKeep == nil {
+			aliasToKeep = alias
+			continue
+		}
+
+		if t := alias.GetLastUpdateTime().AsTime(); t.After(aliasToKeep.GetLastUpdateTime().AsTime()) {
+			aliasToKeep = alias
+		}
+	}
+
+	if aliasToKeep == nil {
+		return errors.New("no identity aliases to keep in deduplication")
+	}
+	log.Trace("deleting all but one duplicate identity alias instance",
+		"num_to_delete", len(aliases)-1,
+		"alias_to_keep", aliasToKeep,
+	)
+
+	i.entity.Aliases = slices.DeleteFunc(i.entity.Aliases, func(a *identity.Alias) bool {
+		if a == nil {
+			return true
+		}
+		if aliasToKeep.ID == a.ID && a != aliasToKeep {
+			return true
+		}
+
+		return false
+	})
+
+	return nil
+}
+
+// resolveAndAssociateDanglingEntityAlias determines how best to resolve a
+// dangling entity alias. Depending on the context of the entities aliases there
+// are several different approaches to resolution and association. The entity
+// alias will be updated in-place when there are no errors in resolution.
+// The implementation must be deterministic so that integrity resolution is the
+// same on all nodes.
+func (i *entityIntegrityCheck) resolveAndAssociateDanglingEntityAlias(log hclog.Logger, alias *identity.Alias) error {
+	switch {
+	case i == nil:
+		return errors.New("entity integrity check uninitialized")
+	case alias == nil:
+		return errors.New("no reference to an identity alias was given")
+	case i.entity == nil:
+		return errors.New("entity integrity check is not associated with an entity")
+	}
+
+	if alias.CanonicalID == i.entity.ID {
+		// The alias is not actually dangling.
+		return nil
+	}
+
+	if i.entity.ID == "" {
+		// Our entity doesn't actually have an ID to associate it with.
+		return errors.New("entity does not have an ID")
+	}
+
+	now := timestamppb.Now()
+
+	// Update our entity ID with the correct entity ID while also including our
+	// prior ID in the aliases merged from field.
+	resolveAliasID := func() {
+		log.Warn("associating dangling identity alias with entity",
+			"alias_id", alias.ID,
+			"dangling_canonical_id", alias.CanonicalID,
+			"new_canonical_id", i.entity.ID,
+		)
+
+		if cid := alias.CanonicalID; cid != "" {
+			alias.MergedFromCanonicalIDs = append(alias.MergedFromCanonicalIDs, cid)
+			if alias.Metadata == nil {
+				alias.Metadata = make(map[string]string)
+			}
+			alias.Metadata["dangling_canonical_id"] = cid
+		}
+		alias.CanonicalID = i.entity.ID
+		alias.LastUpdateTime = now
+	}
+
+	// Update our alias name with our old name and create a new name by appending
+	// the name and entity UUID together. This will allow users to choose whether
+	// or not to delete the rename or merge the dangling alias.
+	renameAlias := func() {
+		oldName := alias.Name
+		alias.Name = alias.Name + "-" + alias.ID
+		if alias.Metadata == nil {
+			alias.Metadata = make(map[string]string)
+		}
+		alias.Metadata["dangling_prior_name"] = oldName
+		alias.LastUpdateTime = now
+
+		log.Warn("renamed dangling duplicate identity alias",
+			"alias_id", alias.ID,
+			"name", alias.Name,
+			"old_name", oldName,
+		)
+	}
+
+	if len(i.entity.Aliases) == 1 {
+		// The alias is dangling but there are no other aliases with the same alias
+		// name and mount accessor.
+		resolveAliasID()
+
+		return nil
+	}
+
+	duplicateAliases := make([]*identity.Alias, 0)
+	for _, ea := range i.entity.Aliases {
+		if ea == nil {
+			continue
+		}
+		if alias.Name+alias.MountAccessor == ea.Name+ea.MountAccessor {
+			duplicateAliases = append(duplicateAliases, ea)
+		}
+	}
+
+	if len(duplicateAliases) < 1 {
+		// The alias is dangling but there are no other aliases with the same alias
+		// name and mount accessor. We only need to resolve the alias ID.
+		resolveAliasID()
+
+		return nil
+	}
+
+	// We have duplicate dangling aliases.
+	log.Warn("DUPLICATE DETECTED, dangling duplicate identity alias detected, see following logs for details and refer to " +
+		identityDuplicateReportUrl + " for resolution.")
+
+	// Our dangling alias is a duplicate. Determine whether or not all of the
+	// duplicates are dangling or not as that will determine whether or not
+	// we need to rename the alias to avoid a clash.
+	allDangling := true
+	for _, da := range duplicateAliases {
+		if i.entity.ID == da.CanonicalID {
+			allDangling = false
+			break
+		}
+	}
+	if !allDangling {
+		// The alias is dangling, a duplicate, and there is a duplicate that is not
+		// dangling. We'll rename our dangling duplicate and allow any other aliases
+		// that are not dangling inherit the name.
+		renameAlias()
+		resolveAliasID()
+
+		return nil
+	}
+
+	// We have duplicate aliases and all of them are dangling. If we're the most
+	// recently updated alias in that set then we'll keep our name, otherwise
+	// we'll rename to allow the most recently updated to keep the name.
+	var mostRecentlyUpdatedAlias *identity.Alias
+	for _, de := range duplicateAliases {
+		if de == nil {
+			continue
+		}
+		if mostRecentlyUpdatedAlias == nil {
+			mostRecentlyUpdatedAlias = de
+			continue
+		}
+
+		if t := de.GetLastUpdateTime().AsTime(); t.After(mostRecentlyUpdatedAlias.GetLastUpdateTime().AsTime()) {
+			mostRecentlyUpdatedAlias = de
+		}
+	}
+
+	if alias.GetLastUpdateTime().AsTime().Before(mostRecentlyUpdatedAlias.GetLastUpdateTime().AsTime()) {
+		// The alias is dangling, a duplicate, and is not most recently updated
+		// dangling duplicate. We'll rename our dangling duplicate and allow the
+		// the most recently updated duplicate to inherit the name.
+		renameAlias()
+	}
+
+	resolveAliasID()
+
+	return nil
+}
+
 var entityHelp = map[string][2]string{
 	"entity": {
 		"Create a new entity",
diff --git a/vault/identity_store_entities_test.go b/vault/identity_store_entities_test.go
index 4374ecc8e3..b20d4dce64 100644
--- a/vault/identity_store_entities_test.go
+++ b/vault/identity_store_entities_test.go
@@ -10,13 +10,17 @@ import (
 	"sort"
 	"strings"
 	"testing"
+	"time"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-uuid"
 	credGithub "github.com/hashicorp/vault/builtin/credential/github"
 	"github.com/hashicorp/vault/helper/identity"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func TestIdentityStore_EntityDeleteGroupMembershipUpdate(t *testing.T) {
@@ -1311,3 +1315,493 @@ func TestIdentityStore_MergeEntitiesByID_DuplicateFromEntityIDs(t *testing.T) {
 		t.Fatalf("invalid number of entity policies; expected: 2, actualL: %d", len(entity1Lookup.Policies))
 	}
 }
+
+// TestIdentityStore_ProcessLocalAliasWithSameIssuerAndExternalId tests that processLocalAlias doesn't
+// allow upserting an alias with the same issuer, external id, and namespace
+func TestIdentityStore_ProcessLocalAliasWithSameIssuerAndExternalId(t *testing.T) {
+	ctx := namespace.RootContext(nil)
+	is, githubAccessor, _, _ := testIdentityStoreWithLocalGithubAuth(ctx, t)
+
+	validateMountResp := is.router.ValidateMountByAccessor(githubAccessor)
+	require.NotNil(t, validateMountResp)
+
+	alias2 := &identity.Alias{
+		CanonicalID:   "testentityid",
+		ID:            "testaliasid2",
+		MountAccessor: validateMountResp.MountAccessor,
+		MountType:     validateMountResp.MountType,
+		Name:          "testaliasname2",
+		Metadata: map[string]string{
+			"testkey2": "testmetadatavalue2",
+			"testkey3": "testmetadatavalue3",
+		},
+		NamespaceID: "root",
+		Issuer:      "test-issuer",
+		ExternalID:  "test-external-id",
+	}
+
+	entity := &identity.Entity{
+		ID:   "testentityid",
+		Name: "testentityname",
+		Metadata: map[string]string{
+			"someusefulkey": "someusefulvalue",
+		},
+		Aliases: []*identity.Alias{
+			alias2,
+		},
+	}
+
+	entity.BucketKey = is.entityPacker.BucketKey(entity.ID)
+
+	localAlias := &logical.Alias{
+		ID:            "testaliasid",
+		MountAccessor: githubAccessor,
+		MountType:     validateMountResp.MountType,
+		Name:          "testaliasname",
+		Metadata: map[string]string{
+			"testkey1": "testmetadatavalue1",
+			"testkey2": "testmetadatavalue2",
+		},
+		NamespaceID: "root",
+		// NOTE: these are the same as in alias2!
+		Issuer:     "test-issuer",
+		ExternalID: "test-external-id",
+		Local:      true,
+	}
+
+	_, err := is.processLocalAlias(ctx, localAlias, entity, true)
+	// Should fail. Duplicates!
+	require.Error(t, err)
+
+	// Fetch the entity using its ID, expect nil
+	entityFetched, err := is.MemDBEntityByID(entity.ID, false)
+	require.NoError(t, err)
+	require.Nil(t, entityFetched)
+
+	// Upsert the initial entity:
+	txn := is.db.Txn(true)
+	defer txn.Abort()
+	err = is.MemDBUpsertEntityInTxn(txn, entity)
+	if err != nil {
+		t.Fatal(err)
+	}
+	txn.Commit()
+
+	// Ensure we still get an error trying to process the alias:
+	_, err = is.processLocalAlias(ctx, localAlias, entity, true)
+	// Should fail. Duplicates!
+	require.Error(t, err)
+
+	safeLocalAlias := &logical.Alias{
+		ID:            "testaliasid-safe",
+		MountAccessor: githubAccessor,
+		MountType:     validateMountResp.MountType,
+		Name:          "testaliasname",
+		Metadata: map[string]string{
+			"testkey1": "testmetadatavalue1",
+			"testkey2": "testmetadatavalue2",
+		},
+		NamespaceID: "root",
+		// NOTE: these are NOT the same as in alias2!
+		Issuer:     "test-issuer-2",
+		ExternalID: "test-external-id-2",
+		Local:      true,
+	}
+
+	// This one should be safe!
+	_, err = is.processLocalAlias(ctx, safeLocalAlias, entity, true)
+	require.NoError(t, err)
+
+	localAliasNoNamespaceId := &logical.Alias{
+		ID:            "testaliasid-no-nsid",
+		MountAccessor: githubAccessor,
+		MountType:     validateMountResp.MountType,
+		Name:          "testaliasname-no-nsid",
+		Metadata: map[string]string{
+			"testkey1": "testmetadatavalue1",
+			"testkey2": "testmetadatavalue2",
+		},
+		// NOTE: these are NOT the same as in alias2!
+		Issuer:     "test-issuer-3",
+		ExternalID: "test-external-id-3",
+		Local:      true,
+	}
+	_, err = is.processLocalAlias(ctx, localAliasNoNamespaceId, entity, true)
+	require.NoError(t, err)
+}
+
+// TestIdentityStore_checkAndRepairEntityIntegrity tests the
+// checkEntityIntegrity and entityIntegrityCheck's abiltiy to repair what it
+// found.
+func TestIdentityStore_checkAndRepairEntityIntegrity(t *testing.T) {
+	tests := map[string]struct {
+		setupEntity      func(t *testing.T) *identity.Entity
+		expectCheckError bool
+		expectNilAlias   bool
+		expectDangling   int
+		expectDuplicate  int
+	}{
+		"valid entity with no issues": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						{
+							ID:          "alias-1",
+							CanonicalID: entityID,
+							Name:        "test-alias",
+						},
+					},
+				}
+			},
+			expectCheckError: false,
+			expectNilAlias:   false,
+			expectDangling:   0,
+			expectDuplicate:  0,
+		},
+		"entity with nil alias": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						nil,
+						{
+							ID:          "alias-1",
+							CanonicalID: entityID,
+							Name:        "test-alias",
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   true,
+			expectDangling:   0,
+			expectDuplicate:  0,
+		},
+		"entity with multiple nil aliases": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						nil,
+						{
+							ID:          "alias-1",
+							CanonicalID: entityID,
+							Name:        "test-alias",
+						},
+						nil,
+						nil,
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   true,
+			expectDangling:   0,
+			expectDuplicate:  0,
+		},
+		"entity with dangling alias": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						{
+							ID:          "alias-1",
+							CanonicalID: "wrong-entity-id",
+							Name:        "dangling-alias",
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   false,
+			expectDangling:   1,
+			expectDuplicate:  0,
+		},
+		"entity with multiple dangling aliases": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						{
+							ID:          "alias-1",
+							CanonicalID: "wrong-entity-id-1",
+							Name:        "dangling-alias-1",
+						},
+						{
+							ID:          "alias-2",
+							CanonicalID: "wrong-entity-id-2",
+							Name:        "dangling-alias-2",
+						},
+						{
+							ID:          "alias-3",
+							CanonicalID: "wrong-entity-id-3",
+							Name:        "dangling-alias-3",
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   false,
+			expectDangling:   3,
+			expectDuplicate:  0,
+		},
+		"entity with duplicate alias instances same ID": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				now := time.Now()
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						{
+							ID:             "alias-1",
+							CanonicalID:    entityID,
+							Name:           "test-alias",
+							LastUpdateTime: timestamppb.New(now.Add(-1 * time.Hour)),
+						},
+						{
+							ID:             "alias-1",
+							CanonicalID:    entityID,
+							Name:           "test-alias",
+							LastUpdateTime: timestamppb.New(now),
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   false,
+			expectDangling:   0,
+			expectDuplicate:  1,
+		},
+		"entity with multiple duplicate alias instances": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				now := time.Now()
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						{
+							ID:             "alias-1",
+							CanonicalID:    entityID,
+							Name:           "test-alias-1",
+							LastUpdateTime: timestamppb.New(now.Add(-3 * time.Hour)),
+						},
+						{
+							ID:             "alias-1",
+							CanonicalID:    entityID,
+							Name:           "test-alias-1",
+							LastUpdateTime: timestamppb.New(now.Add(-2 * time.Hour)),
+						},
+						{
+							ID:             "alias-1",
+							CanonicalID:    entityID,
+							Name:           "test-alias-1",
+							LastUpdateTime: timestamppb.New(now.Add(-1 * time.Hour)),
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   false,
+			expectDangling:   0,
+			expectDuplicate:  1,
+		},
+		"entity with dangling and duplicate aliases": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				now := time.Now()
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						{
+							ID:             "alias-1",
+							CanonicalID:    "wrong-entity-id",
+							Name:           "dangling-alias",
+							LastUpdateTime: timestamppb.New(now.Add(-1 * time.Hour)),
+						},
+						{
+							ID:             "alias-2",
+							CanonicalID:    entityID,
+							Name:           "duplicate-alias",
+							LastUpdateTime: timestamppb.New(now.Add(-2 * time.Hour)),
+						},
+						{
+							ID:             "alias-2",
+							CanonicalID:    entityID,
+							Name:           "duplicate-alias",
+							LastUpdateTime: timestamppb.New(now),
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   false,
+			expectDangling:   1,
+			expectDuplicate:  1,
+		},
+		"entity with nil, dangling, and duplicate aliases": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				now := time.Now()
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						nil,
+						{
+							ID:             "alias-1",
+							CanonicalID:    "wrong-entity-id",
+							Name:           "dangling-alias",
+							LastUpdateTime: timestamppb.New(now.Add(-1 * time.Hour)),
+						},
+						{
+							ID:             "alias-2",
+							CanonicalID:    entityID,
+							Name:           "duplicate-alias",
+							LastUpdateTime: timestamppb.New(now.Add(-2 * time.Hour)),
+						},
+						nil,
+						{
+							ID:             "alias-2",
+							CanonicalID:    entityID,
+							Name:           "duplicate-alias",
+							LastUpdateTime: timestamppb.New(now),
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   true,
+			expectDangling:   1,
+			expectDuplicate:  1,
+		},
+		"entity with dangling duplicate aliases same mount and name": {
+			setupEntity: func(t *testing.T) *identity.Entity {
+				entityID, err := uuid.GenerateUUID()
+				require.NoError(t, err)
+				now := time.Now()
+				return &identity.Entity{
+					ID:   entityID,
+					Name: "test-entity",
+					Aliases: []*identity.Alias{
+						{
+							ID:             "alias-1",
+							CanonicalID:    "wrong-entity-id-1",
+							Name:           "test-alias",
+							MountAccessor:  "mount-1",
+							LastUpdateTime: timestamppb.New(now.Add(-2 * time.Hour)),
+						},
+						{
+							ID:             "alias-2",
+							CanonicalID:    "wrong-entity-id-2",
+							Name:           "test-alias",
+							MountAccessor:  "mount-1",
+							LastUpdateTime: timestamppb.New(now.Add(-1 * time.Hour)),
+						},
+					},
+				}
+			},
+			expectCheckError: true,
+			expectNilAlias:   false,
+			expectDangling:   2,
+			expectDuplicate:  0,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			entity := test.setupEntity(t)
+
+			// Run checkEntityIntegrity
+			check, err := checkEntityIntegrity(entity)
+
+			if test.expectCheckError {
+				require.Error(t, err, "expected checkEntityIntegrity to return an error")
+				require.NotNil(t, check, "expected check to be non-nil even with error")
+			} else {
+				require.NoError(t, err, "expected checkEntityIntegrity to succeed")
+				require.NotNil(t, check, "expected check to be non-nil")
+			}
+
+			// Verify the check results
+			require.Equal(t, entity, check.entity, "check should reference the correct entity")
+			require.Equal(t, test.expectNilAlias, check.hasNilAliases, "hasNilAliases mismatch")
+			require.Len(t, check.danglingAliases, test.expectDangling, "danglingAliases count mismatch")
+			require.Len(t, check.duplicateAliases, test.expectDuplicate, "duplicateAliases count mismatch")
+
+			// If there are issues, test repair
+			if test.expectCheckError {
+				logger := hclog.NewNullLogger()
+
+				// Track which aliases were dangling before repair with their original names
+				danglingAliasInfo := make(map[string]struct {
+					canonicalID string
+					name        string
+				})
+				for _, alias := range check.danglingAliases {
+					danglingAliasInfo[alias.ID] = struct {
+						canonicalID string
+						name        string
+					}{
+						canonicalID: alias.CanonicalID,
+						name:        alias.Name,
+					}
+				}
+
+				err := check.repair(logger)
+				require.NoError(t, err, "repair should succeed")
+
+				// Verify repair fixed the issues
+				postRepairCheck, err := checkEntityIntegrity(entity)
+				require.NoError(t, err, "entity should be valid after repair")
+				require.NotNil(t, postRepairCheck)
+				require.False(t, postRepairCheck.hasNilAliases, "nil aliases should be removed")
+				require.Empty(t, postRepairCheck.danglingAliases, "dangling aliases should be resolved")
+				require.Empty(t, postRepairCheck.duplicateAliases, "duplicate aliases should be removed")
+
+				// Verify all remaining aliases are properly associated
+				for _, alias := range entity.Aliases {
+					require.NotNil(t, alias, "no nil aliases should remain")
+					require.Equal(t, entity.ID, alias.CanonicalID, "all aliases should have correct CanonicalID")
+
+					// If this alias was dangling, verify it was properly resolved
+					if info, wasDangling := danglingAliasInfo[alias.ID]; wasDangling {
+						// All dangling aliases should have dangling_canonical_id in metadata
+						require.NotNil(t, alias.Metadata, "dangling alias should have metadata")
+						require.Equal(t, info.canonicalID, alias.Metadata["dangling_canonical_id"],
+							"metadata should contain old canonical ID",
+						)
+
+						// If the alias name was changed (indicating it was renamed due to conflict)
+						if alias.Name != info.name {
+							require.Equal(t, info.name, alias.Metadata["dangling_prior_name"],
+								"metadata should contain prior name for renamed alias",
+							)
+						}
+					}
+				}
+			}
+		})
+	}
+}
diff --git a/vault/identity_store_entities_update.go b/vault/identity_store_entities_update.go
index 275f7f4ba0..b9f98f7a11 100644
--- a/vault/identity_store_entities_update.go
+++ b/vault/identity_store_entities_update.go
@@ -15,10 +15,12 @@ import (
 
 // EntityBuilder is used to construct or update an identity.Entity.
 type EntityBuilder struct {
-	store  *IdentityStore
-	entity *identity.Entity
-	isNew  bool
-	err    error
+	store          *IdentityStore
+	entity         *identity.Entity
+	isNew          bool
+	originalSCIMID string
+	modifiedFields []string
+	err            error
 }
 
 // NewEntityBuilder creates a new builder instance.
@@ -57,6 +59,7 @@ func (b *EntityBuilder) WithID(id string) *EntityBuilder {
 	}
 
 	b.entity = entity
+	b.originalSCIMID = b.entity.ScimClientID
 	b.isNew = false
 	return b
 }
@@ -76,10 +79,12 @@ func (b *EntityBuilder) WithExternalID(ctx context.Context, externalID string) *
 	if entityByExternalID != nil {
 		// An entity with this external ID already exists, so we'll update it.
 		b.entity = entityByExternalID
+		b.originalSCIMID = b.entity.ScimClientID
 		b.isNew = false
 	} else {
 		// No entity found, so we're just setting the external ID on the current one.
 		b.entity.ExternalID = externalID
+		b.modifiedFields = append(b.modifiedFields, "external_id")
 	}
 
 	return b
@@ -103,6 +108,7 @@ func (b *EntityBuilder) WithName(ctx context.Context, name string) *EntityBuilde
 	case b.isNew:
 		// We haven't loaded an entity yet, but one with this name exists. Let's update it.
 		b.entity = entityByName
+		b.originalSCIMID = b.entity.ScimClientID
 		b.isNew = false
 	case b.entity.ID == entityByName.ID:
 		// The loaded entity and the one found by name are the same. No-op.
@@ -112,6 +118,9 @@ func (b *EntityBuilder) WithName(ctx context.Context, name string) *EntityBuilde
 		return b
 	}
 
+	if b.entity.Name != name {
+		b.modifiedFields = append(b.modifiedFields, "name")
+	}
 	b.entity.Name = name
 	return b
 }
@@ -125,6 +134,10 @@ func (b *EntityBuilder) WithPolicies(policies []string) *EntityBuilder {
 		b.err = fmt.Errorf("policies cannot contain root")
 		return b
 	}
+	dedupedPolicies := strutil.RemoveDuplicates(policies, false)
+	if !strutil.EquivalentSlices(b.entity.Policies, dedupedPolicies) {
+		b.modifiedFields = append(b.modifiedFields, "policies")
+	}
 	b.entity.Policies = strutil.RemoveDuplicates(policies, false)
 	return b
 }
@@ -134,15 +147,25 @@ func (b *EntityBuilder) WithDisabled(disabled bool) *EntityBuilder {
 	if b.err != nil {
 		return b
 	}
+	if b.entity.Disabled != disabled {
+		b.modifiedFields = append(b.modifiedFields, "disabled")
+	}
 	b.entity.Disabled = disabled
 	return b
 }
 
 // WithMetadata sets the metadata for the entity.
+// The original entity's value for duplicate_of_canonical_id will be preserved.
 func (b *EntityBuilder) WithMetadata(metadata map[string]string) *EntityBuilder {
 	if b.err != nil {
 		return b
 	}
+	if value, ok := b.entity.Metadata[duplicateCanonicalIDMetadataKey]; ok {
+		metadata[duplicateCanonicalIDMetadataKey] = value
+	}
+	if !strutil.EqualStringMaps(b.entity.Metadata, metadata) {
+		b.modifiedFields = append(b.modifiedFields, "metadata")
+	}
 	b.entity.Metadata = metadata
 	return b
 }
@@ -163,6 +186,10 @@ func (b *EntityBuilder) Build(ctx context.Context) (*logical.Response, error) {
 		return logical.ErrorResponse(b.err.Error()), nil
 	}
 
+	if err := b.store.scimResourceCheck(ctx, b.entity, b.originalSCIMID, b.isNew, b.modifiedFields); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrPermissionDenied
+	}
+
 	// Sanitize and persist the entity
 	if err := b.store.sanitizeEntity(ctx, b.entity); err != nil {
 		return nil, err
diff --git a/vault/identity_store_group_aliases_test.go b/vault/identity_store_group_aliases_test.go
index 8ea1900de8..032ed832ed 100644
--- a/vault/identity_store_group_aliases_test.go
+++ b/vault/identity_store_group_aliases_test.go
@@ -11,6 +11,7 @@ import (
 	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
 	"github.com/hashicorp/vault/helper/identity"
 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/kr/pretty"
 )
@@ -91,17 +92,14 @@ func TestIdentityStore_CaseInsensitiveGroupAliasName(t *testing.T) {
 }
 
 func TestIdentityStore_EnsureNoDanglingGroupAlias(t *testing.T) {
-	err := AddTestCredentialBackend("userpass", credUserpass.Factory)
-	if err != nil {
-		t.Fatal(err)
+	conf := &CoreConfig{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CredentialBackends: map[string]logical.Factory{
+			"ldap":     credLdap.Factory,
+			"userpass": credUserpass.Factory,
+		},
 	}
-
-	err = AddTestCredentialBackend("ldap", credLdap.Factory)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	c, _, _ := TestCoreUnsealed(t)
+	c, _, _ := TestCoreUnsealedWithConfig(t, conf)
 
 	ctx := namespace.RootContext(nil)
 
@@ -111,7 +109,7 @@ func TestIdentityStore_EnsureNoDanglingGroupAlias(t *testing.T) {
 		Type:        "userpass",
 		Description: "userpass",
 	}
-	err = c.enableCredential(ctx, userpassMe)
+	err := c.enableCredential(ctx, userpassMe)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/vault/identity_store_groups.go b/vault/identity_store_groups.go
index c475c566c6..c0f3893c3c 100644
--- a/vault/identity_store_groups.go
+++ b/vault/identity_store_groups.go
@@ -6,6 +6,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strings"
 
 	"github.com/golang/protobuf/ptypes"
@@ -130,8 +131,27 @@ func groupPaths(i *IdentityStore) []*framework.Path {
 				OperationSuffix: "by-id",
 			},
 
-			Callbacks: map[logical.Operation]framework.OperationFunc{
-				logical.ListOperation: i.pathGroupIDList(),
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ListOperation: &framework.PathOperation{
+					Callback: i.pathGroupIDList(),
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"keys": {
+									Type:        framework.TypeStringSlice,
+									Description: `A list of  entity ids`,
+									Required:    true,
+								},
+								"key_info": {
+									Type:        framework.TypeMap,
+									Description: `Entity details keyed by the entity id`,
+									Required:    false,
+								},
+							},
+						}},
+					},
+				},
 			},
 
 			HelpSynopsis:    strings.TrimSpace(groupHelp["group-id-list"][0]),
@@ -262,11 +282,15 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 		group = new(identity.Group)
 		newGroup = true
 	}
-
+	var modifiedFields []string
 	// Update the policies if supplied
 	policiesRaw, ok := d.GetOk("policies")
 	if ok {
-		group.Policies = strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)
+		dedupedPolicies := strutil.RemoveDuplicatesStable(policiesRaw.([]string), true)
+		if !strutil.EquivalentSlices(dedupedPolicies, group.Policies) {
+			modifiedFields = append(modifiedFields, "policies")
+		}
+		group.Policies = dedupedPolicies
 	}
 
 	if strutil.StrListContainsCaseInsensitive(group.Policies, "root") {
@@ -310,13 +334,16 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 		case groupByName.ID != group.ID:
 			return logical.ErrorResponse("group name is already in use"), nil
 		}
+		if group.Name != groupName {
+			modifiedFields = append(modifiedFields, "name")
+		}
 		group.Name = groupName
 	}
 
-	_, ok = d.Schema["scim_client_id"]
+	originalSCIMID := group.ScimClientID
+	scimClientID, ok := d.GetOk("scim_client_id")
 	if ok {
-		entitSCIMClientID := d.Get("scim_client_id").(string)
-		group.ScimClientID = entitSCIMClientID
+		group.ScimClientID = scimClientID.(string)
 	}
 
 	metadata, ok, err := d.GetOkErr("metadata")
@@ -324,6 +351,10 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 		return logical.ErrorResponse(fmt.Sprintf("failed to parse metadata: %v", err)), nil
 	}
 	if ok {
+		metadataMap := metadata.(map[string]string)
+		if !strutil.EqualStringMaps(group.Metadata, metadataMap) {
+			modifiedFields = append(modifiedFields, "metadata")
+		}
 		group.Metadata = metadata.(map[string]string)
 	}
 
@@ -332,6 +363,9 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 		if group.Type == groupTypeExternal {
 			return logical.ErrorResponse("member entities can't be set manually for external groups"), nil
 		}
+		if !strutil.EquivalentSlices(group.MemberEntityIDs, memberEntityIDsRaw.([]string)) {
+			modifiedFields = append(modifiedFields, "member_entity_ids")
+		}
 		group.MemberEntityIDs = memberEntityIDsRaw.([]string)
 	}
 
@@ -342,8 +376,14 @@ func (i *IdentityStore) handleGroupUpdateCommon(ctx context.Context, req *logica
 			return logical.ErrorResponse("member groups can't be set for external groups"), nil
 		}
 		memberGroupIDs = memberGroupIDsRaw.([]string)
+		modifiedFields = append(modifiedFields, "member_group_ids")
 	}
 
+	// Build the list of fields being modified by this request.
+
+	if err := i.scimResourceCheck(ctx, group, originalSCIMID, newGroup, modifiedFields); err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
 	err = i.sanitizeAndUpsertGroup(ctx, group, nil, memberGroupIDs)
 	if err != nil {
 		if errStr := err.Error(); strings.HasPrefix(errStr, errCycleDetectedPrefix) {
@@ -430,6 +470,10 @@ func (i *IdentityStore) handleGroupReadCommon(ctx context.Context, group *identi
 	respData["type"] = group.Type
 	respData["namespace_id"] = group.NamespaceID
 
+	if i.scimEnabled {
+		respData["scim_client_id"] = group.ScimClientID
+	}
+
 	aliasMap := map[string]interface{}{}
 	if group.Alias != nil {
 		aliasMap["id"] = group.Alias.ID
@@ -525,6 +569,11 @@ func (i *IdentityStore) handleGroupDeleteCommon(ctx context.Context, key string,
 		return logical.ErrorResponse("request namespace is not the same as the group namespace"), logical.ErrPermissionDenied
 	}
 
+	scimID := scimClientIDFromContext(ctx)
+	if scimID != group.ScimClientID {
+		return logical.ErrorResponse("SCIM-managed resources must be modified through SCIM"), logical.ErrPermissionDenied
+	}
+
 	// Delete group alias from memdb
 	if group.Type == groupTypeExternal && group.Alias != nil {
 		err = i.MemDBDeleteAliasByIDInTxn(txn, group.Alias.ID, true)
diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
index aeb9807d10..7ff7a8a5b7 100644
--- a/vault/identity_store_oidc.go
+++ b/vault/identity_store_oidc.go
@@ -1079,6 +1079,14 @@ func (i *IdentityStore) pathOIDCGenerateToken(ctx context.Context, req *logical.
 		"client_id": role.ClientID,
 		"ttl":       int64(role.TokenTTL.Seconds()),
 	}
+
+	// Track OIDC token generation for billing
+	// Store duration (seconds), normalize later during storage flush
+	validity := expiry.Seconds()
+	if i.billingCounter != nil {
+		i.billingCounter.IncrementOidcTokenCount(validity)
+	}
+
 	return retResp, nil
 }
 
diff --git a/vault/identity_store_oidc_provider.go b/vault/identity_store_oidc_provider.go
index 3d967443fe..5716a0331c 100644
--- a/vault/identity_store_oidc_provider.go
+++ b/vault/identity_store_oidc_provider.go
@@ -2157,6 +2157,12 @@ func (i *IdentityStore) pathOIDCToken(ctx context.Context, req *logical.Request,
 		return tokenResponse(nil, ErrTokenServerError, err.Error())
 	}
 
+	// Track OIDC token generated for billing
+	// Store duration (seconds), normalize later during storage flush
+	if i.billingCounter != nil {
+		i.billingCounter.IncrementOidcTokenCount(getMaxTokenTTL(client.AccessTokenTTL, client.IDTokenTTL).Seconds())
+	}
+
 	return tokenResponse(map[string]interface{}{
 		"token_type":   "Bearer",
 		"access_token": accessToken.ID,
@@ -2165,6 +2171,14 @@ func (i *IdentityStore) pathOIDCToken(ctx context.Context, req *logical.Request,
 	}, "", "")
 }
 
+// getMaxTokenTTL returns the maximum of the given access token and ID token
+func getMaxTokenTTL(accessTokenTTL, idTokenTTL time.Duration) time.Duration {
+	if accessTokenTTL > idTokenTTL {
+		return accessTokenTTL
+	}
+	return idTokenTTL
+}
+
 // tokenResponse returns the OIDC Token Response. An error response is
 // returned if the given error code is non-empty. For details, see spec at
 //   - https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
diff --git a/vault/identity_store_oidc_provider_test.go b/vault/identity_store_oidc_provider_test.go
index 7aa73c386d..0fda840cc3 100644
--- a/vault/identity_store_oidc_provider_test.go
+++ b/vault/identity_store_oidc_provider_test.go
@@ -3724,3 +3724,70 @@ func TestOIDC_Path_OpenIDProviderConfig_ProviderDoesNotExist(t *testing.T) {
 		t.Fatalf("expected empty response but got success; error:\n%v\nresp: %#v", err, resp)
 	}
 }
+
+// TestGetMaxTokenTTL tests the getMaxTokenTTL utility function
+func TestGetMaxTokenTTL(t *testing.T) {
+	tests := []struct {
+		name           string
+		accessTokenTTL time.Duration
+		idTokenTTL     time.Duration
+		expected       time.Duration
+	}{
+		{
+			name:           "access token TTL is greater",
+			accessTokenTTL: 2 * time.Hour,
+			idTokenTTL:     1 * time.Hour,
+			expected:       2 * time.Hour,
+		},
+		{
+			name:           "id token TTL is greater",
+			accessTokenTTL: 1 * time.Hour,
+			idTokenTTL:     2 * time.Hour,
+			expected:       2 * time.Hour,
+		},
+		{
+			name:           "both TTLs are equal",
+			accessTokenTTL: 1 * time.Hour,
+			idTokenTTL:     1 * time.Hour,
+			expected:       1 * time.Hour,
+		},
+		{
+			name:           "access token TTL is zero",
+			accessTokenTTL: 0,
+			idTokenTTL:     1 * time.Hour,
+			expected:       1 * time.Hour,
+		},
+		{
+			name:           "id token TTL is zero",
+			accessTokenTTL: 1 * time.Hour,
+			idTokenTTL:     0,
+			expected:       1 * time.Hour,
+		},
+		{
+			name:           "both TTLs are zero",
+			accessTokenTTL: 0,
+			idTokenTTL:     0,
+			expected:       0,
+		},
+		{
+			name:           "large TTL values",
+			accessTokenTTL: 24 * time.Hour,
+			idTokenTTL:     48 * time.Hour,
+			expected:       48 * time.Hour,
+		},
+		{
+			name:           "small TTL values",
+			accessTokenTTL: 30 * time.Second,
+			idTokenTTL:     15 * time.Second,
+			expected:       30 * time.Second,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := getMaxTokenTTL(tt.accessTokenTTL, tt.idTokenTTL)
+			require.Equal(t, tt.expected, result, "getMaxTokenTTL(%v, %v) = %v, want %v",
+				tt.accessTokenTTL, tt.idTokenTTL, result, tt.expected)
+		})
+	}
+}
diff --git a/vault/identity_store_schema.go b/vault/identity_store_schema.go
index 5fd2fe032c..f2824353d2 100644
--- a/vault/identity_store_schema.go
+++ b/vault/identity_store_schema.go
@@ -10,12 +10,14 @@ import (
 )
 
 const (
-	entitiesTable      = "entities"
-	entityAliasesTable = "entity_aliases"
-	groupsTable        = "groups"
-	groupAliasesTable  = "group_aliases"
-	oidcClientsTable   = "oidc_clients"
-	scimClientsTable   = "scim_clients"
+	entitiesTable              = "entities"
+	entityAliasesTable         = "entity_aliases"
+	groupsTable                = "groups"
+	groupAliasesTable          = "group_aliases"
+	oidcClientsTable           = "oidc_clients"
+	scimClientsTable           = "scim_clients"
+	factorsIndex               = "factors"
+	issuerAndExternalIdFactors = "issuer_externalid_factors"
 )
 
 func identityStoreSchema(lowerCaseName bool) *memdb.DBSchema {
@@ -54,8 +56,8 @@ func aliasesTableSchema(lowerCaseName bool) *memdb.TableSchema {
 					Field: "ID",
 				},
 			},
-			"factors": {
-				Name:   "factors",
+			factorsIndex: {
+				Name:   factorsIndex,
 				Unique: true,
 				Indexer: &memdb.CompoundIndex{
 					Indexes: []memdb.Indexer{
@@ -69,6 +71,23 @@ func aliasesTableSchema(lowerCaseName bool) *memdb.TableSchema {
 					},
 				},
 			},
+			issuerAndExternalIdFactors: {
+				Name: issuerAndExternalIdFactors,
+				Indexer: &memdb.CompoundIndex{
+					Indexes: []memdb.Indexer{
+						&memdb.StringFieldIndex{
+							Field: "Issuer",
+						},
+						&memdb.StringFieldIndex{
+							Field: "ExternalID",
+						},
+						&memdb.StringFieldIndex{
+							Field: "NamespaceID",
+						},
+					},
+				},
+				AllowMissing: true,
+			},
 			"namespace_id": {
 				Name: "namespace_id",
 				Indexer: &memdb.StringFieldIndex{
@@ -82,6 +101,16 @@ func aliasesTableSchema(lowerCaseName bool) *memdb.TableSchema {
 					Field: "LocalBucketKey",
 				},
 			},
+			"scim_client_id": {
+				Name:         "scim_client_id",
+				AllowMissing: true,
+				Indexer: &memdb.CompoundIndex{
+					Indexes: []memdb.Indexer{
+						&memdb.StringFieldIndex{Field: "NamespaceID"},
+						&memdb.StringFieldIndex{Field: "ScimClientID"},
+					},
+				},
+			},
 		},
 	}
 }
diff --git a/vault/identity_store_scim_oss.go b/vault/identity_store_scim_oss.go
index 5ddcd5344a..f54a2c3707 100644
--- a/vault/identity_store_scim_oss.go
+++ b/vault/identity_store_scim_oss.go
@@ -18,6 +18,15 @@ func (i *IdentityStore) loadSCIMClients(ctx context.Context) error {
 func (i *IdentityStore) invalidateSCIMClient(ctx context.Context, key string) {
 }
 
+func (i *IdentityStore) startSCIMDeletingClientCleanup(ctx context.Context, isActive bool) {
+}
+
+func (i *IdentityStore) stopSCIMDeletingClientCleanup() {
+}
+
+func (i *IdentityStore) enqueueSCIMCleanup(clientID string, namespaceID string) {
+}
+
 func scimPaths(_ *IdentityStore) []*framework.Path {
 	return []*framework.Path{}
 }
diff --git a/vault/identity_store_scim_schema.go b/vault/identity_store_scim_schema.go
index 9a9393f66a..203b1ca9e5 100644
--- a/vault/identity_store_scim_schema.go
+++ b/vault/identity_store_scim_schema.go
@@ -3,7 +3,15 @@
 
 package vault
 
-import "github.com/hashicorp/go-memdb"
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/go-memdb"
+	"github.com/hashicorp/vault/helper/identity"
+)
 
 // SCIM client storage prefix
 const scimClientStoragePrefix = "scim/client/"
@@ -19,19 +27,6 @@ func scimClientSchema(_ bool) *memdb.TableSchema {
 					Field: "ClientID",
 				},
 			},
-			"client_id": {
-				Name: "client_id",
-				Indexer: &memdb.CompoundIndex{
-					Indexes: []memdb.Indexer{
-						&memdb.StringFieldIndex{
-							Field: "NamespaceID",
-						},
-						&memdb.StringFieldIndex{
-							Field: "ClientID",
-						},
-					},
-				},
-			},
 			"client_name": {
 				Name:   "client_name",
 				Unique: true,
@@ -69,3 +64,113 @@ func scimClientSchema(_ bool) *memdb.TableSchema {
 		},
 	}
 }
+
+type scimClientRequest struct{}
+
+func addSCIMClientIDToContext(ctx context.Context, id string) context.Context {
+	return context.WithValue(ctx, scimClientRequest{}, id)
+}
+
+func scimClientIDFromContext(ctx context.Context) string {
+	val := ctx.Value(scimClientRequest{})
+	if val == nil {
+		return ""
+	}
+	return val.(string)
+}
+
+// scimResourceCheck performs a number of checks on the resource to ensure that the operation is allowed.
+// A new resource must only set a SCIM client ID if the request came through SCIM via the same client.
+// An updated resource must:
+// - not change the SCIM client ID
+// - not be modified by a different SCIM client than the one that owns it
+// - only update SCIM managed fields if the request came via the same SCIM client
+func (i *IdentityStore) scimResourceCheck(ctx context.Context, resource scimManaged, originalSCIMID string, isCreate bool, modifiedFields []string) error {
+	reqSCIMClientID := scimClientIDFromContext(ctx)
+	resourceSCIMClientID := resource.SCIMClientID()
+
+	switch isCreate {
+	case true:
+		// The request must have come via a SCIM API in order to set
+		// the SCIM client ID
+		if reqSCIMClientID == "" && resourceSCIMClientID != "" {
+			return errors.New("cannot set scim_client_id")
+		}
+		if reqSCIMClientID != "" && resourceSCIMClientID == "" {
+			// this shouldn't ever happen
+			return errors.New("cannot create a resource via SCIM without a SCIM client ID")
+		}
+		if reqSCIMClientID != resourceSCIMClientID {
+			// this also shouldn't ever happen
+			return errors.New("cannot create resource via SCIM with a different SCIM client ID")
+		}
+
+	default:
+		// if the resource is being updated, the SCIM client ID
+		// cannot be modified
+		if originalSCIMID != resourceSCIMClientID {
+			return errors.New("cannot update scim_client_id")
+		}
+		if originalSCIMID != "" && reqSCIMClientID != "" && originalSCIMID != reqSCIMClientID {
+			return errors.New("cannot update resource via SCIM with a different SCIM client ID")
+		}
+		if err := i.scimFieldGuard(ctx, resource, modifiedFields); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// scimFieldGuard checks whether an API request is allowed to modify the given
+// fields on a SCIM-managed resource. If the resource is not SCIM-managed
+// (scimClientID is empty), all modifications are allowed. If the request
+// comes from the owning SCIM client, all modifications are allowed. Otherwise,
+// only non-SCIM-managed fields may be modified.
+func (i *IdentityStore) scimFieldGuard(ctx context.Context, resource scimManaged, modifiedFields []string) error {
+	// If the resource is not SCIM-managed, no restrictions apply.
+	scimClientID := resource.SCIMClientID()
+	if scimClientID == "" {
+		return nil
+	}
+
+	// If the request comes from the owning SCIM client, all modifications are allowed.
+	if scimClientIDFromContext(ctx) == scimClientID {
+		return nil
+	}
+
+	// The request is from the API (not SCIM). Check whether any of the
+	// modified fields are SCIM-managed.
+	scimManagedFields := resource.SCIMFields()
+	managedSet := make(map[string]struct{}, len(scimManagedFields))
+	for _, f := range scimManagedFields {
+		managedSet[f] = struct{}{}
+	}
+
+	var blocked []string
+	for _, f := range modifiedFields {
+		if _, ok := managedSet[f]; ok {
+			blocked = append(blocked, f)
+		}
+	}
+
+	if len(blocked) > 0 {
+		return fmt.Errorf("cannot modify SCIM-managed field(s) %q through the API", strings.Join(blocked, ", "))
+	}
+
+	return nil
+}
+
+type scimManaged interface {
+	// SCIMClientID returns the SCIM client ID of the managed resource
+	SCIMClientID() string
+	// SCIMFields returns the list of fields that are managed by SCIM and cannot
+	// be modified through the API. This list does not need to include `scim_client_id`
+	// as that is verified separately
+	SCIMFields() []string
+}
+
+var (
+	_ scimManaged = (*identity.Entity)(nil)
+	_ scimManaged = (*identity.Group)(nil)
+	_ scimManaged = (*identity.Alias)(nil)
+)
diff --git a/vault/identity_store_structs.go b/vault/identity_store_structs.go
index bf4c1abb92..49f4359670 100644
--- a/vault/identity_store_structs.go
+++ b/vault/identity_store_structs.go
@@ -104,17 +104,19 @@ type IdentityStore struct {
 	// operated case insensitively
 	disableLowerCasedNames bool
 
-	router        *Router
-	redirectAddr  string
-	localNode     LocalNode
-	namespacer    Namespacer
-	metrics       metricsutil.Metrics
-	totpPersister TOTPPersister
-	groupUpdater  GroupUpdater
-	tokenStorer   TokenStorer
-	entityCreator EntityCreator
-	mountLister   MountLister
-	mfaBackend    *LoginMFABackend
+	router                          *Router
+	redirectAddr                    string
+	localNode                       LocalNode
+	namespacer                      Namespacer
+	metrics                         metricsutil.Metrics
+	totpPersister                   TOTPPersister
+	groupUpdater                    GroupUpdater
+	tokenStorer                     TokenStorer
+	entityCreator                   EntityCreator
+	mountLister                     MountLister
+	syntheticAliasAccessorValidator SyntheticAliasAccessorValidator
+	mfaBackend                      *LoginMFABackend
+	billingCounter                  BillingCounter
 
 	// aliasLocks is used to protect modifications to alias entries based on the uniqueness factor
 	// which is name + accessor
@@ -122,9 +124,9 @@ type IdentityStore struct {
 
 	conflictResolver ConflictResolver
 
-	// renameDuplicates holds the Core reference to feature activation flags, so
-	// we can set and query enablement of the deduplication feature.
-	renameDuplicates       activationflags.ActivationManager
+	// activationManager holds the Core reference to feature activation flags, so
+	// we can set and query enablement of the scim and deduplication feature.
+	activationManager      activationflags.ActivationManager
 	activationErrorHandler Sealer
 
 	// activateDeduplicationDone is a channel used for synchronization in testing
@@ -132,6 +134,12 @@ type IdentityStore struct {
 
 	// scimEnabled is used to indicate if SCIM paths are enabled and if SCIM operations can be performed.
 	scimEnabled bool
+
+	// scimCleanupCtx is the context shared by all SCIM client cleanup goroutines.
+	// It is derived from the active context and cancelled on seal/standby.
+	scimCleanupCtx context.Context
+	// scimCleanupCancel cancels all background SCIM client cleanup goroutines.
+	scimCleanupCancel context.CancelFunc
 }
 
 type groupDiff struct {
@@ -151,6 +159,12 @@ type LocalNode interface {
 
 var _ LocalNode = &Core{}
 
+type BillingCounter interface {
+	IncrementOidcTokenCount(validitySeconds float64)
+}
+
+var _ BillingCounter = &Core{}
+
 type Namespacer interface {
 	NamespaceByID(context.Context, string) (*namespace.Namespace, error)
 	ListNamespaces(includePath bool) []*namespace.Namespace
@@ -190,6 +204,13 @@ type MountLister interface {
 
 var _ MountLister = &Core{}
 
+type SyntheticAliasAccessorValidator interface {
+	validateSyntheticAliasAccessor(context.Context, string) (bool, error)
+	generateSyntheticAliasAccessor(context.Context, string) (string, error)
+}
+
+var _ SyntheticAliasAccessorValidator = &Core{}
+
 type Sealer interface {
 	Shutdown() error
 }
diff --git a/vault/identity_store_test.go b/vault/identity_store_test.go
index ffc1c799c5..34d8d8af63 100644
--- a/vault/identity_store_test.go
+++ b/vault/identity_store_test.go
@@ -6,6 +6,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"maps"
 	"math/rand"
 	"os"
 	"regexp"
@@ -34,6 +35,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func TestIdentityStore_DeleteEntityAlias(t *testing.T) {
@@ -69,7 +71,7 @@ func TestIdentityStore_DeleteEntityAlias(t *testing.T) {
 		BucketKey:   c.identityStore.entityPacker.BucketKey("testEntityID"),
 	}
 
-	_, err := c.identityStore.upsertEntityInTxn(context.Background(), txn, entity, nil, false, false)
+	_, err := c.identityStore.upsertEntityInTxn(t.Context(), txn, entity, nil, false, false)
 	require.NoError(t, err)
 
 	err = c.identityStore.deleteAliasesInEntityInTxn(txn, entity, []*identity.Alias{alias, alias2})
@@ -87,7 +89,6 @@ func TestIdentityStore_DeleteEntityAlias(t *testing.T) {
 
 	entity, err = c.identityStore.MemDBEntityByID("testEntityID", false)
 	require.NoError(t, err)
-
 	require.Len(t, entity.Aliases, 0)
 }
 
@@ -436,6 +437,49 @@ func TestIdentityStore_EntityByAliasFactors(t *testing.T) {
 	}
 }
 
+// TestIdentityStore_EntityByAliasFactorsInTxnIf verifies the predicate-gated
+// lookup returns cloned entities on match and nil when the predicate rejects.
+func TestIdentityStore_EntityByAliasFactorsInTxnIf(t *testing.T) {
+	ctx := namespace.RootContext(nil)
+	is, ghAccessor, _, _ := testIdentityStoreWithGithubUserpassAuth(ctx, t)
+
+	loginAlias := &logical.Alias{
+		MountType:     "github",
+		MountAccessor: ghAccessor,
+		Name:          "githubuser",
+		Metadata: map[string]string{
+			"foo": "a",
+		},
+	}
+
+	createdEntity, _, err := is.CreateOrFetchEntity(ctx, loginAlias)
+	require.NoError(t, err)
+	require.NotNil(t, createdEntity)
+
+	txn := is.db.Txn(false)
+	defer txn.Abort()
+
+	matchedEntity, err := is.entityByAliasFactorsInTxnIf(txn, ghAccessor, loginAlias.Name, func(existingAlias *identity.Alias) bool {
+		return maps.Equal(existingAlias.Metadata, loginAlias.Metadata)
+	})
+	require.NoError(t, err)
+	require.NotNil(t, matchedEntity)
+	require.Equal(t, createdEntity.ID, matchedEntity.ID)
+
+	// The conditional helper returns clones; mutating the result must not mutate MemDB state.
+	matchedEntity.Name = "mutated-name"
+	freshEntity, err := is.entityByAliasFactors(ghAccessor, loginAlias.Name, true)
+	require.NoError(t, err)
+	require.NotNil(t, freshEntity)
+	require.NotEqual(t, "mutated-name", freshEntity.Name)
+
+	notMatchedEntity, err := is.entityByAliasFactorsInTxnIf(txn, ghAccessor, loginAlias.Name, func(*identity.Alias) bool {
+		return false
+	})
+	require.NoError(t, err)
+	require.Nil(t, notMatchedEntity)
+}
+
 func TestIdentityStore_WrapInfoInheritance(t *testing.T) {
 	var err error
 	var resp *logical.Response
@@ -549,11 +593,13 @@ func TestIdentityStore_TokenEntityInheritance(t *testing.T) {
 }
 
 func TestIdentityStore_MergeConflictingAliases(t *testing.T) {
-	err := AddTestCredentialBackend("github", credGithub.Factory)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	conf := &CoreConfig{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CredentialBackends: map[string]logical.Factory{
+			"github": credGithub.Factory,
+		},
 	}
-	c, _, _ := TestCoreUnsealed(t)
+	c, _, _ := TestCoreUnsealedWithConfig(t, conf)
 
 	meGH := &MountEntry{
 		Table:       credentialTableType,
@@ -562,7 +608,7 @@ func TestIdentityStore_MergeConflictingAliases(t *testing.T) {
 		Description: "github auth",
 	}
 
-	err = c.enableCredential(namespace.RootContext(nil), meGH)
+	err := c.enableCredential(namespace.RootContext(nil), meGH)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -666,13 +712,13 @@ func testIdentityStoreWithGithubAuth(ctx context.Context, t *testing.T) (*Identi
 // backend to assist with testing aliases and entities that require an valid
 // mount accessor of an auth backend.
 func testIdentityStoreWithGithubAuthRoot(ctx context.Context, t *testing.T) (*IdentityStore, string, *Core, string) {
-	// Add github credential factory to core config
-	err := AddTestCredentialBackend("github", credGithub.Factory)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	conf := &CoreConfig{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CredentialBackends: map[string]logical.Factory{
+			"github": credGithub.Factory,
+		},
 	}
-
-	c, _, root := TestCoreUnsealed(t)
+	c, _, root := TestCoreUnsealedWithConfig(t, conf)
 
 	meGH := &MountEntry{
 		Table:       credentialTableType,
@@ -681,27 +727,44 @@ func testIdentityStoreWithGithubAuthRoot(ctx context.Context, t *testing.T) (*Id
 		Description: "github auth",
 	}
 
-	err = c.enableCredential(ctx, meGH)
-	if err != nil {
-		t.Fatal(err)
+	err := c.enableCredential(ctx, meGH)
+	require.NoError(t, err)
+
+	return c.identityStore, meGH.Accessor, c, root
+}
+
+// testIdentityStoreWithLocalGithubAuth returns an instance of identity store
+// which is mounted by default, and a mountedGitHub auth mount that is local.
+func testIdentityStoreWithLocalGithubAuth(ctx context.Context, t *testing.T) (*IdentityStore, string, *Core, string) {
+	// Add github credential factory to core config
+	err := AddTestCredentialBackend("github", credGithub.Factory)
+	require.NoError(t, err)
+
+	c, _, root := TestCoreUnsealed(t)
+
+	meGH := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "github/",
+		Type:        "github",
+		Description: "github auth",
+		Local:       true,
 	}
 
+	err = c.enableCredential(ctx, meGH)
+	require.NoError(t, err)
+
 	return c.identityStore, meGH.Accessor, c, root
 }
 
 func testIdentityStoreWithGithubUserpassAuth(ctx context.Context, t *testing.T) (*IdentityStore, string, string, *Core) {
-	// Setup 2 auth backends, github and userpass
-	err := AddTestCredentialBackend("github", credGithub.Factory)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	conf := &CoreConfig{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CredentialBackends: map[string]logical.Factory{
+			"github":   credGithub.Factory,
+			"userpass": credUserpass.Factory,
+		},
 	}
-
-	err = AddTestCredentialBackend("userpass", credUserpass.Factory)
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	c, _, _ := TestCoreUnsealed(t)
+	c, _, _ := TestCoreUnsealedWithConfig(t, conf)
 
 	githubMe := &MountEntry{
 		Table:       credentialTableType,
@@ -710,7 +773,7 @@ func testIdentityStoreWithGithubUserpassAuth(ctx context.Context, t *testing.T)
 		Description: "github auth",
 	}
 
-	err = c.enableCredential(ctx, githubMe)
+	err := c.enableCredential(ctx, githubMe)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -774,13 +837,13 @@ func expectSingleCount(t *testing.T, sink *metrics.InmemSink, keyPrefix string)
 }
 
 func TestIdentityStore_NewEntityCounter(t *testing.T) {
-	// Add github credential factory to core config
-	err := AddTestCredentialBackend("github", credGithub.Factory)
-	if err != nil {
-		t.Fatalf("err: %s", err)
+	conf := &CoreConfig{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CredentialBackends: map[string]logical.Factory{
+			"github": credGithub.Factory,
+		},
 	}
-
-	c, _, _, sink := TestCoreUnsealedWithMetrics(t)
+	c, _, _, sink := TestCoreUnsealedWithMetricsAndConfig(t, conf)
 
 	meGH := &MountEntry{
 		Table:       credentialTableType,
@@ -790,7 +853,7 @@ func TestIdentityStore_NewEntityCounter(t *testing.T) {
 	}
 
 	ctx := namespace.RootContext(nil)
-	err = c.enableCredential(ctx, meGH)
+	err := c.enableCredential(ctx, meGH)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1506,6 +1569,9 @@ func identityStoreLoadingIsDeterministic(t *testing.T, flags *determinismTestFla
 		CredentialBackends: map[string]logical.Factory{
 			"userpass": credUserpass.Factory,
 		},
+		ActivityLogConfig: ActivityLogCoreConfig{
+			DisableTimers: true,
+		},
 	}
 
 	c, sealKeys, rootToken := TestCoreUnsealedWithConfig(t, cfg)
@@ -1681,13 +1747,15 @@ func identityStoreLoadingIsDeterministic(t *testing.T, flags *determinismTestFla
 	var prevErr error
 
 	for i := 0; i < 10; i++ {
+		c.identityStore.lock.Lock()
 		err := c.identityStore.resetDB()
+		if err == nil {
+			logger.Info(" ==> BEGIN LOAD ARTIFACTS", "i", i)
+			err = c.identityStore.loadArtifacts(ctx, true)
+		}
+		c.identityStore.lock.Unlock()
 		require.NoError(t, err)
 
-		logger.Info(" ==> BEGIN LOAD ARTIFACTS", "i", i)
-
-		err = c.identityStore.loadArtifacts(ctx, true)
-
 		if i > 0 {
 			require.Equal(t, prevErr, err)
 		}
@@ -1806,7 +1874,6 @@ func TestIdentityStoreLoadingDuplicateReporting(t *testing.T) {
 			"userpass": credUserpass.Factory,
 		},
 	}
-
 	c, _, rootToken := TestCoreUnsealedWithConfig(t, cfg)
 
 	// Inject values into storage
@@ -1833,7 +1900,9 @@ func TestIdentityStoreLoadingDuplicateReporting(t *testing.T) {
 	// Setup a logger we can use to capture unseal logs
 	logBuf, stopCapture := startLogCapture(t, logger)
 
+	c.identityStore.lock.Lock()
 	err = c.identityStore.loadArtifacts(ctx, true)
+	c.identityStore.lock.Unlock()
 	stopCapture()
 
 	require.NoError(t, err)
@@ -1860,6 +1929,629 @@ func TestIdentityStoreLoadingDuplicateReporting(t *testing.T) {
 	require.Equal(t, wantGroups, numDupes["group"])
 }
 
+// TestIdentityStore_RepairEntityIntegrity tests repairing corrupted entities
+// during loading. The entity state in this test is derived from a pathological
+// case seen in the wild where an entity had 30+ duplicate aliases across two
+// different mounts, a dangling alias as the first in the list, and multiple
+// instances of the same entity somehow persisted in the list. We verify that
+// Vault is able to gracefully resolve integrity conflicts during load.
+//
+// When Vault encounters duplicate instances of the same alias it ougth to keep
+// a single reference.
+//
+// When Vault encounters the duplicate dangling alias now associate the dangling
+// alias with the correct alias and renames it to prevent it from becoming the
+// canonical source of the alias during reload.
+//
+// It's important to note that duplicate aliases are not actually resolved
+// automatically. Instead, we generate a report and log duplicate and renamed
+// dangling aliases and allow the caller to handle the duplicates in a way that
+// makes the most sense.
+func TestIdentityStore_RepairEntityIntegrity(t *testing.T) {
+	// Very the state of the cluster with and without forced deduplication
+	// enabled. While deduplication only matters for duplicate entities we still
+	// want to verify our aliases over this lifecycle.
+	ctx := namespace.RootContext(nil)
+	logger := corehelpers.NewTestLogger(t)
+	ims, err := inmem.NewTransactionalInmemHA(nil, logger)
+	require.NoError(t, err)
+	cfg := &CoreConfig{
+		Physical:        ims,
+		HAPhysical:      ims.(physical.HABackend),
+		Logger:          logger,
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": credUserpass.Factory,
+		},
+	}
+	c, sealKeys, rootToken := TestCoreUnsealedWithConfig(t, cfg)
+
+	// Our test relies on writing many duplication aliases that exist on
+	// multiple mounts with at least one dangling entity alias.
+	mount1 := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "auth_mount_1/",
+		Type:        "userpass",
+		Description: "auth_mount_1",
+	}
+	require.NoError(t, c.enableCredential(ctx, mount1))
+	mount2 := &MountEntry{
+		Table:       credentialTableType,
+		Path:        "auth_mount_2/",
+		Type:        "userpass",
+		Description: "auth_mount_2",
+	}
+	require.NoError(t, c.enableCredential(ctx, mount2))
+
+	// Write our very broken entity to storage
+	entityID := "06d30817-e137-c76f-78e5-1750b6b77ada"
+	aliasName := "system:serviceaccount:myservice:myuser"
+
+	// Dangling alias
+	danglingPriorCanonicalID := "9637a1e3-0b80-1139-357a-1ab66608f16a"
+	danglingAliasID := "72644fce-d03b-0ca5-3fde-1ec176a6849f"
+	priorCanonicalID := "5ff709c8-9147-e7e2-1937-842ecc7b255e"
+
+	// Aliase IDs
+	alias1Mount1ID := "6f0da6bf-f148-55fa-4e07-5290780de250"
+	alias1Mount2ID := "314fe666-e409-6d0d-2f37-5d568d1cd3d2"
+	alias2Mount2ID := "8c7e39b4-1b1b-d02c-f442-76b81c4624c0"
+	alias3Mount2ID := "48e71b42-d20a-cef4-36a8-94ace554db1a"
+
+	entity := &identity.Entity{
+		ID:          entityID,
+		Name:        "myuser",
+		Policies:    []string{"myservice", "admin"},
+		NamespaceID: namespace.RootNamespaceID,
+		BucketKey:   c.identityStore.entityPacker.BucketKey("myuser"),
+	}
+
+	// These entity aliases and duplicates are nearly identical to a pathological
+	// case seen in the wild. That's why there are so many variations of the same
+	// duplicate alias enumerated here!
+	entity.Aliases = []*identity.Alias{
+		{
+			// This here is our dangling entity. It is the one we expect to be
+			// reassociated and renamed.
+			ID:                     danglingAliasID,
+			CanonicalID:            danglingPriorCanonicalID,
+			MountAccessor:          mount1.Accessor,
+			MountType:              mount1.Type,
+			Local:                  mount1.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697590310, 633394406)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698014682, 763218270)),
+			MergedFromCanonicalIDs: []string{"9691a701-fb9d-e9db-4aa9-574d02a7b96b"},
+			NamespaceID:            mount1.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(danglingAliasID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{danglingPriorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{danglingPriorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias3Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1699849152, 946907725)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1699849152, 946907725)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias3Mount2ID),
+		},
+		{
+			ID:                     alias1Mount1ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount1.Accessor,
+			MountType:              mount1.Type,
+			Local:                  mount1.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1699845858, 939263738)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1699845858, 939263738)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount1.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount1ID),
+		},
+		{
+			ID:                     alias2Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1698105125, 809557511)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698105125, 809557511)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias2Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     danglingAliasID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount1.Accessor,
+			MountType:              mount1.Type,
+			Local:                  mount1.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697590310, 633394406)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698014682, 763218270)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount1.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(danglingAliasID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias3Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1699849152, 946907725)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1699849152, 946907725)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias3Mount2ID),
+		},
+		{
+			ID:                     alias2Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1698105125, 809557511)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698105125, 809557511)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias2Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     danglingAliasID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount1.Accessor,
+			MountType:              mount1.Type,
+			Local:                  mount1.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697590310, 633394406)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698014682, 763218270)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount1.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(danglingAliasID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias3Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1699849152, 946907725)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1699849152, 946907725)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias3Mount2ID),
+		},
+		{
+			ID:                     alias2Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1698105125, 809557511)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698105125, 809557511)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias2Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias3Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1699849152, 946907725)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1699849152, 946907725)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias3Mount2ID),
+		},
+		{
+			ID:                     danglingAliasID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount1.Accessor,
+			MountType:              mount1.Type,
+			Local:                  mount1.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697590310, 633394406)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698014682, 763218270)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount1.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(danglingAliasID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias2Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1698105125, 809557511)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698105125, 809557511)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias2Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias3Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1699849152, 946907725)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1699849152, 946907725)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias3Mount2ID),
+		},
+		{
+			ID:                     danglingAliasID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount1.Accessor,
+			MountType:              mount1.Type,
+			Local:                  mount1.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697590310, 633394406)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698014682, 763218270)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount1.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(danglingAliasID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias2Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1698105125, 809557511)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1698105125, 809557511)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+		{
+			ID:                     alias1Mount2ID,
+			CanonicalID:            entityID,
+			MountAccessor:          mount2.Accessor,
+			MountType:              mount2.Type,
+			Local:                  mount2.Local,
+			Name:                   aliasName,
+			CreationTime:           timestamppb.New(time.Unix(1697592308, 465326334)),
+			LastUpdateTime:         timestamppb.New(time.Unix(1697593548, 547367367)),
+			MergedFromCanonicalIDs: []string{priorCanonicalID},
+			NamespaceID:            mount2.NamespaceID,
+			LocalBucketKey:         c.identityStore.entityPacker.BucketKey(alias1Mount2ID),
+		},
+	}
+
+	// Persist the entity directly into storage, seal, and unseal to trigger
+	// our dangling alias resolver.
+	entityAny, err := anypb.New(entity)
+	require.NoError(t, err)
+	item := &storagepacker.Item{
+		ID:      entity.ID,
+		Message: entityAny,
+	}
+	require.NoError(t, c.identityStore.entityPacker.PutItem(ctx, item))
+
+	// Seal our cluster. During restore we'll verify our behavior.
+	require.NoError(t, c.Seal(rootToken))
+
+	var unsealed bool
+	for i := 0; i < 3; i++ {
+		unsealed, err = c.Unseal(sealKeys[i])
+		require.NoError(t, err)
+	}
+	require.Truef(t, unsealed, "expected clean unseal with complex duplicate entity aliases")
+
+	// Verify that the entity that we have in storage and membd matches a repaired
+	// copy of our entity.
+	expectedEntity, err := entity.Clone()
+	require.NoError(t, err)
+	integrityCheck, err := checkEntityIntegrity(expectedEntity)
+	require.Error(t, err)
+	require.NotNil(t, integrityCheck)
+	require.NoError(t, integrityCheck.repair(c.identityStore.logger))
+
+	// Make sure our expected entity is correct and that our entity matches it.
+	// We should have 5 total aliases by ID after repairing the integrity of the
+	// entity.
+	requireExpectedEntity := func(t *testing.T, expect, got *identity.Entity) {
+		require.Len(t, expect.Aliases, 5)
+		require.Len(t, got.Aliases, 5)
+		for entity := range slices.Values([]*identity.Entity{expect, got}) {
+			gotIDs := make([]string, 5)
+			for i, alias := range entity.Aliases {
+				gotIDs[i] = alias.ID
+			}
+			require.EqualValues(t, []string{
+				// NOTE: This order matters because repairing sorts the aliases by ID
+				alias1Mount2ID,  // "314fe666-e409-6d0d-2f37-5d568d1cd3d2"
+				alias3Mount2ID,  // "48e71b42-d20a-cef4-36a8-94ace554db1a"
+				alias1Mount1ID,  // "6f0da6bf-f148-55fa-4e07-5290780de250"
+				danglingAliasID, // "72644fce-d03b-0ca5-3fde-1ec176a6849f"
+				alias2Mount2ID,  // "8c7e39b4-1b1b-d02c-f442-76b81c4624c0"
+			}, gotIDs)
+		}
+
+		for i, ga := range got.Aliases {
+			oa := expect.Aliases[i]
+			require.Equal(t, oa.GetCanonicalID(), ga.GetCanonicalID())
+			require.Equal(t, oa.GetMountType(), ga.GetMountType())
+			require.Equal(t, oa.GetMountAccessor(), ga.GetMountAccessor())
+			require.Equal(t, oa.GetMountPath(), ga.GetMountPath())
+			require.True(t, oa.GetCreationTime().AsTime().Equal(ga.GetCreationTime().AsTime()))
+			require.Equal(t, oa.GetNamespaceID(), ga.GetNamespaceID())
+			require.EqualValues(t, oa.GetCustomMetadata(), ga.GetCustomMetadata())
+			require.Equal(t, oa.GetLocal(), ga.GetLocal())
+			require.Equal(t, oa.GetLocalBucketKey(), ga.GetLocalBucketKey())
+			require.Equal(t, oa.GetScimClientID(), ga.GetScimClientID())
+			require.Equal(t, oa.GetName(), ga.GetName())
+			require.EqualValues(t, oa.GetMetadata(), ga.GetMetadata())
+			require.EqualValues(t, oa.GetMergedFromCanonicalIDs(), ga.GetMergedFromCanonicalIDs())
+			require.EqualValues(t, slices.Sorted(maps.Keys(ga.GetMetadata())), slices.Sorted(maps.Keys(ga.GetMetadata())))
+			require.EqualValues(t, slices.Sorted(maps.Values(ga.GetMetadata())), slices.Sorted(maps.Values(ga.GetMetadata())))
+		}
+	}
+
+	// Check the entity from storage
+	packedEntity, err := c.identityStore.entityPacker.GetItem(entity.ID)
+	require.NoError(t, err)
+	newEntity := &identity.Entity{}
+	err = anypb.UnmarshalTo(packedEntity.GetMessage(), newEntity, proto.UnmarshalOptions{})
+	require.NoError(t, err)
+	requireExpectedEntity(t, expectedEntity, newEntity)
+
+	// Check the entity from memdb
+	newEntity, err = c.identityStore.MemDBEntityByID(entityID, false)
+	require.NoError(t, err)
+	requireExpectedEntity(t, expectedEntity, newEntity)
+}
+
 // logFn is a type we used to use here before concurrentLogBuffer was added.
 // It's used in other tests in Enterprise so we need to keep it around to avoid
 // breaking the build during merge
diff --git a/vault/identity_store_upgrade.go b/vault/identity_store_upgrade.go
index 20fe4c3417..a9dd38fdb7 100644
--- a/vault/identity_store_upgrade.go
+++ b/vault/identity_store_upgrade.go
@@ -156,6 +156,14 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 					Type:        framework.TypeString,
 					Description: "Name of the alias",
 				},
+				"external_id": {
+					Type:        framework.TypeString,
+					Description: "Unique external identifier from external IdP.",
+				},
+				"issuer": {
+					Type:        framework.TypeString,
+					Description: "Issuer name associated with this alias.",
+				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.UpdateOperation: i.handleAliasCreateUpdate(),
diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go
index 947cbef442..4c7ef2f6d5 100644
--- a/vault/identity_store_util.go
+++ b/vault/identity_store_util.go
@@ -7,7 +7,9 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"math/rand"
+	"slices"
 	"sort"
 	"strings"
 	"sync"
@@ -40,7 +42,7 @@ var (
 )
 
 // loadArtifacts is responsible for loading entities, groups, and aliases from
-// storage into MemDB.
+// storage into MemDB. The caller should hold the identity store lock.
 func (i *IdentityStore) loadArtifacts(ctx context.Context, isActive bool) error {
 	if i == nil {
 		return nil
@@ -106,6 +108,8 @@ func (i *IdentityStore) loadArtifacts(ctx context.Context, isActive bool) error
 			return fmt.Errorf("failed to load SCIM clients: %w", err)
 		}
 
+		i.startSCIMDeletingClientCleanup(ctx, isActive)
+
 		return nil
 	}
 
@@ -119,10 +123,19 @@ func (i *IdentityStore) loadArtifacts(ctx context.Context, isActive bool) error
 	// If the identity deduplication cleanup flag is activated, instead
 	// deal with duplicate entities and groups by renaming with a -UUID
 	// suffix. N.B. *entity alias* duplicates will still be merged as before.
-	if i.renameDuplicates.IsActivationFlagEnabled(activationflags.IdentityDeduplication) {
+	if i.activationManager.IsActivationFlagEnabled(activationflags.IdentityDeduplication) {
 		i.conflictResolver = &renameResolver{i.logger}
 	}
 
+	// Restore the in-memory scimEnabled flag from the persisted activation
+	// flags. The ActivationFunc callback only fires on API writes and storage
+	// invalidations, not on startup, so we must explicitly check the flag here
+	// to ensure SCIM paths remain available after seal/unseal.
+	if i.activationManager.IsActivationFlagEnabled(activationflags.SCIMEnablement) {
+		i.logger.Info("restoring SCIM enablement from persisted activation flags")
+		i.scimEnabled = true
+	}
+
 	// Load everything when MemDB is set to operate on lower cased names.
 	// errDuplicateIdentityName below should only happen if we're using the
 	// errorResolver (i.e. identity deduplication is not activated) and we
@@ -636,6 +649,45 @@ LOOP:
 						}
 						continue
 					}
+
+					// Check and repair any integrity issues in the entity. Issues here
+					// ought to be extremely rare but have been seen in clusters where
+					// where bugs in older versions of Vault might have persisted
+					// corrupted entities. These corrupted entities may have duplicate
+					// and/or dangling aliases that need to be cleaned up before we
+					// proceed.
+					// NOTE: This only repairs the integrity of the persisted entity. Any
+					// duplicate aliases will still require resolution either by the
+					// operator via delete or merge.
+					integrityCheck, err := checkEntityIntegrity(entity)
+					if err != nil {
+						i.logger.Warn("identity entity integrity check failed; attempting to repair",
+							"entity_id", entity.ID,
+							"has_nil_aliases", integrityCheck.hasNilAliases,
+							"dangling_aliases", integrityCheck.danglingAliases,
+							"aliases_with_duplicate_instances", slices.Sorted(maps.Keys(integrityCheck.duplicateAliases)),
+						)
+
+						if integrityCheck == nil {
+							return fmt.Errorf("identity entity integrity check failed; no plan to repair was generated: %w", err)
+						}
+
+						if err = integrityCheck.repair(i.logger); err != nil {
+							return fmt.Errorf("repairing identity entity integrity: %w", err)
+						}
+
+						if !(i.localNode.ReplicationState().HasState(consts.ReplicationPerformanceSecondary) || i.localNode.HAState() == consts.PerfStandby) {
+							i.logger.Warn("persisting repaired identity entity",
+								"name", entity.Name,
+								"id", entity.ID,
+								"namespace_id", entity.NamespaceID,
+							)
+							if err = i.persistEntity(ctx, entity); err != nil {
+								return err
+							}
+						}
+					}
+
 					nsCtx := namespace.ContextWithNamespace(ctx, ns)
 
 					// Ensure that there are no entities with duplicate names
@@ -643,6 +695,7 @@ LOOP:
 					if err != nil {
 						return nil
 					}
+
 					modified, err := i.conflictResolver.ResolveEntities(ctx, entityByName, entity)
 					if err != nil && !i.disableLowerCasedNames {
 						return err
@@ -913,7 +966,6 @@ func (i *IdentityStore) upsertEntityInTxn(ctx context.Context, txn *memdb.Txn, e
 			// into merging. We don't need a namespace check here as existing
 			// checks when creating the aliases should ensure that all line up.
 			fallthrough
-
 		default:
 			// Though this is technically a conflict that should be resolved by the
 			// ConflictResolver implementation, the behavior here is a bit nuanced.
@@ -923,7 +975,8 @@ func (i *IdentityStore) upsertEntityInTxn(ctx context.Context, txn *memdb.Txn, e
 				"alias_id", alias.ID,
 				"other_entity_id", aliasByFactors.CanonicalID,
 				"entity_aliases", entity.Aliases,
-				"alias_by_factors", aliasByFactors)
+				"alias_by_factors", aliasByFactors,
+			)
 
 			persistMerge := persist || persistMerges
 			respErr, intErr := i.mergeEntityAsPartOfUpsert(ctx, txn, entity, aliasByFactors.CanonicalID, persistMerge)
@@ -1032,6 +1085,13 @@ func (i *IdentityStore) processLocalAlias(ctx context.Context, lAlias *logical.A
 		return nil, fmt.Errorf("alias is not local")
 	}
 
+	if lAlias.NamespaceID == "" {
+		ns, err := namespace.FromContext(ctx)
+		if err == nil {
+			lAlias.NamespaceID = ns.ID
+		}
+	}
+
 	mountValidationResp := i.router.ValidateMountByAccessor(lAlias.MountAccessor)
 	if mountValidationResp == nil {
 		return nil, fmt.Errorf("invalid mount accessor %q", lAlias.MountAccessor)
@@ -1046,6 +1106,37 @@ func (i *IdentityStore) processLocalAlias(ctx context.Context, lAlias *logical.A
 		return nil, err
 	}
 
+	if alias != nil {
+		// If it exists, we cannot modify external id and issuer
+		if lAlias.ExternalID != alias.ExternalID || lAlias.Issuer != alias.Issuer {
+			return nil, fmt.Errorf("modifying external_id and issuer is forbidden (alias %s)", alias.ID)
+		}
+	}
+
+	// validate alias does not have same external ID and issuer as any existing entity alias's
+	if lAlias.Issuer != "" && lAlias.ExternalID != "" && lAlias.NamespaceID != "" {
+		extAlias, err := i.MemDBAliasByIssuerAndExternalId(lAlias.Issuer, lAlias.ExternalID, lAlias.NamespaceID, false)
+		if err != nil && !errors.Is(err, ErrNoAliasFound) {
+			return nil, err
+		}
+
+		// Validate an alias with these factors doesn't exist anywhere else
+		if extAlias != nil {
+			if extAlias.ID != lAlias.ID {
+				return nil, fmt.Errorf("cannot insert alias with this issuer, external_id and namespace, as one already exists")
+			}
+		}
+
+		// Validate none of the existing aliases on the entity have the same factors
+		for _, a := range entity.Aliases {
+			if a.ID != lAlias.ID {
+				if lAlias.ExternalID == a.ExternalID && lAlias.Issuer == a.Issuer && lAlias.NamespaceID == a.NamespaceID {
+					return nil, fmt.Errorf("alias with this external id, issuer, and namespace already present in entity (alias %s)", lAlias.ID)
+				}
+			}
+		}
+	}
+
 	if alias == nil {
 		alias = &identity.Alias{}
 	}
@@ -1058,6 +1149,9 @@ func (i *IdentityStore) processLocalAlias(ctx context.Context, lAlias *logical.A
 	alias.MountType = mountValidationResp.MountType
 	alias.Local = lAlias.Local
 	alias.CustomMetadata = lAlias.CustomMetadata
+	alias.Issuer = lAlias.Issuer
+	alias.ExternalID = lAlias.ExternalID
+	alias.NamespaceID = lAlias.NamespaceID
 
 	if err := i.sanitizeAlias(ctx, alias); err != nil {
 		return nil, err
@@ -1445,6 +1539,55 @@ func (i *IdentityStore) MemDBAliases(ws memdb.WatchSet, groupAlias bool) (memdb.
 	return iter, nil
 }
 
+// MemDBAliasesByScimClientIDInTxn returns all entity aliases belonging to the
+// given SCIM client within the namespace derived from ctx.
+func (i *IdentityStore) MemDBAliasesByScimClientIDInTxn(ctx context.Context, txn *memdb.Txn, scimClientID string) ([]*identity.Alias, error) {
+	if txn == nil {
+		return nil, fmt.Errorf("nil txn")
+	}
+	if scimClientID == "" {
+		return nil, fmt.Errorf("empty scim client id")
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	iter, err := txn.Get(entityAliasesTable, "scim_client_id", ns.ID, scimClientID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to lookup aliases using scim client id: %w", err)
+	}
+
+	var aliases []*identity.Alias
+	for raw := iter.Next(); raw != nil; raw = iter.Next() {
+		alias, ok := raw.(*identity.Alias)
+		if !ok {
+			return nil, fmt.Errorf("failed to declare the type of fetched alias")
+		}
+		cloned, err := alias.Clone()
+		if err != nil {
+			return nil, err
+		}
+		aliases = append(aliases, cloned)
+	}
+
+	return aliases, nil
+}
+
+// MemDBAliasesByScimClientID returns all entity aliases belonging to the given
+// SCIM client within the namespace derived from ctx.
+func (i *IdentityStore) MemDBAliasesByScimClientID(ctx context.Context, scimClientID string) ([]*identity.Alias, error) {
+	if scimClientID == "" {
+		return nil, fmt.Errorf("empty scim client id")
+	}
+
+	txn := i.db.Txn(false)
+	defer txn.Abort()
+
+	return i.MemDBAliasesByScimClientIDInTxn(ctx, txn, scimClientID)
+}
+
 func (i *IdentityStore) MemDBUpsertEntityInTxn(txn *memdb.Txn, entity *identity.Entity) error {
 	if txn == nil {
 		return fmt.Errorf("nil txn")
@@ -1758,6 +1901,35 @@ func (i *IdentityStore) MemDBEntityByAliasIDInTxn(txn *memdb.Txn, aliasID string
 	return i.MemDBEntityByIDInTxn(txn, alias.CanonicalID, clone)
 }
 
+// MemDBEntityByAliasIDInTxnClonePredicate fetches and clones an entity by alias
+// ID only when shouldClone evaluates to true for the alias.
+func (i *IdentityStore) MemDBEntityByAliasIDInTxnClonePredicate(txn *memdb.Txn, aliasID string, shouldClone func(*identity.Alias) bool) (*identity.Entity, error) {
+	var entity *identity.Entity
+
+	if aliasID == "" {
+		return nil, fmt.Errorf("missing alias ID")
+	}
+
+	if txn == nil {
+		return nil, fmt.Errorf("txn is nil")
+	}
+
+	alias, err := i.MemDBAliasByIDInTxn(txn, aliasID, false, false)
+	if err != nil {
+		return nil, err
+	}
+
+	if alias == nil {
+		return entity, nil
+	}
+
+	if shouldClone != nil && !shouldClone(alias) {
+		return entity, nil
+	}
+
+	return i.MemDBEntityByIDInTxn(txn, alias.CanonicalID, true)
+}
+
 func (i *IdentityStore) MemDBEntityByAliasID(aliasID string, clone bool) (*identity.Entity, error) {
 	if aliasID == "" {
 		return nil, fmt.Errorf("missing alias ID")
diff --git a/vault/identity_store_util_stubs_oss.go b/vault/identity_store_util_stubs_oss.go
new file mode 100644
index 0000000000..4d06f09b9e
--- /dev/null
+++ b/vault/identity_store_util_stubs_oss.go
@@ -0,0 +1,19 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import (
+	"github.com/hashicorp/go-memdb"
+	"github.com/hashicorp/vault/helper/identity"
+)
+
+func (i *IdentityStore) MemDBAliasByIssuerAndExternalId(_, _, _ string, _ bool) (*identity.Alias, error) {
+	return nil, nil
+}
+
+func (i *IdentityStore) MemDBAliasByIssuerAndExternalIdInTxn(_ *memdb.Txn, _, _, _ string, _ bool) (*identity.Alias, error) {
+	return nil, nil
+}
diff --git a/vault/init.go b/vault/init.go
index f1cde33e4f..07960d7c95 100644
--- a/vault/init.go
+++ b/vault/init.go
@@ -163,6 +163,10 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 		return nil, err
 	}
 
+	if err := c.ValidateMultiSealConfig(ctx, true); err != nil {
+		return nil, err
+	}
+
 	atomic.StoreUint32(&initInProgress, 1)
 	defer atomic.StoreUint32(&initInProgress, 0)
 	barrierConfig := initParams.BarrierConfig
@@ -443,6 +447,23 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 	return results, nil
 }
 
+// ValidateMultiSealConfig is an utility method for verifying SealGenerationInfo.
+// Its purpose is to read the existing SealGenerationInfo from storage, if any,
+// and to determine whether there are partially wrapped paths.
+// Argument onInit indicates whether Vault is being initialized and thus creating
+// the initial barrier seal.
+func (c *Core) ValidateMultiSealConfig(ctx context.Context, onInit bool) error {
+	existingSgi, err := PhysicalSealGenInfo(ctx, c.PhysicalAccess())
+	if err != nil {
+		return fmt.Errorf("error reading existing seal generation info from storage: %w", err)
+	}
+	hasPartiallyWrappedPaths, err := HasPartiallyWrappedPaths(ctx, c.PhysicalAccess())
+	if err != nil {
+		return fmt.Errorf("cannot determine whether partially wrapped entries in storage: %w", err)
+	}
+	return seal.ValidateMultiSealGenerationInfo(onInit, c.seal.GetAccess().GetSealGenerationInfo(), existingSgi, hasPartiallyWrappedPaths)
+}
+
 // UnsealWithStoredKeys performs auto-unseal using stored keys. An error
 // return value of "nil" implies the Vault instance is unsealed.
 //
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 56b290f3f7..7e1c3a2bae 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -4,6 +4,7 @@
 package vault
 
 import (
+	"bytes"
 	"context"
 	crand "crypto/rand"
 	"crypto/sha256"
@@ -14,6 +15,7 @@ import (
 	"errors"
 	"fmt"
 	"hash"
+	"io"
 	"math/rand"
 	"net/http"
 	"net/url"
@@ -43,6 +45,7 @@ import (
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/monitor"
 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/helper/pgpkeys"
 	"github.com/hashicorp/vault/helper/random"
 	"github.com/hashicorp/vault/helper/versions"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -106,6 +109,59 @@ func NewSystemBackend(core *Core, logger log.Logger, config *logical.BackendConf
 		raftChallengeLimiter: rate.NewLimiter(rate.Limit(RaftChallengesPerSecond), RaftInitialChallengeLimit),
 	}
 
+	// Build the unauthenticated paths list.
+	unauthenticatedPaths := []string{
+		"wrapping/lookup",
+		"wrapping/pubkey",
+		"replication/status",
+		"internal/specs/openapi",
+		"internal/ui/authenticated-messages",
+		"internal/ui/unauthenticated-messages",
+		"internal/ui/mounts",
+		"internal/ui/mounts/*",
+		"internal/ui/namespaces",
+		"replication/performance/status",
+		"replication/dr/status",
+		"replication/dr/secondary/promote",
+		"replication/dr/secondary/disable",
+		"replication/dr/secondary/recover",
+		"replication/dr/secondary/update-primary",
+		"replication/dr/secondary/operation-token/delete",
+		"replication/dr/secondary/license",
+		"replication/dr/secondary/license/signed",
+		"replication/dr/secondary/license/status",
+		"replication/dr/secondary/sys/config/reload/license",
+		"replication/dr/secondary/reindex",
+		"storage/raft/bootstrap/challenge",
+		"storage/raft/bootstrap/answer",
+		"init",
+		"seal-status",
+		"unseal",
+		"leader",
+		"health",
+		"decode-token",
+		"mfa/validate",
+	}
+
+	// Note that while rekeyPaths and generateRootPaths are not part of unauthenticatedPaths, that's
+	// because they are defined both here and in http.handler.  The latter ones
+	// are unauthenticated and don't use the logical framework.  They are enabled
+	// only when Core.enableUnauthRekey or Core.enableUnauthGenerateRoot is true, and being more specific paths
+	// than the v1/sys mux path they take precedence when enabled.
+	rekeyPaths := []string{
+		"rekey/init",
+		"rekey/update",
+		"rekey/verify",
+		"rekey-recovery-key/init",
+		"rekey-recovery-key/update",
+		"rekey-recovery-key/verify",
+	}
+
+	generateRootPaths := []string{
+		"generate-root/attempt",
+		"generate-root/update",
+	}
+
 	b.Backend = &framework.Backend{
 		RunningVersion: versions.DefaultBuiltinVersion,
 		Help:           strings.TrimSpace(sysHelpRoot),
@@ -113,6 +169,7 @@ func NewSystemBackend(core *Core, logger log.Logger, config *logical.BackendConf
 		PathsSpecial: &logical.Paths{
 			Root: []string{
 				"auth/*",
+				"mounts/auth/+/tune",
 				"remount",
 				"audit",
 				"audit/*",
@@ -145,48 +202,12 @@ func NewSystemBackend(core *Core, logger log.Logger, config *logical.BackendConf
 				// to declare them here so that the generated OpenAPI spec gets their sudo status correct.
 				"seal",
 				"step-down",
+				"activation-flags/oauth-resource-server/activate",
+				"activation-flags/oauth-resource-server/deactivate",
+				"config/oauth-resource-server/*",
 			},
 
-			Unauthenticated: []string{
-				"wrapping/lookup",
-				"wrapping/pubkey",
-				"replication/status",
-				"internal/specs/openapi",
-				"internal/ui/authenticated-messages",
-				"internal/ui/unauthenticated-messages",
-				"internal/ui/mounts",
-				"internal/ui/mounts/*",
-				"internal/ui/namespaces",
-				"replication/performance/status",
-				"replication/dr/status",
-				"replication/dr/secondary/promote",
-				"replication/dr/secondary/disable",
-				"replication/dr/secondary/recover",
-				"replication/dr/secondary/update-primary",
-				"replication/dr/secondary/operation-token/delete",
-				"replication/dr/secondary/license",
-				"replication/dr/secondary/license/signed",
-				"replication/dr/secondary/license/status",
-				"replication/dr/secondary/sys/config/reload/license",
-				"replication/dr/secondary/reindex",
-				"storage/raft/bootstrap/challenge",
-				"storage/raft/bootstrap/answer",
-				"init",
-				"seal-status",
-				"unseal",
-				"leader",
-				"health",
-				"generate-root/attempt",
-				"generate-root/update",
-				"decode-token",
-				"rekey/init",
-				"rekey/update",
-				"rekey/verify",
-				"rekey-recovery-key/init",
-				"rekey-recovery-key/update",
-				"rekey-recovery-key/verify",
-				"mfa/validate",
-			},
+			Unauthenticated: unauthenticatedPaths,
 
 			LocalStorage: []string{
 				expirationSubPath,
@@ -199,6 +220,8 @@ func NewSystemBackend(core *Core, logger log.Logger, config *logical.BackendConf
 			SealWrapStorage: []string{
 				managedKeyRegistrySubPath,
 			},
+
+			Binary: append(append(rekeyPaths, generateRootPaths...), entBinaryPaths()...),
 		},
 	}
 	b.Backend.PathsSpecial.Unauthenticated = append(b.Backend.PathsSpecial.Unauthenticated, entUnauthenticatedPaths()...)
@@ -1373,6 +1396,519 @@ func (b *SystemBackend) handleRekeyDeleteRecovery(ctx context.Context, req *logi
 	return b.handleRekeyDelete(ctx, req, data, true)
 }
 
+type RekeyStatusResponse struct {
+	Nonce                string   `json:"nonce"`
+	Started              bool     `json:"started"`
+	T                    int      `json:"t"`
+	N                    int      `json:"n"`
+	Progress             int      `json:"progress"`
+	Required             int      `json:"required"`
+	PGPFingerprints      []string `json:"pgp_fingerprints"`
+	Backup               bool     `json:"backup"`
+	VerificationRequired bool     `json:"verification_required"`
+	VerificationNonce    string   `json:"verification_nonce,omitempty"`
+}
+
+func HandleSysRekeyInitGet(ctx context.Context, core *Core, recovery bool, grabLock bool) (*RekeyStatusResponse, int, error) {
+	barrierConfig, barrierConfErr := core.SealAccess().BarrierConfig(ctx)
+	if barrierConfErr != nil {
+		return nil, http.StatusInternalServerError, barrierConfErr
+	}
+	if barrierConfig == nil {
+		return nil, http.StatusBadRequest, fmt.Errorf("server is not yet initialized")
+	}
+
+	// Get the rekey configuration
+	rekeyConf, err := core.RekeyConfig(recovery, grabLock)
+	if err != nil {
+		return nil, err.Code(), err
+	}
+
+	sealThreshold, err := core.RekeyThreshold(ctx, recovery, grabLock)
+	if err != nil {
+		return nil, err.Code(), err
+	}
+
+	// Format the status
+	status := &RekeyStatusResponse{
+		Started:  false,
+		T:        0,
+		N:        0,
+		Required: sealThreshold,
+	}
+	if rekeyConf != nil {
+		// Get the progress
+		started, progress, err := core.RekeyProgress(recovery, false, grabLock)
+		if err != nil {
+			return nil, err.Code(), err
+		}
+
+		status.Nonce = rekeyConf.Nonce
+		status.Started = started
+		status.T = rekeyConf.SecretThreshold
+		status.N = rekeyConf.SecretShares
+		status.Progress = progress
+		status.VerificationRequired = rekeyConf.VerificationRequired
+		status.VerificationNonce = rekeyConf.VerificationNonce
+		if rekeyConf.PGPKeys != nil && len(rekeyConf.PGPKeys) != 0 {
+			pgpFingerprints, err := pgpkeys.GetFingerprints(rekeyConf.PGPKeys, nil)
+			if err != nil {
+				return nil, http.StatusInternalServerError, err
+			}
+			status.PGPFingerprints = pgpFingerprints
+			status.Backup = rekeyConf.Backup
+		}
+	}
+	return status, 0, nil
+}
+
+type RekeyRequest struct {
+	SecretShares        int      `json:"secret_shares"`
+	SecretThreshold     int      `json:"secret_threshold"`
+	StoredShares        int      `json:"stored_shares"`
+	PGPKeys             []string `json:"pgp_keys"`
+	Backup              bool     `json:"backup"`
+	RequireVerification bool     `json:"require_verification"`
+}
+
+func HandleSysRekeyInitPut(core *Core, recovery bool, req *RekeyRequest, grabLock bool) (int, error) {
+	if req.Backup && len(req.PGPKeys) == 0 {
+		return http.StatusBadRequest, fmt.Errorf("cannot request a backup of the new keys without providing PGP keys for encryption")
+	}
+
+	if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares {
+		return http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey")
+	}
+
+	// Initialize the rekey
+	err := core.RekeyInit(&SealConfig{
+		SecretShares:         req.SecretShares,
+		SecretThreshold:      req.SecretThreshold,
+		StoredShares:         req.StoredShares,
+		PGPKeys:              req.PGPKeys,
+		Backup:               req.Backup,
+		VerificationRequired: req.RequireVerification,
+		Created:              time.Now().UTC(),
+	}, recovery, grabLock)
+	if err != nil {
+		return err.Code(), err
+	}
+	return http.StatusOK, nil
+}
+
+type RekeyUpdateRequest struct {
+	Nonce string
+	Key   string
+}
+
+type RekeyUpdateResponse struct {
+	Nonce                string   `json:"nonce"`
+	Complete             bool     `json:"complete"`
+	Keys                 []string `json:"keys"`
+	KeysB64              []string `json:"keys_base64"`
+	PGPFingerprints      []string `json:"pgp_fingerprints"`
+	Backup               bool     `json:"backup"`
+	VerificationRequired bool     `json:"verification_required"`
+	VerificationNonce    string   `json:"verification_nonce,omitempty"`
+}
+
+func HandleSysRekeyUpdatePut(ctx context.Context, core *Core, recovery bool, req *RekeyUpdateRequest, grabLock bool) (*RekeyUpdateResponse, int, error) {
+	if req.Key == "" {
+		return nil, http.StatusBadRequest, errors.New("'key' must be specified in request body as JSON")
+	}
+
+	// Decode the key, which is base64 or hex encoded
+	min, max := core.BarrierKeyLength()
+	key, err := hex.DecodeString(req.Key)
+	// We check min and max here to ensure that a string that is base64
+	// encoded but also valid hex will not be valid and we instead base64
+	// decode it
+	if err != nil || len(key) < min || len(key) > max {
+		key, err = base64.StdEncoding.DecodeString(req.Key)
+		if err != nil {
+			return nil, http.StatusBadRequest, errors.New("'key' must be a valid hex or base64 string")
+		}
+	}
+
+	// Use the key to make progress on rekey
+	result, rekeyErr := core.RekeyUpdate(ctx, key, req.Nonce, recovery, grabLock)
+
+	if rekeyErr != nil {
+		return nil, rekeyErr.Code(), rekeyErr
+	}
+
+	// Format the response
+	resp := &RekeyUpdateResponse{}
+	if result != nil {
+		resp.Complete = true
+		resp.Nonce = req.Nonce
+		resp.Backup = result.Backup
+		resp.PGPFingerprints = result.PGPFingerprints
+		resp.VerificationRequired = result.VerificationRequired
+		resp.VerificationNonce = result.VerificationNonce
+
+		// Encode the keys
+		keys := make([]string, 0, len(result.SecretShares))
+		keysB64 := make([]string, 0, len(result.SecretShares))
+		for _, k := range result.SecretShares {
+			keys = append(keys, hex.EncodeToString(k))
+			keysB64 = append(keysB64, base64.StdEncoding.EncodeToString(k))
+		}
+		resp.Keys = keys
+		resp.KeysB64 = keysB64
+		return resp, 0, nil
+	}
+	return nil, 0, nil
+}
+
+type RekeyVerifyStatusResponse struct {
+	Nonce    string `json:"nonce"`
+	Started  bool   `json:"started"`
+	T        int    `json:"t"`
+	N        int    `json:"n"`
+	Progress int    `json:"progress"`
+}
+
+func HandleSysRekeyVerifyGet(ctx context.Context, core *Core, recovery bool, grabLock bool) (*RekeyVerifyStatusResponse, int, error) {
+	barrierConfig, err := core.SealAccess().BarrierConfig(ctx)
+	if err != nil {
+		return nil, http.StatusInternalServerError, err
+	}
+	if barrierConfig == nil {
+		return nil, http.StatusBadRequest, fmt.Errorf("server is not yet initialized")
+	}
+
+	// Get the rekey configuration
+	rekeyConf, rekeyErr := core.RekeyConfig(recovery, grabLock)
+	if rekeyErr != nil {
+		return nil, rekeyErr.Code(), rekeyErr
+	}
+	if rekeyConf == nil {
+		return nil, http.StatusBadRequest, fmt.Errorf("no rekey configuration found")
+	}
+
+	// Get the progress
+	started, progress, rekeyErr := core.RekeyProgress(recovery, true, grabLock)
+	if rekeyErr != nil {
+		return nil, rekeyErr.Code(), rekeyErr
+	}
+
+	// Format the status
+	status := &RekeyVerifyStatusResponse{
+		Started:  started,
+		Nonce:    rekeyConf.VerificationNonce,
+		T:        rekeyConf.SecretThreshold,
+		N:        rekeyConf.SecretShares,
+		Progress: progress,
+	}
+	return status, 0, nil
+}
+
+type RekeyVerificationUpdateRequest struct {
+	Nonce string `json:"nonce"`
+	Key   string `json:"key"`
+}
+
+type RekeyVerificationUpdateResponse struct {
+	Nonce    string `json:"nonce"`
+	Complete bool   `json:"complete"`
+}
+
+func HandleSysRekeyVerifyPut(ctx context.Context, core *Core, recovery bool, grabLock bool, req *RekeyVerificationUpdateRequest) (*RekeyVerificationUpdateResponse, int, error) {
+	if req.Key == "" {
+		return nil, http.StatusBadRequest, errors.New("'key' must be specified in request body as JSON")
+	}
+
+	// Decode the key, which is base64 or hex encoded
+	min, max := core.BarrierKeyLength()
+	key, err := hex.DecodeString(req.Key)
+	// We check min and max here to ensure that a string that is base64
+	// encoded but also valid hex will not be valid and we instead base64
+	// decode it
+	if err != nil || len(key) < min || len(key) > max {
+		key, err = base64.StdEncoding.DecodeString(req.Key)
+		if err != nil {
+			return nil, http.StatusBadRequest, errors.New("'key' must be a valid hex or base64 string")
+		}
+	}
+
+	// Use the key to make progress on rekey
+	result, rekeyErr := core.RekeyVerify(ctx, key, req.Nonce, recovery, grabLock)
+	if rekeyErr != nil {
+		return nil, rekeyErr.Code(), rekeyErr
+	}
+	if result != nil {
+		return &RekeyVerificationUpdateResponse{
+			Nonce:    result.Nonce,
+			Complete: result.Complete,
+		}, http.StatusOK, nil
+	}
+	return nil, 0, nil
+}
+
+// handleRekeyInit handles the rekey/init endpoint for both barrier and recovery keys
+func (b *SystemBackend) handleRekeyInit(
+	ctx context.Context,
+	req *logical.Request,
+	recovery bool,
+) (*logical.Response, error) {
+	// Check replication state
+	repState := b.Core.ReplicationState()
+	if repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return logical.ErrorResponse("rekeying can only be performed on the primary cluster when replication is activated"), nil
+	}
+
+	// Check if recovery key is supported
+	if recovery && !b.Core.SealAccess().RecoveryKeySupported() {
+		return logical.ErrorResponse("recovery rekeying not supported"), nil
+	}
+
+	switch req.Operation {
+	case logical.ReadOperation:
+		return b.handleRekeyInitGet(ctx, recovery)
+	case logical.UpdateOperation:
+		return b.handleRekeyInitPut(ctx, recovery)
+	case logical.DeleteOperation:
+		return b.handleRekeyInitDelete(ctx, recovery)
+	default:
+		return nil, logical.ErrUnsupportedOperation
+	}
+}
+
+// getJSONBody populates the out struct with the contents of the HTTP request body
+// and returns (nil, nil), or on error returns values that a handler can return
+// for failure.  This is intended for older APIs that don't use the framework.
+func getJSONBody(ctx context.Context, out any) (*logical.Response, error) {
+	body, ok := logical.ContextOriginalBodyValue(ctx)
+	if !ok {
+		return nonLogicalError(http.StatusInternalServerError, fmt.Errorf("failed to retrieve request body"))
+	}
+	err := jsonutil.DecodeJSONFromReader(body, out)
+	if err != nil && err != io.EOF {
+		return nonLogicalError(http.StatusBadRequest, fmt.Errorf("failed to parse JSON input: %w", err))
+	}
+	return nil, nil
+}
+
+// nonLogicalError creates an error response for older handlers that don't follow
+// current vault response conventions.
+func nonLogicalError(code int, err error) (*logical.Response, error) {
+	logical.AdjustErrorStatusCode(&code, err)
+	defer logical.IncrementResponseStatusCodeMetric(code)
+
+	var buf bytes.Buffer
+	json.NewEncoder(&buf).Encode(logical.GenerateNonLogicalErrorResponse(code, err))
+
+	resp, _ := logical.RespondWithStatusCode(nil, nil, code)
+	resp.Data[logical.HTTPRawBodyError] = buf.String()
+	return resp, err
+}
+
+// nonLogicalResponse takes the result of a request handler, and either returns
+// an error response if err is non nil, or serializes the val into the response.
+// It uses the HTTP raw body field in response data, since this is for older
+// APIs that don't follow our usual response format.
+func nonLogicalResponse(val any, code int, err error) (*logical.Response, error) {
+	if err != nil {
+		return nonLogicalError(code, err)
+	}
+
+	var buf bytes.Buffer
+	json.NewEncoder(&buf).Encode(val)
+	resp, _ := logical.RespondWithStatusCode(nil, nil, http.StatusOK)
+	resp.Data[logical.HTTPRawBody] = buf.String()
+	return resp, nil
+}
+
+func (b *SystemBackend) handleRekeyInitBarrier(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyInit(ctx, req, false)
+}
+
+func (b *SystemBackend) handleRekeyInitRecovery(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyInit(ctx, req, true)
+}
+
+func (b *SystemBackend) handleRekeyInitGet(ctx context.Context, recovery bool) (*logical.Response, error) {
+	status, code, err := HandleSysRekeyInitGet(ctx, b.Core, recovery, false)
+	return nonLogicalResponse(status, code, err)
+}
+
+func (b *SystemBackend) handleRekeyInitPut(ctx context.Context, recovery bool) (*logical.Response, error) {
+	var req RekeyRequest
+	resp, err := getJSONBody(ctx, &req)
+	if err != nil {
+		return resp, err
+	}
+
+	code, err := HandleSysRekeyInitPut(b.Core, recovery, &req, false)
+	if err != nil {
+		return nonLogicalError(code, err)
+	}
+
+	return b.handleRekeyInitGet(ctx, recovery)
+}
+
+type RekeyDeleteRequest struct {
+	Nonce string `json:"nonce"`
+	Key   string `json:"key"`
+}
+
+func (b *SystemBackend) handleRekeyInitDelete(ctx context.Context, recovery bool) (*logical.Response, error) {
+	var req RekeyDeleteRequest
+	resp, err := getJSONBody(ctx, &req)
+	if err != nil {
+		return resp, err
+	}
+
+	if err := b.Core.RekeyCancel(recovery, req.Nonce, 10*time.Minute, false); err != nil {
+		return nil, fmt.Errorf("failed to cancel rekey: %w", err)
+	}
+
+	return nil, nil
+}
+
+// handleRekeyUpdate handles the rekey/update endpoint for both barrier and recovery keys
+func (b *SystemBackend) handleRekeyUpdate(ctx context.Context, recovery bool) (*logical.Response, error) {
+	var req RekeyUpdateRequest
+	resp, err := getJSONBody(ctx, &req)
+	if err != nil {
+		return resp, err
+	}
+
+	// Use the key to make progress on rekey
+	result, code, err := HandleSysRekeyUpdatePut(ctx, b.Core, recovery, &req, false)
+	if err == nil && result == nil {
+		return b.handleRekeyInitGet(ctx, recovery)
+	}
+	return nonLogicalResponse(result, code, err)
+}
+
+func (b *SystemBackend) handleRekeyUpdateBarrier(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyUpdate(ctx, false)
+}
+
+func (b *SystemBackend) handleRekeyUpdateRecovery(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyUpdate(ctx, true)
+}
+
+// handleGenerateRootAttempt handles the generate-root/attempt endpoint
+func (b *SystemBackend) handleGenerateRootAttempt(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	switch req.Operation {
+	case logical.ReadOperation:
+		return b.handleGenerateRootAttemptGet(ctx)
+	case logical.UpdateOperation:
+		return b.handleGenerateRootAttemptPut(ctx)
+	case logical.DeleteOperation:
+		return b.handleGenerateRootAttemptDelete(ctx)
+	default:
+		return nil, logical.ErrUnsupportedOperation
+	}
+}
+
+func (b *SystemBackend) handleGenerateRootAttemptGet(ctx context.Context) (*logical.Response, error) {
+	status, code, err := HandleSysGenerateRootAttemptGet(ctx, b.Core, "", false)
+	return nonLogicalResponse(status, code, err)
+}
+
+func (b *SystemBackend) handleGenerateRootAttemptPut(ctx context.Context) (*logical.Response, error) {
+	var req GenerateRootInitRequest
+	resp, err := getJSONBody(ctx, &req)
+	if err != nil {
+		return resp, err
+	}
+
+	otp, code, err := HandleSysGenerateRootAttemptPut(b.Core, GenerateStandardRootTokenStrategy, &req, false)
+	if err != nil {
+		return nonLogicalError(code, err)
+	}
+
+	// Return status with OTP if generated
+	status, code, err := HandleSysGenerateRootAttemptGet(ctx, b.Core, otp, false)
+	return nonLogicalResponse(status, code, err)
+}
+
+func (b *SystemBackend) handleGenerateRootAttemptDelete(ctx context.Context) (*logical.Response, error) {
+	code, err := HandleSysGenerateRootAttemptDelete(b.Core, false)
+	if err != nil {
+		return nonLogicalError(code, err)
+	}
+	return nil, nil
+}
+
+// handleGenerateRootUpdate handles the generate-root/update endpoint
+func (b *SystemBackend) handleGenerateRootUpdate(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	var updateReq GenerateRootUpdateRequest
+	resp, err := getJSONBody(ctx, &updateReq)
+	if err != nil {
+		return resp, err
+	}
+
+	result, code, err := HandleSysGenerateRootUpdate(ctx, b.Core, GenerateStandardRootTokenStrategy, &updateReq, false)
+	return nonLogicalResponse(result, code, err)
+}
+
+// handleRekeyVerify handles the rekey/verify endpoint for both barrier and recovery keys
+func (b *SystemBackend) handleRekeyVerify(ctx context.Context, req *logical.Request, _ *framework.FieldData, recovery bool) (*logical.Response, error) {
+	repState := b.Core.ReplicationState()
+	if repState.HasState(consts.ReplicationPerformanceSecondary) {
+		return logical.ErrorResponse("rekeying can only be performed on the primary cluster when replication is activated"), nil
+	}
+
+	// Check if recovery key is supported
+	if recovery && !b.Core.SealAccess().RecoveryKeySupported() {
+		return logical.ErrorResponse("recovery rekeying not supported"), nil
+	}
+
+	switch req.Operation {
+	case logical.ReadOperation:
+		return b.handleRekeyVerifyGet(ctx, recovery)
+	case logical.UpdateOperation:
+		return b.handleRekeyVerifyPut(ctx, recovery)
+	case logical.DeleteOperation:
+		return b.handleRekeyVerifyDelete(ctx, recovery)
+	default:
+		return nil, logical.ErrUnsupportedOperation
+	}
+}
+
+func (b *SystemBackend) handleRekeyVerifyBarrier(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyVerify(ctx, req, data, false)
+}
+
+func (b *SystemBackend) handleRekeyVerifyRecovery(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	return b.handleRekeyVerify(ctx, req, data, true)
+}
+
+func (b *SystemBackend) handleRekeyVerifyGet(ctx context.Context, recovery bool) (*logical.Response, error) {
+	status, code, err := HandleSysRekeyVerifyGet(ctx, b.Core, recovery, false)
+	return nonLogicalResponse(status, code, err)
+}
+
+func (b *SystemBackend) handleRekeyVerifyDelete(ctx context.Context, recovery bool) (*logical.Response, error) {
+	if err := b.Core.RekeyVerifyRestart(recovery, false); err != nil {
+		return nil, fmt.Errorf("failed to restart rekey verification: %w", err)
+	}
+
+	return b.handleRekeyVerifyGet(ctx, recovery)
+}
+
+func (b *SystemBackend) handleRekeyVerifyPut(ctx context.Context, recovery bool) (*logical.Response, error) {
+	var req RekeyVerificationUpdateRequest
+	resp, err := getJSONBody(ctx, &req)
+	if err != nil {
+		return resp, err
+	}
+
+	result, code, err := HandleSysRekeyVerifyPut(ctx, b.Core, recovery, false, &RekeyVerificationUpdateRequest{
+		Nonce: req.Nonce,
+		Key:   req.Key,
+	})
+	if err == nil && result == nil {
+		return b.handleRekeyVerifyGet(ctx, recovery)
+	}
+	return nonLogicalResponse(result, code, err)
+}
+
 func (b *SystemBackend) handleGenerateRootDecodeTokenUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	encodedToken := data.Get("encoded_token").(string)
 	otp := data.Get("otp").(string)
@@ -5490,29 +6026,32 @@ func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Re
 }
 
 type SealStatusResponse struct {
-	Type               string   `json:"type"`
-	Initialized        bool     `json:"initialized"`
-	Sealed             bool     `json:"sealed"`
-	T                  int      `json:"t"`
-	N                  int      `json:"n"`
-	Progress           int      `json:"progress"`
-	Nonce              string   `json:"nonce"`
-	Version            string   `json:"version"`
-	BuildDate          string   `json:"build_date"`
-	Migration          bool     `json:"migration"`
-	ClusterName        string   `json:"cluster_name,omitempty"`
-	ClusterID          string   `json:"cluster_id,omitempty"`
-	RecoverySeal       bool     `json:"recovery_seal"`
-	StorageType        string   `json:"storage_type,omitempty"`
-	HCPLinkStatus      string   `json:"hcp_link_status,omitempty"`
-	HCPLinkResourceID  string   `json:"hcp_link_resource_ID,omitempty"`
-	Warnings           []string `json:"warnings,omitempty"`
-	RecoverySealType   string   `json:"recovery_seal_type,omitempty"`
-	RemovedFromCluster *bool    `json:"removed_from_cluster,omitempty"`
+	Type                 string   `json:"type"`
+	Initialized          bool     `json:"initialized"`
+	Sealed               bool     `json:"sealed"`
+	T                    int      `json:"t"`
+	N                    int      `json:"n"`
+	Progress             int      `json:"progress"`
+	Nonce                string   `json:"nonce"`
+	Version              string   `json:"version"`
+	BuildDate            string   `json:"build_date"`
+	Migration            bool     `json:"migration"`
+	ClusterName          string   `json:"cluster_name,omitempty"`
+	ClusterID            string   `json:"cluster_id,omitempty"`
+	RecoverySeal         bool     `json:"recovery_seal"`
+	StorageType          string   `json:"storage_type,omitempty"`
+	HCPLinkStatus        string   `json:"hcp_link_status,omitempty"`
+	HCPLinkResourceID    string   `json:"hcp_link_resource_ID,omitempty"`
+	Warnings             []string `json:"warnings,omitempty"`
+	RecoverySealType     string   `json:"recovery_seal_type,omitempty"`
+	RemovedFromCluster   *bool    `json:"removed_from_cluster,omitempty"`
+	MigrationDoneAtEpoch int64    `json:"migration_done_at_epoch,omitempty"`
 }
 
 type SealBackendStatus struct {
 	Name           string `json:"name"`
+	Configured     bool   `json:"configured"`
+	Disabled       bool   `json:"disabled"`
 	Healthy        bool   `json:"healthy"`
 	UnhealthySince string `json:"unhealthy_since,omitempty"`
 }
@@ -5619,6 +6158,9 @@ func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResp
 		RecoverySealType:   recoverySealType,
 		StorageType:        core.StorageType(),
 	}
+	if p := core.sealMigrationDone.Load(); p != nil {
+		s.MigrationDoneAtEpoch = p.Unix()
+	}
 
 	if resourceIDonHCP != "" {
 		s.HCPLinkStatus = hcpLinkStatus
@@ -5642,10 +6184,12 @@ func (c *Core) GetSealBackendStatus(ctx context.Context) (*SealBackendStatusResp
 	if a, ok := c.seal.(*autoSeal); ok {
 		r.Healthy = c.seal.Healthy()
 		var uhMin time.Time
-		for _, sealWrapper := range a.GetConfiguredSealWrappersByPriority() {
+		for _, sealWrapper := range a.GetAllSealWrappersByPriority() {
 			b := SealBackendStatus{
-				Name:    sealWrapper.Name,
-				Healthy: sealWrapper.IsHealthy(),
+				Name:       sealWrapper.Name,
+				Configured: sealWrapper.Configured,
+				Healthy:    sealWrapper.IsHealthy(),
+				Disabled:   sealWrapper.Disabled,
 			}
 			if !sealWrapper.IsHealthy() {
 				lastSeenHealthy := sealWrapper.LastSeenHealthy()
@@ -5661,11 +6205,21 @@ func (c *Core) GetSealBackendStatus(ctx context.Context) (*SealBackendStatusResp
 		if !uhMin.IsZero() {
 			r.UnhealthySince = uhMin.String()
 		}
+		if c.IsInSealMigrationMode(false) {
+			r.Backends = append(r.Backends, SealBackendStatus{
+				Name:       "shamir",
+				Configured: true,
+				Healthy:    true,
+				Disabled:   true,
+			})
+		}
 	} else {
 		r.Backends = []SealBackendStatus{
 			{
-				Name:    "shamir", // "default?"
-				Healthy: true,
+				Name:       "shamir",
+				Configured: true,
+				Healthy:    true,
+				Disabled:   false,
 			},
 		}
 		r.Healthy = true
diff --git a/vault/logical_system_helpers.go b/vault/logical_system_helpers.go
index 5b5dda1449..e0fb40fcda 100644
--- a/vault/logical_system_helpers.go
+++ b/vault/logical_system_helpers.go
@@ -134,6 +134,13 @@ var (
 			"config/group-policy-application$": {operations: []logical.Operation{logical.ReadOperation, logical.UpdateOperation}},
 		})...)
 
+		paths = append(paths, buildEnterpriseOnlyPaths(map[string]enterprisePathStub{
+			"activation-flags/oauth-resource-server/activate":                    {operations: []logical.Operation{logical.UpdateOperation}},
+			"activation-flags/oauth-resource-server/deactivate":                  {operations: []logical.Operation{logical.UpdateOperation}},
+			"config/oauth-resource-server/":                                      {operations: []logical.Operation{logical.ListOperation}},
+			"config/oauth-resource-server/" + framework.GenericNameRegex("name"): {parameters: []string{"name"}, operations: []logical.Operation{logical.DeleteOperation, logical.ReadOperation, logical.UpdateOperation}},
+		})...)
+
 		// reporting paths
 		paths = append(paths, buildEnterpriseOnlyPaths(map[string]enterprisePathStub{
 			"reporting/scan$": {operations: []logical.Operation{logical.UpdateOperation}},
@@ -332,6 +339,21 @@ func (c *Core) consumeCertCounts(inc logical.CertCount) {
 			unconsumed.PkiDurationAdjustedCerts = 0
 		}
 
+		c.logger.Info("storing SSH counts", "sshDurationAdjustedCount", inc.SSHIssuedCerts, "sshOTPCount", inc.SSHIssuedOTPs)
+		_, err = c.UpdateStoredSSHDurationAdjustedCertCount(c.activeContext, time.Now(), inc.SSHIssuedCerts)
+		if err != nil {
+			c.logger.Error("error storing SSH duration adjusted certificate count", "error", err)
+		} else {
+			unconsumed.SSHIssuedCerts = 0
+		}
+
+		_, err = c.UpdateStoredSSHOTPCount(c.activeContext, time.Now(), inc.SSHIssuedOTPs)
+		if err != nil {
+			c.logger.Error("error storing SSH OTP count", "error", err)
+		} else {
+			unconsumed.SSHIssuedOTPs = 0
+		}
+
 	default:
 		c.logger.Error("Unexpected HA state when consuming certificate counts", "ha_state", haState)
 	}
diff --git a/vault/logical_system_integ_test.go b/vault/logical_system_integ_test.go
index 42253cca28..428f9a3632 100644
--- a/vault/logical_system_integ_test.go
+++ b/vault/logical_system_integ_test.go
@@ -170,8 +170,6 @@ func TestSystemBackend_HAStatus(t *testing.T) {
 		HandlerFunc: vaulthttp.Handler,
 	}
 	cluster := vault.NewTestCluster(t, conf, opts)
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	corehelpers.RetryUntil(t, 15*time.Second, func() error {
 		// Use standby deliberately to make sure it forwards
diff --git a/vault/logical_system_paths.go b/vault/logical_system_paths.go
index 32f4405d65..a71f56e997 100644
--- a/vault/logical_system_paths.go
+++ b/vault/logical_system_paths.go
@@ -295,6 +295,8 @@ func (b *SystemBackend) configPaths() []*framework.Path {
 
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.ReadOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleGenerateRootAttempt,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb:   "read",
 						OperationSuffix: "progress2|progress",
@@ -349,7 +351,9 @@ func (b *SystemBackend) configPaths() []*framework.Path {
 					},
 				},
 				logical.UpdateOperation: &framework.PathOperation{
-					Summary: "Initializes a new root generation attempt.",
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleGenerateRootAttempt,
+					Summary:                   "Initializes a new root generation attempt.",
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb:   "initialize",
 						OperationSuffix: "2|",
@@ -404,6 +408,8 @@ func (b *SystemBackend) configPaths() []*framework.Path {
 					},
 				},
 				logical.DeleteOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleGenerateRootAttempt,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb:   "cancel",
 						OperationSuffix: "2|",
@@ -434,6 +440,8 @@ func (b *SystemBackend) configPaths() []*framework.Path {
 			},
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.UpdateOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleGenerateRootUpdate,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationPrefix: "root-token-generation",
 						OperationVerb:   "update",
@@ -769,7 +777,7 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 	respFields := map[string]*framework.FieldSchema{
 		"nonce": {
 			Type:     framework.TypeString,
-			Required: true,
+			Required: false,
 		},
 		"started": {
 			Type:     framework.TypeBool,
@@ -785,7 +793,7 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 		},
 		"progress": {
 			Type:     framework.TypeInt,
-			Required: true,
+			Required: false,
 		},
 		"required": {
 			Type:     framework.TypeInt,
@@ -793,11 +801,11 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 		},
 		"verification_required": {
 			Type:     framework.TypeBool,
-			Required: true,
+			Required: false,
 		},
 		"verification_nonce": {
 			Type:     framework.TypeString,
-			Required: true,
+			Required: false,
 		},
 		"backup": {
 			Type: framework.TypeBool,
@@ -815,6 +823,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 				OperationPrefix: "rekey-attempt",
 			},
 
+			// Note that since we're a binary path we don't actually use these fields, they exist solely for the sake
+			// of populating the openapi schema.
 			Fields: map[string]*framework.FieldSchema{
 				"secret_shares": {
 					Type:        framework.TypeInt,
@@ -824,6 +834,10 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 					Type:        framework.TypeInt,
 					Description: "Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.",
 				},
+				"stored_shares": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.",
+				},
 				"pgp_keys": {
 					Type:        framework.TypeCommaStringSlice,
 					Description: "Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.",
@@ -836,10 +850,16 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 					Type:        framework.TypeBool,
 					Description: "Turns on verification functionality",
 				},
+				"nonce": {
+					Type:        framework.TypeString,
+					Description: "Specifies the nonce of the rekey operation. If the rekey was initialized within the last 10 minutes, you must provide the nonce to cancel the operation.",
+				},
 			},
 
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.ReadOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyInitBarrier,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb:   "read",
 						OperationSuffix: "progress",
@@ -853,6 +873,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 					Summary: "Reads the configuration and progress of the current rekey attempt.",
 				},
 				logical.UpdateOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyInitBarrier,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb: "initialize",
 					},
@@ -866,6 +888,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 					Description: "Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.",
 				},
 				logical.DeleteOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyInitBarrier,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb: "cancel",
 					},
@@ -991,6 +1015,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 		{
 			Pattern: "rekey/update",
 
+			// Note that since we're a binary path we don't actually use these fields, they exist solely for the sake
+			// of populating the openapi schema.
 			Fields: map[string]*framework.FieldSchema{
 				"key": {
 					Type:        framework.TypeString,
@@ -1004,6 +1030,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.UpdateOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyUpdateBarrier,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationPrefix: "rekey-attempt",
 						OperationVerb:   "update",
@@ -1068,6 +1096,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 				OperationPrefix: "rekey-verification",
 			},
 
+			// Note that since we're a binary path we don't actually use these fields, they exist solely for the sake
+			// of populating the openapi schema.
 			Fields: map[string]*framework.FieldSchema{
 				"key": {
 					Type:        framework.TypeString,
@@ -1081,6 +1111,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.ReadOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyVerifyBarrier,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb:   "read",
 						OperationSuffix: "progress",
@@ -1115,6 +1147,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 					Summary: "Read the configuration and progress of the current rekey verification attempt.",
 				},
 				logical.DeleteOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyVerifyBarrier,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb: "cancel",
 					},
@@ -1149,6 +1183,8 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 					Description: "This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rekey/init`, this only resets the current verification operation, not the entire rekey atttempt.",
 				},
 				logical.UpdateOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyVerifyBarrier,
 					DisplayAttrs: &framework.DisplayAttributes{
 						OperationVerb: "update",
 					},
@@ -1170,6 +1206,246 @@ func (b *SystemBackend) rekeyPaths() []*framework.Path {
 				},
 			},
 		},
+		{
+			Pattern: "rekey-recovery-key/init",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "rekey-recovery-key-attempt",
+			},
+
+			// Note that since we're a binary path we don't actually use these fields, they exist solely for the sake
+			// of populating the openapi schema.
+			Fields: map[string]*framework.FieldSchema{
+				"secret_shares": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares to split the recovery key into.",
+				},
+				"stored_shares": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`.",
+				},
+				"secret_threshold": {
+					Type:        framework.TypeInt,
+					Description: "Specifies the number of shares required to reconstruct the recovery key.",
+				},
+				"pgp_keys": {
+					Type:        framework.TypeCommaStringSlice,
+					Description: "Specifies an array of PGP public keys used to encrypt the output recovery keys.",
+				},
+				"backup": {
+					Type:        framework.TypeBool,
+					Description: "Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.",
+				},
+				"require_verification": {
+					Type:        framework.TypeBool,
+					Description: "Turns on verification functionality",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyInitRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "progress",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields:      respFields,
+						}},
+					},
+					Summary: "Reads the configuration and progress of the current recovery key rekey attempt.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyInitRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "initialize",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields:      respFields,
+						}},
+					},
+					Summary:     "Initializes a new recovery key rekey attempt.",
+					Description: "Only a single recovery key rekey attempt can take place at a time.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyInitRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "cancel",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+						}},
+					},
+					Summary:     "Cancels any in-progress recovery key rekey.",
+					Description: "This clears the recovery key rekey settings as well as any progress made.",
+				},
+			},
+		},
+		{
+			Pattern: "rekey-recovery-key/update",
+
+			// Note that since we're a binary path we don't actually use these fields, they exist solely for the sake
+			// of populating the openapi schema.
+			Fields: map[string]*framework.FieldSchema{
+				"key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a single recovery key share.",
+				},
+				"nonce": {
+					Type:        framework.TypeString,
+					Description: "Specifies the nonce of the rekey attempt.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.UpdateOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyUpdateRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationPrefix: "rekey-recovery-key-attempt",
+						OperationVerb:   "update",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"complete": {
+									Type: framework.TypeBool,
+								},
+								"keys": {
+									Type: framework.TypeCommaStringSlice,
+								},
+								"keys_base64": {
+									Type: framework.TypeCommaStringSlice,
+								},
+								"verification_required": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"verification_nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"backup": {
+									Type: framework.TypeBool,
+								},
+								"pgp_fingerprints": {
+									Type: framework.TypeCommaStringSlice,
+								},
+							},
+						}},
+					},
+					Summary: "Enter a single recovery key share to progress the rekey of the Vault.",
+				},
+			},
+		},
+		{
+			Pattern: "rekey-recovery-key/verify",
+
+			DisplayAttrs: &framework.DisplayAttributes{
+				OperationPrefix: "rekey-recovery-key-verification",
+			},
+
+			// Note that since we're a binary path we don't actually use these fields, they exist solely for the sake
+			// of populating the openapi schema.
+			Fields: map[string]*framework.FieldSchema{
+				"key": {
+					Type:        framework.TypeString,
+					Description: "Specifies a single recovery key share from the new set of shares.",
+				},
+				"nonce": {
+					Type:        framework.TypeString,
+					Description: "Specifies the nonce of the rekey verification operation.",
+				},
+			},
+
+			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyVerifyRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb:   "read",
+						OperationSuffix: "progress",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"started": {
+									Type:     framework.TypeBool,
+									Required: true,
+								},
+								"t": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"n": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+								"progress": {
+									Type:     framework.TypeInt,
+									Required: true,
+								},
+							},
+						}},
+					},
+					Summary: "Read the configuration and progress of the current recovery key rekey verification attempt.",
+				},
+				logical.DeleteOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyVerifyRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "cancel",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+						}},
+					},
+					Summary:     "Cancel any in-progress recovery key rekey verification operation.",
+					Description: "This clears any progress made and resets the nonce.",
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					ForwardPerformanceStandby: true,
+					Callback:                  b.handleRekeyVerifyRecovery,
+					DisplayAttrs: &framework.DisplayAttributes{
+						OperationVerb: "update",
+					},
+					Responses: map[int][]framework.Response{
+						http.StatusOK: {{
+							Description: "OK",
+							Fields: map[string]*framework.FieldSchema{
+								"nonce": {
+									Type:     framework.TypeString,
+									Required: true,
+								},
+								"complete": {
+									Type: framework.TypeBool,
+								},
+							},
+						}},
+					},
+					Summary: "Enter a single new recovery key share to progress the rekey verification operation.",
+				},
+			},
+		},
 
 		{
 			Pattern: "seal$",
@@ -3739,7 +4015,7 @@ func (b *SystemBackend) authPaths() []*framework.Path {
 						OperationSuffix: "tuning-information",
 					},
 					Summary:     "Reads the given auth path's configuration.",
-					Description: "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.",
+					Description: "This endpoint requires sudo capability on the final path. The equivalent endpoint at `sys/mounts/auth/[auth-path]/tune` also requires sudo capability.",
 					Responses: map[int][]framework.Response{
 						http.StatusOK: {{
 							Description: "OK",
@@ -3754,7 +4030,7 @@ func (b *SystemBackend) authPaths() []*framework.Path {
 						OperationSuffix: "configuration-parameters",
 					},
 					Summary:     "Tune configuration parameters for a given auth path.",
-					Description: "This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`.",
+					Description: "This endpoint requires sudo capabilities on the final path. The equivalent endpoint at `sys/mounts/auth/[auth-path]/tune` also requires sudo capabilities.",
 					Responses: map[int][]framework.Response{
 						http.StatusNoContent: {{
 							Description: "OK",
@@ -4395,7 +4671,7 @@ func (b *SystemBackend) mountsPaths() []*framework.Path {
 						OperationSuffix: "tuning-information",
 					},
 					Summary:     "Reads the given auth path's configuration.",
-					Description: "This endpoint does NOT require sudo capability. For the sudo-required alternative, use the endpoint at `sys/auth/[auth-path]/tune`.",
+					Description: "This endpoint requires sudo capability on the final path. The equivalent endpoint at `sys/auth/[auth-path]/tune` also requires sudo capability.",
 					Responses: map[int][]framework.Response{
 						http.StatusOK: {{
 							Description: "OK",
@@ -4410,7 +4686,7 @@ func (b *SystemBackend) mountsPaths() []*framework.Path {
 						OperationSuffix: "configuration-parameters",
 					},
 					Summary:     "Tune configuration parameters for a given auth path.",
-					Description: "This endpoint does NOT require sudo capability. The same functionality can be achieved with sudo via the `sys/auth/[auth-path]/tune` endpoint.",
+					Description: "This endpoint requires sudo capability on the final path. The equivalent endpoint at `sys/auth/[auth-path]/tune` also requires sudo capability.",
 					Responses: map[int][]framework.Response{
 						http.StatusNoContent: {{
 							Description: "OK",
diff --git a/vault/logical_system_stubs_oss.go b/vault/logical_system_stubs_oss.go
index 900816c092..04e2d7cba7 100644
--- a/vault/logical_system_stubs_oss.go
+++ b/vault/logical_system_stubs_oss.go
@@ -22,6 +22,10 @@ func entUnauthenticatedPaths() []string {
 	return []string{}
 }
 
+func entBinaryPaths() []string {
+	return []string{}
+}
+
 func (s *SystemBackend) entInit() {}
 
 func (s *SystemBackend) makeSnapshotSource(ctx context.Context, _ *framework.FieldData) (snapshots.Source, error) {
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index 0e658d51b1..aabb5dc26d 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -242,6 +242,7 @@ func TestSystemBackend_mounts(t *testing.T) {
 				"max_lease_ttl":               resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []string{"Authorization"},
+				"allowed_response_headers":    []string{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -399,6 +400,7 @@ func TestSystemBackend_mount(t *testing.T) {
 				"max_lease_ttl":               resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
 				"force_no_cache":              false,
 				"passthrough_request_headers": []string{"Authorization"},
+				"allowed_response_headers":    []string{"Location"},
 			},
 			"local":                  false,
 			"seal_wrap":              false,
@@ -2720,8 +2722,8 @@ func TestSystemBackend_policyList(t *testing.T) {
 	)
 
 	exp := map[string]interface{}{
-		"keys":     []string{"default", "root"},
-		"policies": []string{"default", "root"},
+		"keys":     []string{"default", "default-ceiling", "root"},
+		"policies": []string{"default", "default-ceiling", "root"},
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
@@ -2799,8 +2801,8 @@ func TestSystemBackend_policyCRUD(t *testing.T) {
 	}
 
 	exp = map[string]interface{}{
-		"keys":     []string{"default", "foo", "root"},
-		"policies": []string{"default", "foo", "root"},
+		"keys":     []string{"default", "default-ceiling", "foo", "root"},
+		"policies": []string{"default", "default-ceiling", "foo", "root"},
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
@@ -2842,8 +2844,8 @@ func TestSystemBackend_policyCRUD(t *testing.T) {
 	}
 
 	exp = map[string]interface{}{
-		"keys":     []string{"default", "root"},
-		"policies": []string{"default", "root"},
+		"keys":     []string{"default", "default-ceiling", "root"},
+		"policies": []string{"default", "default-ceiling", "root"},
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
@@ -4607,6 +4609,7 @@ func TestSystemBackend_InternalUIMounts(t *testing.T) {
 					"max_lease_ttl":               resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
 					"force_no_cache":              false,
 					"passthrough_request_headers": []string{"Authorization"},
+					"allowed_response_headers":    []string{"Location"},
 				},
 				"local":                  false,
 				"seal_wrap":              false,
@@ -7380,9 +7383,6 @@ func TestPathInternalUICustomMessagesCommon(t *testing.T) {
 func TestGetLeaderStatus_RedactionSettings(t *testing.T) {
 	testCluster := NewTestCluster(t, nil, nil)
 
-	testCluster.Start()
-	defer testCluster.Cleanup()
-
 	testCore := testCluster.Cores[0]
 
 	// Check with no redaction settings
@@ -7419,9 +7419,6 @@ func TestGetSealStatus_RedactionSettings(t *testing.T) {
 		ClusterName: "secret-cluster-name",
 	}, nil)
 
-	testCluster.Start()
-	defer testCluster.Cleanup()
-
 	testCore := testCluster.Cores[0]
 
 	// Check with no redaction settings
diff --git a/vault/logical_system_use_case_billing.go b/vault/logical_system_use_case_billing.go
index a877efc5ce..bf7b7d8f71 100644
--- a/vault/logical_system_use_case_billing.go
+++ b/vault/logical_system_use_case_billing.go
@@ -6,6 +6,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"math"
 	"net/http"
 	"time"
 
@@ -15,102 +16,306 @@ import (
 	"github.com/hashicorp/vault/vault/billing"
 )
 
-const pkiDurationAjustedCountMetricName = "pki_units"
+const (
+	WarningRefreshIgnoredOnStandby = "refresh_data parameter is supported only on the active node. " +
+		"Since this parameter was set on a performance standby, the billing data was not refreshed " +
+		"and retrieved from storage without update."
+
+	WarningStartEndMonthOutOfRetentionRange = "the specified start_month and/or end_month fall outside the range of the current billing data retention period." +
+		"Months that are not covered in the retention period will show a zero updated_at timestamp and no metrics."
+)
 
 func (b *SystemBackend) useCaseConsumptionBillingPaths() []*framework.Path {
 	return []*framework.Path{
-		{
-			Pattern: "billing/overview$",
-			Fields: map[string]*framework.FieldSchema{
-				"refresh_data": {
-					Type:        framework.TypeBool,
-					Description: "If set, updates the billing counts for the current month before returning. This is an expensive operation with potential performance impact and should be used sparingly.",
-					Query:       true,
-				},
+		b.billingOverviewPath(),
+		b.billingConfigPath(),
+	}
+}
+
+func (b *SystemBackend) billingOverviewPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "billing/overview$",
+		Fields: map[string]*framework.FieldSchema{
+			"refresh_data": {
+				Type:        framework.TypeBool,
+				Description: "If set, updates the billing counts for the current month before returning. This is an expensive operation with potential performance impact and should be used sparingly.",
+				Query:       true,
 			},
-			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.ReadOperation: &framework.PathOperation{
-					Callback: b.handleUseCaseConsumption,
-					Summary:  "Reports consumption billing metrics for the current and previous months.",
-					Responses: map[int][]framework.Response{
-						http.StatusOK: {{
-							Description: http.StatusText(http.StatusOK),
-							Fields: map[string]*framework.FieldSchema{
-								"months": {
-									Type:        framework.TypeSlice,
-									Description: "List of monthly billing data, including the current and previous months.",
-								},
+			"start_month": {
+				Type:        framework.TypeString,
+				Description: "Start month in YYYY-MM format (inclusive). If not specified, defaults to the oldest available month within BillingRetentionMonths.",
+				Query:       true,
+			},
+			"end_month": {
+				Type:        framework.TypeString,
+				Description: "End month in YYYY-MM format (inclusive). If not specified, defaults to the current month.",
+				Query:       true,
+			},
+		},
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.handleBillingOverview,
+				Summary:  "Reports consumption billing metrics on a monthly granularity.",
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: http.StatusText(http.StatusOK),
+						Fields: map[string]*framework.FieldSchema{
+							"months": {
+								Type:        framework.TypeSlice,
+								Description: "List of monthly billing data.",
 							},
-						}},
-						http.StatusNoContent: {{
-							Description: http.StatusText(http.StatusNoContent),
-						}},
-						http.StatusBadRequest: {{
-							Description: http.StatusText(http.StatusBadRequest),
-						}},
-						http.StatusInternalServerError: {{
-							Description: http.StatusText(http.StatusInternalServerError),
-						}},
-					},
+						},
+					}},
+					http.StatusNoContent: {{
+						Description: http.StatusText(http.StatusNoContent),
+					}},
+					http.StatusBadRequest: {{
+						Description: http.StatusText(http.StatusBadRequest),
+					}},
+					http.StatusInternalServerError: {{
+						Description: http.StatusText(http.StatusInternalServerError),
+					}},
 				},
 			},
 		},
 	}
 }
 
-func (b *SystemBackend) handleUseCaseConsumption(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	refreshData := data.Get("refresh_data").(bool)
-
-	currentMonth := time.Now()
-	previousMonth := timeutil.StartOfPreviousMonth(currentMonth)
-
-	// Refresh data only if explicitly requested and for current month
-	currentMonthData, err := b.buildMonthBillingData(ctx, currentMonth, refreshData)
-	if err != nil {
-		return nil, fmt.Errorf("error building current month billing data: %w", err)
-	}
-
-	previousMonthData, err := b.buildMonthBillingData(ctx, previousMonth, false)
-	if err != nil {
-		return nil, fmt.Errorf("error building previous month billing data: %w", err)
-	}
-
-	resp := map[string]interface{}{
-		"months": []interface{}{
-			currentMonthData,
-			previousMonthData,
+func (b *SystemBackend) billingConfigPath() *framework.Path {
+	return &framework.Path{
+		Pattern: "billing/config$",
+		Fields: map[string]*framework.FieldSchema{
+			"retention_months": {
+				Type:        framework.TypeInt,
+				Description: fmt.Sprintf("Number of months to retain billing data. Must be between %d and %d months. Defaults to %d months.", billing.MinBillingRetentionMonths, billing.MaxBillingRetentionMonths, billing.DefaultBillingRetentionMonths),
+			},
 		},
+		Operations: map[logical.Operation]framework.OperationHandler{
+			logical.ReadOperation: &framework.PathOperation{
+				Callback: b.handleBillingConfigRead,
+				Summary:  "Read the billing data retention configuration.",
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: http.StatusText(http.StatusOK),
+						Fields: map[string]*framework.FieldSchema{
+							"retention_months": {
+								Type:        framework.TypeInt,
+								Description: "Number of months of billing data to retain.",
+							},
+						},
+					}},
+					http.StatusNoContent: {{
+						Description: http.StatusText(http.StatusNoContent),
+					}},
+					http.StatusBadRequest: {{
+						Description: http.StatusText(http.StatusBadRequest),
+					}},
+					http.StatusInternalServerError: {{
+						Description: http.StatusText(http.StatusInternalServerError),
+					}},
+				},
+			},
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.handleBillingConfigWrite,
+				Summary:  "Configure the billing data retention period.",
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: http.StatusText(http.StatusOK),
+					}},
+					http.StatusNoContent: {{
+						Description: http.StatusText(http.StatusNoContent),
+					}},
+					http.StatusBadRequest: {{
+						Description: http.StatusText(http.StatusBadRequest),
+					}},
+					http.StatusInternalServerError: {{
+						Description: http.StatusText(http.StatusInternalServerError),
+					}},
+				},
+			},
+		},
+	}
+}
+
+func (b *SystemBackend) handleBillingConfigRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	retentionMonths, err := b.Core.GetBillingRetentionMonths(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get billing retention configuration: %w", err)
 	}
 
 	return &logical.Response{
-		Data: resp,
+		Data: map[string]interface{}{
+			"retention_months": retentionMonths,
+		},
 	}, nil
 }
 
+func (b *SystemBackend) handleBillingConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	retentionMonths := data.Get("retention_months").(int)
+	if retentionMonths < billing.MinBillingRetentionMonths || retentionMonths > billing.MaxBillingRetentionMonths {
+		return logical.ErrorResponse(fmt.Sprintf("retention_months must be between %d and %d months", billing.MinBillingRetentionMonths, billing.MaxBillingRetentionMonths)), logical.ErrInvalidRequest
+	}
+
+	// Get current retention to check if it's being increased
+	currentRetention, err := b.Core.GetBillingRetentionMonths(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get current billing retention configuration: %w", err)
+	}
+
+	// Store the configuration
+	if err := b.Core.UpdateBillingRetentionMonths(ctx, retentionMonths); err != nil {
+		return nil, fmt.Errorf("failed to set billing retention configuration: %w", err)
+	}
+
+	resp := &logical.Response{}
+
+	// Add warning if retention period is being increased
+	if retentionMonths > currentRetention {
+		resp.Warnings = append(resp.Warnings, fmt.Sprintf(
+			"Retention period increased from %d to %d months. Historical data will only be available for months within the previous retention period. Older months outside the previous retention range will not have data.",
+			currentRetention, retentionMonths))
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleBillingOverview(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	refreshData := data.Get("refresh_data").(bool)
+
+	currentMonth := time.Now().UTC()
+
+	warnings := make([]string, 0)
+
+	// Check if this is a performance standby and if refreshData is true,
+	// and add a warning that refresh will be ignored in this case.
+	// We do not need to hold stateLock here since HandleRequest is already holding this lock.
+	if refreshData && b.Core.perfStandby {
+		warnings = append(warnings, WarningRefreshIgnoredOnStandby)
+		refreshData = false
+	}
+
+	// Get the configured retention period
+	retentionMonths, err := b.Core.GetBillingRetentionMonths(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get billing retention configuration: %w", err)
+	}
+
+	startMonth, endMonth, isOutOfRetention, err := parseStartEndMonths(data, currentMonth, retentionMonths)
+	if err != nil {
+		return nil, err
+	}
+
+	if isOutOfRetention {
+		warnings = append(warnings, WarningStartEndMonthOutOfRetentionRange)
+	}
+
+	// Build list of months to retrieve (from end to start, newest first)
+	monthsToRetrieve := []time.Time{}
+	for month := endMonth; !month.Before(startMonth); month = month.AddDate(0, -1, 0) {
+		monthsToRetrieve = append(monthsToRetrieve, month)
+	}
+
+	// Build billing data for requested months
+	months := make([]interface{}, 0, len(monthsToRetrieve))
+
+	for _, month := range monthsToRetrieve {
+		// Only refresh current month if refresh_data is true
+		shouldRefresh := refreshData && month.Equal(timeutil.StartOfMonth(currentMonth))
+
+		monthData, err := b.buildMonthBillingData(ctx, month, shouldRefresh)
+		if err != nil {
+			return nil, fmt.Errorf("error building billing data for month %s: %w", month.Format("2006-01"), err)
+		}
+
+		months = append(months, monthData)
+	}
+
+	resp := map[string]interface{}{
+		"months": months,
+	}
+
+	return &logical.Response{
+		Data:     resp,
+		Warnings: warnings,
+	}, nil
+}
+
+// parseStartEndMonths parses the start and end month parameters from the request and validates if they are valid.
+// If they are outside of the retention range, it returns a warning. If no parameter is specified,
+// the start and end defaults to the start of the retention range and the current month, respectively.
+func parseStartEndMonths(data *framework.FieldData, currentMonth time.Time, retentionMonths int) (time.Time, time.Time, bool, error) {
+	defaultStartMonth := timeutil.StartOfMonth(currentMonth).AddDate(0, -retentionMonths+1, 0)
+	defaultEndMonth := timeutil.StartOfMonth(currentMonth)
+
+	parseMonth := func(key string, defaultMonth time.Time) (time.Time, error) {
+		if monthStr := data.Get(key).(string); monthStr != "" {
+			return time.Parse("2006-01", monthStr)
+		}
+		return defaultMonth, nil
+	}
+
+	var startMonth, endMonth time.Time
+	var isOutOfRetention bool
+	var err error
+
+	startMonth, err = parseMonth("start_month", defaultStartMonth)
+	if err != nil {
+		return time.Time{}, time.Time{}, false, fmt.Errorf("invalid start_month format: %w", err)
+	}
+
+	endMonth, err = parseMonth("end_month", defaultEndMonth)
+	if err != nil {
+		return time.Time{}, time.Time{}, false, fmt.Errorf("invalid end_month format: %w", err)
+	}
+
+	if startMonth.After(endMonth) {
+		return time.Time{}, time.Time{}, false, fmt.Errorf("start_month is later than end_month")
+	}
+
+	// We don't need to check for startMonth after the current month because either an even later endMonth is
+	// specified which would be caught by the second condition, or no end was set and it defaulted to the current month,
+	// which would have been caught in the check above. Vice versa for endMonth before the default start month.
+	if startMonth.Before(defaultStartMonth) || endMonth.After(defaultEndMonth) {
+		isOutOfRetention = true
+	}
+
+	return startMonth, endMonth, isOutOfRetention, nil
+}
+
 // buildMonthBillingData constructs billing data for a specific month
 func (b *SystemBackend) buildMonthBillingData(ctx context.Context, month time.Time, refreshData bool) (map[string]interface{}, error) {
+	currentMonth := timeutil.StartOfMonth(time.Now().UTC())
+	// Check if the billing metrics need to be refreshed. We're running
+	// under the core stateLock during request handling,so call the no-lock helper to
+	// avoid recursive locking.
+	if refreshData {
+		if err := b.Core.updateBillingMetricsLocked(ctx, currentMonth); err != nil {
+			return nil, fmt.Errorf("error refreshing billing metrics: %w", err)
+		}
+	}
+
 	// Retrieve all billing metrics
-	combinedRoleCounts, combinedManagedKeyCounts, err := b.Core.getRoleAndManagedKeyCounts(ctx, month, refreshData)
+	combinedRoleCounts, combinedManagedKeyCounts, err := b.Core.getRoleAndManagedKeyCounts(ctx, month)
 	if err != nil {
 		return nil, err
 	}
 
-	combinedKvCounts, err := b.Core.getKvCounts(ctx, month, refreshData)
+	combinedKvCounts, err := b.Core.getKvCounts(ctx, month)
 	if err != nil {
 		return nil, err
 	}
 
-	transitCounts, transformCounts, err := b.Core.getDataProtectionCounts(ctx, month, refreshData)
+	transitCounts, transformCounts, gcpKmsCounts, err := b.Core.getDataProtectionCounts(ctx, month)
 	if err != nil {
 		return nil, err
 	}
 
-	kmipEnabled, err := b.Core.getKmipStatus(ctx, month, refreshData)
+	kmipEnabled, err := b.Core.getKmipStatus(ctx, month)
 	if err != nil {
 		return nil, err
 	}
 
-	thirdPartyPluginCounts, err := b.Core.getThirdPartyPluginCounts(ctx, month, refreshData)
+	thirdPartyPluginCounts, err := b.Core.getThirdPartyPluginCounts(ctx, month)
 	if err != nil {
 		return nil, err
 	}
@@ -118,9 +323,8 @@ func (b *SystemBackend) buildMonthBillingData(ctx context.Context, month time.Ti
 	// Build the usage metrics
 	usageMetrics := []map[string]interface{}{}
 
-	kvDetails := []map[string]interface{}{}
-	if combinedKvCounts > 0 {
-		kvDetails = append(kvDetails, map[string]interface{}{"type": "kv", "count": combinedKvCounts})
+	kvDetails := []map[string]interface{}{
+		{"type": "kv", "count": combinedKvCounts},
 	}
 	usageMetrics = append(usageMetrics, map[string]interface{}{
 		"metric_name": "static_secrets",
@@ -148,18 +352,16 @@ func (b *SystemBackend) buildMonthBillingData(ctx context.Context, month time.Ti
 		},
 	})
 
-	dataProtectionDetails := []map[string]interface{}{}
-	if transitCounts > 0 {
-		dataProtectionDetails = append(dataProtectionDetails, map[string]interface{}{"type": "transit", "count": transitCounts})
-	}
-	if transformCounts > 0 {
-		dataProtectionDetails = append(dataProtectionDetails, map[string]interface{}{"type": "transform", "count": transformCounts})
+	dataProtectionDetails := []map[string]interface{}{
+		{"type": "transit", "count": transitCounts},
+		{"type": "transform", "count": transformCounts},
+		{"type": "gcpkms", "count": gcpKmsCounts},
 	}
 
 	usageMetrics = append(usageMetrics, map[string]interface{}{
 		"metric_name": "data_protection_calls",
 		"metric_data": map[string]interface{}{
-			"total":          transitCounts + transformCounts,
+			"total":          transitCounts + transformCounts + gcpKmsCounts,
 			"metric_details": dataProtectionDetails,
 		},
 	})
@@ -170,12 +372,9 @@ func (b *SystemBackend) buildMonthBillingData(ctx context.Context, month time.Ti
 	}
 	usageMetrics = append(usageMetrics, pkiMetric)
 
-	managedKeysDetails := []map[string]interface{}{}
-	if combinedManagedKeyCounts.TotpKeys > 0 {
-		managedKeysDetails = append(managedKeysDetails, map[string]interface{}{"type": "totp", "count": combinedManagedKeyCounts.TotpKeys})
-	}
-	if combinedManagedKeyCounts.KmseKeys > 0 {
-		managedKeysDetails = append(managedKeysDetails, map[string]interface{}{"type": "kmse", "count": combinedManagedKeyCounts.KmseKeys})
+	managedKeysDetails := []map[string]interface{}{
+		{"type": "totp", "count": combinedManagedKeyCounts.TotpKeys},
+		{"type": "kmse", "count": combinedManagedKeyCounts.KmseKeys},
 	}
 	usageMetrics = append(usageMetrics, map[string]interface{}{
 		"metric_name": "managed_keys",
@@ -185,27 +384,30 @@ func (b *SystemBackend) buildMonthBillingData(ctx context.Context, month time.Ti
 		},
 	})
 
-	// Determine updated_at timestamp based on whether data was refreshed
-	var dataUpdatedAt time.Time
-	if refreshData {
-		// Data was just refreshed, use current time and update the stored timestamp
-		dataUpdatedAt = time.Now().UTC()
-		b.Core.consumptionBilling.LastMetricsUpdate.Store(dataUpdatedAt)
-	} else {
-		// Data was not refreshed, use the last time metrics were updated by the background worker
-		lastUpdate := b.Core.consumptionBilling.LastMetricsUpdate.Load()
-		if lastUpdate != nil {
-			if t, ok := lastUpdate.(time.Time); ok && !t.IsZero() {
-				dataUpdatedAt = t
-			} else {
-				// Fallback to end of month if timestamp not available
-				dataUpdatedAt = timeutil.StartOfMonth(month.AddDate(0, 1, 0)).Add(-time.Second).UTC()
-			}
-		} else {
-			// Fallback to end of month if timestamp not available
-			dataUpdatedAt = timeutil.StartOfMonth(month.AddDate(0, 1, 0)).Add(-time.Second).UTC()
-		}
+	sshCounts, err := b.buildSSHMetric(ctx, month)
+	if err != nil {
+		return nil, err
 	}
+	usageMetrics = append(usageMetrics, sshCounts)
+
+	idTokenUnitsMetric, err := b.buildIdTokenUnitsBillingMetric(ctx, month)
+	if err != nil {
+		return nil, err
+	}
+	usageMetrics = append(usageMetrics, idTokenUnitsMetric)
+
+	externalCaMetric, err := b.buildExternalCaBillingMetric(ctx, month)
+	if err != nil {
+		return nil, err
+	}
+	usageMetrics = append(usageMetrics, externalCaMetric)
+
+	// Round all float64 values in usageMetrics to 4 decimal places.
+	// Rounding time for usage metrics is insignificant, so we can keep it centralized here.
+	// This prevents us from having to do it in each individual metric.
+	roundUsageMetrics(usageMetrics)
+
+	dataUpdatedAt := b.Core.computeUpdatedAt(ctx, month, currentMonth)
 
 	monthStr := month.Format("2006-01")
 
@@ -216,66 +418,118 @@ func (b *SystemBackend) buildMonthBillingData(ctx context.Context, month time.Ti
 	}, nil
 }
 
+// roundUsageMetrics rounds all float64 values in the usage metrics to 4 decimal places
+func roundUsageMetrics(metrics []map[string]interface{}) {
+	for _, metric := range metrics {
+		if metricData, ok := metric["metric_data"].(map[string]interface{}); ok {
+			// Round the total if it's a float64
+			if total, ok := metricData["total"].(float64); ok {
+				metricData["total"] = roundToFour(total)
+			}
+
+			// Round values in metric_details if present
+			if details, ok := metricData["metric_details"].([]map[string]interface{}); ok {
+				for _, detail := range details {
+					if count, ok := detail["count"].(float64); ok {
+						detail["count"] = roundToFour(count)
+					}
+				}
+			}
+		}
+	}
+}
+
+// roundToFour takes a float64 and rounds it to 4 decimal places.
+func roundToFour(val float64) float64 {
+	ratio := math.Pow(10, 4)
+	return math.Round(val*ratio) / ratio
+}
+
+// computeUpdatedAt determines the appropriate updated_at timestamp for billing data
+func (c *Core) computeUpdatedAt(ctx context.Context, month, currentMonth time.Time) time.Time {
+	var dataUpdatedAt time.Time
+	isCurrentMonth := timeutil.StartOfMonth(month).Equal(currentMonth)
+	if isCurrentMonth {
+		// Use the last time metrics were updated. If it is zero, it means the data has not
+		// been updated yet for the current month.
+		lastUpdate, err := c.GetMetricsLastUpdateTime(ctx, currentMonth)
+		if err != nil {
+			// Avoid logging raw error contents which may include sensitive information.
+			c.logger.Error("error retrieving last metrics update time")
+			return time.Time{}
+		}
+		dataUpdatedAt = lastUpdate
+	} else {
+		// Check presence of a stored metrics timestamp for the requested month.
+		// If present, return the canonical end-of-month for the requested
+		// `month`. The stored timestamp acts strictly as a
+		// presence indicator.
+		requestedMonthStart := timeutil.StartOfMonth(month)
+		requestedMonthTimestamp, err := c.GetMetricsLastUpdateTime(ctx, requestedMonthStart)
+
+		// The requested month has not been updated yet.
+		if err != nil || requestedMonthTimestamp.IsZero() {
+			return time.Time{}
+		}
+
+		// Use requested month's canonical end-of-month.
+		dataUpdatedAt = timeutil.EndOfMonth(month).UTC()
+	}
+
+	return dataUpdatedAt
+}
+
 // buildDynamicRolesMetric creates the dynamic_roles metric from role counts.
 func buildDynamicRolesMetric(counts *RoleCounts) map[string]interface{} {
 	total := 0
+	awsCount := 0
+	azureCount := 0
+	databaseCount := 0
+	gcpCount := 0
+	ldapCount := 0
+	openldapCount := 0
+	alicloudCount := 0
+	rabbitmqCount := 0
+	consulCount := 0
+	nomadCount := 0
+	kubernetesCount := 0
+	mongodbatlasCount := 0
+	terraformCount := 0
+
 	if counts != nil {
-		total = counts.AWSDynamicRoles +
-			counts.AzureDynamicRoles +
-			counts.DatabaseDynamicRoles +
-			counts.GCPRolesets +
-			counts.LDAPDynamicRoles +
-			counts.OpenLDAPDynamicRoles +
-			counts.AlicloudDynamicRoles +
-			counts.RabbitMQDynamicRoles +
-			counts.ConsulDynamicRoles +
-			counts.NomadDynamicRoles +
-			counts.KubernetesDynamicRoles +
-			counts.MongoDBAtlasDynamicRoles +
-			counts.TerraformCloudDynamicRoles
+		awsCount = counts.AWSDynamicRoles
+		azureCount = counts.AzureDynamicRoles
+		databaseCount = counts.DatabaseDynamicRoles
+		gcpCount = counts.GCPRolesets
+		ldapCount = counts.LDAPDynamicRoles
+		openldapCount = counts.OpenLDAPDynamicRoles
+		alicloudCount = counts.AlicloudDynamicRoles
+		rabbitmqCount = counts.RabbitMQDynamicRoles
+		consulCount = counts.ConsulDynamicRoles
+		nomadCount = counts.NomadDynamicRoles
+		kubernetesCount = counts.KubernetesDynamicRoles
+		mongodbatlasCount = counts.MongoDBAtlasDynamicRoles
+		terraformCount = counts.TerraformCloudDynamicRoles
+
+		total = awsCount + azureCount + databaseCount + gcpCount + ldapCount +
+			openldapCount + alicloudCount + rabbitmqCount + consulCount +
+			nomadCount + kubernetesCount + mongodbatlasCount + terraformCount
 	}
 
-	details := []map[string]interface{}{}
-	if counts != nil {
-		if counts.AWSDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "aws_dynamic", "count": counts.AWSDynamicRoles})
-		}
-		if counts.AzureDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "azure_dynamic", "count": counts.AzureDynamicRoles})
-		}
-		if counts.DatabaseDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "database_dynamic", "count": counts.DatabaseDynamicRoles})
-		}
-		if counts.GCPRolesets > 0 {
-			details = append(details, map[string]interface{}{"type": "gcp_dynamic", "count": counts.GCPRolesets})
-		}
-		if counts.LDAPDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "ldap_dynamic", "count": counts.LDAPDynamicRoles})
-		}
-		if counts.OpenLDAPDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "openldap_dynamic", "count": counts.OpenLDAPDynamicRoles})
-		}
-		if counts.AlicloudDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "alicloud_dynamic", "count": counts.AlicloudDynamicRoles})
-		}
-		if counts.RabbitMQDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "rabbitmq_dynamic", "count": counts.RabbitMQDynamicRoles})
-		}
-		if counts.ConsulDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "consul_dynamic", "count": counts.ConsulDynamicRoles})
-		}
-		if counts.NomadDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "nomad_dynamic", "count": counts.NomadDynamicRoles})
-		}
-		if counts.KubernetesDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "kubernetes_dynamic", "count": counts.KubernetesDynamicRoles})
-		}
-		if counts.MongoDBAtlasDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "mongodbatlas_dynamic", "count": counts.MongoDBAtlasDynamicRoles})
-		}
-		if counts.TerraformCloudDynamicRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "terraform_dynamic", "count": counts.TerraformCloudDynamicRoles})
-		}
+	details := []map[string]interface{}{
+		{"type": "aws_dynamic", "count": awsCount},
+		{"type": "azure_dynamic", "count": azureCount},
+		{"type": "database_dynamic", "count": databaseCount},
+		{"type": "gcp_dynamic", "count": gcpCount},
+		{"type": "ldap_dynamic", "count": ldapCount},
+		{"type": "openldap_dynamic", "count": openldapCount},
+		{"type": "alicloud_dynamic", "count": alicloudCount},
+		{"type": "rabbitmq_dynamic", "count": rabbitmqCount},
+		{"type": "consul_dynamic", "count": consulCount},
+		{"type": "nomad_dynamic", "count": nomadCount},
+		{"type": "kubernetes_dynamic", "count": kubernetesCount},
+		{"type": "mongodbatlas_dynamic", "count": mongodbatlasCount},
+		{"type": "terraform_dynamic", "count": terraformCount},
 	}
 
 	return map[string]interface{}{
@@ -290,39 +544,38 @@ func buildDynamicRolesMetric(counts *RoleCounts) map[string]interface{} {
 // buildAutoRotatedRolesMetric creates the auto_rotated_roles metric from role counts.
 func buildAutoRotatedRolesMetric(counts *RoleCounts) map[string]interface{} {
 	total := 0
+	awsCount := 0
+	azureCount := 0
+	databaseCount := 0
+	gcpStaticCount := 0
+	gcpImpersonatedCount := 0
+	ldapCount := 0
+	openldapCount := 0
+	osLocalAccountCount := 0
+
 	if counts != nil {
-		total = counts.AWSStaticRoles +
-			counts.AzureStaticRoles +
-			counts.DatabaseStaticRoles +
-			counts.GCPStaticAccounts +
-			counts.GCPImpersonatedAccounts +
-			counts.LDAPStaticRoles +
-			counts.OpenLDAPStaticRoles
+		awsCount = counts.AWSStaticRoles
+		azureCount = counts.AzureStaticRoles
+		databaseCount = counts.DatabaseStaticRoles
+		gcpStaticCount = counts.GCPStaticAccounts
+		gcpImpersonatedCount = counts.GCPImpersonatedAccounts
+		ldapCount = counts.LDAPStaticRoles
+		openldapCount = counts.OpenLDAPStaticRoles
+		osLocalAccountCount = counts.OSLocalAccountRoles
+
+		total = awsCount + azureCount + databaseCount + gcpStaticCount +
+			gcpImpersonatedCount + ldapCount + openldapCount + osLocalAccountCount
 	}
 
-	details := []map[string]interface{}{}
-	if counts != nil {
-		if counts.AWSStaticRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "aws_static", "count": counts.AWSStaticRoles})
-		}
-		if counts.AzureStaticRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "azure_static", "count": counts.AzureStaticRoles})
-		}
-		if counts.DatabaseStaticRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "database_static", "count": counts.DatabaseStaticRoles})
-		}
-		if counts.GCPStaticAccounts > 0 {
-			details = append(details, map[string]interface{}{"type": "gcp_static", "count": counts.GCPStaticAccounts})
-		}
-		if counts.GCPImpersonatedAccounts > 0 {
-			details = append(details, map[string]interface{}{"type": "gcp_impersonated", "count": counts.GCPImpersonatedAccounts})
-		}
-		if counts.LDAPStaticRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "ldap_static", "count": counts.LDAPStaticRoles})
-		}
-		if counts.OpenLDAPStaticRoles > 0 {
-			details = append(details, map[string]interface{}{"type": "openldap_static", "count": counts.OpenLDAPStaticRoles})
-		}
+	details := []map[string]interface{}{
+		{"type": "aws_static", "count": awsCount},
+		{"type": "azure_static", "count": azureCount},
+		{"type": "database_static", "count": databaseCount},
+		{"type": "gcp_static", "count": gcpStaticCount},
+		{"type": "gcp_impersonated", "count": gcpImpersonatedCount},
+		{"type": "ldap_static", "count": ldapCount},
+		{"type": "openldap_static", "count": openldapCount},
+		{"type": "os_local_account_static", "count": osLocalAccountCount},
 	}
 
 	return map[string]interface{}{
@@ -342,7 +595,54 @@ func (b *SystemBackend) buildPkiBillingMetric(ctx context.Context, month time.Ti
 	}
 
 	return map[string]interface{}{
-		"metric_name": pkiDurationAjustedCountMetricName,
+		"metric_name": "pki_units",
+		"metric_data": map[string]interface{}{
+			"total": count,
+		},
+	}, nil
+}
+
+// buildIdTokenUnitsBillingMetric creates the billing metric for id token counts.
+func (b *SystemBackend) buildIdTokenUnitsBillingMetric(ctx context.Context, month time.Time) (map[string]interface{}, error) {
+	var totalTokens float64
+
+	oidcTokenCount, err := b.Core.GetStoredOidcDurationAdjustedCount(ctx, month)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving OIDC duration-adjusted token count for month: %w", err)
+	}
+
+	totalTokens += oidcTokenCount
+
+	spiffeJwtUnits, err := b.Core.GetStoredSpiffeJwtTokenUnits(ctx, month)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving JWT Spiffe duration-adjusted token count for month: %w", err)
+	}
+
+	totalTokens += spiffeJwtUnits
+
+	idTokenDetails := []map[string]interface{}{
+		{"type": "oidc", "count": oidcTokenCount},
+		{"type": "spiffe", "count": spiffeJwtUnits},
+	}
+
+	return map[string]interface{}{
+		"metric_name": "id_token_units",
+		"metric_data": map[string]interface{}{
+			"total":          totalTokens,
+			"metric_details": idTokenDetails,
+		},
+	}, nil
+}
+
+// buildExternalCaBillingMetric creates the billing metric for external CA certificate counts.
+func (b *SystemBackend) buildExternalCaBillingMetric(ctx context.Context, month time.Time) (map[string]interface{}, error) {
+	count, err := b.Core.GetStoredExternalCaCertUnits(ctx, month)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving external CA certificate units for month: %w", err)
+	}
+
+	return map[string]interface{}{
+		"metric_name": "external_ca_pki_units",
 		"metric_data": map[string]interface{}{
 			"total": count,
 		},
@@ -350,61 +650,38 @@ func (b *SystemBackend) buildPkiBillingMetric(ctx context.Context, month time.Ti
 }
 
 // getRoleCounts retrieves and combines role and managed key counts from replicated and local storage
-func (c *Core) getRoleAndManagedKeyCounts(ctx context.Context, month time.Time, updateCounts bool) (*RoleCounts, *ManagedKeyCounts, error) {
+func (c *Core) getRoleAndManagedKeyCounts(ctx context.Context, month time.Time) (*RoleCounts, *ManagedKeyCounts, error) {
 	var replicatedRoleCounts *RoleCounts
-	var replicatedManagedKeyCounts *ManagedKeyCounts
 	replicatedTotpHWMValue := 0
 	replicatedKmseHWMValue := 0
 	var err error
 
 	if c.isPrimary() {
-		if updateCounts {
-			replicatedRoleCounts, replicatedManagedKeyCounts, err = c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.ReplicatedPrefix, month)
-			if err != nil {
-				return nil, nil, fmt.Errorf("error updating replicated max role and managed key counts: %w", err)
-			}
-			replicatedTotpHWMValue = replicatedManagedKeyCounts.TotpKeys
-			replicatedKmseHWMValue = replicatedManagedKeyCounts.KmseKeys
-		} else {
-			replicatedRoleCounts, err = c.GetStoredHWMRoleCounts(ctx, billing.ReplicatedPrefix, month)
-			if err != nil {
-				return nil, nil, fmt.Errorf("error retrieving replicated max role counts: %w", err)
-			}
-			replicatedTotpHWMValue, err = c.GetStoredHWMTotpCounts(ctx, billing.ReplicatedPrefix, month)
-			if err != nil {
-				return nil, nil, fmt.Errorf("error retrieving replicated max managed key count: %w", err)
-			}
-			replicatedKmseHWMValue, err = c.GetStoredHWMKmseCounts(ctx, billing.ReplicatedPrefix, month)
-			if err != nil {
-				return nil, nil, fmt.Errorf("error retrieving replicated max kmse key count: %w", err)
-			}
+		replicatedRoleCounts, err = c.GetStoredHWMRoleCounts(ctx, billing.ReplicatedPrefix, month)
+		if err != nil {
+			return nil, nil, fmt.Errorf("error retrieving replicated max role counts: %w", err)
+		}
+		replicatedTotpHWMValue, err = c.GetStoredHWMTotpCounts(ctx, billing.ReplicatedPrefix, month)
+		if err != nil {
+			return nil, nil, fmt.Errorf("error retrieving replicated max managed key count: %w", err)
+		}
+		replicatedKmseHWMValue, err = c.GetStoredHWMKmseCounts(ctx, billing.ReplicatedPrefix, month)
+		if err != nil {
+			return nil, nil, fmt.Errorf("error retrieving replicated max kmse key count: %w", err)
 		}
 	}
 
-	var localRoleCounts *RoleCounts
-	var localManagedKeyCounts *ManagedKeyCounts
-	localTotpHWMValue := 0
-	localKmseHWMValue := 0
-	if updateCounts {
-		localRoleCounts, localManagedKeyCounts, err = c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.LocalPrefix, month)
-		if err != nil {
-			return nil, nil, fmt.Errorf("error updating local max role and managed key counts: %w", err)
-		}
-		localTotpHWMValue = localManagedKeyCounts.TotpKeys
-		localKmseHWMValue = localManagedKeyCounts.KmseKeys
-	} else {
-		localRoleCounts, err = c.GetStoredHWMRoleCounts(ctx, billing.LocalPrefix, month)
-		if err != nil {
-			return nil, nil, fmt.Errorf("error retrieving local max role counts: %w", err)
-		}
-		localTotpHWMValue, err = c.GetStoredHWMTotpCounts(ctx, billing.LocalPrefix, month)
-		if err != nil {
-			return nil, nil, fmt.Errorf("error retrieving local max totp key count: %w", err)
-		}
-		localKmseHWMValue, err = c.GetStoredHWMKmseCounts(ctx, billing.LocalPrefix, month)
-		if err != nil {
-			return nil, nil, fmt.Errorf("error retrieving local max kmse key count: %w", err)
-		}
+	localRoleCounts, err := c.GetStoredHWMRoleCounts(ctx, billing.LocalPrefix, month)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error retrieving local max role counts: %w", err)
+	}
+	localTotpHWMValue, err := c.GetStoredHWMTotpCounts(ctx, billing.LocalPrefix, month)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error retrieving local max totp key count: %w", err)
+	}
+	localKmseHWMValue, err := c.GetStoredHWMKmseCounts(ctx, billing.LocalPrefix, month)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error retrieving local max kmse key count: %w", err)
 	}
 
 	combinedManagedKeyCounts := &ManagedKeyCounts{
@@ -416,106 +693,90 @@ func (c *Core) getRoleAndManagedKeyCounts(ctx context.Context, month time.Time,
 }
 
 // getKvCounts retrieves and combines KV secret counts from replicated and local storage
-func (c *Core) getKvCounts(ctx context.Context, month time.Time, updateCounts bool) (int, error) {
+func (c *Core) getKvCounts(ctx context.Context, month time.Time) (int, error) {
 	var replicatedKvCounts int
 	var err error
 
 	if c.isPrimary() {
-		if updateCounts {
-			replicatedKvCounts, err = c.UpdateMaxKvCounts(ctx, billing.ReplicatedPrefix, month)
-			if err != nil {
-				return 0, fmt.Errorf("error updating replicated max kv counts: %w", err)
-			}
-		} else {
-			replicatedKvCounts, err = c.GetStoredHWMKvCounts(ctx, billing.ReplicatedPrefix, month)
-			if err != nil {
-				return 0, fmt.Errorf("error retrieving replicated max kv counts: %w", err)
-			}
+		replicatedKvCounts, err = c.GetStoredHWMKvCounts(ctx, billing.ReplicatedPrefix, month)
+		if err != nil {
+			return 0, fmt.Errorf("error retrieving replicated max kv counts: %w", err)
 		}
 	}
 
-	var localKvCounts int
-	if updateCounts {
-		localKvCounts, err = c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, month)
-		if err != nil {
-			return 0, fmt.Errorf("error updating local max kv counts: %w", err)
-		}
-	} else {
-		localKvCounts, err = c.GetStoredHWMKvCounts(ctx, billing.LocalPrefix, month)
-		if err != nil {
-			return 0, fmt.Errorf("error retrieving local max kv counts: %w", err)
-		}
+	localKvCounts, err := c.GetStoredHWMKvCounts(ctx, billing.LocalPrefix, month)
+	if err != nil {
+		return 0, fmt.Errorf("error retrieving local max kv counts: %w", err)
 	}
 
 	return replicatedKvCounts + localKvCounts, nil
 }
 
-// getDataProtectionCounts retrieves Transit and Transform call counts
+// getDataProtectionCounts retrieves Transit, Transform, and GCP KMS call counts
 // Data protection call counts are stored at local path only
 // Each cluster tracks its own total requests to avoid double counting
-func (c *Core) getDataProtectionCounts(ctx context.Context, month time.Time, updateCounts bool) (uint64, uint64, error) {
-	var transitCounts, transformCounts uint64
-	var err error
-
-	if updateCounts {
-		transitCounts, err = c.UpdateTransitCallCounts(ctx, month)
-		if err != nil {
-			return 0, 0, fmt.Errorf("error updating local transit call counts: %w", err)
-		}
-		transformCounts, err = c.UpdateTransformCallCounts(ctx, month)
-		if err != nil {
-			return 0, 0, fmt.Errorf("error updating local transform call counts: %w", err)
-		}
-	} else {
-		transitCounts, err = c.GetStoredTransitCallCounts(ctx, month)
-		if err != nil {
-			return 0, 0, fmt.Errorf("error retrieving local transit call counts: %w", err)
-		}
-		transformCounts, err = c.GetStoredTransformCallCounts(ctx, month)
-		if err != nil {
-			return 0, 0, fmt.Errorf("error retrieving local transform call counts: %w", err)
-		}
+func (c *Core) getDataProtectionCounts(ctx context.Context, month time.Time) (uint64, uint64, uint64, error) {
+	transitCounts, err := c.GetStoredTransitCallCounts(ctx, month)
+	if err != nil {
+		return 0, 0, 0, fmt.Errorf("error retrieving local transit call counts: %w", err)
+	}
+	transformCounts, err := c.GetStoredTransformCallCounts(ctx, month)
+	if err != nil {
+		return 0, 0, 0, fmt.Errorf("error retrieving local transform call counts: %w", err)
+	}
+	gcpKmsCounts, err := c.GetStoredGcpKmsCallCounts(ctx, month)
+	if err != nil {
+		return 0, 0, 0, fmt.Errorf("error retrieving local GCP KMS call counts: %w", err)
 	}
 
-	return transitCounts, transformCounts, nil
+	return transitCounts, transformCounts, gcpKmsCounts, nil
 }
 
 // getKmipStatus retrieves KMIP enabled status (always stored at local path)
-func (c *Core) getKmipStatus(ctx context.Context, month time.Time, updateCounts bool) (bool, error) {
-	var kmipEnabled bool
-	var err error
-
-	if updateCounts {
-		kmipEnabled, err = c.UpdateKmipEnabled(ctx, month)
-		if err != nil {
-			return false, fmt.Errorf("error updating KMIP enabled status: %w", err)
-		}
-	} else {
-		kmipEnabled, err = c.GetStoredKmipEnabled(ctx, month)
-		if err != nil {
-			return false, fmt.Errorf("error retrieving KMIP enabled status: %w", err)
-		}
+func (c *Core) getKmipStatus(ctx context.Context, month time.Time) (bool, error) {
+	kmipEnabled, err := c.GetStoredKmipEnabled(ctx, month)
+	if err != nil {
+		return false, fmt.Errorf("error retrieving KMIP enabled status: %w", err)
 	}
 
 	return kmipEnabled, nil
 }
 
 // getThirdPartyPluginCounts retrieves third-party plugin counts (always stored at local path)
-func (c *Core) getThirdPartyPluginCounts(ctx context.Context, month time.Time, updateCounts bool) (int, error) {
-	var thirdPartyPluginCounts int
-	var err error
-
-	if updateCounts {
-		thirdPartyPluginCounts, err = c.UpdateMaxThirdPartyPluginCounts(ctx, month)
-		if err != nil {
-			return 0, fmt.Errorf("error updating third-party plugin counts: %w", err)
-		}
-	} else {
-		thirdPartyPluginCounts, err = c.GetStoredThirdPartyPluginCounts(ctx, month)
-		if err != nil {
-			return 0, fmt.Errorf("error retrieving third-party plugin counts: %w", err)
-		}
+func (c *Core) getThirdPartyPluginCounts(ctx context.Context, month time.Time) (int, error) {
+	thirdPartyPluginCounts, err := c.GetStoredThirdPartyPluginCounts(ctx, month)
+	if err != nil {
+		return 0, fmt.Errorf("error retrieving third-party plugin counts: %w", err)
 	}
 
 	return thirdPartyPluginCounts, nil
 }
+
+func (b *SystemBackend) buildSSHMetric(ctx context.Context, month time.Time) (map[string]interface{}, error) {
+	certCounts, err := b.Core.GetStoredSSHDurationAdjustedCertCount(ctx, month)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving SSH duration-adjuested cert counts for current month: %w", err)
+	}
+
+	otpCounts, err := b.Core.GetStoredSSHOTPCount(ctx, month)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving SSH OTP counts for current month: %w", err)
+	}
+
+	return map[string]interface{}{
+		"metric_name": "ssh_units",
+		"metric_data": map[string]interface{}{
+			"total": certCounts + float64(otpCounts),
+			"metric_details": []map[string]interface{}{
+				{
+					"type":  "otp_units",
+					"count": otpCounts,
+				},
+				{
+					"type":  "certificate_units",
+					"count": certCounts,
+				},
+			},
+		},
+	}, nil
+}
diff --git a/vault/logical_system_use_case_billing_pki_test.go b/vault/logical_system_use_case_billing_pki_test.go
index 81748ed2ea..34aa98f741 100644
--- a/vault/logical_system_use_case_billing_pki_test.go
+++ b/vault/logical_system_use_case_billing_pki_test.go
@@ -90,8 +90,7 @@ func TestGeneratePkiBillingMetric(t *testing.T) {
 		overview, err := backend.buildPkiBillingMetric(ctx, month)
 		require.NoError(t, err)
 
-		// Verify it uses the constant pkiDurationAjustedCountMetricName
-		require.Equal(t, pkiDurationAjustedCountMetricName, overview["metric_name"])
+		// Verify it uses the right metric name
 		require.Equal(t, "pki_units", overview["metric_name"])
 	})
 }
diff --git a/vault/logical_system_use_case_billing_test.go b/vault/logical_system_use_case_billing_test.go
index c0bec91b18..38fa6fec34 100644
--- a/vault/logical_system_use_case_billing_test.go
+++ b/vault/logical_system_use_case_billing_test.go
@@ -11,6 +11,7 @@ import (
 	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
 	logicalAws "github.com/hashicorp/vault/builtin/logical/aws"
 	logicalDatabase "github.com/hashicorp/vault/builtin/logical/database"
+	logicalSsh "github.com/hashicorp/vault/builtin/logical/ssh"
 	logicalTransit "github.com/hashicorp/vault/builtin/logical/transit"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/helper/pluginconsts"
@@ -20,11 +21,11 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// TestSystemBackend_BillingOverview verifies that the billing overview endpoint
-// returns the correct response structure with current and previous month data.
+// TestSystemBackend_BillingOverviewMonthFormat verifies that the billing overview endpoint
+// returns the correct response structure with billing.BillingRetentionMonths of data.
 // It validates the response format, month strings (YYYY-MM), RFC3339 timestamps,
-// and ensures both months are present in the response.
-func TestSystemBackend_BillingOverview(t *testing.T) {
+// and ensures all months are present in the response with correct formatting.
+func TestSystemBackend_BillingOverviewMonthFormat(t *testing.T) {
 	_, b, _ := testCoreSystemBackend(t)
 	ctx := namespace.RootContext(nil)
 
@@ -38,47 +39,301 @@ func TestSystemBackend_BillingOverview(t *testing.T) {
 	// Verify the response structure
 	months, ok := resp.Data["months"].([]interface{})
 	require.True(t, ok, "months should be a slice")
-	require.Len(t, months, 2, "should have current and previous month")
+	require.Len(t, months, billing.DefaultBillingRetentionMonths, "should have billing.DefaultBillingRetentionMonths months")
 
-	// Verify current month structure
-	currentMonth, ok := months[0].(map[string]interface{})
-	require.True(t, ok, "current month should be a map")
-	require.Contains(t, currentMonth, "month")
-	require.Contains(t, currentMonth, "updated_at")
-	require.Contains(t, currentMonth, "usage_metrics")
-
-	// Verify month format (YYYY-MM)
-	monthStr, ok := currentMonth["month"].(string)
-	require.True(t, ok)
-	require.Regexp(t, `^\d{4}-\d{2}$`, monthStr)
-
-	// Verify updated_at format (RFC3339)
-	updatedAt, ok := currentMonth["updated_at"].(string)
-	require.True(t, ok)
-	_, err = time.Parse(time.RFC3339, updatedAt)
-	require.NoError(t, err, "updated_at should be valid RFC3339 timestamp")
-
-	// Verify usage_metrics is a slice
-	_, ok = currentMonth["usage_metrics"].([]map[string]interface{})
-	require.True(t, ok, "usage_metrics should be a slice of maps")
-
-	// Verify previous month structure
-	previousMonth, ok := months[1].(map[string]interface{})
-	require.True(t, ok, "previous month should be a map")
-	require.Contains(t, previousMonth, "month")
-	require.Contains(t, previousMonth, "updated_at")
-	require.Contains(t, previousMonth, "usage_metrics")
-
-	// Verify that current month is actually current
 	now := time.Now()
-	expectedCurrentMonth := now.Format("2006-01")
-	require.Equal(t, expectedCurrentMonth, monthStr)
+	currentMonthStart := timeutil.StartOfMonth(now)
 
-	// Verify that previous month is actually previous
-	prevMonthStr, ok := previousMonth["month"].(string)
-	require.True(t, ok)
-	expectedPreviousMonth := timeutil.StartOfPreviousMonth(now).Format("2006-01")
-	require.Equal(t, expectedPreviousMonth, prevMonthStr)
+	// Loop through all months and verify format
+	for i := 0; i < billing.DefaultBillingRetentionMonths; i++ {
+		monthData, ok := months[i].(map[string]interface{})
+		require.True(t, ok, "month %d should be a map", i)
+
+		// Verify all required fields are present
+		require.Contains(t, monthData, "month", "month %d should have 'month' field", i)
+		require.Contains(t, monthData, "updated_at", "month %d should have 'updated_at' field", i)
+		require.Contains(t, monthData, "usage_metrics", "month %d should have 'usage_metrics' field", i)
+
+		// Verify month format (YYYY-MM)
+		monthStr, ok := monthData["month"].(string)
+		require.True(t, ok, "month %d 'month' should be a string", i)
+		require.Regexp(t, `^\d{4}-\d{2}$`, monthStr, "month %d should match YYYY-MM format", i)
+
+		// Verify the month string matches expected value
+		expectedMonthTime := currentMonthStart.AddDate(0, -i, 0)
+		expectedMonth := expectedMonthTime.Format("2006-01")
+		require.Equal(t, expectedMonth, monthStr, "month %d should match expected format", i)
+
+		// Verify updated_at format
+		updatedAt, ok := monthData["updated_at"].(string)
+		require.True(t, ok, "month %d 'updated_at' should be a string", i)
+		_, err = time.Parse(time.RFC3339, updatedAt)
+		require.NoError(t, err, "month %d updated_at should be valid RFC3339 timestamp", i)
+
+		// Verify usage_metrics is a slice
+		_, ok = monthData["usage_metrics"].([]map[string]interface{})
+		require.True(t, ok, "month %d usage_metrics should be a slice of maps", i)
+	}
+}
+
+// TestSystemBackend_BillingOverview_StartEndMonthParams tests the billing overview
+// endpoint with different combinations of start_month and end_month parameters. It
+// verifies that the correct range of months is returned along with any expected warnings
+// or errors.
+func TestSystemBackend_BillingOverview_StartEndMonthParams(t *testing.T) {
+	now := time.Now().UTC()
+	currentMonth := now.Format("2006-01")
+	previousMonth := timeutil.StartOfPreviousMonth(now).Format("2006-01")
+	nextMonth := timeutil.StartOfNextMonth(now).Format("2006-01")
+	twoMonthsAfterCurrent := timeutil.StartOfMonth(now).AddDate(0, 2, 0).Format("2006-01")
+	retentionStart := timeutil.StartOfMonth(now).AddDate(0, -billing.DefaultBillingRetentionMonths+1, 0).Format("2006-01")
+	beforeRetentionStart := timeutil.StartOfMonth(now).AddDate(0, -billing.DefaultBillingRetentionMonths, 0).Format("2006-01")
+	twoMonthsBeforeRetentionStart := timeutil.StartOfMonth(now).AddDate(0, -billing.DefaultBillingRetentionMonths-1, 0).Format("2006-01")
+
+	testCases := []struct {
+		name            string
+		startMonth      interface{}
+		endMonth        interface{}
+		expectedMonths  int
+		expectedWarning string
+		expectedError   string
+	}{
+		{
+			name:           "start and end in retention period",
+			startMonth:     previousMonth,
+			endMonth:       currentMonth,
+			expectedMonths: 2,
+		},
+		{
+			name:            "start before retention period, default end",
+			startMonth:      beforeRetentionStart,
+			expectedMonths:  billing.DefaultBillingRetentionMonths + 1,
+			expectedWarning: WarningStartEndMonthOutOfRetentionRange,
+		},
+		{
+			name:            "end after retention period, default start",
+			endMonth:        nextMonth,
+			expectedMonths:  billing.DefaultBillingRetentionMonths + 1,
+			expectedWarning: WarningStartEndMonthOutOfRetentionRange,
+		},
+		{
+			name:           "start is exactly start of retention period",
+			startMonth:     retentionStart,
+			endMonth:       previousMonth,
+			expectedMonths: billing.DefaultBillingRetentionMonths - 1,
+		},
+		{
+			name:            "start and end after retention period",
+			startMonth:      nextMonth,
+			endMonth:        twoMonthsAfterCurrent,
+			expectedMonths:  2,
+			expectedWarning: WarningStartEndMonthOutOfRetentionRange,
+		},
+		{
+			name:            "start and end before retention period",
+			startMonth:      twoMonthsBeforeRetentionStart,
+			endMonth:        beforeRetentionStart,
+			expectedMonths:  2,
+			expectedWarning: WarningStartEndMonthOutOfRetentionRange,
+		},
+		{
+			name:          "start after retention period, default end",
+			startMonth:    nextMonth,
+			expectedError: "start_month is later than end_month",
+		},
+		{
+			name:           "no parameters, default start and end",
+			expectedMonths: billing.DefaultBillingRetentionMonths,
+		},
+		{
+			name:          "start after end",
+			startMonth:    previousMonth,
+			endMonth:      retentionStart,
+			expectedError: "start_month is later than end_month",
+		},
+		{
+			name:           "same month",
+			startMonth:     currentMonth,
+			endMonth:       currentMonth,
+			expectedMonths: 1,
+		},
+		{
+			name:          "invalid date format",
+			startMonth:    "2023/01",
+			endMonth:      previousMonth,
+			expectedError: "invalid start_month format",
+		},
+		{
+			name:          "invalid month",
+			startMonth:    "2023-13",
+			endMonth:      previousMonth,
+			expectedError: "invalid start_month format",
+		},
+		{
+			name:          "invalid data type",
+			startMonth:    previousMonth,
+			endMonth:      45,
+			expectedError: "invalid end_month format",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			_, b, _ := testCoreSystemBackend(t)
+			ctx := namespace.RootContext(nil)
+
+			req := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
+			req.Data["start_month"] = test.startMonth
+			req.Data["end_month"] = test.endMonth
+			resp, err := b.HandleRequest(ctx, req)
+
+			if test.expectedError != "" {
+				require.Nil(t, resp)
+				require.Error(t, err)
+				require.Contains(t, err.Error(), test.expectedError)
+				return
+			}
+
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+
+			if test.expectedWarning != "" {
+				require.NotEmpty(t, resp.Warnings)
+				require.Contains(t, resp.Warnings, test.expectedWarning)
+			} else {
+				require.Empty(t, resp.Warnings)
+			}
+
+			// Verify the correct number of months are returned
+			months := resp.Data["months"].([]interface{})
+			require.Len(t, months, test.expectedMonths)
+
+			// expected start and end months are the test parameters if specified,
+			// or default to the retention start and current month
+			var expectedStartMonth, expectedEndMonth string
+			if test.startMonth != nil {
+				expectedStartMonth = test.startMonth.(string)
+			} else {
+				expectedStartMonth = retentionStart
+			}
+			if test.endMonth != nil {
+				expectedEndMonth = test.endMonth.(string)
+			} else {
+				expectedEndMonth = currentMonth
+			}
+
+			// Months are ordered from most recent to oldest, so the first month returned
+			// should be the expected endMonth and the last month the expected startMonth
+			firstMonth, ok := months[0].(map[string]interface{})
+			require.True(t, ok)
+			firstMonthStr, ok := firstMonth["month"].(string)
+			require.True(t, ok)
+			require.Equal(t, expectedEndMonth, firstMonthStr)
+
+			lastMonth, ok := months[len(months)-1].(map[string]interface{})
+			require.True(t, ok)
+			lastMonthStr, ok := lastMonth["month"].(string)
+			require.True(t, ok)
+			require.Equal(t, expectedStartMonth, lastMonthStr)
+		})
+	}
+}
+
+// TestSystemBackend_BillingOverview_StartEndMonthParams_CustomRetention tests that the
+// billing overview endpoint correctly validates start_month and end_month parameters
+// against a custom retention period. This verifies that the retention boundary logic
+// uses the configured retention period rather than the default.
+func TestSystemBackend_BillingOverview_StartEndMonthParams_CustomRetention(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	ctx := namespace.RootContext(nil)
+
+	// Set custom retention to 15 months
+	customRetention := 15
+	err := c.UpdateBillingRetentionMonths(ctx, customRetention)
+	require.NoError(t, err)
+
+	// Verify the custom retention was set
+	retentionMonths, err := c.GetBillingRetentionMonths(ctx)
+	require.NoError(t, err)
+	require.Equal(t, customRetention, retentionMonths)
+
+	now := time.Now().UTC()
+	currentMonth := now.Format("2006-01")
+	previousMonth := timeutil.StartOfPreviousMonth(now).Format("2006-01")
+
+	// With 15 months retention:
+	// - retentionStart is 14 months ago (oldest retained month)
+	// - beforeRetentionStart is 15 months ago (should trigger warning)
+	retentionStart := timeutil.StartOfMonth(now).AddDate(0, -(customRetention - 1), 0).Format("2006-01")
+	beforeRetentionStart := timeutil.StartOfMonth(now).AddDate(0, -customRetention, 0).Format("2006-01")
+	twoMonthsBeforeRetentionStart := timeutil.StartOfMonth(now).AddDate(0, -(customRetention + 1), 0).Format("2006-01")
+
+	testCases := []struct {
+		name            string
+		startMonth      interface{}
+		endMonth        interface{}
+		expectedMonths  int
+		expectedWarning string
+	}{
+		{
+			name:           "start and end within custom retention period",
+			startMonth:     previousMonth,
+			endMonth:       currentMonth,
+			expectedMonths: 2,
+		},
+		{
+			name:            "start before custom retention period",
+			startMonth:      beforeRetentionStart,
+			expectedMonths:  customRetention + 1,
+			expectedWarning: WarningStartEndMonthOutOfRetentionRange,
+		},
+		{
+			name:           "start is exactly start of custom retention period",
+			startMonth:     retentionStart,
+			endMonth:       previousMonth,
+			expectedMonths: customRetention - 1,
+		},
+		{
+			name:            "start and end before custom retention period",
+			startMonth:      twoMonthsBeforeRetentionStart,
+			endMonth:        beforeRetentionStart,
+			expectedMonths:  2,
+			expectedWarning: WarningStartEndMonthOutOfRetentionRange,
+		},
+		{
+			name:           "no parameters with custom retention",
+			expectedMonths: customRetention,
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.name, func(t *testing.T) {
+			req := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
+			if test.startMonth != nil {
+				req.Data["start_month"] = test.startMonth
+			}
+			if test.endMonth != nil {
+				req.Data["end_month"] = test.endMonth
+			}
+
+			resp, err := b.HandleRequest(ctx, req)
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+
+			// Check for expected warning
+			if test.expectedWarning != "" {
+				require.NotNil(t, resp.Warnings)
+				require.Contains(t, resp.Warnings, test.expectedWarning)
+			}
+
+			// Verify the number of months returned matches custom retention
+			months, ok := resp.Data["months"].([]interface{})
+			require.True(t, ok)
+			require.Len(t, months, test.expectedMonths,
+				"should return %d months with custom retention of %d", test.expectedMonths, customRetention)
+		})
+	}
 }
 
 // TestSystemBackend_BillingOverview_WithMetrics tests the billing overview endpoint
@@ -109,7 +364,8 @@ func TestSystemBackend_BillingOverview_WithMetrics(t *testing.T) {
 	require.NotNil(t, kvResp)
 
 	currentMonth := time.Now()
-	_, err = c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth)
+	kvCounts := c.GetKvCounts(billing.LocalPrefix)
+	_, err = c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth, kvCounts)
 	require.NoError(t, err)
 
 	req = logical.TestRequest(t, logical.ReadOperation, "billing/overview")
@@ -121,7 +377,7 @@ func TestSystemBackend_BillingOverview_WithMetrics(t *testing.T) {
 	// Verify the response contains metrics
 	months, ok := resp.Data["months"].([]interface{})
 	require.True(t, ok)
-	require.Len(t, months, 2)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
 
 	currentMonthData, ok := months[0].(map[string]interface{})
 	require.True(t, ok)
@@ -161,17 +417,49 @@ func TestSystemBackend_BillingOverview_WithMetrics(t *testing.T) {
 		}
 	}
 	require.True(t, foundStaticSecrets, "static_secrets metric should be present")
+
+	// Verify that all previous months (without data) have empty usage_metrics
+	currentMonthStart := timeutil.StartOfMonth(currentMonth)
+	for i := 1; i < billing.DefaultBillingRetentionMonths; i++ {
+		monthData, ok := months[i].(map[string]interface{})
+		require.True(t, ok, "month %d should be a map", i)
+
+		// Verify month string format
+		monthStr, ok := monthData["month"].(string)
+		require.True(t, ok, "month %d should have month string", i)
+		expectedMonthTime := currentMonthStart.AddDate(0, -i, 0)
+		expectedMonth := expectedMonthTime.Format("2006-01")
+		require.Equal(t, expectedMonth, monthStr, "month %d should match expected format", i)
+
+		usageMetrics, ok := monthData["usage_metrics"].([]map[string]interface{})
+		require.True(t, ok, "month %d should have usage_metrics", i)
+
+		// Previous months without data should have empty metrics or all zeros
+		if len(usageMetrics) > 0 {
+			// If metrics exist, verify they are all zero
+			for _, metric := range usageMetrics {
+				metricData, ok := metric["metric_data"].(map[string]interface{})
+				if ok {
+					total, ok := metricData["total"].(int)
+					if ok {
+						require.Equal(t, 0, total, "month %d metric total should be 0", i)
+					}
+				}
+			}
+		}
+	}
 }
 
-// TestSystemBackend_BillingOverview_MetricFormats validates that different metric types
+// TestSystemBackend_BillingOverview_MetricTypeFormat validates that different metric types
 // in the billing overview response have the correct data structure.
-func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
+func TestSystemBackend_BillingOverview_MetricTypeFormat(t *testing.T) {
 	c, _, root, _ := TestCoreUnsealedWithMetricsAndConfig(t, &CoreConfig{
 		LogicalBackends: map[string]logical.Factory{
 			pluginconsts.SecretEngineKV:       logicalKv.Factory,
 			pluginconsts.SecretEngineAWS:      logicalAws.Factory,
 			pluginconsts.SecretEngineDatabase: logicalDatabase.Factory,
 			pluginconsts.SecretEngineTransit:  logicalTransit.Factory,
+			pluginconsts.SecretEngineSsh:      logicalSsh.Factory,
 		},
 	})
 	b := c.systemBackend
@@ -233,17 +521,79 @@ func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
 	_, err = c.HandleRequest(ctx, req)
 	require.NoError(t, err)
 
-	// Update all metrics
-	currentMonth := time.Now()
-	_, err = c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth)
+	// Create SSH certificate and OTP
+	req = logical.TestRequest(t, logical.CreateOperation, "sys/mounts/ssh")
+	req.Data["type"] = "ssh"
+	req.ClientToken = root
+	resp, err = c.HandleRequest(ctx, req)
 	require.NoError(t, err)
 
-	_, _, err = c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.LocalPrefix, currentMonth)
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/config/ca")
+	req.ClientToken = root
+	resp, err = c.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/roles/test-cert")
+	req.ClientToken = root
+	req.Data["key_type"] = "ca"
+	req.Data["allow_user_certificates"] = true
+	req.Data["allow_empty_principals"] = true
+	req.Data["ttl"] = "1d"
+	_, err = c.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/issue/test-cert")
+	req.ClientToken = root
+	resp, err = c.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/roles/test-otp")
+	req.ClientToken = root
+	req.Data["key_type"] = "otp"
+	req.Data["default_user"] = "user"
+	_, err = c.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.CreateOperation, "ssh/config/zeroaddress")
+	req.ClientToken = root
+	req.Data["roles"] = "test-otp"
+	_, err = c.HandleRequest(ctx, req)
+	require.NoError(t, err)
+
+	req = logical.TestRequest(t, logical.UpdateOperation, "ssh/creds/test-otp")
+	req.ClientToken = root
+	req.Data["ip"] = "1.2.3.4"
+	resp, err = c.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.Nil(t, resp.Error())
+
+	// Update all metrics
+	currentMonth := time.Now()
+	// Collect metrics once before updating all max counts
+	metrics, err := c.CountMetricsFromMounts(true)
+	require.NoError(t, err)
+	_, err = c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth, metrics.LocalKvCounts)
+	require.NoError(t, err)
+
+	_, _, err = c.UpdateMaxRoleAndManagedKeyCounts(ctx, billing.LocalPrefix, currentMonth, metrics.LocalRoleCounts, metrics.LocalManagedKeys)
 	require.NoError(t, err)
 
 	_, err = c.UpdateTransitCallCounts(ctx, currentMonth)
 	require.NoError(t, err)
 
+	_, err = c.UpdateStoredSSHDurationAdjustedCertCount(ctx, currentMonth, c.certCountManager.GetCounts().SSHIssuedCerts)
+	require.NoError(t, err)
+
+	_, err = c.UpdateStoredSSHOTPCount(ctx, currentMonth, c.certCountManager.GetCounts().SSHIssuedOTPs)
+	require.NoError(t, err)
+
+	// Write GCP KMS count directly to storage
+	c.consumptionBilling.BillingStorageLock.Lock()
+	err = c.storeGcpKmsCallCountsLocked(ctx, uint64(5), billing.LocalPrefix, currentMonth)
+	c.consumptionBilling.BillingStorageLock.Unlock()
+	require.NoError(t, err)
+
 	// Make a request to the billing overview endpoint
 	req = logical.TestRequest(t, logical.ReadOperation, "billing/overview")
 	req.Data["refresh_data"] = true
@@ -253,7 +603,7 @@ func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
 
 	months, ok := resp.Data["months"].([]interface{})
 	require.True(t, ok)
-	require.Len(t, months, 2)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
 
 	currentMonthData, ok := months[0].(map[string]interface{})
 	require.True(t, ok)
@@ -336,7 +686,7 @@ func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
 			require.Contains(t, metricData, "total")
 			total, ok := metricData["total"].(uint64)
 			require.True(t, ok)
-			require.Equal(t, total, uint64(1))
+			require.Equal(t, total, uint64(6)) // 1 transit + 5 gcpkms
 
 			require.Contains(t, metricData, "metric_details")
 			metricDetails, ok := metricData["metric_details"].([]map[string]interface{})
@@ -344,6 +694,7 @@ func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
 			require.NotEmpty(t, metricDetails)
 
 			foundTransit := false
+			foundGcpKms := false
 			for _, detail := range metricDetails {
 				if detail["type"] == "transit" {
 					foundTransit = true
@@ -351,8 +702,15 @@ func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
 					require.True(t, ok)
 					require.Equal(t, count, uint64(1))
 				}
+				if detail["type"] == "gcpkms" {
+					foundGcpKms = true
+					count, ok := detail["count"].(uint64)
+					require.True(t, ok)
+					require.Equal(t, count, uint64(5))
+				}
 			}
 			require.True(t, foundTransit, "should have transit type in metric_details")
+			require.True(t, foundGcpKms, "should have gcpkms type in metric_details")
 
 		case "pki_units":
 			require.Contains(t, metricData, "total")
@@ -366,6 +724,24 @@ func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
 			require.True(t, ok, "managed_keys total should be int")
 			require.GreaterOrEqual(t, total, 0)
 			require.Contains(t, metricData, "metric_details")
+
+		case "ssh_units":
+			require.Contains(t, metricData, "total")
+			total, ok := metricData["total"].(float64)
+			require.True(t, ok, "ssh_units total should be float64")
+			require.GreaterOrEqual(t, total, float64(0))
+
+			require.Contains(t, metricData, "metric_details")
+			metricDetails, ok := metricData["metric_details"].([]map[string]interface{})
+			require.True(t, ok, "metric_details should be []map[string]interface{}")
+			require.NotEmpty(t, metricDetails)
+			require.Equal(t, len(metricDetails), 2)
+
+			require.Equal(t, metricDetails[0]["type"], "otp_units")
+			require.GreaterOrEqual(t, metricDetails[0]["count"], float64(0))
+
+			require.Equal(t, metricDetails[1]["type"], "certificate_units")
+			require.GreaterOrEqual(t, metricDetails[1]["count"], float64(0))
 		}
 	}
 
@@ -376,19 +752,22 @@ func TestSystemBackend_BillingOverview_MetricFormats(t *testing.T) {
 	require.True(t, metricsFound["data_protection_calls"], "should have data_protection_calls metric")
 	require.True(t, metricsFound["pki_units"], "should have pki_units metric")
 	require.True(t, metricsFound["managed_keys"], "should have managed_keys metric")
+	require.True(t, metricsFound["ssh_units"], "should have ssh_units metric")
 }
 
-// TestSystemBackend_BillingOverview_PreviousMonth verifies that the billing overview
-// endpoint correctly retrieves and formats data for the previous month. It stores
-// billing data for the previous month, validates the previous month string format,
-// enures the updated_at timestamp is set to the end of the previous month, and confirms
-// the previous month data is included in the response.
-func TestSystemBackend_BillingOverview_PreviousMonth(t *testing.T) {
+// TestSystemBackend_BillingOverview_HistoricalMonths verifies that the billing overview
+// endpoint correctly retrieves and formats data for all months. It stores
+// billing data for the previous month, validates month string formats,
+// ensures the updated_at timestamp is set correctly for each month, and confirms
+// all month data is included in the response.
+func TestSystemBackend_BillingOverview_HistoricalMonths(t *testing.T) {
 	c, b, _ := testCoreSystemBackend(t)
 	ctx := namespace.RootContext(nil)
+	now := time.Now().UTC()
+	currentMonth := timeutil.StartOfMonth(now)
 
 	// Store some data for previous month
-	previousMonth := timeutil.StartOfPreviousMonth(time.Now())
+	previousMonth := timeutil.StartOfPreviousMonth(now)
 
 	// Manually store some counts for previous month
 	c.consumptionBilling.BillingStorageLock.Lock()
@@ -396,6 +775,16 @@ func TestSystemBackend_BillingOverview_PreviousMonth(t *testing.T) {
 	c.consumptionBilling.BillingStorageLock.Unlock()
 	require.NoError(t, err)
 
+	// Store metrics last update timestamp for previous month so it's detected as having data
+	testUpdateTime := time.Date(previousMonth.Year(), previousMonth.Month(), 15, 12, 0, 0, 0, time.UTC)
+	err = c.UpdateMetricsLastUpdateTime(ctx, previousMonth, testUpdateTime)
+	require.NoError(t, err)
+
+	// Store metrics last update timestamp for current month
+	currentMonthUpdateTime := time.Date(now.Year(), now.Month(), now.Day(), 10, 30, 0, 0, time.UTC)
+	err = c.UpdateMetricsLastUpdateTime(ctx, currentMonth, currentMonthUpdateTime)
+	require.NoError(t, err)
+
 	// Make a request to the billing overview endpoint
 	req := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
 	resp, err := b.HandleRequest(ctx, req)
@@ -404,26 +793,40 @@ func TestSystemBackend_BillingOverview_PreviousMonth(t *testing.T) {
 
 	months, ok := resp.Data["months"].([]interface{})
 	require.True(t, ok)
-	require.Len(t, months, 2)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
 
-	// Check previous month data
-	previousMonthData, ok := months[1].(map[string]interface{})
-	require.True(t, ok)
+	// Loop through all months and verify timestamps
+	for i := 0; i < billing.DefaultBillingRetentionMonths; i++ {
+		monthData, ok := months[i].(map[string]interface{})
+		require.True(t, ok, "month %d should be a map", i)
 
-	monthStr, ok := previousMonthData["month"].(string)
-	require.True(t, ok)
-	expectedMonth := previousMonth.Format("2006-01")
-	require.Equal(t, expectedMonth, monthStr)
+		// Verify month string format
+		monthStr, ok := monthData["month"].(string)
+		require.True(t, ok, "month %d should have month string", i)
+		expectedMonthTime := currentMonth.AddDate(0, -i, 0)
+		expectedMonth := expectedMonthTime.Format("2006-01")
+		require.Equal(t, expectedMonth, monthStr, "month %d should match expected format", i)
 
-	// Verify updated_at is end of previous month
-	updatedAt, ok := previousMonthData["updated_at"].(string)
-	require.True(t, ok)
-	parsedTime, err := time.Parse(time.RFC3339, updatedAt)
-	require.NoError(t, err)
+		// Verify updated_at timestamp
+		updatedAt, ok := monthData["updated_at"].(string)
+		require.True(t, ok, "month %d should have updated_at", i)
+		parsedTime, err := time.Parse(time.RFC3339, updatedAt)
+		require.NoError(t, err, "month %d updated_at should parse", i)
 
-	// The updated_at for previous month should be at the end of that month
-	expectedEndOfMonth := timeutil.StartOfMonth(previousMonth.AddDate(0, 1, 0)).Add(-time.Second)
-	require.WithinDuration(t, expectedEndOfMonth, parsedTime, time.Minute)
+		// Verify timestamps based on which month we're checking
+		if i == 0 {
+			// Current month should have the timestamp we set
+			require.Equal(t, currentMonthUpdateTime, parsedTime, "current month updated_at should match set time")
+		} else if i == 1 {
+			// Previous month should have timestamp at end of month
+			expectedEndOfMonth := timeutil.EndOfMonth(expectedMonthTime)
+			require.Equal(t, expectedEndOfMonth, parsedTime, "previous month updated_at should be end of month")
+		} else {
+			// Older months without data should have zero time
+			require.True(t, parsedTime.IsZero() || parsedTime.Equal(time.Time{}),
+				"month %d without data should have zero timestamp", i)
+		}
+	}
 }
 
 // TestSystemBackend_BillingOverview_EmptyMetrics verifies that the billing overview
@@ -442,7 +845,7 @@ func TestSystemBackend_BillingOverview_EmptyMetrics(t *testing.T) {
 	// Verify the response structure exists
 	months, ok := resp.Data["months"].([]interface{})
 	require.True(t, ok)
-	require.Len(t, months, 2)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
 
 	// Check current month has all metrics with zero values
 	currentMonth, ok := months[0].(map[string]interface{})
@@ -464,6 +867,9 @@ func TestSystemBackend_BillingOverview_EmptyMetrics(t *testing.T) {
 		"data_protection_calls": false,
 		"pki_units":             false,
 		"managed_keys":          false,
+		"ssh_units":             false,
+		"id_token_units":        false,
+		"external_ca_pki_units": false,
 	}
 
 	for _, metric := range usageMetrics {
@@ -477,14 +883,33 @@ func TestSystemBackend_BillingOverview_EmptyMetrics(t *testing.T) {
 
 		// Verify each metric has appropriate zero value
 		switch metricName {
-		case "static_secrets", "dynamic_roles", "auto_rotated_roles":
+		case "static_secrets":
 			total, ok := metricData["total"].(int)
 			require.True(t, ok, "%s total should be int", metricName)
 			require.Equal(t, 0, total, "%s total should be 0", metricName)
 
 			details, ok := metricData["metric_details"].([]map[string]interface{})
 			require.True(t, ok, "%s metric_details should be array", metricName)
-			require.Empty(t, details, "%s metric_details should be empty when total is 0", metricName)
+			require.NotEmpty(t, details, "%s metric_details should always be present", metricName)
+			// Verify kv type is present with zero count
+			require.Len(t, details, 1)
+			require.Equal(t, "kv", details[0]["type"])
+			require.Equal(t, 0, details[0]["count"])
+
+		case "dynamic_roles", "auto_rotated_roles":
+			total, ok := metricData["total"].(int)
+			require.True(t, ok, "%s total should be int", metricName)
+			require.Equal(t, 0, total, "%s total should be 0", metricName)
+
+			details, ok := metricData["metric_details"].([]map[string]interface{})
+			require.True(t, ok, "%s metric_details should be array", metricName)
+			require.NotEmpty(t, details, "%s metric_details should always be present", metricName)
+			// Verify all role types are present with zero counts
+			for _, detail := range details {
+				require.Contains(t, detail, "type")
+				require.Contains(t, detail, "count")
+				require.Equal(t, 0, detail["count"])
+			}
 
 		case "kmip":
 			used, ok := metricData["used_in_month"].(bool)
@@ -503,20 +928,72 @@ func TestSystemBackend_BillingOverview_EmptyMetrics(t *testing.T) {
 
 			details, ok := metricData["metric_details"].([]map[string]interface{})
 			require.True(t, ok, "data_protection_calls metric_details should be array")
-			require.Empty(t, details, "data_protection_calls metric_details should be empty when total is 0")
+			require.NotEmpty(t, details, "data_protection_calls metric_details should always be present")
+			// Verify all data protection types are present with zero counts
+			require.Len(t, details, 3)
+			expectedTypes := map[string]bool{"transit": false, "transform": false, "gcpkms": false}
+			for _, detail := range details {
+				detailType := detail["type"].(string)
+				expectedTypes[detailType] = true
+				require.Equal(t, uint64(0), detail["count"])
+			}
+			for typeName, found := range expectedTypes {
+				require.True(t, found, "type %s should be present", typeName)
+			}
 
 		case "pki_units":
 			total, ok := metricData["total"].(float64)
 			require.True(t, ok, "pki_units total should be float64")
-			require.Equal(t, float64(0), total, "data_protection_calls total should be 0")
+			require.Equal(t, float64(0), total, "pki units total should be 0")
 
 		case "managed_keys":
 			total, ok := metricData["total"].(int)
-			require.True(t, ok, "managed_keys total should be float64")
-			require.Equal(t, int(0), total, "data_protection_calls total should be 0")
+			require.True(t, ok, "managed_keys total should be int")
+			require.Equal(t, int(0), total, "managed keys total should be 0")
 			details, ok := metricData["metric_details"].([]map[string]interface{})
 			require.True(t, ok, "%s metric_details should be array", metricName)
-			require.Empty(t, details, "%s metric_details should be empty when total is 0", metricName)
+			require.NotEmpty(t, details, "%s metric_details should always be present", metricName)
+			// Verify both managed key types are present with zero counts
+			require.Len(t, details, 2)
+			expectedTypes := map[string]bool{"totp": false, "kmse": false}
+			for _, detail := range details {
+				detailType := detail["type"].(string)
+				expectedTypes[detailType] = true
+				require.Equal(t, 0, detail["count"])
+			}
+			for typeName, found := range expectedTypes {
+				require.True(t, found, "type %s should be present", typeName)
+			}
+
+		case "ssh_units":
+			total, ok := metricData["total"].(float64)
+			require.True(t, ok, "ssh_units total should be float64")
+			require.Equal(t, float64(0), total, "ssh_units total should be 0")
+
+		case "id_token_units":
+			total, ok := metricData["total"].(float64)
+			require.True(t, ok, "id_token_units total should be float64")
+			require.Equal(t, float64(0), total, "id_token_units total should be 0")
+
+			details, ok := metricData["metric_details"].([]map[string]interface{})
+			require.True(t, ok, "id_token_units metric_details should be array")
+			require.NotEmpty(t, details, "id_token_units metric_details should always be present")
+			// Verify both token types are present with zero counts
+			require.Len(t, details, 2)
+			expectedTypes := map[string]bool{"oidc": false, "spiffe": false}
+			for _, detail := range details {
+				detailType := detail["type"].(string)
+				expectedTypes[detailType] = true
+				require.Equal(t, float64(0), detail["count"])
+			}
+			for typeName, found := range expectedTypes {
+				require.True(t, found, "type %s should be present", typeName)
+			}
+
+		case "external_ca_pki_units":
+			total, ok := metricData["total"].(float64)
+			require.True(t, ok, "external_ca_pki_units total should be float64")
+			require.Equal(t, float64(0), total, "external_ca_pki_units total should be 0")
 		}
 	}
 
@@ -524,6 +1001,64 @@ func TestSystemBackend_BillingOverview_EmptyMetrics(t *testing.T) {
 	for metricName, found := range expectedMetrics {
 		require.True(t, found, "metric %s should be present", metricName)
 	}
+
+	// Verify all previous months also have zero values
+	for i := 1; i < billing.DefaultBillingRetentionMonths; i++ {
+		monthData, ok := months[i].(map[string]interface{})
+		require.True(t, ok, "month %d should be a map", i)
+		require.Contains(t, monthData, "usage_metrics", "month %d should have usage_metrics", i)
+
+		usageMetrics, ok := monthData["usage_metrics"].([]map[string]interface{})
+		require.True(t, ok, "month %d usage_metrics should be array", i)
+		require.NotNil(t, usageMetrics, "month %d usage_metrics should not be nil", i)
+
+		// Verify all metrics in previous months have zero values
+		for _, metric := range usageMetrics {
+			metricName, ok := metric["metric_name"].(string)
+			require.True(t, ok, "month %d metric_name should be a string", i)
+
+			metricData, ok := metric["metric_data"].(map[string]interface{})
+			require.True(t, ok, "month %d metric_data should be a map", i)
+
+			// Verify each metric has appropriate zero value
+			switch metricName {
+			case "static_secrets", "dynamic_roles", "auto_rotated_roles":
+				total, ok := metricData["total"].(int)
+				require.True(t, ok)
+				require.Equal(t, 0, total)
+
+			case "kmip":
+				used, ok := metricData["used_in_month"].(bool)
+				require.True(t, ok)
+				require.False(t, used)
+
+			case "external_plugins":
+				total, ok := metricData["total"].(int)
+				require.True(t, ok)
+				require.Equal(t, 0, total)
+
+			case "data_protection_calls":
+				total, ok := metricData["total"].(uint64)
+				require.True(t, ok)
+				require.Equal(t, uint64(0), total)
+
+			case "pki_units":
+				total, ok := metricData["total"].(float64)
+				require.True(t, ok)
+				require.Equal(t, float64(0), total)
+
+			case "managed_keys":
+				total, ok := metricData["total"].(int)
+				require.True(t, ok)
+				require.Equal(t, 0, total)
+
+			case "ssh_units":
+				total, ok := metricData["total"].(float64)
+				require.True(t, ok)
+				require.Equal(t, float64(0), total)
+			}
+		}
+	}
 }
 
 // TestSystemBackend_BillingOverview_MultipleMetricTypes tests the billing overview
@@ -549,7 +1084,8 @@ func TestSystemBackend_BillingOverview_MultipleMetricTypes(t *testing.T) {
 	_, err = c.HandleRequest(ctx, kvReq)
 	require.NoError(t, err)
 
-	_, err = c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth)
+	kvCounts := c.GetKvCounts(billing.LocalPrefix)
+	_, err = c.UpdateMaxKvCounts(ctx, billing.LocalPrefix, currentMonth, kvCounts)
 	require.NoError(t, err)
 
 	// Make request to billing overview
@@ -561,7 +1097,7 @@ func TestSystemBackend_BillingOverview_MultipleMetricTypes(t *testing.T) {
 
 	months, ok := resp.Data["months"].([]interface{})
 	require.True(t, ok)
-	require.Len(t, months, 2)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
 
 	currentMonthData, ok := months[0].(map[string]interface{})
 	require.True(t, ok)
@@ -598,7 +1134,7 @@ func TestSystemBackend_BillingOverview_UpdatedAtTimestamp(t *testing.T) {
 	c, b, _ := testCoreSystemBackend(t)
 	ctx := namespace.RootContext(nil)
 
-	// First, call with refresh_data set to set the LastMetricsUpdate timestamp
+	// First, call with refresh_data set to set the metrics last update timestamp
 	req := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
 	req.Data["refresh_data"] = true
 	resp, err := b.HandleRequest(ctx, req)
@@ -607,23 +1143,36 @@ func TestSystemBackend_BillingOverview_UpdatedAtTimestamp(t *testing.T) {
 
 	months, ok := resp.Data["months"].([]interface{})
 	require.True(t, ok)
-	require.Len(t, months, 2)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
 
 	currentMonth, ok := months[0].(map[string]interface{})
 	require.True(t, ok)
 
-	// Get the updated_at timestamp from the first call
+	// Get the updated_at timestamp from the first call (current month)
 	firstUpdatedAt, ok := currentMonth["updated_at"].(string)
 	require.True(t, ok)
 	firstTime, err := time.Parse(time.RFC3339, firstUpdatedAt)
 	require.NoError(t, err)
 
-	// Verify LastMetricsUpdate was set
-	lastUpdate := c.consumptionBilling.LastMetricsUpdate.Load()
-	require.NotNil(t, lastUpdate, "LastMetricsUpdate should be set after refresh")
-	storedTime, ok := lastUpdate.(time.Time)
-	require.True(t, ok)
-	require.WithinDuration(t, firstTime, storedTime, time.Second, "stored timestamp should match response timestamp")
+	// Verify the metrics last update time was set
+	lastUpdate, err := c.GetMetricsLastUpdateTime(ctx, time.Now().UTC())
+	require.NoError(t, err)
+	require.Equal(t, firstTime, lastUpdate, "stored timestamp should match response timestamp")
+
+	// Verify all previous months have zero timestamp (no data stored for them)
+	for i := 1; i < billing.DefaultBillingRetentionMonths; i++ {
+		prevMonth, ok := months[i].(map[string]interface{})
+		require.True(t, ok, "month %d should be a map", i)
+
+		prevMonthUpdatedAt, ok := prevMonth["updated_at"].(string)
+		require.True(t, ok, "month %d should have updated_at", i)
+		prevMonthTime, err := time.Parse(time.RFC3339, prevMonthUpdatedAt)
+		require.NoError(t, err, "month %d updated_at should parse", i)
+
+		// All previous months should be zero time since we haven't stored any data for them
+		require.True(t, prevMonthTime.IsZero(),
+			"month %d updated_at should be zero time when no data is stored", i)
+	}
 
 	// Wait a moment to ensure time difference
 	time.Sleep(100 * time.Millisecond)
@@ -637,22 +1186,669 @@ func TestSystemBackend_BillingOverview_UpdatedAtTimestamp(t *testing.T) {
 
 	months, ok = resp.Data["months"].([]interface{})
 	require.True(t, ok)
-	require.Len(t, months, 2)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
 
 	currentMonth, ok = months[0].(map[string]interface{})
 	require.True(t, ok)
 
-	// Get the updated_at timestamp from the second call
+	// Get the updated_at timestamp from the second call (current month)
 	secondUpdatedAt, ok := currentMonth["updated_at"].(string)
 	require.True(t, ok)
 	secondTime, err := time.Parse(time.RFC3339, secondUpdatedAt)
 	require.NoError(t, err)
 
 	// The timestamp should be the same as the first call because we didn't refresh the data
-	require.WithinDuration(t, firstTime, secondTime, time.Second,
-		"updated_at without refresh should use stored LastMetricsUpdate timestamp")
+	require.Equal(t, firstTime, secondTime,
+		"updated_at without refresh should use stored metrics last update timestamp")
 
 	// Verify the timestamps are equal
 	require.Equal(t, firstUpdatedAt, secondUpdatedAt,
 		"updated_at without refresh should be identical to the stored timestamp")
+
+	// Verify all previous months' timestamps remain the same (zero time)
+	for i := 1; i < billing.DefaultBillingRetentionMonths; i++ {
+		prevMonth, ok := months[i].(map[string]interface{})
+		require.True(t, ok, "month %d should be a map", i)
+
+		secondPrevMonthUpdatedAt, ok := prevMonth["updated_at"].(string)
+		require.True(t, ok, "month %d should have updated_at", i)
+		secondPrevMonthTime, err := time.Parse(time.RFC3339, secondPrevMonthUpdatedAt)
+		require.NoError(t, err, "month %d updated_at should parse", i)
+
+		require.True(t, secondPrevMonthTime.IsZero(),
+			"month %d updated_at should remain zero time", i)
+	}
+}
+
+// TestSystemBackend_BillingOverview_UpdatedAtTimestamp_NoStoredTimestamp tests the behavior
+// when the metrics last update time is zero time (background worker hasn't run yet)
+func TestSystemBackend_BillingOverview_UpdatedAtTimestamp_NoStoredTimestamp(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	ctx := namespace.RootContext(nil)
+
+	// Verify the metrics last update time is zero time initially
+	lastUpdate, err := c.GetMetricsLastUpdateTime(ctx, time.Now().UTC())
+	require.NoError(t, err)
+	require.True(t, lastUpdate.IsZero(), "metrics last update time should be zero time initially")
+
+	// Call without refresh_data when timestamp is zero
+	req := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
+	req.Data["refresh_data"] = false
+	resp, err := b.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	months, ok := resp.Data["months"].([]interface{})
+	require.True(t, ok)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
+
+	currentMonth, ok := months[0].(map[string]interface{})
+	require.True(t, ok)
+
+	// Get the updated_at timestamp
+	updatedAt, ok := currentMonth["updated_at"].(string)
+	require.True(t, ok)
+	updatedTime, err := time.Parse(time.RFC3339, updatedAt)
+	require.NoError(t, err)
+
+	// Verify it's zero time to indicate data hasn't been updated yet
+	require.True(t, updatedTime.IsZero(),
+		"updated_at should be zero time when the metrics last update time is zero")
+
+	// Verify previous month is also zero time (no stored timestamp for previous month)
+	previousMonth, ok := months[1].(map[string]interface{})
+	require.True(t, ok)
+	prevMonthUpdatedAt, ok := previousMonth["updated_at"].(string)
+	require.True(t, ok)
+	prevMonthTime, err := time.Parse(time.RFC3339, prevMonthUpdatedAt)
+	require.NoError(t, err)
+
+	// Previous month should also be zero time since no timestamp is stored
+	require.True(t, prevMonthTime.IsZero(),
+		"previous month updated_at should be zero time when no stored timestamp exists")
+}
+
+// TestSystemBackend_BillingOverview_AllMetricTypesPresent verifies that all metric types
+// are always present in the response, even when their counts are zero. This test specifically
+// validates that metric_details arrays contain all expected types for each metric category.
+func TestSystemBackend_BillingOverview_AllMetricTypesPresent(t *testing.T) {
+	_, b, _ := testCoreSystemBackend(t)
+	ctx := namespace.RootContext(nil)
+
+	// Make a request without creating any billable resources
+	req := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
+	resp, err := b.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+
+	// Verify the response structure exists
+	months, ok := resp.Data["months"].([]interface{})
+	require.True(t, ok)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
+
+	// Check current month has all metrics
+	currentMonth, ok := months[0].(map[string]interface{})
+	require.True(t, ok)
+	require.Contains(t, currentMonth, "usage_metrics")
+
+	usageMetrics, ok := currentMonth["usage_metrics"].([]map[string]interface{})
+	require.True(t, ok)
+	require.NotNil(t, usageMetrics)
+	require.NotEmpty(t, usageMetrics, "usage_metrics should contain all metrics even with zero values")
+
+	// Build a map of metrics for easy lookup
+	metricsMap := make(map[string]map[string]interface{})
+	for _, metric := range usageMetrics {
+		metricName, ok := metric["metric_name"].(string)
+		require.True(t, ok, "metric_name should be a string")
+		metricsMap[metricName] = metric
+	}
+
+	// Verify static_secrets has kv type
+	staticSecretsMetric, exists := metricsMap["static_secrets"]
+	require.True(t, exists, "static_secrets metric should be present")
+	staticSecretsData := staticSecretsMetric["metric_data"].(map[string]interface{})
+	staticSecretsDetails := staticSecretsData["metric_details"].([]map[string]interface{})
+	require.Len(t, staticSecretsDetails, 1, "static_secrets should have 1 type")
+	require.Equal(t, "kv", staticSecretsDetails[0]["type"])
+	require.Equal(t, 0, staticSecretsDetails[0]["count"])
+
+	// Verify dynamic_roles has all 13 types
+	dynamicRolesMetric, exists := metricsMap["dynamic_roles"]
+	require.True(t, exists, "dynamic_roles metric should be present")
+	dynamicRolesData := dynamicRolesMetric["metric_data"].(map[string]interface{})
+	dynamicRolesDetails := dynamicRolesData["metric_details"].([]map[string]interface{})
+	require.Len(t, dynamicRolesDetails, 13, "dynamic_roles should have 13 types")
+
+	expectedDynamicTypes := []string{
+		"aws_dynamic", "azure_dynamic", "database_dynamic", "gcp_dynamic",
+		"ldap_dynamic", "openldap_dynamic", "alicloud_dynamic", "rabbitmq_dynamic",
+		"consul_dynamic", "nomad_dynamic", "kubernetes_dynamic", "mongodbatlas_dynamic",
+		"terraform_dynamic",
+	}
+	for i, expectedType := range expectedDynamicTypes {
+		require.Equal(t, expectedType, dynamicRolesDetails[i]["type"], "dynamic role type at index %d should be %s", i, expectedType)
+		require.Equal(t, 0, dynamicRolesDetails[i]["count"], "dynamic role count at index %d should be 0", i)
+	}
+
+	// Verify auto_rotated_roles has all 8 types
+	autoRotatedMetric, exists := metricsMap["auto_rotated_roles"]
+	require.True(t, exists, "auto_rotated_roles metric should be present")
+	autoRotatedData := autoRotatedMetric["metric_data"].(map[string]interface{})
+	autoRotatedDetails := autoRotatedData["metric_details"].([]map[string]interface{})
+	require.Len(t, autoRotatedDetails, 8, "auto_rotated_roles should have 8 types")
+
+	expectedAutoRotatedTypes := []string{
+		"aws_static", "azure_static", "database_static", "gcp_static",
+		"gcp_impersonated", "ldap_static", "openldap_static", "os_local_account_static",
+	}
+	for i, expectedType := range expectedAutoRotatedTypes {
+		require.Equal(t, expectedType, autoRotatedDetails[i]["type"], "auto-rotated role type at index %d should be %s", i, expectedType)
+		require.Equal(t, 0, autoRotatedDetails[i]["count"], "auto-rotated role count at index %d should be 0", i)
+	}
+
+	// Verify data_protection_calls has all 3 types
+	dataProtectionMetric, exists := metricsMap["data_protection_calls"]
+	require.True(t, exists, "data_protection_calls metric should be present")
+	dataProtectionData := dataProtectionMetric["metric_data"].(map[string]interface{})
+	dataProtectionDetails := dataProtectionData["metric_details"].([]map[string]interface{})
+	require.Len(t, dataProtectionDetails, 3, "data_protection_calls should have 3 types")
+
+	expectedDataProtectionTypes := []string{"transit", "transform", "gcpkms"}
+	for i, expectedType := range expectedDataProtectionTypes {
+		require.Equal(t, expectedType, dataProtectionDetails[i]["type"], "data protection type at index %d should be %s", i, expectedType)
+		require.Equal(t, uint64(0), dataProtectionDetails[i]["count"], "data protection count at index %d should be 0", i)
+	}
+
+	// Verify managed_keys has both types
+	managedKeysMetric, exists := metricsMap["managed_keys"]
+	require.True(t, exists, "managed_keys metric should be present")
+	managedKeysData := managedKeysMetric["metric_data"].(map[string]interface{})
+	managedKeysDetails := managedKeysData["metric_details"].([]map[string]interface{})
+	require.Len(t, managedKeysDetails, 2, "managed_keys should have 2 types")
+
+	expectedManagedKeyTypes := []string{"totp", "kmse"}
+	for i, expectedType := range expectedManagedKeyTypes {
+		require.Equal(t, expectedType, managedKeysDetails[i]["type"], "managed key type at index %d should be %s", i, expectedType)
+		require.Equal(t, 0, managedKeysDetails[i]["count"], "managed key count at index %d should be 0", i)
+	}
+
+	// Verify ssh_units has both types
+	sshMetric, exists := metricsMap["ssh_units"]
+	require.True(t, exists, "ssh_units metric should be present")
+	sshData := sshMetric["metric_data"].(map[string]interface{})
+	sshDetails := sshData["metric_details"].([]map[string]interface{})
+	require.Len(t, sshDetails, 2, "ssh_units should have 2 types")
+	require.Equal(t, "otp_units", sshDetails[0]["type"])
+	require.Equal(t, "certificate_units", sshDetails[1]["type"])
+
+	// Verify id_token_units has both types
+	idTokenMetric, exists := metricsMap["id_token_units"]
+	require.True(t, exists, "id_token_units metric should be present")
+	idTokenData := idTokenMetric["metric_data"].(map[string]interface{})
+	idTokenDetails := idTokenData["metric_details"].([]map[string]interface{})
+	require.Len(t, idTokenDetails, 2, "id_token_units should have 2 types")
+
+	expectedIdTokenTypes := []string{"oidc", "spiffe"}
+	for i, expectedType := range expectedIdTokenTypes {
+		require.Equal(t, expectedType, idTokenDetails[i]["type"], "id token type at index %d should be %s", i, expectedType)
+		require.Equal(t, float64(0), idTokenDetails[i]["count"], "id token count at index %d should be 0", i)
+	}
+}
+
+// TestSystemBackend_BillingOverview_PreviousMonth_WithError tests the behavior
+// when retrieving the previous month's timestamp fails with an error.
+// This ensures the endpoint gracefully handles storage errors by returning zero time.
+func TestSystemBackend_BillingOverview_PreviousMonth_WithError(t *testing.T) {
+	c, b, _ := testCoreSystemBackend(t)
+	ctx := namespace.RootContext(nil)
+
+	// Store some data for previous month
+	previousMonth := timeutil.StartOfPreviousMonth(time.Now())
+
+	// Store counts but intentionally do NOT store the metrics last update timestamp
+	// This simulates a scenario where data exists but timestamp retrieval might fail
+	c.consumptionBilling.BillingStorageLock.Lock()
+	err := c.storeMaxKvCountsLocked(ctx, 5, "local/", previousMonth)
+	c.consumptionBilling.BillingStorageLock.Unlock()
+	require.NoError(t, err)
+
+	// Make a request to the billing overview endpoint
+	req := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
+	resp, err := b.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	months, ok := resp.Data["months"].([]interface{})
+	require.True(t, ok)
+	require.Len(t, months, billing.DefaultBillingRetentionMonths)
+
+	// Check previous month data
+	previousMonthData, ok := months[1].(map[string]interface{})
+	require.True(t, ok)
+
+	// Verify updated_at is zero time when no timestamp is stored
+	updatedAt, ok := previousMonthData["updated_at"].(string)
+	require.True(t, ok)
+	parsedTime, err := time.Parse(time.RFC3339, updatedAt)
+	require.NoError(t, err)
+
+	// Should be zero time since no timestamp was stored for previous month
+	require.True(t, parsedTime.IsZero(),
+		"previous month updated_at should be zero time when timestamp is not stored")
+}
+
+// TestRoundToFour tests the roundToFour function
+func TestRoundToFour(t *testing.T) {
+	// Define test cases
+	tests := []struct {
+		name     string
+		input    float64
+		expected float64
+	}{
+		{"Round up", 1.23456, 1.2346},
+		{"Round down", 1.23454, 1.2345},
+		{"Exactly four decimals", 1.1111, 1.1111},
+		{"Fewer than four decimals", 1.2, 1.2000},
+		{"Zero value", 0.0, 0.0},
+		{"Large values", 0.189900000000, 0.1899},
+		{"Large values with round up", 0.189990000000, 0.1900},
+		{"Large values with round down", 0.189920000000, 0.1899},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := roundToFour(tt.input)
+			require.Equal(t, tt.expected, got)
+		})
+	}
+}
+
+// TestRoundUsageMetrics tests the roundUsageMetrics function.
+func TestRoundUsageMetrics(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    []map[string]interface{}
+		expected []map[string]interface{}
+	}{
+		{
+			name: "Round float64 totals and counts in metric_details",
+			input: []map[string]interface{}{
+				{
+					"metric_name": "pki_units",
+					"metric_data": map[string]interface{}{
+						"total": 123.456789,
+					},
+				},
+				{
+					"metric_name": "ssh_units",
+					"metric_data": map[string]interface{}{
+						"total": 98.765432,
+						"metric_details": []map[string]interface{}{
+							{"type": "otp_units", "count": 45.678901},
+							{"type": "certificate_units", "count": 53.086531},
+						},
+					},
+				},
+			},
+			expected: []map[string]interface{}{
+				{
+					"metric_name": "pki_units",
+					"metric_data": map[string]interface{}{
+						"total": 123.4568,
+					},
+				},
+				{
+					"metric_name": "ssh_units",
+					"metric_data": map[string]interface{}{
+						"total": 98.7654,
+						"metric_details": []map[string]interface{}{
+							{"type": "otp_units", "count": 45.6789},
+							{"type": "certificate_units", "count": 53.0865},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "Handle integer counts (should not be modified)",
+			input: []map[string]interface{}{
+				{
+					"metric_name": "static_secrets",
+					"metric_data": map[string]interface{}{
+						"total": 100,
+						"metric_details": []map[string]interface{}{
+							{"type": "kv", "count": 100},
+						},
+					},
+				},
+			},
+			expected: []map[string]interface{}{
+				{
+					"metric_name": "static_secrets",
+					"metric_data": map[string]interface{}{
+						"total": 100,
+						"metric_details": []map[string]interface{}{
+							{"type": "kv", "count": 100},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "Handle mixed float64 and integer values",
+			input: []map[string]interface{}{
+				{
+					"metric_name": "id_token_units",
+					"metric_data": map[string]interface{}{
+						"total": 150.123456,
+						"metric_details": []map[string]interface{}{
+							{"type": "oidc", "count": 100.987654},
+							{"type": "spiffe", "count": 49.135802},
+						},
+					},
+				},
+				{
+					"metric_name": "dynamic_roles",
+					"metric_data": map[string]interface{}{
+						"total": 50,
+						"metric_details": []map[string]interface{}{
+							{"type": "aws_dynamic", "count": 25},
+							{"type": "azure_dynamic", "count": 25},
+						},
+					},
+				},
+			},
+			expected: []map[string]interface{}{
+				{
+					"metric_name": "id_token_units",
+					"metric_data": map[string]interface{}{
+						"total": 150.1235,
+						"metric_details": []map[string]interface{}{
+							{"type": "oidc", "count": 100.9877},
+							{"type": "spiffe", "count": 49.1358},
+						},
+					},
+				},
+				{
+					"metric_name": "dynamic_roles",
+					"metric_data": map[string]interface{}{
+						"total": 50,
+						"metric_details": []map[string]interface{}{
+							{"type": "aws_dynamic", "count": 25},
+							{"type": "azure_dynamic", "count": 25},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "Handle metrics without metric_details",
+			input: []map[string]interface{}{
+				{
+					"metric_name": "kmip",
+					"metric_data": map[string]interface{}{
+						"used_in_month": true,
+					},
+				},
+				{
+					"metric_name": "external_plugins",
+					"metric_data": map[string]interface{}{
+						"total": 5,
+					},
+				},
+			},
+			expected: []map[string]interface{}{
+				{
+					"metric_name": "kmip",
+					"metric_data": map[string]interface{}{
+						"used_in_month": true,
+					},
+				},
+				{
+					"metric_name": "external_plugins",
+					"metric_data": map[string]interface{}{
+						"total": 5,
+					},
+				},
+			},
+		},
+		{
+			name:     "Handle empty metrics slice",
+			input:    []map[string]interface{}{},
+			expected: []map[string]interface{}{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Make a deep copy of input to avoid modifying the test case
+			inputCopy := make([]map[string]interface{}, len(tt.input))
+			for i, metric := range tt.input {
+				inputCopy[i] = make(map[string]interface{})
+				for k, v := range metric {
+					if k == "metric_data" {
+						metricData := v.(map[string]interface{})
+						metricDataCopy := make(map[string]interface{})
+						for mk, mv := range metricData {
+							if mk == "metric_details" {
+								details := mv.([]map[string]interface{})
+								detailsCopy := make([]map[string]interface{}, len(details))
+								for di, detail := range details {
+									detailsCopy[di] = make(map[string]interface{})
+									for dk, dv := range detail {
+										detailsCopy[di][dk] = dv
+									}
+								}
+								metricDataCopy[mk] = detailsCopy
+							} else {
+								metricDataCopy[mk] = mv
+							}
+						}
+						inputCopy[i][k] = metricDataCopy
+					} else {
+						inputCopy[i][k] = v
+					}
+				}
+			}
+
+			// Apply rounding
+			roundUsageMetrics(inputCopy)
+
+			// Verify the results
+			require.Equal(t, len(tt.expected), len(inputCopy))
+			for i, expectedMetric := range tt.expected {
+				actualMetric := inputCopy[i]
+				require.Equal(t, expectedMetric["metric_name"], actualMetric["metric_name"])
+
+				expectedData := expectedMetric["metric_data"].(map[string]interface{})
+				actualData := actualMetric["metric_data"].(map[string]interface{})
+
+				// Check total
+				if expectedTotal, ok := expectedData["total"]; ok {
+					require.Equal(t, expectedTotal, actualData["total"])
+				}
+
+				// Check metric_details
+				if expectedDetails, ok := expectedData["metric_details"].([]map[string]interface{}); ok {
+					actualDetails := actualData["metric_details"].([]map[string]interface{})
+					require.Equal(t, len(expectedDetails), len(actualDetails))
+					for j, expectedDetail := range expectedDetails {
+						actualDetail := actualDetails[j]
+						require.Equal(t, expectedDetail["type"], actualDetail["type"])
+						require.Equal(t, expectedDetail["count"], actualDetail["count"])
+					}
+				}
+
+				// Check other fields (like used_in_month)
+				for key, expectedValue := range expectedData {
+					if key != "total" && key != "metric_details" {
+						require.Equal(t, expectedValue, actualData[key])
+					}
+				}
+			}
+		})
+	}
+}
+
+// TestSystemBackend_BillingConfig_Read tests reading the billing retention configuration
+func TestSystemBackend_BillingConfig_Read(t *testing.T) {
+	_, b, _ := testCoreSystemBackend(t)
+	ctx := namespace.RootContext(nil)
+
+	// Read config when not set - should return default
+	req := logical.TestRequest(t, logical.ReadOperation, "billing/config")
+	resp, err := b.HandleRequest(ctx, req)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NotNil(t, resp.Data)
+	require.Equal(t, billing.DefaultBillingRetentionMonths, resp.Data["retention_months"])
+}
+
+// TestSystemBackend_BillingConfig_Write tests writing the billing retention configuration
+func TestSystemBackend_BillingConfig_Write(t *testing.T) {
+	_, b, _ := testCoreSystemBackend(t)
+	ctx := namespace.RootContext(nil)
+
+	testCases := []struct {
+		name            string
+		retentionMonths int
+		expectError     bool
+		errorContains   string
+		expectWarning   bool
+		warningContains string
+	}{
+		{
+			name:            "valid minimum value",
+			retentionMonths: billing.MinBillingRetentionMonths,
+			expectError:     false,
+			expectWarning:   false, // Less than default, no warning
+		},
+		{
+			name:            "valid maximum value",
+			retentionMonths: billing.MaxBillingRetentionMonths,
+			expectError:     false,
+			expectWarning:   true, // Greater than default (37), should warn
+			warningContains: "Retention period increased",
+		},
+		{
+			name:            "valid middle value below default",
+			retentionMonths: 24,
+			expectError:     false,
+			expectWarning:   false, // Less than default, no warning
+		},
+		{
+			name:            "valid middle value above default",
+			retentionMonths: 48,
+			expectError:     false,
+			expectWarning:   true, // Greater than default (37), should warn
+			warningContains: "Retention period increased",
+		},
+		{
+			name:            "below minimum",
+			retentionMonths: billing.MinBillingRetentionMonths - 1,
+			expectError:     true,
+			errorContains:   "must be between",
+		},
+		{
+			name:            "above maximum",
+			retentionMonths: billing.MaxBillingRetentionMonths + 1,
+			expectError:     true,
+			errorContains:   "must be between",
+		},
+		{
+			name:            "zero value",
+			retentionMonths: 0,
+			expectError:     true,
+			errorContains:   "must be between",
+		},
+		{
+			name:            "negative value",
+			retentionMonths: -1,
+			expectError:     true,
+			errorContains:   "must be between",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			req := logical.TestRequest(t, logical.UpdateOperation, "billing/config")
+			req.Data = map[string]interface{}{
+				"retention_months": tc.retentionMonths,
+			}
+
+			resp, err := b.HandleRequest(ctx, req)
+
+			if tc.expectError {
+				require.Equal(t, logical.ErrInvalidRequest, err)
+				require.NotNil(t, resp)
+				require.True(t, resp.IsError())
+				require.Contains(t, resp.Error().Error(), tc.errorContains)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, resp)
+				require.False(t, resp.IsError())
+
+				// Check for warning when increasing retention
+				if tc.expectWarning {
+					require.Len(t, resp.Warnings, 1, "should have warning when increasing retention above default")
+					require.Contains(t, resp.Warnings[0], tc.warningContains)
+				} else {
+					require.Empty(t, resp.Warnings, "should not have warnings when not increasing retention")
+				}
+
+				// Verify the value was stored by reading it back
+				readReq := logical.TestRequest(t, logical.ReadOperation, "billing/config")
+				readResp, err := b.HandleRequest(ctx, readReq)
+				require.NoError(t, err)
+				require.NotNil(t, readResp)
+				require.Equal(t, tc.retentionMonths, readResp.Data["retention_months"])
+			}
+		})
+	}
+}
+
+// TestSystemBackend_BillingConfig_AffectsOverview tests that config affects billing overview
+func TestSystemBackend_BillingConfig_AffectsOverview(t *testing.T) {
+	_, b, _ := testCoreSystemBackend(t)
+	ctx := namespace.RootContext(nil)
+
+	// Set retention to minimum (13 months)
+	writeReq := logical.TestRequest(t, logical.UpdateOperation, "billing/config")
+	writeReq.Data = map[string]interface{}{
+		"retention_months": billing.MinBillingRetentionMonths,
+	}
+	_, err := b.HandleRequest(ctx, writeReq)
+	require.NoError(t, err)
+
+	// Request billing overview
+	overviewReq := logical.TestRequest(t, logical.ReadOperation, "billing/overview")
+	resp, err := b.HandleRequest(ctx, overviewReq)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	// Verify we get 13 months of data
+	months, ok := resp.Data["months"].([]interface{})
+	require.True(t, ok)
+	require.Len(t, months, billing.MinBillingRetentionMonths)
+
+	// Set retention to maximum (72 months)
+	writeReq = logical.TestRequest(t, logical.UpdateOperation, "billing/config")
+	writeReq.Data = map[string]interface{}{
+		"retention_months": billing.MaxBillingRetentionMonths,
+	}
+	_, err = b.HandleRequest(ctx, writeReq)
+	require.NoError(t, err)
+
+	// Request billing overview again
+	overviewReq = logical.TestRequest(t, logical.ReadOperation, "billing/overview")
+	resp, err = b.HandleRequest(ctx, overviewReq)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	// Verify we get 72 months of data
+	months, ok = resp.Data["months"].([]interface{})
+	require.True(t, ok)
+	require.Len(t, months, billing.MaxBillingRetentionMonths)
 }
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index b17ff938c0..3fd4de76ff 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -1097,13 +1097,13 @@ func (c *Core) PersistTOTPKey(ctx context.Context, methodID, entityID, key strin
 	}
 	val, err := jsonutil.EncodeJSON(ks)
 	if err != nil {
-		return err
+		return fmt.Errorf("error encoding TOTP key: %w", err)
 	}
-	if c.barrier.Put(ctx, &logical.StorageEntry{
+	if err := c.barrier.Put(ctx, &logical.StorageEntry{
 		Key:   fmt.Sprintf("%s%s/%s", mfaTOTPKeysPrefix, methodID, entityID),
 		Value: val,
 	}); err != nil {
-		return err
+		return fmt.Errorf("error persisting TOTP key to storage: %w", err)
 	}
 	return nil
 }
diff --git a/vault/mount.go b/vault/mount.go
index fb6a64c905..590cf34ef4 100644
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -25,6 +25,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/hashicorp/vault/sdk/physical"
 	"github.com/hashicorp/vault/vault/observations"
 	"github.com/hashicorp/vault/vault/plugincatalog"
 	"github.com/mitchellh/copystructure"
@@ -74,18 +75,19 @@ const (
 	mountPathCubbyhole     = "cubbyhole/"
 	mountPathAgentRegistry = "agent-registry/"
 
-	mountTypeSystem        = "system"
-	mountTypeNSSystem      = "ns_system"
-	mountTypeIdentity      = "identity"
-	mountTypeNSIdentity    = "ns_identity"
-	mountTypeCubbyhole     = "cubbyhole"
-	mountTypePlugin        = "plugin"
-	mountTypeKV            = "kv"
-	mountTypeNSCubbyhole   = "ns_cubbyhole"
-	mountTypeToken         = "token"
-	mountTypeNSToken       = "ns_token"
-	mountTypeDatabase      = "database"
-	mountTypeAgentRegistry = "agent_registry"
+	mountTypeSystem          = "system"
+	mountTypeNSSystem        = "ns_system"
+	mountTypeIdentity        = "identity"
+	mountTypeNSIdentity      = "ns_identity"
+	mountTypeCubbyhole       = "cubbyhole"
+	mountTypePlugin          = "plugin"
+	mountTypeKV              = "kv"
+	mountTypeNSCubbyhole     = "ns_cubbyhole"
+	mountTypeToken           = "token"
+	mountTypeNSToken         = "ns_token"
+	mountTypeDatabase        = "database"
+	mountTypeAgentRegistry   = "agent_registry"
+	mountTypeNSAgentRegistry = "ns_agent_registry"
 
 	MountTableUpdateStorage   = true
 	MountTableNoUpdateStorage = false
@@ -156,6 +158,18 @@ type MountTable struct {
 	Entries []*MountEntry `json:"entries"`
 }
 
+func (m *MountTable) Clone() (*MountTable, error) {
+	entries := make([]*MountEntry, 0, len(m.Entries))
+	for _, entry := range m.Entries {
+		clonedEntry, err := entry.Clone()
+		if err != nil {
+			return nil, err
+		}
+		entries = append(entries, clonedEntry)
+	}
+	return &MountTable{Type: m.Type, Entries: entries}, nil
+}
+
 //go:generate enumer -type=MountMigrationStatus -trimprefix=MigrationStatus -transform=kebab
 
 type MountMigrationStatus int
@@ -1359,7 +1373,17 @@ func (c *Core) loadMounts(ctx context.Context) error {
 	// If this node is a performance standby we do not want to attempt to
 	// upgrade the mount table, this will be the active node's responsibility.
 	if !c.perfStandby {
-		err := c.runMountUpdates(ctx, needPersist)
+		oldMounts, err := c.mounts.Clone()
+		if err != nil {
+			c.logger.Error("failed to clone mount table", "error", err)
+			return err
+		}
+		err = c.runMountUpdates(ctx, needPersist, true)
+		if errors.Is(err, physical.ErrValueSize) {
+			c.logger.Error("Cannot add default mounts because the mount table is too large to write to storage. If you are using integrated storage, increase the max_mount_and_namespace_table_entry_size in your Vault config file to add all default mounts to all namespaces. If you are using Consul storage, increase the txn_max_req_len in your Consul config file to add all default mounts to all namespaces. Continuing without default mounts")
+			c.mounts = oldMounts
+			err = c.runMountUpdates(ctx, needPersist, false)
+		}
 		if err != nil {
 			c.logger.Error("failed to run mount table upgrades", "error", err)
 			return err
@@ -1405,7 +1429,7 @@ func (c *Core) loadMounts(ctx context.Context) error {
 
 // Note that this is only designed to work with singletons, as it checks by
 // type only.
-func (c *Core) runMountUpdates(ctx context.Context, needPersist bool) error {
+func (c *Core) runMountUpdates(ctx context.Context, needPersist, tryAddingRequiredMounts bool) error {
 	// Upgrade to typed mount table
 	if c.mounts.Type == "" {
 		c.mounts.Type = mountTableType
@@ -1429,12 +1453,24 @@ func (c *Core) runMountUpdates(ctx context.Context, needPersist bool) error {
 		// ensure this comes over. If we upgrade first, we simply don't
 		// create the mount, so we won't conflict when we sync. If this is
 		// local (e.g. cubbyhole) we do still add it.
-		if !foundRequired && (!c.IsPerfSecondary() || requiredMount.Local) {
+		if !foundRequired && (!c.IsPerfSecondary() || requiredMount.Local) && tryAddingRequiredMounts {
 			c.mounts.Entries = append(c.mounts.Entries, requiredMount)
 			needPersist = true
 		}
 	}
 
+	if !c.IsPerfSecondary() && tryAddingRequiredMounts {
+		var modified bool
+		var err error
+		c.mounts.Entries, modified, err = c.addRequiredNamespaceMounts(c.mounts.Entries)
+		if err != nil {
+			return err
+		}
+		if modified {
+			needPersist = true
+		}
+	}
+
 	// Upgrade to table-scoped entries
 	for _, entry := range c.mounts.Entries {
 		if !c.PR1103disabled && entry.Type == mountTypeNSCubbyhole && !entry.Local && !c.ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationDRSecondary) {
@@ -1486,7 +1522,7 @@ func (c *Core) runMountUpdates(ctx context.Context, needPersist bool) error {
 	// Persist both mount tables
 	if err := c.persistMounts(ctx, c.mounts, nil); err != nil {
 		c.logger.Error("failed to persist mount table", "error", err)
-		return errLoadMountsFailed
+		return errors.Join(errLoadMountsFailed, err)
 	}
 	return nil
 }
@@ -2001,6 +2037,7 @@ func (c *Core) requiredMountTable() *MountTable {
 		BackendAwareUUID: identityBackendUUID,
 		Config: MountConfig{
 			PassthroughRequestHeaders: []string{"Authorization"},
+			AllowedResponseHeaders:    []string{"Location"},
 		},
 		RunningVersion: versions.DefaultBuiltinVersion,
 	}
@@ -2081,7 +2118,11 @@ func (c *Core) setCoreBackend(entry *MountEntry, backend logical.Backend, view *
 	case mountTypeIdentity:
 		c.identityStore = backend.(*IdentityStore)
 	case mountTypeAgentRegistry:
-		c.agentRegistry = backend.(*AgentRegistry)
+		// core should only have a reference to the root namespace's
+		// agent registry
+		if entry.NamespaceID == namespace.RootNamespaceID {
+			c.agentRegistry = backend.(*AgentRegistry)
+		}
 	}
 }
 
diff --git a/vault/mount_util.go b/vault/mount_util.go
index f4e6fa1255..17eb5da084 100644
--- a/vault/mount_util.go
+++ b/vault/mount_util.go
@@ -80,3 +80,7 @@ func (c *Core) entBuiltinPluginMetrics(ctx context.Context, entry *MountEntry, v
 func newSnapshotStorageRouter(c *Core, storage logical.Storage) logical.Storage {
 	return storage
 }
+
+func (c *Core) addRequiredNamespaceMounts(mountEntries []*MountEntry) ([]*MountEntry, bool, error) {
+	return mountEntries, false, nil
+}
diff --git a/vault/plugin_reload.go b/vault/plugin_reload.go
index 8ea7ccd925..bad9161ae1 100644
--- a/vault/plugin_reload.go
+++ b/vault/plugin_reload.go
@@ -158,20 +158,9 @@ func (c *Core) reloadMatchingPlugin(ctx context.Context, ns *namespace.Namespace
 	return reloaded, nil
 }
 
-// reloadBackendCommon is a generic method to reload a backend provided a
-// MountEntry.
-func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAuth bool) error {
-	// Make sure our cache is up-to-date. Since some singleton mounts can be
-	// tuned, we do this before the below check.
-	entry.SyncCache()
-
-	// We don't want to reload the singleton mounts. They often have specific
-	// inmemory elements and we don't want to touch them here.
-	if strutil.StrListContains(singletonMounts, entry.Type) {
-		c.logger.Debug("skipping reload of singleton mount", "type", entry.Type)
-		return nil
-	}
-
+// forceReloadBackend reloads any backend, even a singleton. It does not update the cache. Most users
+// should use reloadBackendCommon.
+func (c *Core) forceReloadBackend(ctx context.Context, entry *MountEntry, isAuth bool) error {
 	path := entry.Path
 
 	if isAuth {
@@ -270,18 +259,22 @@ func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAut
 		// Set paths as well
 		paths := backend.SpecialPaths()
 		if paths != nil {
-			re.rootPaths.Store(pathsToRadix(paths.Root))
-			loginPathsEntry, err := parseUnauthenticatedPaths(paths.Unauthenticated)
+			rootPathsEntry, err := parseSpecialPaths(paths.Root)
+			if err != nil {
+				return err
+			}
+			re.rootPaths.Store(rootPathsEntry)
+			loginPathsEntry, err := parseSpecialPaths(paths.Unauthenticated)
 			if err != nil {
 				return err
 			}
 			re.loginPaths.Store(loginPathsEntry)
-			binaryPathsEntry, err := parseUnauthenticatedPaths(paths.Binary)
+			binaryPathsEntry, err := parseSpecialPaths(paths.Binary)
 			if err != nil {
 				return err
 			}
 			re.binaryPaths.Store(binaryPathsEntry)
-			allowSnapshotReadPathsEntry, err := parseUnauthenticatedPaths(paths.AllowSnapshotRead)
+			allowSnapshotReadPathsEntry, err := parseSpecialPaths(paths.AllowSnapshotRead)
 			if err != nil {
 				return err
 			}
@@ -292,6 +285,23 @@ func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAut
 	return nil
 }
 
+// reloadBackendCommon is a generic method to reload a backend provided a
+// MountEntry.
+func (c *Core) reloadBackendCommon(ctx context.Context, entry *MountEntry, isAuth bool) error {
+	// Make sure our cache is up-to-date. Since some singleton mounts can be
+	// tuned, we do this before the below check.
+	entry.SyncCache()
+
+	// We don't want to reload the singleton mounts. They often have specific
+	// inmemory elements and we don't want to touch them here.
+	if strutil.StrListContains(singletonMounts, entry.Type) {
+		c.logger.Debug("skipping reload of singleton mount", "type", entry.Type)
+		return nil
+	}
+
+	return c.forceReloadBackend(ctx, entry, isAuth)
+}
+
 func (c *Core) setupPluginReload() error {
 	return handleSetupPluginReload(c)
 }
diff --git a/vault/plugincatalog/plugin_artifact.go b/vault/plugincatalog/plugin_artifact.go
index 57d3d6545f..a966d67630 100644
--- a/vault/plugincatalog/plugin_artifact.go
+++ b/vault/plugincatalog/plugin_artifact.go
@@ -24,8 +24,11 @@ const (
 )
 
 var (
-	once     sync.Once
-	verifier crypto.PGPVerify
+	once        sync.Once
+	keyRing2030 *crypto.KeyRing
+	keyRing2026 *crypto.KeyRing
+	initErr     error
+	keyRingMu   sync.Mutex // Protects concurrent access to keyrings
 
 	errExtractedArtifactDirNotFound = errors.New("extracted artifact directory not found")
 	errReadMetadata                 = errors.New("failed to read metadata")
@@ -37,13 +40,21 @@ var (
 	errVerifyPluginSig              = errors.New("failed to verify plugin binary PGP signature")
 )
 
-func load() error {
-	var errs error
-	once.Do(func() {
-		// hashiCorpPGPPubKey is HashiCorp's PGP public key
-		// at https://www.hashicorp.com/.well-known/pgp-key.txt.
-		// This key is used to verify the authenticity of HashiCorp plugins.
-		const hashiCorpPGPPubKey = `
+// hashiCorpPGPPubKey2026 is HashiCorp's PGP public key used to verify the
+// authenticity of HashiCorp plugins.
+// Expired on 2026-04-18, and is valid for the following subkeys:
+//
+// sub   rsa4096/C820C6D5CD27AB87 2021-04-21 [S] [expired: 2026-04-18]
+//
+//	374EC75B485913604A831CC7C820C6D5CD27AB87
+//
+// DO NOT REMOVE: The 2026 key provides the original self-signature needed to
+// verify older plugin signatures
+// NOTE: New keys should not be appended to this variable. Instead, use the
+// loadWithKey function to load additional keys from a file or raw string
+// input. The gopenpgp library does not support multiple keys in a single
+// armored block, so each key must be loaded separately.
+var hashiCorpPGPPubKey2026 = `
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQINBGB9+xkBEACabYZOWKmgZsHTdRDiyPJxhbuUiKX65GUWkyRMJKi/1dviVxOX
@@ -168,23 +179,227 @@ ZF5q4h4I33PSGDdSvGXn9UMY5Isjpg==
 -----END PGP PUBLIC KEY BLOCK-----
 `
 
-		pgp := crypto.PGP()
-		key, err := crypto.NewKeyFromArmored(hashiCorpPGPPubKey)
+// hashiCorpPGPPubKey2030 is HashiCorp's PGP public key at
+// https://www.hashicorp.com/.well-known/pgp-key.txt.
+// This key is used to verify the authenticity of HashiCorp plugins.
+// Expires on 2030-03-01, and is valid for the following subkeys:
+//
+// sub   rsa4096/C820C6D5CD27AB87 2021-04-21 [S] [expires: 2030-03-01]
+//
+//	374EC75B485913604A831CC7C820C6D5CD27AB87
+//
+// The 2030 key provides the renewed self-signature for current/future
+// signatures
+// NOTE: New keys should not be appended to this variable. Instead, use the
+// loadWithKey function to load additional keys from a file or raw string
+// input. The gopenpgp library does not support multiple keys in a single
+// armored block, so each key must be loaded separately.
+var hashiCorpPGPPubKey2030 = `
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGB9+xkBEACabYZOWKmgZsHTdRDiyPJxhbuUiKX65GUWkyRMJKi/1dviVxOX
+PG6hBPtF48IFnVgxKpIb7G6NjBousAV+CuLlv5yqFKpOZEGC6sBV+Gx8Vu1CICpl
+Zm+HpQPcIzwBpN+Ar4l/exCG/f/MZq/oxGgH+TyRF3XcYDjG8dbJCpHO5nQ5Cy9h
+QIp3/Bh09kET6lk+4QlofNgHKVT2epV8iK1cXlbQe2tZtfCUtxk+pxvU0UHXp+AB
+0xc3/gIhjZp/dePmCOyQyGPJbp5bpO4UeAJ6frqhexmNlaw9Z897ltZmRLGq1p4a
+RnWL8FPkBz9SCSKXS8uNyV5oMNVn4G1obCkc106iWuKBTibffYQzq5TG8FYVJKrh
+RwWB6piacEB8hl20IIWSxIM3J9tT7CPSnk5RYYCTRHgA5OOrqZhC7JefudrP8n+M
+pxkDgNORDu7GCfAuisrf7dXYjLsxG4tu22DBJJC0c/IpRpXDnOuJN1Q5e/3VUKKW
+mypNumuQpP5lc1ZFG64TRzb1HR6oIdHfbrVQfdiQXpvdcFx+Fl57WuUraXRV6qfb
+4ZmKHX1JEwM/7tu21QE4F1dz0jroLSricZxfaCTHHWNfvGJoZ30/MZUrpSC0IfB3
+iQutxbZrwIlTBt+fGLtm3vDtwMFNWM+Rb1lrOxEQd2eijdxhvBOHtlIcswARAQAB
+tERIYXNoaUNvcnAgU2VjdXJpdHkgKGhhc2hpY29ycC5jb20vc2VjdXJpdHkpIDxz
+ZWN1cml0eUBoYXNoaWNvcnAuY29tPokCVAQTAQoAPgIbAwULCQgHAgYVCgkICwIE
+FgIDAQIeAQIXgBYhBMh0AR8KtAURDQIQVTQ2XZRy10aPBQJplkfQBQkQrOy3AAoJ
+EDQ2XZRy10aPw6gP/3GUEMUa6mCRuuSOT9UnziPIvXYd63mcN6A6Jwmwj8JaB2qu
+OCijvJkw56UbZK3x1FZIbe0hA6VUAwNSNmSIxVJkilgwIYYFO0tnL79XhIeP7jYF
+ydXLZ4rTi1FDl8lltAujTNARdY8UGg4hGlcM9OrEeXEFLWugJNiChL15FVoxZqIS
+jeduaEqyxGfJnyVwy8z3pZfgODeFr7xs2NkUIMSfuRg24VcL4aW8Frt3jW8P45y3
+o/5fsi6Aw2tZ0wD9NSgkVc8VD1NRV9eSZ95Bv+Awf9IXa+Cn5OCjc8Jc+XF+nLfB
+oPswOO7E8dLiuBUw6/GzSLMbVs8qf8BNXB92dOe1VccVTqjCxK2sEpVaHh7e+co8
+d8lDGBIWMGh7NS6XlGORpFb/T6gxjjOYUV3SKd4QDebUUG8kMkb5juLljOoq+YOP
+vgNLDZLZteFpmH+zB9DpOY1YtHZB/OD+DtzLMaSl6VPF2Ln0j5aQGwNDt7sheyAe
+sXbu0qn2H5FxojSfvhT0kUDKZ0mgg5y3Oflg49MiAOhjLGY0JocFpBeMILw27fbw
+fpIBP7siQWFTFJ1O+l2NQiWAwC2x5fX2EakyCBJmrkPV2hr4nEogNqg9/RDskIUq
+cpcOOd/0BntiXMyUCCH2AoCt5acaTQ0WU6CAosZPojOYhtGGgOgeQSdflpMSuQIN
+BGB9+xkBEACoklYsfvWRCjOwS8TOKBTfl8myuP9V9uBNbyHufzNETbhYeT33Cj0M
+GCNd9GdoaknzBQLbQVSQogA+spqVvQPz1MND18GIdtmr0BXENiZE7SRvu76jNqLp
+KxYALoK2Pc3yK0JGD30HcIIgx+lOofrVPA2dfVPTj1wXvm0rbSGA4Wd4Ng3d2AoR
+G/wZDAQ7sdZi1A9hhfugTFZwfqR3XAYCk+PUeoFrkJ0O7wngaon+6x2GJVedVPOs
+2x/XOR4l9ytFP3o+5ILhVnsK+ESVD9AQz2fhDEU6RhvzaqtHe+sQccR3oVLoGcat
+ma5rbfzH0Fhj0JtkbP7WreQf9udYgXxVJKXLQFQgel34egEGG+NlbGSPG+qHOZtY
+4uWdlDSvmo+1P95P4VG/EBteqyBbDDGDGiMs6lAMg2cULrwOsbxWjsWka8y2IN3z
+1stlIJFvW2kggU+bKnQ+sNQnclq3wzCJjeDBfucR3a5WRojDtGoJP6Fc3luUtS7V
+5TAdOx4dhaMFU9+01OoH8ZdTRiHZ1K7RFeAIslSyd4iA/xkhOhHq89F4ECQf3Bt4
+ZhGsXDTaA/VgHmf3AULbrC94O7HNqOvTWzwGiWHLfcxXQsr+ijIEQvh6rHKmJK8R
+9NMHqc3L18eMO6bqrzEHW0Xoiu9W8Yj+WuB3IKdhclT3w0pO4Pj8gQARAQABiQI8
+BBgBCgAmAhsMFiEEyHQBHwq0BRENAhBVNDZdlHLXRo8FAmmWR+0FCRCs7NQACgkQ
+NDZdlHLXRo/R0A//QW1opBlzWSmWww1q9QuJA2WCIIs8tJKRDOsmgJPscNpzwZFU
+N1Df0wWNjqi1BDReei7lZTHwUk+ebBn0bkI3ANmmgYg7LBueAt5UWSingOc+rvKA
+N32BDzBYkMckRzJSQsmeC5hm3J3wLSy90uaIlrJJE9GJZkf/W2Ob+4SQZZ+dnnRP
+JokDdW1DuZS9PbxSLJKD5eIWHBxJnFM1CmHfOfrjTJ+MYvVGM5sxSY8R7E+GADj5
+L/i4N+tTFJLuTMYARGfA6d+KPKcMJtgpUPjSMAg8nGUhukctpuBs27mOKW0CBtmJ
+82X/qYROTL0+vGTvUYflYiuceVlhX/kw0JZnMaG5V/mpHq8SwD07pCGOf69j/mNa
+5EL3++Pmzg0s0stw3Ea5pCN0cL/nKkoWchHBfW15W4JOnKAIspyD1vH670P4WfeV
+E9B9d6tgKSbM/9JlXoQS5ZdG+kbdosieELhmVWmvojyK7K+Ry6C9wgd+UfnW5jXd
+iNwKW3KHuautQwlFhHRNMyDg08c+pI5emTMT3IUQyGWo+Gska3TqGujFcABx7Ip+
+mHNmMrCkSD+XC2bvzvRR7FcM0/B9fsjLX/Wttm5vRJ1d2oAoEPvw2IZnJIXpOt2z
+zo55sJTztNu4lWGgDVgtp9SXO5a0E5YvFHQNZN5QLeVTTFu6I7qG+ME1E/K5Ag0E
+YH3+JQEQALivllTjMolxUW2OxrXb+a2Pt6vjCBsiJzrUj0Pa63U+lT9jldbCCfgP
+wDpcDuO1O05Q8k1MoYZ6HddjWnqKG7S3eqkV5c3ct3amAXp513QDKZUfIDylOmhU
+qvxjEgvGjdRjz6kECFGYr6Vnj/p6AwWv4/FBRFlrq7cnQgPynbIH4hrWvewp3Tqw
+GVgqm5RRofuAugi8iZQVlAiQZJo88yaztAQ/7VsXBiHTn61ugQ8bKdAsr8w/ZZU5
+HScHLqRolcYg0cKN91c0EbJq9k1LUC//CakPB9mhi5+aUVUGusIM8ECShUEgSTCi
+KQiJUPZ2CFbbPE9L5o9xoPCxjXoX+r7L/WyoCPTeoS3YRUMEnWKvc42Yxz3meRb+
+BmaqgbheNmzOah5nMwPupJYmHrjWPkX7oyyHxLSFw4dtoP2j6Z7GdRXKa2dUYdk2
+x3JYKocrDoPHh3Q0TAZujtpdjFi1BS8pbxYFb3hHmGSdvz7T7KcqP7ChC7k2RAKO
+GiG7QQe4NX3sSMgweYpl4OwvQOn73t5CVWYp/gIBNZGsU3Pto8g27vHeWyH9mKr4
+cSepDhw+/X8FGRNdxNfpLKm7Vc0Sm9Sof8TRFrBTqX+vIQupYHRi5QQCuYaV6OVr
+ITeegNK3So4m39d6ajCR9QxRbmjnx9UcnSYYDmIB6fpBuwT0ogNtABEBAAGJBHIE
+GAEKACYCGwIWIQTIdAEfCrQFEQ0CEFU0Nl2UctdGjwUCYH4bgAUJAeFQ2wJAwXQg
+BBkBCgAdFiEEs2y6kaLAcwxDX8KAsLRBCXaFtnYFAmB9/iUACgkQsLRBCXaFtnYX
+BhAAlxejyFXoQwyGo9U+2g9N6LUb/tNtH29RHYxy4A3/ZUY7d/FMkArmh4+dfjf0
+p9MJz98Zkps20kaYP+2YzYmaizO6OA6RIddcEXQDRCPHmLts3097mJ/skx9qLAf6
+rh9J7jWeSqWO6VW6Mlx8j9m7sm3Ae1OsjOx/m7lGZOhY4UYfY627+Jf7WQ5103Qs
+lgQ09es/vhTCx0g34SYEmMW15Tc3eCjQ21b1MeJD/V26npeakV8iCZ1kHZHawPq/
+aCCuYEcCeQOOteTWvl7HXaHMhHIx7jjOd8XX9V+UxsGz2WCIxX/j7EEEc7CAxwAN
+nWp9jXeLfxYfjrUB7XQZsGCd4EHHzUyCf7iRJL7OJ3tz5Z+rOlNjSgci+ycHEccL
+YeFAEV+Fz+sj7q4cFAferkr7imY1XEI0Ji5P8p/uRYw/n8uUf7LrLw5TzHmZsTSC
+UaiL4llRzkDC6cVhYfqQWUXDd/r385OkE4oalNNE+n+txNRx92rpvXWZ5qFYfv7E
+95fltvpXc0iOugPMzyof3lwo3Xi4WZKc1CC/jEviKTQhfn3WZukuF5lbz3V1PQfI
+xFsYe9WYQmp25XGgezjXzp89C/OIcYsVB1KJAKihgbYdHyUN4fRCmOszmOUwEAKR
+3k5j4X8V5bk08sA69NVXPn2ofxyk3YYOMYWW8ouObnXoS8QJEDQ2XZRy10aPMpsQ
+AIbwX21erVqUDMPn1uONP6o4NBEq4MwG7d+fT85rc1U0RfeKBwjucAE/iStZDQoM
+ZKWvGhFR+uoyg1LrXNKuSPB82unh2bpvj4zEnJsJadiwtShTKDsikhrfFEK3aCK8
+Zuhpiu3jxMFDhpFzlxsSwaCcGJqcdwGhWUx0ZAVD2X71UCFoOXPjF9fNnpy80YNp
+flPjj2RnOZbJyBIM0sWIVMd8F44qkTASf8K5Qb47WFN5tSpePq7OCm7s8u+lYZGK
+wR18K7VliundR+5a8XAOyUXOL5UsDaQCK4Lj4lRaeFXunXl3DJ4E+7BKzZhReJL6
+EugV5eaGonA52TWtFdB8p+79wPUeI3KcdPmQ9Ll5Zi/jBemY4bzasmgKzNeMtwWP
+fk6WgrvBwptqohw71HDymGxFUnUP7XYYjic2sVKhv9AevMGycVgwWBiWroDCQ9Ja
+btKfxHhI2p+g+rcywmBobWJbZsujTNjhtme+kNn1mhJsD3bKPjKQfAxaTskBLb0V
+wgV21891TS1Dq9kdPLwoS4XNpYg2LLB4p9hmeG3fu9+OmqwY5oKXsHiWc43dei9Y
+yxZ1AAUOIaIdPkq+YG/PhlGE4YcQZ4RPpltAr0HfGgZhmXWigbGS+66pUj+Ojysc
+j0K5tCVxVu0fhhFpOlHv0LWaxCbnkgkQH9jfMEJkAWMOuQINBGCAXCYBEADW6RNr
+ZVGNXvHVBqSiOWaxl1XOiEoiHPt50Aijt25yXbG+0kHIFSoR+1g6Lh20JTCChgfQ
+kGGjzQvEuG1HTw07YhsvLc0pkjNMfu6gJqFox/ogc53mz69OxXauzUQ/TZ27GDVp
+UBu+EhDKt1s3OtA6Bjz/csop/Um7gT0+ivHyvJ/jGdnPEZv8tNuSE/Uo+hn/Q9hg
+8SbveZzo3C+U4KcabCESEFl8Gq6aRi9vAfa65oxD5jKaIz7cy+pwb0lizqlW7H9t
+Qlr3dBfdIcdzgR55hTFC5/XrcwJ6/nHVH/xGskEasnfCQX8RYKMuy0UADJy72TkZ
+bYaCx+XXIcVB8GTOmJVoAhrTSSVLAZspfCnjwnSxisDn3ZzsYrq3cV6sU8b+QlIX
+7VAjurE+5cZiVlaxgCjyhKqlGgmonnReWOBacCgL/UvuwMmMp5TTLmiLXLT7uxeG
+ojEyoCk4sMrqrU1jevHyGlDJH9Taux15GILDwnYFfAvPF9WCid4UZ4Ouwjcaxfys
+3LxNiZIlUsXNKwS3mhiMRL4TRsbs4k4QE+LIMOsauIvcvm8/frydvQ/kUwIhVTH8
+0XGOH909bYtJvY3fudK7ShIwm7ZFTduBJUG473E/Fn3VkhTmBX6+PjOC50HR/Hyb
+waRCzfDruMe3TAcE/tSP5CUOb9C7+P+hPzQcDwARAQABiQRyBBgBCgAmAhsCFiEE
+yHQBHwq0BRENAhBVNDZdlHLXRo8FAmmWSAoFCRCqi+QCQMF0IAQZAQoAHRYhBDdO
+x1tIWRNgSoMcx8ggxtXNJ6uHBQJggFwmAAoJEMggxtXNJ6uHRfAP/2CGdSyg0K7U
+66Vygl0dugxrMm8O3/Oe211BKdQsFUSWAznOTRTK/zvMUHO4LJAlYvdtZ6xDa4XH
+l9FYQ8MR9ZV0OuOlAZvU4IJDLPVCU09X/UzX/GEoZL0R5esvwPAXopMaRHCfXJeI
+/gEaB94UhAeYlwpcRn0eSuk1vyZx7GRE6/hog8DCf4hoT40dW20gGe58xcvJ+mRY
+lC0lr16WH08wuUcee6+dgu+4Cg6SG6+zt9cMyl8VnTUL5BK/V3MebnYZJK0RFDNn
+nXDhzStgOd5gOeIL+xBPXHd0/ld/rDM74SFExpuS+hNsyo+xMQ/HJavak21MFinu
+l9COwfGEmlAXTGMY30Lf3Pt/eAkbwgmGc966VSoRmOFEXJVlDr+yJR6ru+7j50z8
+lAv6Lsop7sun1Qysbo0swf6W1qgPf6VWbx91NTFLkw0+gD8jxwrU5ZMkeSuntX9d
+pjuZS29CflXXIRPlvhuiDPicwTpYuIUx37vHveAH5gnowZg247x780Urrsx8duTX
+8CI9MAnqzm4dFAiRlwE8bvLk+l9wekiXA9gIMZiVNqNlduXIqvAG21Wdgq8qyeXK
+y/XWCVKDQOmEbFAltfNam8E3KEw0fl199x+93d5ckDGcPzUYPbNkCuIwngC/ZN96
+pDafF3Z12fSNfhZUe0C8td8KAszYa96GCRA0Nl2UctdGj1gKD/4jOGhEGTg88Vyu
+PVjeK+zkwrTIZSvHdUHfTt/+rTLSNb/RQiBCUQuEZvafj6FrntS7bAEhccGqH894
+T3St5K0AXWkvsLd6K+cbIQdlnFA2zb6geJUCk6qx5NgWpRc3i0DS7CheGwl+Bwu7
++n9pNjNjiHV+rYDgqbQXG0dtGysB0/3qIRgEDHFO0HJu/dcte4oXrQIqrZrpOwe8
+WxqFqdU918JpSUcc8coiFp9YtwpgqQNxGVZ+rhgnTGdZzk1f/Yhhimh+2B0ReaFv
+k3UzVBj3HQ9C6+Ot3MyDEhSgdhjr9e25Tm9S5YfhwtWmghRw9RKPyLMSXSxm/Uc0
+mK1NucAp8TQBwKqKzNpCk5IdrBSWRUbjOoOFyzyCsY6gS285GCpSIzI39hTf+3gd
+wYPlE6fj+F2TZzdhx62DPnzBzBHnByYTVdJ649bx0FFp4Q+5TbIWtxu/AQkRDxmW
+NQfE+6GgeshlrhXWsh6+PGDzt+2raG6zUT913sdz7Ctw4fLjmsKOTdTz3Xa9pr8l
+xfI/JuukSgt9o/n3GirhTB3zE1w/I/Xt6k7oASiP3zQSuHtB/CYKYHDtOCWwjo7J
+PEGtb/FkreKNxsk/p20jnlrB8WZxxswdr2Vri9NmFeyMDVX7qF3WqT+8aCV9GtS1
+GCHx/5nGBdDwoxEsXqpI3IUqPb6FDg==
+=wtp+
+-----END PGP PUBLIC KEY BLOCK-----
+`
+
+func load() error {
+	return loadWithKey("")
+}
+
+func loadWithKey(customKeyOrPath string) error {
+	once.Do(func() {
+		// Load individual keys
+		key2030, err := crypto.NewKeyFromArmored(hashiCorpPGPPubKey2030)
 		if err != nil {
-			errs = errors.Join(errs, err)
+			initErr = fmt.Errorf("failed to parse HashiCorp PGP key 2030: %w", err)
+			return
 		}
 
-		verifier, err = pgp.Verify().VerificationKey(key).New()
+		key2026, err := crypto.NewKeyFromArmored(hashiCorpPGPPubKey2026)
 		if err != nil {
-			errs = errors.Join(errs, err)
+			initErr = fmt.Errorf("failed to parse HashiCorp PGP key 2026: %w", err)
+			return
+		}
+
+		// Create separate keyrings for fallback control
+		keyRing2030, err = crypto.NewKeyRing(key2030)
+		if err != nil {
+			initErr = fmt.Errorf("failed to create keyring for 2030 key: %w", err)
+			return
+		}
+
+		keyRing2026, err = crypto.NewKeyRing(key2026)
+		if err != nil {
+			initErr = fmt.Errorf("failed to create keyring for 2026 key: %w", err)
+			return
+		}
+
+		// If a custom key or path is provided, add it to both keyrings
+		if customKeyOrPath != "" {
+			var customKeyData string
+
+			// Check if the input is a raw PGP key (starts with PGP header)
+			if strings.HasPrefix(strings.TrimSpace(customKeyOrPath), "-----BEGIN PGP PUBLIC KEY BLOCK-----") {
+				// It's a raw PGP key, use it directly
+				customKeyData = customKeyOrPath
+			} else {
+				// It's a file path, read the key from the file
+				keyBytes, err := os.ReadFile(customKeyOrPath)
+				if err != nil {
+					initErr = fmt.Errorf("failed to read custom PGP key from file: %w", err)
+					return
+				}
+				customKeyData = string(keyBytes)
+			}
+
+			// Parse the custom key
+			customKey, err := crypto.NewKeyFromArmored(customKeyData)
+			if err != nil {
+				initErr = fmt.Errorf("failed to parse custom PGP key: %w", err)
+				return
+			}
+
+			// Add custom key to both keyrings so it's part of the allowlist
+			err = keyRing2030.AddKey(customKey)
+			if err != nil {
+				initErr = fmt.Errorf("failed to add custom key to 2030 keyring: %w", err)
+				return
+			}
+
+			err = keyRing2026.AddKey(customKey)
+			if err != nil {
+				initErr = fmt.Errorf("failed to add custom key to 2026 keyring: %w", err)
+				return
+			}
 		}
 	})
 
-	if verifier == nil {
-		errs = errors.Join(errs, errors.New("verifier is nil after initialization"))
+	// All callers (first or subsequent) check the result of the initialization
+	if initErr != nil {
+		return initErr
+	}
+	if keyRing2030 == nil || keyRing2026 == nil {
+		return errors.New("keyring initialization failed unexpectedly")
 	}
 
-	return errs
+	return nil
 }
 
 func GetExtractedArtifactDir(pluginName, pluginVersion string) string {
@@ -197,22 +412,90 @@ func GetExtractedArtifactDir(pluginName, pluginVersion string) string {
 
 type verifyFunc func(data, sig []byte) error
 
-func verifyPGPSignatureDetached(data, sig []byte) error {
-	if err := load(); err != nil {
+// verifyPGPSignatureDetachedWithKey verifies a detached PGP signature using either
+// the default HashiCorp keys or HashiCorp keys + custom key (when customKeyPath is provided).
+// The custom key is added to the allowlist of both keyrings.
+func verifyPGPSignatureDetachedWithKey(data, sig []byte, customKeyPath string) error {
+	if err := loadWithKey(customKeyPath); err != nil {
+		if customKeyPath != "" {
+			return fmt.Errorf("failed to load verifier with custom key: %w", err)
+		}
 		return fmt.Errorf("failed to load verifier: %w", err)
 	}
 
-	verifyResult, err := verifier.VerifyDetached(data, sig, crypto.Armor)
+	// Lock to prevent concurrent access to keyrings which can cause data races
+	// in the underlying go-crypto library
+	keyRingMu.Lock()
+	defer keyRingMu.Unlock()
+
+	pgp := crypto.PGP()
+
+	// Try 2030 keyring first (contains 2030 key + custom key if provided)
+	verifyHandle, err := pgp.Verify().VerificationKeys(keyRing2030).New()
 	if err != nil {
-		return fmt.Errorf("failed to verify data: %w", err)
+		return fmt.Errorf("failed to create verifier with 2030 keyring: %w", err)
 	}
-	if sigErr := verifyResult.SignatureError(); sigErr != nil {
-		return fmt.Errorf("unexpected signature error: %w", sigErr)
+
+	result, err := verifyHandle.VerifyDetached(data, sig, crypto.Armor)
+
+	// Check for "no valid self signature" error
+	if err != nil || (result != nil && result.SignatureError() != nil) {
+		var sigErr error
+		if result != nil {
+			sigErr = result.SignatureError()
+		}
+
+		// Check if we should fallback to 2026 keyring
+		// We only fallback on "no valid self signature" error
+		shouldFallback := false
+		if sigErr != nil {
+			if strings.Contains(sigErr.Error(), "no valid self signature") {
+				shouldFallback = true
+			}
+		}
+
+		if shouldFallback {
+			// Fallback to 2026 keyring (contains 2026 key + custom key if provided)
+			verifyHandle2026, err := pgp.Verify().VerificationKeys(keyRing2026).New()
+			if err != nil {
+				return fmt.Errorf("failed to create verifier with 2026 keyring: %w", err)
+			}
+
+			result, err = verifyHandle2026.VerifyDetached(data, sig, crypto.Armor)
+			if err != nil {
+				return fmt.Errorf("failed to verify data with 2026 keyring: %w", err)
+			}
+			if sigErr := result.SignatureError(); sigErr != nil {
+				fp := hex.EncodeToString(result.SignedByFingerprint())
+				return fmt.Errorf("signature verification failed for 2026 keyring with fingerprint %s: %w", fp, sigErr)
+			}
+			return nil
+		}
+
+		// If we didn't fallback, return the original error
+		if err != nil {
+			return fmt.Errorf("failed to verify data with 2030 keyring: %w", err)
+		}
+		if sigErr != nil {
+			fp := hex.EncodeToString(result.SignedByFingerprint())
+			return fmt.Errorf("signature verification failed for 2030 keyring with fingerprint %s: %w", fp, sigErr)
+		}
+	}
+
+	// Verification succeeded with 2030 keyring
+	if result.SignatureError() != nil {
+		fp := hex.EncodeToString(result.SignedByFingerprint())
+		return fmt.Errorf("signature verification failed for 2030 keyring with fingerprint %s: %w", fp, result.SignatureError())
 	}
 
 	return nil
 }
 
+// verifyPGPSignatureDetached verifies a detached PGP signature using the default HashiCorp key.
+func verifyPGPSignatureDetached(data, sig []byte) error {
+	return verifyPGPSignatureDetachedWithKey(data, sig, "")
+}
+
 func VerifyPlugin(pluginDir string, pluginName string, verifyFunc verifyFunc) (*PluginMetadata, error) {
 	if st, err := os.Stat(pluginDir); err != nil {
 		if os.IsNotExist(err) {
diff --git a/vault/plugincatalog/plugin_catalog.go b/vault/plugincatalog/plugin_catalog.go
index fb039c03be..73d657552b 100644
--- a/vault/plugincatalog/plugin_catalog.go
+++ b/vault/plugincatalog/plugin_catalog.go
@@ -69,6 +69,10 @@ type PluginCatalog struct {
 	wrapper pluginutil.RunnerUtil
 
 	runtimeCatalog *PluginRuntimeCatalog
+
+	// pluginPGPKey is the path to a PGP public key file to use for plugin
+	// signature verification.
+	pluginPGPKey string
 }
 
 // Only plugins running with identical PluginRunner config can be multiplexed,
@@ -151,6 +155,9 @@ type PluginCatalogInput struct {
 	Tmpdir               string
 	EnableMlock          bool
 	PluginRuntimeCatalog *PluginRuntimeCatalog
+	// PluginPGPKey is the path to a PGP public key file to use for plugin
+	// signature verification.
+	PluginPGPKey string
 }
 
 func SetupPluginCatalog(ctx context.Context, in *PluginCatalogInput) (*PluginCatalog, error) {
@@ -164,6 +171,7 @@ func SetupPluginCatalog(ctx context.Context, in *PluginCatalogInput) (*PluginCat
 		mlockPlugins:    in.EnableMlock,
 		wrapper:         logical.StaticSystemView{VersionString: version.GetVersion().Version},
 		runtimeCatalog:  in.PluginRuntimeCatalog,
+		pluginPGPKey:    in.PluginPGPKey,
 	}
 
 	// Run upgrade if untyped plugins exist
@@ -213,6 +221,14 @@ func SetupPluginCatalog(ctx context.Context, in *PluginCatalogInput) (*PluginCat
 	return catalog, nil
 }
 
+// getVerifyFunc returns the appropriate verification function based on whether
+// a custom plugin PGP key is configured.
+func (c *PluginCatalog) getVerifyFunc() verifyFunc {
+	return func(data, sig []byte) error {
+		return verifyPGPSignatureDetachedWithKey(data, sig, c.pluginPGPKey)
+	}
+}
+
 func envKeys(env []string) map[string]struct{} {
 	keys := make(map[string]struct{}, len(env))
 	for _, env := range env {
@@ -891,7 +907,7 @@ func (c *PluginCatalog) verifyOfficialPlugins(ctx context.Context) error {
 
 		hasOfficialPlugins = true
 		pluginDir := path.Join(c.directory, path.Dir(plugin.Command))
-		if _, err = VerifyPlugin(pluginDir, plugin.Name, verifyPGPSignatureDetached); err != nil {
+		if _, err = VerifyPlugin(pluginDir, plugin.Name, c.getVerifyFunc()); err != nil {
 			return fmt.Errorf("failed to verify plugin %q version %q: %w", plugin.Name, plugin.Version, err)
 		}
 	}
@@ -1052,7 +1068,7 @@ func (c *PluginCatalog) set(ctx context.Context, plugin pluginutil.SetPluginInpu
 			// e.g., plugins/vault-plugin-secrets-kv_0.24.0_linux_amd64/vault-plugin-secrets-kv
 			plugin.Command = path.Join(extractedArtifactDir, plugin.Name)
 
-			metadata, err := VerifyPlugin(expectedPluginDir, plugin.Name, verifyPGPSignatureDetached)
+			metadata, err := VerifyPlugin(expectedPluginDir, plugin.Name, c.getVerifyFunc())
 			if err != nil {
 				return nil, fmt.Errorf("failed to verify plugin plugin %q version %q: %w",
 					plugin.Name, plugin.Version, err)
diff --git a/vault/plugincatalog/plugin_catalog_custom_key_test.go b/vault/plugincatalog/plugin_catalog_custom_key_test.go
new file mode 100644
index 0000000000..0c00ca4666
--- /dev/null
+++ b/vault/plugincatalog/plugin_catalog_custom_key_test.go
@@ -0,0 +1,203 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package plugincatalog
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/hashicorp/vault/sdk/helper/pluginutil"
+	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestPluginCatalog_SetupWithCustomKey tests SetupPluginCatalog with a custom PGP key
+func TestPluginCatalog_SetupWithCustomKey(t *testing.T) {
+	t.Parallel()
+
+	// Generate a test PGP key pair
+	_, pubKeyArmored := generatePGPKeyPair(t)
+
+	// Create temporary directories
+	tmpDir := t.TempDir()
+	pluginDir := filepath.Join(tmpDir, "plugins")
+	err := os.MkdirAll(pluginDir, 0o755)
+	require.NoError(t, err)
+
+	keyPath := filepath.Join(tmpDir, "custom-key.asc")
+	err = os.WriteFile(keyPath, []byte(pubKeyArmored), 0o644)
+	require.NoError(t, err)
+
+	// Setup plugin catalog with custom key
+	catalog, err := SetupPluginCatalog(context.Background(), &PluginCatalogInput{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CatalogView:     &logical.InmemStorage{},
+		PluginDirectory: pluginDir,
+		Logger:          log.NewNullLogger(),
+		PluginPGPKey:    keyPath,
+	})
+
+	require.NoError(t, err)
+	assert.NotNil(t, catalog)
+	assert.Equal(t, keyPath, catalog.pluginPGPKey, "custom key path should be set")
+
+	// Verify that getVerifyFunc returns a function that uses the custom key
+	verifyFunc := catalog.getVerifyFunc()
+	assert.NotNil(t, verifyFunc)
+}
+
+// TestPluginCatalog_verifyOfficialPlugins_WithCustomKey tests verifyOfficialPlugins with custom key
+func TestPluginCatalog_verifyOfficialPlugins_WithCustomKey(t *testing.T) {
+	t.Parallel()
+
+	// Generate a test PGP key pair
+	privKey, pubKeyArmored := generatePGPKeyPair(t)
+
+	// Create temporary directories
+	tmpDir := t.TempDir()
+	pluginDir := filepath.Join(tmpDir, "plugins")
+	err := os.MkdirAll(pluginDir, 0o755)
+	require.NoError(t, err)
+
+	keyPath := filepath.Join(tmpDir, "custom-key.asc")
+	err = os.WriteFile(keyPath, []byte(pubKeyArmored), 0o644)
+	require.NoError(t, err)
+
+	// Create a plugin artifact with proper signatures
+	pluginName := "vault-plugin-test"
+	pluginVersion := "1.0.0"
+	artifactDir := filepath.Join(pluginDir, GetExtractedArtifactDir(pluginName, pluginVersion))
+	err = os.MkdirAll(artifactDir, 0o755)
+	require.NoError(t, err)
+
+	contents := generatePluginArtifactContents(t, pluginName, pluginVersion, consts.PluginTypeSecrets, true, privKey)
+	for filename, data := range contents {
+		err := os.WriteFile(filepath.Join(artifactDir, filename), data, 0o644)
+		require.NoError(t, err)
+	}
+
+	storage := &logical.InmemStorage{}
+	// Setup plugin catalog with custom key
+	catalog, err := SetupPluginCatalog(context.Background(), &PluginCatalogInput{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CatalogView:     storage,
+		PluginDirectory: pluginDir,
+		Logger:          log.NewNullLogger(),
+		PluginPGPKey:    keyPath,
+	})
+	require.NoError(t, err)
+
+	// Register the plugin as official
+	pluginEntry := &pluginutil.PluginRunner{
+		Name:    pluginName,
+		Type:    consts.PluginTypeSecrets,
+		Version: pluginVersion,
+		Command: filepath.Join(GetExtractedArtifactDir(pluginName, pluginVersion), pluginName),
+		Builtin: false,
+	}
+
+	// Store the plugin in catalog
+	entry, err := logical.StorageEntryJSON(pluginEntry.Name, pluginEntry)
+	require.NoError(t, err)
+	err = storage.Put(context.Background(), entry)
+	require.NoError(t, err)
+
+	// Verify official plugins - should succeed with custom key
+	err = catalog.verifyOfficialPlugins(context.Background())
+	require.NoError(t, err)
+}
+
+// TestPluginCatalog_SetupWithRawCustomKey tests SetupPluginCatalog with a raw PGP key (not a file path)
+func TestPluginCatalog_SetupWithRawCustomKey(t *testing.T) {
+	t.Parallel()
+
+	// Generate a test PGP key pair
+	_, pubKeyArmored := generatePGPKeyPair(t)
+
+	// Create temporary directories
+	tmpDir := t.TempDir()
+	pluginDir := filepath.Join(tmpDir, "plugins")
+	err := os.MkdirAll(pluginDir, 0o755)
+	require.NoError(t, err)
+
+	// Setup plugin catalog with raw PGP key (not a file path)
+	catalog, err := SetupPluginCatalog(context.Background(), &PluginCatalogInput{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CatalogView:     &logical.InmemStorage{},
+		PluginDirectory: pluginDir,
+		Logger:          log.NewNullLogger(),
+		PluginPGPKey:    pubKeyArmored, // Pass raw key directly
+	})
+
+	require.NoError(t, err)
+	assert.NotNil(t, catalog)
+	assert.Equal(t, pubKeyArmored, catalog.pluginPGPKey, "raw custom key should be set")
+
+	// Verify that getVerifyFunc returns a function that uses the custom key
+	verifyFunc := catalog.getVerifyFunc()
+	assert.NotNil(t, verifyFunc)
+}
+
+// TestPluginCatalog_verifyOfficialPlugins_WithRawCustomKey tests verifyOfficialPlugins with raw custom key
+func TestPluginCatalog_verifyOfficialPlugins_WithRawCustomKey(t *testing.T) {
+	t.Parallel()
+
+	// Generate a test PGP key pair
+	privKey, pubKeyArmored := generatePGPKeyPair(t)
+
+	// Create temporary directories
+	tmpDir := t.TempDir()
+	pluginDir := filepath.Join(tmpDir, "plugins")
+	err := os.MkdirAll(pluginDir, 0o755)
+	require.NoError(t, err)
+
+	// Create a plugin artifact with proper signatures
+	pluginName := "vault-plugin-test-raw"
+	pluginVersion := "1.0.0"
+	artifactDir := filepath.Join(pluginDir, GetExtractedArtifactDir(pluginName, pluginVersion))
+	err = os.MkdirAll(artifactDir, 0o755)
+	require.NoError(t, err)
+
+	contents := generatePluginArtifactContents(t, pluginName, pluginVersion, consts.PluginTypeSecrets, true, privKey)
+	for filename, data := range contents {
+		err := os.WriteFile(filepath.Join(artifactDir, filename), data, 0o644)
+		require.NoError(t, err)
+	}
+
+	storage := &logical.InmemStorage{}
+	// Setup plugin catalog with raw PGP key (not a file path)
+	catalog, err := SetupPluginCatalog(context.Background(), &PluginCatalogInput{
+		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
+		CatalogView:     storage,
+		PluginDirectory: pluginDir,
+		Logger:          log.NewNullLogger(),
+		PluginPGPKey:    pubKeyArmored, // Pass raw key directly
+	})
+	require.NoError(t, err)
+
+	// Register the plugin as official
+	pluginEntry := &pluginutil.PluginRunner{
+		Name:    pluginName,
+		Type:    consts.PluginTypeSecrets,
+		Version: pluginVersion,
+		Command: filepath.Join(GetExtractedArtifactDir(pluginName, pluginVersion), pluginName),
+		Builtin: false,
+	}
+
+	// Store the plugin in catalog
+	entry, err := logical.StorageEntryJSON(pluginEntry.Name, pluginEntry)
+	require.NoError(t, err)
+	err = storage.Put(context.Background(), entry)
+	require.NoError(t, err)
+
+	// Verify official plugins - should succeed with raw custom key
+	err = catalog.verifyOfficialPlugins(context.Background())
+	require.NoError(t, err)
+}
diff --git a/vault/policy_store.go b/vault/policy_store.go
index 06e4dd5197..253ebe81a2 100644
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -36,6 +36,9 @@ const (
 	// defaultPolicyName is the name of the default policy
 	defaultPolicyName = "default"
 
+	// defaultCeilingPolicyName is the name of the default ceiling policy.
+	defaultCeilingPolicyName = "default-ceiling"
+
 	// responseWrappingPolicyName is the name of the fixed policy
 	responseWrappingPolicyName = "response-wrapping"
 
@@ -159,6 +162,22 @@ path "sys/control-group/request" {
 path "identity/oidc/provider/+/authorize" {
     capabilities = ["read", "update"]
 }
+`
+
+	// defaultCeilingPolicy is the default ceiling policy.
+	defaultCeilingPolicy = `
+# Allow an entity to inspect its own registration information
+path "agent-registry/registration/entity_id/{{identity.entity.id}}" {
+  capabilities = ["read"]
+}
+
+# Allow an entity to read the default policies
+path "policy/default" {
+  capabilities = ["read"]
+}
+path "policy/default-ceiling" {
+  capabilities = ["read"]
+}
 `
 )
 
@@ -280,6 +299,10 @@ func (c *Core) setupPolicyStore(ctx context.Context) error {
 	if err := c.policyStore.loadACLPolicy(ctx, defaultPolicyName, defaultPolicy); err != nil {
 		return err
 	}
+	// Ensure that the default ceiling policy exists, and if not, create it
+	if err := c.policyStore.loadACLPolicy(ctx, defaultCeilingPolicyName, defaultCeilingPolicy); err != nil {
+		return err
+	}
 	// Ensure that the response wrapping policy exists
 	if err := c.policyStore.loadACLPolicy(ctx, responseWrappingPolicyName, responseWrappingPolicy); err != nil {
 		return err
@@ -835,8 +858,8 @@ func (ps *PolicyStore) switchedDeletePolicy(ctx context.Context, name string, po
 			if strutil.StrListContains(immutablePolicies, name) {
 				return fmt.Errorf("cannot delete %q policy", name)
 			}
-			if name == "default" {
-				return fmt.Errorf("cannot delete default policy")
+			if name == defaultPolicyName || name == defaultCeilingPolicyName {
+				return fmt.Errorf("cannot delete %s policy", name)
 			}
 		}
 
diff --git a/vault/policy_store_test.go b/vault/policy_store_test.go
index 1f7dfa88cb..1542d43eb0 100644
--- a/vault/policy_store_test.go
+++ b/vault/policy_store_test.go
@@ -117,7 +117,8 @@ func testPolicyStoreCRUD(t *testing.T, ps *PolicyStore, ns *namespace.Namespace)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	if len(out) != 1 {
+	expected := []string{defaultPolicyName, defaultCeilingPolicyName}
+	if !reflect.DeepEqual(expected, out) {
 		t.Fatalf("bad: %v", out)
 	}
 
@@ -139,17 +140,17 @@ func testPolicyStoreCRUD(t *testing.T, ps *PolicyStore, ns *namespace.Namespace)
 		t.Fatalf("bad: %v", p)
 	}
 
-	// List should contain two elements
+	// List should contain the two built-in assignable policies plus the new policy.
 	ctx = namespace.ContextWithNamespace(context.Background(), ns)
 	out, err = ps.ListPolicies(ctx, PolicyTypeACL)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	if len(out) != 2 {
+	if len(out) != 3 {
 		t.Fatalf("bad: %v", out)
 	}
 
-	expected := []string{"default", "dev"}
+	expected = []string{defaultPolicyName, defaultCeilingPolicyName, "dev"}
 	if !reflect.DeepEqual(expected, out) {
 		t.Fatalf("expected: %v\ngot: %v", expected, out)
 	}
@@ -167,7 +168,8 @@ func testPolicyStoreCRUD(t *testing.T, ps *PolicyStore, ns *namespace.Namespace)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	if len(out) != 1 || out[0] != "default" {
+	expected = []string{defaultPolicyName, defaultCeilingPolicyName}
+	if !reflect.DeepEqual(expected, out) {
 		t.Fatalf("bad: %v", out)
 	}
 
@@ -191,17 +193,57 @@ func TestPolicyStore_Predefined(t *testing.T) {
 
 // Test predefined policy handling
 func testPolicyStorePredefined(t *testing.T, ps *PolicyStore, ns *namespace.Namespace) {
-	// List should be two elements
+	// List should contain the built-in assignable ACL policies.
 	ctx := namespace.ContextWithNamespace(context.Background(), ns)
 	out, err := ps.ListPolicies(ctx, PolicyTypeACL)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	// This shouldn't contain response-wrapping since it's non-assignable
-	if len(out) != 1 || out[0] != "default" {
+	// This shouldn't contain response-wrapping since it's non-assignable.
+	expected := []string{defaultPolicyName, defaultCeilingPolicyName}
+	if !reflect.DeepEqual(expected, out) {
 		t.Fatalf("bad: %v", out)
 	}
 
+	ctx = namespace.ContextWithNamespace(context.Background(), ns)
+	pDefaultCeiling, err := ps.GetPolicy(ctx, defaultCeilingPolicyName, PolicyTypeToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if pDefaultCeiling == nil {
+		t.Fatal("nil default ceiling policy")
+	}
+	if pDefaultCeiling.Raw != defaultCeilingPolicy {
+		t.Fatalf("bad: expected\n%s\ngot\n%s\n", defaultCeilingPolicy, pDefaultCeiling.Raw)
+	}
+	ctx = namespace.ContextWithNamespace(context.Background(), ns)
+	err = ps.DeletePolicy(ctx, pDefaultCeiling.Name, PolicyTypeACL)
+	if err == nil {
+		t.Fatalf("expected err deleting %s", pDefaultCeiling.Name)
+	}
+
+	ctx = namespace.ContextWithNamespace(context.Background(), ns)
+	updatedDefaultCeiling, err := ParseACLPolicy(ns, aclPolicy)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	updatedDefaultCeiling.Name = defaultCeilingPolicyName
+	err = ps.SetPolicy(ctx, updatedDefaultCeiling)
+	if err != nil {
+		t.Fatalf("expected err to be nil updating %s: %v", updatedDefaultCeiling.Name, err)
+	}
+	ctx = namespace.ContextWithNamespace(context.Background(), ns)
+	pDefaultCeiling, err = ps.GetPolicy(ctx, defaultCeilingPolicyName, PolicyTypeToken)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if pDefaultCeiling == nil {
+		t.Fatal("nil updated default ceiling policy")
+	}
+	if pDefaultCeiling.Raw != updatedDefaultCeiling.Raw {
+		t.Fatalf("bad: expected\n%s\ngot\n%s\n", updatedDefaultCeiling.Raw, pDefaultCeiling.Raw)
+	}
+
 	// Response-wrapping policy checks
 	ctx = namespace.ContextWithNamespace(context.Background(), ns)
 	pCubby, err := ps.GetPolicy(ctx, "response-wrapping", PolicyTypeToken)
@@ -353,7 +395,7 @@ func TestPolicyStore_PoliciesByNamespaces(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}
 
-	expectedResult := []string{"default", "dev"}
+	expectedResult := []string{defaultPolicyName, defaultCeilingPolicyName, "dev"}
 	if !reflect.DeepEqual(expectedResult, out) {
 		t.Fatalf("expected: %v\ngot: %v", expectedResult, out)
 	}
diff --git a/vault/policy_test.go b/vault/policy_test.go
index e1448fef7f..481a77df4e 100644
--- a/vault/policy_test.go
+++ b/vault/policy_test.go
@@ -4,12 +4,14 @@
 package vault
 
 import (
+	"context"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 var rawPolicy = strings.TrimSpace(`
@@ -254,7 +256,7 @@ func TestPolicy_Parse(t *testing.T) {
 			Path:         "test/patch",
 			Capabilities: []string{"patch"},
 			Permissions: &ACLPermissions{
-				CapabilitiesBitmap: (PatchCapabilityInt),
+				CapabilitiesBitmap: PatchCapabilityInt,
 			},
 		},
 		{
@@ -542,3 +544,67 @@ func TestPolicy_Recover(t *testing.T) {
 		t.Fatalf("Recover capability should be present in capabilities bitmap")
 	}
 }
+
+// TestPolicy_NamespaceRequired verifies that Policy objects require a namespace
+// to be set. When NewACL processes policies, it calls addGrantingPoliciesToMap
+// which accesses policy.namespace.ID and policy.namespace.Path. Without a namespace,
+// this would cause a nil pointer error.
+func TestPolicy_NamespaceRequired(t *testing.T) {
+	t.Parallel()
+
+	// Parse a policy with a namespace
+	policy, err := ParseACLPolicy(namespace.RootNamespace, strings.TrimSpace(`
+	path "secret/*" {
+		capabilities = ["read"]
+	}
+	`))
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the namespace is set
+	if policy.namespace == nil {
+		t.Fatal("Policy namespace should be set by ParseACLPolicy")
+	}
+	if policy.namespace.ID != namespace.RootNamespaceID {
+		t.Fatalf("Expected root namespace ID, got: %s", policy.namespace.ID)
+	}
+
+	// Create an ACL from the policy - this exercises addGrantingPoliciesToMap
+	// which requires policy.namespace to be set
+	ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
+	acl, err := NewACL(ctx, []*Policy{policy})
+	if err != nil {
+		t.Fatalf("NewACL should succeed with policy that has namespace set: %v", err)
+	}
+	if acl == nil {
+		t.Fatal("ACL should not be nil")
+	}
+
+	// Verify that AllowOperation works and includes namespace information in granting policies
+	req := &logical.Request{
+		Path:      "secret/test",
+		Operation: logical.ReadOperation,
+	}
+	result := acl.AllowOperation(ctx, req, false)
+	if result == nil {
+		t.Fatal("AllowOperation should return a result")
+	}
+	if !result.Allowed {
+		t.Fatal("Request should be allowed")
+	}
+
+	// Verify granting policies include namespace information
+	// This proves that policy.namespace was accessed successfully
+	if len(result.GrantingPolicies) == 0 {
+		t.Fatal("Should have granting policies")
+	}
+	for _, grantingPolicy := range result.GrantingPolicies {
+		if grantingPolicy.NamespaceId == "" {
+			t.Error("Granting policy should have namespace ID set")
+		}
+		if grantingPolicy.NamespaceId != namespace.RootNamespaceID {
+			t.Errorf("Expected root namespace ID in granting policy, got: %s", grantingPolicy.NamespaceId)
+		}
+	}
+}
diff --git a/vault/raft.go b/vault/raft.go
index 74bf14eae2..f8cff9e114 100644
--- a/vault/raft.go
+++ b/vault/raft.go
@@ -39,6 +39,10 @@ import (
 const (
 	RaftInitialChallengeLimit = 20 // allow an initial burst to 20
 	RaftChallengesPerSecond   = 5  // equating to an average 200ms min time
+	// Keep retry-join workers to a fixed bound so unauthenticated retry joins
+	// cannot grow goroutines without limit. 20 allows bounded parallel progress
+	// while capping memory/CPU impact from repeated requests.
+	raftMaxConcurrentRetryJoins = 20
 
 	// undoLogMonitorInterval is how often the leader checks to see
 	// if all the cluster members it knows about are new enough to support
@@ -1022,6 +1026,8 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
 		return nil, err
 	}
 
+	// We compare here the local seal configuration to that of the leader we are trying to join,
+	// thus there is no need to call ValidateSealGenerationInfo.
 	if !CompatibleSealTypes(sealConfig.Type, c.seal.BarrierSealConfigType().String()) {
 		return nil, fmt.Errorf("incompatible seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierSealConfigType())
 	}
@@ -1245,7 +1251,15 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo
 
 	switch retryFailures {
 	case true:
+		select {
+		case c.raftJoinRetryLimiter <- struct{}{}:
+		default:
+			return false, errors.New("too many concurrent raft retry joins in progress")
+		}
 		go func() {
+			defer func() {
+				<-c.raftJoinRetryLimiter
+			}()
 			for {
 				select {
 				case <-ctx.Done():
diff --git a/vault/rekey.go b/vault/rekey.go
index e808e6c891..b6bc23ab31 100644
--- a/vault/rekey.go
+++ b/vault/rekey.go
@@ -63,9 +63,11 @@ type RekeyBackup struct {
 // the recovery key threshold, depending on whether rekey is being
 // performed on the recovery key, or whether the seal supports
 // recovery keys.
-func (c *Core) RekeyThreshold(ctx context.Context, recovery bool) (int, logical.HTTPCodedError) {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) RekeyThreshold(ctx context.Context, recovery bool, grabLock bool) (int, logical.HTTPCodedError) {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return 0, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -97,9 +99,11 @@ func (c *Core) RekeyThreshold(ctx context.Context, recovery bool) (int, logical.
 }
 
 // RekeyProgress is used to return the rekey progress (num shares).
-func (c *Core) RekeyProgress(recovery, verification bool) (bool, int, logical.HTTPCodedError) {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) RekeyProgress(recovery, verification, grabLock bool) (bool, int, logical.HTTPCodedError) {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return false, 0, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -128,9 +132,11 @@ func (c *Core) RekeyProgress(recovery, verification bool) (bool, int, logical.HT
 }
 
 // RekeyConfig is used to read the rekey configuration
-func (c *Core) RekeyConfig(recovery bool) (*SealConfig, logical.HTTPCodedError) {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) RekeyConfig(recovery bool, grabLock bool) (*SealConfig, logical.HTTPCodedError) {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -158,19 +164,19 @@ func (c *Core) RekeyConfig(recovery bool) (*SealConfig, logical.HTTPCodedError)
 
 // RekeyInit will either initialize the rekey of barrier or recovery key.
 // recovery determines whether this is a rekey on the barrier or recovery key.
-func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedError {
+func (c *Core) RekeyInit(config *SealConfig, recovery bool, grabLock bool) logical.HTTPCodedError {
 	if config.SecretThreshold > config.SecretShares {
 		return logical.CodedError(http.StatusBadRequest, "provided threshold greater than the total shares")
 	}
 
 	if recovery {
-		return c.RecoveryRekeyInit(config)
+		return c.RecoveryRekeyInit(config, grabLock)
 	}
-	return c.BarrierRekeyInit(config)
+	return c.BarrierRekeyInit(config, grabLock)
 }
 
 // BarrierRekeyInit is used to initialize the rekey settings for the barrier key
-func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
+func (c *Core) BarrierRekeyInit(config *SealConfig, grabLock bool) logical.HTTPCodedError {
 	switch c.seal.BarrierSealConfigType() {
 	case SealConfigTypeShamir:
 		// As of Vault 1.3 all seals use StoredShares==1.  The one exception is
@@ -210,8 +216,10 @@ func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
 		return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("invalid rekey seal configuration: %w", err).Error())
 	}
 
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -239,14 +247,14 @@ func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
 	c.barrierRekeyConfig.Nonce = nonce
 	c.barrierRekeyConfig.Created = time.Now().UTC()
 
-	if c.logger.IsInfo() {
-		c.logger.Info("rekey initialized", "nonce", c.barrierRekeyConfig.Nonce, "shares", c.barrierRekeyConfig.SecretShares, "threshold", c.barrierRekeyConfig.SecretThreshold, "validation_required", c.barrierRekeyConfig.VerificationRequired)
-	}
+	c.logger.Info("rekey initialized", "nonce", c.barrierRekeyConfig.Nonce,
+		"shares", c.barrierRekeyConfig.SecretShares, "threshold", c.barrierRekeyConfig.SecretThreshold,
+		"validation_required", c.barrierRekeyConfig.VerificationRequired, "backup", c.barrierRekeyConfig.Backup)
 	return nil
 }
 
 // RecoveryRekeyInit is used to initialize the rekey settings for the recovery key
-func (c *Core) RecoveryRekeyInit(config *SealConfig) logical.HTTPCodedError {
+func (c *Core) RecoveryRekeyInit(config *SealConfig, grabLock bool) logical.HTTPCodedError {
 	if config.StoredShares > 0 {
 		return logical.CodedError(http.StatusBadRequest, "stored shares not supported by recovery key")
 	}
@@ -261,8 +269,10 @@ func (c *Core) RecoveryRekeyInit(config *SealConfig) logical.HTTPCodedError {
 		return logical.CodedError(http.StatusBadRequest, "recovery keys not supported")
 	}
 
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -297,11 +307,11 @@ func (c *Core) RecoveryRekeyInit(config *SealConfig) logical.HTTPCodedError {
 }
 
 // RekeyUpdate is used to provide a new key part for the barrier or recovery key.
-func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool) (*RekeyResult, logical.HTTPCodedError) {
+func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool, grabLock bool) (*RekeyResult, logical.HTTPCodedError) {
 	if recovery {
-		return c.RecoveryRekeyUpdate(ctx, key, nonce)
+		return c.RecoveryRekeyUpdate(ctx, key, nonce, grabLock)
 	}
-	return c.BarrierRekeyUpdate(ctx, key, nonce)
+	return c.BarrierRekeyUpdate(ctx, key, nonce, grabLock)
 }
 
 // BarrierRekeyUpdate is used to provide a new key part. Barrier rekey can be done
@@ -309,10 +319,12 @@ func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recove
 // key.
 //
 // N.B.: If recovery keys are used to rekey, the new barrier key shares are not returned.
-func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError) {
+func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string, grabLock bool) (*RekeyResult, logical.HTTPCodedError) {
 	// Ensure we are already unsealed
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -597,10 +609,12 @@ func (c *Core) performBarrierRekey(ctx context.Context, newSealKey []byte) logic
 }
 
 // RecoveryRekeyUpdate is used to provide a new key part
-func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError) {
+func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string, grabLock bool) (*RekeyResult, logical.HTTPCodedError) {
 	// Ensure we are already unsealed
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -798,10 +812,12 @@ func (c *Core) performRecoveryRekey(ctx context.Context, newRootKey []byte) logi
 	return nil
 }
 
-func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recovery bool) (ret *RekeyVerifyResult, retErr logical.HTTPCodedError) {
+func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recovery bool, grabLock bool) (ret *RekeyVerifyResult, retErr logical.HTTPCodedError) {
 	// Ensure we are already unsealed
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return nil, logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -913,9 +929,11 @@ func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recove
 }
 
 // RekeyCancel is used to cancel an in-progress rekey
-func (c *Core) RekeyCancel(recovery bool, nonce string, requiresNonceDeadline time.Duration) logical.HTTPCodedError {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) RekeyCancel(recovery bool, nonce string, requiresNonceDeadline time.Duration, grabLock bool) logical.HTTPCodedError {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
@@ -952,9 +970,11 @@ func (c *Core) RekeyCancel(recovery bool, nonce string, requiresNonceDeadline ti
 }
 
 // RekeyVerifyRestart is used to start the verification process over
-func (c *Core) RekeyVerifyRestart(recovery bool) logical.HTTPCodedError {
-	c.stateLock.RLock()
-	defer c.stateLock.RUnlock()
+func (c *Core) RekeyVerifyRestart(recovery bool, grabLock bool) logical.HTTPCodedError {
+	if grabLock {
+		c.stateLock.RLock()
+		defer c.stateLock.RUnlock()
+	}
 	if c.Sealed() {
 		return logical.CodedError(http.StatusServiceUnavailable, consts.ErrSealed.Error())
 	}
diff --git a/vault/rekey_test.go b/vault/rekey_test.go
index c99b25374a..08ca240ff8 100644
--- a/vault/rekey_test.go
+++ b/vault/rekey_test.go
@@ -36,7 +36,7 @@ func TestCore_Rekey_Lifecycle(t *testing.T) {
 func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, recovery bool) {
 	min, _ := c.barrier.KeyLength()
 	// Verify update not allowed
-	_, err := c.RekeyUpdate(context.Background(), make([]byte, min), "", recovery)
+	_, err := c.RekeyUpdate(context.Background(), make([]byte, min), "", recovery, true)
 	expected := "no barrier rekey in progress"
 	if recovery {
 		expected = "no recovery rekey in progress"
@@ -46,12 +46,12 @@ func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, recovery bool) {
 	}
 
 	// Should be no progress
-	if _, _, err := c.RekeyProgress(recovery, false); err == nil {
+	if _, _, err := c.RekeyProgress(recovery, false, true); err == nil {
 		t.Fatal("expected error from RekeyProgress")
 	}
 
 	// Should be no config
-	conf, err := c.RekeyConfig(recovery)
+	conf, err := c.RekeyConfig(recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -60,7 +60,7 @@ func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, recovery bool) {
 	}
 
 	// Cancel should be idempotent
-	err = c.RekeyCancel(false, "", 10*time.Minute)
+	err = c.RekeyCancel(false, "", 10*time.Minute, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -70,13 +70,13 @@ func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, recovery bool) {
 		SecretThreshold: 3,
 		SecretShares:    5,
 	}
-	err = c.RekeyInit(newConf, recovery)
+	err = c.RekeyInit(newConf, recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Should get config
-	conf, err = c.RekeyConfig(recovery)
+	conf, err = c.RekeyConfig(recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -86,13 +86,13 @@ func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, recovery bool) {
 	}
 
 	// Cancel should be clear
-	err = c.RekeyCancel(recovery, conf.Nonce, 10*time.Minute)
+	err = c.RekeyCancel(recovery, conf.Nonce, 10*time.Minute, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Should be no config
-	conf, err = c.RekeyConfig(recovery)
+	conf, err = c.RekeyConfig(recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -114,7 +114,7 @@ func testCore_Rekey_Init_Common(t *testing.T, c *Core, recovery bool) {
 		SecretThreshold: 5,
 		SecretShares:    1,
 	}
-	err := c.RekeyInit(badConf, recovery)
+	err := c.RekeyInit(badConf, recovery, true)
 	if err == nil {
 		t.Fatalf("should fail")
 	}
@@ -131,13 +131,13 @@ func testCore_Rekey_Init_Common(t *testing.T, c *Core, recovery bool) {
 		newConf.Type = c.seal.RecoverySealConfigType().String()
 	}
 
-	err = c.RekeyInit(newConf, recovery)
+	err = c.RekeyInit(newConf, recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Second should fail
-	err = c.RekeyInit(newConf, recovery)
+	err = c.RekeyInit(newConf, recovery, true)
 	if err == nil {
 		t.Fatalf("should fail")
 	}
@@ -171,13 +171,13 @@ func testCore_Rekey_Update_Common_Error(t *testing.T, c *Core, keys [][]byte, ro
 		SecretThreshold: 3,
 		SecretShares:    5,
 	}
-	hErr := c.RekeyInit(newConf, recovery)
+	hErr := c.RekeyInit(newConf, recovery, true)
 	if hErr != nil {
 		t.Fatalf("err: %v", hErr)
 	}
 
 	// Fetch new config with generated nonce
-	rkconf, hErr := c.RekeyConfig(recovery)
+	rkconf, hErr := c.RekeyConfig(recovery, true)
 	if hErr != nil {
 		t.Fatalf("err: %v", hErr)
 	}
@@ -188,7 +188,7 @@ func testCore_Rekey_Update_Common_Error(t *testing.T, c *Core, keys [][]byte, ro
 	// Provide the master/recovery keys
 	var result *RekeyResult
 	for _, key := range keys {
-		result, err = c.RekeyUpdate(context.Background(), key, rkconf.Nonce, recovery)
+		result, err = c.RekeyUpdate(context.Background(), key, rkconf.Nonce, recovery, true)
 		if err != nil {
 			if !wantRekeyUpdateError {
 				t.Fatalf("err: %v", err)
@@ -208,12 +208,12 @@ func testCore_Rekey_Update_Common_Error(t *testing.T, c *Core, keys [][]byte, ro
 	}
 
 	// Should be no progress
-	if _, _, err := c.RekeyProgress(recovery, false); err == nil {
+	if _, _, err := c.RekeyProgress(recovery, false, true); err == nil {
 		t.Fatal("expected error from RekeyProgress")
 	}
 
 	// Should be no config
-	conf, hErr := c.RekeyConfig(recovery)
+	conf, hErr := c.RekeyConfig(recovery, true)
 	if hErr != nil {
 		t.Fatalf("rekey config error: %v", hErr)
 	}
@@ -271,13 +271,13 @@ func testCore_Rekey_Update_Common_Error(t *testing.T, c *Core, keys [][]byte, ro
 		SecretThreshold: 1,
 		SecretShares:    1,
 	}
-	err = c.RekeyInit(newConf, recovery)
+	err = c.RekeyInit(newConf, recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Fetch new config with generated nonce
-	rkconf, err = c.RekeyConfig(recovery)
+	rkconf, err = c.RekeyConfig(recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -288,14 +288,14 @@ func testCore_Rekey_Update_Common_Error(t *testing.T, c *Core, keys [][]byte, ro
 	// Provide the parts master
 	oldResult := result
 	for i := 0; i < 3; i++ {
-		result, err = c.RekeyUpdate(context.Background(), TestKeyCopy(oldResult.SecretShares[i]), rkconf.Nonce, recovery)
+		result, err = c.RekeyUpdate(context.Background(), TestKeyCopy(oldResult.SecretShares[i]), rkconf.Nonce, recovery, true)
 		if err != nil {
 			t.Fatalf("err: %v", err)
 		}
 
 		// Should be progress
 		if i < 2 {
-			_, num, err := c.RekeyProgress(recovery, false)
+			_, num, err := c.RekeyProgress(recovery, false, true)
 			if err != nil {
 				t.Fatalf("err: %v", err)
 			}
@@ -367,13 +367,13 @@ func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recover
 		SecretThreshold: 3,
 		SecretShares:    5,
 	}
-	err := c.RekeyInit(newConf, recovery)
+	err := c.RekeyInit(newConf, recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 
 	// Fetch new config with generated nonce
-	rkconf, err := c.RekeyConfig(recovery)
+	rkconf, err := c.RekeyConfig(recovery, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -382,7 +382,7 @@ func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recover
 	}
 
 	// Provide the nonce (invalid)
-	_, err = c.RekeyUpdate(context.Background(), keys[0], "abcd", recovery)
+	_, err = c.RekeyUpdate(context.Background(), keys[0], "abcd", recovery, true)
 	if err == nil {
 		t.Fatalf("expected error")
 	}
@@ -392,13 +392,13 @@ func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recover
 	oldkeystr := fmt.Sprintf("%#v", key)
 	key[0]++
 	newkeystr := fmt.Sprintf("%#v", key)
-	ret, err := c.RekeyUpdate(context.Background(), key, rkconf.Nonce, recovery)
+	ret, err := c.RekeyUpdate(context.Background(), key, rkconf.Nonce, recovery, true)
 	if err == nil {
 		t.Fatalf("expected error, ret is %#v\noldkeystr: %s\nnewkeystr: %s", *ret, oldkeystr, newkeystr)
 	}
 
 	// Check progress has been reset
-	_, num, err := c.RekeyProgress(recovery, false)
+	_, num, err := c.RekeyProgress(recovery, false, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -466,12 +466,12 @@ func TestCore_Rekey_Standby(t *testing.T) {
 		SecretShares:    1,
 		SecretThreshold: 1,
 	}
-	err = core.RekeyInit(newConf, false)
+	err = core.RekeyInit(newConf, false, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 	// Fetch new config with generated nonce
-	rkconf, err := core.RekeyConfig(false)
+	rkconf, err := core.RekeyConfig(false, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -480,7 +480,7 @@ func TestCore_Rekey_Standby(t *testing.T) {
 	}
 	var rekeyResult *RekeyResult
 	for _, key := range keys {
-		rekeyResult, err = core.RekeyUpdate(context.Background(), key, rkconf.Nonce, false)
+		rekeyResult, err = core.RekeyUpdate(context.Background(), key, rkconf.Nonce, false, true)
 		if err != nil {
 			t.Fatalf("err: %v", err)
 		}
@@ -499,12 +499,12 @@ func TestCore_Rekey_Standby(t *testing.T) {
 	TestWaitActive(t, core2)
 
 	// Rekey the master key again
-	err = core2.RekeyInit(newConf, false)
+	err = core2.RekeyInit(newConf, false, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 	// Fetch new config with generated nonce
-	rkconf, err = core2.RekeyConfig(false)
+	rkconf, err = core2.RekeyConfig(false, true)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -513,7 +513,7 @@ func TestCore_Rekey_Standby(t *testing.T) {
 	}
 	var rekeyResult2 *RekeyResult
 	for _, key := range rekeyResult.SecretShares {
-		rekeyResult2, err = core2.RekeyUpdate(context.Background(), key, rkconf.Nonce, false)
+		rekeyResult2, err = core2.RekeyUpdate(context.Background(), key, rkconf.Nonce, false, true)
 		if err != nil {
 			t.Fatalf("err: %v", err)
 		}
@@ -542,7 +542,7 @@ func TestSysRekey_Verification_Invalid(t *testing.T) {
 	err := core.BarrierRekeyInit(&SealConfig{
 		VerificationRequired: true,
 		StoredShares:         1,
-	})
+	}, true)
 
 	if err == nil {
 		t.Fatal("expected error")
@@ -599,11 +599,11 @@ func TestCancelRekey_Nonce(t *testing.T) {
 				t.Skip(t, "recovery rekey not supported")
 			}
 
-			err := c.RekeyInit(tc.config, tc.recovery)
+			err := c.RekeyInit(tc.config, tc.recovery, true)
 			require.NoError(t, err, "rekey init failed")
 
 			// try to cancel without the nonce
-			err = c.RekeyCancel(tc.recovery, "", 10*time.Minute)
+			err = c.RekeyCancel(tc.recovery, "", 10*time.Minute, true)
 			require.Error(t, err, "cancel should have errored")
 
 			// retrieve the nonce
@@ -621,7 +621,7 @@ func TestCancelRekey_Nonce(t *testing.T) {
 			require.NotEmpty(t, nonce, "nonce missing")
 
 			// cancel successfully
-			err = c.RekeyCancel(tc.recovery, nonce, 10*time.Minute)
+			err = c.RekeyCancel(tc.recovery, nonce, 10*time.Minute, true)
 			require.NoError(t, err, "error on rekey cancel")
 		})
 	}
@@ -675,14 +675,14 @@ func TestCancelRekey_Regression(t *testing.T) {
 				wg.Add(1)
 				go func() {
 					defer wg.Done()
-					c.RekeyCancel(tc.recovery, "", 10*time.Minute)
+					c.RekeyCancel(tc.recovery, "", 10*time.Minute, true)
 				}()
 			}
-			err := c.RekeyInit(tc.config, tc.recovery)
+			err := c.RekeyInit(tc.config, tc.recovery, true)
 			require.NoError(t, err)
 
 			wg.Wait()
-			happening, keys, err := c.RekeyProgress(tc.recovery, false)
+			happening, keys, err := c.RekeyProgress(tc.recovery, false, true)
 			require.NoError(t, err)
 			require.True(t, happening)
 			require.Equal(t, 0, keys)
@@ -731,14 +731,14 @@ func TestCancelRekey_AfterDeadline(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.config.Type, func(t *testing.T) {
 			c := tc.core(t)
-			err := c.RekeyInit(tc.config, tc.recovery)
+			err := c.RekeyInit(tc.config, tc.recovery, true)
 			require.NoError(t, err)
 
 			// ensure that that 10 ms have passed before we cancel
 			time.Sleep(10 * time.Millisecond)
 			// set the deadline to a microsecond, which means we won't need a
 			// nonce to cancel the rekey
-			err = c.RekeyCancel(tc.recovery, "", time.Microsecond)
+			err = c.RekeyCancel(tc.recovery, "", time.Microsecond, true)
 			require.NoError(t, err)
 		})
 	}
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 0ec4cc8a33..28dad843e7 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -101,8 +101,6 @@ func (c *Core) fetchEntityAndDerivedPolicies(ctx context.Context, tokenNS *names
 
 	policies := make(map[string][]string)
 	if !skipDeriveEntityPolicies {
-		// c.logger.Debug("entity successfully fetched; adding entity policies to token's policies to create ACL")
-
 		// Attach the policies on the entity
 		if len(entity.Policies) != 0 {
 			policies[entity.NamespaceID] = append(policies[entity.NamespaceID], entity.Policies...)
@@ -228,7 +226,10 @@ func (c *Core) getApplicableGroupPolicies(ctx context.Context, tokenNS *namespac
 
 func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Request) (*ACL, *logical.TokenEntry, *identity.Entity, map[string][]string, error) {
 	defer metrics.MeasureSince([]string{"core", "fetch_acl_and_token"}, time.Now())
-
+	if req == nil {
+		c.logger.Error("fetchACLTokenEntryAndEntity called with nil request")
+		return nil, nil, nil, nil, ErrInternalError
+	}
 	// Ensure there is a client token
 	if req.ClientToken == "" {
 		return nil, nil, nil, nil, logical.ErrPermissionDenied
@@ -239,12 +240,41 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 		return nil, nil, nil, nil, ErrInternalError
 	}
 
+	var secondEntity *identity.Entity
+	if IsEnterpriseToken(req.ClientToken) {
+		isValidEnterpriseToken, tokenMetadataContainer, entity, actorEntity, chosenProfile, err := c.validateEnterpriseTokenAndFetchEntity(ctx, req.ClientToken)
+		if err != nil {
+			c.logger.Error("failed to validate enterprise token", "error", err)
+		}
+		if !isValidEnterpriseToken {
+			return nil, nil, nil, nil, logical.ErrPermissionDenied
+		}
+		req.EnterpriseTokenMetadata = getEnterpriseTokenMetadata(tokenMetadataContainer)
+		req.EnterpriseTokenIssuer = getEnterpriseTokenIssuer(tokenMetadataContainer)
+		req.EnterpriseTokenTransaction = getEnterpriseTokenTransaction(tokenMetadataContainer)
+		req.EnterpriseTokenAudience = getEnterpriseTokenAudience(tokenMetadataContainer)
+		_, req.EnterpriseTokenAuthorizationDetailsPresent = tokenMetadataContainer["authorization_details"]
+		req.EnterpriseTokenAuthorizationDetails = getEnterpriseTokenAuthorizationDetails(tokenMetadataContainer)
+		secondEntity = actorEntity
+		err = c.createAndStoreEnterpriseTokenEntry(ctx, req, tokenMetadataContainer, entity, actorEntity, chosenProfile)
+		if err != nil {
+			if c.perfStandby && errors.Is(err, logical.ErrReadOnly) {
+				return nil, nil, nil, nil, logical.ErrPerfStandbyPleaseForward
+			}
+			return nil, nil, nil, nil, multierror.Append(err, errors.New("failed in processing enterprise token"))
+		}
+	}
+
 	// Resolve the token policy
 	var te *logical.TokenEntry
 	switch req.TokenEntry() {
 	case nil:
 		var err error
-		te, err = c.tokenStore.Lookup(ctx, req.ClientToken)
+		if IsEnterpriseToken(req.ClientToken) {
+			te, err = c.tokenStore.Lookup(ctx, getEnterpriseTokenId(req.EnterpriseTokenMetadata))
+		} else {
+			te, err = c.tokenStore.Lookup(ctx, req.ClientToken)
+		}
 		if err != nil {
 			c.logger.Error("failed to lookup acl token", "error", err)
 			return nil, nil, nil, nil, ErrInternalError
@@ -260,9 +290,23 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 		return nil, nil, nil, nil, multierror.Append(logical.ErrPermissionDenied, logical.ErrInvalidToken)
 	}
 
+	if secondEntity != nil {
+		if req.Auth == nil {
+			req.Auth = &logical.Auth{}
+		}
+		req.Auth.ActorEntityID = secondEntity.ID
+		req.Auth.ActorEntityName = secondEntity.Name
+	}
+
 	// CIDR checks bind all tokens except non-expiring root tokens
 	if te.TTL != 0 && len(te.BoundCIDRs) > 0 {
 		var valid bool
+
+		// Validate req for connection on CIDR
+		if req.Connection == nil || req.Connection.RemoteAddr == "" {
+			c.logger.Warn("token bound CIDRs found but no connection information available for validation")
+			return nil, nil, nil, nil, logical.ErrPermissionDenied
+		}
 		remoteSockAddr, err := sockaddr.NewSockAddr(req.Connection.RemoteAddr)
 		if err != nil {
 			if c.Logger().IsDebug() {
@@ -304,6 +348,27 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 		policyNames[nsID] = policyutil.SanitizePolicies(append(policyNames[nsID], nsPolicies...), false)
 	}
 
+	var secondEntityPolicyNames map[string][]string
+	if secondEntity != nil {
+		c.logger.Debug("building separate ACL for second entity", "entity_id", secondEntity.ID)
+		secondEntityPolicyNames = make(map[string][]string)
+		secondEntityIdentityPolicies, err := c.fetchCeilingPolicies(ctx, secondEntity)
+		if err != nil {
+			return nil, nil, nil, nil, err
+		}
+		allowOnly, err := c.allPoliciesAllowOnly(ctx, secondEntityIdentityPolicies)
+		if err != nil {
+			return nil, nil, nil, nil, ErrInternalError
+		}
+		if !allowOnly {
+			return nil, nil, nil, nil, logical.ErrPermissionDenied
+		}
+		// Store second entity policies separately - do NOT merge with primary entity's policies
+		for nsID, nsPolicies := range secondEntityIdentityPolicies {
+			secondEntityPolicyNames[nsID] = policyutil.SanitizePolicies(nsPolicies, false)
+		}
+	}
+
 	// Attach token's namespace information to the context. Wrapping tokens by
 	// should be able to be used anywhere, so we also special case behavior.
 	var tokenCtx context.Context
@@ -344,9 +409,61 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 		return nil, nil, nil, nil, ErrInternalError
 	}
 
+	if secondEntity != nil {
+		newAcl, err := c.performSecondaryEntityTokenChecks(tokenCtx, acl, secondEntity, secondEntityPolicyNames)
+		if err != nil {
+			return nil, nil, nil, nil, err
+		}
+		acl = newAcl
+	}
+
 	return acl, te, entity, identityPolicies, nil
 }
 
+// restoreForwardingTokenHeaders restores client token headers so forwarded
+// requests preserve the caller's original token representation on the active
+// node. It prefers Request.InboundSSCToken (captured before any token
+// normalization) and falls back to Request.ClientToken when no inbound value is
+// available.
+func restoreForwardingTokenHeaders(req *logical.Request) {
+	if req == nil {
+		return
+	}
+	tokenToForward := req.InboundSSCToken
+	if tokenToForward == "" {
+		tokenToForward = req.ClientToken
+	}
+	if tokenToForward == "" {
+		return
+	}
+	if req.Headers == nil {
+		req.Headers = make(map[string][]string)
+	}
+	switch req.ClientTokenSource {
+	case logical.ClientTokenFromVaultHeader:
+		req.Headers[consts.AuthHeaderName] = []string{tokenToForward}
+	case logical.ClientTokenFromAuthzHeader:
+		req.Headers["Authorization"] = append(req.Headers["Authorization"], fmt.Sprintf("Bearer %s", tokenToForward))
+	}
+}
+
+// requiresMaterializedTokenState reports whether the request path needs a
+// storage-backed token entry for enterprise token authentication flows.
+//
+// Token renew/revoke paths are intentionally excluded because token store
+// handlers reject enterprise tokens for those operations.
+func requiresMaterializedTokenState(path string) bool {
+	if path == "sys/leases/count" || path == "sys/leases" ||
+		path == "sys/leases/lookup" || strings.HasPrefix(path, "sys/leases/lookup/") {
+		return true
+	}
+	switch path {
+	case "auth/token/lookup-self", "auth/token/lookup":
+		return true
+	}
+	return strings.HasPrefix(path, "cubbyhole/")
+}
+
 // CheckTokenWithLock calls CheckToken after grabbing the internal stateLock,
 // and also checking that we aren't in the process of shutting down.
 func (c *Core) CheckTokenWithLock(ctx context.Context, req *logical.Request) (*logical.Auth, *logical.TokenEntry, error) {
@@ -467,7 +584,7 @@ func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool
 	switch {
 	case req.ClientTokenSource == logical.ClientTokenFromVaultHeader:
 		delete(req.Headers, consts.AuthHeaderName)
-	case req.ClientTokenSource == logical.ClientTokenFromAuthzHeader && !unauth && te == nil:
+	case req.ClientTokenSource == logical.ClientTokenFromAuthzHeader && (!unauth || te != nil):
 		if headers, ok := req.Headers["Authorization"]; ok {
 			retHeaders := make([]string, 0, len(headers))
 			for _, v := range headers {
@@ -521,6 +638,13 @@ func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool
 		req.ClientID = clientID
 	}
 
+	if req.Auth != nil {
+		auth.ActorEntityID = req.Auth.ActorEntityID
+		auth.ActorEntityName = req.Auth.ActorEntityName
+	}
+	// Copy authorization details from the request to auth so plugins can access them.
+	auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
+
 	twoStepRecover := req.Operation == logical.RecoverOperation && req.RecoverSourcePath != "" && req.RecoverSourcePath != req.Path
 	var alternateRecoverCapability *logical.Operation
 	if twoStepRecover {
@@ -563,12 +687,7 @@ func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool
 		// forward this request properly to the active node.
 		if retErr.ErrorOrNil() != nil && checkErrControlGroupTokenNeedsCreated(retErr) &&
 			c.perfStandby && len(req.ClientToken) != 0 {
-			switch req.ClientTokenSource {
-			case logical.ClientTokenFromVaultHeader:
-				req.Headers[consts.AuthHeaderName] = []string{req.ClientToken}
-			case logical.ClientTokenFromAuthzHeader:
-				req.Headers["Authorization"] = append(req.Headers["Authorization"], fmt.Sprintf("Bearer %s", req.ClientToken))
-			}
+			restoreForwardingTokenHeaders(req)
 			// We also return the appropriate error so that the caller can forward the
 			// request to the active node
 			return auth, te, logical.ErrPerfStandbyPleaseForward
@@ -803,8 +922,11 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 			}
 			// We don't care if the token is a server side consistent token or not. Either way, we're going
 			// to be returning it for these paths instead of the short token stored in vault.
-			requestBodyToken = token.(string)
-			if IsSSCToken(token.(string)) {
+			requestBodyToken, ok = token.(string)
+			if !ok {
+				return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
+			}
+			if IsSSCToken(token.(string)) && !IsEnterpriseToken(token.(string)) {
 				token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
 				// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
 				// should receive a 403 bad token error like they do for all other invalid tokens, unless the error
@@ -1096,12 +1218,15 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		return
 	}
 
+	var auth *logical.Auth
+	var te *logical.TokenEntry
+	var ctErr error
 	// Validate the token
-	auth, te, ctErr := c.CheckToken(ctx, req, false)
-	if ctErr == logical.ErrRelativePath {
+	auth, te, ctErr = c.CheckToken(ctx, req, false)
+	if errors.Is(ctErr, logical.ErrRelativePath) {
 		return logical.ErrorResponse(ctErr.Error()), nil, ctErr
 	}
-	if ctErr == logical.ErrPerfStandbyPleaseForward {
+	if errors.Is(ctErr, logical.ErrPerfStandbyPleaseForward) {
 		return nil, nil, ctErr
 	}
 
@@ -1118,46 +1243,73 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		c.UpdateInFlightReqData(inFlightReqID, req.ClientID)
 	}
 
+	// Some request paths require a token store entry (for example token lookup
+	// endpoints and cubbyhole paths). Materialize token state on-demand for
+	// these requests.
+	if ctErr == nil && te != nil && te.Type == logical.TokenTypeEnt && !te.IsStorageBacked() &&
+		requiresMaterializedTokenState(req.Path) {
+		materializedReq, matErr := c.materializeEnterpriseTokenForUsage(ctx, req, auth, c.perfStandby)
+		if matErr != nil {
+			if errors.Is(matErr, logical.ErrPerfStandbyPleaseForward) {
+				restoreForwardingTokenHeaders(req)
+				return nil, nil, matErr
+			}
+			c.logger.Error("failed to materialize enterprise token for token endpoint", "request_path", req.Path, "error", matErr)
+			retErr = multierror.Append(retErr, ErrInternalError)
+			return nil, auth, retErr
+		}
+
+		// Preserve the returned request's token identity fields so downstream
+		// routing (notably cubbyhole) is keyed by the materialized token ID.
+		req.ClientToken = materializedReq.ClientToken
+		req.ClientTokenAccessor = materializedReq.ClientTokenAccessor
+		req.ClientTokenRemainingUses = materializedReq.ClientTokenRemainingUses
+		req.SetTokenEntry(materializedReq.TokenEntry())
+		te = req.TokenEntry()
+	}
+
 	// We run this logic first because we want to decrement the use count even
 	// in the case of an error (assuming we can successfully look up; if we
 	// need to forward, we exit before now)
 	if te != nil && !isControlGroupRun(req) {
-		// Attempt to use the token (decrement NumUses)
-		var err error
-		te, err = c.tokenStore.UseToken(ctx, te)
-		if err != nil {
-			c.logger.Error("failed to use token", "error", err)
-			retErr = multierror.Append(retErr, ErrInternalError)
-			return nil, nil, retErr
-		}
-		if te == nil {
-			// Token has been revoked by this point
-			retErr = multierror.Append(retErr, logical.ErrPermissionDenied, logical.ErrInvalidToken)
-			return nil, nil, retErr
-		}
-		if te.NumUses == tokenRevocationPending {
-			// We defer a revocation until after logic has run, since this is a
-			// valid request (this is the token's final use). We pass the ID in
-			// directly just to be safe in case something else modifies te later.
-			defer func(id string) {
-				nsActiveCtx := namespace.ContextWithNamespace(c.activeContext, ns)
-				leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(nsActiveCtx, te)
-				if err == nil {
-					err = c.expiration.LazyRevoke(ctx, leaseID)
-				}
-				if err != nil {
-					c.logger.Error("failed to revoke token", "error", err)
-					retResp = nil
-					retAuth = nil
-					retErr = multierror.Append(retErr, ErrInternalError)
-				}
-				if retResp != nil && retResp.Secret != nil &&
-					// Some backends return a TTL even without a Lease ID
-					retResp.Secret.LeaseID != "" {
-					retResp = logical.ErrorResponse("Secret cannot be returned; token had one use left, so leased credentials were immediately revoked.")
-					return
-				}
-			}(te.ID)
+		if te.IsStorageBacked() {
+			// Attempt to use the token (decrement NumUses)
+			var err error
+			te, err = c.tokenStore.UseToken(ctx, te)
+			if err != nil {
+				c.logger.Error("failed to use token", "request_path", req.Path, "error", err)
+				retErr = multierror.Append(retErr, ErrInternalError)
+				return nil, nil, retErr
+			}
+			if te == nil {
+				// Token has been revoked by this point
+				retErr = multierror.Append(retErr, logical.ErrPermissionDenied, logical.ErrInvalidToken)
+				return nil, nil, retErr
+			}
+			if te.NumUses == tokenRevocationPending {
+				// We defer a revocation until after logic has run, since this is a
+				// valid request (this is the token's final use). We pass the ID in
+				// directly just to be safe in case something else modifies te later.
+				defer func(id string) {
+					nsActiveCtx := namespace.ContextWithNamespace(c.activeContext, ns)
+					leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(nsActiveCtx, te)
+					if err == nil {
+						err = c.expiration.LazyRevoke(ctx, leaseID)
+					}
+					if err != nil {
+						c.logger.Error("failed to revoke token", "request_path", req.Path, "error", err)
+						retResp = nil
+						retAuth = nil
+						retErr = multierror.Append(retErr, ErrInternalError)
+					}
+					if retResp != nil && retResp.Secret != nil &&
+						// Some backends return a TTL even without a Lease ID
+						retResp.Secret.LeaseID != "" {
+						retResp = logical.ErrorResponse("Secret cannot be returned; token had one use left, so leased credentials were immediately revoked.")
+						return
+					}
+				}(te.ID)
+			}
 		}
 	}
 
@@ -1391,6 +1543,20 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		}
 
 		if registerLease {
+			registerReq := req
+			if te := req.TokenEntry(); te != nil && !te.IsStorageBacked() {
+				registerReq, err = c.materializeEnterpriseTokenForUsage(ctx, req, auth, c.perfStandby)
+				if err != nil {
+					if errors.Is(err, logical.ErrPerfStandbyPleaseForward) {
+						restoreForwardingTokenHeaders(req)
+						return nil, nil, err
+					}
+					c.logger.Error("failed to materialize enterprise token for lease", "request_path", req.Path, "error", err)
+					retErr = multierror.Append(retErr, ErrInternalError)
+					return nil, auth, retErr
+				}
+			}
+
 			if req.IsSnapshotReadOrList() {
 				return logical.ErrorResponse("cannot register lease for snapshot read or list"), nil, ErrInternalError
 			}
@@ -1415,7 +1581,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 				return nil, auth, retErr
 			}
 
-			leaseID, err := registerFunc(ctx, req, resp, "")
+			leaseID, err := registerFunc(ctx, registerReq, resp, "")
 			if err != nil {
 				c.logger.Error("failed to register lease", "request_path", req.Path, "error", err)
 				retErr = multierror.Append(retErr, ErrInternalError)
@@ -2545,6 +2711,49 @@ func (c *Core) buildMfaEnforcementResponse(eConfig *mfa.MFAEnforcementConfig, en
 	return mfaAny, nil
 }
 
+func (c *Core) registerAuthLeaseForToken(ctx context.Context, te *logical.TokenEntry, auth *logical.Auth, role string) error {
+	// Populate the client token, accessor, and TTL
+	auth.ClientToken = te.ID
+	auth.Accessor = te.Accessor
+	auth.TTL = te.TTL
+	auth.Orphan = te.Parent == ""
+
+	switch auth.TokenType {
+	case logical.TokenTypeBatch:
+		// Ensure it's not marked renewable since it isn't
+		auth.Renewable = false
+	case logical.TokenTypeService, logical.TokenTypeEnt:
+		if auth.TokenType == logical.TokenTypeEnt {
+			// Ensure it's not marked renewable since enterprise tokens are not renewable
+			auth.Renewable = false
+		}
+		// Register with the expiration manager
+		if err := c.expiration.RegisterAuth(ctx, te, auth, role); err != nil {
+			return err
+		}
+		if te.ExternalID != "" {
+			auth.ClientToken = te.ExternalID
+		}
+		// Successful login, remove any entry from userFailedLoginInfo map
+		// if it exists. This is done for service tokens only.
+		if auth.TokenType == logical.TokenTypeService && auth.Alias != nil {
+			loginUserInfoKey := FailedLoginUser{
+				aliasName:     auth.Alias.Name,
+				mountAccessor: auth.Alias.MountAccessor,
+			}
+
+			// We don't need to try to delete the lockedUsers storage entry, since we're
+			// processing a login request. If a login attempt is allowed, it means the user is
+			// unlocked and we only add storage entry when the user gets locked.
+			if err := updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, nil, true); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 // RegisterAuth uses a logical.Auth object to create a token entry in the token
 // store, and registers a corresponding token lease to the expiration manager.
 // role is the login role used as part of the creation of the token entry. If not
@@ -2586,46 +2795,12 @@ func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path st
 		c.logger.Error("failed to create token", "error", err)
 		return possiblyWrapOverloadedError("failed to create token", err)
 	}
-
-	// Populate the client token, accessor, and TTL
-	auth.ClientToken = te.ID
-	auth.Accessor = te.Accessor
-	auth.TTL = te.TTL
-	auth.Orphan = te.Parent == ""
-
-	switch auth.TokenType {
-	case logical.TokenTypeBatch:
-		// Ensure it's not marked renewable since it isn't
-		auth.Renewable = false
-	case logical.TokenTypeService:
-		// Register with the expiration manager
-		if err := c.expiration.RegisterAuth(ctx, &te, auth, role); err != nil {
-			if err := c.tokenStore.revokeOrphan(ctx, te.ID); err != nil {
-				c.logger.Warn("failed to clean up token lease during login request", "request_path", path, "error", err)
-			}
-			c.logger.Error("failed to register token lease during login request", "request_path", path, "error", err)
-			return possiblyWrapOverloadedError("failed to register token lease during login request", err)
-		}
-		if te.ExternalID != "" {
-			auth.ClientToken = te.ExternalID
-		}
-		// Successful login, remove any entry from userFailedLoginInfo map
-		// if it exists. This is done for service tokens (for oss) here.
-		// For ent it is taken care by registerAuth RPC calls.
-		if auth.Alias != nil {
-			loginUserInfoKey := FailedLoginUser{
-				aliasName:     auth.Alias.Name,
-				mountAccessor: auth.Alias.MountAccessor,
-			}
-
-			// We don't need to try to delete the lockedUsers storage entry, since we're
-			// processing a login request. If a login attempt is allowed, it means the user is
-			// unlocked and we only add storage entry when the user gets locked.
-			err = updateUserFailedLoginInfo(ctx, c, loginUserInfoKey, nil, true)
-			if err != nil {
-				return err
-			}
+	if err := c.registerAuthLeaseForToken(ctx, &te, auth, role); err != nil {
+		if revokeErr := c.tokenStore.revokeOrphan(ctx, te.ID); revokeErr != nil {
+			c.logger.Warn("failed to clean up token lease during login request", "request_path", path, "error", revokeErr)
 		}
+		c.logger.Error("failed to register token lease during login request", "request_path", path, "error", err)
+		return possiblyWrapOverloadedError("failed to register token lease during login request", err)
 	}
 	return nil
 }
@@ -2693,7 +2868,7 @@ func (c *Core) LocalUpdateUserFailedLoginInfo(ctx context.Context, userKey Faile
 
 // PopulateTokenEntry looks up req.ClientToken in the token store and uses
 // it to set other fields in req.  Does nothing if ClientToken is empty
-// or a JWT token, or for service tokens that don't exist in the token store.
+// or an Enterprise token, or for service tokens that don't exist in the token store.
 // Should be called with read stateLock held.
 func (c *Core) PopulateTokenEntry(ctx context.Context, req *logical.Request) error {
 	if req.ClientToken == "" {
@@ -2704,7 +2879,7 @@ func (c *Core) PopulateTokenEntry(ctx context.Context, req *logical.Request) err
 	// doesn't exist because the request may be to an unauthenticated
 	// endpoint/login endpoint where a bad current token doesn't matter, or
 	// a token from a Vault version pre-accessors. We ignore errors for
-	// JWTs.
+	// Enterprise tokens.
 	token := req.ClientToken
 	var err error
 	req.InboundSSCToken = token
@@ -2754,8 +2929,6 @@ func (c *Core) PopulateTokenEntry(ctx context.Context, req *logical.Request) err
 		if errors.Is(err, logical.ErrPerfStandbyPleaseForward) || errors.Is(err, logical.ErrMissingRequiredState) {
 			return err
 		}
-		// If we have two dots but the second char is a dot it's a vault
-		// token of the form s.SOMETHING.nsid, not a JWT
 		if !IsJWT(token) {
 			return fmt.Errorf("error performing token check: %w", err)
 		}
@@ -2907,3 +3080,69 @@ func (c *Core) checkSSCTokenInternal(ctx context.Context, token string, isPerfSt
 	// status code.
 	return "", logical.ErrMissingRequiredState
 }
+
+// allPoliciesAllowOnly is a helper function that checks if all policies in
+// a given set have only "allow" capabilities, and not "deny" or "sudo".
+//
+// Example of allow-only policy:
+//
+//	path "secret/data/team/public/*" {
+//	  capabilities = ["read"]
+//	}
+//
+// Example of a policy that is not allow-only:
+//
+//	path "secret/data/team/*" {
+//	  capabilities = ["read"]
+//	}
+//
+//	path "secret/data/team/private/*" {
+//	  capabilities = ["deny"]
+//	}
+func (c *Core) allPoliciesAllowOnly(ctx context.Context, policyNamesByNamespace map[string][]string) (bool, error) {
+	for nsID, policyNames := range policyNamesByNamespace {
+		policyNS, err := NamespaceByID(ctx, nsID, c)
+		if err != nil {
+			return false, err
+		}
+		if policyNS == nil {
+			return false, namespace.ErrNoNamespace
+		}
+
+		policyCtx := namespace.ContextWithNamespace(ctx, policyNS)
+		for _, policyName := range policyNames {
+			policy, err := c.policyStore.GetPolicy(policyCtx, policyName, PolicyTypeACL)
+			if err != nil {
+				return false, err
+			}
+			if policy == nil {
+				return false, fmt.Errorf("policy %q not found in namespace %q", policyName, policyNS.Path)
+			}
+			if !policyIsAllowOnly(policy) {
+				return false, nil
+			}
+		}
+	}
+
+	return true, nil
+}
+
+// policyIsAllowOnly is a helper function that checks if a policy has only "allow" capabilities, and not "deny" or "sudo".
+func policyIsAllowOnly(policy *Policy) bool {
+	if policy == nil || policy.Name == "root" {
+		return false
+	}
+
+	for _, pathRules := range policy.Paths {
+		if pathRules == nil || pathRules.Permissions == nil {
+			continue
+		}
+
+		capabilities := pathRules.Permissions.CapabilitiesBitmap
+		if capabilities&DenyCapabilityInt != 0 || capabilities&SudoCapabilityInt != 0 {
+			return false
+		}
+	}
+
+	return true
+}
diff --git a/vault/request_handling_ce.go b/vault/request_handling_ce.go
new file mode 100644
index 0000000000..487740fa98
--- /dev/null
+++ b/vault/request_handling_ce.go
@@ -0,0 +1,60 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import (
+	"context"
+	"errors"
+
+	"github.com/hashicorp/vault/helper/identity"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+type OAuthResourceServerConfigProfile struct{}
+
+func (c *Core) validateEnterpriseTokenAndFetchEntity(ctx context.Context, tokenString string) (bool, map[string]interface{}, *identity.Entity, *identity.Entity, *OAuthResourceServerConfigProfile, error) {
+	return false, nil, nil, nil, nil, errors.New("not implemented")
+}
+
+func (c *Core) createAndStoreEnterpriseTokenEntry(ctx context.Context, req *logical.Request, allClaims map[string]interface{}, entity *identity.Entity, actorEntity *identity.Entity, chosenProfile *OAuthResourceServerConfigProfile) error {
+	return nil
+}
+
+func isActivationFlagEnabledForEnterpriseToken(c *Core) bool {
+	return false
+}
+
+func getEnterpriseTokenMetadata(_ map[string]interface{}) string {
+	return ""
+}
+
+func getEnterpriseTokenIssuer(_ map[string]interface{}) string {
+	return ""
+}
+
+func getEnterpriseTokenTransaction(_ map[string]interface{}) string {
+	return ""
+}
+
+func getEnterpriseTokenAudience(_ map[string]interface{}) []string {
+	return nil
+}
+
+func getEnterpriseTokenAuthorizationDetails(_ map[string]interface{}) []logical.AuthorizationDetail {
+	return nil
+}
+
+func (c *Core) materializeEnterpriseTokenForUsage(_ context.Context, req *logical.Request, _ *logical.Auth, _ bool) (*logical.Request, error) {
+	return req, nil
+}
+
+func (c *Core) performSecondaryEntityTokenChecks(_ context.Context, _ *ACL, _ *identity.Entity, _ map[string][]string) (*ACL, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (c *Core) fetchCeilingPolicies(ctx context.Context, entity *identity.Entity) (map[string][]string, error) {
+	return nil, errors.New("not implemented")
+}
diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go
index 1bff029633..fe74be094e 100644
--- a/vault/request_handling_test.go
+++ b/vault/request_handling_test.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/armon/go-metrics"
 	"github.com/go-test/deep"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/builtin/credential/approle"
 	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
@@ -22,6 +23,87 @@ import (
 	"google.golang.org/grpc/status"
 )
 
+// TestRequiresMaterializedTokenState verifies token materialization path
+// requirements for enterprise token requests.
+func TestRequiresMaterializedTokenState(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name string
+		path string
+		want bool
+	}{
+		{name: "token lookup self", path: "auth/token/lookup-self", want: true},
+		{name: "token lookup", path: "auth/token/lookup", want: true},
+		{name: "leases lookup", path: "sys/leases/lookup", want: true},
+		{name: "leases lookup prefix", path: "sys/leases/lookup/secret/foo", want: true},
+		{name: "leases count", path: "sys/leases/count", want: true},
+		{name: "leases list", path: "sys/leases", want: true},
+		{name: "cubbyhole", path: "cubbyhole/test", want: true},
+		{name: "token renew self excluded", path: "auth/token/renew-self", want: false},
+		{name: "leases renew excluded", path: "sys/leases/renew", want: false},
+		{name: "unrelated", path: "secret/data/foo", want: false},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tc.want, requiresMaterializedTokenState(tc.path))
+		})
+	}
+}
+
+// TestRestoreForwardingTokenHeaders_UsesInboundToken verifies Authorization
+// forwarding prefers the original inbound token when present.
+func TestRestoreForwardingTokenHeaders_UsesInboundToken(t *testing.T) {
+	t.Parallel()
+
+	req := &logical.Request{
+		ClientToken:       "jwt.internal-id",
+		InboundSSCToken:   "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.payload.sig",
+		ClientTokenSource: logical.ClientTokenFromAuthzHeader,
+		Headers: map[string][]string{
+			"Authorization": {"Basic abc123"},
+		},
+	}
+
+	restoreForwardingTokenHeaders(req)
+
+	require.Equal(t, []string{"Basic abc123", "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.payload.sig"}, req.Headers["Authorization"])
+}
+
+// TestRestoreForwardingTokenHeaders_FallsBackToClientToken verifies fallback to
+// req.ClientToken when no inbound token is present.
+func TestRestoreForwardingTokenHeaders_FallsBackToClientToken(t *testing.T) {
+	t.Parallel()
+
+	req := &logical.Request{
+		ClientToken:       "jwt.jti-value",
+		ClientTokenSource: logical.ClientTokenFromVaultHeader,
+	}
+
+	restoreForwardingTokenHeaders(req)
+
+	require.Equal(t, []string{"jwt.jti-value"}, req.Headers["X-Vault-Token"])
+}
+
+// TestRestoreForwardingTokenHeaders_UsesInboundTokenForVaultHeader verifies
+// X-Vault-Token forwarding prefers the original inbound token.
+func TestRestoreForwardingTokenHeaders_UsesInboundTokenForVaultHeader(t *testing.T) {
+	t.Parallel()
+
+	req := &logical.Request{
+		ClientToken:       "jwt.jti-value",
+		InboundSSCToken:   "jwt.raw.value",
+		ClientTokenSource: logical.ClientTokenFromVaultHeader,
+	}
+
+	restoreForwardingTokenHeaders(req)
+
+	require.Equal(t, []string{"jwt.raw.value"}, req.Headers["X-Vault-Token"])
+}
+
 func TestRequestHandling_Wrapping(t *testing.T) {
 	core, _, root := TestCoreUnsealed(t)
 
@@ -628,3 +710,333 @@ func TestRequestHandling_TokenRenewal(t *testing.T) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 }
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_NilRequest tests that
+// fetchACLTokenEntryAndEntity returns an error when called with a nil request
+func TestRequestHandling_fetchACLTokenEntryAndEntity_NilRequest(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	// Call with nil request - should return ErrInternalError
+	_, _, _, _, err := core.fetchACLTokenEntryAndEntity(ctx, nil)
+
+	require.Error(t, err)
+	require.Equal(t, ErrInternalError, err)
+}
+
+// Test_allPoliciesAllowOnly tests a helper function that checks if all policies in
+// a given set have only "allow" capabilities, and not "deny" or "sudo"
+func Test_allPoliciesAllowOnly(t *testing.T) {
+	t.Parallel()
+
+	c, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	allowPolicy, err := ParseACLPolicy(namespace.RootNamespace, `
+path "secret/data/*" {
+	capabilities = ["read", "list"]
+}
+`)
+	require.NoError(t, err)
+	allowPolicy.Name = "allow-only"
+	require.NoError(t, c.policyStore.SetPolicy(ctx, allowPolicy))
+
+	denyPolicy, err := ParseACLPolicy(namespace.RootNamespace, `
+path "secret/data/*" {
+	capabilities = ["deny"]
+}
+`)
+	require.NoError(t, err)
+	denyPolicy.Name = "deny-policy"
+	require.NoError(t, c.policyStore.SetPolicy(ctx, denyPolicy))
+
+	sudoPolicy, err := ParseACLPolicy(namespace.RootNamespace, `
+path "secret/data/*" {
+	capabilities = ["read", "sudo"]
+}
+`)
+	require.NoError(t, err)
+	sudoPolicy.Name = "sudo-policy"
+	require.NoError(t, c.policyStore.SetPolicy(ctx, sudoPolicy))
+
+	tests := map[string]struct {
+		policyNamesByNamespace map[string][]string
+		expected               bool
+		wantErr                string
+	}{
+		"all allow only": {
+			policyNamesByNamespace: map[string][]string{
+				namespace.RootNamespaceID: {"allow-only"},
+			},
+			expected: true,
+		},
+		"deny policy": {
+			policyNamesByNamespace: map[string][]string{
+				namespace.RootNamespaceID: {"deny-policy"},
+			},
+			expected: false,
+		},
+		"sudo policy": {
+			policyNamesByNamespace: map[string][]string{
+				namespace.RootNamespaceID: {"sudo-policy"},
+			},
+			expected: false,
+		},
+		"root policy": {
+			policyNamesByNamespace: map[string][]string{
+				namespace.RootNamespaceID: {"root"},
+			},
+			expected: false,
+		},
+		"missing policy": {
+			policyNamesByNamespace: map[string][]string{
+				namespace.RootNamespaceID: {"missing-policy"},
+			},
+			expected: false,
+			wantErr:  "policy \"missing-policy\" not found",
+		},
+		"missing namespace": {
+			policyNamesByNamespace: map[string][]string{
+				"missing-namespace": {"allow-only"},
+			},
+			expected: false,
+			wantErr:  namespace.ErrNoNamespace.Error(),
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			actual, err := c.allPoliciesAllowOnly(ctx, tc.policyNamesByNamespace)
+			if tc.wantErr != "" {
+				require.ErrorContains(t, err, tc.wantErr)
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tc.expected, actual)
+		})
+	}
+}
+
+// TestAuth_AuthorizationDetails_CopiedFromRequest verifies that logical.Auth.AuthorizationDetails
+// matches the authorization details already carried on the request.
+func TestAuth_AuthorizationDetails_CopiedFromRequest(t *testing.T) {
+	t.Parallel()
+
+	details := []logical.AuthorizationDetail{
+		{"type": "account_information", "scope": "read"},
+		{"type": "payment_initiation", "amount": "100"},
+	}
+
+	auth := &logical.Auth{}
+	req := &logical.Request{
+		EnterpriseTokenAuthorizationDetails: details,
+	}
+
+	// Simulate the assignment performed in CheckToken.
+	auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
+
+	require.Equal(t, details, auth.AuthorizationDetails, "auth.AuthorizationDetails must equal req.EnterpriseTokenAuthorizationDetails")
+}
+
+// TestAuth_AuthorizationDetails_NilWhenAbsent verifies that auth.AuthorizationDetails is nil
+// when the request does not carry authorization details.
+func TestAuth_AuthorizationDetails_NilWhenAbsent(t *testing.T) {
+	t.Parallel()
+
+	auth := &logical.Auth{}
+	req := &logical.Request{}
+
+	auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
+
+	require.Nil(t, auth.AuthorizationDetails)
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_EmptyToken verifies that a
+// request with an empty ClientToken is rejected with ErrPermissionDenied.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_EmptyToken(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	req := &logical.Request{ClientToken: ""}
+	_, _, _, _, err := core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.Error(t, err)
+	require.Equal(t, logical.ErrPermissionDenied, err)
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_UnknownToken verifies that a
+// non-existent token returns ErrPermissionDenied combined with ErrInvalidToken.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_UnknownToken(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	req := &logical.Request{ClientToken: "hvs.nonexistent-token-id"}
+	_, _, _, _, err := core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.Error(t, err)
+	require.ErrorIs(t, err, logical.ErrPermissionDenied)
+	require.ErrorIs(t, err, logical.ErrInvalidToken)
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_ValidRootToken verifies the
+// happy path: a valid root token returns an ACL, the token entry, and no error.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_ValidRootToken(t *testing.T) {
+	core, _, root := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	req := &logical.Request{ClientToken: root}
+	acl, te, _, _, err := core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.NoError(t, err)
+	require.NotNil(t, acl)
+	require.NotNil(t, te)
+	require.Equal(t, root, te.ID)
+	require.Contains(t, te.Policies, "root")
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_CachedTokenEntry verifies
+// that when a token entry is already cached on the request, the function uses
+// the cached entry instead of performing a lookup.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_CachedTokenEntry(t *testing.T) {
+	core, _, root := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	// Look up the root token to get a valid entry
+	te, err := core.tokenStore.Lookup(ctx, root)
+	require.NoError(t, err)
+	require.NotNil(t, te)
+
+	// Pre-cache the entry on the request
+	req := &logical.Request{ClientToken: root}
+	req.SetTokenEntry(te)
+
+	acl, returnedTE, _, _, err := core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.NoError(t, err)
+	require.NotNil(t, acl)
+	// The returned token entry should be the same object we cached
+	require.Same(t, te, returnedTE)
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_BoundCIDR_NoConnection
+// verifies that a token with BoundCIDRs is rejected when the request has no
+// connection information. The token entry is pre-cached on the request to
+// isolate the CIDR check logic from token storage concerns.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_BoundCIDR_NoConnection(t *testing.T) {
+	core, _, root := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	boundCIDRs, err := parseutil.ParseAddrs([]string{"10.0.0.0/8"})
+	require.NoError(t, err)
+
+	// Look up the root token to get a valid base entry, then add BoundCIDRs
+	te, err := core.tokenStore.Lookup(ctx, root)
+	require.NoError(t, err)
+	te.TTL = time.Hour
+	te.BoundCIDRs = boundCIDRs
+
+	req := &logical.Request{
+		ClientToken: root,
+		// No Connection field set
+	}
+	req.SetTokenEntry(te)
+
+	_, _, _, _, err = core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.Error(t, err)
+	require.ErrorIs(t, err, logical.ErrPermissionDenied)
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_BoundCIDR_OutOfRange
+// verifies that a token with BoundCIDRs is rejected when the request comes
+// from an IP outside the allowed range. The token entry is pre-cached on the
+// request to isolate the CIDR check logic from token storage concerns.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_BoundCIDR_OutOfRange(t *testing.T) {
+	core, _, root := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	boundCIDRs, err := parseutil.ParseAddrs([]string{"10.0.0.0/8"})
+	require.NoError(t, err)
+
+	te, err := core.tokenStore.Lookup(ctx, root)
+	require.NoError(t, err)
+	te.TTL = time.Hour
+	te.BoundCIDRs = boundCIDRs
+
+	req := &logical.Request{
+		ClientToken: root,
+		Connection:  &logical.Connection{RemoteAddr: "192.168.1.1"},
+	}
+	req.SetTokenEntry(te)
+
+	_, _, _, _, err = core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.Error(t, err)
+	require.ErrorIs(t, err, logical.ErrPermissionDenied)
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_BoundCIDR_InRange verifies
+// that a token with BoundCIDRs succeeds when the request comes from an IP
+// within the allowed CIDR range. The token entry is pre-cached on the request
+// to isolate the CIDR check logic from token storage concerns.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_BoundCIDR_InRange(t *testing.T) {
+	core, _, root := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	boundCIDRs, err := parseutil.ParseAddrs([]string{"10.0.0.0/8"})
+	require.NoError(t, err)
+
+	te, err := core.tokenStore.Lookup(ctx, root)
+	require.NoError(t, err)
+	te.TTL = time.Hour
+	te.BoundCIDRs = boundCIDRs
+
+	req := &logical.Request{
+		ClientToken: root,
+		Connection:  &logical.Connection{RemoteAddr: "10.1.2.3"},
+	}
+	req.SetTokenEntry(te)
+
+	acl, returnedTE, _, _, err := core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.NoError(t, err)
+	require.NotNil(t, acl)
+	require.NotNil(t, returnedTE)
+	require.Equal(t, root, returnedTE.ID)
+}
+
+// TestRequestHandling_fetchACLTokenEntryAndEntity_NonExpiring_RootIgnoresCIDR
+// verifies that a non-expiring root token (TTL == 0) bypasses CIDR checks even
+// if BoundCIDRs is set, since the CIDR check is gated on TTL != 0.
+func TestRequestHandling_fetchACLTokenEntryAndEntity_NonExpiring_RootIgnoresCIDR(t *testing.T) {
+	core, _, root := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	// Root token has TTL == 0, so CIDR checks should not apply
+	req := &logical.Request{
+		ClientToken: root,
+		// No Connection, which would fail if CIDR checks ran
+	}
+	acl, te, _, _, err := core.fetchACLTokenEntryAndEntity(ctx, req)
+
+	require.NoError(t, err)
+	require.NotNil(t, acl)
+	require.NotNil(t, te)
+	require.Equal(t, time.Duration(0), te.TTL)
+}
+
+// TestRequestHandling_handleCancelableTestNumericToken tests that if a token
+// that is passed in, is somehow a number rather than a string (not currently
+// possible), then the handling will error, not panic.
+func TestRequestHandling_handleCancelableTestNumericToken(t *testing.T) {
+	core, _, _ := TestCoreUnsealed(t)
+	ctx := namespace.RootContext(context.Background())
+
+	data := map[string]interface{}{"token": 5}
+	req := &logical.Request{Data: data, Path: "auth/token/lookup"}
+
+	resp, err := core.handleCancelableRequest(ctx, req)
+	require.True(t, resp != nil && err != nil)
+	require.ErrorContains(t, err, logical.ErrPermissionDenied.Error())
+	require.ErrorContains(t, resp.Error(), "invalid token")
+}
diff --git a/vault/router.go b/vault/router.go
index d017cdbd8a..f53b34419c 100644
--- a/vault/router.go
+++ b/vault/router.go
@@ -208,26 +208,30 @@ func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *Mount
 		storageView:   storageView,
 	}
 	re.tainted.Store(mountEntry.Tainted)
-	re.rootPaths.Store(pathsToRadix(paths.Root))
-	loginPathsEntry, err := parseUnauthenticatedPaths(paths.Unauthenticated)
+	rootPathsEntry, err := parseSpecialPaths(paths.Root)
+	if err != nil {
+		return err
+	}
+	re.rootPaths.Store(rootPathsEntry)
+	loginPathsEntry, err := parseSpecialPaths(paths.Unauthenticated)
 	if err != nil {
 		return err
 	}
 	re.loginPaths.Store(loginPathsEntry)
 
-	binaryPathsEntry, err := parseUnauthenticatedPaths(paths.Binary)
+	binaryPathsEntry, err := parseSpecialPaths(paths.Binary)
 	if err != nil {
 		return err
 	}
 	re.binaryPaths.Store(binaryPathsEntry)
 
-	limitedPathsEntry, err := parseUnauthenticatedPaths(paths.Limited)
+	limitedPathsEntry, err := parseSpecialPaths(paths.Limited)
 	if err != nil {
 		return err
 	}
 	re.limitedPaths.Store(limitedPathsEntry)
 
-	allowSnapshotReadPathsEntry, err := parseUnauthenticatedPaths(paths.AllowSnapshotRead)
+	allowSnapshotReadPathsEntry, err := parseSpecialPaths(paths.AllowSnapshotRead)
 	if err != nil {
 		return err
 	}
@@ -677,8 +681,8 @@ func (r *Router) routeCommon(ctx context.Context, req *logical.Request, existenc
 			return nil, false, false, fmt.Errorf("nil token entry")
 		}
 
-		if te.Type != logical.TokenTypeService {
-			return logical.ErrorResponse(`cubbyhole operations are only supported by "service" type tokens`), false, false, nil
+		if te.Type != logical.TokenTypeService && te.Type != logical.TokenTypeEnt {
+			return logical.ErrorResponse(`cubbyhole operations are only supported by "service" or enterprise type tokens`), false, false, nil
 		}
 
 		switch {
@@ -886,20 +890,35 @@ func (r *Router) RootPath(ctx context.Context, path string) bool {
 	remain := strings.TrimPrefix(adjustedPath, mount)
 
 	// Check the rootPaths of this backend
-	rootPaths := re.rootPaths.Load().(*radix.Tree)
-	match, raw, ok := rootPaths.LongestPrefix(remain)
-	if !ok {
+	rootPaths := re.rootPaths.Load().(*specialPathsEntry)
+	match, raw, ok := rootPaths.paths.LongestPrefix(remain)
+	if !ok && len(rootPaths.wildcardPaths) == 0 {
 		return false
 	}
-	prefixMatch := raw.(bool)
 
-	// Handle the prefix match case
-	if prefixMatch {
-		return strings.HasPrefix(remain, match)
+	if ok {
+		prefixMatch := raw.(bool)
+
+		// Handle the prefix match case
+		if prefixMatch {
+			return strings.HasPrefix(remain, match)
+		}
+
+		// Handle the exact match case
+		if match == remain {
+			return true
+		}
 	}
 
-	// Handle the exact match case
-	return match == remain
+	// Check root paths containing wildcards
+	reqPathParts := strings.Split(remain, "/")
+	for _, w := range rootPaths.wildcardPaths {
+		if pathMatchesWildcardPath(reqPathParts, w.segments, w.isPrefix) {
+			return true
+		}
+	}
+
+	return false
 }
 
 // LoginPath checks if the given path is used for logins
@@ -1024,7 +1043,7 @@ func wildcardError(path, msg string) error {
 	return fmt.Errorf("path %q: invalid use of wildcards %s", path, msg)
 }
 
-func isValidUnauthenticatedPath(path string) (bool, error) {
+func isValidSpecialPath(path string) (bool, error) {
 	switch {
 	case strings.Count(path, "*") > 1:
 		return false, wildcardError(path, "(multiple '*' is forbidden)")
@@ -1038,13 +1057,13 @@ func isValidUnauthenticatedPath(path string) (bool, error) {
 	return true, nil
 }
 
-// parseUnauthenticatedPaths converts a list of special paths to a
+// parseSpecialPaths converts a list of special paths to a
 // specialPathsEntry
-func parseUnauthenticatedPaths(paths []string) (*specialPathsEntry, error) {
+func parseSpecialPaths(paths []string) (*specialPathsEntry, error) {
 	var tempPaths []string
 	tempWildcardPaths := make([]wildcardPath, 0)
 	for _, path := range paths {
-		if ok, err := isValidUnauthenticatedPath(path); !ok {
+		if ok, err := isValidSpecialPath(path); !ok {
 			return nil, err
 		}
 
diff --git a/vault/router_test.go b/vault/router_test.go
index 1eba959b70..25e0af008e 100644
--- a/vault/router_test.go
+++ b/vault/router_test.go
@@ -313,6 +313,7 @@ func TestRouter_RootPath(t *testing.T) {
 		Root: []string{
 			"root",
 			"policy/*",
+			"mounts/auth/+/tune",
 		},
 	}
 	err = r.Mount(n, "prod/aws/", &MountEntry{UUID: meUUID, Accessor: "awsaccessor", NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
@@ -332,6 +333,9 @@ func TestRouter_RootPath(t *testing.T) {
 		{"prod/aws/policy", false},
 		{"prod/aws/policy/", true},
 		{"prod/aws/policy/ops", true},
+		{"prod/aws/mounts/auth/userpass/tune", true},
+		{"prod/aws/mounts/auth/userpass", false},
+		{"prod/aws/mounts/auth/userpass/roles", false},
 	}
 
 	for _, tc := range tcases {
@@ -571,7 +575,7 @@ func TestParseUnauthenticatedPaths(t *testing.T) {
 	}
 	allPaths := append(paths, wildcardPaths...)
 
-	p, err := parseUnauthenticatedPaths(allPaths)
+	p, err := parseSpecialPaths(allPaths)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -629,7 +633,7 @@ func TestParseUnauthenticatedPaths_Error(t *testing.T) {
 	}
 
 	for _, tc := range tcases {
-		_, err := parseUnauthenticatedPaths(tc.paths)
+		_, err := parseSpecialPaths(tc.paths)
 		if err == nil || err != nil && !strings.Contains(err.Error(), tc.err) {
 			t.Fatalf("bad: path: %s expect: %v got %v", tc.paths, tc.err, err)
 		}
diff --git a/vault/seal/seal.go b/vault/seal/seal.go
index 755a88efb6..17526958ed 100644
--- a/vault/seal/seal.go
+++ b/vault/seal/seal.go
@@ -8,16 +8,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
 	"reflect"
 	"sort"
-	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 
 	metrics "github.com/armon/go-metrics"
-	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/go-hclog"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-kms-wrapping/v2/aead"
@@ -62,174 +59,6 @@ type SealGenerationInfo struct {
 	Enabled    bool
 }
 
-// Validate is used to sanity check the seal generation info being created
-func (sgi *SealGenerationInfo) Validate(existingSgi *SealGenerationInfo, hasPartiallyWrappedPaths bool) error {
-	existingSealsLen := 0
-	numConfiguredSeals := len(sgi.Seals)
-	configuredSealNameAndType := sealNameAndTypeAsStr(sgi.Seals)
-
-	// If no previous generation info exists, make sure we perform the initial migration/setup
-	// check for enabled configured seals to allow an old style seal migration configuration
-	if existingSgi == nil {
-		if numConfiguredSeals > 1 {
-			return fmt.Errorf("Initializing a cluster or enabling multi-seal on an existing "+
-				"cluster must occur with a single seal before adding additional seals\n"+
-				"Configured seals: %v", configuredSealNameAndType)
-		}
-
-		// No point in comparing anything more as we don't have any information around the
-		// existing seal if any actually existed
-		return nil
-	}
-
-	// Validate that we're in a safe spot with respect to disabling multiseal
-	if existingSgi.Enabled && !sgi.Enabled {
-		if len(existingSgi.Seals) > 1 {
-			return fmt.Errorf("multi-seal is disabled but previous configuration had multiple seals.  re-enable and migrate to a single seal before disabling multi-seal")
-		} else if !existingSgi.IsRewrapped() {
-			return fmt.Errorf("multi-seal is disabled but previous storage was not fully re-wrapped, re-enable multi-seal and allow rewrapping to complete before disabling multi-seal")
-		}
-	}
-
-	existingSealNameAndType := sealNameAndTypeAsStr(existingSgi.Seals)
-	previousShamirConfigured := false
-
-	if sgi.Generation == existingSgi.Generation {
-		if !haveMatchingSeals(sgi.Seals, existingSgi.Seals) {
-			return fmt.Errorf("existing seal generation is the same, but the configured seals are different\n"+
-				"Existing seals: %v\n"+
-				"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
-		}
-		return nil
-	}
-
-	existingSealsLen = len(existingSgi.Seals)
-	for _, sealKmsConfig := range existingSgi.Seals {
-		if sealKmsConfig.Type == wrapping.WrapperTypeShamir.String() {
-			previousShamirConfigured = true
-			break
-		}
-	}
-
-	if !previousShamirConfigured && (!existingSgi.IsRewrapped() || hasPartiallyWrappedPaths) && os.Getenv("VAULT_SEAL_REWRAP_SAFETY") != "disable" {
-		return errors.New("cannot make seal config changes while seal re-wrap is in progress, please revert any seal configuration changes")
-	}
-
-	numSealsToAdd := 0
-	// With a previously configured shamir seal, we are either going from [shamir]->[auto]
-	// or [shamir]->[another shamir] (since we do not allow multiple shamir
-	// seals, and, mixed shamir and auto seals). Also, we do not allow shamir seals to
-	// be set disabled, so, the number of seals to add is always going to be the length
-	// of new seal configs.
-	if previousShamirConfigured {
-		numSealsToAdd = numConfiguredSeals
-	} else {
-		numSealsToAdd = numConfiguredSeals - existingSealsLen
-	}
-
-	numSealsToDelete := existingSealsLen - numConfiguredSeals
-	switch {
-	case numSealsToAdd > 1:
-		return fmt.Errorf("cannot add more than one seal\n"+
-			"Existing seals: %v\n"+
-			"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
-
-	case numSealsToDelete > 1:
-		return fmt.Errorf("cannot delete more than one seal\n"+
-			"Existing seals: %v\n"+
-			"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
-
-	case !previousShamirConfigured && existingSgi != nil && !haveCommonSeal(existingSgi.Seals, sgi.Seals):
-		// With a previously configured shamir seal, we are either going from [shamir]->[auto] or [shamir]->[another shamir],
-		// in which case we cannot have a common seal because shamir seals cannot be set to disabled, they can only be deleted.
-		return fmt.Errorf("must have at least one seal in common with the old generation\n"+
-			"Existing seals: %v\n"+
-			"Configured seals: %v", existingSealNameAndType, configuredSealNameAndType)
-	}
-	return nil
-}
-
-func sealNameAndTypeAsStr(seals []*configutil.KMS) string {
-	info := []string{}
-	for _, seal := range seals {
-		info = append(info, fmt.Sprintf("Name: %s Type: %s", seal.Name, seal.Type))
-	}
-	return fmt.Sprintf("[%s]", strings.Join(info, ", "))
-}
-
-// haveMatchingSeals verifies that we have the corresponding matching seals by name and type, config and other
-// properties are ignored in the comparison
-func haveMatchingSeals(existingSealKmsConfigs, newSealKmsConfigs []*configutil.KMS) bool {
-	if len(existingSealKmsConfigs) != len(newSealKmsConfigs) {
-		return false
-	}
-
-	for _, existingSealKmsConfig := range existingSealKmsConfigs {
-		found := false
-		for _, newSealKmsConfig := range newSealKmsConfigs {
-			if cmp.Equal(existingSealKmsConfig, newSealKmsConfig, compareKMSConfigByNameAndType()) {
-				found = true
-				break
-			}
-		}
-
-		if !found {
-			return false
-		}
-	}
-	return true
-}
-
-// haveCommonSeal verifies that we have at least one matching seal across
-// the inputs by name and type, config and other properties are ignored in
-// the comparison
-func haveCommonSeal(existingSealKmsConfigs, newSealKmsConfigs []*configutil.KMS) bool {
-	for _, existingSealKmsConfig := range existingSealKmsConfigs {
-		for _, newSealKmsConfig := range newSealKmsConfigs {
-			// Technically we might be matching the "wrong" seal if the old seal was renamed to
-			// "transit-disabled" and we have a new seal named transit. There isn't any way for
-			// us to properly distinguish between them
-			if cmp.Equal(existingSealKmsConfig, newSealKmsConfig, compareKMSConfigByNameAndType()) {
-				return true
-			}
-		}
-	}
-
-	// We might have renamed a disabled seal that was previously used so attempt to match by
-	// removing the "-disabled" suffix
-	for _, seal := range findRenamedDisabledSeals(newSealKmsConfigs) {
-		clonedSeal := seal.Clone()
-		clonedSeal.Name = strings.TrimSuffix(clonedSeal.Name, configutil.KmsRenameDisabledSuffix)
-
-		for _, existingSealKmsConfig := range existingSealKmsConfigs {
-			if cmp.Equal(existingSealKmsConfig, clonedSeal, compareKMSConfigByNameAndType()) {
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
-func findRenamedDisabledSeals(configs []*configutil.KMS) []*configutil.KMS {
-	disabledSeals := []*configutil.KMS{}
-	for _, seal := range configs {
-		if seal.Disabled && strings.HasSuffix(seal.Name, configutil.KmsRenameDisabledSuffix) {
-			disabledSeals = append(disabledSeals, seal)
-		}
-	}
-	return disabledSeals
-}
-
-func compareKMSConfigByNameAndType() cmp.Option {
-	// We only match based on name and type to avoid configuration changes such
-	// as a Vault token change in the config map from eliminating the match and
-	// preventing startup on a matching seal.
-	return cmp.Comparer(func(a, b *configutil.KMS) bool {
-		return a.Name == b.Name && a.Type == b.Type
-	})
-}
-
 // SetRewrapped updates the SealGenerationInfo's rewrapped status to the provided value.
 func (sgi *SealGenerationInfo) SetRewrapped(value bool) {
 	sgi.rewrapped.Store(value)
diff --git a/vault/seal/seal_generation_validation_ce.go b/vault/seal/seal_generation_validation_ce.go
new file mode 100644
index 0000000000..01b657331b
--- /dev/null
+++ b/vault/seal/seal_generation_validation_ce.go
@@ -0,0 +1,10 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build !enterprise
+
+package seal
+
+func ValidateMultiSealGenerationInfo(_ bool, _, _ *SealGenerationInfo, _ bool) error {
+	return nil
+}
diff --git a/vault/seal_util_ce.go b/vault/seal_util_ce.go
new file mode 100644
index 0000000000..f20df5692a
--- /dev/null
+++ b/vault/seal_util_ce.go
@@ -0,0 +1,16 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import (
+	"context"
+
+	"github.com/hashicorp/vault/sdk/physical"
+)
+
+func HasPartiallyWrappedPaths(_ context.Context, _ physical.Backend) (bool, error) {
+	return false, nil
+}
diff --git a/vault/sealunwrapper_test.go b/vault/sealunwrapper_test.go
index c505ee2589..ce26bba893 100644
--- a/vault/sealunwrapper_test.go
+++ b/vault/sealunwrapper_test.go
@@ -48,8 +48,6 @@ func performTestSealUnwrapper(t *testing.T, phys physical.Backend, logger log.Lo
 	cluster := NewTestCluster(t, base, &TestClusterOptions{
 		Logger: logger,
 	})
-	cluster.Start()
-	defer cluster.Cleanup()
 
 	physImem := phys.(interface{ Underlying() *inmem.InmemBackend }).Underlying()
 
diff --git a/vault/testing.go b/vault/testing.go
index 8d7d1fb9d2..b9ed33430c 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -102,6 +102,9 @@ oOyBJU/HMVvBfv4g+OVFLVgSwwm6owwsouZ0+D/LasbuHqYyqYqdyPJQYzWA2Y+F
 )
 
 // TestCore returns a pure in-memory, uninitialized core for testing.
+//
+// NOTE: Writing your test using NewTestCluster in a new package is strongly
+// preferable to writing a test in the vault package utilizing the TestCore functions.
 func TestCore(t testing.TB) *Core {
 	return TestCoreWithSeal(t, nil, false)
 }
@@ -121,6 +124,9 @@ func TestCoreNewSeal(t testing.TB) *Core {
 
 // TestCoreWithConfig returns a pure in-memory, uninitialized core with the
 // specified core configurations overridden for testing.
+//
+// NOTE: Writing your test using NewTestCluster in a new package is strongly
+// preferable to writing a test in the vault package utilizing the TestCore functions.
 func TestCoreWithConfig(t testing.TB, conf *CoreConfig) *Core {
 	return TestCoreWithSealAndUI(t, conf)
 }
@@ -271,7 +277,7 @@ func TestCoreWithSealAndUINoCleanup(t testing.TB, opts *CoreConfig) *Core {
 
 	conf.ActivityLogConfig = opts.ActivityLogConfig
 	conf.BillingConfig = opts.BillingConfig
-	testApplyEntBaseConfig(conf, opts)
+	TestApplyEntBaseConfig(conf, opts)
 
 	c, err := NewCore(conf)
 	if err != nil {
@@ -387,6 +393,9 @@ func TestCoreSeal(core *Core) error {
 
 // TestCoreUnsealed returns a pure in-memory core that is already
 // initialized and unsealed.
+//
+// NOTE: Writing your test using NewTestCluster in a new package is strongly
+// preferable to writing a test in the vault package utilizing the TestCore functions.
 func TestCoreUnsealed(t testing.TB) (*Core, [][]byte, string) {
 	t.Helper()
 	core := TestCore(t)
@@ -420,6 +429,9 @@ func TestCoreUnsealedWithMetricsAndConfig(t testing.TB, conf *CoreConfig) (*Core
 
 // TestCoreUnsealedRaw returns a pure in-memory core that is already
 // initialized, unsealed, and with raw endpoints enabled.
+//
+// NOTE: Writing your test using NewTestCluster in a new package is strongly
+// preferable to writing a test in the vault package utilizing the TestCore functions.
 func TestCoreUnsealedRaw(t testing.TB) (*Core, [][]byte, string) {
 	t.Helper()
 	core := TestCoreRaw(t)
@@ -427,7 +439,10 @@ func TestCoreUnsealedRaw(t testing.TB) (*Core, [][]byte, string) {
 }
 
 // TestCoreUnsealedWithConfig returns a pure in-memory core that is already
-// initialized, unsealed, with the any provided core config values overridden.
+// initialized, unsealed, with any provided core config values overridden.
+//
+// NOTE: Writing your test using NewTestCluster in a new package is strongly
+// preferable to writing a test in the vault package utilizing the TestCore functions.
 func TestCoreUnsealedWithConfig(t testing.TB, conf *CoreConfig) (*Core, [][]byte, string) {
 	t.Helper()
 	core := TestCoreWithConfig(t, conf)
@@ -559,8 +574,13 @@ var (
 	testCredentialBackends = map[string]logical.Factory{}
 )
 
-// This adds a credential backend for the test core. This needs to be
+// AddTestCredentialBackend adds a credential backend for the test core. This needs to be
 // invoked before the test core is created.
+//
+// Deprecated: Relies upon global test variables, and prone to race conditions,
+// and tests using this function cannot run in parallel.
+// A test utilizing NewTestCluster living outside the Vault package should
+// be strongly preferred instead.
 func AddTestCredentialBackend(name string, factory logical.Factory) error {
 	if name == "" {
 		return fmt.Errorf("missing backend name")
@@ -572,8 +592,13 @@ func AddTestCredentialBackend(name string, factory logical.Factory) error {
 	return nil
 }
 
-// This adds a logical backend for the test core. This needs to be
+// AddTestLogicalBackend adds a logical backend for the test core. This needs to be
 // invoked before the test core is created.
+//
+// Deprecated: Relies upon global test variables, and prone to race conditions,
+// and tests using this function cannot run in parallel.
+// A test utilizing NewTestCluster living outside the Vault package should
+// be strongly preferred instead.
 func AddTestLogicalBackend(name string, factory logical.Factory) error {
 	if name == "" {
 		return fmt.Errorf("missing backend name")
@@ -675,6 +700,8 @@ func TestWaitPerfStandby(t testing.TB, core *Core) {
 	}
 }
 
+// TestWaitActive waits for a given core to become the active node.
+// This function is NOT required on a new cluster returned by NewTestCluster.
 func TestWaitActive(t testing.TB, core *Core) {
 	t.Helper()
 	if err := TestWaitActiveWithError(core); err != nil {
@@ -739,6 +766,7 @@ type TestCluster struct {
 	LicensePublicKey  ed25519.PublicKey
 	LicensePrivateKey ed25519.PrivateKey
 	opts              *TestClusterOptions
+	cleanupOnce       sync.Once
 }
 
 func (c *TestCluster) SetRootToken(token string) {
@@ -748,9 +776,6 @@ func (c *TestCluster) SetRootToken(token string) {
 	}
 }
 
-func (c *TestCluster) Start() {
-}
-
 func (c *TestCluster) start(t testing.TB) {
 	t.Helper()
 	for i, core := range c.Cores {
@@ -991,37 +1016,45 @@ func (c *TestClusterCore) NetworkLayer() cluster.NetworkLayer {
 	return c.Core.clusterNetworkLayer
 }
 
+// Cleanup cleans up the Vault cluster. It's called automatically and tied to t.Cleanup().
+// This remains for now to satisfy the VaultCluster interface. Changing that could be breaking
+// for users of the SDK.
+//
+// Deprecated: This should almost never be called directly for clusters resulting from
+// NewTestCluster.
 func (c *TestCluster) Cleanup() {
-	c.Logger.Info("cleaning up vault cluster")
-	if tl, ok := c.Logger.(*corehelpers.TestLogger); ok {
-		tl.StopLogging()
-	}
+	c.cleanupOnce.Do(func() {
+		c.Logger.Info("cleaning up vault cluster")
+		if tl, ok := c.Logger.(*corehelpers.TestLogger); ok {
+			tl.StopLogging()
+		}
 
-	wg := &sync.WaitGroup{}
-	for _, core := range c.Cores {
-		wg.Add(1)
-		lc := core
+		wg := &sync.WaitGroup{}
+		for _, core := range c.Cores {
+			wg.Add(1)
+			lc := core
 
-		go func() {
-			defer wg.Done()
-			if err := lc.stop(); err != nil {
-				// Note that this log won't be seen if using TestLogger, due to
-				// the above call to StopLogging.
-				lc.Logger().Error("error during cleanup", "error", err)
-			}
-		}()
-	}
+			go func() {
+				defer wg.Done()
+				if err := lc.stop(); err != nil {
+					// Note that this log won't be seen if using TestLogger, due to
+					// the above call to StopLogging.
+					lc.Logger().Error("error during cleanup", "error", err)
+				}
+			}()
+		}
 
-	wg.Wait()
+		wg.Wait()
 
-	// Remove any temp dir that exists
-	if c.TempDir != "" {
-		os.RemoveAll(c.TempDir)
-	}
+		// Remove any temp dir that exists
+		if c.TempDir != "" {
+			os.RemoveAll(c.TempDir)
+		}
 
-	if c.CleanupFunc != nil {
-		c.CleanupFunc()
-	}
+		if c.CleanupFunc != nil {
+			c.CleanupFunc()
+		}
+	})
 }
 
 func (c *TestCluster) ensureCoresSealed() error {
@@ -1170,6 +1203,7 @@ type TestClusterOptions struct {
 
 	// ABCDLoggerNames names the loggers according to our ABCD convention when generating 4 clusters
 	ABCDLoggerNames bool
+	DisableTLS      bool
 }
 
 type TestPluginConfig struct {
@@ -1371,6 +1405,10 @@ func NewTestCluster(t testing.TB, base *CoreConfig, opts *TestClusterOptions) *T
 		})
 	}
 
+	scheme := "https"
+	if opts.DisableTLS {
+		scheme = "http"
+	}
 	//
 	// Listener setup
 	//
@@ -1427,10 +1465,14 @@ func NewTestCluster(t testing.TB, base *CoreConfig, opts *TestClusterOptions) *T
 		tlsConfigs = append(tlsConfigs, tlsConfig)
 		lns := []*TestListener{
 			{
-				Listener: tls.NewListener(ln, tlsConfig),
-				Address:  ln.Addr().(*net.TCPAddr),
+				Address: ln.Addr().(*net.TCPAddr),
 			},
 		}
+		if opts.DisableTLS {
+			lns[0].Listener = ln
+		} else {
+			lns[0].Listener = tls.NewListener(ln, tlsConfig)
+		}
 		listeners = append(listeners, lns)
 		var handler http.Handler = http.NewServeMux()
 		handlers = append(handlers, handler)
@@ -1458,8 +1500,8 @@ func NewTestCluster(t testing.TB, base *CoreConfig, opts *TestClusterOptions) *T
 			audit.TypeSocket: audit.NewSocketBackend,
 			audit.TypeSyslog: audit.NewSyslogBackend,
 		},
-		RedirectAddr:    fmt.Sprintf("https://127.0.0.1:%d", listeners[0][0].Address.Port),
-		ClusterAddr:     "https://127.0.0.1:0",
+		RedirectAddr:    fmt.Sprintf(scheme+"://127.0.0.1:%d", listeners[0][0].Address.Port),
+		ClusterAddr:     scheme + "://127.0.0.1:0",
 		DisableMlock:    true,
 		EnableUI:        true,
 		EnableRaw:       true,
@@ -1556,8 +1598,9 @@ func NewTestCluster(t testing.TB, base *CoreConfig, opts *TestClusterOptions) *T
 		coreConfig.PeriodicLeaderRefreshInterval = base.PeriodicLeaderRefreshInterval
 		coreConfig.ClusterAddrBridge = base.ClusterAddrBridge
 		coreConfig.ObservationSystemConfig = base.ObservationSystemConfig
+		coreConfig.EnableUnauthenticatedAccess = base.EnableUnauthenticatedAccess
 
-		testApplyEntBaseConfig(coreConfig, base)
+		TestApplyEntBaseConfig(coreConfig, base)
 	}
 	if coreConfig.ClusterName == "" {
 		coreConfig.ClusterName = t.Name()
@@ -1733,6 +1776,10 @@ func NewTestCluster(t testing.TB, base *CoreConfig, opts *TestClusterOptions) *T
 		// once, otherwise when they re-initialize themselves they can yield 500s.
 		time.Sleep(coreConfig.PeriodicLeaderRefreshInterval)
 	}
+
+	// Register cleanup with t.Cleanup so it's automatically called when the test ends
+	t.Cleanup(testCluster.Cleanup)
+
 	return &testCluster
 }
 
@@ -1849,7 +1896,11 @@ func (testCluster *TestCluster) newCore(t testing.TB, idx int, coreConfig *CoreC
 		firstCoreNumber = opts.FirstCoreNumber
 	}
 
-	localConfig.RedirectAddr = fmt.Sprintf("https://127.0.0.1:%d", listeners[0].Address.Port)
+	scheme := "https"
+	if opts != nil && opts.DisableTLS {
+		scheme = "http"
+	}
+	localConfig.RedirectAddr = fmt.Sprintf(scheme+"://127.0.0.1:%d", listeners[0].Address.Port)
 
 	// if opts.SealFunc is provided, use that to generate a seal for the config instead
 	if opts != nil && opts.SealFunc != nil {
@@ -1913,10 +1964,10 @@ func (testCluster *TestCluster) newCore(t testing.TB, idx int, coreConfig *CoreC
 
 	if opts != nil && opts.ClusterLayers != nil {
 		localConfig.ClusterNetworkLayer = opts.ClusterLayers.Layers()[idx]
-		localConfig.ClusterAddr = "https://" + localConfig.ClusterNetworkLayer.Listeners()[0].Addr().String()
+		localConfig.ClusterAddr = scheme + "://" + localConfig.ClusterNetworkLayer.Listeners()[0].Addr().String()
 	}
 	if opts != nil && opts.BaseClusterListenPort != 0 {
-		localConfig.ClusterAddr = fmt.Sprintf("https://127.0.0.1:%d", opts.BaseClusterListenPort+idx)
+		localConfig.ClusterAddr = fmt.Sprintf(scheme+"://127.0.0.1:%d", opts.BaseClusterListenPort+idx)
 	}
 
 	switch {
@@ -2137,7 +2188,11 @@ func (testCluster *TestCluster) getAPIClient(
 	port int, tlsConfig *tls.Config,
 ) *api.Client {
 	transport := cleanhttp.DefaultPooledTransport()
-	transport.TLSClientConfig = tlsConfig.Clone()
+	scheme := "http"
+	if opts != nil && !opts.DisableTLS {
+		scheme = "https"
+		transport.TLSClientConfig = tlsConfig.Clone()
+	}
 	if err := http2.ConfigureTransport(transport); err != nil {
 		t.Fatal(err)
 	}
@@ -2152,7 +2207,7 @@ func (testCluster *TestCluster) getAPIClient(
 	if config.Error != nil {
 		t.Fatal(config.Error)
 	}
-	config.Address = fmt.Sprintf("https://127.0.0.1:%d", port)
+	config.Address = fmt.Sprintf(scheme+"://127.0.0.1:%d", port)
 	config.HttpClient = client
 	config.MaxRetries = 0
 	apiClient, err := api.NewClient(config)
diff --git a/vault/testing_util_stubs_oss.go b/vault/testing_util_stubs_oss.go
index 712db3a90c..0997e8f31f 100644
--- a/vault/testing_util_stubs_oss.go
+++ b/vault/testing_util_stubs_oss.go
@@ -18,7 +18,7 @@ func testExtraTestCoreSetup(testing.TB, ed25519.PrivateKey, *TestClusterCore) {}
 func testAdjustUnderlyingStorage(tcc *TestClusterCore) {
 	tcc.UnderlyingStorage = tcc.physical
 }
-func testApplyEntBaseConfig(coreConfig, base *CoreConfig) {}
+func TestApplyEntBaseConfig(coreConfig, base *CoreConfig) {}
 
 // Ent specific test config for licensing
 func (c *Core) testSetTestPubKeys(config CoreConfig)       {}
diff --git a/vault/token_store.go b/vault/token_store.go
index c70f585003..93ffd8496a 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -758,6 +758,16 @@ type TokenStore struct {
 func NewTokenStore(ctx context.Context, logger log.Logger, core *Core, config *logical.BackendConfig) (*TokenStore, error) {
 	// Create a sub-view
 	view := core.systemBarrierView.SubView(tokenSubPath)
+	if core.IsDRSecondary() {
+		// Generally speaking, DR secondaries do not handle requests using tokens
+		// from the TokenStore.  Requests to DR secondaries should either be
+		// unauthenticated, or use a batch token, or use a DR operation token
+		// created using the generate-operation-token api.  With the change to
+		// make generate-operation-token authenticated by default, we're now also
+		// allowing regular root tokens from the primary cluster to be used.
+		//
+		view.setReadOnlyErr(logical.ErrReadOnly)
+	}
 
 	// Initialize the store
 	t := &TokenStore{
@@ -1107,9 +1117,11 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 	}
 
 	switch entry.Type {
-	case logical.TokenTypeDefault, logical.TokenTypeService:
+	case logical.TokenTypeDefault, logical.TokenTypeService, logical.TokenTypeEnt:
 		// In case it was default, force to service
-		entry.Type = logical.TokenTypeService
+		if entry.Type == logical.TokenTypeDefault {
+			entry.Type = logical.TokenTypeService
+		}
 
 		// Generate an ID if necessary
 		userSelectedID := true
@@ -1126,7 +1138,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 			}
 		}
 
-		if userSelectedID {
+		if userSelectedID && entry.Type != logical.TokenTypeEnt {
 			switch {
 			case strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix):
 				return fmt.Errorf("custom token ID cannot have the 'hvs.' prefix")
@@ -1151,7 +1163,10 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 			entry.ID = fmt.Sprintf("%s.%s", entry.ID, tokenNS.ID)
 		}
 
-		if tokenNS.ID != namespace.RootNamespaceID || strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) || strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix) {
+		if tokenNS.ID != namespace.RootNamespaceID ||
+			strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) ||
+			strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix) ||
+			strings.HasPrefix(entry.ID, consts.GetEnterpriseTokenPrefix()) {
 			if entry.CubbyholeID == "" {
 				cubbyholeID, err := base62.Random(TokenLength)
 				if err != nil {
@@ -1163,7 +1178,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 
 		// If the user didn't specifically pick the ID, e.g. because they were
 		// sudo/root, check for collision; otherwise trust the process
-		if userSelectedID {
+		if userSelectedID || entry.Type == logical.TokenTypeEnt {
 			exist, _ := ts.lookupInternal(ctx, entry.ID, false, true)
 			if exist != nil {
 				return fmt.Errorf("cannot create a token with a duplicate ID")
@@ -1503,17 +1518,16 @@ func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntr
 	if id == "" {
 		return nil, fmt.Errorf("cannot lookup blank token")
 	}
+	normalizedID := normalizeEnterpriseTokenToID(id)
 
 	// If it starts with "b." it's a batch token
-	if IsBatchToken(id) {
-		return ts.lookupBatchToken(ctx, id)
+	if IsBatchToken(normalizedID) {
+		return ts.lookupBatchToken(ctx, normalizedID)
 	}
-
-	lock := locksutil.LockForKey(ts.tokenLocks, id)
+	lock := locksutil.LockForKey(ts.tokenLocks, normalizedID)
 	lock.RLock()
 	defer lock.RUnlock()
-
-	return ts.lookupInternal(ctx, id, false, false)
+	return ts.lookupInternal(ctx, normalizedID, false, false)
 }
 
 func (ts *TokenStore) stripBatchPrefix(id string) string {
@@ -1636,7 +1650,7 @@ func (ts *TokenStore) lookupInternal(ctx context.Context, id string, salted, tai
 		// If possible, always use the token's namespace. If it doesn't match
 		// the request namespace, ensure the request namespace is a child
 		_, nsID := namespace.SplitIDFromString(id)
-		if nsID != "" {
+		if nsID != "" || strings.HasPrefix(id, consts.GetEnterpriseTokenPrefix()) {
 			tokenNS, err := NamespaceByID(ctx, nsID, ts.core)
 			if err != nil {
 				return nil, fmt.Errorf("failed to look up namespace from the token: %w", err)
@@ -1740,6 +1754,11 @@ func (ts *TokenStore) lookupInternal(ctx context.Context, id string, salted, tai
 		return entry, nil
 	}
 
+	if entry.IsRoot() {
+		// We don't need to check for persistence or expiration for root tokens.
+		return entry, nil
+	}
+
 	// Perform these checks on upgraded fields, but before persisting
 
 	// If we are still restoring the expiration manager, we want to ensure the
@@ -1753,6 +1772,11 @@ func (ts *TokenStore) lookupInternal(ctx context.Context, id string, salted, tai
 		}
 	}
 
+	// don't check for lease
+	if entry.Type == logical.TokenTypeEnt {
+		return entry, nil
+	}
+
 	le, err := ts.expiration.FetchLeaseTimesByToken(ctx, entry)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch lease times: %w", err)
@@ -2266,6 +2290,11 @@ func (ts *TokenStore) handleTidy(ctx context.Context, req *logical.Request, data
 				return fmt.Errorf("failed to fetch cubbyhole storage keys: %w", err)
 			}
 
+			err = ts.handleTidyEnterpriseTokens(quitCtx, ns, tidyErrors)
+			if err != nil {
+				return err
+			}
+
 			var countParentEntries, deletedCountParentEntries, countParentList, deletedCountParentList int64
 
 			// Scan through the secondary index entries; if there is an entry
@@ -2654,6 +2683,11 @@ func (ts *TokenStore) handleCreate(ctx context.Context, req *logical.Request, d
 
 // handleCreateCommon handles the auth/token/create path for creation of new tokens
 func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Request, d *framework.FieldData, orphan bool, role *tsRoleEntry) (*logical.Response, error) {
+	normalizedClientToken := normalizeEnterpriseTokenToID(req.ClientToken)
+	if !orphan && IsEnterpriseTokenId(normalizedClientToken) {
+		return logical.ErrorResponse("enterprise tokens cannot create child tokens"), logical.ErrInvalidRequest
+	}
+
 	// Read the parent policy
 	parent, err := ts.Lookup(ctx, req.ClientToken)
 	if err != nil {
@@ -3321,6 +3355,10 @@ func (ts *TokenStore) handleRevokeTree(ctx context.Context, req *logical.Request
 }
 
 func (ts *TokenStore) revokeCommon(ctx context.Context, req *logical.Request, data *framework.FieldData, id string) (*logical.Response, error) {
+	normalizedID := normalizeEnterpriseTokenToID(id)
+	if IsEnterpriseTokenId(normalizedID) {
+		return logical.ErrorResponse("cannot revoke ent token"), nil
+	}
 	te, err := ts.Lookup(ctx, id)
 	if err != nil {
 		return nil, err
@@ -3365,6 +3403,11 @@ func (ts *TokenStore) handleRevokeOrphan(ctx context.Context, req *logical.Reque
 		return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
 	}
 
+	normalizedID := normalizeEnterpriseTokenToID(id)
+	if IsEnterpriseTokenId(normalizedID) {
+		return logical.ErrorResponse("enterprise token cannot be revoked"), nil
+	}
+
 	// Do a lookup. Among other things, that will ensure that this is either
 	// running in the same namespace or a parent.
 	te, err := ts.Lookup(ctx, id)
@@ -3402,7 +3445,21 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da
 	if id == "" {
 		return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
 	}
-
+	if IsEnterpriseToken(id) {
+		// If the token specified in the request body is different from the caller's
+		// token, resolve the token ID based on the body token's claims (JTI) instead
+		// of req.EnterpriseTokenMetadata, otherwise we may silently return the caller's
+		// own token entry or fail for non-Enterprise token callers.
+		if id == req.ClientToken {
+			id = getEnterpriseTokenId(req.EnterpriseTokenMetadata)
+		} else {
+			resolvedID, err := resolveEnterpriseTokenIDForLookup(id)
+			if err != nil {
+				return logical.ErrorResponse("invalid token"), logical.ErrInvalidRequest
+			}
+			id = resolvedID
+		}
+	}
 	lock := locksutil.LockForKey(ts.tokenLocks, id)
 	lock.RLock()
 	defer lock.RUnlock()
@@ -3514,6 +3571,10 @@ func (ts *TokenStore) handleRenew(ctx context.Context, req *logical.Request, dat
 	if id == "" {
 		return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
 	}
+	normalizedID := normalizeEnterpriseTokenToID(id)
+	if IsEnterpriseTokenId(normalizedID) {
+		return logical.ErrorResponse("enterprise tokens cannot be renewed"), nil
+	}
 	incrementRaw := data.Get("increment").(int)
 
 	// Convert the increment
diff --git a/vault/token_store_ce.go b/vault/token_store_ce.go
new file mode 100644
index 0000000000..8685c7dbda
--- /dev/null
+++ b/vault/token_store_ce.go
@@ -0,0 +1,25 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import (
+	"context"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/vault/helper/namespace"
+)
+
+func getEnterpriseTokenId(_ string) string {
+	return ""
+}
+
+func normalizeEnterpriseTokenToID(token string) string {
+	return token
+}
+
+func (ts *TokenStore) handleTidyEnterpriseTokens(_ context.Context, _ *namespace.Namespace, _ *multierror.Error) error {
+	return nil
+}
diff --git a/vault/ui.go b/vault/ui.go
index b5b0b0e9dc..601c49f1dc 100644
--- a/vault/ui.go
+++ b/vault/ui.go
@@ -43,7 +43,7 @@ func NewUIConfig(enabled bool, physicalStorage physical.Backend, barrierStorage
 	if isHVD != "" && isHVD != "0" {                  // only if HVD, set connect-src to include posthog
 		connectSrcHeader = "connect-src 'self' https://eu.i.posthog.com;"
 	}
-	defaultHeaders.Set("Content-Security-Policy", "default-src 'none'; "+connectSrcHeader+" img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline' 'self'; form-action  'none'; frame-ancestors 'none'; font-src 'self'")
+	defaultHeaders.Set("Content-Security-Policy", "default-src 'none'; "+connectSrcHeader+" img-src 'self' data:; script-src 'self'; style-src 'self'; form-action  'none'; frame-ancestors 'none'; font-src 'self'")
 	return &UIConfig{
 		physicalStorage: physicalStorage,
 		barrierStorage:  barrierStorage,
diff --git a/vault/version_store.go b/vault/version_store.go
index 46fbac98ad..4121abaa1b 100644
--- a/vault/version_store.go
+++ b/vault/version_store.go
@@ -199,6 +199,9 @@ func (c *Core) IsNewInstall(ctx context.Context) bool {
 	return oldestVersion == "" && newestVersion == ""
 }
 
+// IsJWT validates if a token is of JWT format, which was historically
+// a possibility for wrapping tokens, though not something we
+// encourage today.
 func IsJWT(token string) bool {
 	return len(token) > 3 && strings.Count(token, ".") == 2 &&
 		(token[3] != '.' && token[1] != '.')
diff --git a/vault/version_store_ce.go b/vault/version_store_ce.go
new file mode 100644
index 0000000000..2e0d8e3cd6
--- /dev/null
+++ b/vault/version_store_ce.go
@@ -0,0 +1,14 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+func IsEnterpriseToken(token string) bool {
+	return false
+}
+
+func IsEnterpriseTokenId(tokenID string) bool {
+	return false
+}
diff --git a/vault/wrapping.go b/vault/wrapping.go
index cedba608f1..36b8abfaf3 100644
--- a/vault/wrapping.go
+++ b/vault/wrapping.go
@@ -348,8 +348,7 @@ DONELISTHANDLING:
 }
 
 // validateWrappingToken checks whether a token is a wrapping token. The passed
-// in logical request will be updated if the wrapping token was provided within
-// a JWT token.
+// in logical request may be updated.
 func (c *Core) validateWrappingToken(ctx context.Context, req *logical.Request) (valid bool, err error) {
 	if req == nil {
 		return false, fmt.Errorf("invalid request")
@@ -409,13 +408,8 @@ func (c *Core) validateWrappingToken(ctx context.Context, req *logical.Request)
 	}
 
 	// Check for it being a JWT. If it is, and it is valid, we extract the
-	// internal client token from it and use that during lookup. The second
-	// check is a quick check to verify that we don't consider a namespaced
-	// token to be a JWT -- namespaced tokens have two dots too, but Vault
-	// token types (for now at least) begin with a letter representing a type
-	// and then a dot.
+	// internal client token from it and use that during lookup.
 	if IsJWT(token) {
-		// Implement the jose library way
 		parsedJWT, err := jwt.ParseSigned(token)
 		if err != nil {
 			return false, fmt.Errorf("wrapping token could not be parsed: %w", err)
diff --git a/version/VERSION b/version/VERSION
index 94ec2d9ccd..05ea4cf25d 100644
--- a/version/VERSION
+++ b/version/VERSION
@@ -1 +1 @@
-1.22.0-beta1
+3.0.0-beta1